"Fossies" - the Fresh Open Source Software Archive

Member "chkrootkit-0.55/README" (11 Jun 2021, 15243 Bytes) of package /linux/misc/chkrootkit-0.55.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "README": 0.54_vs_0.55.

    1                          chkrootkit V. 0.55
    2 
    3           Nelson Murilo <nelson@pangeia.com.br> (main author)
    4             Klaus Steding-Jessen <jessen@cert.br> (co-author)
    5 
    6           This program locally checks for signs of a rootkit.
    7          chkrootkit is available at: http://www.chkrootkit.org/
    8 
    9 
   10                  No illegal activities are encouraged!
   11          I'm not responsible for anything you may do with it.
   12 
   13            This tool includes software developed by the
   14            DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp),
   15            and small portions of ifconfig developed by
   16            Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>.
   17 
   18 
   19  1. What's chkrootkit?
   20  ---------------------
   21 
   22  chkrootkit is a tool to locally check for signs of a rootkit.  It
   23  contains:
   24 
   25  * chkrootkit: a shell script that checks system binaries for
   26    rootkit modification.
   27 
   28  * ifpromisc.c: checks if the network interface is in promiscuous
   29    mode.
   30 
   31  * chklastlog.c: checks for lastlog deletions.
   32 
   33  * chkwtmp.c: checks for wtmp deletions.
   34 
   35  * check_wtmpx.c: checks for wtmpx deletions.  (Solaris only)
   36 
   37  * chkproc.c: checks for signs of LKM trojans.
   38 
   39  * chkdirs.c: checks for signs of LKM trojans.
   40 
   41  * strings.c: quick and dirty strings replacement.
   42 
   43  * chkutmp.c: checks for utmp deletions.
   44 
   45  chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
   46  and lastlog files, but it is *not* guaranteed that any modification
   47  will be detected.
   48 
   49  Aliens tries to find sniffer logs and rootkit config files.  It looks
   50  for some default file locations -- so it is also not guaranteed it
   51  will succeed in all cases.
   52 
   53  chkproc checks if /proc entries are hidden from ps and the readdir
   54  system call.  This could be the indication of a LKM trojan.  You can
   55  also run this command with the -v option (verbose).
   56 
   57 
   58  2. Rootkits, Worms and LKMs detected
   59  ------------------------------------
   60 
   61  For an updated list of rootkits, worms and LKMs detected by
   62  chkrootkit please visit: http://www.chkrootkit.org/
   63 
   64 
   65  3. Supported Systems
   66  --------------------
   67 
   68  chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
   69  FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x., NetBSD
   70  1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
   71  OS X.
   72 
   73 
   74  4. Package Contents
   75  -------------------
   76 
   77  README
   78  README.chklastlog
   79  README.chkwtmp
   80  COPYRIGHT
   81  chkrootkit.lsm
   82 
   83  Makefile
   84  chklastlog.c
   85  chkproc.c
   86  chkdirs.c
   87  chkwtmp.c
   88  check_wtmpx.c
   89  ifpromisc.c
   90  strings.c
   91  chkutmp.c
   92 
   93  chkrootkit
   94 
   95 
   96  5. Installation
   97  ---------------
   98 
   99  To compile the C programs type:
  100 
  101  # make sense
  102 
  103  After that it is ready to use and you can simply type:
  104 
  105  # ./chkrootkit
  106 
  107 
  108  6. Usage
  109  --------
  110 
  111  chkrootkit must run as root.  The simplest way is:
  112 
  113  # ./chkrootkit
  114 
  115  This will perform all tests.  You can also specify only the tests you
  116  want, as shown below:
  117 
  118  Usage: ./chkrootkit [options] [testname ...]
  119  Options:
  120          -h                show this help and exit
  121          -V                show version information and exit
  122          -l                show available tests
  123          -d                debug
  124          -q                quiet mode
  125          -x                expert mode
  126          -r dir            use dir as the root directory
  127          -p dir1:dir2:dirN path for the external commands used by chkrootkit
  128          -n                skip NFS mounted dirs
  129 
  130  Where testname stands for one or more from the following list:
  131 
  132  aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
  133  z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
  134  echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
  135  inetdconf identd init killall ldsopreload login ls lsof mail mingetty
  136  netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
  137  slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
  138  traceroute vdir w write
  139 
  140  For example, the following command checks for trojaned ps and ls
  141  binaries and also checks if the network interface is in promiscuous
  142  mode.
