How does one test chkrootkit? - Security


Thread: How does one test chkrootkit?

  1. How does one test chkrootkit?

    Hello all:

    I installed chkrootkit, and have it running and e-mailing me its
    output.
    But as I look at each one, I wonder, how do I know if it is really
    working?


    I tried to replace the date file with some other file, renaming it date
    - and when I run chkrootkit, it reports Checking `date'... not
    infected

    Same goes if I edit and delete some part of date.


    Thanks,


    Charlie


  2. Re: How does one test chkrootkit?

    On 13 Apr 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1176486001.939512.82100@w1g2000hsg.googlegroups.com>,
    charlie.alexander@gmail.com wrote:

    >I installed chkrootkit, and have it running and e-mailing me its
    >output.


    Why? What do you expect this poorly written script to find? It's
    looking for symptoms that were seen in old attacks - some as old as
    nine years ago.

    >But as I look at each one, I wonder, how do I know if it is really
    >working?


    Working? Well, it's sending you some useless report, so it's "working".
    The real question is probably "is it working the way you expect it to?"
    and not knowing why you installed it, or what you expect, no one can
    answer.

    >I tried to replace the date file with some other file, renaming it date
    >- and when I run chkrootkit, it reports Checking `date'... not
    >infected


    By and large, chkrootkit (and the similar "rkhunter" from
    http://www.rootkit.nl) are just poorly written shell scripts using a
    concept not well thought out. If you actually look at the chkrootkit
    shell script - the section you want to read begins "chk_date ()" you
    will find it looking to see if the binary exists, and if the binary
    contains the strings "^/bin/.*sh$", "bash", "elite$:", "vejeta" or
    "\.ark" within the binary. If those exact strings are not present,
    the binary must not be infected. That the binary could be something
    completely different isn't deemed to be important.

    >Same goes if I edit and delete some part of date.


    chkrootkit (and rkhunter) don't work that way. For example, look at
    the chkrootkit shell script, about 50 lines in. There you will find it
    checking for the '55808' worm - a port scanner from June 2003. The
    entire test for this consists of looking to see if there is a directory
    named ".../a" or ".../r" in /tmp. Nothing else. Now never mind that
    the worm hasn't been seen in the wild in nearly four years, don't you
    think that the malware author might avoid detection by merely changing
    the file name from "/tmp/.../a" to "/tmp/.../b"? Wow, what a concept!

    Neither 'chkrootkit' nor 'rkhunter' is likely to find an installed
    exploit, and if they do, then the root kit author is exceptionally
    dumb.

    There are better alternatives. Perhaps most well known are 'tiger' and
    'satan' (neither up to date), tripwire, or the more modern 'aide'. These
    tools need to be initially installed/run on a clean installation, so
    that they know what it looks like. They also need to be redone when you
    update the system. Briefly, they look at what is on the system, compute
    various hashes and checksums, and when you then run them on a suspected
    system, they compare the existing hashes and checksums with the
    pre-computed ones. The tables of hashes/checksums, and the statically
    compiled binaries should be kept away from the monitored system to make
    it harder for a bad-guy to get to them. Another alternative (still
    relatively early in development) is Zeppoo (http://www.zeppoo.net)
    though I've seen very little feedback on it.

    Old guy


  3. Re: How does one test chkrootkit?

    On 13 Apr, 18:40, charlie.alexan...@gmail.com wrote:
    >
    > But as I look at each one, I wonder, how do I know if it is really
    > working?
    >
    > I tried to replace the date file with some other file, renaming it date
    > - and when I run chkrootkit, it reports Checking `date'... not
    > infected
    >
    > Same goes if I edit and delete some part of date.
    >


    You are not understanding how chkrootkit works and where it fits in
    your defence plan.

    chkrootkit looks for code fingerprints and known misbehaviours (e.g.
    some types of hidden processes). To detect file changes you need a
    file oriented IDS like L5 or tripwire.

    C.
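The two replies above make one point between them: a signature grep such as the chk_date() check described in the second reply can only say "not infected" about a file it does not recognise, whereas the hash-baseline approach of tripwire/aide (and the "file oriented IDS" the third reply recommends) flags any change at all. The following script is an added example, not code from the thread or from chkrootkit, tripwire or aide. It reproduces the original poster's three experiments (replace, truncate, delete) against a constructed stand-in for /bin/date in a temporary directory, running both a signature check built from the five strings quoted in the second reply (applied here as egrep-style regexes over the file's lines, an approximation of chkrootkit's actual code) and a sha256 baseline comparison. The hash algorithm, the tuple stored per file and the function names are all this example's own choices.

```python
import hashlib
import os
import re
import tempfile

# Signature patterns quoted in the second reply's description of chk_date().
# They are applied here as egrep-style regexes over the printable lines of the
# file, which approximates a "strings | egrep" check; it is not chkrootkit's
# exact code.
DATE_SIGNATURES = [r"^/bin/.*sh$", r"bash", r"elite$:", r"vejeta", r"\.ark"]


def signature_check(data: bytes, patterns=DATE_SIGNATURES) -> bool:
    """Return True ("infected") when any known signature string is present."""
    text = data.decode("latin-1")  # 1:1 byte-to-char mapping, so binaries never fail
    return any(re.search(p, line) for line in text.splitlines() for p in patterns)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Snapshot taken on a known-clean system: path -> (sha256, size, mode).
    In real use this table lives off the monitored host, as the second reply says."""
    return {p: (sha256_of(p), os.stat(p).st_size, os.stat(p).st_mode) for p in paths}


def compare_baseline(baseline):
    """Return {path: reason} for each baseline entry that no longer matches."""
    findings = {}
    for path, (digest, size, mode) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        st = os.stat(path)
        if st.st_mode != mode:
            findings[path] = "mode changed"
        elif st.st_size != size or sha256_of(path) != digest:
            findings[path] = "content changed"
    return findings


def run_experiment():
    """Re-run the poster's experiments on a constructed stand-in for /bin/date
    inside a temp dir; returns (signature verdict, baseline verdict) per step."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        date = os.path.join(d, "date")
        with open(date, "wb") as f:  # constructed stand-in, not the real binary
            f.write(b"#!/bin/sh\nexec /usr/bin/env date \"$@\"\n")
        baseline = build_baseline([date])

        # 1. "replace the date file with some other file, renaming it date"
        with open(date, "wb") as f:
            f.write(b"#!/bin/sh\necho not really date\n")
        with open(date, "rb") as f:
            sig = signature_check(f.read())
        results["replace"] = (sig, compare_baseline(baseline).get(date))

        # 2. "edit and delete some part of date"
        with open(date, "r+b") as f:
            f.truncate(8)
        with open(date, "rb") as f:
            sig = signature_check(f.read())
        results["truncate"] = (sig, compare_baseline(baseline).get(date))

        # 3. remove the file entirely
        os.remove(date)
        results["delete"] = compare_baseline(baseline).get(date)
    return results


if __name__ == "__main__":
    for step, verdict in run_experiment().items():
        print(f"{step}: {verdict}")
```

For every step the signature check returns False ("not infected"), exactly as the poster saw, while the baseline comparison reports "content changed" or "missing". The mode check runs before the hash so that a permission change (for example a new setuid bit on an otherwise identical file) is reported even when the content digest still matches; a production tool would also record owner, inode and mtime, and keep the baseline and the checking binary on separate, read-only media.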

