Using CentOS 7 chkrootkit
The standard CentOS repositories do not include a package for chkrootkit as the Ubuntu repositories do. This is not really an issue, as installing from source is not a difficult task. To use chkrootkit on CentOS 7, we first make sure that we have the packages needed to compile from source. The Development Tools group covers most of this, but we also add wget and glibc-static.
$ sudo yum groups install -y "Development Tools"
$ sudo yum install -y wget glibc-static
We can now download the source from the software author's website, http://www.chkrootkit.org. Check the site for the latest version and retrieve the link to download it. As of 2017 the current version is 0.52, which is the version we use on CentOS 7. To download it:
$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Now you can proceed to expand the archive:
$ tar -xzf chkrootkit.tar.gz
We can then move into the directory and compile the required files. The main program is a shell script, but that script calls the compiled binaries.
$ cd chkrootkit-0.52/
To compile the code we use make. There is only one target in the Makefile; it is called sense, so we can amusingly call:
$ make sense
We now should copy the directory to a sensible location:
$ cd ; sudo mv chkrootkit-0.52/ /usr/local/
$ sudo ln -s /usr/local/chkrootkit-0.52/ /usr/local/chkrootkit
The last command creates a link /usr/local/chkrootkit that points to the current version directory /usr/local/chkrootkit-0.52/. When a new version is released we can point the link at the new directory. The link gives us a consistent location to use that is independent of the chkrootkit version.
The chkrootkit script calls the compiled binaries using a relative path, so we should run the command from its directory, which we can achieve by grouping commands:
$ sudo bash -c 'cd /usr/local/chkrootkit && ./chkrootkit -q'
Most of the time we will be running chkrootkit, and most other malware detectors, as a cron job. Since we compiled chkrootkit ourselves, we need to define our own cron task. To run the task daily we can create a script in /etc/cron.daily:
$ sudo vim /etc/cron.daily/chkrootkit
#!/bin/sh
cd /usr/local/chkrootkit && ./chkrootkit -q | mail -s "CHKROOTKIT daily run" root
$ sudo chmod +x /etc/cron.daily/chkrootkit
We can leave this to run with cron and check the root user’s mail daily. To test execution we can execute as the root user:
$ sudo /etc/cron.daily/chkrootkit
To check the mail has been received we can open a root shell and read mail:
$ sudo -i
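The one-line cron script above mails the full report every day, so a recurring false positive (a debug path, an unusual port) looks the same as a fresh hit and the mail is soon ignored. The following wrapper is an added example, not part of this page or of the chkrootkit project: it runs chkrootkit from its own directory as the page describes, normalises the `-q` output, keeps the previous report, and mails root only when the findings change, with a diff against the last run. The paths (/usr/local/chkrootkit as installed above, a report directory /var/lib/chkrootkit chosen here), the `run` argument and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the page or the chkrootkit project: a daily cron
# wrapper that keeps the previous report and mails root only when the findings
# change, so a known false positive repeated every day cannot bury a new hit.
# Assumed locations (override via environment): chkrootkit installed under
# /usr/local/chkrootkit as on this page, reports kept in /var/lib/chkrootkit,
# mail(1) available for local delivery.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
REPORT_DIR="${REPORT_DIR:-/var/lib/chkrootkit}"
MAIL_TO="${MAIL_TO:-root}"

# Normalise a raw `chkrootkit -q` report read from stdin: drop blank lines,
# sort and de-duplicate so that two runs with the same findings compare equal.
normalise_report() {
    grep -v '^[[:space:]]*$' | sort -u
}

# Print the number of lines in report $1 that chkrootkit uses to flag a hit.
# grep -c exits 1 when the count is 0; `|| true` keeps that from aborting
# a caller running under `set -e`.
count_findings() {
    grep -c -i -E 'INFECTED|Warning' "$1" || true
}

# report_changed PREV NEW: succeed (exit 0) when NEW differs from PREV or
# no previous report exists yet; fail (exit 1) when they are identical.
report_changed() {
    rc_prev="$1"; rc_new="$2"
    [ -f "$rc_prev" ] || return 0
    ! cmp -s "$rc_prev" "$rc_new"
}

# Run the scan, compare with the last report, mail on change, rotate reports.
run_daily_scan() {
    mkdir -p "$REPORT_DIR"
    new="$REPORT_DIR/report.new"
    prev="$REPORT_DIR/report.last"
    # chkrootkit calls its compiled helpers by relative path, so run it from
    # its own directory; stderr is kept because some warnings go there.
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit -q) 2>&1 | normalise_report > "$new"
    if report_changed "$prev" "$new"; then
        {
            echo "chkrootkit output on $(hostname) changed since the last run."
            echo "INFECTED/Warning lines: $(count_findings "$new")"
            echo "--- diff against previous report (empty on first run) ---"
            [ -f "$prev" ] && diff "$prev" "$new" || true
            echo "--- full report ---"
            cat "$new"
        } | mail -s "CHKROOTKIT daily run: CHANGED on $(hostname)" "$MAIL_TO"
    fi
    mv "$new" "$prev"
}

# Only scan when invoked as `... run`; with no argument the file just defines
# the functions, which keeps it safe to source or test on any machine.
case "${1:-}" in
    run) run_daily_scan ;;
esac
```

Save it as, for example, /usr/local/sbin/chkrootkit-daily and make /etc/cron.daily/chkrootkit a one-line script that calls `/usr/local/sbin/chkrootkit-daily run`. The first run always mails, since there is no previous report; after that root only hears from cron when the report differs, and the diff shows exactly which line appeared or disappeared. Check the first report by hand so that any known false positive is accepted into the baseline knowingly rather than silently.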