Comprehensive Guide to Rootkit Detection with chkrootkit: Installation, Automation, and Backup Strategies

A rootkit is a tool often used by intruders to gain unauthorized access or control over a system. These tools are highly stealthy and challenging for users to detect. To combat this, we employ the open-source software *chkrootkit* to establish an intrusion detection system for monitoring rootkit installations.

During rootkit detection, *chkrootkit* relies on specific built-in operating system commands. However, intruders aware of this may alter these commands, preventing *chkrootkit* from identifying the rootkit, thereby rendering the intrusion detection system ineffective. To mitigate this risk, we run *chkrootkit* immediately after installing the operating system or before deploying the server. Additionally, we back up the system commands *chkrootkit* depends on so that, in case of suspected tampering, *chkrootkit* can operate using the secure, backed-up versions. This approach ensures reliable rootkit detection.

Installing chkrootkit

First, let’s download and install the chkrootkit tool. (In the listings below, the text after the shell prompt is the command to enter, and the text after the ← arrow explains what that command does.)

[root@localhost ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ← Download the chkrootkit package
--03:05:31--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br|200.239.53.35|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 37,140 (36K) (unauthoritative)

100%[====================================>] 37,140        5.67K/s    ETA 00:00

03:05:46 (5.30 KB/s) - `chkrootkit.tar.gz' saved [37140]

[root@localhost ~]# tar zxvf chkrootkit.tar.gz ← Extract the compressed source code
[root@localhost ~]# cd chkrootkit* ← Navigate into the chkrootkit source code directory
[root@localhost chkrootkit-0.46a]# make sense ← Compile the source code
[root@localhost chkrootkit-0.46a]# cd .. ← Return to the parent directory
[root@localhost ~]# cp -r chkrootkit-* /usr/local/chkrootkit ← Copy the compiled files to the target directory
[root@localhost ~]# rm -rf chkrootkit* ← Delete the remaining source code directory and related files

Testing chkrootkit

Now let’s test if chkrootkit can run properly.

[root@localhost ~]# cd /usr/local/chkrootkit ← Navigate to the chkrootkit directory
[root@localhost chkrootkit]# ./chkrootkit | grep INFECTED ← Run a test using chkrootkit

After a moment, if no “INFECTED” message is displayed and the command prompt returns directly, everything is fine!

[root@localhost chkrootkit]# cd ← Return to the root user’s home directory

Automating chkrootkit Detection

Write a shell script to automate the chkrootkit detection process. If a rootkit is detected, the script sends an email notification to the root user; every run's results are also logged to the /var/log/messages file via syslog.

[root@localhost ~]# vi chkrootkit ← Create an automated script for chkrootkit

#!/bin/bash

PATH=/usr/bin:/bin

TMPLOG=`mktemp`

# Run chkrootkit and capture its report in a temporary file
/usr/local/chkrootkit/chkrootkit > $TMPLOG

# Send the full report to syslog (it ends up in /var/log/messages)
cat $TMPLOG | logger -t chkrootkit

# SMTP port workaround: drop the port-465 lines unless lsof shows a bindshell listening there
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi

# If a rootkit is found, mail the INFECTED lines to the root mailbox
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
   grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root

rm -f $TMPLOG

[root@localhost ~]# chmod 700 chkrootkit ← Grant execute permission to the script
[root@localhost ~]# mv chkrootkit /etc/cron.daily/ ← Move the script to the directory for daily automated execution
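The daily script above mails root only when an INFECTED line is present, so a run in which chkrootkit never executed (binary removed, non-zero exit, empty report) looks exactly like a clean run. The following is an added example, not the guide's own script: it keeps the guide's port-465 workaround and /usr/local/chkrootkit layout, but classifies each run as clean, infected or error and mails root on errors too. The function names, the constructed sample reports and the choice to pass the port-465 decision as an argument are my assumptions, not chkrootkit's interface.

```shell
#!/bin/bash
# Added example, not the guide's own cron script. The helpers read a saved
# chkrootkit report and classify it, so that a run that never happened
# (chkrootkit missing, non-zero exit status, empty report) is mailed as an
# error instead of passing silently as "clean".

# infected_lines REPORT [PORT465_IS_BINDSHELL]
# Prints the INFECTED lines of REPORT. The port-465 hit that the bindshell
# test raises on an SMTPS listener is dropped unless the second argument
# is "yes". The guide's script makes that decision with lsof; taking it as
# an argument lets this function run on a saved report without lsof.
infected_lines() {
    local report="$1" keep465="${2:-no}"
    if [ "$keep465" = yes ]; then
        grep INFECTED "$report" || true
    else
        grep INFECTED "$report" | grep -v 465 || true
    fi
}

# classify_report REPORT EXITCODE [PORT465_IS_BINDSHELL]
# Prints one word: error, infected or clean.
classify_report() {
    local report="$1" rc="$2" keep465="${3:-no}"
    if [ "$rc" -ne 0 ] || [ ! -s "$report" ]; then
        echo error
    elif [ -n "$(infected_lines "$report" "$keep465")" ]; then
        echo infected
    else
        echo clean
    fi
}

# daily_run: the body a /etc/cron.daily script would call. Assumes chkrootkit
# is installed under /usr/local/chkrootkit as in the guide, and that logger,
# mail and /usr/sbin/lsof exist as in the guide's script.
daily_run() {
    local tmplog rc keep465 verdict
    tmplog=$(mktemp)
    trap 'rm -f "$tmplog"' EXIT
    if /usr/local/chkrootkit/chkrootkit > "$tmplog" 2>&1; then rc=0; else rc=$?; fi
    logger -t chkrootkit < "$tmplog"
    # Same lsof test as the guide's SMTP workaround
    keep465=no
    if /usr/sbin/lsof -i:465 2>/dev/null | grep -q bindshell; then keep465=yes; fi
    verdict=$(classify_report "$tmplog" "$rc" "$keep465")
    case "$verdict" in
        infected)
            infected_lines "$tmplog" "$keep465" \
                | mail -s "chkrootkit report in $(hostname)" root ;;
        error)
            { printf 'chkrootkit exit status %s, report follows:\n' "$rc"; cat "$tmplog"; } \
                | mail -s "chkrootkit did NOT complete in $(hostname)" root ;;
    esac
}
```

To use it as the cron job, append a line calling `daily_run` at the end of the file and install it under /etc/cron.daily/ exactly as the guide does. The "error" branch is the point of the exercise: an attacker who simply deletes or breaks the checker would otherwise go unnoticed for as long as nobody notices the absence of mail.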

Backing Up chkrootkit-Related System Commands

  As mentioned earlier, if the system commands used by chkrootkit are altered by an intruder, it will lose its ability to detect rootkits. To prevent this, back up these system commands in advance. When needed, use the backed-up commands to restore chkrootkit’s detection ability.

[root@localhost ~]# mkdir /root/commands/ ← Create a directory to temporarily store command backups
[root@localhost ~]# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed uname` /root/commands/ ← Back up the system commands to the newly created directory (enter as a single line, without line breaks)
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands|grep INFECTED ← Run chkrootkit using the backed-up commands
[root@localhost ~]# tar cvf /root/commands.tar /root/commands/ ← Package the command backup
[root@localhost ~]# gzip /root/commands.tar ← Compress the packaged backup file (then download the resulting commands.tar.gz with SCP to a secure location)
[root@localhost ~]# rm -rf commands* ← For security reasons, delete the server-side backup files and related directories

  If you need to run chkrootkit using the backed-up commands in the future, upload the compressed backup file to the server’s directory and decompress it. Run chkrootkit while specifying the appropriate directory. For example, assuming the backup has been uploaded to the root user’s home directory:

[root@localhost ~]# tar zxvf /root/commands.tar.gz ← Decompress the command backup
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands|grep INFECTED ← Run chkrootkit using the backed-up commands
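The backup is only useful if the copy that is later uploaded is the one taken at install time, and the guide gives no way to check that, nor a way to tell which live commands have changed since. The following is an added example, not part of the guide: it records SHA-256 sums of the backed-up commands at backup time, verifies the unpacked backup against that manifest before chkrootkit -p trusts it, and lists the live commands whose binaries differ from the baseline. It uses sha256sum, readlink and command -v from coreutils and the shell; the function names and the manifest file name are my assumptions, and the directory layout is the guide's /root/commands/.

```shell
#!/bin/bash
# Added example, not part of the guide. Records SHA-256 sums of the backed-up
# commands so that (a) the backup can be verified before "chkrootkit -p"
# trusts it and (b) the live system commands can be compared against the
# baseline taken at install time.

# make_manifest BACKUPDIR MANIFEST
# Writes "<sha256>  <name>" lines, one per backed-up command. Keep the
# manifest with the offline copy of commands.tar.gz, not on the server.
make_manifest() {
    local dir="$1" out="$2"
    ( cd "$dir" && sha256sum -- * ) > "$out"
}

# verify_backup BACKUPDIR MANIFEST
# Prints "ok" when every backed-up file matches the manifest, otherwise the
# "name: FAILED" lines from sha256sum -c for files that differ or are missing.
verify_backup() {
    local dir="$1" manifest failures
    manifest=$(readlink -f -- "$2")
    failures=$(cd "$dir" && sha256sum -c --quiet -- "$manifest" 2>/dev/null) || true
    if [ -z "$failures" ]; then echo ok; else echo "$failures"; fi
}

# live_drift MANIFEST
# For each command in the manifest, hashes the binary the current PATH
# resolves to and prints the names whose hash differs from the baseline
# (or that can no longer be found). A name listed here is either a package
# update or exactly the tampering the guide warns about; check it against
# the package manager before trusting the live command.
live_drift() {
    local manifest="$1" sum name path live
    while read -r sum name; do
        path=$(command -v "$name" 2>/dev/null) || { echo "$name"; continue; }
        live=$(sha256sum -- "$path" | cut -d' ' -f1)
        [ "$live" = "$sum" ] || echo "$name"
    done < "$manifest"
}

# Typical use on a fresh install (paths as in the guide):
#   make_manifest /root/commands /root/commands.sha256
# and later, after uploading and unpacking the backup:
#   verify_backup /root/commands /root/commands.sha256   # expect "ok"
#   live_drift /root/commands.sha256                      # names that changed
#   /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED
```

Run make_manifest right after the cp step in the backup procedure and take the manifest off the server together with commands.tar.gz. A non-"ok" result from verify_backup means the uploaded copy is not the one you took, so do not run chkrootkit -p against it; a name from live_drift that the package manager cannot account for is the case the backup exists for.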