LPIC-3 Exam 303

CentOS 7 chkrootkit

August 23, 2018 (updated November 16th, 2018)

Using CentOS 7 chkrootkit

The standard repositories for CentOS do not include a package for chkrootkit as they do for Ubuntu. This is not really an issue, as installing from source is not a difficult task. First, we make sure that we have the packages needed to compile from source. The group Development Tools is a good target for this, but we will also add wget and glibc-static.

$ sudo yum groups install -y "Development Tools"
$ sudo yum install -y wget glibc-static

We can now download the source from the software author. The website is http://www.chkrootkit.org. You can check the latest version on the site and retrieve the link to download it. As of 2017 the current version is 0.52. To download the current version:

$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Now you can proceed to expand the archive:

$ tar -xzf chkrootkit.tar.gz

We can then move into the directory and compile the required files. The main program is a shell script; this script, though, calls the compiled binaries.

$ cd chkrootkit-0.52/

To compile the code we use make. There is only one make target in the Makefile. The target is called sense, so we can amusingly call:

$ make sense

We now should copy the directory to a sensible location:

$ cd ; sudo mv chkrootkit-0.52/ /usr/local/
$ sudo ln -s /usr/local/chkrootkit-0.52/ /usr/local/chkrootkit

The last command creates a link /usr/local/chkrootkit that points to the current version directory /usr/local/chkrootkit-0.52/. When a new version is released we can point the link at the new directory. The link gives us a consistent location to use that is independent of the version of chkrootkit.

The chkrootkit script calls the compiled binaries using a relative path. We should therefore run the command from within that directory, which we can achieve by grouping commands:

$ sudo bash -c 'cd /usr/local/chkrootkit && ./chkrootkit -q'

Running Cronjobs

Most of the time we will be running chkrootkit, and most other malware detectors, as a cron job. If we have compiled chkrootkit we will need to define our own cron task. To run the task daily we can create a script in /etc/cron.daily.

$ sudo vim /etc/cron.daily/chkrootkit
#!/bin/sh
cd /usr/local/chkrootkit && ./chkrootkit -q | mail -s "CHKROOTKIT daily run" root
$ sudo chmod +x /etc/cron.daily/chkrootkit

We can leave this to run with cron and check the root user’s mail daily. To test execution we can execute as the root user:

$ sudo /etc/cron.daily/chkrootkit

To check that the mail has been received we can open a root shell and read the mail:

$ sudo -i
# mail
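A more defensive version of that cron script, added here as an example and not taken from the original post: it still runs chkrootkit -q from /usr/local/chkrootkit, but it mails root only when the quiet run actually reports something, logs every run, and reports a missing scanner instead of silently doing nothing. The log path and the optional known-benign file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a cron.daily wrapper for the
# source-built chkrootkit that mails root only when quiet mode reports
# something, appends every run to a log, and reports a missing scanner.
# The /usr/local/chkrootkit link is from the post; LOG_FILE and the
# known-benign file name are assumptions.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
MAIL_TO="${MAIL_TO:-root}"
LOG_FILE="${LOG_FILE:-/var/log/chkrootkit.log}"
# Deliver a report: subject in $1, body on stdin. Falls back to stderr when
# mail(1) is absent, so cron still forwards it through its own MAILTO.
notify() {
    if command -v mail >/dev/null 2>&1; then
        mail -s "$1" "$MAIL_TO"
    else
        { echo "Subject: $1"; cat; } >&2
    fi
}

# chkrootkit -q prints only findings, so a clean run is empty. Anything that
# is not whitespace and not an exact line in an optional known-benign file
# ($2, default $CHKROOTKIT_DIR/known-benign.txt) counts as a finding.
# Returns 0 when there is something to report, 1 otherwise.
has_findings() {
    out="$1"
    allow="${2:-$CHKROOTKIT_DIR/known-benign.txt}"
    if [ -f "$allow" ]; then
        out=$(printf '%s\n' "$out" | grep -vxF -f "$allow")
    fi
    [ -n "$(printf '%s' "$out" | tr -d '[:space:]')" ]
}

main() {
    host=$(hostname 2>/dev/null || echo localhost)
    if [ ! -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
        # A silent no-op would hide a broken install; say so instead.
        echo "$CHKROOTKIT_DIR/chkrootkit is missing or not executable" |
            notify "CHKROOTKIT NOT RUN on $host"
        return 0
    fi
    # The script locates its compiled helpers relative to its own directory.
    output=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit -q 2>&1)
    printf '=== %s ===\n%s\n' "$(date)" "$output" >> "$LOG_FILE"
    if has_findings "$output"; then
        printf '%s\n' "$output" | notify "CHKROOTKIT findings on $host"
    fi
}

main
```

Install it as /etc/cron.daily/chkrootkit and make it executable, exactly as with the shorter version above.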