Difference between revisions of "Chkrootkit"

From OnnoWiki
Jump to navigation Jump to search
Line 84: Line 84:
  
  
7. Output Messages
+
==Output Messages==
------------------
 
  
The following messages are printed by chkrootkit (except with the -x
+
Keluaran
and -q command options) during its tests:
 
  
  "INFECTED": the test has identified a command probably modified by
+
* "INFECTED": the test has identified a command probably modified by a known rootkit;
  a known rootkit;
+
* "not infected": the test didn't find any known rootkit signature.
 
+
*"not tested": the test was not performed -- this could happen in
  "not infected": the test didn't find any known rootkit signature.
 
 
 
  "not tested": the test was not performed -- this could happen in
 
 
   the following situations:
 
   the following situations:
 
     a) the test is OS specific;
 
     a) the test is OS specific;
Line 101: Line 96:
 
     c) some specific command line options are given. (e.g. -r ).
 
     c) some specific command line options are given. (e.g. -r ).
  
  "not found": the command to be tested is not available;
+
* not found": the command to be tested is not available;
 
+
* "Vulnerable but disabled": the command is infected but not in use. not running or commented in inetd.conf)
  "Vulnerable but disabled": the command is infected but not in use.
 
  (not running or commented in inetd.conf)
 
 
 
 
 
8. A trojaned command has been found.  What should I do now?
 
------------------------------------------------------------
 
 
 
Your biggest problem is that your machine has been compromised and
 
this bad guy has root privileges.
 
 
 
Maybe you can solve the problem by just replacing the trojaned
 
command -- the best way is to reinstall the machine from a safe media
 
and to follow your vendor's security recommendations.
 
  
  
9. Reports and questions
+
==A trojaned command has been foundWhat should I do now?==
  ------------------------
 
  
Please send comments, questions and bug reports to
+
Your biggest problem is that your machine has been compromised and
nelson@pangeia.com.br and jessen@cert.br.
+
this bad guy has root privileges.
  
A simple FAQ and Related information about rootkits and security can
+
Maybe you can solve the problem by just replacing the trojaned
be found at chkrootkit's homepage, http://www.chkrootkit.org.
+
command -- the best way is to reinstall the machine from a safe media
 +
and to follow your vendor's security recommendations.
  
  

Revision as of 07:56, 13 June 2017

What's chkrootkit?

chkrootkit is a tool to locally check for signs of a rootkit.

Instalasi

Download source code

# make sense

Menjalankan

# ./chkrootkit


Penggunaan

# ./chkrootkit
Usage: ./chkrootkit [options] [testname ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs

testname salah satu atau lebih dari daftar berikut,

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
inetdconf identd init killall ldsopreload login ls lsof mail mingetty
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
traceroute vdir w write

Contoh

# ./chkrootkit ps ls sniffer
The `-q' option can be used to put chkrootkit in quiet mode -- in
this mode only output messages with `infected' status are shown.
With the `-x' option the user can examine suspicious strings in the
binary programs that may indicate a trojan -- all the analysis is
left to the user.
Lots of data can be seen with:
  # ./chkrootkit -x | more
Pathnames inside system commands:
  # ./chkrootkit -x | egrep '^/'
chkrootkit uses the following commands to make its tests: awk, cut,
egrep, find, head, id, ls, netstat, ps, strings, sed, uname.  It is
possible, with the `-p' option, to supply an alternate path to
chkrootkit so it won't use the system's (possibly) compromised
binaries to make its tests.
To use, for example, binaries in /cdrom/bin:
  # ./chkrootkit -p /cdrom/bin
It is possible to add more paths with a `:'
  # ./chkrootkit -p /cdrom/bin:/floppy/mybin
Sometimes is a good idea to mount the disk from a compromised machine
on a machine you trust.  Just mount the disk and specify a new
rootdir with the `-r' option.
For example, suppose the disk you want to check is mounted under
/mnt, then:
  # ./chkrootkit -r /mnt


Output Messages

Keluaran

  • "INFECTED": the test has identified a command probably modified by a known rootkit;
  • "not infected": the test didn't find any known rootkit signature.
  • "not tested": the test was not performed -- this could happen in
  the following situations:
    a) the test is OS specific;
    b) the test depends on an external program that is not available;
    c) some specific command line options are given. (e.g. -r ).
  • not found": the command to be tested is not available;
  • "Vulnerable but disabled": the command is infected but not in use. not running or commented in inetd.conf)


A trojaned command has been found. What should I do now?

Your biggest problem is that your machine has been compromised and this bad guy has root privileges.

Maybe you can solve the problem by just replacing the trojaned command -- the best way is to reinstall the machine from a safe media and to follow your vendor's security recommendations.


Referensi

Pranala Menarik