22. Guarding Linux Against Rootkits
By Bruno of Amsterdam

Viruses, schmiruses. If you want something really scary to worry about on your Linux box, worry about rootkits. They are far more dangerous than a pesky virus. A rootkit is a toolkit an intruder installs after breaking in (the name comes from root, the Linux superuser account) to keep access to your computer and any network it's attached to while hiding the fact that anything is wrong. Rootkits hide themselves by replacing system commands or hooking the kernel, and they are started as part of the normal boot process, so by the time you run a scanner the system it runs on may already be lying to it. That is why the average antivirus scanner has so much trouble with them.

A rootkit is assembled to the taste of the intruder who installs it. It may include trojaned versions of system commands, backdoors, viruses and other malware. Rootkits can also sniff network connections and the keyboard to steal passwords and attack other computers, and they alter log files and hide processes and files to cover their presence on your computer. For more information on rootkits, see Wikipedia.

A decent firewall will block some of what a rootkit does once it is installed (the backdoor listener it opens, for instance), but it does nothing to stop the break-in that installs one, and virus scanners are no protection against rootkits at all. Running a rootkit checker regularly is strongly recommended. It looks for the signatures of known rootkits, backdoors and trojaned commands, and for the side-effects of hiding them: hidden processes, network interfaces in promiscuous mode, entries deleted from the login records.

There are two tools I recommend: chkrootkit and rkhunter.

IMPORTANT: The tips in this document require the use of command-line commands. For more information about how to read and execute Linux command-line prompts and commands, please check the Linux Clues Linux Cheat Sheet, especially Linux Prompt Basics and Linux Command-Line Nomenclature.

chkrootkit is an easy-to-use tool and is included with many distros. Log in as root and run:

# chkrootkit

For a reminder on how to log in as root, check the Linux Cheat Sheet at LinuxClues.com (the navigable, searchable companion site to Linux Explorer): Logging in and out as Root.

If your distro doesn't package it, download the latest chkrootkit.tar.gz from the chkrootkit site and compare it against the checksum published there before you use it.

Then unpack it with this command:

# tar -xvzf chkrootkit.tar.gz

That extracts the files into a directory called chkrootkit-0.46a (for the version we tested; adjust the name to the version you downloaded). Then type:

# cd chkrootkit-0.46a

Compile the program. chkrootkit itself is a shell script; the oddly named make target builds the small C helpers it calls:

# make sense

You'll see in the terminal something like:

gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
gcc -o chkutmp chkutmp.c

From there you can run chkrootkit:

# ./chkrootkit

In the terminal, you should see something like:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected

The actual list will be considerably longer, of course, covering all the commands chkrootkit knows about. chkrootkit prints its findings to the terminal, so redirect the output to a file if you want a record of the scan. A compromised command is reported as INFECTED instead of "not infected"; hidden processes, a sniffer on a network interface or deleted login records show up as Warning lines. Don't panic at a single hit: chkrootkit is known for false positives (a legitimate service listening on a port it associates with a backdoor, for instance), so find out what the flagged program actually is before you act. If the finding holds up, though, you can no longer trust anything on that system, including the tools you would use to clean it. Reinstalling the operating system from trusted media is the realistic fix; in severe cases you may need to wipe the hard disk first.

You could keep chkrootkit on your system and re-run it every week, but that's not good security. chkrootkit doesn't prevent rootkits from being installed; it merely detects them after the fact, so an intruder could conceivably install one in between your scans. Worse, chkrootkit is a shell script that relies on the system's own commands (ps, ls, netstat, strings and friends) and on the kernel answering honestly. A rootkit that has already replaced those commands or hooked the kernel can feed it clean answers, and any intruder worth his salt can also edit the copy of chkrootkit sitting on your disk so it never reports anything.

Better security is to burn chkrootkit to a CD, together with known-good copies of the commands it relies on, and run it from there next time; chkrootkit's -p option takes a directory (or a colon-separated list of directories) of trusted binaries to use instead of the ones on the suspect system. And for the most up-to-date protection, delete the chkrootkit directory after each scan, then download and compile a fresh copy. It doesn't take long, and that way you can be confident the scanner itself hasn't been tampered with.
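As an added example (not from the original article and not part of chkrootkit), here is a small POSIX shell script that turns the advice above into a cron job: it unpacks a freshly downloaded tarball into a scratch directory, builds it with make sense, runs it with -p pointing at a directory of trusted binaries (your CD), prints only the lines that need a human, and deletes the build directory again. Because cron mails whatever a job prints, a clean scan produces no mail and a finding does, which is the same effect the rkhunter section below gets from --cronjob. The tarball path, the trusted-binary directory and the crontab line are illustrative assumptions; the strings the filter looks for (INFECTED, Warning, PACKET SNIFFER) are what chkrootkit itself prints.

```shell
#!/bin/sh
# chkrootkit-cron.sh: fresh build, scan with trusted binaries, report only findings.
# Added example for this article, not part of chkrootkit. Paths are illustrative.
#
# Sample crontab line (runs nightly; cron mails any output to MAILTO):
#   0 4 * * * root /usr/local/sbin/chkrootkit-cron.sh /root/chkrootkit.tar.gz /mnt/cdrom/bin

# Filter chkrootkit output (stdin) down to the lines that need a human.
# chkrootkit reports a trojaned command as "INFECTED", hidden processes and
# suspected LKM trojans as "Warning" lines, and a sniffing interface as
# "PACKET SNIFFER"; "not infected", "not found" and "nothing found" are routine.
# Prints the flagged lines; exits 1 if there were any, 0 for a clean run.
triage_chkrootkit() {
    awk '
        /INFECTED/ || /Warning/ || /PACKET SNIFFER/ || /Possible/ { print; n++ }
        END { if (n > 0) exit 1; exit 0 }
    '
}

# Unpack and build a freshly downloaded tarball in a scratch directory, run it,
# and remove the directory again so no stale copy is left for an intruder to edit.
#   $1  chkrootkit.tar.gz (check its published checksum before running this)
#   $2  optional directory of known-good binaries (e.g. from a CD) passed to -p
# Returns: 0 clean, 1 findings, 2 unpack/build failure.
fresh_scan() {
    tarball=$1
    trusted=${2:-}
    work=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$work" || { rm -rf "$work"; return 2; }
    srcdir=$(find "$work" -mindepth 1 -maxdepth 1 -type d -name 'chkrootkit-*' | head -n 1)
    [ -n "$srcdir" ] || { rm -rf "$work"; return 2; }
    # chkrootkit itself is a shell script; "make sense" compiles its C helpers.
    ( cd "$srcdir" && make sense >/dev/null ) || { rm -rf "$work"; return 2; }
    if [ -n "$trusted" ]; then
        "$srcdir/chkrootkit" -p "$trusted" | triage_chkrootkit
    else
        "$srcdir/chkrootkit" | triage_chkrootkit
    fi
    rc=$?
    rm -rf "$work"
    return "$rc"
}

case $# in
    0) printf 'usage: %s chkrootkit.tar.gz [trusted-bin-dir]\n' "$0" >&2 ;;
    *) fresh_scan "$@" ;;
esac
```

The filter is deliberately simple and case-sensitive, so "not infected" never matches INFECTED. It does not decide for you whether a hit is real; it only makes sure a finding reaches your mailbox and a clean night does not.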

Big Game Hunting
Another option for protection against rootkits is rkhunter (Rootkit Hunter). It does a bit more than look for rootkit signatures: it performs a system-wide check for signs of tampering, including:

  • MD5 hash comparison of important binaries against known-good values
  • Files and directories known to be used by rootkits
  • Wrong file permissions on binaries
  • Suspicious strings in LKM and KLD kernel modules
  • Hidden files
  • Optional scan within plaintext and binary files

The rkhunter install file is available as a tarball. Complete download, decompress and install instructions are available in the Rootkit Hunter FAQ.

An RPM version for Mandrake/Mandriva is also available, maintained by a third party. Some distros (Slackware, for example) also require "Perl-Digest-SHA1" for a successful install.

You can find more installation tips in this thread on the Scot's Newsletter forums.

Once installed, run the program by typing:

# rkhunter -c --createlogfile

rkhunter runs its checks and writes the results, with a tip on what to do about each warning, to its log file (/var/log/rkhunter.log by default).

To ensure the security of your system, don't rely on yourself to perform manual scans. Make rkhunter a daily cron job and have it mail you the scan results. The --cronjob switch runs a non-interactive check whose plain output is suited to cron, which mails whatever the job prints to the account's MAILTO address:

# rkhunter --cronjob

For more on cron jobs, see Taming the Cron Daemon on Linux Clues.

Have fun securing your system.