Security Incidents mailing list archives

Checking for rootkits


From: Jason Dixon <jwdixon1 () yahoo com>
Date: Fri, 22 Feb 2002 17:55:24 -0500

Thanks to an article on the O'Reilly network (http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html), I've started using chkrootkit (http://www.chkrootkit.org), a utility that checks for rootkits on your Linux/BSD/Solaris install. It looks for certain signatures in trojaned system binaries and compares them against known rootkits. It includes other tools that check for network promiscuity (ifpromisc), lastlog deletions (chklastlog), wtmp deletions (chkwtmp), wtmpx deletions (check_wtmpx - Solaris only), and checks for signs of LKM trojans (chkproc).

I've performed some extra steps which allow me to automate the running of chkrootkit, while also authenticating the validity of the chkrootkit binary itself. I'm including the steps here, in case anyone else would like to try this on their own systems. Please note... this utility is great for checking against *known* rootkits... it's not a substitute for common security practices. I would also suggest that anyone serious about preventing rootkit modifications also ensure they install Tripwire on all new installations. However, in situations where a box does not already have Tripwire installed, chkrootkit is a great tool to help gain back some peace of mind. This document covers Linux and *BSD installs only.

Installation of chkrootkit is very simple. Grab the tarball, uncompress, and run 'make sense' (as root). Copy the binaries to a standard system bin (I used /usr/local/sbin). Cd to the new location and run chkrootkit by hand to make sure everything looks good....

tar zxf chkrootkit-0.35.tar.gz
cd chkrootkit-0.35/
make sense
cp chkrootkit /usr/local/sbin/
cp chkwtmp /usr/local/sbin/
cp chklastlog /usr/local/sbin/
cp chkproc /usr/local/sbin/
cp ifpromisc /usr/local/sbin/
./chkrootkit

The output will look something like this... (snipped for brevity's sake)

ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
...
Checking `sniffer'...
dc0 is not promisc
sl0 is not promisc
ppp0 is not promisc
bridge1 is not promisc
gif0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'... nothing deleted

Ok, now for the extra layer of security. To ensure that no one tampers with my chkrootkit binaries, I've created a new file (/etc/chkrootkit.md5) containing the md5sum for each binary. Next, we want to modify the md5 file so nobody can tamper with it. We want to turn on the *immutable* bit for this file. Making a file immutable means that no one can modify or delete the file. In Linux, we want to use the 'chattr +i' command... in *BSD, the same command is 'chflags schg'. To view special attributes, you must use 'lsattr' in Linux and 'ls -lo' in *BSD. Note that in Linux, the immutable flag can be removed by the superuser at any time with 'chattr -i'. In *BSD systems, you can only remove the "system immutable" (schg) flag in securelevel 0 or -1 (single-user mode is an example of securelevel 0).

md5sum chkrootkit >> /etc/chkrootkit.md5
[run the same command for each binary;  command is 'md5' in *BSD]

chattr +i /etc/chkrootkit.md5   [Linux]
chflags schg /etc/chkrootkit.md5   [*BSD]

To automate these utilities, I've set up a cron job to execute a perl script I've created which first authenticates our stored md5 digests against the current md5 values. It uses the Digest::MD5 perl module to run the digests. Installing the perl module is very simple... grab the tarball, uncompress to a directory, run (as root) 'perl Makefile.pl', 'make', 'make test' and 'make install'.

wget http://www.cpan.org/authors/id/GAAS/Digest-MD5-2.16.tar.gz
tar zxf Digest-MD5-2.16.tar.gz
cd Digest-MD5-2.16/
perl Makefile.pl
make
make test
make install

Here is the script... I make no guarantees... YMMV. Note the variables that should be changed specific to your usage... $md5_sav_file (location of your trusted md5 file), $runpath (location of your chkrootkit binary), and $admin_mail (your email address... make sure to escape the '@' with a backslash or perl won't interpret it correctly). The script will first compare the known and trusted md5 sums found in our immutable file to the current md5 sums of the binaries. If there are any discrepancies, it will report them. Next, it will cd to the system bin (as defined by $runpath) and run the chkrootkit binary. It needs to cd to the directory, as chkrootkit will attempt to run the other utilities within its current directory.

#!/usr/bin/perl -w
# safe_chkrootkit.pl
#
# 1. Compare the md5 sum of each chkrootkit binary against the trusted sums
#    stored in the immutable file $md5_sav_file and report any discrepancy.
# 2. cd to $runpath and run chkrootkit, mailing its output to $admin_mail.

use strict;
use Digest::MD5;

my $md5_sav_file = "/etc/chkrootkit.md5";   # trusted md5 file (chattr +i / chflags schg)
my $runpath      = "/usr/local/sbin";       # where the chkrootkit binaries live
my @files        = qw( ifpromisc chkproc chkrootkit chklastlog chkwtmp );
my $admin_mail   = "admin\@localhost.com";  # escape the '@' or perl reads it as an array

open(MAIL, "|/usr/bin/mail $admin_mail") || die "Can't open pipe to mail: $!";
print MAIL "Running authentication tests on chkrootkit binaries...\n\n";

foreach my $file (@files) {
    my $file_and_path = "$runpath/$file";

    # Current md5 sum of the binary on disk.
    open(BIN, "<", $file_and_path) || die "Can't open $file_and_path for reading: $!";
    binmode(BIN);
    my $md5_new = Digest::MD5->new->addfile(\*BIN)->hexdigest;
    close(BIN);

    # Trusted md5 sum from the immutable file. Both output formats are accepted:
    #   Linux md5sum:  "<hex>  chkrootkit"
    #   *BSD md5:      "MD5 (chkrootkit) = <hex>"
    # (Splitting on spaces and taking the last field only works for the *BSD
    # format; on Linux the last field is the file name, not the sum.)
    my $md5_sav;
    open(TST, "<", $md5_sav_file) || die "Can't open $md5_sav_file for reading: $!";
    while (<TST>) {
        chomp;
        if (/^([0-9a-f]{32})\s+\*?\Q$file\E$/ || /^MD5 \(\Q$file\E\) = ([0-9a-f]{32})$/) {
            $md5_sav = $1;
            last;
        }
    }
    close(TST);

    if (!defined $md5_sav) {
        print MAIL "\t\t\t*** WARNING ***\n";
        print MAIL "No trusted md5 sum for $file_and_path was found in $md5_sav_file.\n";
        print MAIL "\t\t\t*********************\n";
    } elsif ($md5_new ne $md5_sav) {
        print MAIL "\t\t\t*** WARNING ***\n";
        print MAIL "The binary file for $file_and_path has been altered.\n";
        print MAIL "The original md5 sum for $file was\n\n";
        print MAIL "\t\t$md5_sav\n\n";
        print MAIL "and the new md5 sum is\n\n";
        print MAIL "\t\t$md5_new\n\n";
        print MAIL "Please investigate ASAP\n";
        print MAIL "\t\t\t*********************\n";
    } else {
        print MAIL "[$file]\n";
        print MAIL "Current: $md5_new\n";
        print MAIL "Trusted: $md5_sav\n\n";
    }
}

# chkrootkit looks for its helper utilities (chkproc, ifpromisc, ...) in the
# current directory, so change into $runpath before running it.
chdir($runpath) || die "Can't chdir to $runpath: $!";
print MAIL "Running chkrootkit...\n\n";
open(CHK, "./chkrootkit 2>&1 |") || die "Can't run chkrootkit: $!";
print MAIL $_ while <CHK>;
close(CHK);
close(MAIL);

I hope that others find this as useful as I have. I've implemented this on my OpenBSD firewall, and plan on installing it on my Linux workstation ASAP. Keep in mind that there are many other facets of system security that should still be scrutinized, but this is a nice tool to help out nonetheless. If anyone has any questions, comments or suggestions regarding my usage of this program, or the functionality of the script, please let me know.

-Jason
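The same trusted-digest check as a portable POSIX shell function, added here as an example and not part of the original post or the chkrootkit project. It assumes the trusted file lists one line per binary in either Linux `md5sum` format ("<hex>  name") or *BSD `md5` format ("MD5 (name) = <hex>"), and picks whichever MD5 tool the host has, so the same file and script work on both the Linux and the *BSD boxes the post describes.

```shell
#!/bin/sh
# Portable digest check for the chkrootkit binaries (added example, not the
# original script). The trusted file may mix Linux "md5sum" lines
# ("<hex>  name") and *BSD "md5" lines ("MD5 (name) = <hex>"), so the same
# file works whether it was built with md5sum or md5.

# Hex MD5 of a file, using whichever tool this system provides.
digest_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | sed 's/.*= //'
    fi
}

# Trusted digest for binary $2 from trusted file $1 (empty if not listed).
trusted_digest() {
    awk -v name="$2" '
        length($1) == 32 && $1 ~ /^[0-9a-f]+$/ && $2 == name { print $1; exit }
        $1 == "MD5" && $2 == "(" name ")" && $3 == "="      { print $4; exit }
    ' "$1"
}

# verify_binaries TRUSTED_FILE DIR NAME...
# Returns 0 when every named binary matches its trusted digest, 1 otherwise
# (altered, unreadable, or missing from the trusted file).
verify_binaries() {
    trusted=$1; dir=$2; shift 2
    status=0
    for name in "$@"; do
        want=$(trusted_digest "$trusted" "$name")
        if [ ! -r "$dir/$name" ]; then
            echo "*** WARNING: $dir/$name is missing or unreadable"; status=1
            continue
        fi
        have=$(digest_of "$dir/$name")
        if [ -z "$want" ]; then
            echo "*** WARNING: no trusted digest for $name in $trusted"; status=1
        elif [ "$want" != "$have" ]; then
            echo "*** WARNING: $dir/$name altered: trusted $want, current $have"; status=1
        else
            echo "[$name] ok $have"
        fi
    done
    return $status
}
```

A cron entry such as `verify_binaries /etc/chkrootkit.md5 /usr/local/sbin chkrootkit chkproc ifpromisc chklastlog chkwtmp` gives a non-zero exit status on any mismatch, which cron's mail or a wrapper can turn into an alert.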


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com