Using chkrootkit

While most Linux users should not be overly concerned with being the victim of a rootkit, chkrootkit is an easy to use scanner for signs of one.

In my opinion, chkrootkit is not a good fit for most users, myself included. Its detection measures can be easily circumvented by a competent attacker, and standard security measures are adequate to secure against the incompetent. Still, it may be appropriate for someone. Just don’t let its presence lull you into a false sense of security, nor let its many false positives numb you to its reports.

Chkrootkit is diagnostic, not preventative. It will call your attention to signs of a possible rootkit on a system, but securing that system to avoid being compromised in the first place is your job.

To install, use your distribution’s package manager.

As root, chkrootkit. The results scroll by. The README tells us that possible results are:

  • Not infected: The test was performed and found no indication of a rootkit. Good news.
  • Not found: The program to be tested is not installed on your system. Very good news.
  • Not tested: The test was not performed. This could happen if, for example, the test is OS specific. Usually not a problem, but is worth investigating.
  • Vulnerable but disabled: The tested program appears to be compromised, but is not in use. Bad news.
  • Infected: The tested program appears to be compromised. Very bad news.

Additionally it will list any files and directories it considers suspicious. This does not mean “compromised”, it means “worthy of investigation”.

When interpreting the results, use common sense and seek advice when appropriate. By its nature chkrootkit will call to your attention things that investigation shows to be benign. A few I’ve seen are below.

It would be a good idea to have chkrootkit run automatically on a periodic basis and send the results to the system email. Some distributions have a security tool that can integrate with chkrootkit and do this; one example is Mandriva’s msec.


Checking `aliens'... 

The aliens test tries to identify sniffer logs and rootkit config files. Searching the web, files of the form /dev/shm/pulse-shm-* appear to commonly trigger false alarms.

Searching for suspicious files and dirs, it may take a while...

Chkrootkit often flags hidden directories outside /home. If a trusted package installed them, they are benign; use your package manager to confirm. If your package manager is RPM, rpm -qf /path/to/filename will tell you if the given file came from a package, and if so, which.

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

The sniffer test identifies network interfaces that have been placed in promiscuous mode. Oddly enough, dhclient often leaves the interface in promiscuous mode. So if dhclient was flagged as the culprit and you need it, there isn’t much you can do about it. This is expected behavior and can be ignored by all but the paranoid.

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

The common denominator here is the lkm check; the number of hidden processes may change. The lkm test compares what proc says with what ps says. Some processes are short-lived and may die before the comparisons complete, making this test prone to false positives. If you receive a warning like this, double-check it by running just the relevant tests again (as root, chkrootkit ps lkm). If the second test is negative, you can consider the first report a false positive.

Chkrootkit project site


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

One Response to Using chkrootkit

  1. Pingback: Using msec | A maze of twisty little passages

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s