  143 
  144    # ./chkrootkit ps ls sniffer
  145 
  146  The `-q' option can be used to put chkrootkit in quiet mode -- in
  147  this mode only output messages with `infected' status are shown.
  148 
  149  With the `-x' option the user can examine suspicious strings in the
  150  binary programs that may indicate a trojan -- all the analysis is
  151  left to the user.
  152 
  153  Lots of data can be seen with:
  154 
  155    # ./chkrootkit -x | more
  156 
  157  Pathnames inside system commands:
  158 
  159    # ./chkrootkit -x | egrep '^/'
  160 
  161  chkrootkit uses the following commands to make its tests: awk, cut,
  162  egrep, find, head, id, ls, netstat, ps, strings, sed, uname.  It is
  163  possible, with the `-p' option, to supply an alternate path to
  164  chkrootkit so it won't use the system's (possibly) compromised
  165  binaries to make its tests.
  166 
  167  To use, for example, binaries in /cdrom/bin:
  168 
  169    # ./chkrootkit -p /cdrom/bin
  170 
  171  It is possible to add more paths with a `:'
  172 
  173    # ./chkrootkit -p /cdrom/bin:/floppy/mybin
  174 
  175  Sometimes is a good idea to mount the disk from a compromised machine
  176  on a machine you trust.  Just mount the disk and specify a new
  177  rootdir with the `-r' option.
  178 
  179  For example, suppose the disk you want to check is mounted under
  180  /mnt, then:
  181 
  182    # ./chkrootkit -r /mnt
  183 
  184 
  185  7. Output Messages
  186  ------------------
  187 
  188  The following messages are printed by chkrootkit (except with the -x
  189  and -q command options) during its tests:
  190 
  191    "INFECTED": the test has identified a command probably modified by
  192    a known rootkit;
  193 
  194    "not infected": the test didn't find any known rootkit signature.
  195 
  196    "not tested": the test was not performed -- this could happen in
  197    the following situations:
  198      a) the test is OS specific;
  199      b) the test depends on an external program that is not available;
  200      c) some specific command line options are given. (e.g. -r ).
  201 
  202    "not found": the command to be tested is not available;
  203 
  204    "Vulnerable but disabled": the command is infected but not in use.
  205    (not running or commented in inetd.conf)
  206 
  207 
  208  8. A trojaned command has been found.  What should I do now?
  209  ------------------------------------------------------------
  210 
  211  Your biggest problem is that your machine has been compromised and
  212  this bad guy has root privileges.
  213 
  214  Maybe you can solve the problem by just replacing the trojaned
  215  command -- the best way is to reinstall the machine from a safe media
  216  and to follow your vendor's security recommendations.
  217 
  218 
  219  9. Reports and questions
  220  ------------------------
  221 
  222  Please send comments, questions and bug reports to
  223  nelson@pangeia.com.br and jessen@cert.br.
  224 
  225  A simple FAQ and Related information about rootkits and security can
  226  be found at chkrootkit's homepage, http://www.chkrootkit.org.
  227 
  228 
  229  10. ACKNOWLEDGMENTS
  230  -------------------
  231 
  232  See the ACKNOWLEDGMENTS file.
  233 
  234  11. ChangeLog
  235  -------------
  236 
  237  02/20/1997 - Initial release
  238  02/25/1997 - Version 0.4, formal testing.
  239  03/30/1997 - Version 0.5, suspect files routine added.
  240  06/11/1997 - Version 0.6, minor fixes and Debian compatibility.
  241  06/24/1997 - Version 0.7, FreeBSD compatibility fixed.
  242  08/07/1997 - Version 0.8, yet another FreeBSD compatibility and
  243                            RedHat PAM fixed.
  244  04/02/1998 - Version 0.9, new r00tkits versions support.
  245  07/03/1998 - Version 0.10, another types of r00tkits supported.
  246  10/15/1998 - Version 0.11, bug found by Alberto Courrege Gomide fixed.
