Staying one step ahead of the intruders


One of the most popular rootkit scanners on Linux is Chkrootkit [2]. The toolkit by Nelson Murilo and Klaus Steding-Jessen comprises a collection of small C programs specially written to detect a specific anomaly. After unpacking the archive, build the applications by typing

make sense

and then perform a trial run by typing ./chkrootkit (Figure 1). Unfortunately, the rootkit scanner calls various binary programs on the infected system. For this reason, you should always run these tools directly from a separate, clean medium such as a CD or DVD drive:

./chkrootkit -p /cdrom/bin

in order to avoid infection.

Rootkit Hunter

Just like Chkrootkit, Rootkit Hunter also searches the infected system for specific characteristics that indicate the existence of a rootkit. Originally written by Michael Boelen, the tool was passed on to a team of developers in 2006, and the results are visible on SourceForge [3]. After downloading and unpacking the archive, become root and enter the following to build:

./ --layout custom . --install

Then change to the files subdirectory and modify the rkhunter.conf configuration file. The following command line starts the check

./rkhunter --check


In contrast to previous, simple scanners, OSSEC [4] launches a whole battery of functions (Figure 2). In addition to automatically performing period rootkit detection, it offers permanent monitoring and analysis of logfiles, integrity checks, and (rules-based) intrusion detection. The Rootcheck project has rootkit signatures up for grabs on its website [5].

OSSEC lets you set up a client/server team: Agents monitor the operating system on the client machines. Whenever a suspicious or atypical event occurs, a message is passed on to a central monitoring server, which then performs the analysis, draws conclusions, and raises the alarm if necessary.

To install OSSEC, just unpack the archive and type:


Say yes to all the prompts and choose local as the installation type, if you do not want to set up an agent/server operation.

Next, select one of the installation routine options for rootkit detection, then modify the configuration in /var/ossec/etc/ossec.conf, and launch OSSEC HIDS by typing

/var/ossec/bin/ossec-control start

The program then starts to monitor the target system.

In a default installation, the configuration file is stored in /etc/ossec-init.conf, with all other files in /var/ossec. Rootkit signatures are stored in the files rootkit_files.txt and rootkit_trojans.txt in /var/ossec/etc/shared.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Rootkits and Linux Security

    Your Linux system may not be so airtight after all. To understand the threats, you need to think like an intruder. We'll show you what the intruders are thinking now about the Linux 2.6 kernel.

  • chkrootkit

    Linux can be infected by rootkit malware that is hidden and hard to detect. The chkrootkit program can help find rootkit infections.

  • Kernel Rootkits

    Rootkits allow attackers to take complete control of a computer. We describe the tricks intruders use to gain access to the Linux kernel and provide guidelines on hardening the kernel against such attacks.

  • Host-Based IDS

    A host-based intrusion detection system is a simple but powerful tool for finding traces of an attacker's footprint.

  • Security Lessons

    We look at the history of the rootkit, including its newest incarnation, the DR RootKit.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More