chkrootkit is a tool to locally check for signs of a rootkit. It contains:
- chkrootkit: shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
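As an added illustration of the class of check that chkwtmp.c and chkutmp.c perform (this is example code written for this page, not chkrootkit's own source): the log cleaners bundled with rootkits usually overwrite a user's wtmp records with zero bytes rather than shortening the file, which leaves a run of all-zero records sitting between live ones. The script below parses wtmp in the 384-byte glibc struct utmp layout used on Linux, builds a constructed sample file, zeroes one record the way such a cleaner would, and reports the gap together with the timestamps of the surrounding records. The usernames, hosts, PIDs and timestamps are constructed for the example; only the record layout and ut_type constants come from utmp.h.

```python
import struct
import tempfile

# glibc struct utmp as laid out on Linux: 384 bytes per record.
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; struct pads the string fields with NULs."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def parse_wtmp(data):
    """Decode a wtmp byte string into a list of record dicts."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated wtmp: size is not a multiple of %d" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
        })
    return records


def is_zeroed(rec):
    """A record a cleaner has wiped: EMPTY type, no time, no user, no tty."""
    return rec["type"] == EMPTY and rec["time"] == 0 and not rec["user"] and not rec["line"]


def find_deletions(records):
    """Return (count, time_before, time_after) for each run of zeroed records
    that is bounded on both sides by live records, in file order."""
    findings = []
    i, n = 0, len(records)
    while i < n:
        if not is_zeroed(records[i]):
            i += 1
            continue
        j = i
        while j < n and is_zeroed(records[j]):
            j += 1
        # A zero run at the very start or end has no neighbours to bracket it.
        if i > 0 and j < n:
            findings.append((j - i, records[i - 1]["time"], records[j]["time"]))
        i = j
    return findings


def build_sample_wtmp():
    """Constructed sample data (not a real capture): a clean file and a copy
    in which one login record has been overwritten with zero bytes."""
    good = [
        make_record(BOOT_TIME, 0, "~", "reboot", "example-kernel", 1130486400),
        make_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", 1130490000),
        make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", 1130493600),
        make_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1130497200),
    ]
    tampered = good[:2] + [b"\0" * UTMP_SIZE] + good[3:]
    return b"".join(good), b"".join(tampered)


def scan_file(path):
    """Read a wtmp file and report zeroed runs, like chkwtmp's summary line."""
    with open(path, "rb") as fh:
        findings = find_deletions(parse_wtmp(fh.read()))
    for count, before, after in findings:
        print("%d deletion(s) between %d and %d" % (count, before, after))
    return findings


if __name__ == "__main__":
    _, tampered = build_sample_wtmp()
    with tempfile.NamedTemporaryFile(suffix=".wtmp", delete=False) as tmp:
        tmp.write(tampered)
    scan_file(tmp.name)
```

Run against a real /var/log/wtmp the check is only as strong as the assumption behind it: a cleaner that rewrites the file without the victim's records, instead of zeroing them, leaves no hole to find, which is why chkrootkit pairs these checks with the binary and LKM tests listed below rather than relying on any one of them.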

What's New

chkrootkit 0.46a is now available! (Release Date: Fri Oct 28 2005) This version includes:
- chkproc.c
  - bug fix for FreeBSD: chkproc was sending a SIGXFSZ (kill -25) to init, causing a reboot
  - more fixes to better support Linux threads
- chkutmp.c
- chkwtmp.c
- chkrootkit
  - Mac OS X support added
  - new rootkits detected: rootedoor
  - some bug fixes

Tests performed and rootkits detected

The following tests are made:
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper
slapper z2 chkutmp amd basename biff chfn chsh cron date du
dirname echo egrep env find fingerd gpm grep hdparm su ifconfig
inetd inetdconf identd init killall ldsopreload login ls lsof
mail mingetty netstat named passwd pidof pop2 pop3 ps pstree
rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd
tcpdump top telnetd timed traceroute vdir w write
The following rootkits, worms and LKMs are currently detected:
01. lrk3, lrk4, lrk5, lrk6 (and variants);
02. Solaris rootkit;
03. FreeBSD rootkit;
04. t0rn (and variants);
05. Ambient's Rootkit (ARK);
06. Ramen Worm;
07. rh[67]-shaper;
08. RSHA;
09. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm;
13. LPD Worm;
14. kenny-rk;
15. Adore LKM;
16. ShitC Worm;
17. Omega Worm;
18. Wormkit Worm;
19. Maniac-RK;
20. dsc-rootkit;
21. Ducoci rootkit;
22. x.c Worm;
23. RST.b trojan;
24. duarawkz;
25. knark LKM;
26. Monkit;
27. Hidrootkit;
28. Bobkit;
29. Pizdakit;
30. t0rn v8.0;
31. Showtee;
32. Optickit;
33. T.R.K;
34. MithRa's Rootkit;
35. George;
36. SucKIT;
37. Scalper;
38. Slapper A, B, C and D;
39. OpenBSD rk v1;
40. Illogic rootkit;
41. SK rootkit;
42. sebek LKM;
43. Romanian rootkit;
44. LOC rootkit;
45. shv4 rootkit;
46. Aquatica rootkit;
47. ZK rootkit;
48. 55808.A Worm;
49. TC2 Worm;
50. Volc rootkit;
51. Gold2 rootkit;
52. Anonoying rootkit;
53. Shkit rootkit;
54. AjaKit rootkit;
55. zaRwT rootkit;
56. Madalin rootkit;
57. Fu rootkit;
58. Kenga3 rootkit;
59. ESRK rootkit;
60. rootedoor rootkit.
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x, NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X. More details can be found in chkrootkit's README.

Mailing List

To subscribe:
  echo "subscribe users your email" | mail majordomo@chkrootkit.org
The online archive of this mailing list is located at The Mailing list ARChives (MARC).

Contacting the Authors

Please send comments, new rootkits, questions and bug reports to Nelson Murilo <nelson@pangeia.com.br> (main author) and Klaus Steding-Jessen <jessen@cert.br> (co-author).