Check your server for rootkits with Chkrootkit

chkrootkit is a tool that locally checks a system for signs of compromise by rootkits. It consists of a shell script that checks system binaries for rootkit modification, together with helpers that look for signs of LKM trojans, network interfaces in promiscuous mode, and deletions from lastlog, wtmp and utmp.

Install via:

# cd /usr/local
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar xvzf chkrootkit.tar.gz
# rm chkrootkit.tar.gz
# ln -s chkrootkit-x.xx chkrootkit
# cd chkrootkit
# make sense

Make sure to check the md5sum of the download as well.

Put the below into "/etc/cron.daily/chkrootkit.sh" to run a daily report:

#!/bin/bash
# chkrootkit.sh - daily chkrootkit run; cron mails whatever this script prints
cd /usr/local/chkrootkit/ || exit 1
# keep only positive findings, then drop the known false positive (Exim listening on port 465)
./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | grep -v "Checking \`bindshell'... INFECTED (PORTS:  465)"

Because cron mails any output a job produces, the script only generates an email when it detects something suspicious.

Note that the bindshell port 465 "infection" is a false alarm: in my case Exim uses port 465 for secure connections. So, you could similarly grep out any such false alarm and adjust the cron script.
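The same filtering, as an added example that is not part of the original post: instead of chaining one grep -v per false alarm, the script below keeps an allowlist of reviewed lines and prints only the INFECTED/Vulnerable lines that are not on it, so new findings still reach the daily mail. The install path matches the post; the sample chkrootkit output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): filter chkrootkit output against an
# allowlist of reviewed false positives. Assumes chkrootkit lives under
# /usr/local/chkrootkit as in the post.

# One allowlisted line per entry, compared exactly as a whole line. The bindshell
# entry is the Exim-on-465 case from the post; extend it as you review others.
ALLOWLIST='Checking `bindshell'"'"'... INFECTED (PORTS:  465)'

# filter_findings: read chkrootkit output on stdin and print the INFECTED/Vulnerable
# lines that are not on the allowlist (passed as $1, one entry per line).
# Returns 0 when nothing unexplained remains, 1 when at least one line was printed.
filter_findings() {
    allowlist=$1
    found=0
    while IFS= read -r line; do
        case $line in
            *INFECTED*|*Vulnerable*) ;;   # chkrootkit reports positives in upper case
            *) continue ;;                # "not infected", "not found", ... are noise
        esac
        # -F: fixed string, -x: whole line, so "." and "(" in entries stay literal
        if [ -n "$allowlist" ] && printf '%s\n' "$allowlist" | grep -Fxq -- "$line"; then
            continue
        fi
        printf '%s\n' "$line"
        found=1
    done
    return $found
}

# Constructed sample of a chkrootkit run (not output from any real host), used to
# exercise the filter when this file is run directly.
SAMPLE=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `chkutmp'... chkutmp: nothing deleted
Checking `sshd'... not infected
Checking `z2'... INFECTED
EOF
)

# For the daily job replace the sample with the real run:
#   cd /usr/local/chkrootkit && ./chkrootkit 2>&1 | filter_findings "$ALLOWLIST"
# (on Debian-derived systems name the cron.daily file without a dot, e.g. "chkrootkit",
#  since run-parts skips file names containing one).
if printf '%s\n' "$SAMPLE" | filter_findings "$ALLOWLIST"; then
    echo "sample: nothing unexplained"
else
    echo "sample: unexplained findings listed above"
fi
```

Only the z2 line survives the sample run; the bindshell line is dropped by the allowlist and the exit status 1 flags that something unexplained remains.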
