Brief About Chkrootkit
Chkrootkit is also known as Check Rootkit. It is a common Unix-based security scanner that allows you to detect rootkits on your system. Chkrootkit consists of a shell script that checks system binaries for rootkit modification and looks for various other signs of compromise.
This tutorial explains how to install and configure Chkrootkit on MilesWeb Cloud Elastic Compute Service (ECS) Ubuntu 18.04 server.
Prerequisites
- MilesWeb Cloud Instance with Ubuntu 18.04 installed.
- Your instance needs to have a root password.
First of all, create a new ECS instance and connect to your instance as the root user.
If you don’t know how to do it, let the MilesWeb support team help you with it.
Then log into your Ubuntu 18.04 instance and run the following command.
apt-get update -y
This command will update your base system with the latest available packages.
Install Chkrootkit
By default, Chkrootkit is available in the Ubuntu 18.04 repository, so you can install it by running the command below :
apt-get install chkrootkit -y
Once the installation is done, you can check the version of Chkrootkit using the following command :
chkrootkit -V
Output will be :
chkrootkit version 0.52
To list out the options available with Chkrootkit use the following command :
chkrootkit -h
Run the following command to list all the available tests with Chkrootkit :
chkrootkit -l
Use Chkrootkit
Now, run the following command to run the Chkrootkit test :
chkrootkit
The output will be as shown below. If any entry in the output is reported as INFECTED, you will need to check that file :
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... INFECTED
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
To list the output message with only ‘infected’ status, run Chkrootkit with -q option :
chkrootkit -q
Output :
Checking `tcpd'... INFECTED
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[643])
not tested
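The quiet output above mixes a real verdict (tcpd reported INFECTED) with bare "not tested" notices and paths of hidden files that are listed without any verdict. The script below is an added example, not part of chkrootkit or this tutorial: it classifies chkrootkit -q output line by line and, for every name reported INFECTED, prints the dpkg commands that verify the installed binary against its package's recorded checksums (the function names and the sample output are constructed here; dpkg -S and dpkg -V are standard dpkg options).

```shell
#!/usr/bin/env bash
# Added example (not part of chkrootkit or this tutorial): a triage helper for
# `chkrootkit -q` output. Quiet mode mixes "Checking `name'... INFECTED" verdicts,
# bare "not tested" notices and bare paths of hidden files listed with no verdict;
# separating them keeps real verdicts visible so each can be checked against
# the package database before it is treated as a compromise.
# Constructed sample input mirroring the tutorial's -q output.
sample_output() {
    cat <<'EOF'
Checking `tcpd'... INFECTED
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[643])
not tested
EOF
}
bt='`'; sq="'"   # literal delimiters around the name in a verdict line

# Classify chkrootkit -q output read from stdin; prints "CLASS<TAB>detail" per line.
triage_chkrootkit() {
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*)  name=${line#*"$bt"}; name=${name%%"$sq"*}
                         printf 'INFECTED\t%s\n' "$name" ;;
            *"PACKET SNIFFER"*) printf 'SNIFFER\t%s\n' "$line" ;;
            *"not tested"*)     printf 'NOT_TESTED\t%s\n' "$line" ;;
            /*)                 printf 'HIDDEN_PATH\t%s\n' "$line" ;;
            *)                  printf 'OTHER\t%s\n' "$line" ;;
        esac
    done
}
# Names reported INFECTED, one per line.
infected_binaries() {
    triage_chkrootkit | awk -F'\t' '$1 == "INFECTED" { print $2 }'
}

# Print the dpkg commands that verify a flagged binary against its package's
# recorded checksums: dpkg -S finds the owning package, dpkg -V verifies it.
verify_commands() {
    printf 'dpkg -S "$(command -v %s)"\n' "$1"
    printf 'dpkg -V "$(dpkg -S "$(command -v %s)" | cut -d: -f1)"\n' "$1"
}

# Run the sample through the triage, then show how to verify each INFECTED name.
sample_output | triage_chkrootkit
for name in $(sample_output | infected_binaries); do
    verify_commands "$name"
done
```

On a live system, replace the sample with `chkrootkit -q | triage_chkrootkit` and run the printed dpkg commands for each INFECTED name; a binary whose checksum dpkg -V reports as changed deserves a closer look.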
Run the following command to check all the files under the specified directory :
chkrootkit -r /opt
Enable the Schedule Check
Chkrootkit comes with a default cron configuration. The daily check can be enabled in the /etc/chkrootkit.conf file.
nano /etc/chkrootkit.conf
Now, change this line from –
RUN_DAILY="false"
to –
RUN_DAILY="true"
Once you are done, save and close the file.
That’s it!
This is how you install and use Chkrootkit on an Ubuntu 18.04 server, and how to find any files it reports as infected on your system.