chkrootkit is a tool to locally check for signs of a rootkit. It contains:
- chkrootkit: shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
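As an added illustration of what a wtmp-deletion check like chkwtmp.c looks for (this is example code, not chkrootkit's own, and it does not reproduce chkwtmp's exact algorithm): wtmp is an append-only log of fixed-size records, so a zero-filled record or a timestamp that runs backwards points to an entry that was blanked or rewritten. It assumes glibc's 384-byte x86_64 struct utmp layout; the records below are constructed inline.

```python
import struct

# glibc x86_64 struct utmp (384 bytes), little-endian (assumed layout):
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6, reserved
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one wtmp record (constructed sample data, not a real log)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"", b"")

def check_wtmp(data):
    """Return (record index, reason) findings for a wtmp byte blob.
    Two heuristics: a zero-filled record, which a log cleaner that blanks
    entries leaves behind, and a timestamp lower than the highest one seen
    so far, which an append-only log never produces on its own."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append((-1, "file size is not a multiple of the record size"))
    high_water = 0
    for idx in range(len(data) // UTMP_SIZE):
        rec = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if rec == b"\x00" * UTMP_SIZE:
            findings.append((idx, "zero-filled record"))
            continue
        tv_sec = struct.unpack(UTMP_FMT, rec)[9]
        if tv_sec < high_water:
            findings.append((idx, "timestamp goes backwards"))
        high_water = max(high_water, tv_sec)
    return findings

T0 = 1197900000  # constructed epoch time, December 2007
CLEAN = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "client.example", T0 + 600),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", T0 + 1800),
])
# Tampered copy: the login record blanked, and the logout record rewritten
# with a time earlier than the boot record that precedes it
TAMPERED = (CLEAN[:UTMP_SIZE] + b"\x00" * UTMP_SIZE
            + make_record(DEAD_PROCESS, 1201, "pts/0", "", "", T0 - 60))

if __name__ == "__main__":
    print("clean:", check_wtmp(CLEAN))        # []
    print("tampered:", check_wtmp(TAMPERED))  # two findings
```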
Chkrootkit is listed in the "Top 100 Network Security Tools" survey, 2006 edition, released by Insecure.Org. We would like to thank all people who voted for chkrootkit as their favourite tool!
What's New
chkrootkit 0.48 is now available! (Release Date: Mon Dec 17 2007) This version includes:
- chkrootkit
- new tests: common SSH brute force scanners, suspicious PHP files
- enhanced tests: login, netstat, top, backdoor
- some minor bug fixes
chkrootkit-m 0.2 for mobile phones is now available! (Release Date: Mon Dec 17 2007) This version includes:
- chkrootkit-m
- chkrootkit Python port for mobile phones
- tests: Cabir A-E Variants, Lasco, Skulls, Comwar.C,
Comwar.Q, Acallno.A, Cardblock.A, Mopofeli.A, SingleJump.C
- still in alpha stage
Tests performed and rootkits detected
The following tests are made:
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
The following rootkits, worms and LKMs are currently detected:
01. lrk3, lrk4, lrk5, lrk6 (and variants);
02. Solaris rootkit;
03. FreeBSD rootkit;
04. t0rn (and variants);
05. Ambient's Rootkit (ARK);
06. Ramen Worm;
07. rh[67]-shaper;
08. RSHA;
09. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm;
13. LPD Worm;
14. kenny-rk;
15. Adore LKM;
16. ShitC Worm;
17. Omega Worm;
18. Wormkit Worm;
19. Maniac-RK;
20. dsc-rootkit;
21. Ducoci rootkit;
22. x.c Worm;
23. RST.b trojan;
24. duarawkz;
25. knark LKM;
26. Monkit;
27. Hidrootkit;
28. Bobkit;
29. Pizdakit;
30. t0rn v8.0;
31. Showtee;
32. Optickit;
33. T.R.K;
34. MithRa's Rootkit;
35. George;
36. SucKIT;
37. Scalper;
38. Slapper A, B, C and D;
39. OpenBSD rk v1;
40. Illogic rootkit;
41. SK rootkit;
42. sebek LKM;
43. Romanian rootkit;
44. LOC rootkit;
45. shv4 rootkit;
46. Aquatica rootkit;
47. ZK rootkit;
48. 55808.A Worm;
49. TC2 Worm;
50. Volc rootkit;
51. Gold2 rootkit;
52. Anonoying rootkit;
53. Shkit rootkit;
54. AjaKit rootkit;
55. zaRwT rootkit;
56. Madalin rootkit;
57. Fu rootkit;
58. Kenga3 rootkit;
59. ESRK rootkit;
60. rootedoor rootkit;
61. Enye LKM;
62. Lupper.Worm;
63. shv5.
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x, NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.
More details can be found in chkrootkit's README.
Mailing List
To subscribe:
echo "subscribe users your email" | mail majordomo@chkrootkit.org
The online archive of this mailing list is located at The Mailing list ARChives (MARC).
Contacting the Authors
Please send comments, new rootkits, questions and bug reports to Nelson Murilo <nelson@pangeia.com.br> (main author) and Klaus Steding-Jessen <jessen@cert.br> (co-author).