Re: Checking for rootkits
From: Jason Dixon (jwdixon1@yahoo.com)
Date: 02/25/02
- Previous message: Bill Royds: "RE: Virus/Trojan tunnel out from behind firewall?"
- In reply to: Jason Dixon: "Checking for rootkits"
- Next in thread: Jon O.: "Re: Checking for rootkits"
- Next in thread: Matt Zimmerman: "Re: Checking for rootkits"
- Reply: Jon O.: "Re: Checking for rootkits"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Jason Dixon <jwdixon1@yahoo.com>
To: incidents@securityfocus.com
Date: 25 Feb 2002 08:48:11 -0500
A few updates...
1) Change the standard file attributes on the md5 file before setting
the immutable flag. I make mine 0400 so it's read-only by the superuser.
(chmod 0400 /etc/chkrootkit.md5)
2) You may need to edit the location of your mail program in line 18
(changed mine from /usr/bin/mail to /bin/mail).
3) Line 32 of the script will need to be adjusted on Linux boxes... the
md5 output is reversed. Simply replace the command 'pop' with 'shift'.
-Jason
On Fri, 2002-02-22 at 17:55, Jason Dixon wrote:
> Thanks to an article on the O'Reilly network
> (http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html), I've
> started using chkrootkit (http://www.chkrootkit.org), a utility that checks
> for rootkits on your Linux/BSD/Solaris install. It looks for certain
> signatures in trojaned system binaries and compares them against known
> rootkits. It includes other tools that check for network promiscuity
> (ifpromisc), lastlog deletions (chklastlog), wtmp deletions (chkwtmp),
> wtmpx deletions (check_wtmpx - Solaris only), and checks for signs of LKM
> trojans (chkproc).
>
> I've performed some extra steps which allow me to automate the running of
> chkrootkit, while also authenticating the validity of the chkrootkit binary
> itself. I'm including the steps here, in case anyone else would like to
> try this on their own systems. Please note... this utility is great for
> checking against *known* rootkits... it's not a substitution for common
> security practices. I would also suggest that anyone serious about
> preventing rootkit modifications also ensure they install Tripwire on all
> new installations. However, in situations where a box does not already
> have Tripwire installed, chkrootkit is a great tool to help gain back some
> peace of mind. This document covers Linux and *BSD installs only.
>
> Installation of chkrootkit is very simple. Grab the tarball, uncompress,
> and run 'make sense' (as root). Copy the binaries to a standard system bin
> (I used /usr/local/sbin). Cd to the new location and run the chkrootkit by
> hand to make sure everything looks good....
>
> tar zxf chkrootkit-0.35.tar.gz
> cd chkrootkit-0.35/
> make sense
> cp chkrootkit /usr/local/sbin/
> cp chkwtmp /usr/local/sbin/
> cp chklastlog /usr/local/sbin/
> cp chkproc /usr/local/sbin/
> cp ifpromisc /usr/local/sbin/
> ./chkrootkit
>
> The output will look something like this... (snipped for brevity's sake)
>
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> ...
> Checking `sniffer'...
> dc0 is not promisc
> sl0 is not promisc
> ppp0 is not promisc
> bridge1 is not promisc
> gif0 is not promisc
> Checking `wted'... nothing deleted
> Checking `z2'... nothing deleted
>
> Ok, now for the extra layer of security. To ensure that no one tampers
> with my chkrootkit binaries, I've created a new file (/etc/chkrootkit.md5)
> containing the md5sum for each binary. Next, we want to modify the md5
> file so nobody can tamper with it. We want to turn on the *immutable* bit
> for this file. Making a file immutable means that no one can modify or
> delete the file. In Linux, we want to use the 'chattr +i' command... in
> *BSD, the same command is 'chflags schg'. To view special attributes, you
> must use 'lsattr' in Linux and 'ls -lo' in *BSD. Note that in Linux, the
> immutable flag can be removed by the superuser at any time with 'chattr
> -i'. In *BSD systems, you can only remove the "system immutable" (schg)
> flag in securelevel 0 or -1 (single-user mode is an example of securelevel 0).
>
> md5sum chkrootkit >> /etc/chkrootkit.md5
> [run the same command for each binary; command is 'md5' in *BSD]
>
> chattr +i /etc/chkrootkit.md5 [Linux]
> chflags schg /etc/chkrootkit.md5 [*BSD]
>
> To automate these utilities, I've set up a cron job to execute a perl script
> I've created which first authenticates our stored md5 digests against the
> current md5 values. It uses the Digest::MD5 perl module to run the
> digests. Installing the perl module is very simple... grab the tarball,
> uncompress to a directory, run (as root) 'perl Makefile.PL', 'make', 'make
> test' and 'make install'.
>
> wget http://www.cpan.org/authors/id/GAAS/Digest-MD5-2.16.tar.gz
> tar zxf Digest-MD5-2.16.tar.gz
> cd Digest-MD5-2.16/
> perl Makefile.PL
> make
> make test
> make install
>
> Here is the script... I make no guarantees... YMMV. Note the variables
> that should be changed specific to your usage... $md5_sav_file (location of
> your trusted md5 file), $runpath (location of your chkrootkit binary), and
> $admin_mail (your email address... make sure to escape the '@' with a
> backslash or perl won't interpret it correctly). The script will first
> compare the known and trusted md5 sums found in our immutable file to the
> current md5 sums of the binaries. If there are any discrepancies, it will
> report them. Next, it will cd to the system bin (as defined by $runpath)
> and run the chkrootkit binary. It needs to cd to the directory, as
> chkrootkit will attempt to run the other utilities within its current
> directory.
>
> #!/usr/bin/perl -w
> # safe_chkrootkit.pl
>
> use strict;
> use Digest::MD5;   # only the OO interface (new/addfile/hexdigest) is used
> # Edit $md5_sav_file, $runpath, $admin_mail and the mail path (line 18) to suit your system.
>
> my $md5_new;
> my $md5_sav;
> my $md5_sav_file = "/etc/chkrootkit.md5";   # trusted digests (made immutable above)
> my $file;
> my $file_and_path;
> my $runpath = "/usr/local/sbin";   # where the chkrootkit binaries live
> my @files = qw( ifpromisc chkproc chkrootkit chklastlog chkwtmp );
> my @input;
> my $admin_mail = "admin\@localhost.com";   # escape the '@'
>
> open(MAIL, "|/usr/bin/mail $admin_mail") || die "Can't run mail: $!";   # /bin/mail on some systems
> print MAIL "Running authentication tests on chkrootkit binaries...\n\n";
>
> foreach (@files) {
>     $file = $_;
>     $file_and_path = "$runpath/$file";
>     open(MD5, "<", $file_and_path) || die "Can't open $file_and_path for reading: $!";
>     $md5_new = Digest::MD5->new->addfile(*MD5)->hexdigest;   # current digest of the binary
>     close(MD5);
>     open(TST, "<", $md5_sav_file) || die "Can't open $md5_sav_file for reading: $!";
>     while (<TST>) {
>         chomp;
>         if (/$file/) {   # the trusted line for this binary
>             @input = split(/ /, $_);
>             $md5_sav = pop(@input);   # BSD 'md5' prints the sum last; use shift for Linux 'md5sum'
>             unless ($md5_new eq $md5_sav) {
>                 print MAIL "\t\t\t*** WARNING ***\n";
>                 print MAIL "The binary file for $runpath/$file has been altered.\n";
>                 print MAIL "The original md5 sum for $file was\n\n";
>                 print MAIL "\t\t$md5_sav\n\n";
>                 print MAIL "and the new md5 sum is\n\n";
>                 print MAIL "\t\t$md5_new\n\n";
>                 print MAIL "Please investigate ASAP\n";
>                 print MAIL "\t\t\t*********************\n";
>             } else {
>                 print MAIL "[$file]\n";
>                 print MAIL "Current: $md5_new\n";
>                 print MAIL "Trusted: $md5_sav\n\n";
>             }
>         }
>     }
>     close(TST);
> }
>
> # Run chkrootkit itself from its own directory, since it looks for the helper
> # binaries there (this step is described in the post; reconstructed here).
> chdir($runpath) || die "Can't chdir to $runpath: $!";
> print MAIL "\nchkrootkit output:\n\n";
> print MAIL `./chkrootkit`;
> close(MAIL);
>
> I hope that others find this as useful as I have. I've implemented this on
> my OpenBSD firewall, and plan on installing it on my Linux workstation
> ASAP. Keep in mind that there are many other facets of system security
> that should still be scrutinized, but this is a nice tool to help out
> nonetheless. If anyone has any questions, comments or suggestions
> regarding my usage of this program, or the functionality of the script,
> please let me know.
>
> -Jason
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
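A Python re-implementation of the digest check from the quoted post, added here as an example (it is not Jason's Perl script and not part of chkrootkit). It goes beyond the post in one respect: it parses both the GNU 'md5sum' and BSD 'md5' line formats, so the pop/shift edit from update 3 is not needed, and it matches file names exactly instead of as a regex substring. The directory and file contents in demo() are constructed; run_chkrootkit() assumes a chkrootkit binary sits in the directory you pass and, like the post's script, runs it from that directory.

```python
"""Verify chkrootkit binaries against a trusted MD5 digest file.

Added example, not the post's Perl script. Handles digest files written by
either GNU 'md5sum' ("<hex>  <name>") or BSD 'md5' ("MD5 (<name>) = <hex>").
"""
import hashlib
import os
import re
import subprocess
import tempfile

# GNU md5sum: 32 hex chars, whitespace, optional '*' (binary mode), file name
GNU_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")
# BSD md5:    MD5 (<name>) = <hex>
BSD_LINE = re.compile(r"^MD5 \((.+)\) = ([0-9a-fA-F]{32})$")


def parse_digest_file(text):
    """Return {basename: hexdigest} from md5sum or BSD md5 output lines."""
    trusted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GNU_LINE.match(line)
        if m:
            digest, name = m.group(1), m.group(2)
        else:
            m = BSD_LINE.match(line)
            if not m:
                raise ValueError("unrecognised digest line: %r" % line)
            name, digest = m.group(1), m.group(2)
        trusted[os.path.basename(name)] = digest.lower()
    return trusted


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binaries(bin_dir, trusted):
    """Compare each trusted digest with the file currently in bin_dir.

    Returns a list of (name, status, trusted_digest, current_digest) where
    status is 'ok', 'ALTERED' (digest mismatch) or 'MISSING' (file gone).
    """
    results = []
    for name in sorted(trusted):
        path = os.path.join(bin_dir, name)
        if not os.path.isfile(path):
            results.append((name, "MISSING", trusted[name], None))
            continue
        current = md5_of_file(path)
        status = "ok" if current == trusted[name] else "ALTERED"
        results.append((name, status, trusted[name], current))
    return results


def format_report(results):
    """Plain-text report in the spirit of the post's mail output."""
    lines = ["Running authentication tests on chkrootkit binaries...", ""]
    for name, status, want, got in results:
        if status == "ok":
            lines.append("[%s] ok %s" % (name, got))
        else:
            lines.append("*** WARNING *** %s is %s (trusted %s, current %s)"
                         % (name, status, want, got))
    return "\n".join(lines)


def run_chkrootkit(bin_dir):
    """Run ./chkrootkit from bin_dir (it expects its helpers in the cwd).
    Only call this after verify_binaries() reports every binary 'ok'."""
    proc = subprocess.run(["./chkrootkit"], cwd=bin_dir,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def demo():
    """Constructed scenario: three fake binaries, one altered after the
    digest file was written. Returns {name: status}."""
    with tempfile.TemporaryDirectory() as d:
        names = ["chkrootkit", "chkproc", "ifpromisc"]
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"#!/bin/sh\necho fake " + n.encode() + b"\n")
        # trusted file in GNU md5sum format (constructed, not a real install)
        trusted_text = "".join("%s  %s\n" % (md5_of_file(os.path.join(d, n)), n)
                               for n in names)
        with open(os.path.join(d, "chkrootkit.md5"), "w") as fh:
            fh.write(trusted_text)
        # simulate chkproc being replaced after the digests were recorded
        with open(os.path.join(d, "chkproc"), "ab") as fh:
            fh.write(b"# altered\n")
        with open(os.path.join(d, "chkrootkit.md5")) as fh:
            trusted = parse_digest_file(fh.read())
        results = verify_binaries(d, trusted)
        print(format_report(results))
        return {name: status for name, status, _, _ in results}


if __name__ == "__main__":
    demo()
```

In a cron job you would read /etc/chkrootkit.md5 (kept immutable as the post describes), call verify_binaries() on the install directory, and mail the report; run_chkrootkit() is worth calling only when every entry is 'ok', since a modified chkrootkit binary cannot be trusted to report on itself.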