Installing CHKROOTKIT

Compiling and using chkrootkit is very simple.
Below is the procedure for downloading, compiling and running it on a machine WITHOUT any rootkits identified by CHKROOTKIT.

[macno@95 macno]$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
--13:08:30--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... done.
Connecting to ftp.pangeia.com.br[200.239.53.35]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PORT ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 24,478 (unauthoritative)

100%[===============================================================================================>] 24,478         6.91K/s    ETA 00:00

13:08:38 (6.91 KB/s) - `chkrootkit.tar.gz' saved [24478]

[macno@95 macno]$ tar -zxvf chkrootkit.tar.gz
chkrootkit-pre-0.36
chkrootkit-pre-0.36/COPYRIGHT
chkrootkit-pre-0.36/Makefile
chkrootkit-pre-0.36/README
chkrootkit-pre-0.36/README.chklastlog
chkrootkit-pre-0.36/README.chkwtmp
chkrootkit-pre-0.36/check_wtmpx.c
chkrootkit-pre-0.36/chklastlog.c
chkrootkit-pre-0.36/chkproc.c
chkrootkit-pre-0.36/chkrootkit
chkrootkit-pre-0.36/chkrootkit.lsm
chkrootkit-pre-0.36/chkwtmp.c
chkrootkit-pre-0.36/ifpromisc.c
chkrootkit-pre-0.36/strings.c
[macno@95 macno]$ cd chkrootkit-pre-0.36/
[macno@95 chkrootkit-pre-0.36]$ cat README
                             chkrootkit V. 0.36

          Nelson Murilo (main author)
            Klaus Steding-Jessen (co-author)

          This program locally checks for signs of a rootkit.
         chkrootkit is available at: http://www.chkrootkit.org/


                 No illegal activities are encouraged!
         I'm not responsible for anything you may do with it.

           This tool includes software developed by the
           DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp),
           and small portions of ifconfig developed by
           Fred N. van Kempen, .


1. What's chkrootkit?
---------------------

chkrootkit is a tool to locally check for signs of a rootkit.  It
contains:

* chkrootkit: a shell script that checks system binaries for
   rootkit modification.  The following tests are made:

   aliens asp bindshell lkm rexedcs sniffer wted z2 amd basename biff
   chfn chsh cron date du dirname echo egrep env find fingerd gpm grep
   hdparm su ifconfig inetd inetdconf identd killall ldsopreload login
   ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps
   pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd
   top telnetd timed traceroute write

* ifpromisc.c: checks if the network interface is in promiscuous
   mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions.  (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification
will be detected.

Aliens tries to find sniffer logs and rootkit config files.  It looks
for some default file locations -- so it is also not guaranteed it
will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir
system call.  This could be the indication of a LKM trojan.  You can
also run this command with the -v option (verbose).


2. Rootkits, Worms and LKMs detected
------------------------------------

The following rootkits, worms and LKMs are currently detected:
Solaris rootkit, FreeBSD rootkit, lrk3, lrk4, lrk5, lrk6, t0rn (and
t0rn v8), some lrk variants, Ambient's Rootkit for Linux (ARK), Ramen
Worm, rh[67]-shaper, RSHA, Romanian rootkit, RK17, Lion Worm, Adore
Worm, LPD Worm, kenny-rk, Adore LKM, ShitC Worm, Omega Worm, Wormkit
Worm, dsc-rootkit, RST.b, duarawkz, knark LKM, Monkit, Hidrootkit,
Bobkit, Pizdakit, t0rn (v8.0 variant), Showtee, Optickit, T.R.K,
MithRa's Rootkit, George and SucKIT.


3. Supported Systems
--------------------

chkrootkit has been tested on: Linux 2.0.x, 2.2.x and 2.4.x, FreeBSD
2.2.x, 3.x and 4.x, Solaris 2.5.1, OpenBSD 2.x and 3.x.


4. Package Contents
-------------------

README
README.chklastlog
README.chkwtmp
COPYRIGHT
chkrootkit.lsm

Makefile
chklastlog.c
chkproc.c
chkwtmp.c
check_wtmpx.c
ifpromisc.c
strings.c

chkrootkit


5. Installation
---------------

To compile the C programs type:

# make sense

After that it is ready to use and you can simply type:

# ./chkrootkit


6. Usage
--------

chkrootkit must run as root.  The simplest way is:

# ./chkrootkit

This will perform all tests.  You can also specify only the tests you
want, as shown below:

Usage: ./chkrootkit [options] [testname ...]
Options:
         -h                show this help and exit
         -V                show version information and exit
         -l                show available tests
         -d                debug
         -q                quiet mode
         -x                expert mode
         -r dir            use dir as the root directory
         -p dir1:dir2:dirN path for the external commands used by chkrootkit

Where testname stands for one or more from the following list:

aliens asp bindshell lkm rexedcs sniffer wted z2 amd basename biff
chfn chsh cron date du dirname echo egrep env find fingerd gpm grep
hdparm su ifconfig inetd inetdconf identd killall ldsopreload login
ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps
pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd
top telnetd timed traceroute write

For example, the following command checks for trojaned ps and ls
binaries and also checks if the network interface is in promiscuous
mode.

   # ./chkrootkit ps ls sniffer

The `-q' option can be used to put chkrootkit in quiet mode -- in
this mode only output messages with `infected' status are shown.

With the `-x' option the user can examine suspicious strings in the
binary programs that may indicate a trojan -- all the analysis is
left to the user.

Lots of data can be seen with:

   # ./chkrootkit -x | more

Pathnames inside system commands:

   # ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut,
egrep, find, head, id, ls, netstat, ps, strings, sed, uname.  It is
possible, with the `-p' option, to supply an alternate path to
chkrootkit so it won't use the system's (possibly) compromised
binaries to make its tests.

To use, for example, binaries in /cdrom/bin:

   # ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a `:'

   # ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes it is a good idea to mount the disk from a compromised machine
on a machine you trust.  Just mount the disk and specify a new
rootdir with the `-r' option.

For example, suppose the disk you want to check is mounted under
/mnt, then:

   # ./chkrootkit -r /mnt


7. Output Messages
------------------

The following messages are printed by chkrootkit (except with the -x
and -q command options) during its tests:

   "INFECTED": the test has identified a command probably modified by
   a known rootkit;

   "not infected": the test didn't find any known rootkit signature.

   "not tested": the test was not performed -- this could happen in
   the following situations:
     a) the test is OS specific;
     b) the test depends on an external program that is not available;
     c) some specific command line options are given. (e.g. -r ).

   "not found": the command to be tested is not available;

   "Vulnerable but disabled": the command is infected but not in use.
   (not running or commented in inetd.conf)


8. A trojaned command has been found.  What should I do now?
------------------------------------------------------------

Your biggest problem is that your machine has been compromised and
this bad guy has root privileges.

Maybe you can solve the problem by just replacing the trojaned
command -- the best way is to reinstall the machine from a safe media
and to follow your vendor's security recommendations.


9. Reports and questions
------------------------

Please send comments, questions and bug reports to
nelson@pangeia.com.br and jessen@nic.br.

A simple FAQ and Related information about rootkits and security can
be found at chkrootkit's homepage, http://www.chkrootkit.org.


10. Acknowledgments
-------------------

Agustin Navarro, anavarro@vip.eniac.com (debug help)
Alberto Courrege Gomide, gomide@gomide.com (debug help)
Andre Gustavo de Carvalho Albuquerque, gustavo@visualnet.com.br
(debug help, performance and Solaris patches)
Dave Ansalvish, davea@jcs.mil (Solaris debug help)
Bruno Lopes, bruno@openline.com.br (debug help)
Daniel Lafraia, lafraia@iron.com.br (source code addition)
Josh Karp, jkarp@jother.com (debug help for Solaris 8)
Klaus Steding-Jessen, jessen@acm.org (debug help, lots of good
suggestions and Perl code for LKM checks)
Paulo C. Marques F., paul@u-netsys.com.br (debug help)
Pedro Vazquez, vazquez@iqm.unicamp.br (lots of good suggestions)
Richard Eisenman, richarde@tricity.wsu.edu (Red Hat support)
Manfred Bartz, mob@logi.cc (debug help)
Luiz E. R. Cordeiro, cordeiro@iqm.unicamp.br (debug help)
Vince Hillier, vince@lansystems.com (debug help)
Steve Campbell, steve@computurn.com (Solaris bug fixes)
Strashimir Mihnev, strasho@mail.ru (new rootkit)
Patrick Duane Dunston, duane@duane.yi.org (Adore LKM detection)
Rudolf Leitgeb, r.leitgeb@kreuzgruber.com (chklastlog bug fix)
Marcos Aguinaldo Forquesato, guina@ccuec.unicamp.br (Solaris debug)
scz, scz@nsfocus.com (check_wtmpx code)
Yaroslav Polyakov, xenon@inetlab.com (inetdconf function)
Andreas Tirok, Andreas.Tirok@beusen.de (chklastlog patch)
Sean D. True (strings.c)
Leif Neland, leif@neland.dk (duarawkz rootkit)
Kaveh Goudarzi (Pizdakit rootkit)
m0xx (monkit and Bobkit rootkits)
Bob Grabowsky and Mihai Sandu (t0rn v8.0 variant)
Razvan Cosma (new rootkit)
Kostya Kortchinsky (chkproc patch)
Frank Haverkamp (new rootkit)
Ludovic Drolez (new rootkit)
Dan Irwin (new rootkit)
Anton Chuvakin (new rootkit)
Steve Collins (new rootkit)
Indra Kusuma (new rootkit)
Mark Newby (new rootkit)
anonymous (new rootkit)


11. ChangeLog
-------------

02/20/1997 - Initial release
02/25/1997 - Version 0.4, formal testing.
03/30/1997 - Version 0.5, suspect files routine added.
06/11/1997 - Version 0.6, minor fixes and Debian compatibility.
06/24/1997 - Version 0.7, FreeBSD compatibility fixed.
08/07/1997 - Version 0.8, yet another FreeBSD compatibility and
                           RedHat PAM fixed.
04/02/1998 - Version 0.9, new r00tkits versions support.
07/03/1998 - Version 0.10, other types of r00tkits supported.
10/15/1998 - Version 0.11, bug found by Alberto Courrege Gomide fixed.
11/30/1998 - Version 0.12, lrk4 support added.
12/26/1998 - Version 0.13, minor fixes for Red Hat and glibc users.
06/14/1999 - Version 0.14, Sun/Solaris initial support added.
04/29/2000 - Version 0.15, lrk5 features added and minor fixes.
07/09/2000 - Version 0.16, new r00tkits types support and contrib patches.
09/16/2000 - Version 0.17, more contrib patches, rootkit types and
                            Loadable Kernel Modules (LKM) trojan checking
                            added.
10/08/2000 - Version 0.18, new rootkit types support and many bug fixes.
12/24/2000 - Version 0.19, -r, -p, -l options added.  ARK support
                            added.  Some bug fixes.
01/18/2001 - Version 0.20, Ramen Worm and latest t0rnkit detection,
                            temporary check for promisc mode disabled
                            on Solaris boxes.
01/19/2001 - Version 0.21, Corrects a bug in the Ramen Worm detection.
01/26/2001 - Version 0.22, chklastlog core dump bug fixed, login and
                            bindshell false positives fixed, cron test
                            improvement.
03/12/2001 - Version 0.23, lrk6, rh[67]-shaper, RSHA and Romanian
                            rootkit detection.  Test for shell history
                            file anomalies.  More ports added to the
                            bindshell test.
03/15/2001 - Version 0.23a fixes a bug found in the cron and
                            bindshell tests.

03/22/2001 - Version 0.30  lots of new tests added.  RK17 and Lion
                            Worm detection.
04/07/2001 - Version 0.31  new tests: gpm, rlogind, mgetty.  Adore
                            Worm detection.  Some bug fixes.
05/07/2001 - Version 0.32  t0rn v8, LPD Worm, kenny-rk and Adore LKM
                            detection. Some Solaris bug fixes.
06/02/2001 - Version 0.33  new tests added.  ShitC, Omega and Wormkit
                            Worm detection.  dsc-rootkit detection.
                            Some bug fixes.
09/19/2001 - Version 0.34  new tests added.  check_wtmpx.c added.
                            Ducoci rootkit and x.c Worm detection.
                            `-q' option added.
01/17/2002 - Version 0.35  tests added: lsof and ldsopreload.
                            strings.c added.  Ports added to the
                            bindshell test.  RST.b, duarawkz, knark
                            LKM, Monkit, Hidrootkit, Bobkit, Pizdakit,
                            t0rn v8.0 (variant) detection.
06/15/2002 - Version 0.36  test added: w.  chkproc.c additions.
                            Showtee, Optickit, T.R.K, MithRa's
                            Rootkit, George and SucKIT detection.

-------------- Thx for using chkrootkit ----------------
[macno@95 chkrootkit-pre-0.36]$ make sense
gcc -DHAVE_LASTLOG_H   -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H   -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H    -o ifpromisc ifpromisc.c
gcc  -o chkproc chkproc.c
gcc  -o check_wtmpx check_wtmpx.c
gcc -static  -o strings strings.c
[macno@95 chkrootkit-pre-0.36]$ ./chkrootkit
./chkrootkit need root privileges
[macno@95 chkrootkit-pre-0.36]$ su
Password:
[root@95 chkrootkit-pre-0.36]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.1/i386-linux/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted
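The run above ends with every command "not infected" and nothing found, but on a host that is checked regularly (from cron, say) somebody has to read the output and act on it. The helper below is an added example, not code from this page or from the chkrootkit project: it parses a saved chkrootkit report using the status words documented in README section 7, lists the commands flagged as "INFECTED" or "Vulnerable but disabled", and returns a non-zero exit status when any are present, while still reporting "not tested" and "not found" so coverage gaps are not mistaken for a clean result. The function names are the example's own, the report it parses is constructed sample data rather than output captured from a real machine, and the `/var/tmp/chkrootkit.out` path in the comment is only illustrative.

```shell
#!/bin/sh
# Added example: triage a saved chkrootkit report.
# Not code from the page or from the chkrootkit project; it relies only
# on the status words documented in README section 7 ("INFECTED",
# "not infected", "not tested", "not found", "Vulnerable but disabled").
# The report written below is CONSTRUCTED sample data, not a capture
# from a real machine.

# Write a constructed chkrootkit report to the file named in $1.
write_sample_report() {
  cat >"$1" <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `biff'... not found
Checking `inetd'... not tested
Checking `ps'... INFECTED
Checking `telnetd'... Vulnerable but disabled
Checking `sniffer'...
eth0 is not promisc
Checking `lkm'... nothing detected
EOF
}

# Count report lines carrying one status word.
# $1 = report file, $2 = status text exactly as chkrootkit prints it.
# grep -c exits 1 when the count is zero, so "|| true" keeps the "0".
count_status() {
  grep -c -F "... $2" "$1" || true
}

# List the commands flagged INFECTED or "Vulnerable but disabled",
# one per line, with the "Checking `...'" decoration stripped.
flagged_commands() {
  grep -E '^Checking `.*\.\.\. (INFECTED|Vulnerable but disabled)' "$1" \
    | sed "s/^Checking \`\([^']*\)'.*/\1/"
}

# Print a one-line summary plus the flagged commands.
# Returns 0 when nothing is flagged, 1 otherwise, so it can drive a
# cron job or a monitoring check. "not tested" and "not found" are
# coverage gaps (OS-specific test, missing helper binary, or -r in
# use) rather than findings, but they are counted so a run that
# skipped half its tests does not read as "clean".
triage_report() {
  report="$1"
  infected=$(count_status "$report" INFECTED)
  disabled=$(count_status "$report" 'Vulnerable but disabled')
  clean=$(count_status "$report" 'not infected')
  untested=$(count_status "$report" 'not tested')
  missing=$(count_status "$report" 'not found')
  printf 'infected=%s vulnerable_disabled=%s clean=%s not_tested=%s not_found=%s\n' \
    "$infected" "$disabled" "$clean" "$untested" "$missing"
  flagged_commands "$report"
  [ "$infected" -eq 0 ] && [ "$disabled" -eq 0 ]
}

# Stand-alone demonstration on the constructed report. On a real host
# the report would come from something like (illustrative path)
#   ./chkrootkit -p /cdrom/bin > /var/tmp/chkrootkit.out
# using the -p form from README section 6 so the tests do not depend
# on the system's possibly trojaned awk/ps/netstat/strings binaries.
main() {
  tmp=$(mktemp)
  write_sample_report "$tmp"
  if triage_report "$tmp"; then
    echo "no rootkit signatures flagged"
  else
    echo "flagged commands listed above: treat the host as compromised" \
         "and reinstall from trusted media (README section 8)"
  fi
  rm -f "$tmp"
}
main
```

Lines such as "eth0 is not promisc", "nothing found" and "nothing deleted" are informational in this version and are deliberately not counted; a separate status word per test is what makes the summary reliable, so if a future version changes the wording the `count_status` patterns are the only thing to adjust.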