Secure OS Software for Linux
1748073 Members
4373 Online
108758 Solutions
New Discussion юеВ

check for rootkits

 
SOLVED
Go to solution
'chris'
Super Advisor

check for rootkits

hi

howto check my debian server for rootkits ?
I have clamav installed, but I'm not sure if clamav could find rootkits.

kind regards
chris
7 REPLIES 7
Ivan Ferreira
Honored Contributor
Solution

Re: check for rootkits

Try with:

http://www.chkrootkit.org/
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Krastev
Honored Contributor

Re: check for rootkits

Try :

apt-get install chkrootkit


regards,
ivan
Ivan Krastev
Honored Contributor

Re: check for rootkits

Oops and one more:

apt-get install rkhunter


regards,
ivan
Ragu_3
Trusted Contributor

Re: check for rootkits

rkhunter definitely looks better than chkrootkit. After the apt-get install do a
'rkhunter --update' if net connected.
Debian GNU/Linux for the Enterprise! Ask HP ...
Fredrik.eriksson
Valued Contributor

Re: check for rootkits

A normal manual way of checking is using netstat to see if you have any wierd ports listening for connections. And i usually find the time to check my ps aux and see if anything obvious shows up (even thou it's not that hard to cloak a process :P).
Also check the writeable directories (for non superusers) for files that could be executed.

But if you're this paranoid about being hacked I would suggest you look into GRSEC-kernel or the like.
TPE is a wonderful way to stop users from doing things you don't want them to :P

Best regards
Fredrik Eriksson
Fred K. Abell Jr._1
Regular Advisor

Re: check for rootkits

If you have been rooted, then getting a program to run on the system may not give you the information your want, especially if it is a kernel based rootkit. Rootkits will rewrite commands like ls, netstat, ps, lsof, etc to hide the output that would give the rootkit away. For instance, if lsof was installed, the rootkit may filter lsof's output to hide any listening ports.

On a known safe machine, create a CD with the binaries you want to use to inspect your system for unusual activity. A very nice pocket reference guide can be downloaded from SANS.org to help you find indication of an intrusion.
http://www.sans.org/score/checklists/ID_Linux.pdf

Also, Trendmicro's housecall program can do an online scan of Linux distributions that support libc6. It may help, but I have never tried it on a Linux box.

Good luck, a well done rootkit can be hard to find.
Don Mallory
Trusted Contributor

Re: check for rootkits

I have to agree with Fred. Unless you have built this prior to being rootkitted, you must treat the system as hacked.

Another tool for finding hidden ports is "unhide". http://linuxappfinder.com/package/unhide

Add to the rkhunter, chrootkit, AIDE and auditd, then send the logs to rsyslog, OSSEC or Snort.

Checking the host with netstat and ps -ef, if already rootkitted won't help, especially if you don't have a baseline of what the host should be set to. You could also check teh host locally with these tools on a regular basis, but compare the output of the netstat with the output of nmap or OpenVAS (www.openvas.org). This will show you a "inside" vs. "outside" perspective.

Best regards,
Don