chkrootkit is a tool to locally check for signs of a rootkit. It contains chkrootkit, a shell script that checks system binaries for rootkit modification. It runs the following tests: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. The package also ships several helper programs: ifpromisc.c checks whether a network interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.
chkrootkit is available in FreeBSD ports. To install it, first find the location of the chkrootkit port in the ports tree:
server16# cd /usr/ports
server16# make search name=chkrootkit
Port: chkrootkit-0.46a
Path: /usr/ports/security/chkrootkit
Info: A tool to locally check for signs of a rootkit
Maint: [email protected]
B-deps:
R-deps:
WWW: http://www.chkrootkit.org/
We have found chkrootkit at /usr/ports/security/chkrootkit. To install it, go to that folder and run "make install clean":
server16# cd /usr/ports/security/chkrootkit
server16# make install clean
===> Vulnerability check disabled, database not found
=> chkrootkit-0.46a.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from ftp://ftp.pangeia.com.br/pub/seg/pac/.
..........
..........
..........
..........
===> Registering installation for chkrootkit-0.46a
===> Cleaning for chkrootkit-0.46a
server16# rehash
Now chkrootkit is installed on the server. To check the server for rootkit infection, run the "chkrootkit" command (note that the command is chkrootkit, not checkrootkit):
server16# checkrootkit
checkrootkit: Command not found.
server16# chkrootkit
ROOTDIR is `/'
........
........
........
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
server16#
If you see anything reported as INFECTED, you need to investigate further and confirm whether your server is actually infected before acting on it. At times, chkrootkit produces FALSE POSITIVE results.
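Because a clean check prints "not infected" while a positive prints "INFECTED", a careless case-insensitive grep over the output flags every binary. The following wrapper, added here as an example and not part of chkrootkit or the original post, separates the positives from the noise and turns them into an exit status; the sample report it scans is constructed, and the lkm-style "Warning"/"Possible" patterns are an assumed chkrootkit convention not shown on this page.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): pull the positive findings out of a
# chkrootkit report and turn them into an exit status for cron or a deploy check.
# Constructed sample of chkrootkit output for offline use; the INFECTED line is
# invented for the demonstration and does not come from a real scan.
sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `z2'... chklastlog: nothing deleted
EOF
}

# Print only the positive lines of a report read from stdin. Case matters:
# chkrootkit prints positives as upper-case INFECTED and clean checks as
# "not infected", so a careless `grep -i infected` would flag every binary.
# Warning/Possible cover checks such as lkm that word findings differently
# (assumed chkrootkit convention, not shown on this page).
positive_lines() {
    grep -e 'INFECTED' -e 'Warning' -e 'Possible' | grep -v 'not infected'
}

# Number of positive lines in a report read from stdin (tr strips BSD wc padding).
positive_count() {
    positive_lines | wc -l | tr -d ' '
}
# Exit 0 for a clean report, 1 when it has positives. A positive means "verify
# by hand" (e.g. compare the binary with its package checksum from known-good
# media), not proven compromise: chkrootkit does produce false positives.
chkrootkit_verdict() {
    n=$(positive_count)
    if [ "$n" -gt 0 ]; then
        printf 'chkrootkit: %s positive finding(s), investigate\n' "$n" >&2
        return 1
    fi
    echo 'chkrootkit: no positive findings' >&2
}

# Usage: sh chkwrap.sh report.txt (after: chkrootkit > report.txt). With no
# argument the constructed sample above is scanned instead.
if [ $# -gt 0 ]; then
    positive_lines < "$1"; chkrootkit_verdict < "$1" || exit 1
else
    sample_output | positive_lines
    sample_output | chkrootkit_verdict || echo '(non-zero exit: act on it)'
fi
```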