chkrootkit is a tool that locally checks a system for signs of a rootkit, and it is widely used by system administrators for that purpose. Here, I will explain how to install chkrootkit and scan your server for rootkits. I will also explain how to write a bash script that automates the chkrootkit scan and emails the result to you. This script can be set up as a cron job to run daily or weekly.

Installing chkrootkit

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

tar -zxf chkrootkit.tar.gz

cd chkrootkit-0.48

make sense

./chkrootkit

If you are a server administrator, you should scan your server every week to keep it secure. You can automate this with a cron job: write a script that runs chkrootkit and mails the result to your email account. The script below does exactly that.

#!/bin/bash

# Use a private temp file instead of a fixed /tmp path that another local user could pre-create.
REPORT=$(mktemp) || exit 1

echo "If you feel chkrootkit is outdated, update it manually ;)" > "$REPORT"
echo " " >> "$REPORT"
echo "Scanning the system with ChkRootkit" >> "$REPORT"
/usr/local/chkrootkit/chkrootkit >> "$REPORT" 2>&1

mail -s "ChkRootkit scan report on $(hostname)" <email address> < "$REPORT"
rm -f "$REPORT"

Save this script somewhere (say /root/chkrootkit-weekly.sh), then add a cron entry to run it every Sunday at 15:00.

0 15 * * 0 /root/chkrootkit-weekly.sh

That's it! Your server will be scanned for rootkits every Sunday and the result will be mailed to you 😉
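As an added example (not from the original post), here is a variant of the weekly script that filters the chkrootkit output down to the lines that flag a finding, keeps the report in a mktemp file rather than a fixed /tmp path, and puts the finding count in the mail subject. The function names, the CHKROOTKIT_BIN and MAILTO variables and the sample scan output are my own assumptions and constructions, not part of chkrootkit.

```shell
#!/bin/bash
# Added example (not from the original post): mail a short, filtered report
# instead of the full chkrootkit log. chkrootkit marks a hit with the upper-case
# word INFECTED and prints "Warning:" or "PACKET SNIFFER" for other findings.

# Constructed sample of chkrootkit output, modelled on its real line format.
SAMPLE_OUTPUT=$(cat <<'EOF'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[812])
EOF
)

# Keep only finding lines from scan output on stdin; grep is case-sensitive,
# so the lower-case "not infected" of a clean check never matches INFECTED.
extract_findings() {
    grep -E 'INFECTED|Warning:|PACKET SNIFFER' || true
}

# Number of finding lines in scan output on stdin (0 for a clean scan).
count_findings() {
    extract_findings | grep -c . || true
}

# Write a summary plus the finding lines to a private mktemp file (not a fixed
# /tmp name another local user could pre-create or symlink) and print its path.
build_report() {   # $1 = file holding raw chkrootkit output
    local raw="$1" report
    report=$(mktemp) || return 1
    {
        echo "chkrootkit report for $(uname -n), $(date -u '+%F %T UTC')"
        echo "Findings: $(count_findings < "$raw")"
        extract_findings < "$raw"
    } > "$report"
    echo "$report"
}

# Cron entry point. CHKROOTKIT_BIN and MAILTO are assumed names, set in the
# crontab. Mail goes out even when clean so a broken cron job gets noticed.
run_weekly() {
    local bin="${CHKROOTKIT_BIN:-/usr/local/chkrootkit/chkrootkit}" raw report
    raw=$(mktemp) || return 1
    "$bin" > "$raw" 2>&1
    report=$(build_report "$raw") || return 1
    mail -s "chkrootkit on $(uname -n): $(count_findings < "$raw") finding(s)" \
        "${MAILTO:?set MAILTO in the crontab}" < "$report"
    rm -f "$raw" "$report"
}
if [ "${1:-}" = "--run" ]; then run_weekly; fi
```

chkrootkit relies on the host's own binaries and is known for false positives (a PACKET SNIFFER line for dhclient, as in the sample, is a common one), so treat a finding as a prompt to investigate rather than proof of compromise.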