×
Community Blog How to Install Chkrootkit Security Scanner on Ubuntu 18.04

How to Install Chkrootkit Security Scanner on Ubuntu 18.04

In this short tutorial, we will learn how to easily install and use Chkrootkit for troubleshooting issues on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 18.

By Hitesh Jethva, Alibaba Cloud Community Blog author.

Introduction

Chkrootkit also known as Check Rootkit is a common security scanner that helps you to detect rootkits on your system. It consists of a shell script that checks various security issues and system binaries for rootkit modification.

In this tutorial, we will learn how to install and configure Chkrootkit on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 18.04 server.

Prerequisites

  • A fresh Alibaba Cloud Instance with Ubuntu 18.04 installed.
  • A root password is set up to your instance.

Create a new ECS instance and connect to your instance as the root user.

Once you are logged into your Ubuntu 18.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Chkrootkit

By default, Chkrootkit is available in the Ubuntu 18.04 default repository. You can install it by just running the following command:

apt-get install chkrootkit -y

Once the installation has been completed, you can check the version of Chkrootkit with the following command:

chkrootkit -V

Output:

chkrootkit version 0.52

You can list out the options available with Chkrootkit with the following command:

chkrootkit -h

To list all the available tests with Chkrootkit, run the following command:

chkrootkit -l

Use Chkrootkit

You can now run the test with the following command:

chkrootkit

If any of the output shown below shows as infected, then you need to check:

ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not found
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `ldsopreload'...                                   not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `mail'...                                          not found
Checking `mingetty'...                                      not found
Checking `netstat'...                                       not infected
Checking `named'...                                         not found
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `pop2'...                                          not found
Checking `pop3'...                                          not found
Checking `ps'...                                            not infected
Checking `pstree'...                                        not infected
Checking `rpcinfo'...                                       not found
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not found
Checking `sshd'...                                          not infected
Checking `syslogd'...                                       not tested
Checking `tar'...                                           not infected
Checking `tcpd'...                                          INFECTED
Checking `tcpdump'...                                       not infected
Checking `top'...                                           not infected
Checking `telnetd'...                                       not found
Checking `timed'...                                         not found
Checking `traceroute'...                                    not found
Checking `vdir'...                                          not infected
Checking `w'...                                             not infected
Checking `write'...                                         not infected

You can run Chkrootkit with -q option to list only output messages with `infected' status:

chkrootkit -q

Output:

Checking `tcpd'... INFECTED

/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[643])
not tested

To check all the files under specified directory, run the following command:

chkrootkit -r /opt

Enable Scheduled Check

Chkrootkit comes with default crontab configuration file. You can enable daily check by /etc/chkrootkit.conf file.

nano /etc/chkrootkit.conf

Change the line from:

RUN_DAILY="false"

to

RUN_DAILY="true"

Save and close the file, when you are finished.

That's it! You have successfully installed and use Chkrootkit on Ubuntu 18.04 server. You can now easily find any infected files on your system using Chkrootkit.

0 0 0
Share on

Hiteshjethva

39 posts | 4 followers

You may also like

Comments