Web Hosting Forum | Lunarpages

Author Topic: Installing Rootkit check (Scan for trojans/backdoor)  (Read 11206 times)

Offline abhilash

Installing Rootkit check (Scan for trojans/backdoor)
« on: May 04, 2005, 08:50:10 AM »
RootKits
========


The definitions
=============


"A kit for maintaining root"

"A root kit is a set of tools/programs used by an intruder after a successful intrusion into a system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Malicious purposes include, but are not limited to, a backdoor entry to the system, masking the fact that the system is compromised (by hiding logins, processes, logs etc.), tty monitoring and so on."
 
What it does
===========


A typical rootkit includes a set of modified Unix tools such as "ps", "top", "netstat", "w", "passwd", "du", "find", "login", "syslogd" and "ifconfig". When executed, these commands produce their normal output but leave out the processes run by the cracker, allowing him to maintain "root" on the system without the system administrator even seeing them. A well designed rootkit hides logins, processes, and logs and often includes software to intercept data from terminals (tty monitors), network connections (modified nc), and the keyboard (keyloggers).
 
A rootkit may also include utilities, known as backdoors, to help the attacker subsequently access the system more easily. For example, the rootkit may include an application that spawns a shell when the attacker connects to a particular network port on the system (a modified sshd server that spawns a shell without even asking for a password). Kernel rootkits (LKM rootkits) may provide functionality that allows processes started by a nonprivileged user to execute functions normally reserved for the superuser.
 
LKMs (Loadable Kernel Modules) are hard to find: they do not show up in lsmod, cannot be removed with rmmod, and some leave the kernel tainted. Still, most of them are detected by rootkit checkers, because they do not hide themselves when we do a cat /proc/ksyms and cat /proc/modules on the system.
 
Where do they keep the rootkits
===========================


Once they have gained root access to your system, they can keep the files in any directory, but the most common place is the /dev/ directory. Before asking me why /dev is a typical choice, do an ls on /dev :-P. They can also keep the rootkits and related binaries in /tmp, /dev/shm, /var/spool/samba and many other world-writable directories. These directories are the most common places to keep exploits on the way to gaining root access.
 
As it is very difficult for us to look into each and every directory, this is where rootkit checkers come into the picture. They are designed to check for known exploits/worms/rootkits as well as for signs of possible intrusion. Running one is not a preventative procedure in any way, and will not protect you from being cracked. It will, however, let you detect a compromise that has already happened, before too much damage is done. Be aware that "Security is a process, not a product".

Installing Chkrootkit
=================

 
1. Download chkrootkit and its md5sum from the URLs below to /usr/local/share/.chkrootkit (mkdir -p /usr/local/share/.chkrootkit will create the directory if it doesn't exist already. I recommend using hidden (starting with a period, .) and creatively named directories.)
 
        Chkrootkit --> ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
        md5sum --> ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
 
2. Once downloaded, check the md5sum by executing
Code:
md5sum chkrootkit.tar.gz
and compare it with the md5sum downloaded.
 
3. Extract and install
 
Code:
cd /usr/local/share/.chkrootkit
tar xvzf chkrootkit.tar.gz
# Remove any old chkrootkit-* directories first, so the glob matches only one
cd chkrootkit-*/
make sense

 
4. You can now run chkrootkit by executing
Code:
./chkrootkit
If you see not found/not infected/no suspect files/nothing deleted then you are safe.
 
5. However, if your system is compromised, the system files on which chkrootkit depends may be modified by the rootkits in such a way as to hide the modifications, thus defeating the purpose of its installation. So I recommend that you keep and use a local/safe copy of the binary files necessary to run chkrootkit.
 
On a newly installed system, you can execute the below command to copy all the files necessary to run chkrootkit.
 
Code:
mkdir -p /usr/local/share/.safebin
# Copy the binaries chkrootkit relies on (-L follows symlinks, -a keeps modes and timestamps)
cp -aL /bin/awk /usr/bin/cut /bin/egrep /usr/bin/find /usr/bin/head /usr/bin/id /bin/ls /bin/netstat /bin/ps /usr/bin/strings /bin/sed /bin/uname /bin/echo /usr/local/share/.safebin
cd /usr/local/share/
# Archive the hidden .safebin directory created above
tar cvzf safebin.tar.gz .safebin

 
and keep a copy of safebin.tar.gz on your local computer; upload, extract and use it whenever you wish to run chkrootkit.
 
In such a case, where you keep your own binaries, execute chkrootkit with the following option:
 
Code:
./chkrootkit -p /usr/local/share/.safebin
 
6. Running chkrootkit daily
 
I personally don't recommend running chkrootkit without any manual intervention. By simply running it periodically, you are alerting the attacker and he would change it so that it doesn't detect his presence.
 
Still, if you would like to proceed, use the cron service
 
Code:
crontab -e
 
and insert the below line in the file which opens up
 
0 1 * * * (cd /usr/local/share/.chkrootkit/chkrootkit-*/ && ./chkrootkit -p /usr/local/share/.safebin 2>&1 | mail -s "Chkrootkit output" youremail@yourdomain.tld)
 
7. What does each binary do?
 
chkrootkit - This is the master program
check_wtmpx - This checks your tmp dirs for problems
chkdirs - This recurses all directories looking for problems
chklastlog - This checks your lastlog to see if it's been "fixed"
chkproc - Checks the proc file system for trouble
chkwtmp - Checks for deleted entries.
chkutmp - Checks for hidden logins
ifpromisc - Checks to see if your NIC has been made promiscuous
strings-static - Does string checking for signatures.
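
The checks in steps 4 to 6 can be scripted. The shell functions below are an added example, not part of the original post or of chkrootkit: they verify the .safebin copies against a checksum manifest before a scan, and reduce chkrootkit output to the lines that are not one of the four clean results listed in step 4. The function names and the manifest path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# manifest path in the usage comment are assumptions.

# Record SHA-256 digests of the safe binaries. Run once on the freshly
# installed system; keep MANIFEST outside DIR and store a copy off-host.
make_manifest() {       # usage: make_manifest DIR MANIFEST
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# Fail if a listed file is modified or missing, or if DIR holds a file the
# manifest does not list. sha256sum itself comes from the host here, so on
# a suspect system run this check from trusted media.
verify_safebin() {      # usage: verify_safebin DIR MANIFEST
    report=$( (cd "$1" && sha256sum -c -) < "$2" 2>&1 ) || {
        printf '%s\n' "$report" | grep -v ': OK$' >&2
        return 1
    }
    have=$(cd "$1" && find . -type f | sort)
    want=$(sed 's/^[0-9a-f]*  //' "$2" | sort)
    [ "$have" = "$want" ] || { echo "unlisted file in $1" >&2; return 1; }
}

# Read chkrootkit output on stdin and print only the lines that do not end
# in one of the four results the post treats as clean. Returns 1 when at
# least one line needs manual review.
triage_chkrootkit() {
    clean='(not ?found|not infected|no suspect files|nothing deleted)'
    findings=$(grep -Ev "$clean[[:space:]]*\$" |
               grep -v '^[[:space:]]*$' || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (paths are examples):
#   verify_safebin /usr/local/share/.safebin /root/safebin.sha256 &&
#       ./chkrootkit -p /usr/local/share/.safebin 2>&1 | triage_chkrootkit
```

Any line that does not match one of the four clean results is printed, so unfamiliar messages are surfaced for review rather than silently dropped.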

Installing Rootkit hunter (RKhunter)
===============================

 
1. Download the latest version from http://downloads.rootkit.nl/. The latest version as of this writing is 1.2.5, at URL
 
http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
 
It would be nice to subscribe to their release announcements at http://freshmeat.net/projects/rkhunter/
 
or the easy way
Code:
/usr/local/bin/rkhunter --versioncheck
 
2. Extract and install by typing the below commands
 
Code:
tar zxf rkhunter-1.2.7.tar.gz ; cd rkhunter ; ./installer.sh
 
3. Once you have successfully installed it, run rkhunter by typing the command
 
Code:
/usr/local/bin/rkhunter -c --createlogfile --skip-keypress --checkall
 
The log file is created at /var/log/rkhunter.log
 
4. Periodic run
 
Code:
crontab -e
 
and insert the below line in the file which opens up
 
0 1 * * * (/usr/local/bin/rkhunter -c --cronjob --report-mode --createlogfile --skip-keypress 2>&1 | mail -s "Daily Rkhunter Scan Report" youremail@yourdomain.tld)

NB: Rkhunter has a few more checks than chkrootkit, such as checking /dev for suspicious files, an application (version) scan, checking a few key files in /etc and the like.

References
==========


[1] http://la-samhna.de/library/rootkits/detect.html - Samhain Labs explains
[2] http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html - An article from Sysadmin magazine
[3] http://vancouver-webpages.com/rkdet/ - Another RootKit checker
[4] http://www.cert.org/tech_tips/intruder_detection_checklist.html
[5] http://www.securityfocus.com/infocus/1811 - GDB , an advanced RootKit checker
[6] http://www.chkrootkit.org - Homepage of Chkrootkit
[7] http://www.rootkit.nl - Homepage of RootKit Hunter
[8] http://www.ossec.net/rootcheck/ - One more RootKit checker
[9] http://www.sans.org/y2k/t0rn.htm - Analysis of the infamous T0rn rootkit

Edit : Added latest rkhunter download URL
Abhilash

JSA Supervisor - System Admin Team

 
