Wednesday, September 8, 2010
11:18 AM

Detecting Rootkits in Ubuntu system using Chkrootkit and Rkhunter

A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit will usually either manipulate the data set the operating system relies on, or alter the execution flow of the operating system.

It is important you realize that rootkits are designed to be very stealth, meaning they are difficult to find or detect by normal means. Many rootkits have been so well written that their presence can go undetected for years. They are written by experienced individuals with an advanced level of programming knowledge far above that of the average virus or malware writer. A rootkit is not an exploit. It is what an attacker uses after an initial exploit to allow future undetected access to a compromised computer.

Chkrootkit:
chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit: shell script that checks system binaries for rootkit modification.

Installation:
Open up the terminal and type the following command to install chkrootkit:
$ sudo apt-get install chkrootkit

Using chkrootkit:
Open up the terminal and type the command: $ sudo chkrootkit
This will perform all tests

Other Configurations:
If you want an automatic daily run of chkrootkit:
Open /etc/chkrootkit.conf and Replace RUN_DAILY="false" by RUN_DAILY="true"

If you also want a daily mailed report :
Open /etc/cron.daily/chkrootkit and replace '$CHKROOTKIT $RUN_DAILY_OPTS' by
'$CHKROOTKIT $RUN_DAILY_OPTS | mail -s '"\"Daily chkrootkit run from $HOSTNAME \"$YOUR_EMAIL_ADDRESS"'

Rkhunter:
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like 'skdet' and 'unhide'. It should run on almost every Unix clone.

Installation:
Open up the terminal and type the following command to install Rkhunter:
$ sudo apt-get install Rkhunter

Using Rkhunter:
Open up the terminal and type the command: $ sudo rkhunter --check
This will perform all tests

By default, the log file '/var/log/rkhunter.log' will be created. It will contain the results of the checks made by Rkhunter

The following command option causes rkhunter to check and download the later version of any of its text data files: $ sudo rkhunter --update

To see what other options can be used with rkhunter, enter: $ sudo rkhunter --help

0 comments:

Post a Comment