24 June 2010

Server check for the presence of rootkits

Categories:  Server  Gentoo  Linux

How to configure Linux server to regularly check the presence of rootkits on the system

Everybody knows that Linux is not a friendly environment for malicious code. This doesn't mean, however, that it is impossible to have some ugly software on your system. Typical Windows-style viruses are not a real threat to Linux, but every Linux administrator knows that there is a limited number of so-called rootkits that target POSIX systems. Having one of them on the system would be a major security problem. As long as we use verified software repositories it is quite unlikely that this kind of code would become part of one of the programs on our system. However, it is always good to double-check the system even if the risk of infection is close to zero. I will try to explain how I check my systems for the presence of this type of code. The information provided below addresses the Gentoo Linux distribution, but most of it (except the installation instructions) should be applicable to any Linux or even any POSIX system (including Mac OS X).

To make sure I don't have any rootkit on my systems I use the chkrootkit package. You can obtain the source code of this program from the project website and compile it manually, but most likely you will find it in the software repository of every popular Linux distribution. In Gentoo Linux we install this package by unmasking the latest version:

echo "app-forensics/chkrootkit" >> /etc/portage/package.keywords
 

and running emerge command to install it:

emerge -av app-forensics/chkrootkit

Then we are ready to run the first check manually:

/usr/sbin/chkrootkit

Of course it's good to have our system checked from time to time. In Gentoo Linux, after installing chkrootkit I already have a cron job defined in /etc/cron.weekly/chkrootkit. Here you can see this task:

#!/bin/sh
#
# uncomment this to make it work
#

#exec /usr/sbin/chkrootkit -q

To make my check run every week I just have to uncomment the last line. As you can see, this cron task is very simple: it runs chkrootkit in quiet mode. This is not something I would like to have. I would like to be informed by my server every time the check is performed and see the full results of the test. That's why I created my own chkrootkit cron script which does it for me. My script checks the system using chkrootkit and writes the results of the check to a text file. At the end the script sends these results to me as a mail attachment. This way I can see the full results output for myself and, most importantly, I am sure that the check was performed. The only problem I had with this script was sending the results as a mail attachment. The simple Unix mail command is not very friendly, that's why I used a very nice and easy-to-use console mail client called mutt. So before I ran my script I had to install mutt on my system. In Gentoo Linux I did it this way:

emerge -av mail-client/mutt

Now we can take a look at the script I called chkrootkit_cron.sh:

#!/bin/sh
# Run chkrootkit, save the full output and mail it as an attachment.
SERVERNAME=$(hostname)
DATE=$(date +"%d.%m.%Y")
EMAIL=my_administrator@email.org
# Use a private work directory: /var/tmp is world-writable, so files with
# predictable names there could be pre-created or symlinked by a local user.
WORKDIR=$(mktemp -d /var/tmp/chkrootkit.XXXXXX) || exit 1
FILENAME="${WORKDIR}/fulltest-${DATE}.txt"
MSGFILE="${WORKDIR}/msgfile-${DATE}"

# Redirect stdout first, then stderr, so both end up in the report file
/usr/sbin/chkrootkit > "${FILENAME}" 2>&1

if grep -q -E 'INFECTED|Vulnerable' "${FILENAME}"; then
    echo "There seems to be a problem!!!!" > "${MSGFILE}"
    echo "-------------------------------------------------" >> "${MSGFILE}"
    grep -E 'INFECTED|Vulnerable' "${FILENAME}" >> "${MSGFILE}"
    echo "-------------------------------------------------" >> "${MSGFILE}"
    echo "You can see whole test results in attachment file" >> "${MSGFILE}"
else
    echo "Your system is not infected" > "${MSGFILE}"
    echo "You can see whole test results in attachment file" >> "${MSGFILE}"
fi

# "--" separates the attachment list from the recipient address
/usr/bin/mutt -s "${DATE} Weekly chkrootkit from ${SERVERNAME}" -a "${FILENAME}" -- "${EMAIL}" < "${MSGFILE}"

rm -rf "${WORKDIR}"

As you can see, this script tries to guess the result of the scan using the grep command and sends me an email with either a warning or just an informational message, depending on the result.
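The grep-based guess has one blind spot: if chkrootkit never actually runs (for example the binary is missing), the report contains no INFECTED lines and the mail reports a clean system. The following is an added example, not the author's script, of a classification that treats an empty or missing report as a failed check; the sample report lines are constructed and only assume chkrootkit's usual "Checking ... not infected" / "INFECTED" wording.

```shell
#!/bin/sh
# Added example, not the author's script: classify a chkrootkit report
# so that a missing or empty report is never mistaken for a clean system.
# Return codes: 0 = clean, 1 = findings present, 2 = the check did not run.
classify_report() {
    report="$1"
    # An absent or empty report means chkrootkit did not actually run
    [ -s "$report" ] || return 2
    # Case-sensitive match: "not infected" lines do not trigger it
    if grep -q -E 'INFECTED|Vulnerable' "$report"; then
        return 1
    fi
    return 0
}

# Build the mail body text from the classification
summarize_report() {
    report="$1"
    rc=0
    classify_report "$report" || rc=$?
    case "$rc" in
        0) echo "Your system is not infected" ;;
        1) echo "There seems to be a problem!!!!"
           grep -E 'INFECTED|Vulnerable' "$report" ;;
        *) echo "WARNING: no chkrootkit output, the check did not run" ;;
    esac
}

# Constructed sample reports (assumed format, not real chkrootkit output)
CLEAN=$(mktemp); BAD=$(mktemp); EMPTY=$(mktemp)
trap 'rm -f "$CLEAN" "$BAD" "$EMPTY"' EXIT
cat > "$CLEAN" <<'EOF'
Checking `ifconfig'... not infected
Checking `login'... not infected
EOF
cat > "$BAD" <<'EOF'
Checking `ifconfig'... not infected
Checking `login'... INFECTED
EOF

summarize_report "$CLEAN"
summarize_report "$BAD"
summarize_report "$EMPTY"
```

In the cron script, a return code of 2 should produce a warning subject line so that a silently failing check is noticed, not filed away as "not infected".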

The last thing I had to do was to put this file into /etc/cron.weekly and make it executable by running:

chmod +x /etc/cron.weekly/chkrootkit_cron.sh

Optionally you can create a task.cron file similar to this one:

30     4      *      *       1-7/2       /usr/local/bin/chkrootkit_cron.sh

and add it to the crontab by running the following command:

crontab task.cron

This way your check will run every 2nd day of the week at 4:30 am. You can tune these settings as you like. Some cron implementations may additionally require you to run:

crontab /etc/crontab

I don't have to run the above command as I use vixie-cron on my servers.

My script is also available on my svn server; you can access it by following this link.
