Saturday, May 13, 2006

Detect installed rootkits or Trojans

How do you find out whether your system has been compromised?

Rootcheck helps you find rootkits or detect signs of their presence. You are
probably familiar with chkrootkit and rkhunter; they are good tools for scanning
your Linux system for rootkit activity.

Here is how to use rootcheck to scan your server for signs of tampering. Note
that the tarball below is fetched over plain HTTP and then built and run as root,
so verify its checksum or signature against the value published by the project
before building it.

[root@localhost ~]# mkdir rootkit

[root@localhost ~]# cd rootkit/

[root@localhost rootkit]# wget http://www.ossec.net/rootcheck/files/rootcheck-0.6.tar.gz
--07:09:34-- http://www.ossec.net/rootcheck/files/rootcheck-0.6.tar.gz
=> `rootcheck-0.6.tar.gz'
Resolving www.ossec.net... 66.240.231.110
Connecting to www.ossec.net|66.240.231.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,748 (39K) [application/x-gzip]

100%[====================================>] 39,748 11.27K/s ETA 00:00

07:09:40 (11.25 KB/s) - `rootcheck-0.6.tar.gz' saved [39748/39748]

[root@localhost rootkit]# tar -zxvf rootcheck-0.6.tar.gz
rootcheck-0.6
rootcheck-0.6/src
rootcheck-0.6/src/shared
rootcheck-0.6/src/shared/Makefile
rootcheck-0.6/src/shared/debug_op.c
rootcheck-0.6/src/shared/file_op.c
rootcheck-0.6/src/shared/help.c
rootcheck-0.6/src/shared/mem_op.c
rootcheck-0.6/src/shared/sig_op.c
rootcheck-0.6/src/shared/privsep_op.c
rootcheck-0.6/src/shared/pthreads_op.c
rootcheck-0.6/src/shared/regex_op.c
rootcheck-0.6/src/os_xml
rootcheck-0.6/src/os_xml/Makefile
rootcheck-0.6/src/os_xml/README
rootcheck-0.6/src/os_xml/VERSION
rootcheck-0.6/src/os_xml/os_xml.c
rootcheck-0.6/src/os_xml/os_xml.h
rootcheck-0.6/src/os_xml/os_xml_access.c
rootcheck-0.6/src/os_xml/os_xml_node_access.c
rootcheck-0.6/src/os_xml/os_xml_variables.c
rootcheck-0.6/src/os_xml/COPYRIGHT
rootcheck-0.6/src/rootcheck
rootcheck-0.6/src/rootcheck/db
rootcheck-0.6/src/rootcheck/db/rootkit_files.txt
rootcheck-0.6/src/rootcheck/db/rootkit_trojans.txt
rootcheck-0.6/src/rootcheck/check_rc_dev.c
rootcheck-0.6/src/rootcheck/check_rc_files.c
rootcheck-0.6/src/rootcheck/check_rc_if.c
rootcheck-0.6/src/rootcheck/check_rc_pids.c
rootcheck-0.6/src/rootcheck/check_rc_ports.c
rootcheck-0.6/src/rootcheck/check_rc_readproc.c
rootcheck-0.6/src/rootcheck/check_rc_sys.c
rootcheck-0.6/src/rootcheck/check_rc_trojans.c
rootcheck-0.6/src/rootcheck/common.c
rootcheck-0.6/src/rootcheck/config.c
rootcheck-0.6/src/rootcheck/os_string.c
rootcheck-0.6/src/rootcheck/rootcheck.c
rootcheck-0.6/src/rootcheck/rootcheck.conf
rootcheck-0.6/src/rootcheck/rootcheck.h
rootcheck-0.6/src/rootcheck/run_rk_check.c
rootcheck-0.6/src/rootcheck/Makefile
rootcheck-0.6/src/rootcheck/check_open_ports.c
rootcheck-0.6/src/rootcheck/rootkit_files.txt
rootcheck-0.6/src/rootcheck/rootkit_trojans.txt
rootcheck-0.6/src/headers
rootcheck-0.6/src/headers/ar.h
rootcheck-0.6/src/headers/debug_op.h
rootcheck-0.6/src/headers/defs.h
rootcheck-0.6/src/headers/file_op.h
rootcheck-0.6/src/headers/help.h
rootcheck-0.6/src/headers/list_op.h
rootcheck-0.6/src/headers/mem_op.h
rootcheck-0.6/src/headers/mq_op.h
rootcheck-0.6/src/headers/os_err.h
rootcheck-0.6/src/headers/privsep_op.h
rootcheck-0.6/src/headers/pthreads_op.h
rootcheck-0.6/src/headers/rc.h
rootcheck-0.6/src/headers/regex_op.h
rootcheck-0.6/src/headers/sec.h
rootcheck-0.6/src/headers/shared.h
rootcheck-0.6/src/headers/sig_op.h
rootcheck-0.6/src/error_messages
rootcheck-0.6/src/error_messages/error_messages.h
rootcheck-0.6/src/Config.Make
rootcheck-0.6/src/Makeall
rootcheck-0.6/src/LOCATION
rootcheck-0.6/src/VERSION
rootcheck-0.6/Makefile
rootcheck-0.6/README

