LPIC-3 Exam 303

Ubuntu 18.04 chkrootkit

Published August 22, 2018, updated November 16th, 2018

Using chkrootkit on Ubuntu 18.04

Rootkit detectors are, of course, not limited to just one; we have more than just rkhunter. Defence in depth is a good approach in many respects, and using more than one rootkit IDS is possible. The chkrootkit application can be installed from the standard Ubuntu repositories.

On CentOS you can download the source tarball, which you can find on the project website. The package is maintained by its author, Nelson Murilo, a Linux security expert, and you can consider supporting his efforts on the site. chkrootkit is mainly a shell script with some supporting C code, so adding it to CentOS is not a major task, as we will see later.

We will look at the package on Ubuntu 18.04. To install we can simply use:

$ sudo apt install -y chkrootkit

Once installed, we can check the installed version using:

$ chkrootkit -V
chkrootkit version 0.52

We can now run the tests, but be aware of false positives. We get one on Ubuntu 18.04 for tcpd.

$ sudo chkrootkit
...
Checking `tar'...                                           not infected
Checking `tcpd'...                                          INFECTED
Checking `tcpdump'...                                       not infected
....

The output is quite verbose, so if you are more interested in warnings and INFECTED output, use the option -q:

$ sudo chkrootkit  -q
Checking `tcpd'... INFECTED
/lib/modules/4.15.0-23-generic/vdso/.build-id
/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[241])
not tested

We are warned of the possibly infected tcpd, as well as a warning over a suspicious module, and that systemd is sniffing packets on the NIC. These are all normal and can be ignored. These false positives are a concern to me, but the program is just a shell script and the INFECTED diagnosis comes from egrep detecting the string hack in an executable. It finds this within debian_longlink_hack, which is normal. I remove the check for hack in the script.

If you want to bypass the search for the string hack, carefully edit the file /usr/sbin/chkrootkit. The function chk_tcpd is on line 2586 in version 0.52. Replace the following line:

TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

with the new line, with the word hack removed (note that the surrounding | separators must be kept, otherwise neighbouring markers are merged into one pattern):

TCPD_INFECTED_LABEL="p1r0c4|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

The check is now correct and no longer reports the false infection. The edited part of the function looks like this, with the original line kept as a comment:

chk_tcpd () {
STATUS=${NOT_INFECTED}
#TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
TCPD_INFECTED_LABEL="p1r0c4|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

We can now re-run the check:

$ sudo chkrootkit -q
/lib/modules/4.15.0-23-generic/vdso/.build-id
/lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
enp0s3: PACKET SNIFFER(/lib/systemd/systemd-networkd[241])
not tested

Without specifically knowing what the developers need to search for, I would not edit further, but this is a way to eliminate this error until it is fixed in the source.
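To see why tcpd trips the check and what the edit changes, here is an added example (not code from the original post or from chkrootkit itself) that mirrors the core of chk_tcpd, a grep of the binary for a list of marker strings, against constructed stand-in files. The sample file contents and the drop_marker helper are my own; grep -a stands in for the script's "strings -a | egrep" so binutils is not needed.

```shell
#!/bin/sh
# Added example: reproduce the essence of chkrootkit's chk_tcpd and the
# effect of removing the "hack" marker from TCPD_INFECTED_LABEL.

ORIG_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"

# Remove one alternative from a '|'-separated egrep label while keeping
# the remaining separators intact (dropping a '|' merges two markers).
drop_marker() {
  printf '%s' "$1" | tr '|' '\n' | grep -v -x -F "$2" | paste -s -d '|' -
}

# Core of chk_tcpd: report INFECTED when any marker string is found.
# grep -a searches the file as text, like "strings -a | egrep" does.
tcpd_check() {
  if grep -a -E -q "$2" "$1"; then echo INFECTED; else echo "not infected"; fi
}

# Constructed stand-ins for binaries (not real tcpd builds). Ubuntu's tcpd
# carries the symbol name debian_longlink_hack, which is enough to match
# the "hack" marker; the third file carries a genuine marker string.
SAMPLE_DIR=$(mktemp -d)
printf 'ELF debian_longlink_hack hosts_access\n' > "$SAMPLE_DIR/tcpd_ubuntu"
printf 'ELF hosts_access\n'                      > "$SAMPLE_DIR/tcpd_clean"
printf 'ELF /dev/hdn0 hosts_access\n'            > "$SAMPLE_DIR/tcpd_marked"

FIXED_LABEL=$(drop_marker "$ORIG_LABEL" hack)

# Show every sample under the original and the edited label.
main_demo() {
  echo "fixed label: $FIXED_LABEL"
  for f in tcpd_ubuntu tcpd_clean tcpd_marked; do
    printf '%-12s original: %-13s fixed: %s\n' "$f" \
      "$(tcpd_check "$SAMPLE_DIR/$f" "$ORIG_LABEL")" \
      "$(tcpd_check "$SAMPLE_DIR/$f" "$FIXED_LABEL")"
  done
}
main_demo
```

The Ubuntu stand-in is flagged only by the original label, while the file carrying a real marker is still flagged after the edit, which is the behaviour the change is meant to preserve.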

There is no real configuration needed for chkrootkit. The configuration file, /etc/chkrootkit.conf, has just three options:

RUN_DAILY: enables the daily cron script. This is false by default and should be changed to true if you want chkrootkit to run from cron.

RUN_DAILY_OPTS: set to -q by default, which ensures that chkrootkit runs in quiet mode when run from cron.

DIFF_MODE: false by default, but worth enabling with true. This compares the output with the expected output, so it deals well with false positives, since the current output is compared with the previous output and only changes are reported.