By Hitesh Jethva, Alibaba Cloud Community Blog author.
Chkrootkit also known as Check Rootkit is a common security scanner that helps you to detect rootkits on your system. It consists of a shell script that checks various security issues and system binaries for rootkit modification.
In this tutorial, we will learn how to install and configure Chkrootkit on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 18.04 server.
Create a new ECS instance and connect to your instance as the root user.
Once you are logged into your Ubuntu 18.04 instance, run the following command to update your base system with the latest available packages.
apt-get update -y
By default, Chkrootkit is available in the Ubuntu 18.04 default repository. You can install it by just running the following command:
apt-get install chkrootkit -y
Once the installation has been completed, you can check the version of Chkrootkit with the following command:
chkrootkit -V
Output:
chkrootkit version 0.52
You can list out the options available with Chkrootkit with the following command:
chkrootkit -h
To list all the available tests with Chkrootkit, run the following command:
chkrootkit -l
You can now run the test with the following command:
chkrootkit
If any of the output shown below shows as infected, then you need to check:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... INFECTED
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
You can run Chkrootkit with -q option to list only output messages with `infected' status:
chkrootkit -q
Output:
Checking `tcpd'... INFECTED
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[643])
not tested
To check all the files under specified directory, run the following command:
chkrootkit -r /opt
Chkrootkit comes with default crontab configuration file. You can enable daily check by /etc/chkrootkit.conf file.
nano /etc/chkrootkit.conf
Change the line from:
RUN_DAILY="false"
to
RUN_DAILY="true"
Save and close the file, when you are finished.
That's it! You have successfully installed and use Chkrootkit on Ubuntu 18.04 server. You can now easily find any infected files on your system using Chkrootkit.
38 posts | 4 followers
FollowAlibaba Clouder - August 16, 2019
Hiteshjethva - January 8, 2020
Alibaba Clouder - June 3, 2020
francisndungu - December 10, 2019
Hiteshjethva - March 2, 2020
Hiteshjethva - January 8, 2020
38 posts | 4 followers
FollowAlibaba Cloud is committed to safeguarding the cloud security for every business.
Learn MoreSimple, secure, and intelligent services.
Learn MoreAlibaba Cloud (in partnership with Whale Cloud) helps telcos build an all-in-one telecommunication and digital lifestyle platform based on DingTalk.
Learn MoreProtect, backup, and restore your data assets on the cloud with Alibaba Cloud database services.
Learn MoreMore Posts by Hiteshjethva