What is chkrootkit? The Local Rootkit Checker in Detail
chkrootkit is an open-source rootkit scanner for Linux and other Unix systems. It looks for the traces typical rootkits leave behind: trojaned system binaries, processes hidden by kernel modules, sniffer sockets and promiscuous interfaces, and login records that have been wiped.
chkrootkit was written by Nelson Murilo and Klaus Steding-Jessen and is one of the oldest and most widely used tools for detecting rootkits on Unix/Linux systems. It is a shell script plus a handful of small C helpers (ifpromisc, chkproc, chkdirs, chkwtmp, chklastlog, chkutmp), which is why it is easy to run from rescue media against a mounted disk.
chkrootkit vs rkhunter
| Aspect | chkrootkit | rkhunter |
|---|---|---|
| Approach | Looks for known rootkit signatures in binaries, plus hidden processes, sniffer sockets and wiped login logs | Checks system state and integrity: file properties, configuration, hidden files, listening ports |
| Database | Signatures built into the script; they change only with a new release | File property database (hashes, permissions, sizes) of system binaries plus downloadable data files |
| Speed | Fast (typically a minute or two) | Longer, because it runs many more checks |
| Updates | Infrequent; new releases are rare | Data files refreshed with rkhunter --update; property database rebuilt with --propupd |
| False positives | Both produce them; chkrootkit has no whitelist, so you suppress a known one by skipping the test or diffing against a baseline | Whitelisting in rkhunter.conf (ALLOW_PROMISC_IF, SCRIPTWHITELIST, ALLOWHIDDENDIR, ...) |
| Platform | Linux, *BSD, Solaris, HP-UX, macOS | Linux, *BSD, Solaris, macOS |
They complement each other: run both to maximize detection coverage. Many admins schedule both as part of a routine security scan.
Installing chkrootkit
On Ubuntu/Debian
```bash
# Install from the distribution repository
sudo apt update
sudo apt install chkrootkit
# Show the version (chkrootkit uses -V; there is no --version)
chkrootkit -V
```
On CentOS/RHEL
```bash
# Install from EPEL (use yum instead of dnf on releases older than RHEL/CentOS 8)
sudo dnf install epel-release
sudo dnf install chkrootkit
```
Build from Source
```bash
# Download the latest release tarball
wget ftp://chkrootkit.org/chkrootkit.tar.gz
tar xzf chkrootkit.tar.gz
cd chkrootkit-0.58
# Build the C helpers (the target really is called "sense")
make sense
# Run straight from the build directory; no installation step is needed
sudo ./chkrootkit
```
Using chkrootkit
Basic Scan
```bash
# Full run (all tests); root is needed to read other users' /proc entries and the raw log files
sudo chkrootkit
# Quiet mode: print only tests that found something, so a clean run produces no output
sudo chkrootkit -q
# List the available test names
chkrootkit -l
# Run selected tests only; test names are positional arguments
sudo chkrootkit -q ps ls netstat sshd lkm sniffer wted z2 chkutmp
# Save the full output for later comparison
sudo chkrootkit > /var/log/chkrootkit.log 2>&1
```
chkrootkit has no verbose flag and no option that takes a list of tests; the closest thing to "more detail" is expert mode (-x), which dumps every suspicious string it matched so you can judge it yourself.
Scan Options
```bash
# Expert mode: print the raw strings matched in each binary instead of a verdict
sudo chkrootkit -x
# Exclude known false-positive files or directories from the results (quoted, space separated; example paths)
sudo chkrootkit -e '/var/lib/docker/overlay2 /dev/shm/pulse'
# Skip NFS-mounted directories (slow, and not part of this host)
sudo chkrootkit -n
# Scan another root, e.g. a suspect disk mounted from rescue media
sudo chkrootkit -r /mnt/suspect
# Use trusted copies of ps, ls, netstat, strings, ... from clean media instead of the host's own binaries
sudo chkrootkit -p /mnt/rescue/bin:/mnt/rescue/usr/bin
# Send results to syslog
sudo chkrootkit -q | logger -t chkrootkit
```
The -p option matters more than it looks: without it, chkrootkit's helpers trust the very binaries a rootkit would have replaced.
chkrootkit Tests
| Test | Description |
|---|---|
| ls, ps, netstat, login, sshd, find, ... (one test per binary; chkrootkit -l lists them) | Run strings on the binary and look for byte patterns known from trojaned versions; reports not infected, INFECTED or not found |
| aliens | Look for files and directories left by known rootkits, suspicious entries under /dev, and sniffer logs |
| lkm | chkproc/chkdirs: compare the processes visible through /proc, readdir and ps to find processes hidden by a kernel module |
| sniffer | ifpromisc: report interfaces in promiscuous mode and processes holding PF_PACKET sockets |
| bindshell | Look for listeners on ports used by known bindshell backdoors |
| wted | chkwtmp: check wtmp for deleted or zeroed login records |
| z2 | chklastlog: cross-check lastlog against wtmp for entries that were removed |
| chkutmp | Cross-check utmp against running shells to find sessions scrubbed from utmp |
| rexedcs, asp, w55808, scalper, slapper, ... | Checks for specific historical worms and backdoors |
Understanding chkrootkit Output
Sample Output
An abbreviated run, with the quoting chkrootkit actually prints (backtick, name, apostrophe):
```
ROOTKIT CHECK
Output from running 'cd /usr/src/rootkit/chkrootkit-0.58 && ./chkrootkit':
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `find'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `su'... not infected
Checking `syslogd'... not infected
Checking `aliens'... no suspect files
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `wted'... chkwtmp: nothing deleted
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
```
chkrootkit prints no overall summary line. A run is clean only if no line carries INFECTED, Warning or a sniffer hit, which is why scripted runs either grep the output or use -q, which prints only such lines.
Result Indicators
| Output | Meaning |
|---|---|
| not found | Binary not present on this system; the test is skipped |
| not infected | Binary present, no known signature matched |
| INFECTED | A known rootkit signature matched; action required |
| not tested | Test could not run (helper binary missing, or the check is not supported on this platform) |
| Warning: ... | A helper found an anomaly without a signature, e.g. chkproc: Warning: Possible LKM Trojan installed; investigate |
| PROMISC / PACKET SNIFFER(...) | From the sniffer test: an interface in promiscuous mode, or a process holding a PF_PACKET socket; see the false-positive notes below |
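Because chkrootkit prints one verdict line per test and no summary, the practical way to automate it is to parse those lines and compare each run with a saved baseline, so a known false positive (a DHCP client's packet socket, say) stays silent until its text changes. The script below is an added example, not part of chkrootkit; the baseline path and the sample output strings are constructed for illustration, and the line formats it matches are the ones chkrootkit prints (Checking `name'... result, Searching for ..., and the multi-line sniffer and lkm results).

```python
#!/usr/bin/env python3
"""Parse chkrootkit output and report only findings that differ from a saved
baseline run (the same idea as DIFF_MODE in Debian's daily cron job).

Added example, not part of chkrootkit. Assumptions: chkrootkit is on PATH and
the baseline lives at /var/lib/security-scan/chkrootkit.baseline (hypothetical).
"""
import re
import subprocess
import sys
from pathlib import Path

BASELINE = Path("/var/lib/security-scan/chkrootkit.baseline")  # assumed location

# One "Checking `name'... result" line per test, "Searching for ..." for the
# file sweeps; multi-line tests (sniffer, lkm, aliens) continue without a prefix.
RESULT_RE = re.compile(
    r"^(?:Checking `(?P<test>[^`']+)[`']|Searching for (?P<search>.+?))\.\.\.\s*(?P<result>.*)$"
)
ALERT_MARKERS = ("INFECTED", "Warning", "Vulnerable", "PACKET SNIFFER", "PROMISC")
CLEAN_PHRASES = ("not infected", "nothing found", "nothing detected", "nothing deleted",
                 "no suspect files", "not promisc and no packet sniffer sockets")
PID_RE = re.compile(r"\[\d+\]")  # sniffer output embeds PIDs that change every run


def line_verdict(text: str) -> str:
    """Classify one output line: alert, clean, not_found, not_tested, empty or review."""
    if any(m in text for m in ALERT_MARKERS):
        return "alert"
    if any(p in text for p in CLEAN_PHRASES):
        return "clean"
    if text == "not found":
        return "not_found"
    if text.startswith("not tested"):
        return "not_tested"
    if not text:
        return "empty"
    return "review"  # text we do not recognise: a human should look at it


def aggregate(verdicts) -> str:
    """Worst verdict across a test's lines wins."""
    for v in ("alert", "review", "clean", "not_tested", "not_found"):
        if v in verdicts:
            return v
    return "review"  # only empty lines: the test printed nothing usable


def parse_report(text: str) -> dict:
    """Map test name -> {'verdict': str, 'lines': [PID-normalised output lines]}."""
    report, current = {}, None
    for raw in text.splitlines():
        line = PID_RE.sub("[PID]", raw.rstrip())
        m = RESULT_RE.match(line)
        if m:
            current = m.group("test") or m.group("search")
            report[current] = {"verdicts": [line_verdict(m.group("result"))], "lines": [line]}
        elif current is not None and line:  # continuation line of a multi-line test
            report[current]["verdicts"].append(line_verdict(line))
            report[current]["lines"].append(line)
    return {t: {"verdict": aggregate(e["verdicts"]), "lines": e["lines"]}
            for t, e in report.items()}


def new_findings(current: str, baseline: str) -> list:
    """Tests that alert (or need review) now and whose text differs from the
    baseline. A known false positive recorded in the baseline stays silent
    until its output changes."""
    cur, base = parse_report(current), parse_report(baseline)
    out = []
    for test, entry in cur.items():
        if entry["verdict"] not in ("alert", "review"):
            continue
        prev = base.get(test)
        if prev is None or prev["lines"] != entry["lines"]:
            out.append(test)
    return out


# Constructed sample output (not a real scan): the dhclient packet socket is a
# known false positive present in both runs; sshd and lkm are new in the current run.
SAMPLE_BASELINE = """\
ROOTKIT CHECK
Checking `ls'... not infected
Checking `ps'... not infected
Checking `sshd'... not infected
Checking `amd'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
"""
SAMPLE_RUN = SAMPLE_BASELINE.replace(
    "Checking `sshd'... not infected", "Checking `sshd'... INFECTED"
).replace("dhclient[1234]", "dhclient[5678]").replace(
    "chkproc: nothing detected", "chkproc: Warning: Possible LKM Trojan installed"
)

if __name__ == "__main__":
    output = subprocess.run(["chkrootkit"], capture_output=True, text=True).stdout
    if not BASELINE.exists():
        BASELINE.parent.mkdir(parents=True, exist_ok=True)
        BASELINE.write_text(output)
        sys.exit("baseline recorded; read it by hand before trusting it")
    for test in new_findings(output, BASELINE.read_text()):
        print("NEW:", test)
```

Record the baseline only after you have read it yourself: anything already compromised at that point is baked into what the script considers normal. PIDs are normalised so a restarted dhclient does not re-alert, but any other change in a known false positive's text deliberately does.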
Scheduling chkrootkit Scans
Cron Job Setup
```bash
# Edit root's crontab
sudo crontab -e
# Daily at 02:00, results to syslog
0 2 * * * /usr/sbin/chkrootkit -q 2>&1 | logger -t chkrootkit
# Or mail the output (with -q, a clean run produces an empty mail body)
0 2 * * * /usr/sbin/chkrootkit -q 2>&1 | mail -s "chkrootkit daily scan" admin@example.com
```
On Debian and Ubuntu the package already installs /etc/cron.daily/chkrootkit; enable it with RUN_DAILY="true" in /etc/chkrootkit.conf, and set DIFF_MODE="true" to be mailed only when today's output differs from the saved expected output, which is the simplest way to silence known false positives.
Enhanced Security Script
```bash
#!/bin/bash
# /usr/local/bin/security-scan.sh
# Run chkrootkit and rkhunter, append the results to a log, and alert only on
# THIS run's findings. Grepping the whole log file would re-send the alert on
# every run forever once a single INFECTED line had ever been written to it.
set -u
LOGFILE="/var/log/security-scan.log"
ADMIN_EMAIL="admin@example.com"
RUN_OUTPUT="$(mktemp)"
trap 'rm -f "$RUN_OUTPUT"' EXIT

{
  echo "=== Security Scan: $(date) ==="
  echo "Running chkrootkit..."
  /usr/sbin/chkrootkit -q 2>&1
  echo "Running rkhunter..."
  /usr/bin/rkhunter --cronjob --report-warnings-only 2>&1
  echo "=== Scan Complete ==="
} > "$RUN_OUTPUT"

cat "$RUN_OUTPUT" >> "$LOGFILE"

# chkrootkit prints INFECTED or Warning lines; rkhunter prints Warning lines.
if grep -Eq 'INFECTED|Warning' "$RUN_OUTPUT"; then
  mail -s "Security Alert: rootkit scan findings on $(hostname)" "$ADMIN_EMAIL" < "$RUN_OUTPUT"
fi
```
Network Promiscuous Mode Detection
chkrootkit's sniffer test (the ifpromisc helper) reports interfaces in promiscuous mode and every process holding a PF_PACKET socket. Either can indicate a sniffing rootkit or unauthorized network monitoring. The interface flag alone is not enough on Linux: a capture tool that enables promiscuous mode through its packet socket (PACKET_ADD_MEMBERSHIP) does not set the PROMISC flag that ip link and sysfs display, only the kernel log records the transition, which is why chkrootkit inspects /proc/net/packet as well.
```bash
# Run only chkrootkit's sniffer test
sudo chkrootkit sniffer
# Interface flag: shows PROMISC set with ip/ifconfig, but not promiscuity requested via a packet socket
ip link show | grep -i promisc
ifconfig | grep -i promisc
# The kernel logs every transition, whoever caused it
sudo dmesg | grep -i promiscuous
# Processes holding PF_PACKET sockets (-0 is --packet, -p shows the owner)
sudo ss -0p
```
False Positive: Legitimate Promiscuous Mode
- Packet-capture tools (tcpdump, Wireshark, arpwatch) while they run
- Bridge members (Linux bridges, Open vSwitch ports) and interfaces backing virtual machines
- Some VPN and tunnelling setups
- Container networking (docker0 and veth pairs)
- DHCP clients and network managers (dhclient, NetworkManager, systemd-networkd) hold PF_PACKET sockets for DHCP and ARP, so on ordinary hosts chkrootkit routinely prints a line such as eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
If the cause is legitimate, remember that chkrootkit has no per-interface whitelist. Either run an explicit test list that omits sniffer (for example chkrootkit -q ps ls netstat lkm wted z2 chkutmp aliens), or keep the known line in a baseline and alert only on changes, as Debian's DIFF_MODE does. rkhunter's equivalent check can be whitelisted with ALLOW_PROMISC_IF in rkhunter.conf.
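The two sides of the sniffer check can be reproduced directly, which is useful when you want to confirm a chkrootkit hit without trusting the host's ifconfig or ss. The script below is an added example, not chkrootkit's ifpromisc: it reads the IFF_PROMISC bit from /sys/class/net/<if>/flags, parses /proc/net/packet for PF_PACKET sockets, and maps each socket inode to its owning process through /proc/<pid>/fd. The /proc/net/packet snapshot embedded in it is constructed so the parsing functions can be exercised offline; the live checks need root and a Linux host.

```python
#!/usr/bin/env python3
"""Promiscuous-mode and packet-socket check in the spirit of chkrootkit's
sniffer test. Added example, not chkrootkit's own code. Assumes a Linux host
with /sys and /proc mounted; the parsers take text so they run offline."""
import os
from pathlib import Path

IFF_PROMISC = 0x100  # <linux/if.h>


def iff_promisc(flags_text: str) -> bool:
    """True if the hex value from /sys/class/net/<if>/flags has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sys_net: Path = Path("/sys/class/net")) -> list:
    """Interfaces whose user-visible flags show PROMISC (set via ip/ifconfig).
    Promiscuity requested through a packet socket is NOT reflected here."""
    found = []
    for flags in sorted(sys_net.glob("*/flags")):
        try:
            if iff_promisc(flags.read_text()):
                found.append(flags.parent.name)
        except OSError:
            continue
    return found


def packet_sockets(proc_net_packet_text: str) -> list:
    """Parse /proc/net/packet into (ifindex, inode) pairs; ifindex 0 means
    the socket receives from every interface."""
    sockets = []
    for line in proc_net_packet_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append((int(cols[4]), int(cols[8])))
    return sockets


def socket_owners(inodes, proc: Path = Path("/proc")) -> dict:
    """Map socket inode -> (pid, comm) by walking /proc/<pid>/fd symlinks.
    Other users' processes are only visible as root, as with chkrootkit."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid_dir in proc.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            comm = (pid_dir / "comm").read_text().strip()
            for fd in (pid_dir / "fd").iterdir():
                target = os.readlink(fd)
                if target in wanted:
                    owners[wanted[target]] = (int(pid_dir.name), comm)
        except OSError:
            continue  # process exited, or permission denied
    return owners


# Constructed /proc/net/packet snapshot (not captured from a real host):
# one socket bound to ifindex 2, one bound to all interfaces (ifindex 0).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      23456
0000000000000000 3      3    0003   0     1 0      0      23457
"""

if __name__ == "__main__":
    import socket
    print("PROMISC flag set on:", ", ".join(promisc_interfaces()) or "none")
    socks = packet_sockets(Path("/proc/net/packet").read_text())
    owners = socket_owners({inode for _, inode in socks})
    for ifindex, inode in socks:
        try:
            name = "all interfaces" if ifindex == 0 else socket.if_indextoname(ifindex)
        except OSError:
            name = f"ifindex {ifindex}"
        pid, comm = owners.get(inode, ("?", "unknown; run as root"))
        print(f"PF_PACKET socket on {name}: {comm}[{pid}]")
```

On a typical Debian host the live run lists dhclient or NetworkManager and nothing else; a PF_PACKET socket owned by a process you cannot account for, or whose comm does not match its /proc/<pid>/exe, is the thing to chase. An inode that appears in /proc/net/packet but has no owner even as root means the owning process is hidden from /proc, which is exactly what chkrootkit's lkm test is looking for.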
Checking System Logs
wtmp and utmp
chkrootkit's wted, z2 and chkutmp tests look for login records (wtmp, lastlog, utmp) that have been deleted or zeroed. Attackers routinely wipe these to hide their sessions, and the wipers usually leave holes: zero-filled records in the middle of wtmp, lastlog entries with no matching wtmp login, or a live shell whose tty has no utmp entry.
```bash
# Recent logins (reads /var/log/wtmp)
last | head -20
# Failed login attempts (reads /var/log/btmp)
sudo lastb | head -20
# root/admin logins that did not come through a pseudo-terminal
last | grep -E "^(root|admin)" | grep -v " pts/"
# Who is logged in now (reads utmp); compare against the shells ps actually shows
who
```
Detect Log Tampering
```bash
# Boot history from the journal; compare with the reboot records in wtmp
journalctl --list-boots | head -20
last reboot | head
# Failed SSH logins (Debian/Ubuntu path; on RHEL use /var/log/secure or journalctl -u sshd)
grep "Failed password" /var/log/auth.log | tail -20
# Dump wtmp records as text: type-0 records with blank fields in the middle of the file
# are what zapping tools leave behind when they overwrite a login instead of removing it
utmpdump /var/log/wtmp | grep -n '^\[0\]'
```
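To see what wted and chkutmp are actually checking, it helps to parse the binary file yourself; the audit below is an added example, not chkrootkit's chkwtmp, and it assumes the 384-byte struct utmp layout of 64-bit glibc (x86_64, aarch64), which is the layout utmpdump and last read on those systems. It flags the four things a wiper leaves behind: all-zero records, records typed EMPTY that still carry data, timestamps that go backwards in an append-only file, and a length that is not a whole number of records. The sample wtmp it builds is constructed, not taken from a real host.

```python
#!/usr/bin/env python3
"""Audit a wtmp (or utmp/btmp) file for the traces login-record wipers leave,
in the spirit of chkrootkit's wted/chkutmp helpers.

Added example, not chkrootkit's own code. Assumes the 384-byte struct utmp of
64-bit glibc; 32-bit builds and other libcs use a different layout."""
import struct
import sys

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec as int32), ut_addr_v6[4], 20 reserved
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
EMPTY, BOOT_TIME, NEW_TIME, OLD_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 3, 4, 7, 8


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_record(raw: bytes) -> dict:
    f = struct.unpack(UTMP_FMT, raw)
    return {"type": f[0], "pid": f[1], "line": cstr(f[2]), "id": cstr(f[3]),
            "user": cstr(f[4]), "host": cstr(f[5]), "sec": f[9]}


def audit_wtmp(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked edited."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(f"length {len(data)} is not a multiple of {UTMP_SIZE}: "
                        "truncated file or a different utmp layout")
    last_sec = 0
    for idx in range(len(data) // UTMP_SIZE):
        raw = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if raw == bytes(UTMP_SIZE):
            findings.append(f"record {idx}: all-zero entry (a login overwritten by a wiper)")
            continue
        rec = parse_record(raw)
        if rec["type"] == EMPTY:
            findings.append(f"record {idx}: type EMPTY but fields set "
                            f"(user={rec['user']!r} line={rec['line']!r}): hand-edited")
        elif rec["sec"] < last_sec and rec["type"] not in (OLD_TIME, NEW_TIME):
            findings.append(f"record {idx}: time {rec['sec']} is before the previous "
                            f"record ({last_sec}); wtmp is append-only, so this was edited")
        last_sec = max(last_sec, rec["sec"])
    return findings


def make_record(utype, pid, line, user, host, sec) -> bytes:
    """Build one record; used only to construct the sample below."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed sample (not from a real host): a boot, a login, a login that was
# zeroed out, a second login, then a logout stamped earlier than that login.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0-generic", 1_700_000_000),
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_700_000_600),
    bytes(UTMP_SIZE),
    make_record(USER_PROCESS, 1340, "pts/1", "bob", "10.0.0.9", 1_700_003_600),
    make_record(DEAD_PROCESS, 1340, "pts/1", "", "", 1_700_003_000),
])

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp"
    with open(path, "rb") as fh:
        problems = audit_wtmp(fh.read())
    print("\n".join(problems) or f"{path}: no anomalies found")
    sys.exit(1 if problems else 0)
```

A backwards timestamp is not proof on its own: a clock step by NTP or a manual date change produces one legitimately, which is why the check ignores OLD_TIME/NEW_TIME records and why you should compare against the kernel and NTP logs before calling it tampering. Zero-filled records mid-file have no innocent explanation. Run the same audit against /var/log/btmp and, while the host is live, against /run/utmp.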
chkrootkit Limitations
| Limitation | Description |
|---|---|
| Runs on the host it is checking | A rootkit that controls the kernel can feed it false data, and its helpers call the host's own ps, ls, netstat and strings unless -p points at trusted copies |
| Signature-based | The binary checks match strings from known rootkits; new or recompiled ones go unnoticed |
| False positives | DHCP clients, capture tools and some directory names trigger warnings; there is no whitelist, so you need a baseline to compare against |
| Kernel-level rootkits | The lkm test finds hidden processes by cross-checking /proc, readdir and ps, but a rootkit that hides consistently from all three evades it |
| Stale signatures | Releases are infrequent, so the signature list lags well behind current tooling |
Best Practices
- Schedule it: a daily run catches changes early, and diffing against a baseline means you read only what changed
- Combine it with rkhunter: the property database covers what a signature scan misses
- Keep it current: build the latest release from source when the distribution package is old
- Investigate every INFECTED and Warning line, and confirm with an independent method (trusted binaries, the kernel log, package-manager verification such as debsums or rpm -V)
- Keep the logs: a test that moves from not infected to INFECTED between two days is a strong signal
- For a scan you can trust, boot from rescue media, mount the suspect disk and run chkrootkit -r /mnt/suspect with -p pointing at the rescue system's binaries
When Rootkit Detected
Immediate Actions
- Isolate the host: take it off the network or block it at the switch or firewall, keeping a console path for yourself
- Do not reboot or power off: a reboot destroys volatile evidence (loaded modules, hidden processes, open connections), and some rootkits clean up or re-arm themselves at boot
- Document the findings: save the complete chkrootkit output and every command you ran, with timestamps
- Identify the scope: the same credentials or vulnerability were probably used elsewhere, so scan the other systems on the same network
- Preserve evidence: image the disk and, if possible, memory before changing anything; delete nothing
Recovery Options
- Reinstall from known-good media (recommended for any confirmed rootkit; a compromised system cannot be trusted to tell you it is clean)
- Restore from backup, but only a backup that predates the intrusion, and only after closing the entry point
- Manual cleanup, only for experienced responders and only when reinstalling is impossible; follow it with a scan from rescue media
Prevention
- Keep the system patched
- Use SSH keys and strong, unique passwords; disable password login for root
- Disable unnecessary services
- Deploy fail2ban or equivalent login rate limiting
- Audit regularly
- Run an intrusion detection system
Conclusion
chkrootkit is a lightweight, fast rootkit scanner that is well suited to running regularly on Linux servers. Combined with rkhunter and ClamAV it gives broader coverage of rootkits and other compromises, as long as you remember that all three run on the host they are judging.
Remember: chkrootkit only detects; it does not prevent. A sound security posture combines prevention (firewall, IDS, regular updates), detection (chkrootkit, rkhunter, monitoring) and response (an incident response plan).