chkrootkit is a tool to locally check for signs of a rootkit. It is a common tool among system administrators to check for rootkits. Here, I will explain how to install chkrootkit and scan your server for rootkits. I will also explain how to write a bash script to automate the chkrootkit scan and email the result to you. This script can be set as a cron job to run daily or weekly to check for rootkits.
Installing chkrootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -zxf chkrootkit.tar.gz
cd chkrootkit-0.48
make sense
./chkrootkit
If you are a server administrator, you need to scan your server each week to keep it secure. But, you can simply automate this process using a cron job. That is, write a script to scan using chkrootkit and mail the result to your email account. Below script does it for your you.
#!/bin/bash
echo “If you feel chkrootkit is outdated, update it manually ;)” > /tmp/chkrootkit
echo ” ” >> /tmp/chkrootkit
echo “Scanning the system with ChkRootkit” >> /tmp/chkrootkit
/usr/local/chkrootkit/chkrootkit >> /tmp/chkrootkit
cat /tmp/chkrootkit | mail -s “ChkRootkit scan report on `hostname`” <email address>
Save this script somewhere ( say /root/chkhunter-weekly.sh ), then set a cron to run this script every sunday at 15:00 hours.
0 15 * * 0 /root/chkrootkit-weekly.sh
Thats it! You’re server will be scanned for rootkits on every sunday and result will be mailed to you 😉
