A few updates...

1) Change the standard file attributes on the md5 file before setting the 
immutable flag. I make mine 0400 so it's read-only by the superuser. (chmod 
0400 /etc/chkrootkit.md5)
2) You may need to edit the location of your mail program in line 18 
(changed mine from /usr/bin/mail to /bin/mail).
3) Line 32 of the script will need to be adjusted on Linux boxes... the md5 
output is reversed. Simply replace the command 'pop' with 'shift'.

-Jason


At 05:54 PM 2/22/2002 -0500, Jason Dixon wrote:
>Thanks to an article on the O'Reilly network 
>(http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html), I've 
>started using chkrootkit (http://www.chkrootkit.org), a utility that 
>checks for rootkits on your Linux/BSD/Solaris install.  It looks for 
>certain signatures in trojaned system binaries and compares them against 
>known rootkits.  It includes other tools that check for network 
>promiscuity (ifpromisc), lastlog deletions (chklastlog), wtmp deletions 
>(chkwtmp), wtmpx deletions (check_wtmpx - Solaris only), and checks for 
>signs of LKM trojans (chkproc).
>
>I've performed some extra steps which allow me to automate the running of 
>chkrootkit, while also authenticating the validity of the chkrootkit 
>binary itself.  I'm including the steps here, in case anyone else would 
>like to try this on their own systems.  Please note... this utility is 
>great for checking against *known* rootkits... it's not a substitution for 
>common security practices.  I would also suggest that anyone serious about 
>preventing rootkit modifications also ensure they install Tripwire on all 
>new installations.  However, in situations where a box does not already 
>have Tripwire installed, chkrootkit is a great tool to help gain back some 
>peace of mind.  This document covers Linux and *BSD installs only.
>
>Installation of chkrootkit is very simple.  Grab the tarball, uncompress, 
>and run 'make sense' (as root).  Copy the binaries to a standard system 
>bin (I used /usr/local/sbin).  Cd to the new location and run the 
>chkrootkit by hand to make sure everything looks good....
>
>tar zxf chkrootkit-0.35.tar.gz
>cd chkrootkit-0.35/
>make sense
>cp chkrootkit /usr/local/sbin/
>cp chkwtmp /usr/local/sbin/
>cp chklastlog /usr/local/sbin/
>cp chkproc /usr/local/sbin/
>cp ifpromisc /usr/local/sbin/
>./chkrootkit
>
>The output will look something like this... (snipped for brevity's sake)
>
>ROOTDIR is `/'
>Checking `amd'... not infected
>Checking `basename'... not infected
>Checking `biff'... not infected
>Checking `chfn'... not infected
>Checking `chsh'... not infected
>Checking `cron'... not infected
>Checking `date'... not infected
>...
>Checking `sniffer'...
>dc0 is not promisc
>sl0 is not promisc
>ppp0 is not promisc
>bridge1 is not promisc
>gif0 is not promisc
>Checking `wted'... nothing deleted
>Checking `z2'... nothing deleted
>
>Ok, now for the extra layer of security.  To ensure that no one tampers 
>with my chkrootkit binaries, I've created a new file (/etc/chkrootkit.md5) 
>containing the md5sum for each binary.  Next, we want to modify the md5 
>file so nobody can tamper with it.  We want to turn on the *immutable* bit 
>for this file.  Making a file immutable means that no one can modify or 
>delete the file.  In Linux, we want to use the 'chattr +i' command... in 
>*BSD, the same command is 'chflags schg'.  To view special attributes, you 
>must use 'lsattr' in Linux and 'ls -lo' in *BSD.  Note that in Linux, the 
>immutable flag can be removed by the superuser at any time with 'chattr 
>-i'.  In *BSD systems, you can only remove the "system immutable" (schg) 
>flag in securelevel 0 or -1 (single-user mode is an example of securelevel 0).
>
>md5sum chkrootkit >> /etc/chkrootkit.md5
>[run the same command for each binary;  command is 'md5' in *BSD]
>
>chattr +i /etc/chkrootkit.md5   [Linux]
>chflags schg /etc/chkrootkit.md5   [*BSD]
>
>To automate these utilities, I've setup a cron job to execute a perl 
>script I've created which first authenticates our stored md5 digests 
>against the current md5 values.  It uses the Digest::MD5 perl module to 
>run the digests.  Installing the perl module is very simple... grab the 
>tarball, uncompress to a directory, run (as root) 'perl Makefile.PL', 
>'make', 'make test' and 'make install'.
>
>wget http://www.cpan.org/authors/id/GAAS/Digest-MD5-2.16.tar.gz
>tar zxf Digest-MD5-2.16.tar.gz
>cd Digest-MD5-2.16/
>perl Makefile.PL
>make
>make test
>make install
>
>Here is the script... I make no guarantees... YMMV.  Note the variables 
>that should be changed specific to your usage... $md5_sav_file (location 
>of your trusted md5 file), $runpath (location of your chkrootkit binary), 
>and $admin_mail (your email address... make sure to escape the '@' with a 
>backslash or perl won't interpret it correctly).  The script will first 
>compare the known and trusted md5 sums found in our immutable file to the 
>current md5 sums of the binaries.  If there are any discrepancies, it will 
>report them.  Next, it will cd to the system bin (as defined by $runpath) 
>and run the chkrootkit binary.  It needs to cd to the directory, as 
>chkrootkit will attempt to run the other utilities within its current 
>directory.
>
>#!/usr/bin/perl -w
># safe_chkrootkit.pl
>
>use strict;
>no strict 'subs';
>use Digest::MD5(md5_hex);
>
>my $md5_new;
>my $md5_sav;
>my $md5_sav_file = "/etc/chkrootkit.md5";
>my $file;
>my $file_and_path;
>my $path = "/usr/local/sbin";
>my @files = qw( ifpromisc chkproc chkrootkit chklastlog chkwtmp );
>my @input;
>my $admin_mail = "admin\@localhost.com";
>
>open(MAIL, "|/usr/bin/mail $admin_mail");
>print MAIL "Running authentication tests on chkrootkit binaries...\n\n";
>
>while (<@files>) {
>         $file = $_;
>         $file_and_path = "$path/$file";
>         open(MD5,"$file_and_path") || die "Can't open file for reading: $!";
>         $md5_new = Digest::MD5->new->addfile(MD5)->hexdigest;
>         close(MD5);
>         open(TST,"$md5_sav_file",) || die "Can't open file for reading: $!";
>         while (<TST>) {
>                 chomp;
>                 if (/$file/) {
>                         @input = split(/ /,$_);
>                         $md5_sav = pop(@input);
>                         unless ($md5_new eq $md5_sav) {
>                                 print MAIL "\t\t\t*** WARNING ***\n";
>                                 print MAIL "The binary file for " . $path . "/" . $file . " has been altered.\n";
>                                 print MAIL "The original md5 sum for $file was\n\n";
>                                 print MAIL "\t\t$md5_sav\n\n";
>                                 print MAIL "and the new md5 sum is\n\n";
>                                 print MAIL "\t\t$md5_new\n\n";
>                                 print MAIL "Please investigate ASAP\n";
>                                 print MAIL "\t\t\t*********************\n";
>                         } else {
>                                 print MAIL "\[$file\]\n";
>                                 print MAIL "Current: $md5_new\n";
>                                 print MAIL "Trusted: $md5_sav\n\n";
>                         }
>                 }
>         }
>         close(TST);
>}
>
># Now cd to the system bin and run chkrootkit itself (it expects the other
># utilities in its current directory), mailing its output after the digest report.
>chdir($path) || die "Can't cd to $path: $!";
>open(CHK, "./chkrootkit |") || die "Can't run chkrootkit: $!";
>print MAIL while (<CHK>);
>close(CHK);
>close(MAIL);
>
>I hope that others find this as useful as I have.  I've implemented this 
>on my OpenBSD firewall, and plan on installing it on my Linux workstation 
>ASAP.  Keep in mind that there are many other facets of system security 
>that should still be scrutinized, but this is a nice tool to help out 
>nonetheless.  If anyone has any questions, comments or suggestions 
>regarding my usage of this program, or the functionality of the script, 
>please let me know.
>
>-Jason
>
>_________________________________________________________
>Do You Yahoo!?
>Get your free @yahoo.com address at http://mail.yahoo.com
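As an added example (not code from the thread), here is a Python version of the digest check that accepts both the GNU md5sum ("hash  name") and BSD md5 ("MD5 (name) = hash") manifest formats, so the 'pop'/'shift' edit from the follow-up is not needed, and that looks each binary up by exact name instead of a substring regex. The manifest and the "binaries" it checks are constructed samples.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# GNU md5sum writes "<hash>  <name>", BSD md5 writes "MD5 (<name>) = <hash>";
# parsing both removes the platform-specific 'pop'/'shift' swap from the thread.
GNU_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")
BSD_LINE = re.compile(r"^MD5 \((.+)\) = ([0-9a-fA-F]{32})$")
# Constructed sample manifest (not from the post), one line in each format.
SAMPLE_MANIFEST = ("900150983cd24fb0d6963f7d28e17f72  chkrootkit\n"
                   "MD5 (chkproc) = d41d8cd98f00b204e9800998ecf8427e\n")

def parse_manifest(text):
    """Return {basename: hexdigest}; a line in neither format is an error."""
    trusted = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = GNU_LINE.match(line)
        if m:
            digest, name = m.groups()
        else:
            m = BSD_LINE.match(line)
            if not m:
                raise ValueError("unrecognised manifest line: %r" % line)
            name, digest = m.groups()
        trusted[Path(name).name] = digest.lower()
    return trusted

def verify(bindir, trusted, names):
    """Exact-name lookup (the post's /$file/ regex is a substring match)."""
    results = []
    for name in names:
        path = Path(bindir) / name
        if name not in trusted:
            results.append((name, "NO_TRUSTED_SUM", None, None))
        elif not path.is_file():
            results.append((name, "MISSING", trusted[name], None))
        else:
            current = hashlib.md5(path.read_bytes()).hexdigest()
            status = "OK" if current == trusted[name] else "ALTERED"
            results.append((name, status, trusted[name], current))
    return results

def demo():
    """Constructed run: fake binaries in a temp dir, one of them tampered."""
    d = Path(tempfile.mkdtemp())
    (d / "chkrootkit").write_bytes(b"abc")  # md5 of b"abc" matches the manifest
    (d / "chkproc").write_bytes(b"xyz")     # manifest holds the md5 of an empty file
    return verify(d, parse_manifest(SAMPLE_MANIFEST), ["chkrootkit", "chkproc", "chkwtmp"])
```

A binary that is absent from the manifest is reported rather than silently skipped, which the original script's inner loop does not do.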
