Root out rootkits

True Negatives

You can spend a moment disabling false positives by editing the /etc/chkrootkit.conf file. As you can see in Figure 2, you don't have many default config settings to worry about.

Figure 2: The default config file for Chkrootkit.

The first setting lets you choose to execute the Chkrootkit command on a daily basis. If that setting is changed from "false" to "true", you can peek inside the cronjob file /etc/cron.daily/chkrootkit to inspect the conditions used to launch the scheduled task. The RUN_DAILY_OPTS option tells Chkrootkit whether or not to produce output when a critical "INFECTED" status, or similar condition, is found. The "-q" here stands for "quiet."

If you wanted to receive the results of Chkrootkit tests every day by email, you could move the cron.daily/chkrootkit file somewhere like the /usr/local/etc/ directory and add the line in Listing 4 – or something similar – to your /etc/crontab or the root user's crontab. Note that if chkrootkit complains, you might need to adjust the beginning of the command: replace the file name and its full path with cd /usr/local/etc; and then execute ./chkrootkit from within that directory. The example shown in the listing triggers every day at 1:00am. (Add your email address.)

Listing 4: Addition to crontab for Chkrootkit

To get rid of one of the Python false positives in Listing 2, you can add this entry to the foot of the /etc/cron.daily/chkrootkit file:

IGNORE="/usr/lib/pymodules/python2.7/.path"

After you've done that, try a test run to see if you're still getting false positives. Incidentally, if you want to peer into the innards of Chkrootkit, you'll find the -x option fascinating. Expert mode does put the onus entirely on the user to interpret the output, but it's very useful to run at least once. The -x option dutifully lists the suspicious strings that Chkrootkit searches for inside the binaries it scans. To handle the large amount of output, you can read it as follows:

chkrootkit -x | less

If you only want to see which paths are checked, the manual helpfully offers this solution:

chkrootkit -x | egrep '^/'

You are also advised to mount a potentially infected drive to another machine so that you can inspect its content safely with the command:

chkrootkit -r /infected_disk-mountpoint

The chkrootkit package includes a few other tools that are also executed when the chkrootkit script runs. Among its other clever functionality, Chkrootkit will alert you as to whether your Network Interface Card (NIC) is set to listen in "Promiscuous Mode"; that is, your NIC is configured to listen for traffic that is not necessarily destined for your machine but is in fact visible on the network link to which it's connected.

Good, old network hubs were renowned for shouting loudly about everyone's traffic, but thankfully it's not as big a deal these days. Modern switched networks dutifully segment network traffic in a more secure fashion. However, you can achieve some interesting results from the ifpromisc tool included in the Chkrootkit package, even if your machine is connected to a switch.

Unless you know that a valid service (e.g., a network sniffer) has purposely configured your NIC to flaunt itself all over the network, you should probably be concerned if it is found to be running in Promiscuous Mode.
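As an added illustration of the kind of check ifpromisc performs (this is example code, not chkrootkit's own), the following reads each interface's kernel flags from Linux sysfs and reports any with the IFF_PROMISC bit set; the sample flag values are constructed.

```python
"""Report interfaces whose kernel flags carry IFF_PROMISC.

Added example, not chkrootkit's ifpromisc. Assumes a Linux sysfs at
/sys/class/net, where each interface exposes a hex 'flags' attribute.
"""
import os

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

# Constructed sample: lo is UP|LOOPBACK|RUNNING, eth0 is UP|BROADCAST|MULTICAST,
# eth1 is the same as eth0 plus the promiscuous bit.
SAMPLE_FLAGS = {"lo": "0x49", "eth0": "0x1003", "eth1": "0x1103"}


def read_flags(sysfs="/sys/class/net"):
    """Map interface name -> flags string exactly as the kernel exposes it."""
    flags = {}
    for iface in os.listdir(sysfs):
        try:
            with open(os.path.join(sysfs, iface, "flags")) as fh:
                flags[iface] = fh.read().strip()
        except OSError:
            continue  # interface vanished or attribute not readable; skip it
    return flags


def promisc_interfaces(flags_by_iface):
    """Return, sorted by name, the interfaces with the promiscuous bit set."""
    return sorted(
        name for name, value in flags_by_iface.items()
        if int(value, 16) & IFF_PROMISC
    )


if __name__ == "__main__":
    # Run against the live system; an empty result is only weak evidence,
    # since the sysfs flag reflects promiscuous mode set administratively
    # and a sniffer using a packet socket may not toggle it.
    for iface in promisc_interfaces(read_flags()):
        print(f"{iface}: PROMISC")
```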

A malevolent attacker's modus operandi is to cover his tracks to avoid detection. One of the logging mechanisms on Unix-type systems is the wtmp (all logins and logouts) and lastlog (most recent logins) records.

With that in mind, you shouldn't be entirely surprised to hear that Chkrootkit also includes the chkwtmp and chklastlog tools to look for deleted entries in logfiles. Be warned that the manual makes an effort to remind you that all it can do is try to detect these altered logfiles and that these checks are far from foolproof.

Another piece of functionality that might be slightly alarming is the aliens test. This component apparently looks for any suspicious config files and network sniffer logfiles buried far, far away, deep into your filesystem.

Finally, the chkproc tool is used to separate the wheat from the chaff to identify unwelcome processes that might be running on your machine. It's a clever addition that checks what the ps command can see and then compares it to the /proc pseudo-filesystem entries, ringing a bell like a town crier if it finds something untoward.
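The ps-versus-/proc comparison that chkproc performs, written out as an added example (not chkrootkit's code): it takes three views of the process list, the /proc directory, the ps binary, and a direct kernel probe with signal 0, and re-checks any discrepancy so that a process that merely exited between snapshots is not reported. It assumes Linux with /proc mounted and a ps binary on the PATH.

```python
"""chkproc-style hidden-process check. Added example, not chkrootkit's code."""
import os
import subprocess


def proc_pids():
    """PIDs from the /proc directory listing (the kernel's filesystem view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as reported by ps, a binary a rootkit may have replaced."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probe_pids(limit):
    """Ask the kernel directly whether PIDs 1..limit exist (kill with signal 0).

    ProcessLookupError means no such process; PermissionError means it exists
    but belongs to another user, which is still an existing process.
    """
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def still_alive(pid):
    return os.path.isdir(f"/proc/{pid}")


def hidden_pids(kernel_view, ps_view, alive=still_alive):
    """PIDs the kernel knows but ps does not list, minus those that have since
    exited (the usual false positive of two non-atomic snapshots)."""
    return sorted(pid for pid in kernel_view - ps_view if alive(pid))


if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    seen_by_kernel = proc_pids() | probe_pids(pid_max)
    for pid in hidden_pids(seen_by_kernel, ps_pids()):
        print(f"PID {pid} exists but is not shown by ps")
```

Remember the caveat from the article: a kernel-level rootkit controls all three views, so a clean result here is not proof of a clean machine.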

End Of File

In this article, I have barely begun to look at rootkits. It's an ever-evolving subject involving the common cat and mouse chase between the good guys and the bad guys. Because you are now armed with new weaponry, I hope you can keep a closer eye on your machines. As you've seen, rootkits are very nasty trojan horse-style infections that can lie dormant for a relatively long period of time and then appear suddenly, biting you on the posterior.

Aside from knowing that your key system binaries are prone to compromise (and, as a result, being more aware of how important permissions and other security controls are), you should at least now be a little more familiar with the attack vectors that hackers consider. Admittedly, rootkit checkers won't save the day every time. If you do suffer a compromise, however, you'll probably know by the end of the same day that your machine has been infected and not several days or weeks later, when even more damage has been done.

For more information on Chkrootkit, the website encourages you to join its mailing list using

echo "subscribe users <email-address>" | mail majordomo@chkrootkit.org

and points you to some relevant books on the subject as well [3].

Infos

  1. Chkrootkit: http://www.chkrootkit.org (accessed September 10, 2015)
  2. Source code: http://www.chkrootkit.org/download/
  3. Chkrootkit publications: http://www.chkrootkit.org/books
