
Ubuntu 18.04 chkrootkit

August 22, 2018 by The Urban Penguin

Using chkrootkit on Ubuntu 18.04

Rootkit detectors are not limited to just one; we have more than rkhunter. In many respects, defence in depth is a good approach, and using more than one rootkit IDS is possible. The chkrootkit application can be installed from the standard Ubuntu repositories.

In CentOS, you can download the source tarball from the project website. The package is maintained by its author, Nelson Murilo, a Linux security expert, and you can consider supporting his efforts on the site. chkrootkit is mainly a shell script with some C libraries, so adding it to CentOS is not a major task, as we will see later.

We will look at the package on Ubuntu 18.04. To install we can simply use:

$ sudo apt install -y chkrootkit

Once installed, we can display the installed version with:

$ chkrootkit -V
chkrootkit version 0.52

We can now run the tests, but be aware of false positives: on Ubuntu 18.04 we get one for tcpd.

$ sudo chkrootkit
...
Checking `tar'...                                           not infected
Checking `tcpd'...                                          INFECTED
Checking `tcpdump'...                                       not infected
....

The output is quite verbose, so if you are more interested in warnings and INFECTED output, use the option -q:

$ sudo chkrootkit  -q
Checking `tcpd'... INFECTED
/lib/modules/4.15.0-23-generic/vdso/.build-id
/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[241])
not tested

We are warned of the possibly infected tcpd, as well as a warning over a suspicious module and that systemd is sniffing packets on the NIC. These are all normal and can be ignored. These false positives are a concern to me, but the program is just a shell script and the INFECTED diagnosis comes from egrep detecting the string hack in an executable. It finds this within debian_longlink_hack, which is normal. I remove the check for hack in the script.

If you want to bypass the search for the string hack, carefully edit the file /usr/sbin/chkrootkit. The function chk_tcpd is on line 2586 in version 0.52. Replace the following line

TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

with the new line, with the word hack (and its separating pipe) removed:

TCPD_INFECTED_LABEL="p1r0c4|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

The check is now correct and no longer reports the false infection. The start of the edited function looks like this, with the original line kept as a comment:

chk_tcpd () {
STATUS=${NOT_INFECTED}
#TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
TCPD_INFECTED_LABEL="p1r0c4|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
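As an added example (not chkrootkit's own code), the script below reproduces the test the post describes: an egrep of the infected label over the printable strings of the tcpd binary. It assumes chkrootkit pipes something like strings -a /usr/sbin/tcpd into egrep, and it uses a constructed stand-in for that output, so it runs offline. It also shows the trade-off of the edit: with hack removed from the label, the other markers still match, but anything that was only caught by the word hack no longer is.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: reproduce the chk_tcpd test the
# post describes (egrep of an "infected" label over the printable strings of
# the tcpd binary) and show why the "hack" alternative fires on Ubuntu 18.04.

# Constructed stand-in for `strings -a /usr/sbin/tcpd` output (assumption):
# the debian_longlink_hack symbol the post mentions plus one ordinary string.
SAMPLE_TCPD_STRINGS="debian_longlink_hack
hosts_access"

# The label as shipped in version 0.52 and the edited label from the post.
ORIGINAL_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
PATCHED_LABEL="p1r0c4|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

# check_tcpd_strings LABEL STRINGS
# Prints INFECTED when any alternative in LABEL matches a line of STRINGS,
# otherwise not_infected. grep -E is the portable spelling of egrep.
check_tcpd_strings() {
    label=$1
    strings_input=$2
    if printf '%s\n' "$strings_input" | grep -E -q -- "$label"; then
        echo INFECTED
    else
        echo not_infected
    fi
}

# Run the test on the real binary when it is readable, otherwise on the
# constructed sample so the script also works on a machine without tcpd.
check_local_tcpd() {
    if [ -r /usr/sbin/tcpd ] && command -v strings >/dev/null 2>&1; then
        check_tcpd_strings "$1" "$(strings -a /usr/sbin/tcpd)"
    else
        check_tcpd_strings "$1" "$SAMPLE_TCPD_STRINGS"
    fi
}

check_local_tcpd "$ORIGINAL_LABEL"   # INFECTED on the sample (hack matches)
check_local_tcpd "$PATCHED_LABEL"    # not_infected on the sample
```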

We can now re-run the check:

$ sudo chkrootkit -q
/lib/modules/4.15.0-23-generic/vdso/.build-id
/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[241])
not tested

Without specifically knowing what the developers need to search for, I would not edit further, but this is a way to eliminate the error until it is fixed in the source.

There is no real configuration needed for chkrootkit. The configuration file, /etc/chkrootkit.conf, has just three options:

RUN_DAILY: enables the daily cron script. This is false by default and should be changed to true if you want chkrootkit to run from cron.

RUN_DAILY_OPTS: set to -q by default, which ensures that chkrootkit runs in quiet mode when run from cron.

DIFF_MODE: false by default, but it is good to enable it with true. The current output is compared with the expected output from the previous run, so only the differences are reported. In this way it deals well with false positives, since known ones are already part of the previous output.
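The idea behind DIFF_MODE, as an added example rather than the packaged cron job's own code: a reviewed first run becomes the baseline and later runs only report lines that were not there before. The baseline and the later run are constructed strings built from the -q output above (the new INFECTED line is made up for the example), so the script runs offline; in a real cron job the later run would come from sudo chkrootkit -q.

```shell
#!/bin/sh
# Added example, not chkrootkit's or the Debian cron job's code: the idea
# behind DIFF_MODE, reproduced over constructed output so it runs offline.
# A reviewed first run is the baseline; later runs report only new lines.

# Constructed baseline: the accepted false positives from the -q run above.
BASELINE="/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[241])
not tested"

# Constructed later run: the same noise plus one line that was not there before.
LATER_RUN="/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[241])
not tested
Checking \`ls'... INFECTED"

# new_findings BASELINE OUTPUT
# Prints the lines of OUTPUT that do not appear in BASELINE. comm needs
# sorted input, and sort -u also collapses the repeated "not tested" lines.
new_findings() {
    base_f=$(mktemp) || return 1
    out_f=$(mktemp) || return 1
    printf '%s\n' "$1" | sort -u > "$base_f"
    printf '%s\n' "$2" | sort -u > "$out_f"
    comm -13 "$base_f" "$out_f"
    rm -f "$base_f" "$out_f"
}

# count_new BASELINE OUTPUT
# Prints how many new lines there are; 0 means nothing to report, which is
# what a cron job would use to decide whether to send mail at all.
count_new() {
    new_findings "$1" "$2" | grep -c . || true
}

count_new "$BASELINE" "$LATER_RUN"      # 1
new_findings "$BASELINE" "$LATER_RUN"   # the single new INFECTED line
```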

Filed Under: LPIC-3 Exam 303