Chkrootkit
What's chkrootkit?
Chkrootkit adalah tool untuk memeriksa tanda-tanda rootkit secara lokal.
Instalasi
Siapkan compiler
sudo su apt install make gcc
Download source code
cd /usr/local/src wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz tar zxvf chkrootkit.tar.gz cd /usr/local/src/chkrootkit-0.52/ make sense
Menjalankan
cd /usr/local/src/chkrootkit-0.52 ./chkrootkit
atau
cd /usr/local/src/chkrootkit-0.52 ./chkrootkit -q
Penggunaan
# ./chkrootkit
Usage: ./chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
testname salah satu atau lebih dari daftar berikut,
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
Contoh
./chkrootkit ps ls sniffer
untuk melihat data lebih banyak
./chkrootkit -x | more
Melihat pathname dalam sistem command
./chkrootkit -x | egrep '^/'
chkrootkit menggunakan command berikut untukl melakukan test: awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname. Pakai option -p untuk memberikan alternate path untuk chkrootkit agar tidak menggunakan system command yang mungkin sudah terinfeksi. Contoh,
./chkrootkit -p /cdrom/bin
Untuk beberapa path.
./chkrootkit -p /cdrom/bin:/floppy/mybin
Ada baiknya mount disk mesin yang ter-compromise ke mesin yang bisa di percaya, misalnya disk ada di /mnt, gunakan.
./chkrootkit -r /mnt
Output Messages
Keluaran
- "INFECTED": the test has identified a command probably modified by a known rootkit;
- "not infected": the test didn't find any known rootkit signature.
- "not tested": the test was not performed -- this could happen in
the following situations:
a) the test is OS specific;
b) the test depends on an external program that is not available;
c) some specific command line options are given. (e.g. -r ).
- not found": the command to be tested is not available;
- "Vulnerable but disabled": the command is infected but not in use. not running or commented in inetd.conf)
A trojaned command has been found. What should I do now?
Your biggest problem is that your machine has been compromised and this bad guy has root privileges.
Maybe you can solve the problem by just replacing the trojaned command -- the best way is to reinstall the machine from a safe media and to follow your vendor's security recommendations.