A rootkit is completely customized to the hacker who installs it. It may include trojans, viruses and other malware. Rootkits are also able to intercept data from network connections and the keyboard, to steal passwords and attack other computers. They can also alter log files and processes to hide their presence on your computer. For more information on rootkits, see Wikipedia.
Many rootkits will be stopped by a decent firewall, but virus scanners are no protection against rootkits. Running a rootkit checker regularly is strongly recommended. It will scan for rootkits, backdoors, and local exploits.
There are two tools I recommend: chkrootkit and rkhunter.
IMPORTANT: The tips in this document require the use of command-line commands. For more information about how to read and execute Linux command-line prompts and commands, please check the Linux Clues Linux Cheat Sheet, especially Linux Prompt Basics and Linux Command-Line Nomenclature.
chkrootkit is an easy to use tool and included with many distros. Log in as root and run:
For a reminder on how to log in as root, check the Linux Cheat Sheet at LinuxClues.com (the navigable, searchable companion site to Linux Explorer): Logging in and out as Root.
If your distro hasn't installed it, download the latest chkrootkit.tar.gz.
Then unzip it with this command:
# tar -xvzf chkrootkit.tar.gz
That extracts files into a folder called chkrootkit-0.46a (for the version we tested). Then type:
# cd chkrootkit-0.46a
Compile the program:
# make sense
You'll see in the terminal something like:
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
gcc -o chkutmp chkutmp.c
From there you can run the chkrootkit:
In terminal, you should see something like:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
The actual list will be considerably longer, of course, covering all the files. If chkrootkit finds something it writes "INFECTED" to the log file. You may be able to restore the process that has been compromised, but you'll probably need to re-install the operating system. In severe cases you may need to wipe the hard disk and re-install.
You could keep chkrootkit on your system and re-run it every week, but that's not good security. Chkrootkit doesn't prevent rootkits from being installed, it merely detects them after the fact. So a hacker could conceivably install a rootkit in between your scans. And any hacker worth his salt would be able to change the configuration to avoid chkrootkit's detection.
Better security is to burn chkrootkit to a CD and run it from there next time. And for the most up-to-date protection, delete the chkrootkit directory after each scan, then download and compile a fresh copy of chkrootkit. It doesn't take long and that way you will be confident of a reliable scan.
Big Game Hunting Another option for protection against rootkits is rkhunter. It does a bit more than just looking for rootkits. It performs a system-wide check for vulnerable files and dependencies on your system, including:
The rkhunterinstall file is available as tarball. Complete download, decompress, and install instructions are available in the Rootkit Hunder FAQ.
An RPM version for Mandrake/Mandriva is also available, maintained by a third party. Some distros (Slackware for example) also require "Perl-Digest-SHA1" for a successful install.
You can find more installation tips from this thread on the Scot's Newsletter forums.
Once installed, run the program by typing:
# rkhunter -c --createlogfile
Rkhunter runs its scans and writes results and tips to the log file.
To ensure security of your system, don't rely on yourself to perform manual scans. Make rkhunter a daily cron job and have it mail you the scan results. To do that, type:
# rkhunter --cronjob
For more on cron jobs, see Taming the Cron Daemon on Linux Clues.
Have fun securing your system.