          chkrootkit -- locally checks for signs of a rootkit

                           What's chkrootkit?

chkrootkit is a tool to locally check for signs of a rootkit [1]. It
contains:
  * chkrootkit: shell script that checks system binaries for rootkit
    modification. The following tests are made:

    * asp, bindshell, z2, wted, rexedcs, sniffer, aliens, lkm, amd,
      basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep,
      env, find, fingerd, gpm, grep, su, ifconfig, inetd, identd,
      killall, login, ls, mail, mingetty, netstat, named, passwd,
      pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin,
      sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed,
      traceroute, write

  * ifpromisc.c: checks if the interface is in promiscuous mode.
  * chklastlog.c: checks for lastlog deletions.
  * chkwtmp.c: checks for wtmp deletions.
  * chkproc.c: checks for signs of LKM trojans.

The following rootkits, worms and LKMs are currently detected:
  * lrk3, lrk4, lrk5, lrk6 (and some variants);
  * Solaris rootkit;
  * FreeBSD rootkit;
  * t0rn (including some variants and t0rn v8);
  * Ambient's Rootkit for Linux (ARK);
  * Ramen Worm;
  * rh[67]-shaper;
  * RSHA;
  * Romanian rootkit;
  * RK17;
  * Lion Worm;
  * Adore Worm;
  * LPD Worm;
  * kenny-rk;
  * Adore LKM;
  * ShitC Worm;
  * Omega Worm;
  * Wormkit Worm;
  * Maniac-RK;
  * dsc-rootkit.

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, FreeBSD 2.2.x, 3.x
and 4.x, OpenBSD 2.6, 2.7 and 2.8, Solaris 2.5.1, 2.6 and 8.0.

More details can be found in chkrootkit's README [2].

                               What's New

chkrootkit 0.33 is now available! (Release Date: Sat, Jun 2 2001) This
version includes:
  * new tests added: amd, named, egrep, slogin;
  * ShitC Worm detection;
  * Omega Worm detection;
  * Wormkit Worm detection;
  * dsc-rootkit detection;
  * new ports added to the bindshell test: 1524, 5665, 60001, 10008,
    12321;
  * chklastlog bug fix (thanks to Rudolf Leitgeb);
  * some bug fixes.

                                Download

The following files are available for downloading:
  * Latest Source tarball [3] (15372 bytes)
  * tarball's MD5 signature [4]

                          License Information

chkrootkit is free software. License information is available in
chkrootkit's COPYRIGHT [5] file.

                              Mailing List

To subscribe:

echo "subscribe users your email" | mail majordomo@chkrootkit.org

                                  FAQ

  * How does chkrootkit detect a trojaned system command?

chkrootkit looks for known "signatures" in trojaned system binaries.
For example, some trojaned versions of ps have "/dev/ptyp" inside them.

Obviously an attacker can easily modify the rootkit sources to change
its signatures and avoid chkrootkit detection. See next question.

------------------------------------------------------------------------
  * Can chkrootkit detect modified (or new) rootkit versions?

If chkrootkit can't find a known signature inside a file, it can't
automatically determine if it has been trojaned. Try to run chkrootkit
in expert mode (-x option) -- in this mode the user can examine
suspicious strings in the binary programs that may indicate a trojan.

For example, lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'
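The two answers above describe the same mechanism from both sides: a known byte string inside a binary is a signature, and the expert-mode dump shows every embedded string so a person can judge the unknown ones. The block below is an added illustration in Python written for this page, not chkrootkit's own shell code. The only real signature in it is the "/dev/ptyp" string the FAQ names for ps; the "ls" entry and the two fake binaries are constructed placeholders, and the strings(1)-style heuristic (runs of four or more printable bytes) is an assumption about how the expert-mode dump is produced.

```python
"""Signature check and "expert mode" string dump, in the spirit of the
chkrootkit FAQ. Added example, not chkrootkit's own code."""
import os
import re
from typing import Dict, List, Optional

# Known signatures per binary: byte strings that known trojaned versions
# contain. "/dev/ptyp" is the ps example from the FAQ; the "ls" entry is a
# constructed placeholder, not a real rootkit signature.
SIGNATURES: Dict[str, List[bytes]] = {
    "ps": [b"/dev/ptyp"],
    "ls": [b"PLACEHOLDER_LS_SIGNATURE"],
}

# Runs of 4 or more printable ASCII bytes: the heuristic strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> List[str]:
    """Printable strings embedded in a binary (what `strings` would print)."""
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(data)]


def check_signatures(name: str, data: bytes) -> List[str]:
    """Signatures for binary `name` that occur in `data`. An empty list only
    means no *known* signature matched; it does not prove the binary is clean."""
    return [sig.decode("ascii") for sig in SIGNATURES.get(name, []) if sig in data]


def pathnames(data: bytes) -> List[str]:
    """Expert-mode view: embedded strings that look like pathnames, i.e. what
    `chkrootkit -x | egrep '^/'` would show for one binary."""
    return [s for s in extract_strings(data) if s.startswith("/")]


def scan_binary(path: str, name: Optional[str] = None) -> dict:
    """Read a binary from disk and report both views. `name` defaults to the
    file's basename so the matching signature list is used."""
    name = name or os.path.basename(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {"matches": check_signatures(name, data), "paths": pathnames(data)}


# Constructed stand-ins for a clean and a trojaned ps binary (not real files).
CLEAN_PS = b"\x7fELF\x01\x01" + b"/proc\x00" + b"%5d %s\x00" + b"/etc/passwd\x00"
TROJANED_PS = CLEAN_PS + b"/dev/ptyp\x00hidden\x00"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PS), ("trojaned", TROJANED_PS)):
        print(label, "matches:", check_signatures("ps", blob),
              "paths:", pathnames(blob))
```

`scan_binary("/bin/ps")` applies both views to a real file; as the next FAQ entry says, a binary whose signature strings were changed yields an empty match list, which is why the pathname dump is there for a human to read.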

------------------------------------------------------------------------
  * Why haven't you written chkrootkit in Perl?

Not all systems have Perl available. The motivation was to write a
simple tool that could be run on systems with a minimal installation.

------------------------------------------------------------------------
  * Which commands does chkrootkit use?

The following commands are used by the chkrootkit script:

awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed,
uname

------------------------------------------------------------------------
  * Can I trust these commands on a compromised machine?

Probably not. We suggest you follow one of the alternatives below:

    * Use the `-p path' option to supply an alternate path to binaries
      you trust:

# ./chkrootkit -p /cdrom/bin

    * Mount the compromised machine's disk on a machine you trust and
      specify a new rootdir with the `-r rootdir' option:

# ./chkrootkit -r /mnt

------------------------------------------------------------------------
  * How accurate is chkproc?

If you run chkproc on a server that runs lots of short-lived processes,
it could report some false positives. chkproc compares the ps output
with the /proc contents. If processes are created or killed during this
operation, chkproc could point out those PIDs as suspicious.
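An added example (Python, written for this page; chkproc itself is C code shipped with chkrootkit) of the comparison just described, plus one way to reduce the false positives it warns about: take the /proc listing and the ps output more than once and only report PIDs that are hidden in every sample. Live collection assumes a Linux-style /proc and a ps that accepts `-e -o pid=`; the two sample PID sets at the bottom are constructed.

```python
"""chkproc-style comparison of ps output against /proc, with repeated
sampling to suppress false positives from short-lived processes.
Added example, not chkrootkit's chkproc."""
import os
import subprocess
from typing import Iterable, List, Optional, Set, Tuple

Sample = Tuple[Set[int], Set[int]]  # (pids seen in /proc, pids reported by ps)


def proc_pids(proc_dir: str = "/proc") -> Set[int]:
    """PIDs present as numeric directories under /proc (Linux layout assumed)."""
    return {int(entry) for entry in os.listdir(proc_dir) if entry.isdigit()}


def ps_pids(ps_cmd: str = "ps") -> Set[int]:
    """PIDs that ps is willing to report. `ps_cmd` lets you point at a
    trusted copy of ps, in the spirit of chkrootkit's -p option."""
    out = subprocess.run([ps_cmd, "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_in_sample(sample: Sample) -> Set[int]:
    """PIDs that exist in /proc but that ps does not show: what chkproc flags."""
    in_proc, in_ps = sample
    return in_proc - in_ps


def confirmed_hidden(samples: Iterable[Sample]) -> Set[int]:
    """Report a PID only if it is hidden in *every* sample. A process that
    exited between the /proc listing and the ps run appears in one sample
    but not the next, so the intersection drops it; a genuinely hidden
    process persists across samples."""
    hidden: Optional[Set[int]] = None
    for sample in samples:
        current = hidden_in_sample(sample)
        hidden = current if hidden is None else hidden & current
    return hidden if hidden is not None else set()


def take_samples(count: int = 3) -> List[Sample]:
    """Live collection (Linux only): list /proc, then run ps, `count` times."""
    return [(proc_pids(), ps_pids()) for _ in range(count)]


# Constructed samples: PID 4242 is missing from ps in both; 5001 and 5002 are
# short-lived processes that exited between the /proc listing and the ps run.
SAMPLE_1: Sample = ({1, 2, 100, 4242, 5001}, {1, 2, 100})
SAMPLE_2: Sample = ({1, 2, 100, 4242, 5002}, {1, 2, 100})

if __name__ == "__main__":
    print("single sample flags:", sorted(hidden_in_sample(SAMPLE_1)))
    print("confirmed across samples:",
          sorted(confirmed_hidden([SAMPLE_1, SAMPLE_2])))
```

A single sample flags both 4242 and the transient 5001; the intersection of two samples keeps only 4242. On a very busy box a PID can still be reused between samples, so treat a confirmed hit as something to examine, not as proof by itself.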

------------------------------------------------------------------------
  * I'm running PortSentry/klaxon. What's wrong with the bindshell
    test?

If you're running PortSentry/klaxon or another program that binds
itself to unused ports, chkrootkit will probably give you a false
positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp,
1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp,
23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp,
47017/tcp, 47889/tcp, 60001/tcp).
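An added example (Python, not chkrootkit's own bindshell test) of checking listening ports against the list above while letting an administrator account for a port-scanner trap: the netstat lines are constructed and assume the Linux `netstat -an` column layout, and the set of ports PortSentry/klaxon is expected to bind is whatever the administrator supplies (1524 here is an assumption).

```python
"""Bindshell-style port check over netstat output, separating listeners
the administrator has accounted for from ones that still need explaining.
Added example, not chkrootkit's own test."""
from typing import Dict, Iterable, Set

# The ports the page's bindshell test looks at.
BINDSHELL_PORTS: Set[int] = {114, 465, 511, 1008, 1524, 1999, 3879, 5665,
                             10008, 12321, 23132, 27374, 29364, 31336, 31337,
                             45454, 47017, 47889, 60001}


def listening_tcp_ports(netstat_lines: Iterable[str]) -> Set[int]:
    """Parse `netstat -an` output in the Linux layout assumed here (proto,
    recv-q, send-q, local address, foreign address, state) and return the
    local TCP ports in LISTEN state. Header, UDP and non-listening lines
    are ignored."""
    ports: Set[int] = set()
    for line in netstat_lines:
        fields = line.split()
        if (len(fields) < 6 or not fields[0].startswith("tcp")
                or fields[-1] != "LISTEN"):
            continue
        _host, _sep, port = fields[3].rpartition(":")  # works for ":::22" too
        if port.isdigit():
            ports.add(int(port))
    return ports


def bindshell_report(netstat_lines: Iterable[str],
                     expected_listeners: Iterable[int] = ()) -> Dict[str, Set[int]]:
    """Hits on the bindshell port list, split into ports an administrator has
    accounted for (e.g. those PortSentry is configured to bind) and ports
    that are still unexplained."""
    expected = set(expected_listeners)
    hits = listening_tcp_ports(netstat_lines) & BINDSHELL_PORTS
    return {"unexplained": hits - expected, "explained": hits & expected}


# Constructed netstat -an lines: sshd on 22, a PortSentry trap on 1524, and
# an unexplained listener on 31337.
NETSTAT_SAMPLE = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
""".strip().splitlines()

if __name__ == "__main__":
    print(bindshell_report(NETSTAT_SAMPLE, expected_listeners={1524}))
```

Keeping the expected-listener set in configuration rather than editing the port list means a new, unexplained listener on one of these ports still shows up even on a host that legitimately runs PortSentry.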

                                                 
                         Contacting the Authors  
                                                 
Please send comments, new rootkits, questions and bug reports to Nelson
Murilo <nelson@pangeia.com.br> [6] (main author) and Klaus
Steding-Jessen <jessen@nic.br> [7] (co-author).

                            Related Links [8]

  * At the root of rootkits [9], by Chris Prosise and Saumil Udayan
    Shah, Security Issues column, CNET Builder.com (1/25/2001).
  * Detecting rootkits [10], by Chris Prosise and Saumil Udayan Shah,
    Security Issues column, CNET Builder.com (2/8/2001).
  * "Root Kits" and hiding files/directories/processes after a break-in
    [11], by Dave Dittrich (Draft).
  * Know Your Enemy: part III, "They Gain Root" [12], by Lance
    Spitzner.
  * Rootkits: How Intruders Hide [13], by David Brumley.
  * invisible intruders: rootkits in practice [14], by David Brumley,
    published in ;login:, Special Issue: Intrusion Detection (Sept.
    1999).
  * Recognizing and Recovering from Rootkit Attacks [15], by David
    O'Brien, published in Sys Admin 5(11) (November 1996), pp. 8-20.
  * Through the Looking Glass: Finding Evidence of Your Cracker [16],
    by Chris Kuethe, published in Issue 36 of Linux Gazette, January
    1999.
  * (nearly) Complete Linux Loadable Kernel Modules -- the definitive
    guide for hackers, virus coders and system administrators [17], by
    pragmatic / THC, version 1.0, released 03/1999.
  * Attacking FreeBSD with Kernel Modules -- The System Call Approach
    [18], by pragmatic / THC, version 1.0, released 06/1999.
  * Solaris Loadable Kernel Modules -- Attacking Solaris with loadable
    kernel modules [19], by Plasmoid / THC, version 1.0, (c) 1999.
  * Detecting Loadable Kernel Modules (LKM) [20], by Toby Miller. This
    paper covers LKM basics, detecting trojaned LKMs and figuring out
    which LKM is installed on your machine.
  * Abuse of the Linux Kernel for Fun and Profit [21], by halflife,
    Phrack 50, April 9, 1997.
  * Analysis of the T0rn rootkit [22], by Toby Miller.
  * Analysis of the KNARK rootkit [23], by Toby Miller.
  * check-ps [24], by Duncan Simpson, is a program that is designed to
    detect rootkit versions of ps that fail to tell you about selected
    processes.
  * rkscan [25], by Stephane Aubert, is a kernel-based module rootkit
    scanner for Linux. It detects Adore (v0.14, v0.2b and v0.24) and
    knark (v0.59).
  * rkdet [26], by Andrew Daviel, is a daemon intended to catch
    someone installing a rootkit or running a packet sniffer.
  * Widespread Compromises via "ramen" Toolkit [27], CERT Incident
    Note IN-2001-01.
  * Ramen Internet Worm Analysis [28], by Max Vision.
  * ramenfind [29], by William Stearns, is a tool to detect and remove
    the Ramen Worm from infected Linux machines.
  * Lion Worm [30], security advisory written by Matt Fearnow and
    William Stearns.
  * lionfind [31], by William Stearns, is a tool to detect the Lion
    Worm on infected Linux machines.
  * Protection Against The Lion Worm [32], by Chris Brenton.
  * Adore Worm [33], security advisory written by Matt Fearnow and
    William Stearns.
  * adorefind [34], by William Stearns, is a tool to detect and remove
    the Adore Worm on infected Linux machines.
  * Carbonite v1.0 [35], by Kevin Mandia and Keith J. Jones, is a Linux
    Kernel Module to aid in rootkit detection.
  * Other security related links [36]

                            Acknowledgments

  * Agustin Navarro (debug help)
  * Alberto Courrege Gomide (debug help)
  * Andre Gustavo de Carvalho Albuquerque (debug help, performance and
    Solaris patches)
  * Dave Ansalvish (Solaris debug help)
  * Bruno Lopes (debug help)
  * Daniel Lafraia (source code addition)
  * Josh Karp (debug help for Solaris 8)
  * Klaus Steding-Jessen (debug help, lots of good suggestions and Perl
    code for LKM checks, code revision)
  * Paulo C. Marques F. (debug help)
  * Pedro Vazquez (lots of good suggestions)
  * Richard Eisenman (Red Hat support)
  * Manfred Bartz (debug help)
  * Luiz E. R. Cordeiro (debug help)
  * Vince Hillier (debug help)
  * Steve Campbell (Solaris bug fixes)
  * Strashimir Mihnev (new rootkit)
  * Patrick Duane Dunston (Adore LKM detection)
  * Rudolf Leitgeb (chklastlog bug fix)

------------------------------------------------------------------------
 [37] Last modified: Sun Jun 3 13:54:46 2001
----------
Site notes:
  [1] #related_links
  [2] README
  [3] ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  [4] ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
  [5] COPYRIGHT
  [6] mailto:nelson@pangeia.com.br
  [7] mailto:jessen@nic.br
  [8] related_links
  [9] http://quickenexcite.cnet.com/webbuilding/0-7532-8-4561014-1.html?tag=st.bl.7532-8-4561014-5.txt.7532-8-4561014-1
  [10] http://quickenexcite.cnet.com/webbuilding/0-7532-8-4720241-1.html?tag=st.bl.7532.edt.7532-8-4720241-1
  [11] http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
  [12] http://project.honeynet.org/papers/enemy3/
  [13] http://www.stanford.edu/~dbrumley/Me/rootkits-desc.txt
  [14] http://www.usenix.org/publications/login/1999-9/features/rootkits.html
  [15] http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html
  [16] http://www.linuxgazette.com/issue36/kuethe.html
  [17] http://packetstorm.securify.com/docs/hack/LKM_HACKING.html
  [18] http://packetstorm.securify.com/papers/unix/bsdkern.htm
  [19] http://packetstorm.securify.com/groups/thc/slkm-1.0.html
  [20] http://members.prestige.net/tmiller12/papers/lkm.htm
  [21] http://phrack.infonexus.com/search.phtml?view&article=p50-5
  [22] http://www.sans.org/y2k/t0rn.htm
  [23] http://www.securityfocus.com/templates/forum_message.html?forum=2&head=4871&id=4871
  [24] http://sourceforge.net/projects/checkps/
  [25] http://www.hsc.fr/ressources/outils/rkscan/index.html.en
  [26] http://vancouver-webpages.com/rkdet/
  [27] http://www.cert.org/incident_notes/IN-2001-01.html
  [28] http://www.whitehats.com/library/worms/ramen/index.html
  [29] http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.html
  [30] http://www.sans.org/y2k/lion.htm
  [31] http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.html
  [32] http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionprotection.htm
  [33] http://www.sans.org/y2k/adore.htm
  [34] http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.html
  [35] http://www.incident-response.org/Carbonite.htm
  [36] http://www.nic.br/links.html
  [37] http://validator.w3.org/check/referer
