Unixbhaskar's Blog

Friday, October 16, 2009

Checking malware for GNU/Linux system

Basically, I use two very good open source tools to check my servers at regular intervals. One is chkrootkit, and the second is rkhunter. Both are capable of checking for trojans and signs of a rootkit.

You have to get them from their sites as source and build them, or install them manually or with some prepared scripts. Once they are installed, both tools can be put into cron to run the check at a set interval.

I do not issue any guarantee that this will work for you.

Here is an excerpt from the chkrootkit site on how to use it. For details, please visit the website:


chkrootkit must run as root. The simplest way is:

# ./chkrootkit

This will perform all tests. You can also specify only the tests you
want, as shown below:

Usage: ./chkrootkit [options] [testname ...]
-h show this help and exit
-V show version information and exit
-l show available tests
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs

Where testname stands for one or more from the following list:

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
inetdconf identd init killall ldsopreload login ls lsof mail mingetty
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
traceroute vdir w write

For example, the following command checks for trojaned ps and ls
binaries and also checks if the network interface is in promiscuous

# ./chkrootkit ps ls sniffer

The `-q' option can be used to put chkrootkit in quiet mode -- in
this mode only output messages with `infected' status are shown.

With the `-x' option the user can examine suspicious strings in the
binary programs that may indicate a trojan -- all the analysis is
left to the user.

Lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut,
egrep, find, head, id, ls, netstat, ps, strings, sed, uname. It is
possible, with the `-p' option, to supply an alternate path to
chkrootkit so it won't use the system's (possibly) compromised
binaries to make its tests.

To use, for example, binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a `:'

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes it is a good idea to mount the disk from a compromised machine
on a machine you trust. Just mount the disk and specify a new
rootdir with the `-r' option.

For example, suppose the disk you want to check is mounted under
/mnt, then:

# ./chkrootkit -r /mnt
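
As an added example, not code from this post or from the chkrootkit project, here is a small POSIX sh cron wrapper that combines the `-q' and `-p' options above and mails root only when something is flagged; the chkrootkit path, the trusted-binaries directory, the mail(1) command and the sample report lines are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or the chkrootkit project: a cron
# wrapper that mails root only when a quiet chkrootkit run flags something.
# Assumptions: chkrootkit at CHKROOTKIT, trusted helper binaries (for -p)
# at TRUSTED_BIN, mail(1) on the PATH. Must run as root.

CHKROOTKIT=${CHKROOTKIT:-/usr/local/bin/chkrootkit}
TRUSTED_BIN=${TRUSTED_BIN:-/cdrom/bin}

# Count report lines that indicate a finding. chkrootkit prints "INFECTED"
# in upper case, so the lower-case "not infected" lines of a full report
# are not matched; the function therefore works on -q and full output alike.
count_findings() {
    printf '%s\n' "$1" |
        grep -c -E 'INFECTED|Warning|PACKET SNIFFER|Possible .* installed'
}

# Exit 0 when the report has no findings, 1 otherwise.
report_is_clean() {
    [ "$(count_findings "$1")" -eq 0 ]
}

# Run chkrootkit in quiet mode with the trusted helper binaries and mail
# root if anything was flagged. Returns 0 clean, 1 findings, 2 not root.
run_daily_check() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "chkrootkit must run as root" >&2
        return 2
    fi
    report=$("$CHKROOTKIT" -q -p "$TRUSTED_BIN" 2>&1)
    if report_is_clean "$report"; then
        return 0
    fi
    printf '%s\n' "$report" | mail -s "chkrootkit findings on $(uname -n)" root
    return 1
}

# Constructed sample of what a quiet run could print on a suspect host
# (made-up lines for demonstration, not output from any real system).
SAMPLE_REPORT=$(cat <<'EOF'
Checking `ps'... INFECTED
eth0: PACKET SNIFFER(/usr/sbin/dhcpd[1234])
Checking `ls'... INFECTED
Warning: Possible LKM Trojan installed
EOF
)
# Only perform the real check when executed as the daily cron script.
case "$0" in
    */chkrootkit-daily.sh|chkrootkit-daily.sh) run_daily_check ;;
esac
```

Save it as /etc/cron.daily/chkrootkit-daily.sh (mode 0700, owned by root) and it runs once a day; sourcing the file instead only defines the functions.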

Now for rkhunter. Before using it, the site asks you to read the following paragraph, quoted here as an excerpt:

Prior to any incident it is recommended that you have read
"Intruder Detection Checklist". This is available from
This document will tell you what to check, and makes it easier


On a GNU/Linux system, rkhunter can be run from cron as described in this excerpt from the rkhunter documentation:

The next example is of a cronjob script. For Linux systems this
script could be put into the /etc/cron.daily directory, so that
it will be automatically run every day.

The script might look like this:


#!/bin/sh
# Run rkhunter in cron mode, update its data files first, report warnings
# only (--rwo), and mail the result to root with the hostname in the subject.
( /usr/local/bin/rkhunter --cronjob --update --rwo && echo "" ) \
| /bin/mail -s "Rkhunter daily run on `uname -n`" root

exit 0

Please read the FAQ for these excellent tools to get the best out of them. I used to read a lot of the README file that comes along with the source before installing any open source software.

I hope this outline will help you prevent some woes, but not everything! A system is only as secure as you make it. Plus, security is a constant process which should not be ignored or left behind.

Bhaskar Chowdhury