"Fossies" - the Fresh Open Source Software Archive 
Member "chkrootkit-0.58b/README" (28 Jun 2023, 15638 Bytes) of package /linux/misc/chkrootkit-0.58b.tar.gz:
chkrootkit V. 0.58

Nelson Murilo <nmurilo@gmail.com> (main author)
Klaus Steding-Jessen <jessen@cert.br> (co-author)

This program locally checks for signs of a rootkit.
chkrootkit is available at: http://www.chkrootkit.org/


No illegal activities are encouraged!
I'm not responsible for anything you may do with it.

This tool includes software developed by the
DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp),
and small portions of ifconfig developed by
Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>.


1. What's chkrootkit?
---------------------

chkrootkit is a tool to locally check for signs of a rootkit. It
contains:

  * chkrootkit: a shell script that checks system binaries for
    rootkit modification.

  * ifpromisc.c: checks if the network interface is in promiscuous
    mode.

  * chklastlog.c: checks for lastlog deletions.

  * chkwtmp.c: checks for wtmp deletions.

  * check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

  * chkproc.c: checks for signs of LKM trojans (processes hidden
    from /proc).

  * chkdirs.c: checks for signs of LKM trojans (directories whose
    link count does not match the subdirectories readdir reports).

  * strings.c: quick and dirty strings replacement.

  * chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification
will be detected: a cleaner that rewrites the file without the record
leaves nothing for them to find.
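
The following is an added example and not chkrootkit's own chkwtmp.c or
chklastlog.c. It shows the two traces a cleaned wtmp most often leaves
behind: a record that was zeroed in place (the file keeps its length)
and a record dated before the one preceding it (wtmp is append-only, so
time should never run backwards). The record layout is the one from
<utmp.h>; the sample records, user names and timestamps are constructed
for the demonstration, and the function names are the example's own.

```c
/* Added example, not chkrootkit's chkwtmp.c: look for the two traces a
 * cleaned wtmp usually leaves behind. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <utmp.h>

/* 1 if every byte is zero: the entry was wiped in place, so the file
 * length and the records around it are unchanged. */
static int record_is_zeroed(const struct utmp *u)
{
    const unsigned char *p = (const unsigned char *)u;
    size_t i;
    for (i = 0; i < sizeof *u; i++)
        if (p[i]) return 0;
    return 1;
}

/* Returns how many of records[0..n) look tampered with: zeroed entries,
 * and entries dated before the previous good entry (wtmp is append-only,
 * so time should never run backwards). The indexes of the first out_len
 * hits are stored in out when it is non-NULL. */
int scan_wtmp_records(const struct utmp *records, size_t n,
                      size_t *out, size_t out_len)
{
    size_t i, found = 0;
    long last_sec = 0;
    for (i = 0; i < n; i++) {
        long sec = (long)records[i].ut_tv.tv_sec;
        int bad = record_is_zeroed(&records[i]) || sec < last_sec;
        if (!bad) { last_sec = sec; continue; }
        if (out && found < out_len) out[found] = i;
        found++;
    }
    return (int)found;
}

/* Loads a wtmp-format file and scans it; -1 if it cannot be read. */
int scan_wtmp_file(const char *path, size_t *out, size_t out_len)
{
    struct utmp *recs;
    long size;
    size_t n;
    int r = -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) == 0 && (size = ftell(f)) >= 0 && fseek(f, 0, SEEK_SET) == 0) {
        n = (size_t)size / sizeof *recs;      /* a trailing partial record is ignored */
        recs = malloc((n + 1) * sizeof *recs);
        if (recs && fread(recs, sizeof *recs, n, f) == n)
            r = scan_wtmp_records(recs, n, out, out_len);
        free(recs);
    }
    fclose(f);
    return r;
}

/* Constructed sample, not a real log: four normal logins, one record
 * wiped in place (index 2) and one dated before its predecessor (index 4). */
size_t build_sample_wtmp(struct utmp *buf, size_t cap)
{
    static const struct { const char *user, *line; long when; } rows[] = {
        { "alice",   "pts/0", 1700000000L },
        { "bob",     "pts/1", 1700000600L },
        { "",        "",      0L },
        { "carol",   "pts/2", 1700001200L },
        { "mallory", "pts/3", 1699990000L },
        { "dave",    "pts/4", 1700001800L },
    };
    size_t i, n = sizeof rows / sizeof rows[0];
    if (cap < n) return 0;
    memset(buf, 0, n * sizeof *buf);
    for (i = 0; i < n; i++) {
        if (rows[i].when == 0) continue;      /* leave the wiped record all-zero */
        buf[i].ut_type = USER_PROCESS;
        buf[i].ut_pid = (pid_t)(1000 + i);
        strncpy(buf[i].ut_user, rows[i].user, sizeof buf[i].ut_user - 1);
        strncpy(buf[i].ut_line, rows[i].line, sizeof buf[i].ut_line - 1);
        buf[i].ut_tv.tv_sec = rows[i].when;
    }
    return n;
}

/* Scan of the constructed sample, and the index of its k-th hit (or -1). */
int sample_findings(size_t *out, size_t out_len)
{
    struct utmp buf[8];
    return scan_wtmp_records(buf, build_sample_wtmp(buf, 8), out, out_len);
}
long sample_finding_at(size_t k)
{
    size_t idx[8];
    int n = sample_findings(idx, 8);
    return (n > 0 && k < (size_t)n && k < 8) ? (long)idx[k] : -1;
}

/* Stand-alone use: scan the file named on the command line, else the sample. */
int main(int argc, char **argv)
{
    size_t idx[32];
    int i, n = argc > 1 ? scan_wtmp_file(argv[1], idx, 32) : sample_findings(idx, 32);
    if (n < 0) { perror(argv[1]); return 2; }
    for (i = 0; i < n && i < 32; i++)
        printf("record %lu looks tampered with\n", (unsigned long)idx[i]);
    printf("%d suspicious record(s)\n", n);
    return n > 0;
}
```

Both checks are heuristics. A clock step (hwclock, an NTP jump) also makes
timestamps run backwards, and a cleaner that rewrites the file without the
offending record leaves neither trace, which is the reason the README
says detection is not guaranteed. Build with `cc -o wtmpscan wtmpscan.c`
and run `./wtmpscan /var/log/wtmp` as root on a Linux host.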

The aliens test tries to find sniffer logs and rootkit config files. It
looks for some default file locations -- so it is also not guaranteed
that it will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir
system call. This could be an indication of an LKM trojan. You can
also run this command with the -v option (verbose).


2. Rootkits, Worms and LKMs detected
------------------------------------

For an updated list of rootkits, worms and LKMs detected by
chkrootkit please visit: http://www.chkrootkit.org/


3. Supported Systems
--------------------

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x, NetBSD
1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
OS X.


4. Package Contents
-------------------

README
README.chklastlog
README.chkwtmp
COPYRIGHT
chkrootkit.lsm

Makefile
chklastlog.c
chkproc.c
chkdirs.c
chkwtmp.c
check_wtmpx.c
ifpromisc.c
strings.c
chkutmp.c

chkrootkit


5. Installation
---------------

To compile the C programs type:

# make sense

After that it is ready to use and you can simply type:

# ./chkrootkit


6. Usage
--------

chkrootkit must run as root. The simplest way is:

# ./chkrootkit

This will perform all tests. You can also specify only the tests you
want, as shown below:

Usage: ./chkrootkit [options] [testname ...]
Options:
        -h                  show this help and exit
        -V                  show version information and exit
        -l                  show available tests
        -d                  debug
        -q                  quiet mode
        -x                  expert mode
        -r dir              use dir as the root directory
        -p dir1:dir2:dirN   path for the external commands used by chkrootkit
        -n                  skip NFS mounted dirs

Version 0.58 also added a -T option for skipping network filesystems
(see the ChangeLog); `./chkrootkit -h' prints the option list of the
version you actually have.

Where testname stands for one or more from the following list:

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
inetdconf identd init killall ldsopreload login ls lsof mail mingetty
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
traceroute vdir w write

For example, the following command checks for trojaned ps and ls
binaries and also checks if the network interface is in promiscuous
mode:

# ./chkrootkit ps ls sniffer

The `-q' option can be used to put chkrootkit in quiet mode -- in
this mode only output messages with `infected' status are shown.

With the `-x' option the user can examine suspicious strings in the
binary programs that may indicate a trojan -- all the analysis is
left to the user.

Lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut,
egrep, find, head, id, ls, netstat (or ss), ps, strings, sed, uname.
It is possible, with the `-p' option, to supply an alternate path to
chkrootkit so it won't use the system's (possibly) compromised
binaries to make its tests.

To use, for example, binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a `:'

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Two caveats apply to `-p'. The binaries on the trusted media should be
statically linked, otherwise they still load the suspect system's
shared libraries (and anything named in its ld.so.preload). And `-p'
only replaces user-space tools: the shell interpreting chkrootkit and
the kernel that answers its questions about processes, files and
interfaces are still the suspect system's, so a kernel-level (LKM)
rootkit can lie to every one of those trusted binaries.

Sometimes it is a good idea to mount the disk from a compromised
machine on a machine you trust. Just mount the disk and specify a new
rootdir with the `-r' option. This sidesteps the suspect kernel
entirely; tests that need the running system are then reported as
"not tested" (see section 7).

For example, suppose the disk you want to check is mounted under
/mnt, then:

# ./chkrootkit -r /mnt


7. Output Messages
------------------

The following messages are printed by chkrootkit (except with the -x
and -q command line options) during its tests:

"INFECTED": the test has identified a command probably modified by
a known rootkit;

"not infected": the test didn't find any known rootkit signature;

"not tested": the test was not performed -- this can happen in
the following situations:
   a) the test is OS specific;
   b) the test depends on an external program that is not available;
   c) some specific command line options are given (e.g. -r);

"not found": the command to be tested is not available;

"Vulnerable but disabled": the command is infected but not in use
(not running, or commented out in inetd.conf).

Read these as signature results, not verdicts. "not infected" means
none of the known signatures matched, which is absence of evidence
rather than a clean bill of health. "INFECTED" is a signature match
and can be a false positive (several ChangeLog entries below fix such
cases); confirm it by comparing the flagged binary against your
package manager's checksums or a copy from install media before
acting on it.


8. A trojaned command has been found. What should I do now?
------------------------------------------------------------

Your biggest problem is that your machine has been compromised and
the intruder has, or had, root privileges.

You may be able to get by with replacing the trojaned command, but a
rootkit is installed only after root has been obtained, so anything
else on the system may have been altered as well. The best way is to
reinstall the machine from safe media and to follow your vendor's
security recommendations. Before wiping it, preserve what you need
for the investigation (a disk image and the chkrootkit output), since
the reinstall destroys the evidence of how the intruder got in.


9. Reports and questions
------------------------

Please send comments, questions and bug reports to
nmurilo@gmail.com and jessen@cert.br.

A simple FAQ and related information about rootkits and security can
be found at chkrootkit's homepage, http://www.chkrootkit.org.


10. ACKNOWLEDGMENTS
-------------------

See the ACKNOWLEDGMENTS file.

11. ChangeLog
-------------

02/20/1997 - Initial release
02/25/1997 - Version 0.4, formal testing.
03/30/1997 - Version 0.5, suspect files routine added.
06/11/1997 - Version 0.6, minor fixes and Debian compatibility.
06/24/1997 - Version 0.7, FreeBSD compatibility fixed.
08/07/1997 - Version 0.8, yet another FreeBSD compatibility fix;
             RedHat PAM fixed.
04/02/1998 - Version 0.9, new r00tkit versions supported.
07/03/1998 - Version 0.10, other types of r00tkits supported.
10/15/1998 - Version 0.11, bug found by Alberto Courrege Gomide fixed.
11/30/1998 - Version 0.12, lrk4 support added.
12/26/1998 - Version 0.13, minor fixes for Red Hat and glibc users.
06/14/1999 - Version 0.14, Sun/Solaris initial support added.
04/29/2000 - Version 0.15, lrk5 features added and minor fixes.
07/09/2000 - Version 0.16, new r00tkit types supported and contrib patches.
09/16/2000 - Version 0.17, more contrib patches, rootkit types and
             Loadable Kernel Modules (LKM) trojan checking
             added.
10/08/2000 - Version 0.18, new rootkit types supported and many bug fixes.
12/24/2000 - Version 0.19, -r, -p, -l options added. ARK support
             added. Some bug fixes.
01/18/2001 - Version 0.20, Ramen Worm and latest t0rnkit detection,
             temporary check for promisc mode disabled
             on Solaris boxes.
01/19/2001 - Version 0.21, corrects a bug in the Ramen Worm detection.
01/26/2001 - Version 0.22, chklastlog core dump bug fixed, login and
             bindshell false positives fixed, cron test
             improvement.
03/12/2001 - Version 0.23, lrk6, rh[67]-shaper, RSHA and Romanian
             rootkit detection. Test for shell history
             file anomalies. More ports added to the
             bindshell test.
03/15/2001 - Version 0.23a fixes a bug found in the cron and
             bindshell tests.

03/22/2001 - Version 0.30 lots of new tests added. RK17 and Lion
             Worm detection.
04/07/2001 - Version 0.31 new tests: gpm, rlogind, mgetty. Adore
             Worm detection. Some bug fixes.
05/07/2001 - Version 0.32 t0rn v8, LPD Worm, kenny-rk and Adore LKM
             detection. Some Solaris bug fixes.
06/02/2001 - Version 0.33 new tests added. ShitC, Omega and Wormkit
             Worm detection. dsc-rootkit detection.
             Some bug fixes.
09/19/2001 - Version 0.34 new tests added. check_wtmpx.c added.
             Ducoci rootkit and x.c Worm detection.
             `-q' option added.
01/17/2002 - Version 0.35 tests added: lsof and ldsopreload.
             strings.c added. Ports added to the
             bindshell test. RST.b, duarawkz, knark
             LKM, Monkit, Hidrootkit, Bobkit, Pizdakit,
             t0rn v8.0 (variant) detection.
06/15/2002 - Version 0.36 test added: w. chkproc.c additions.
             Showtee, Optickit, T.R.K, MithRa's
             Rootkit, George and SucKIT detection.
09/16/2002 - Version 0.37 tests added: scalper and slapper.
             Scalper Worm, Slapper Worm, OpenBSD rk
             v1, Illogic and SK rootkit detection.
             chklastlog.c and chkproc.c improvements.
             Small chkrootkit bug fix.
12/20/2002 - Version 0.38 chkdirs.c added. chkproc.c improvements.
             slapper B, sebek LKM, LOC, Romanian
             rootkit detection. New test added: trojaned
             tcpdump. Minor bug fixes in the
             chkrootkit script.
01/30/2003 - Version 0.39 chkdirs.c and chkproc.c fixes. Bug fixes
             in the chkrootkit script. (More) Slapper
             variants detection.
04/03/2003 - Version 0.40 chkproc.c fixes. Tru64 support. Small
             corrections in chkrootkit. New test
             added: init. New rootkits detected: shv4,
             Aquatica, ZK.
06/20/2003 - Version 0.41 chkproc.c fixes. New test added: vdir.
             New worms detected: 55808.A and TC2. New
             rootkits detected: Volc, Gold2, Anonoying,
             Suckit (improved), ZK (improved). Minor
             corrections.
09/12/2003 - Version 0.42 BSDI support for chkdirs.c. chkproc.c
             fix. New rootkit detected: ShKit.
             ifpromisc test fixed for Linux 2.4.x
             kernels. Corrections for the -r option.
             FreeBSD 5.x support. HPUX correction.
             Extra "\n" removed from chklastlog.c
             output.
09/18/2003 - Version 0.42a Bug fix release.
09/20/2003 - Version 0.42b Bug fix release.
12/27/2003 - Version 0.43 C++ comments removed from chkproc.c. New
             rootkits detected: AjaKit and zaRwT. New
             CGI backdoors detected. ifpromisc.c:
             better detection of promisc mode on newer
             Linux kernels. New command line option
             (-n) to skip NFS mounted dirs. Minor bug
             corrections.
09/01/2004 - Version 0.44 chkwtmp.c: del counter fixed. chkproc.c:
             better support for Linux threads. New
             rootkit detected: Madalin. Lots of minor
             bug fixes.
02/22/2005 - Version 0.45 chkproc.c: better support for Linux
             threads. New rootkits detected: Fu,
             Kenga3, ESRK. New test: chkutmp. -n
             option improvement. Minor bug fixes.
10/26/2005 - Version 0.46 chkproc.c: more fixes to better support
             Linux threads. chkutmp.c: improved
             execution speed. chkwtmp.c: segfault
             fixed. New rootkit detected: rootedoor.
             Mac OS X support added. Minor bug fixes.
10/28/2005 - Version 0.46a chkproc.c: bug fix for FreeBSD: chkproc
             was sending a SIGXFSZ (kill -25) to init,
             causing a reboot.
10/10/2006 - Version 0.47 chkproc.c: bug fixes, use of getpriority(),
             Enye LKM detected. chkrootkit: crontab
             test, Enye LKM and Lupper.Worm detected,
             minor bug fixes.
12/17/2007 - Version 0.48 new tests: common SSH brute force
             scanners, suspicious PHP files. Enhanced
             tests: login, netstat, top, backdoor.
             Minor bug fixes.
09/30/2009 - Version 0.49 new tests: Mac OS X OSX.RSPlug.A. Enhanced
             tests: suspicious sniffer logs, suspicious
             PHP files, shell history file anomalies.
             Bug fixes in chkdirs.c, chkproc.c and
             chkutmp.c.

04/30/2014 - Version 0.50 new tests: linuxrootkit-AMD-64-sound
             Operation Windigo ssh backdoor detection
             Minor bug fixes

10/13/2016 - Version 0.51 Mumblehard backdoor/botnet detection
             Linux.Xor.DDoS Malware
             Malicious TinyDNS detection
             Backdoors.Linux.Mokes.a detection
             Minor bug fixes

03/13/2017 - Version 0.52 Linux.Proxy.10 detection
             strings.c & chkutmp.c bug fixes


01/25/2019 - Version 0.53 Rocke Monero Miner detection
             Added ss support
             ifconfig.c bug fixes
             Minor bug fixes

12/24/2020 - Version 0.54 PWNLNX4 and 6 Rootkits detection
             BTRFS bug fix
             Fedora bug fix
             Bug fix release

06/10/2021 - Version 0.55 Umbreon Linux Rootkit detection
             Kinsing.A Backdoor
             RotaJakiro Backdoor
             Minor bug fixes

12/22/2022 - Version 0.56 Kovid rootkit
             Syslogk rootkit
             Minor bug fixes

01/13/2023 - Version 0.57 bug fix release

06/29/2023 - Version 0.58
             New option to avoid scanning network filesystems (-T)
             Kovid Malware
             Linux BPFDoor Malware
             Minor bug fixes

-------------- Thx for using chkrootkit ----------------