[root@localhost rootkit]# cd rootcheck-0.6

[root@localhost rootcheck-0.6]# ls
Makefile README src/

[root@localhost rootcheck-0.6]# make all
Making os_xml
make[1]: Entering directory `/root/rootkit/rootcheck-0.6/src/os_xml'
gcc -DXML_VAR=\"var\" -Wall -I../ -I../headers/ -DARGV0=\"os_xml\" -DXML_VAR=\"var\" -DOSSECHIDS -c os_xml.c os_xml_access.c os_xml_node_access.c os_xml_variables.c
ar cru os_xml.a os_xml.o os_xml_access.o os_xml_node_access.o os_xml_variables.o
ranlib os_xml.a
make[1]: Leaving directory `/root/rootkit/rootcheck-0.6/src/os_xml'
Making shared
make[1]: Entering directory `/root/rootkit/rootcheck-0.6/src/shared'
gcc -c -Wall -I../ -I../headers/ -DARGV0=\"shared-libs\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
ar cru lib_shared.a *.o
ranlib lib_shared.a
make[1]: Leaving directory `/root/rootkit/rootcheck-0.6/src/shared'
Making rootcheck
make[1]: Entering directory `/root/rootkit/rootcheck-0.6/src/rootcheck'
gcc -Wall -I../ -I../headers/ -DARGV0=\"ossec-rootcheck\" -DXML_VAR=\"var\" -DOSSECHIDS *.c ../shared/lib_shared.a ../os_xml/os_xml.a -U OSSECHIDS -D_GNU_SOURCE -o ossec-rootcheck
make[1]: Leaving directory `/root/rootkit/rootcheck-0.6/src/rootcheck'

[root@localhost rootcheck-0.6]# ls
db/ Makefile ossec-rootcheck* README rootcheck.conf* src/

[root@localhost rootcheck-0.6]# cat rootcheck.conf

no
syslog
./db/rootkit_files.txt
./db/rootkit_trojans.txt


[root@localhost rootcheck-0.6]# ./ossec-rootcheck -c rootcheck.conf

Starting rootcheck (http://www.ossec.net/rootcheck)
Be patient, it may take a few minutes to complete...

[OK]: No presence of public rootkits detected. Analized 236 files.

[OK]: No binaries with any trojan detected. Analized 54 files

[FAILED]: File '/dev/.started' present on /dev. Possible hidden file.

[OK]: No problem found on the system. Analized 96036 files.

[OK]: No hidden process by Kernel-level rootkits.
/bin/ps is not trojaned. Analized 32768 processes.

[OK]: No kernel-level rootkit hiding any port.
Netstat is acting correctly. Analized 131072 ports.

[OK]: The following ports are open:
22 (tcp),25 (tcp),80 (tcp),111 (tcp),111 (udp),
137 (udp),138 (udp),139 (tcp),389 (tcp),
443 (tcp),445 (tcp),756 (udp),759 (udp),
762 (tcp),973 (udp),976 (tcp),1024 (udp),
1025 (tcp),1026 (udp),2049 (tcp),2049 (udp),
5335 (tcp),5353 (udp),6000 (tcp),7741 (tcp),7741 (udp),
8118 (tcp),9050 (tcp),10026 (tcp)

[OK]: No problem detected on ifconfig/ifs. Analized 2 interfaces.


From the above report, the only alert is '/dev/.started', which I checked:

[root@localhost rootcheck-0.6]# file /dev/.started
/dev/.started: empty

[root@localhost rootcheck-0.6]# cat /dev/.started


The file /dev/.started is empty, so no problems here. (An empty file on its own
is not proof that the system is clean: rootcheck flags it because hidden dotfiles
in /dev are a known rootkit hiding place, and a rootkit marker file can be empty
too. Checking its owner and modification time with `ls -l` and confirming it was
created by a legitimate service settles the question.)
