Server examination for potential rootkits

Written by Peter Davies on .

A rootkit is malicious software designed to obtain root-level access to a computer while hiding its presence from antivirus software. Common ways for rootkits to get installed on your system are through trojan horses contained in drive-by downloads, known system vulnerabilities, suspicious email attachments, web surfing, or simply by password cracking.

Using rkhunter

On Debian the quickest check is "rkhunter", which can be installed with:

apt-get install rkhunter

To scan your system for rootkits, first update rkhunter's data files:

rkhunter --update

then run the check itself:

rkhunter -c

Once started, rkhunter runs a series of tests:

  • Compare SHA-1 hashes of system binaries against known good values maintained in the database.
  • Check for known rootkit files and directories, as well as rootkit strings.
  • Perform malware detection, including checking for login backdoors, sniffer log files, and other suspicious directories.
  • Perform trojan specific checks such as examining enabled xinetd services.
  • Perform checks on network ports and interfaces.
  • Perform system boot checks.
  • Perform group and account checks.
  • Perform system configuration file checks.
  • Perform filesystem checks.

Once complete, you should see a summary like the following:

System checks summary
=====================

File properties checks...
    Files checked: 130
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 244
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 4 minutes and 8 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
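The summary above ends with a warning notice, so a scan that "passes" still has to be read. The following added shell example (not from the original post, and not part of rkhunter itself) wraps the install-update-check procedure for unattended use and turns the printed summary into an exit status, so a cron job can fail loudly instead of leaving the result in the log. It assumes the summary wording shown on this page; the two sample summaries embedded below are constructed from it.

```shell
#!/bin/sh
# Added example: run rkhunter unattended and turn its "System checks summary"
# into an exit status. Assumes the summary wording shown on this page.

# Run the scan non-interactively: --sk skips the keypress prompts, --rwo prints
# warnings only. rkhunter --update exits non-zero when it applied updates, so
# its status is ignored. This function is not executed by the demo below.
run_rkhunter_scan() {
    rkhunter --update >/dev/null 2>&1 || true
    rkhunter -c --sk --rwo >/dev/null 2>&1
    printf '%s\n' /var/log/rkhunter.log
}

# Read a summary on stdin and print one line:
#   suspect_files=N possible_rootkits=M warnings=yes|no
summarize_rkhunter() {
    awk '
        /Suspect files:/           { sf = $NF }
        /Possible rootkits:/       { pr = $NF }
        /warnings have been found/ { w = "yes" }
        END {
            if (w == "") w = "no"
            printf "suspect_files=%s possible_rootkits=%s warnings=%s\n", sf+0, pr+0, w
        }'
}

# Exit 0 only when nothing suspicious was reported, 1 otherwise.
# Usage: rkhunter -c --sk | rkhunter_clean || mail -s "rkhunter warnings" root
rkhunter_clean() {
    summary=$(summarize_rkhunter)
    case "$summary" in
        "suspect_files=0 possible_rootkits=0 warnings=no") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the summary from this page, which carries a warning notice.
SAMPLE_SUMMARY='System checks summary
=====================

File properties checks...
    Files checked: 130
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 244
    Possible rootkits: 0

The system checks took: 4 minutes and 8 seconds

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)'

# Constructed sample: the same summary with no warning notice.
CLEAN_SUMMARY='System checks summary
=====================

File properties checks...
    Files checked: 130
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 244
    Possible rootkits: 0

All results have been written to the log file (/var/log/rkhunter.log)'

# Demo on the constructed input; the real pipeline is: rkhunter -c --sk | rkhunter_clean
printf '%s\n' "$SAMPLE_SUMMARY" | summarize_rkhunter
```

The counts alone are not enough: the page's own summary shows zero suspect files and zero possible rootkits yet still reports warnings, which is why the clean check also requires the absence of the warning notice.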

Using lynis

Install the tool and accept additional packages:

apt-get install lynis

Run it on the server:

lynis -c

It begins with output like:

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.2.9
  Operating system:          Linux
  Operating system name:     Linux
  Operating system version:  2.6.35.4-rscloud
  Kernel version:            2.6.35.4-rscloud
  Hardware platform:         x86_64
  Hostname:                  coconut
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

Using chkrootkit

Install the tool:

apt-get install chkrootkit

Run it on the server:

chkrootkit -r /

On this server the results showed nothing of note except this snippet:

Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/pymodules/python2.5/.path
/usr/lib/pymodules/python2.6/.path
/lib/init/rw/.ramfs

This is apparently a bug in chkrootkit (see reference 5): these paths are false positives, not evidence of a rootkit.
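Because chkrootkit reports these Debian paths on every run, the useful signal is any path it lists that is *not* already known to be benign. The added shell example below (not from the original post, and not part of chkrootkit) post-processes the "suspicious files and dirs" listing against an allow-list of the three paths from this page and prints only what remains. It assumes the listing is introduced by a line ending in "were found:" and consists of absolute paths, either several per line as on this page or one per line; the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example: filter chkrootkit's "suspicious files and directories" listing
# through an allow-list of known false positives, so only unexpected paths remain.

# Known-benign paths chkrootkit reports on this Debian host (taken from this page).
CHKROOTKIT_ALLOWLIST='/usr/lib/pymodules/python2.5/.path
/usr/lib/pymodules/python2.6/.path
/lib/init/rw/.ramfs'

# Constructed sample of the relevant chkrootkit output, paths space-separated on one line.
SAMPLE_CHKROOTKIT_OUTPUT='Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/pymodules/python2.5/.path /usr/lib/pymodules/python2.6/.path /lib/init/rw/.ramfs'

# Print, one per line, every listed path that is not on the allow-list.
# Usage: chkrootkit -r / | unexpected_suspicious_paths
unexpected_suspicious_paths() {
    awk -v allow="$CHKROOTKIT_ALLOWLIST" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /were found:/ { found = 1; next }       # marker line starts the listing
        found && /^\// {                        # lines of absolute paths
            for (i = 1; i <= NF; i++) if (!($i in ok)) print $i
            next
        }
        found { found = 0 }                     # any other line ends the listing
    '
}

# Convenience wrapper: exit 0 when nothing unexpected was listed, 1 otherwise.
chkrootkit_listing_clean() {
    [ -z "$(unexpected_suspicious_paths)" ]
}

# Demo on the constructed input: everything is allow-listed, so nothing is printed.
if printf '%s\n' "$SAMPLE_CHKROOTKIT_OUTPUT" | chkrootkit_listing_clean; then
    echo "no unexpected suspicious paths"
else
    echo "unexpected suspicious paths found"
fi
```

Keep the allow-list as short and specific as possible: each entry should be a path you have verified yourself (for example by checking its package ownership and contents), because an allow-list is exactly where a real hidden file would go unnoticed.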

References / links:

  1. http://xmodulo.com/2013/05/how-to-scan-linux-for-rootkits.html
  2. http://www.rackspace.com/knowledge_center/article/recovering-from-and-dealing-with-a-site-compromise
  3. http://www.rackspace.com/knowledge_center/article/checking-for-a-security-compromise-backdoors-and-intruders
  4. http://www.rackspace.com/knowledge_center/article/checking-for-a-security-compromise-rescue-mode-investigation
  5. https://stereo.lu/chkrootkit-finds-libinitrwramfs-on-debian-etch
  6. http://www.rootkit.nl/projects/lynis.html