Finding Rootkits, Infections, and Files

Last month's "Tech Support" showed you how to monitor filesystem changes with Tripwire, a handy system utility that alerts you to all filesystem changes. Like SNORT and others, Tripwire is just one of many practical security measures that mind your system 24/7.

Another sentry tool is chkrootkit, a free utility that can detect rootkits, loadable kernel modules, worms, and other nefarious cracker tools. (A rootkit is a collection of tools used to mask intrusion, obtain administrator-level access, and install a backdoor on a target computer. A loadable kernel module, or LKM, is a piece of code that’s loaded directly into the Linux kernel.) chkrootkit uses digital signatures to detect over fifty known rootkits and LKMs. It also uses some simple heuristics — looking for hidden processes, hidden directories, and a few other simple checks — to attempt to detect unknown kits.

chkrootkit is maintained by Nelson Murilo and is available from http://www.chkrootkit.org. After downloading the latest version of chkrootkit, verify the MD5 checksum, and unpack the tarball. Then type make sense in the build directory. After the build’s complete, run the program by typing ./chkrootkit. You’ll have to be root to run the chkrootkit tools.

By default, chkrootkit is quite verbose. You can use the -q flag to only output messages that indicate an “infection.” Another useful flag is -p, which allows you to specify a path to the supplemental, external programs that chkrootkit uses. Running the external commands from read-only media ensures that chkrootkit itself hasn’t been tampered with.

Once you have everything working to your liking, run chkrootkit via cron using a command similar to…


0 3 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)

As with any security program, chkrootkit’s output must be examined and interpreted to be useful. For example, chkrootkit may give output such as INFECTED (PORTS: 1999). While this may be the result of the TransScout backdoor, it may simply be that a program that uses random ports above 1023 happens to be using that port.

Always a Good find

A few months back, “Tech Support” presented slocate as a replacement for the brute-force find / -name filename. One of slocate’s main benefits is speed, as its results are returned almost instantly. The speed, however, doesn’t come without a cost: slocate relies on a daily updatedb to cache the results, so slocate can get out of sync with a live system. slocate also has limited search capabilities.

Re-enter find, an aptly named tool that lets you search for files in a directory hierarchy. find is an extremely powerful tool that not only finds files by name, but also manipulates and executes commands on the files it finds. You can also find files based on attributes such as last modified time, group ownership and file permissions.

Here are a few examples of how find can be used. Keep in mind that shells differ, so you may or may not have to escape characters such as ( and ).

Starting at /, find files of any type that have the setuid bit set:


% find / -perm -4000

Starting at /, find regular files that have the setuid or setgid bit set:


% find / -type f \( -perm -4000 -o -perm -2000 \)

Starting at /, find regular files that are owned by root and have either the setuid or setgid bit set, and perform an ls -l for each file:


% find / -type f \( -perm -4000 -o \
-perm -2000 \) -user root \
-exec ls -l {} \;

Find all files in the current directory (.) that were modified more recently than reference_file:


% find . -newer reference_file

As you can see, multiple attributes and commands can be used together, which makes find extremely powerful and flexible. One thing to keep in mind is that you may want to append 2>/dev/null to the end of your command to suppress error messages.
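The setuid/setgid searches above are most useful when compared against a known-good list. The following script is an added example, not part of the original column: it records a baseline with find and on later runs reports set-id files that were added, removed, or modified since. The function names and the baseline path are assumptions, and file names are assumed to contain no newlines.

```shell
#!/bin/sh
# Added example, not from the original column: a set-id baseline audit built
# on the find expressions above. Assumes file names contain no newlines.

# Print every regular file under $1 that is setuid or setgid, sorted.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Set-id files present now that the baseline file $2 does not list.
added_setid() { list_setid "$1" | LC_ALL=C comm -23 - "$2"; }

# Baseline entries that are gone or have lost their set-id bits.
removed_setid() { list_setid "$1" | LC_ALL=C comm -13 - "$2"; }

# Set-id files whose contents changed after the baseline was written
# (-newer compares modification times, so a chmod alone is not caught here).
modified_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -newer "$2" -print \
        2>/dev/null | LC_ALL=C sort
}

# First run records the baseline. Later runs print only differences and
# return non-zero when there are any, so a cron job stays silent otherwise.
audit_setid() {
    root=$1 baseline=$2
    if [ ! -f "$baseline" ]; then
        list_setid "$root" > "$baseline"
        return 0
    fi
    report=$(
        added_setid "$root" "$baseline" | sed 's/^/ADDED    /'
        removed_setid "$root" "$baseline" | sed 's/^/REMOVED  /'
        modified_setid "$root" "$baseline" | sed 's/^/MODIFIED /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Hypothetical invocation: sh setid-audit.sh / /var/lib/setid.baseline
if [ "$#" -eq 2 ]; then audit_setid "$1" "$2"; fi
```

Keep the baseline somewhere an intruder cannot rewrite it, such as the read-only media suggested for chkrootkit's external programs, and regenerate it after legitimate package updates.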

As is often the case with Linux, many commands are similar, yet suited for different tasks. Learning the strengths and weaknesses of all of the commands allows you to use the command line, one of Linux’s greatest assets, to its fullest potential.



Jeremy Garcia is the founder and admin of LinuxQuestions.org. You may email questions to jeremy@linuxquestions.org.