Checking for Rootkits

Blane Warrene

One of the plagues of a server getting hacked is not realizing there has been an intrusion. Savvy intruders count on this: they leave behind hidden tools that capture authentication data, damage critical system files and monitor or relay traffic through the compromised server, often without detection.

These threats often come in the form of rootkits.

While checking after the fact is probably not the best method, it is one way of keeping tabs on the integrity of your servers. The best practice is to have tools in place beforehand: well-configured firewalls, hard-to-guess root passwords and applications that prevent or alarm on changes to binaries and configuration files (such as Tripwire).

That said, when an administrator is concerned that something may be amiss on a system, a tool called chkrootkit, authored by Nelson Murilo and Klaus Steding-Jessen, can detect up to 56 different rootkits on numerous platform variants including FreeBSD, Linux, Solaris, HP-UX and others.

It is amazingly easy to install: simply untar it in a directory of your choice on your server, su to root and type ‘make sense’ within the chkrootkit directory. You can then execute ‘./chkrootkit’ as root and receive an onscreen report of the results. My preference is to let this run from time to time in cron and output the results to a file I can review when checking logs and performing general admin on my servers.
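As an added example (not part of the original post or of chkrootkit itself), here is a small POSIX sh wrapper of the kind you would call from cron to run chkrootkit, keep a dated report file and pull out only the lines chkrootkit uses to flag a hit. The install directory, report directory and crontab path are assumptions; adjust them to your layout. The sample report embedded in the script is constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example: run chkrootkit from cron and keep a dated report.
# Assumed locations (not from the original post): chkrootkit untarred and
# built with `make sense' in CHKROOTKIT_DIR; reports kept in REPORT_DIR.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
REPORT_DIR="${REPORT_DIR:-/var/log/chkrootkit}"

# run_report: execute ./chkrootkit as root and capture everything it prints
# (stdout and stderr) into a timestamped file. Prints the report path.
run_report() {
    report="$REPORT_DIR/chkrootkit-$(date +%Y%m%d-%H%M%S).log"
    mkdir -p "$REPORT_DIR"
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit ) > "$report" 2>&1
    echo "$report"
}

# suspicious_lines: print only the lines chkrootkit marks as hits.
# "INFECTED", "Warning:" and "PROMISC" are the markers chkrootkit prints
# for a trojaned binary, a possible LKM rootkit and a sniffing interface;
# "not infected" lines are lowercase and are deliberately not matched.
suspicious_lines() {
    grep -E 'INFECTED|Warning|PROMISC' "$1" || true
}

# count_flags: number of flagged lines in a report (0 means a clean run).
count_flags() {
    suspicious_lines "$1" | wc -l | tr -d ' '
}

# write_sample_report: constructed chkrootkit-style output used to exercise
# the filter without touching the real system. Path is given as $1.
write_sample_report() {
    cat > "$1" <<'EOF'
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `chfn'... INFECTED
Checking `login'... not infected
Checking `sniffer'... eth0: PROMISC
Checking `lkm'... Warning: Possible LKM Trojan installed
EOF
}

# Invoked with "run" (e.g. from cron) it performs a real scan and prints a
# short summary; with no argument it only defines the functions above.
# Assumed crontab line (weekly, Sunday 03:00; script path is hypothetical):
#   0 3 * * 0 /usr/local/sbin/chkrootkit-report.sh run
if [ "${1:-}" = "run" ]; then
    report=$(run_report)
    hits=$(count_flags "$report")
    echo "chkrootkit report: $report ($hits flagged line(s))"
    suspicious_lines "$report"
fi
```

Reviewing only the flagged lines is a convenience for the cron digest; keep the full report file, since a clean summary from a compromised host is exactly what a rootkit that hooks the binaries chkrootkit relies on would produce, and the complete output is what you compare against a known-good baseline.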