  247  11/30/1998 - Version 0.12, lrk4 support added.
  248  12/26/1998 - Version 0.13, minor fixes for Red Hat and glibc users.
  249  06/14/1999 - Version 0.14, Sun/Solaris initial support added.
  250  04/29/2000 - Version 0.15, lrk5 features added and minor fixes.
  251  07/09/2000 - Version 0.16, new r00tkits types support and contrib patches.
  252  09/16/2000 - Version 0.17, more contrib patches, rootkit types and
  253                             Loadable Kernel Modules (LKM) trojan checking
  254                             added.
  255  10/08/2000 - Version 0.18, new rookits types support and many bug fixes.
  256  12/24/2000 - Version 0.19, -r, -p, -l options added.  ARK support
  257                             added.  Some bug fixes.
  258  01/18/2001 - Version 0.20, Ramen Worm and latest t0rnkit detection,
  259                             temporay check for promisc mode disabled
  260                             on Solaris boxes.
  261  01/19/2001 - Version 0.21, Corrects a bug in the Ramen Worm detection.
  262  01/26/2001 - Version 0.22, chklastlog core dump bug fixed, login and
  263                             bindshell false positives fixed, cron test
  264                             improvement.
  265  03/12/2001 - Version 0.23, lrk6, rh[67]-shaper, RSHA and Romanian
  266                             rootkit detection.  Test for shell history
  267                             file anomalies.  More ports added to the
  268                             bindshell test.
  269  03/15/2001 - Version 0.23a fixes a bug found in the cron and
  270                             bindshell tests.
  271 
  272  03/22/2001 - Version 0.30  lots of new tests added.  RK17 and Lion
  273                             Worm detection.
  274  04/07/2001 - Version 0.31  new tests: gpm, rlogind, mgetty.  Adore
  275                             Worm detection.  Some bug fixes.
  276  05/07/2001 - Version 0.32  t0rn v8, LPD Worm, kenny-rk and Adore LKM
  277                             detection. Some Solaris bug fixes.
  278  06/02/2001 - Version 0.33  new tests added.  ShitC, Omega and Wormkit
  279                             Worm detection.  dsc-rootkit detection.
  280                             Some bug fixes.
  281  09/19/2001 - Version 0.34  new tests added.  check_wtmpx.c added.
  282                             Ducoci rootkit and x.c Worm detection.
  283                             `-q' option added.
  284  01/17/2002 - Version 0.35  tests added: lsof and ldsopreload.
  285                             strings.c added.  Ports added to the
  286                             bindshell test.  RST.b, duarawkz, knark
  287                             LKM, Monkit, Hidrootkit, Bobkit, Pizdakit,
  288                             t0rn v8.0 (variant) detection.
  289  06/15/2002 - Version 0.36  test added: w.  chkproc.c additions.
  290                             Showtee, Optickit, T.R.K, MithRa's
  291                             Rootkit, George and SucKIT detection.
  292  09/16/2002 - Version 0.37  tests added: scalper and slapper.
  293                             Scalper Worm, Slapper Worm, OpenBSD rk
  294                             v1, Illogic and SK rootkit detection.
  295                             chklastlog.c and chkproc.c improvements.
  296                             Small chkrootkit bug fix.
  297  12/20/2002 - Version 0.38  chkdirs.c added.  chkproc.c improvements.
  298                             slapper B, sebek LKM, LOC, Romanian
  299                             rootkit detection.  new test added: trojan
  300                             tcpdump.  Minor bug fixes in the
  301                             chkrootkit script.
  302  01/30/2003 - Version 0.39  chkdirs.c and chkproc.c fixes.  bug fixes
  303                             in the chkrootkit script.  (more) Slapper
  304                             variants detection.
  305  04/03/2003 - Version 0.40  chkproc.c fixes.  Tru64 support. small
  306                             corrections in chkrootkit.  New test
  307                             added: init.  New rootkits detected: shv4,
  308                             Aquatica, ZK.
  309  06/20/2003 - Version 0.41  chkproc.c fixes.  New test added: vdir.
  310                             New worms detected: 55808.A and TC2. New
  311                             rootkits detected: Volc, Gold2, Anonoying,
  312                             Suckit (improved), ZK (improved).  Minor
  313                             corrections.
