
chkrootkit under Debian / Ubuntu

9 March 2009

When auditing a Linux system we have many good tools to monitor unexpected changes and unexpected behaviour. Earlier we talked about rkhunter as a rootkit checker; now, as an alternative, we will look at chkrootkit, a tool that determines whether the system is infected with a rootkit.

If you want a definition of what a rootkit is, please read the first article, about rkhunter.

chkrootkit is free software that works on Linux, FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX 11, Tru64, BSDI and Mac OS X. It is a very small utility that performs several checks on your system, using the security community's knowledge, to make sure you don't have a rootkit installed.

chkrootkit is the only rootkit checker I know of that has support for mobile phones. This mobile version can test for:

Cabir A-E Variants
Lasco
Skulls
Comwar.C
Comwar.Q
Acallno.A
Cardblock.A
Mopofeli.A
SingleJump.C

chkrootkit checks:

1. system binaries against chkrootkit signatures
2. LKMs (Loadable Kernel Modules) for trojans.

Installing under Debian / Ubuntu

[root@randombugs]# apt-get install chkrootkit

Running

[root@randombugs]# chkrootkit

and now just look for errors in the output:

(screenshot: chkrootkit output)
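Since the post only shows a screenshot, here is an added example (written for this page, not part of chkrootkit) of what "look for errors" amounts to: a POSIX sh filter that drops the clean results (lower-case "not infected", "nothing found", ...) and keeps only the INFECTED, Warning and PROMISC lines. The sample log it runs over is constructed, not real output from the author's machine.

```shell
# Added example, not part of chkrootkit: keep only the chkrootkit output lines
# that a human needs to look at. chkrootkit prints lower-case "not infected",
# "nothing found", "not found", "no suspect files" etc. for clean checks and
# upper-case "INFECTED", "Warning: ..." or "PROMISC" when something looks wrong.

# Read chkrootkit output on stdin, print only the lines worth investigating.
# awk is used instead of grep so that an empty result is not an error under set -e.
chkrootkit_findings() {
    awk '/INFECTED|Warning|PROMISC/ && !/not infected/ { print }'
}

# Count such lines (stdin -> number); useful as the exit status of a cron job.
chkrootkit_finding_count() {
    chkrootkit_findings | wc -l | tr -d ' '
}

# Constructed sample of a chkrootkit run (not a real run). The two flagged lines
# are classic ones that still need manual verification: the bindshell test
# reports any listener on one of the ports it knows (here a mail service on 465)
# and chkproc's LKM warning is known to give false positives, so a finding is a
# reason to investigate, not proof of a rootkit.
chkrootkit_sample_log() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
Checking `aliens'... no suspect files
Searching for suspect PHP files... nothing found
EOF
}

# On a live system: chkrootkit | tee /var/log/chkrootkit.log | chkrootkit_findings
# Here the constructed log is used instead so the script runs anywhere.
chkrootkit_sample_log | chkrootkit_findings
```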

The latest version of chkrootkit is 0.48 (and 0.2 for the mobile version). To see which version you are running, just run in your console:

[root@randombugs]# chkrootkit -V
chkrootkit version 0.48

To check for a new version just go to http://www.chkrootkit.org/.

chkrootkit can detect the following rootkits and worms:

Solaris rootkit;
lrk3, lrk4, lrk5, lrk6 (and variants);
FreeBSD rootkit;
t0rn (and variants);
Ambient’s Rootkit (ARK);
Ramen Worm;
rh[67]-shaper;
RSHA
Romanian rootkit;
RK17
Lion Worm;
Adore Worm;
LPD Worm;
kenny-rk;
Adore LKM;
x.c Worm;
RST.b trojan;
duarawkz;
knark LKM;
Monkit;
ShitC Worm;
Omega Worm;
Wormkit Worm;
Maniac-RK;
dsc-rootkit;
Ducoci rootkit;
Hidrootkit;
Bobkit;
Pizdakit;
t0rn v8.0;
Showtee;
Optickit;
T.R.K;
MithRa’s Rootkit;
George;
SucKIT;
Scalper;
Slapper A, B, C and D;
OpenBSD rk v1;
Illogic rootkit;
SK rootkit;
sebek LKM;
LOC rootkit;
shv4 rootkit;
Aquatica rootkit;
ZK rootkit;
55808.A Worm;
TC2 Worm;
Volc rootkit;
Gold2 rootkit;
Anonoying rootkit;
Shkit rootkit;
AjaKit rootkit;
zaRwT rootkit;
Madalin rootkit;
Fu rootkit;
Kenga3 rootkit;
ESRK rootkit;
rootedoor rootkit;
Enye LKM;
Lupper.Worm;
shv5.
