Running Chkrootkit

Before you can run Chkrootkit, you need to get it. Chkrootkit can be downloaded from http://www.chkrootkit.org/ . After it's downloaded, Chkrootkit needs to be unarchived and compiled:

tar -zxvf chkrootkit.tar.gz
cd chkrootkit-<NNNN>
make sense

Yes, that does say make sense in the code example. Although Chkrootkit is a shell script, there is some additional functionality gained by compiling the code. Compiling is not required, but because it's quick and adds some additional levels of checking, I'd recommend doing so. Specifically, compiling Chkrootkit will enable these additional checks:

• chklastlog

Of all the tools used in this book, Chkrootkit is probably the easiest to use. To run Chkrootkit, from within the chkrootkit source directory you simply type this:

./chkrootkit | less

You aren't required to pipe the output to less, but there is a copious amount of output. So if you actually want to read the output, you'll probably need to pipe it somewhere, unless, of course, you have a huge scrollback buffer.

Because running Chkrootkit produces a lot of output, it is wise to pipe the output to more or less, depending on your preference. Alternatively, you could redirect the output to a file:

./chkrootkit > output.txt

As it runs, Chkrootkit reports what it is currently checking for, along with the ultimate status of the check. The output will look similar to this:

Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found

As you can see from the output sample, it doesn't appear that any trojaned files or rootkits were detected. An infected file or detection of a rootkit will look similar to the following:

Checking `bindshell'... INFECTED (PORTS: 1524 31337)

Even though the output from Chkrootkit seems to indicate that the computer is infected with bindshell, Chkrootkit does sometimes produce false positives. However, if you see the infected output from Chkrootkit, it's in your best interest to assume that Chkrootkit reported correctly and take steps to mitigate the damage.
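Once a report has been saved to a file as shown above, the lines worth a second look can be picked out automatically. The following is an added example, not part of Chkrootkit, that reads a report in this output format, hides the clean results and exits non-zero when any check reports INFECTED; the sample report it contains is constructed for the demonstration, not taken from a real scan.

```shell
#!/bin/sh
# Added example, not part of Chkrootkit: triage a saved Chkrootkit report.
# Chkrootkit prints one line per check, e.g.
#   Checking `chsh'... not infected
#   Checking `bindshell'... INFECTED (PORTS: 1524 31337)
# The helpers below read such output from stdin (a saved output.txt or a pipe),
# keep only the lines that need a human look, and return non-zero when any
# check reported INFECTED, so the result can drive a cron job or an alert.

# Print only the lines that are not a clean result.
chkrootkit_findings() {
    grep -v -e 'not infected' -e 'nothing found' -e 'not found' \
            -e 'not tested' -e 'nothing detected' || true
}

# Print the number of checks that reported INFECTED (0 when clean).
chkrootkit_infected_count() {
    grep -c 'INFECTED' || true
}

# Full triage: prints a summary, returns 0 when clean and 1 otherwise.
# Usage: chkrootkit_triage < output.txt   or   ./chkrootkit | chkrootkit_triage
chkrootkit_triage() {
    report=$(cat)
    echo "== lines needing review =="
    printf '%s\n' "$report" | chkrootkit_findings
    n=$(printf '%s\n' "$report" | chkrootkit_infected_count)
    echo "== checks reporting INFECTED: $n =="
    [ "$n" -eq 0 ]
}

# Constructed sample report (not from a real scan) so the script runs stand-alone.
sample_report() {
cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Checking `chsh'... not infected
Searching for Omega Worm... nothing found
EOF
}

# Stand-alone demo: the sample contains an INFECTED line, so triage fails.
if sample_report | chkrootkit_triage; then
    echo "clean"
else
    echo "needs investigation"
fi
```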

A false positive occurs when a tool detects and reports a problem when in fact there is no problem. The underlying cause for false positives varies depending on the nature of the software reporting the occurrence. False positives are not as bad as false negatives. A false negative occurs when there really is a problem but the problem is not reported by tools that should find the problem.

False positives and negatives are not limited to computing. Imagine the case in which a person goes to a doctor and gets an ultrasound scan. Based on the scan results, the doctor reports that the person has cancer. However, on further examination it appears that the initial report was incorrect. This is an example of a false positive. Although additional tests were unnecessarily performed based on the false positive, it is still much better than having a false negative, with the cancer going unnoticed and untreated.

Because Chkrootkit performs its checks using the tools already present on the computer being examined, a rootkit that has replaced those tools can cause it to report a false negative. There are ways around this problem, as described later in this section.