  314  09/12/2003 - Version 0.42  BSDI support for chkdirs.c.  chkproc.c
  315                             fix.  New rootkit detected: ShKit.
  316                             ifpromisc test fixed for Linux 2.4.x
  317                             kernels. corrections for the -r option.
  318                             FreeBSD 5.x support.  HPUX correction.
  319                             Extra "\n" removed from chklastlog.c
  320                             output.
  321  09/18/2003 - Version 0.42a Bug fix release.
  322  09/20/2003 - Version 0.42b Bug fix release.
  323  12/27/2003 - Version 0.43  C++ comments removed from chkproc.c.  New
  324                             rootkits detected: AjaKit and zaRwT.  New
  325                             CGI backdoors detected.  ifpromisc.c:
  326                             better detection of promisc mode on newer
  327                             Linux kernels.  New command line option
  328                             (-n) to skip NFS mounted dirs. Minor bug
  329                             corrections.
  330  09/01/2004 - Version 0.44  chkwtmp.c: del counter fixed. chkproc.c:
  331                             better support for Linux threads.  New
  332                             rootkit detected: Madalin.  Lots of minor
  333                             bug fixes.
  334  02/22/2005 - Version 0.45  chkproc.c: better support for Linux
  335                             threads.  New rootkit detected: Fu,
  336                             Kenga3, ESRK.  New test: chkutmp.  -n
  337                             option improvement.  Minor bug fixes.
  338  10/26/2005 - Version 0.46  chkproc.c: more fixes to better support
  339                             Linux threads. chkutmp.c: improved
  340                             execution speed.  chkwtmp.c: segfault
  341                             fixed.  New rootkit detected: rootedoor.
  342                             Mac OS X support added.  Minor bug fixes.
  343  10/28/2005 - Version 0.46a chkproc.c: bug fix for FreeBSD: chkproc
  344                             was sending a SIGXFSZ (kill -25) to init,
  345                             causing a reboot.
  346  10/10/2006 - Version 0.47  chkproc.c: bug fixes, use of getpriority(),
  347                             Enye LKM detected. chkrootkit: crontab
  348                             test, Enye LKM and Lupper.Worm detected,
  349                             minor bug fixes.
  350  12/17/2007 - Version 0.48  new tests: common SSH brute force
  351                             scanners, suspicious PHP files.  Enhanced
  352                             tests: login, netstat, top, backdoor.
  353                             Minor bug fixes.
  354  09/30/2009 - Version 0.49  new tests: Mac OS X OSX.RSPlug.A.  Enhanced
  355                             tests: suspicious sniffer logs, suspicious
  356                             PHP files, shell history file anomalies.
  357                             Bug fixes in chkdirs.c, chkproc.c and
  358                             chkutmp.c.
  359 
  360  04/30/2014 - Version 0.50 new tests: linuxrootkit-AMD-64-sound 
  361                            Operation Windigo ssh backdoor detection 
  362 			   Minor bug fixes
  363 
  364  10/13/2016 - Version 0.51 Mumblehard backdoor/botnet detection 
  365 			   Linux.Xor.DDoS Malware
  366                            Malicious TinyDNS detection 
  367                            Backdoors.Linux.Mokes.a detection 
  368 			   Minor bug fixes 
  369 
  370  13/03/2017 - Version 0.52 Linux.Proxy.10 detection 
  371               strings.c & chkutmp.c bug fixes
  372 
  373 
  374  01/25/2019 - Version 0.53 Rocke Monero Miner detection
  375                           Added ss support
  376 	                  ifconfig.c bug fixes 
  377                           Minor bug fixes 
  378 
  379  12/24/2020 - Version 0.54 PWNLNX4 and 6 Rootkits detection
  380 			BTRFS bug fix 
  381 			Fedora bug fix
  382 			Bug fix release
  383 
  384  06/10/2021 - Version 0.55 Umbreon Linux Rootkit detection 
  385 			Kinsing.A Backdoor 
  386 			RotaJakito Backdoor 
  387 			Minor bug fixes 
  388 
  389  -------------- Thx for using chkrootkit ----------------