[chkrootkit: kicking script kiddies' asses since 1997]

locally checks for signs of a rootkit

  1. How does chkrootkit detect a trojaned system command?
  2. Can chkrootkit detect modified (or new) rootkit versions?
  3. Why haven't you written chkrootkit in Perl?
  4. Which commands does chkrootkit use?
  5. Can I trust these commands on a compromised machine?
  6. How accurate is chkproc?
  7. I'm running PortSentry/klaxon. What's wrong with the bindshell test?
  8. chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?
  9. Can I run chkrootkit from cron?

  1. How does chkrootkit detect a trojaned system command?

    chkrootkit looks for known "signatures" in trojaned system binaries. For example, some trojaned versions of ps have "/dev/ptyp" inside them.

    Obviously an attacker can easily modify the rootkit sources to change its signatures and avoid chkrootkit detection. See next question.

  2. Can chkrootkit detect modified (or new) rootkit versions?

    If chkrootkit can't find a known signature inside a file, it can't automatically determine if it has been trojaned. Try to run chkrootkit in expert mode (-x option) -- in this mode the user can examine suspicious strings in the binary programs that may indicate a trojan.

    For example, lots of data can be seen with:

    # ./chkrootkit -x | more

    Pathnames inside system commands:

    # ./chkrootkit -x | egrep '^/'
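    The script below is an added example and is not chkrootkit's own code. It shows, in POSIX shell, the two ideas in questions 1 and 2: matching known signature strings inside a binary, and listing the pathnames embedded in it the way `chkrootkit -x | egrep '^/'` does. Only "/dev/ptyp" comes from this FAQ; the second entry in SIGNATURES is a constructed placeholder, and the two sample "binaries" are constructed byte strings standing in for a clean and a trojaned ps. It avoids binutils' strings command on purpose, since on a suspect host that command may itself be untrustworthy (see question 5).

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: signature scan plus expert-mode
# style pathname listing. SIGNATURES is a placeholder list; only "/dev/ptyp"
# is taken from the FAQ. The sample files created below are constructed.
export LC_ALL=C

SIGNATURES='/dev/ptyp
/dev/ptyq'

# Print the printable strings (4+ characters) in a file. Non-printable bytes
# become line breaks, so this does not rely on the system's "strings" binary.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# List embedded pathnames (strings starting with "/"): the expert-mode view.
embedded_paths() {
    printable_strings "$1" | grep '^/'
}

# scan_binary FILE: print "FILE: SIGNATURE" for every signature found.
# Exit status 0 = at least one hit, 1 = no known signature, 2 = unreadable.
scan_binary() {
    _file=$1
    [ -r "$_file" ] || { echo "scan_binary: cannot read $_file" >&2; return 2; }
    _hits=0
    for _sig in $SIGNATURES; do
        if printable_strings "$_file" | grep -F -q -e "$_sig"; then
            echo "$_file: $_sig"
            _hits=$((_hits + 1))
        fi
    done
    [ "$_hits" -gt 0 ]
}

# Constructed samples: a "clean" ps and one carrying the /dev/ptyp marker.
# Prints the directory holding them.
make_samples() {
    _dir=${TMPDIR:-/tmp}/sigscan.$$
    mkdir -p "$_dir"
    printf '\177ELF\001\002ps text\000/usr/bin/ps\000' > "$_dir/clean_ps"
    printf '\177ELF\001\002ps text\000/dev/ptyp\000/usr/bin/ps\000' > "$_dir/trojaned_ps"
    echo "$_dir"
}

# Demo: expert-mode listing and signature verdict for both samples.
demo_dir=$(make_samples)
for f in "$demo_dir/clean_ps" "$demo_dir/trojaned_ps"; do
    echo "== $f"
    echo "embedded pathnames:"
    embedded_paths "$f" || echo "(none)"
    if scan_binary "$f"; then
        echo "result: SUSPICIOUS (known signature)"
    else
        echo "result: no known signature (inspect the strings above by hand)"
    fi
done
rm -rf "$demo_dir"
```

    As the FAQ says, an absent signature proves nothing: the clean sample above passes the signature scan, which is why the pathname listing is printed alongside it for manual review.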

  3. Why haven't you written chkrootkit in Perl?

    Not all systems have Perl available. The motivation was to write a simple tool that could be run in systems with minimal installation.

  4. Which commands does chkrootkit use?

    The following commands are used by the chkrootkit script:

    awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname

  5. Can I trust these commands on a compromised machine?

    Probably not. We suggest you follow one of the alternatives below:

    1. Use the `-p path' option to supply an alternate path to binaries you trust:

      # ./chkrootkit -p /cdrom/bin

    2. Mount the compromised machine's disk on a machine you trust and specify a new rootdir with the `-r rootdir' option:

      # ./chkrootkit -r /mnt
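    The script below is an added example, not part of chkrootkit. It prepares the kind of directory the `-p path' option expects: copies of the commands listed in question 4, taken from a system you trust, together with a checksum manifest so the copies can be re-verified before every run. It assumes POSIX cksum (chosen because it needs no extra packages; it is a CRC, not a cryptographic hash, so the manifest should live on read-only media such as the /cdrom of the example above rather than being relied on alone). The demo uses constructed tiny scripts as stand-ins for the real binaries so that it runs anywhere.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: build and verify a directory of
# trusted command copies for "chkrootkit -p DIR". COMMANDS is the list from
# question 4 of the FAQ. Assumes POSIX cksum; the demo inputs are constructed.
export LC_ALL=C

COMMANDS='awk cut echo egrep find head id ls netstat ps strings sed uname'

# build_trusted_bin SRC_DIR DEST_DIR: copy each command found in SRC_DIR into
# DEST_DIR and write DEST_DIR/MANIFEST with "crc size name" for every copy.
build_trusted_bin() {
    _src=$1
    _dst=$2
    mkdir -p "$_dst"
    for _cmd in $COMMANDS; do
        if [ -f "$_src/$_cmd" ]; then
            cp -p "$_src/$_cmd" "$_dst/$_cmd"
        fi
    done
    ( cd "$_dst" && for _f in *; do
          if [ "$_f" != MANIFEST ]; then cksum "$_f"; fi
      done ) > "$_dst/MANIFEST"
}

# verify_trusted_bin DIR: recompute every checksum and compare with MANIFEST.
# Exit status 0 = all copies unchanged, 1 = a copy is missing or modified.
# (Manifest entries are split on whitespace, so names must not contain spaces.)
verify_trusted_bin() {
    _dst=$1
    [ -f "$_dst/MANIFEST" ] || { echo "no MANIFEST in $_dst" >&2; return 1; }
    _bad=0
    while read -r _sum _size _name; do
        if [ ! -f "$_dst/$_name" ]; then
            echo "missing: $_name" >&2
            _bad=1
            continue
        fi
        _now=$(cd "$_dst" && cksum "$_name")
        if [ "$_now" != "$_sum $_size $_name" ]; then
            echo "CHANGED: $_name" >&2
            _bad=1
        fi
    done < "$_dst/MANIFEST"
    return $_bad
}

# Demo with constructed stand-ins (tiny scripts) for the real commands.
# In practice SRC would be /bin and /usr/bin of a host you trust.
src=${TMPDIR:-/tmp}/trusted_src.$$
dst=${TMPDIR:-/tmp}/trusted_bin.$$
mkdir -p "$src"
for c in $COMMANDS; do
    printf '#!/bin/sh\necho "stand-in for %s"\n' "$c" > "$src/$c"
done
build_trusted_bin "$src" "$dst"
verify_trusted_bin "$dst" && echo "copies verified; usable as: ./chkrootkit -p $dst"
echo tampered >> "$dst/ps"        # simulate a modified copy
verify_trusted_bin "$dst" || echo "verification failed; do not use $dst"
rm -rf "$src" "$dst"
```

    Run verify_trusted_bin against the directory on the trusted media before each chkrootkit invocation; a CHANGED or missing entry means the trusted path itself can no longer be trusted.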

  6. How accurate is chkproc?

    If you run chkproc on a server that runs lots of short-lived processes, it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created or killed while this comparison is in progress, chkproc could point out these PIDs as suspicious.
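    The script below is an added example and is not chkrootkit's chkproc. It reproduces the comparison described above (PIDs present in /proc but absent from ps output are suspicious) and deals with the false positive the answer warns about: a PID is only reported if it is hidden in two snapshots taken a second apart, so a process created or killed between the ps and /proc reads drops out. The comparison functions take the PID lists as arguments, so they can be exercised on constructed lists; the live collectors assume a Linux-style /proc.

```shell
#!/bin/sh
# Added example, not chkrootkit's chkproc: compare /proc with ps output and
# confirm hidden PIDs across two snapshots to filter short-lived processes.
# Assumes a Linux-style /proc for the live check; demo lists are constructed.
export LC_ALL=C

# hidden_in_snapshot "PROC_PIDS" "PS_PIDS": print PIDs that appear in the
# first whitespace-separated list but not in the second, one per line.
hidden_in_snapshot() {
    _a=${TMPDIR:-/tmp}/chkproc_a.$$
    _b=${TMPDIR:-/tmp}/chkproc_b.$$
    printf '%s\n' $1 | sort -u > "$_a"
    printf '%s\n' $2 | sort -u > "$_b"
    comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# confirmed_hidden "HIDDEN_1" "HIDDEN_2": PIDs hidden in both snapshots.
# A process that was created or killed between the ps and /proc reads shows
# up in only one snapshot and is discarded here.
confirmed_hidden() {
    _a=${TMPDIR:-/tmp}/chkproc_c.$$
    _b=${TMPDIR:-/tmp}/chkproc_d.$$
    printf '%s\n' $1 | sort -u > "$_a"
    printf '%s\n' $2 | sort -u > "$_b"
    comm -12 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Live collectors (Linux). The ps process itself is a legitimate transient,
# which is one more reason to compare two snapshots.
proc_pids() { ls /proc | grep -E '^[0-9]+$'; }
ps_pids()   { ps -e -o pid= | tr -d ' '; }

# live_check: two snapshots a second apart; print PIDs hidden in both.
# Exit status 0 = nothing confirmed, 1 = at least one PID confirmed hidden.
live_check() {
    _h1=$(hidden_in_snapshot "$(proc_pids)" "$(ps_pids)")
    sleep 1
    _h2=$(hidden_in_snapshot "$(proc_pids)" "$(ps_pids)")
    _c=$(confirmed_hidden "$_h1" "$_h2")
    [ -z "$_c" ] && return 0
    printf '%s\n' "$_c"
    return 1
}

# Demo on constructed snapshots: PID 4242 is missing from ps in both, while
# PID 777 only exists in the first (a short-lived process that exited).
snap1_hidden=$(hidden_in_snapshot "1 2 777 4242 9000" "1 2 9000")
snap2_hidden=$(hidden_in_snapshot "1 2 4242 9000 9001" "1 2 9000 9001")
echo "snapshot 1 hidden: $(echo $snap1_hidden)"
echo "snapshot 2 hidden: $(echo $snap2_hidden)"
echo "confirmed hidden : $(confirmed_hidden "$snap1_hidden" "$snap2_hidden")"

# Pass --live to run the real comparison against this host.
if [ "${1:-}" = "--live" ]; then
    live_check && echo "no PID hidden in both snapshots"
fi
```

    On a busy server the second snapshot removes most of the noise chkproc would otherwise report; a PID that survives both comparisons still deserves a look at /proc/PID/status and /proc/PID/exe from trusted binaries (question 5).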

  7. I'm running PortSentry/klaxon. What's wrong with the bindshell test?

    If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

  8. chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?

    Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.

  9. Can I run chkrootkit from cron?

    Yes. For example, to run chkrootkit every day at 3am and mail the output to root:

    0 3 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
$Date: 2007/12/17 19:04:27 $