Chkrootkit
chkrootkit looks for signs of a rootkit on the host: system binaries modified by known rootkits, known rootkit files and directories, and anomalies such as network interfaces in promiscuous mode, deleted wtmp/lastlog entries and hidden processes. It is signature based, and it relies on the very commands (ps, netstat, ls, ...) a rootkit would replace, which is why the trusted copies made in step ⑥ matter.
① Download and install chkrootkit

# cd /usr/local/src
# wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
# tar xvf chkrootkit.tar.gz

The download is plain FTP with nothing authenticating the archive. Compare it with the checksum the project publishes next to it before extracting.
②Move the chkrootkit command to /usr/bin

# mv chkrootkit-0.58b/chkrootkit /usr/bin

Only the shell script is moved. The compiled helpers it calls for the process, wtmp/lastlog and promiscuous-mode tests (chkproc, chkwtmp, chklastlog, ifpromisc) are built in the source directory with `make sense`; when chkrootkit cannot find a helper it prints a warning and skips that test, so look for such warnings in the first run.
③Check chkrootkit.

# chkrootkit | grep INFECTED

If no line is printed, none of the signature checks matched. Run chkrootkit once without the grep as well: lines marked Warning are not INFECTED but still deserve a look.
④Create chkrootkit periodic execution script and change permissions
Create the chkrootkit execution script in a directory whose contents are run automatically every day

# vi /etc/cron.daily/chkrootkit

Scheduled Script Contents

#!/bin/bash
PATH=/usr/bin:/bin
TAG=$(basename "$0")
# Use an unpredictable temporary file instead of the fixed /tmp/chkrootkit
LOG=$(mktemp) || exit 1
trap 'rm -f "$LOG"' EXIT

# Run chkrootkit
chkrootkit > "$LOG" 2>&1

# Keep the full report in syslog
logger -t "$TAG" < "$LOG"

# False positive: chkrootkit flags port 465 (SMTPS) as a bindshell port.
# Drop the line unless a process named bindshell actually holds the port.
if grep -q 465 "$LOG" && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$LOG"
fi

# False positive: chkrootkit reports Suckit on /sbin/init right after the
# package owning it (systemd on current releases) has been updated.
# Drop the line when rpm verifies that package cleanly.
if grep -q Suckit "$LOG" && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$LOG"
fi

# Mail root only when something is flagged as INFECTED
if grep -q INFECTED "$LOG"; then
    grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi
⑤Add execution permission to the chkrootkit execution script

# chmod 700 /etc/cron.daily/chkrootkit
⑥Back up the commands used by chkrootkit
If the commands chkrootkit relies on are tampered with, a rootkit will not be detected.
Back up these commands while the system is known to be clean, and run chkrootkit with the backed up copies (the -p option) whenever tampering is suspected.

# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep grep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2788
-rwxr-xr-x 1 root root 768176 Dec  1 15:25 awk
-rwxr-xr-x 1 root root  53216 Dec  1 15:25 cut
-rwxr-xr-x 1 root root  36496 Dec  1 15:25 echo
-rwxr-xr-x 1 root root    106 Dec  1 15:25 egrep
-rwxr-xr-x 1 root root 209304 Dec  1 15:25 find
-rwxr-xr-x 1 root root 165872 Dec  1 15:25 grep
-rwxr-xr-x 1 root root  45016 Dec  1 15:25 head
-rwxr-xr-x 1 root root  44920 Dec  1 15:25 id
-rwxr-xr-x 1 root root 141184 Dec  1 15:25 ls
-rwxr-xr-x 1 root root 148840 Dec  1 15:25 netstat
-rwxr-xr-x 1 root root 120584 Dec  1 15:25 ps
-rwxr-xr-x 1 root root 120176 Dec  1 15:25 sed
-rwxr-xr-x 1 root root 897552 Dec  1 15:25 ssh
-rwxr-xr-x 1 root root  36936 Dec  1 15:25 strings
-rwxr-xr-x 1 root root  36664 Dec  1 15:25 uname
⑦Run chkrootkit with the copied commands

# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED

If nothing is displayed, no problem. The copies are only as trustworthy as the system was when they were made, so take them before exposing the server, not after a suspected compromise.
⑧Compress the backed up commands

# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
chkrootkit_cmd/grep

# ls -l
-rw-------. 1 root root    1219 Nov 29 12:34 anaconda-ks.cfg
-rw-------  1 root root     450 Dec  1 14:28 appid_stats.log
drwxr-xr-x  2 root root     184 Dec  1 15:25 chkrootkit_cmd
-rw-r--r--  1 root root 1322265 Dec  1 15:26 chkrootkit_cmd.tar.gz
⑨Copy chkrootkit_cmd.tar.gz off the server (the page uses a Windows PC) and keep that copy as the trusted reference
⑩Delete the archive from the server

# rm -f chkrootkit_cmd.tar.gz

The /root/chkrootkit_cmd directory stays on the server so that -p can use it, but an attacker with root can alter those copies as easily as the originals; only the offline copy should be treated as trusted.
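Step ⑥ only becomes useful if something actually compares the live commands with the trusted copies. The script below is an added example, not part of the original page: it records a SHA-256 manifest of /root/chkrootkit_cmd (the page's directory) and, before each chkrootkit run, checks every listed command as resolved from PATH against that manifest, falling back to `chkrootkit -p` when anything differs. The manifest path, the `init`/`run` arguments and the demo files in the test are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original page): keep a SHA-256 manifest of the
# trusted command copies from step ⑥ and compare the live commands against it
# before each chkrootkit run. /root/chkrootkit_cmd is the page's directory;
# MANIFEST and the "init"/"run" arguments are assumptions of this example.
set -u

TRUSTED_DIR=/root/chkrootkit_cmd
MANIFEST=/root/chkrootkit_cmd.sha256

# make_manifest DIR OUT: write one "sha256  name" line per regular file in DIR
make_manifest() {
    local dir=$1 out=$2 f
    ( cd "$dir" && for f in *; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done ) > "$out"
}

# verify_commands MANIFEST [DIR]: compare every listed command with its live
# copy. With DIR the live copy is DIR/name; without it the name is resolved
# from PATH, which is what chkrootkit uses when run without -p.
# Prints one line per MISSING/MISMATCH command; returns 1 if any.
verify_commands() {
    local manifest=$1 dir=${2:-} want name live have status=0
    while read -r want name; do
        if [ -n "$dir" ]; then
            live=$dir/$name
        else
            live=$(command -v "$name" 2>/dev/null || true)
        fi
        if [ -z "$live" ] || [ ! -f "$live" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        have=$(sha256sum "$live" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name ($live)"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# run_check: verify first; if anything differs, fall back to the trusted
# copies with -p and ask rpm about each changed file. No output from
# "rpm -Vf" means the file matches its package, i.e. a legitimate update
# made the backup stale (refresh it); output means the file was altered.
run_check() {
    local report
    if report=$(verify_commands "$MANIFEST"); then
        chkrootkit | grep INFECTED
    else
        echo "$report"
        echo "$report" | awk '/^MISMATCH/ { gsub(/[()]/, "", $3); print $3 }' |
            xargs -r rpm -Vf
        chkrootkit -p "$TRUSTED_DIR" | grep INFECTED
    fi
}

case "${1:-}" in
    init) make_manifest "$TRUSTED_DIR" "$MANIFEST" ;;
    run)  run_check ;;
esac
```

Run it once with `init` right after step ⑦, and use `run` in place of the bare `chkrootkit` call in the cron script. The manifest itself should also go into the offline copy: on the server it is just another file a rootkit can rewrite.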
Logwatch
①Install

# dnf install logwatch -y

②Edit configuration file
Copy the default settings into the local configuration file (settings in /etc/logwatch/conf/logwatch.conf override /usr/share/logwatch/default.conf/logwatch.conf) and edit it:

# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf

# Line 77 : Set the email address where you want to receive notifications
#MailTo = root
MailTo = [mail address]

# Line 116 : Set the level of detail for log notifications
#Detail = Low
Detail = High
③Output Logwatch reports

# logwatch --output stdout

It will appear as follows

################### Logwatch 7.11 (07/22/24) ####################
        Processing Initiated: Mon Dec  1 15:41:34 2025
        Date Range Processed: yesterday
                              ( 2025-Nov-30 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
##################################################################

--------------------- Kernel Audit Begin ------------------------

Number of audit daemon starts: 1
Number of audit initializations: 1

**Unmatched Entries**
auditd[1111]: audit dispatcher initialized with q_depth=2000 and 1 active plugins: 1 Time(s)

---------------------- Kernel Audit End -------------------------

--------------------- Disk Space Begin ------------------------

Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/almalinux-root   17G  7.4G  9.6G  44% /
/dev/nvme0n1p2              960M  348M  613M  37% /boot

---------------------- Disk Space End -------------------------

--------------------- lm_sensors output Begin ------------------------

No sensors found!
Make sure you loaded all the kernel drivers you need.
Try sensors-detect to find out which these are.

---------------------- lm_sensors output End -------------------------

###################### Logwatch End #########################
④Test that the report reaches the address you set. Run the daily cron job by hand and check that a log report like the one above arrives by email.

# /etc/cron.daily/0logwatch
Disk usage check script
1. Script Creation
The page keeps the script under /var/www/system. Make sure that directory is not served by the web server, or place the script under /usr/local/sbin instead: it contains a mail address and is run from root's crontab.

# cd /var/www/system
# vi disk_capacity_check.sh

Contents of disk_capacity_check.sh

#!/bin/bash
# Notification email address
MAIL="<your mailaddress>"

# Usage percentage of the root filesystem
# (df -P keeps each filesystem on a single line, so tail -1 is reliable)
DVAL=$(/bin/df -P / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/')

if [ "$DVAL" -gt 80 ]; then
    echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in $(hostname)" "$MAIL"
fi

# chmod 700 disk_capacity_check.sh
2. Execution Confirmation
①Check current usage rates

# df -h

It appears as follows

Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/rl-root        17G  7.4G  9.6G  44% /
devtmpfs                  1.3G     0  1.3G   0% /dev
tmpfs                     1.4G     0  1.4G   0% /dev/shm
tmpfs                     536M  7.9M  528M   2% /run
tmpfs                     1.0M     0  1.0M   0% /run/credentials/systemd-journald.service
/dev/loop1                105M  105M     0 100% /var/lib/snapd/snap/core/17247
/dev/loop4                 51M   51M     0 100% /var/lib/snapd/snap/snapd/25577
/dev/loop2                 67M   67M     0 100% /var/lib/snapd/snap/core24/1225
/dev/loop3                128K  128K     0 100% /var/lib/snapd/snap/hello-world/29
/dev/loop0                 71M   71M     0 100% /var/lib/snapd/snap/certbot/5057
/dev/nvme0n1p2            960M  344M  617M  36% /boot
tmpfs                     1.0M     0  1.0M   0% /run/credentials/getty@tty1.service
tmpfs                     268M   16K  268M   1% /run/user/1000
②Create a dummy file to push usage above 80% (in the example, a file named dummyfile of about 8 GB, 8000 blocks of 1 MiB). Run this in a directory on the root filesystem, such as /root, since that is the filesystem the script checks.

# dd if=/dev/zero of=dummyfile bs=1M count=8000
③Check again

# df -h

Confirm that / is now above 80%.
④Run the check script

# /var/www/system/disk_capacity_check.sh

You will receive an email at the address you set up, stating something like "Disk usage alert: 90 %".
⑤Delete "dummyfile"

# rm dummyfile
⑥Periodic Execution Setting

# crontab -e
30 2 * * * /var/www/system/disk_capacity_check.sh
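The script above watches only /, and extending it naively to every line of df would alarm forever: the df output shown in step ① lists snap's read-only squashfs images on /dev/loop* at a permanent 100%. The following is an added example, not code from the original page, that checks every real filesystem, skips the loop images and tmpfs mounts, and sends one summary mail. The parsing is a separate function so it can be exercised on captured df output; MAIL_TO, LIMIT and the `run` argument are placeholders of this example.

```bash
#!/bin/bash
# Added example (not from the original page). Checks every real filesystem,
# not only /, and skips snap's read-only squashfs images, which df always
# reports at 100%. MAIL_TO and LIMIT are placeholders to adjust.
set -u

MAIL_TO="<your mailaddress>"   # assumed: notification address
LIMIT=80                       # alert when usage is strictly above this percentage

# over_threshold LIMIT: read `df -P` output on stdin and print "USE% MOUNT"
# for each filesystem whose usage is strictly greater than LIMIT (same rule
# as the page's "-gt 80"). /dev/loop* devices (snap squashfs images) are
# skipped because they are always full.
over_threshold() {
    awk -v limit="$1" '
        NR > 1 && $1 !~ /^\/dev\/loop/ {
            pct = $5
            sub(/%$/, "", pct)
            if (pct + 0 > limit + 0) print pct "% " $6
        }'
}

# disk_alert: run df over real filesystems only and mail a summary if needed.
# Returns 0 when nothing is over the limit, 1 when an alert was sent.
disk_alert() {
    local hits
    hits=$(df -P -x tmpfs -x devtmpfs -x squashfs | over_threshold "$LIMIT")
    [ -z "$hits" ] && return 0
    printf 'Disk usage alert (over %s%%):\n%s\n' "$LIMIT" "$hits" |
        mail -s "Disk Space Alert in $(hostname)" "$MAIL_TO"
    return 1
}

# Run the check only when invoked as "disk_capacity_check.sh run"
# (for example from cron), so the functions can also be sourced and tested.
if [ "${1:-}" = "run" ]; then
    disk_alert
fi
```

With this version the crontab line becomes `30 2 * * * /var/www/system/disk_capacity_check.sh run`. To test it without filling the disk, pipe a saved `df -P` listing into `over_threshold 80` and check that only the filesystems you expect are printed.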
