chkrootkit is a tool that helps an administrator check a system and find out whether it is infected with rootkit malware. In this article we show you how to install chkrootkit on CentOS 7. You can also visit the packages available at Eldernode if you wish to purchase CentOS VPS hosting.
How to Install ChkrootKit on CentOS 7 | CentOS 8
Introduction to rootkits
A rootkit is one of the most dangerous types of malware: a malicious program on a Linux system that is hard to discover and remove. A rootkit has strong concealment capabilities; it can hide in files, settings, or processes and steal users' information. Rootkits give the attacker remote control and remain hidden for a long period of time. The most obvious sign of a rootkit is a slowdown of the system, which indicates that a malicious agent is operating in the background.
What is chkrootkit?
chkrootkit is a common and popular Unix security scanner used to detect rootkits and related malware. It helps server administrators check their system for known rootkits and secure the server, and it can find files and processes associated with rootkits. Running it regularly helps protect your system from known rootkits; you should also make sure all programs and software are updated so the system is protected from known vulnerabilities.
Installing chkrootkit on CentOS 7
chkrootkit isn't available in the CentOS 7 repository packages. Before anything else, update the installed packages by entering the following command:
yum update -y
chkrootkit includes C programs. To avoid errors during the build, install the C/C++ compilers and the glibc-static package by running the following command:
yum install wget gcc-c++ glibc-static
Now go to the official chkrootkit website and download the latest available chkrootkit release:
wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Then check that the downloaded archive has not been tampered with or damaged. To do this, download the md5 hash file published for the chkrootkit archive and verify the archive against it:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
chkrootkit.tar.gz: OK
After the download is complete, go to the download folder and extract the archive. Then move the extracted contents to a separate folder, as follows, and build it. Alternatively, you can extract it in the same path and move the chkrootkit binary to the /usr/bin folder.
tar -xzf chkrootkit.tar.gz
mkdir /usr/local/chkrootkit
mv chkrootkit-0.52/* /usr/local/chkrootkit
cd /usr/local/chkrootkit
make sense
Next, scan the server by running chkrootkit:
/usr/local/chkrootkit/chkrootkit
Now you can enable automatic daily scanning by adding a cron entry; the scan report will then be sent to your email address. Create /etc/cron.daily/chkrootkit.sh with the following contents:
#!/bin/sh
( /usr/local/chkrootkit/chkrootkit ) | /bin/mail -s 'CHKROOTKIT Daily Run (ServerName)' [email protected]
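The cron script above mails the whole report every day, so recurring benign findings (a daemon that legitimately opens a raw socket being reported as a PACKET SNIFFER, for instance) soon get ignored. The following variant, an added example that is not part of chkrootkit or of the original article, keeps a baseline of findings you have already reviewed and mails only when a new line appears; the state directory, baseline file name and recipient are assumptions. Save it as /etc/cron.daily/chkrootkit.sh and make it executable.

```shell
#!/bin/sh
# Daily chkrootkit run that mails only when a finding is NEW, i.e. not in a
# baseline of findings you have already reviewed. Added example, not part of
# the chkrootkit project; STATE, BASELINE and MAILTO are assumed values,
# CHK is where the article installed chkrootkit.
CHK=/usr/local/chkrootkit/chkrootkit
STATE=/var/lib/chkrootkit                  # assumed state directory
BASELINE=$STATE/reviewed-findings.txt      # one reviewed finding per line
REPORT=$STATE/last-report.txt
MAILTO=root                                # assumed recipient

# Keep the lines of a quiet-mode (-q) report that actually flag something:
# drop blanks and the "not tested" / "not infected" style lines.
flagged_lines() {
    grep -vE '^$|not tested|not infected|not found|nothing found' "$1" || true
}

# Print flagged lines of report $1 that are absent from baseline $2.
# Whole-line, fixed-string comparison, so baseline entries are pasted verbatim
# from an earlier report.
new_findings() {
    flagged_lines "$1" | sort -u | grep -vxF -f "$2" || true
}

daily_run() {
    mkdir -p "$STATE"
    [ -f "$BASELINE" ] || : > "$BASELINE"
    # chkrootkit's exit status is not a verdict; the report text is.
    "$CHK" -q > "$REPORT" 2>&1 || true
    new=$(new_findings "$REPORT" "$BASELINE")
    if [ -n "$new" ]; then
        printf 'New chkrootkit findings on %s:\n\n%s\n\nFull report: %s\n' \
            "$(hostname)" "$new" "$REPORT" |
            /bin/mail -s "chkrootkit: new findings on $(hostname)" "$MAILTO"
    fi
}

# Run the scan only where chkrootkit is actually installed; otherwise the
# functions above can still be sourced and exercised on a saved report.
if [ -x "$CHK" ]; then
    daily_run
else
    echo "chkrootkit not found at $CHK; nothing scanned" >&2
fi
```

Once you have confirmed that a reported line is benign, append it verbatim to the baseline file and it will no longer trigger mail.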
chkrootkit consists of a shell script called chkrootkit and several C programs. The shell script scans system binaries for rootkit modifications, and the C programs perform various security checks, including:
- ifpromisc.c: Check if the network interface is in promiscuous mode.
- chklastlog.c: Check lastlog deletions.
- chkwtmp.c: Check wtmp deletions.
- chkproc.c: Check for signs of LKM trojans.
- chkdirs.c: Check for signs of LKM trojans.
- strings.c: Perform quick and dirty string replacements.
- chkutmp.c: Check for utmp deletions.
What is the Purpose of Using chkrootkit?
You can simply run this tool as root with the chkrootkit command, which runs all tests. Use the options listed below to select specific behaviour when executing this command:
- -h: Show a short help message and exit.
# chkrootkit -h
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -e                exclude known false positive files/dirs, quoted,
                          space separated, READ WARNING IN README
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
-V: Show version information and exit.
# chkrootkit -V
chkrootkit version 0.52
-l: Show available tests and exit.
# chkrootkit -l
/usr/sbin/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
-d: Enter debug mode.
-x: Enter expert mode.
-e: Exclude known false-positive files/dirs (quoted, space-separated).
-q: Enter quiet mode. In quiet mode, only messages about items with infected status are displayed.
# chkrootkit -q
Checking `tcpd'... INFECTED
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-23-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
INFECTED PORTS: ( 465)
eth0: PACKET SNIFFER(/lib/systemd/systemd-networkd[536])
not tested
-r dir: Use dir as the root directory.
# chkrootkit -r /mnt/
This checks all files under the specified directory.
-p dir1:dir2:dirN: Add extra paths in which chkrootkit looks for the external commands it uses.
# ./chkrootkit -p /cdrom/bin:/floppy/mybin
-n: Skip NFS-mounted directories.
Conclusion
In this article, you learned how to install chkrootkit on CentOS 7. You should check your servers regularly for suspicious activity or intrusion, and chkrootkit helps protect them by making such security checks routine. I hope this tutorial was useful for you.