CHKRootKit: Eliminate The Enemy Within
Scope of Article
Last month we learnt about the technical components that form rootkits. We also discussed why and how rootkits are dangerous and glanced at a few detection options. This article extends the same topic by describing a proven method of detecting the presence of rootkits on servers. We are going to learn about a powerful utility named Chkrootkit, an open-source tool dedicated to this purpose. We will cover installation methods, its usage, and ways to incorporate it into daily administrative tasks to ensure the security of servers and datacenters.
Revisiting the Basics
In the past several years, open-source Linux distributions have evolved from desktop operating systems into robust platforms for production datacenters that host mission-critical IT infrastructure. This growth has made the Linux kernel an attractive target for attackers looking for vulnerabilities to exploit. Among the most serious threats are rootkits, which are even more dangerous than viruses or trojans.
Rootkits are collections of tools, utilities, and scripts installed by attackers to gain administrator-level access and exploit systems further. They may steal data, use the machine as a zombie to attack others, or spread malware. Rootkits often consist of network sniffers, log parsers, and other low-level scripts. The challenge is that rootkits can modify command output on the fly, fooling antivirus solutions and remaining undetected.
Symptoms of rootkit presence can include degraded system performance, file deletions, altered file permissions, disrupted backups, and other anomalies. Administrators must employ monitoring systems and tools like Chkrootkit to swiftly respond to such threats.
About Chkrootkit
Chkrootkit is a popular open-source utility designed to detect the presence of rootkits. It’s widely used by Linux system administrators for two main reasons: it’s free and continuously updated by the community, and it detects a wide range of rootkits with improved accuracy over time.
Key Features of Chkrootkit
- Detects over 60 old and new rootkits
- Identifies network interfaces in promiscuous mode
- Checks for tampered lastlog and wtmp files
- Simple command-line usage with clear options
- Verbose output for automation and analysis
Chkrootkit uses C programs and shell scripts to scan system binaries and processes. It reports suspicious utilities and can sometimes even remove them. Some of its checks also look for generic patterns that hint at rootkits not yet explicitly supported.
Chkrootkit Programs
| Program | Purpose |
|---|---|
| chkrootkit | Main script to check for tampered system files |
| strings.c | Replacement for the strings utility, used when scanning binaries |
| ifpromisc.c | Check network interfaces for promiscuous mode |
| chklastlog.c, chkwtmp.c | Check for deleted lastlog and wtmp entries |
| chkproc.c, chkdirs.c | Detect kernel module-based trojans |
Installation
Chkrootkit installation is simple:
- Red Hat / other distros: Download the latest tarball from chkrootkit.org, verify with MD5, then extract:
  tar xfvz chkrootkit.tar.gz
  Navigate to the extracted directory and run:
  make sense
- Debian / Ubuntu: Use:
  sudo apt-get install chkrootkit
Chkrootkit Usage
The first recommended step is to run ifpromisc to check network interfaces. Then run Chkrootkit without options to scan the system. Outputs such as “not infected” or “INFECTED” indicate scan results.
Common Command Options
| Option | Explanation | Example |
|---|---|---|
| -h | Show help | chkrootkit -h |
| -v | Show version | chkrootkit -v |
| -l | List supported tests | chkrootkit -l |
| [testname] | Run specific test | chkrootkit ps sniffer |
| -x | Expert mode (detailed scan actions) | chkrootkit -x \| more |
| -q | Quiet mode (only infected files shown) | chkrootkit -q |
| -r dir | Use specified dir as root (scan mounted volumes) | chkrootkit -r /mnt1 |
What if a Rootkit is Found?
If a rootkit is detected:
- Immediately disconnect the infected system from the network
- Best practice: rebuild the system after backup
- Study the rootkit thoroughly if manual removal is required
- Run scans from a healthy system for improved accuracy
Integrating Chkrootkit into Admin Tasks
System administrators are encouraged to automate Chkrootkit scans. Scripts that capture the full output can be scheduled via cron jobs, with the logs kept and filtered for anomalies. Regular scans should include a check for promiscuous network interfaces, and the same scans can be extended to every server in the farm. This ensures early detection and better incident response.
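One way to build such a cron job, as an added example that is not part of chkrootkit or the original article: it assumes the script runs as root, that chkrootkit and ifpromisc are on PATH, and that the log directory /var/log/chkrootkit (an assumed path) exists. The sample report at the bottom is constructed to exercise the filter offline.

```shell
#!/bin/sh
# Nightly chkrootkit wrapper: added example, not part of chkrootkit.
# Assumed: run as root from cron, chkrootkit and ifpromisc on PATH, and
# LOGDIR already exists, e.g.  0 3 * * * /usr/local/sbin/chkrootkit-nightly.sh
LOGDIR="${LOGDIR:-/var/log/chkrootkit}"   # assumed path, adjust locally

# Keep only report lines that need attention: INFECTED verdicts, interfaces
# in PROMISC mode, and "Warning"/"Possible" notices. Reads a report on stdin.
extract_findings() {
    grep -E 'INFECTED|PROMISC|Warning|Possible'
}

# Exit status 0 when the report on stdin has no findings, 1 otherwise.
report_is_clean() {
    ! extract_findings | grep -q .
}

# Run ifpromisc first, then a full chkrootkit scan; keep the complete output
# as a dated log, and alert via syslog and mail only when something was found.
run_nightly() {
    report="$LOGDIR/chkrootkit-$(date +%Y%m%d-%H%M).log"
    {
        echo "== ifpromisc =="; ifpromisc
        echo "== chkrootkit =="; chkrootkit
    } > "$report" 2>&1
    if report_is_clean < "$report"; then
        logger -t chkrootkit "scan clean, report in $report"
    else
        logger -p auth.alert -t chkrootkit "FINDINGS in $report"
        extract_findings < "$report" | mail -s "chkrootkit findings on $(hostname)" root
    fi
}

# Constructed sample report (not real chkrootkit output) to exercise the filter.
sample_report() {
    cat <<'EOF'
eth0: not promisc and no packet sniffer sockets
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `sniffer'... eth1: PROMISC
Checking `chkutmp'... chkutmp: nothing deleted
EOF
}

case "${1:-}" in
    --run)  run_nightly ;;                        # real scan (needs root)
    --demo) sample_report | extract_findings ;;   # offline demonstration
esac
```

Running the script with --demo prints only the two lines that need attention from the constructed sample; --run performs the real scan and alerts only when findings exist.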
Summary
Rootkits pose a serious threat to datacenters. Chkrootkit provides a reliable, fast, and effective way to detect them. Administrators can leverage its features, automate scans, and maintain secure IT infrastructure with this open-source utility.
About the Author
The author has over 18 years of experience in IT hardware, networking, web technologies, and IT security. Prashant is MCSE, MCDBA certified and an F5 load balancer expert. In IT security, he is an ethical hacker and net-forensic specialist. He runs his own firm Valency Networks in India (www.valencynetworks.com), offering consultancy in IT security design, audits, and business process management. Contact: prashant@valencynetworks.com.