Thanks to an article on the O'Reilly network (http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html), I've started using chkrootkit (http://www.chkrootkit.org), a utility that checks for rootkits on your Linux/BSD/Solaris install. It looks for certain signatures in trojaned system binaries and compares them against known rootkits. It includes other tools that check for network promiscuity (ifpromisc), lastlog deletions (chklastlog), wtmp deletions (chkwtmp), wtmpx deltions (check_wtmpx - Solaris only), and checks for signs of LKM trojans (chkproc). I've performed some extra steps which allow me to automate the running of chkrootkit, while also authenticating the validity of the chkrootkit binary itself. I'm including the steps here, in case anyone else would like to try this on their own systems. Please note... this utility is great for checking against *known* rootkits... it's not a substitution for common security practices. I would also suggest that anyone serious about preventing rootkit modifications also ensure they install Tripwire on all new installations. However, in situations where a box does not already have Tripwire installed, chkrootkit is a great tool to help gain back some peace of mind. This document covers Linux and *BSD installs only. Installation of chkrootkit is very simple. Grab the tarball, uncompress, and run 'make sense' (as root). Copy the binaries to a standard system bin (I used /usr/local/sbin). Cd to the new location and run the chkrootkit by hand to make sure everything looks good.... tar zxf chkrootkit-0.35.tar.gz cd chkrootkit-0.35/ make sense cp chkrootkit /usr/local/sbin/ cp chkwtmp /usr/local/sbin/ cp chklastlog /usr/local/sbin/ cp chkproc /usr/local/sbin/ cp ifpromisc /usr/local/sbin/ ./chkrootkit The output will look something like this... (snipped for brevity's sake) ROOTDIR is `/' Checking `amd'... not infected Checking `basename'... not infected Checking `biff'... not infected Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `date'... not infected ... Checking `sniffer'... dc0 is not promisc sl0 is not promisc ppp0 is not promisc bridge1 is not promisc gif0 is not promisc Checking `wted'... nothing deleted Checking `z2'... nothing deleted Ok, now for the extra layer of security. To ensure that no one tampers with my chkrootkit binaries, I've created a new file (/etc/chkrootkit.md5) containing the md5sum for each binary. Next, we want to modify the md5 file so nobody can tamper with it. We want to turn on the *immutable* bit for this file. Making a file immutable means that no one can modify the delete the file. In linux, we want to use the 'chattr +i' command... in *BSD, the same command is 'chflags schg'. To view special attributes, you must use 'lsattr' in Linux and 'ls -lo' in *BSD. Note that in Linux, the immutable flag can be removed by the superuser at any time with 'chattr -i'. In *BSD systems, you can only remove the "system immutable" (schg) flag in securelevel 0 or -1 (single-user mode is an example of securelevel 0). md5sum chkrootkit >> /etc/chkrootkit.md5 [run the same command for each binary; command is 'md5' in *BSD] chattr +i /etc/chkrootkit.md5 [Linux] chflags schg /etc/chkrootkit.md5 [*BSD] To automate these utilities, I've setup a cron job to execute a perl script I've created which first authenticates our stored md5 digests against the current md5 values. It uses the Digest::MD5 perl module to run the digests. Installing the perl module is very simple... grab the tarball, uncompress to a directory, run (as root) 'perl Makefile.pl', 'make', 'make test' and 'make install'. wget http://www.cpan.org/authors/id/GAAS/Digest-MD5-2.16.tar.gz tar zxf Digest-MD5-2.16.tar.gz cd Digest-MD5-2.16/ perl Makefile.pl make make test make install Here is the script... I make no guarantees... YMMV. Note the variables that should be changed specific to your usage... $md5_sav_file (location of your trusted md5 file), $runpath (location of your chkrootkit binary), and $admin_mail (your email address... make sure to escape the '@' with a backslash or perl won't interpret it correctly). The script will first compare the known and trusted md5 sums found in our immutable file to the current md5 sums of the binaries. If there are any discrepancies, it will report them. Next, it will cd to the system bin (as defined by $runpath) and run the chkrootkit binary. It needs to cd to the directory, as chkrootkit will attempt to run the other utilities within it's current directory. #!/usr/bin/perl -w # safe_chkrootkit.pl use strict; no strict 'subs'; use Digest::MD5(md5_hex); my $md5_new; my $md5_sav; my $md5_sav_file = "/etc/chkrootkit.md5"; my $file; my $file_and_path; my $path = "/usr/local/sbin"; my @files = qw( ifpromisc chkproc chkrootkit chklastlog chkwtmp ); my @input; my $admin_mail = "admin\@localhost.com"; open(MAIL, "|/usr/bin/mail $admin_mail"); print MAIL "Running authentication tests on chkrootkit binaries...\n\n"; while (<@files>) { $file = $_; $file_and_path = "$path/$file"; open(MD5,"$file_and_path") || die "Can't open file for reading: $!"; $md5_new = Digest::MD5->new->addfile(MD5)->hexdigest; close(MD5); open(TST,"$md5_sav_file",) || die "Can't open file for reading: $!"; while (<TST>) { chomp; if (/$file/) { @input = split(/ /,$_); $md5_sav = pop(@input); unless ($md5_new eq $md5_sav) { print MAIL "\t\t\t*** WARNING ***\n"; print MAIL "The binary file for " . $path . "/" . $file . " has been altered.\n"; print MAIL "The original md5 sum for $file was\n\n"; print MAIL "\t\t$md5_sav\n\n"; print MAIL "and the new md5 sum is\n\n"; print MAIL "\t\t$md5_new\n\n"; print MAIL "Please investigate ASAP\n"; print MAIL "\t\t\t*********************\n"; } else { print MAIL "\[$file\]\n"; print MAIL "Current: $md5_new\n"; print MAIL "Trusted: $md5_sav\n\n"; } } } close(TST); } I hope that others find this as useful as I have. I've implemented this on my OpenBSD firewall, and plan on installing it on my Linux workstation ASAP. Keep in mind that there are many other facets of system security that should still be scrutinized, but this is a nice tool to help out nonetheless. If anyone has any questions, comments or suggestions regarding my usage of this program, or the functionality of the script, please let me know. -Jason _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:18:58 PST