Wednesday, November 11, 2009

Checking your Linux system for Rootkits

Chkrootkit is a tool that locally checks a system for signs of a rootkit.
1) Download the tarball and its MD5 checksum file:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
2) Check the MD5 checksum; the hash printed should match the one in chkrootkit.md5:
md5sum chkrootkit.tar.gz
3) Then extract and install:
tar -zxvf chkrootkit.tar.gz
cd chkrootkit
make sense
4) You can run it with the following command:
./chkrootkit
5) Now we are going to add it to cron to schedule daily automatic scans of the system:
vi /etc/cron.daily/chkrootkit.sh
#!/bin/sh
# Enter the directory where chkrootkit is installed
cd /root/chkrootkit/ || exit 1
# Enter your email address where you want to receive the report
./chkrootkit | mail -s "Daily chkrootkit from Server Name" your@email.com

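6) Now change the file permissions so we can run it:
chmod 755 /etc/cron.daily/chkrootkit.sh
7) To try it out, run the chkrootkit.sh file manually from the /etc/cron.daily directory; you should receive a report at the email address you provided. On Debian-based systems, run-parts skips file names that contain a dot, so there the script needs to be named chkrootkit (without .sh) to run from cron.daily.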
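
The daily job in step 5 mails the full chkrootkit output, where a single positive result is easy to miss among the routine lines. The script below is an added example, not part of the original post: it moves the lines marked INFECTED to the top of the mail and puts the count in the subject. The sample output, the host name server1 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: triage chkrootkit output for the mail.

# Constructed sample in chkrootkit's "Checking `name'... result" layout (not a real host).
sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... not tested
EOF
}

# Read a report on stdin and print only the lines that need review.
# INFECTED is chkrootkit's status for a positive test; also matching "Warning"
# is an assumption about how other alerts are worded. A hit is a lead to
# investigate, not proof of compromise.
chk_findings() {
    awk '/INFECTED/ || /[Ww]arning/ { print }'
}

# Subject line that shows the outcome. $1 = host name, $2 = full report text
chk_subject() {
    n=$(printf '%s\n' "$2" | chk_findings | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "[ALERT] chkrootkit on $1: $n finding(s)"
    else
        echo "[ok] chkrootkit on $1: no findings"
    fi
}

# Mail body: findings first, then the full report. $1 = full report text
chk_body() {
    f=$(printf '%s\n' "$1" | chk_findings)
    if [ -n "$f" ]; then printf 'Lines needing review:\n%s\n\n' "$f"; fi
    printf 'Full report:\n%s\n' "$1"
}

# Demo on the constructed sample. In the cron script, use instead:
#   report=$(./chkrootkit 2>&1)
#   chk_body "$report" | mail -s "$(chk_subject "$(hostname)" "$report")" your@email.com
report=$(sample_output)
chk_subject "server1" "$report"
chk_body "$report"
```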
