Defending against rootkits
In this article we are going to look at detecting rootkits and at the precautions that let you identify when your workstation/server has had a rootkit installed. The two anti-rootkit tools we will look at are ‘chkrootkit’ and ‘rkhunter’; these two programs help identify a wide range of rootkits that may be lurking on your workstation/server.
The chkrootkit utility is used to identify malicious Trojans, worms, viruses and suspicious files such as hidden directories and PHP files which may contain malicious content. The first step is to download the chkrootkit source tarball archive from the chkrootkit website.
Once you are at the chkrootkit website you will need to download the source tarball and the MD5 checksum file (chkrootkit.md5) so that you can check the integrity of the source tarball. Once you have downloaded both files into the same directory, run the md5sum command with the ‘-c’ qualifier as shown in Figure 2.1. Bear in mind that a checksum fetched from the same site as the tarball only proves the download was not corrupted; it vouches for authenticity only if you obtained the checksum over a channel you trust separately.
server1:/usr/src # md5sum -c chkrootkit.md5
chkrootkit.tar.gz: OK
Figure 2.1: Checking the chkrootkit tarball authenticity.
If md5sum reports OK, the tarball is intact and you can decompress the archive using the tar command as shown in Figure 2.2. Table 1 explains each qualifier supplied to the tar command.
server1:/usr/src # tar zvxf chkrootkit.tar.gz
chkrootkit-0.48
chkrootkit-0.48/ACKNOWLEDGMENTS
chkrootkit-0.48/check_wtmpx.c
...
Figure 2.2: Decompressing the chkrootkit tarball.
| Qualifier | Meaning |
|---|---|
| z | Filter the archive through the gzip utility. |
| v | Verbosely display the files being extracted. |
| x | Extract the files from the archive. |
| f | Use the archive file. |
Table 1: Figure 2.2 qualifiers explained.
Once you have extracted the chkrootkit tarball, change into the chkrootkit directory and issue the ‘make sense’ command to compile chkrootkit as shown in Figure 2.3.
server1:/usr/src # cd chkrootkit-0.48/
server1:/usr/src/chkrootkit-0.48 # make sense
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
chkwtmp.c: In function ‘main’:
chkwtmp.c:95: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
gcc -o chkutmp chkutmp.c
Figure 2.3: Compiling the chkrootkit software.
Once chkrootkit has been compiled you can run it by executing the chkrootkit executable in the current directory as shown in Figure 2.4.
server1:/usr/src/chkrootkit-0.48 # ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
...
Figure 2.4: Performing a system check.
Once you have scanned your workstation/server and it has reported no infections, you can make the installation a bit cleaner. I would recommend creating a symbolic link to the chkrootkit utility in the /sbin directory as shown in Figure 2.5.
server1:/usr/src/chkrootkit-0.48 # ln -s /usr/src/chkrootkit-0.48/chkrootkit /sbin/
server1:/usr/src/chkrootkit-0.48 # ls -l /sbin/chkrootkit
lrwxrwxrwx 1 root root 35 2008-05-21 13:18 /sbin/chkrootkit -> /usr/src/chkrootkit-0.48/chkrootkit
Figure 2.5: Creating a symbolic link for the chkrootkit utility.
Once you have created the symbolic link you will no longer have to change into that directory just to run the chkrootkit utility.
In this section of the article we will look at the ‘rkhunter’ utility, which we will use to help identify rootkits that may be lurking on your workstation/server. The rkhunter utility can be downloaded from the rkhunter website along with a checksum file which can be used to check the source tarball archive for authenticity.
Once you have downloaded the rkhunter tarball you can extract it using the tar command as shown in Figure 3.1; Table 1 explains what each qualifier is used for.
server1:/usr/src # tar zvxf rkhunter-1.3.2.tar.gz
rkhunter-1.3.2/
rkhunter-1.3.2/files/
rkhunter-1.3.2/files/stat.pl
rkhunter-1.3.2/files/WISHLIST
rkhunter-1.3.2/files/check_port.pl
...
Figure 3.1: Decompressing the rkhunter archive.
Once you have successfully decompressed the rkhunter archive, change into the rkhunter directory and run the installation program as shown in Figure 3.2.
server1:/usr/src # cd rkhunter-1.3.2/
server1:/usr/src/rkhunter-1.3.2 # ./installer.sh --layout /usr --install
Checking system for:
 Rootkit Hunter installer files: found. OK
 Available file retrieval tools:
 wget: found. OK
Starting installation/update
Figure 3.2: Installing the rkhunter software.
Once you have installed the rkhunter software you will need to update the signature database; this is done by issuing the rkhunter command followed by the --update qualifier as shown in Figure 3.3.
server1:~ # rkhunter --update
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter data files...
  Checking file mirrors.dat         [ No update ]
  Checking file programs_bad.dat    [ No update ]
  Checking file backdoorports.dat   [ No update ]
  Checking file suspscan.dat        [ No update ]
  Checking file i18n/cn             [ Updated ]
  Checking file i18n/en             [ No update ]
  Checking file i18n/zh             [ No update ]
  Checking file i18n/zh.utf8        [ No update ]
Figure 3.3: Updating the rkhunter software.
Once you have successfully updated the rkhunter data files you can begin scanning your machine by issuing the rkhunter command with the ‘-c’ qualifier as shown in Figure 3.4. The ‘-c’ qualifier begins the scanning process and is shorthand for --check.
server1:~ # rkhunter -c
[ Rootkit Hunter version 1.3.2 ]
Checking system commands...
  Performing 'strings' command checks
    Checking 'strings' command              [ OK ]
  Performing 'shared libraries' checks
    Checking for preloading variables       [ None found ]
    Checking for preload file               [ Not found ]
    Checking LD_LIBRARY_PATH variable       [ Not found ]
...
Figure 3.4: Performing a system scan with rkhunter.
Once the scan has finished and, hopefully, reported no problems, you can review the rkhunter.conf configuration file located in the /etc directory. The rkhunter.conf configuration file allows you to tune rkhunter so that it gives more accurate results for the directories and files on your particular system.
In this section of the article we will look at another technique for detecting files that have been tampered with, using the sha1sum command.
I strongly recommend taking this precaution just after you have installed your server/workstation, as it can save you a lot of heartache. In the earlier chkrootkit section you may have noticed that the program relies on system binaries such as ‘awk’, ‘strings’, ‘netstat’ and many others, so what happens if your system has been infected with a rootkit and ‘strings’ and ‘netstat’ have already been tampered with? You certainly won’t get an accurate reading.
The solution to this problem is to create a SHA-1 checksum of all the binaries that chkrootkit uses, plus any others you consider important, while the system is still known to be clean. Table 2 lists some of the important utilities that are most likely to be modified by a rootkit.
Table 2: Important utilities used by chkrootkit.
Once you have gathered a list of files that you would like to checksum, you can combine the sha1sum command with the which command to create a list of checksums as shown in Figure 4.1.
server1:~ # sha1sum `which awk` `which cut` `which echo` `which egrep` `which find` `which head` `which id` `which ls` `which netstat` `which ps` `which strings` `which sed` > important.sha1
Figure 4.1: Checksumming Important files.
The checksums for all of your important programs are written to the file ‘important.sha1’; store a copy of it in a secure location, preferably on a different machine or on a floppy disk, so that a rootkit cannot alter the checksums along with the binaries.
Checking the integrity of each file you created a checksum for is very easy: simply issue the sha1sum command with the ‘-c’ qualifier and the important.sha1 file as shown in Figure 4.2.
server1:~ # sha1sum -c important.sha1
/usr/bin/awk: OK
/usr/bin/cut: OK
/bin/echo: OK
/usr/bin/egrep: OK
/usr/bin/find: OK
/usr/bin/head: OK
/usr/bin/id: OK
/bin/ls: OK
/bin/netstat: OK
/bin/ps: OK
/usr/bin/strings: OK
/usr/bin/sed: OK
Figure 4.2: Checking the integrity of the important files.
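The baseline-and-verify procedure of Figures 4.1 and 4.2 as a reusable script, added here as an example that is not part of the original article: it records checksums for a list of command names or paths, reports exactly which files changed or vanished, and hands a cron job a non-zero exit status to act on. It assumes a POSIX shell and GNU coreutils (sha1sum with -c --quiet); the function names and the paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: record a SHA-1 baseline of
# trusted binaries right after installation and verify it later from cron.
# Assumes a POSIX shell and GNU coreutils (sha1sum -c --quiet); function
# names and the paths in the comments are illustrative.

# baseline_create BASELINE PROG...  Each PROG is a command name (resolved
# like `which` in Figure 4.1) or a path; prints how many files were recorded.
baseline_create() {
    base=$1; shift
    : > "$base"
    for prog in "$@"; do
        case $prog in
            */*) path=$prog ;;
            *)   path=$(command -v "$prog" 2>/dev/null) || path= ;;
        esac
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "warning: $prog not found, not recorded" >&2
            continue
        fi
        sha1sum "$path" >> "$base"
    done
    wc -l < "$base" | tr -d ' '
}

# baseline_verify BASELINE  Prints one path per recorded file that no longer
# matches or has disappeared (sha1sum -c reports both as "<path>: FAILED...");
# prints nothing when every file is intact.
baseline_verify() {
    sha1sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# baseline_check BASELINE  Cron-friendly wrapper: returns 1 and lists the
# damage when anything changed (output worth e-mailing), else 0 with an OK line.
baseline_check() {
    changed=$(baseline_verify "$1")
    if [ -n "$changed" ]; then
        echo "ALERT: files differ from baseline $1:"
        echo "$changed"
        return 1
    fi
    echo "OK: all files in $1 match"
}

# Usage sketch (hypothetical paths); keep the baseline, and ideally a known
# good copy of sha1sum, on media a rootkit cannot write to:
#   baseline_create /mnt/usb/important.sha1 awk cut echo egrep find head id \
#       ls netstat ps strings sed
#   0 3 * * * sh /mnt/usb/check.sh /mnt/usb/important.sha1 | mail -s "rootkit check" root
```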
In this article we have looked at how to detect a rootkit and at a precaution that should be taken just after you have set up your workstation/server. I strongly recommend checking regularly for rootkits, perhaps via a cron job, and having the results emailed to you every day or every weekend. Hopefully you will never be infected by a rootkit, but if you ever are, at least you have a very good chance of detecting it.