Howto | Protect against rootkits
21 Mar 2009Apparently Rootkits are a major problem in the linux world. Unlike viruses, you are much more likely to be infected without realising that you even have a problem. The purpose of this document is twofold:
- Check for existing infection
- Protect against future infection
If you are unsure what a Rootkit is, then please read the Rootkit Wikipedia page before continuing.
Warning
This is how I checked and protected against rootkits and is not how I would recommend that anyone else should do so.
Step 1: rkhunter
I suggest you visit the rkhunter website at: http://rkhunter.sourceforge.net/
$ sudo apt-get install rkhunter
$ sudo rkhunter --upgrade
$ sudo rkhunter --checkall --createlogfile
Read the output and take corrective action as required.
Step 2: chkrootkit
I suggest you visit the chkrootkit website at:
- http://www.chkrootkit.org
In particular, the FAQS would suggest that you shouldn’t trust the chkrootkit to use the commands on your system, bearing in mind that you suspect that they might be compromised; I chose not to take this additional precaution - you should make your decision based on the exposure of your server to the Internet and your assessment of the likelihood of your having a rootkit.
$ sudo apt-get install chkrootkit
$ sudo chkrootkit
Step 4: tripwire
- http://sourceforge.net/projects/tripwire/
Tripwire creates a database of your system files and then tracks any changes to them.
$ sudo apt-get install tripwire
Follow all the prompts, which will require you to create a Site Key Pass-phrase and a Local key Pass-phrase. Next we need to create the database:
$ sudo tripwire --init
Wrote database file: /var/lib/tripwire/hostname.domain.com.twd
The database was successfully generated.
Next we run a first check:
$ sudo tripwire --check
This will doubtless come back with far more information than you really want. For example I received loads of lines about “/proc/PIDNO/”.