locally checks for signs of a rootkit

What's chkrootkit?

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

chkrootkit: shell script that checks system binaries for rootkit modification. The following tests are made:
- asp, bindshell, z2, wted, rexedcs, sniffer, aliens, lkm, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, su, ifconfig, inetd, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, write
ifpromisc.c: checks if the interface is in promiscuous mode.
chklastlog.c: checks for lastlog deletions.
chkwtmp.c: checks for wtmp deletions.
chkproc.c: checks for signs of LKM trojans.

The following rootkits, worms and LKMs are currently detected:

lrk3, lrk4, lrk5, lrk6 (and some variants);
Solaris rootkit;
FreeBSD rootkit;
t0rn (including some variants and t0rn v8);
Ambient's Rootkit for Linux (ARK);
Ramen Worm;
rh[67]-shaper;
RSHA;
Romanian rootkit;
RK17;
Lion Worm;
Adore Worm;
LPD Worm;
kenny-rk;
Adore LKM;
ShitC Worm;
Omega Worm;
Wormkit Worm;
Maniac-RK;
dsc-rootkit.

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, FreeBSD 2.2.x, 3.x and 4.x, OpenBSD 2.6, 2.7 and 2.8, Solaris 2.5.1, 2.6 and 8.0.

More details can be found on the chkrootkit's README.

What's New

chkrootkit 0.33 is now available! (Release Date: Sat, Jun 2 2001) This version includes:

new tests added: amd, named, egrep, slogin;
ShitC Worm detection;
Omega Worm detection;
Wormkit Worm detection;
dsc-rootkit detection;
new ports added to the bindshell test: 1524, 5665, 60001, 10008, 12321;
chklastlog bug fix (thanks to Rudolf Leitgeb);
some bug fixes.

Download

The following files are available for downloading:

Latest Source tarball (15372 bytes)
tarball's MD5 signature

License Information

chkrootkit is free software. License information is available at chkrootkit's COPYRIGHT file.

Mailing List

To subscribe:


echo "subscribe users your email" | mail majordomo@chkrootkit.org

FAQ

How does chkrootkit detect a trojaned system command?
chkrootkit looks for known "signatures" in trojaned system binaries. For example, some trojaned versions of ps have "/dev/ptyp" inside them.
Obviously an attacker can easily modify the rootkit sources to change its signatures and avoid chkrootkit detection. See next question.
Can chkrootkit detect modified (or new) rootkit versions?
If chkrootkit can't find a known signature inside a file, it can't automatically determine if it has been trojaned. Try to run chkrootkit in expert mode (-x option) -- in this mode the user can examine suspicious strings in the binary programs that may indicate a trojan.
For example, lots of data can be seen with:
```
# ./chkrootkit -x | more
```
Pathnames inside system commands:
```
# ./chkrootkit -x | egrep '^/'
```
Why haven't you written chkrootkit in Perl?
Not all systems have Perl available. The motivation was to write a simple tool that could be run in systems with minimal installation.
Which commands does chkrootkit use?
The following commands are used by the chkrootkit script:
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname
Can I trust these commands on a compromised machine?
Probably not. We suggest you follow one of the alternatives below:
1. Use the `-p path' option to supply an alternate path to binaries you trust:
```
# ./chkrootkit -p /cdrom/bin
```
2. Mount the compromised machine's disk on a machine you trust and specify a new rootdir with the `-r rootdir' option:
```
# ./chkrootkit -r /mnt
```
How accurate is chkproc?
If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

Contacting the Authors

Please send comments, new rootkits, questions and bug reports to Nelson Murilo <nelson@pangeia.com.br> (main author) and Klaus Steding-Jessen <jessen@nic.br> (co-author).

Related Links

At the root of rootkits, by Chris Prosise and Saumil Udayan Shah, Security Issues column, CNET Builder.com (1/25/2001).
Detecting rootkits, by Chris Prosise and Saumil Udayan Shah, Security Issues column, CNET Builder.com (2/8/2001).
"Root Kits" and hiding files/directories/processes after a break-in, by Dave Dittrich (Draft).
Know Your Enemy: part III, "They Gain Root", by Lance Spitzner.
Rootkits: How Intruders Hide, by David Brumley.
invisible intruders: rootkits in practice, by David Brumley, published in ;login:, Special Issue: Intrusion Detection (Sept. 1999).
Recognizing and Recovering from Rootkit Attacks, by David O'Brien, published in Sys Admin 5(11) (November 1996), pp. 8-20.
Through the Looking Glass: Finding Evidence of Your Cracker, by Chris Kuethe, published in Issue 36 of Linux Gazette, January 1999.
(nearly) Complete Linux Loadable Kernel Modules -- the definitive guide for hackers, virus coders and system administrators, by pragmatic / THC, version 1.0, released 03/1999.
Attacking FreeBSD with Kernel Modules -- The System Call Approach, by pragmatic / THC, version 1.0, released 06/1999
Solaris Loadable Kernel Modules -- Attacking Solaris with loadable kernel modules, by Plasmoid / THC , version 1.0, (c) 1999.
Detecting Loadable Kernel Modules (LKM), by Toby Miller. This paper covers LKM basics, detecting trojaned LKM's and figuring out which LKM is installed on your machine.
Abuse of the Linux Kernel for Fun and Profit, by halflife, Phrack 50, April 9, 1997.
Analysis of the T0rn rootkit, by Toby Miller.
Analysis of the KNARK rootkit, by Toby Miller.
check-ps, by Duncan Simpson, is a program that is designed to detect rootkit versions of ps that fail to tell you about selected processes.
rkscan, by Stéphane Aubert, is a kernel-based module rootkit scanner for Linux. It detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
rkdet, by Andrew Daviel, is a daemon intended to catch someone installing a rootkit or running a packet sniffer.
Widespread Compromises via "ramen" Toolkit, CERT Incident Note IN-2001-01.
Ramen Internet Worm Analysis, by Max Vision.
ramenfind, by William Stearns, is a tool to detect and remove the Ramen Worm from infected Linux machines.
Lion Worm, security advisory written by Matt Fearnow and William Stearns.
lionfind, by William Stearns, is a tool to detect the Lion Worm on infected Linux machines.
Protection Against The Lion Worm By Chris Brenton.
Adore Worm, security advisory written by Matt Fearnow and William Stearns.
adorefind, by William Stearns, is a tool to detect and remove the Adore Worm on infected Linux machines.
Carbonite v1.0, by Kevin Mandia and Keith J. Jones is a Linux Kernel Module to aid in rootkit detection.
Other security related links

Acknowledgments

Agustin Navarro (debug help)
Alberto Courrege Gomide (debug help)
Andre Gustavo de Carvalho Albuquerque (debug help, performance and Solaris patches)
Dave Ansalvish (Solaris debug help)
Bruno Lopes (debug help)
Daniel Lafraia (source code addition)
Josh Karp (debug help for Solaris 8)
Klaus Steding-Jessen (debug help, lots of good suggestions and Perl code for LKM checks, code revision)
Paulo C. Marques F. (debug help)
Pedro Vazquez (lots of good suggestions)
Richard Eisenman (Red Hat support)
Manfred Bartz (debug help)
Luiz E. R. Cordeiro (debug help)
Vince Hillier (debug help)
Steve Campbell (Solaris bug fixes)
Strashimir Mihnev (new rootkit)
Patrick Duane Dunston (Adore LKM detection)
Rudolf Leitgeb (chklastlog bug fix)

Last modified: Sun Jun 3 13:54:46 2001