chkrootkit -- locally checks for signs of a rootkit

chkrootkit locally checks for signs of a rootkit. Includes ifpromisc.c to check if the interface is in promiscuous mode.

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

chkrootkit: shell script that checks system binaries for rootkit modification.
ifpromisc.c: checks if the interface is in promiscuous mode.
chklastlog.c: checks for lastlog deletions.
chkwtmp.c: checks for wtmp deletions.
check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
chkproc.c: checks for signs of LKM trojans.
chkdirs.c: checks for signs of LKM trojans.
strings.c: quick and dirty strings replacement.
chkutmp.c: checks for utmp deletions.

5. Installation
---------------

To compile the C programs type:

 # make sense

After that it is ready to use and you can simply type:

 # ./chkrootkit

6. Usage
--------

chkrootkit must run as root. The simplest way is:

 # ./chkrootkit

This will perform all tests. You can also specify only the tests you want, as shown below:

 Usage: ./chkrootkit [options] [testname ...]
 Options:
         -h                show this help and exit
         -V                show version information and exit
         -l                show available tests
         -d                debug
         -q                quiet mode
         -x                expert mode
         -r dir            use dir as the root directory
         -p dir1:dir2:dirN path for the external commands used by chkrootkit
         -n                skip NFS mounted dirs

Lots of data can be seen with:

   # ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

To use, for example, binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a `:'

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes it is a good idea to mount the disk from a compromised machine on a machine you trust, so that the checks run with the trusted machine's kernel and binaries rather than ones the intruder may have replaced. Mount the disk (read-only, so nothing on it is altered) and specify the new root directory with the `-r' option.

For example, suppose the disk you want to check is mounted under /mnt, then:

# ./chkrootkit -r /mnt

7. Output Messages
------------------

The following messages are printed by chkrootkit (except with the -x and -q command options) during its tests:

"INFECTED": the test has identified a command probably modified by a known rootkit;

"not infected": the test didn't find any known rootkit signature.

"not tested": the test was not performed -- this can happen in the following situations:
a) the test is OS specific;
b) the test depends on an external program that is not available;
c) certain command line options are given (e.g. -r).

"not found": the command to be tested is not available;

"Vulnerable but disabled": the command is infected but not in use (not running, or commented out in inetd.conf).
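The offline check with `-r' and `-p' (section 6) and the verdict vocabulary above, as an added example script that is not part of chkrootkit: it sanity-checks the mount point, runs ./chkrootkit from trusted binaries, and turns the verdict lines into counts and an exit status that other tooling can act on. The script name offline_check.sh, the mount and trusted-binary paths, and the sample output are assumptions made for the example, not taken from the README.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: drive an offline check of a disk
# mounted from a suspect machine (the -r/-p usage in section 6) and triage
# the verdict lines chkrootkit prints (section 7). Assumptions not taken
# from the README: chkrootkit is in the current directory, the suspect root
# filesystem is mounted at $1 and trusted binaries live in $2. The sample
# output below is constructed by hand for demonstration.
set -u

# Sanity check before trusting -r: a mounted root filesystem should carry
# /etc and a bin directory. A typo in the mount path would otherwise point
# chkrootkit at an empty or wrong tree.
looks_like_rootfs() {
    dir=$1
    [ -d "$dir/etc" ] || return 1
    [ -d "$dir/bin" ] || [ -d "$dir/usr/bin" ] || return 1
    return 0
}

# Read chkrootkit output on stdin, echo the lines that matter and return
# 2 if anything is INFECTED, 1 if only "Vulnerable but disabled" hits,
# 0 otherwise. "not tested" and "not found" are counted because they mean
# reduced coverage, which is common under -r. Lines outside the verdict
# vocabulary are echoed as "other:" so helper warnings are not lost.
triage() {
    infected=0; disabled=0; untested=0; missing=0
    while IFS= read -r line; do
        case $line in
            # Upper-case verdict only: "not infected" must not count.
            *INFECTED*)                 infected=$((infected + 1)); echo "INFECTED: $line" ;;
            *'Vulnerable but disabled'*) disabled=$((disabled + 1)); echo "DISABLED: $line" ;;
            *'... not tested'*)         untested=$((untested + 1)) ;;
            *'... not found'*)          missing=$((missing + 1)) ;;
            *'... not infected'*)       ;;
            *)                          echo "other: $line" ;;
        esac
    done
    echo "summary: infected=$infected disabled=$disabled not_tested=$untested not_found=$missing"
    [ "$infected" -eq 0 ] || return 2
    [ "$disabled" -eq 0 ] || return 1
    return 0
}

# Constructed sample in chkrootkit's "Checking `name'... verdict" format.
sample_output() {
    cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `netstat'... not infected
Checking `sshd'... Vulnerable but disabled
Checking `wted'... not tested
Searching for sniffer's logs, it may take a while... nothing found
EOF
}

# Run chkrootkit from trusted binaries against the mounted tree and triage it.
offline_check() {
    rootdir=$1; bindir=$2
    [ "$(id -u)" -eq 0 ] || { echo "chkrootkit must run as root" >&2; return 1; }
    looks_like_rootfs "$rootdir" || { echo "$rootdir does not look like a root filesystem" >&2; return 1; }
    [ -d "$bindir" ] || { echo "trusted binary dir $bindir not found" >&2; return 1; }
    [ -x ./chkrootkit ] || { echo "./chkrootkit not found; run 'make sense' first" >&2; return 1; }
    ./chkrootkit -r "$rootdir" -p "$bindir" | triage
}

# Usage: sh offline_check.sh /mnt /cdrom/bin
#        sh offline_check.sh --demo     (triage the constructed sample only)
case "${1:-}" in
    --demo) sample_output | triage ;;
    "")     ;;   # no arguments: only define the functions
    *)      offline_check "$1" "${2:?trusted binary dir required}" ;;
esac
```

Run it as `sh offline_check.sh /mnt /cdrom/bin` after mounting the suspect disk read-only; `--demo` exercises the triage on the constructed sample. Because the exit status is 2 for INFECTED, 1 for "Vulnerable but disabled" and 0 otherwise, the script can gate a batch of disk images, and the "not_tested" count in the summary line shows how much coverage the -r run gave up.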

8. A trojaned command has been found. What should I do now?
------------------------------------------------------------

Your biggest problem is that your machine has been compromised and the intruder has root privileges.

You might be able to recover by just replacing the trojaned command, but with root access the intruder may have left other backdoors that chkrootkit does not know about. The safest course is to reinstall the machine from known-good media and to follow your vendor's security recommendations.
