If you suspect that something is wrong with a system and further suspect
a break-in, then it is time to analyze the system thoroughly. One program
to be used in that respect is called chkrootkit. A rootkit is a set of
programs installed on the system that enables an intruder to work as root
on that system without your knowledge. A rootkit manipulates settings and
programs on the system in a way that prevents the break-in from being
detected, or at least makes it very difficult to find any traces of it.
Because you cannot be sure what was modified or replaced, you need to use
untainted binaries to detect such a set of programs. Using a rootkit on
another system could be a punishable offense in most parts of the world.
To make one thing perfectly clear first: not every system showing some
kind of strange behavior was taken over by a cracker. You first need to
check whether the system displays uncommon patterns of network activity.
You need another system, known to be clean, to run these checks. If you
could not find another reason for the strange behavior and still suspect
a compromised system, then you need to check the machine.
The first step you need to take is to check the system
using aide. If there is any reason to believe that something is wrong with
the system, then it should be taken off the network immediately. This does
not mean that you should shut down the system, but rather disconnect it
from the network at once. After that, you need to check the system for
the reported modified files, configurations, etc. Which commands, settings,
and programs were modified?
These modifications allow you to assess the scope of the break-in. If you
have no experience in handling a compromised machine, get professional
help. If the incident damaged the company’s data or the system itself,
then reporting that damage is governed by strict rules. These rules include
a defined procedure concerning how the compromised system is to be secured.
Doing computer forensics requires extensive training. If any evidence is
lost in the process, insurance and law enforcement cannot do anything for
you. Describing the detailed steps required is beyond the scope of this
book. If you know the required steps, proceed.
The executable program chkrootkit and the system commands it needs, in
versions that run on the compromised system, should be on a CD-R. You have
to mount that CD-R and start the program as shown in Executing chkrootkit.
Executing chkrootkit
# ./chkrootkit -p /cdrom/sol_bin
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not tested
Checking `login'... not tested
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not tested
Checking `pidof'... not found
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not found
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
#
The “secure” commands and programs are found on the CD-R in the directory
/sol_bin (the CD-R is mounted under /cdrom here). The list of inspected
objects on the system is shown in full to give you an example of what gets
searched and where. The fact that the program found nothing of importance
does not necessarily mean that the system is clean, though. You performed
the test for a reason, because the system behaved erratically. The logical
next step would be to use the program in expert mode via the -x option.
Doing so requires a solid understanding of system programming on *NIX,
especially on the variant to be examined. When run in expert mode, the
program outputs a lot of data, including the paths compiled into the system
programs, among other things. If you want to filter this information down
to just the paths compiled into the programs, then you can use a command
like the one shown in Extracting the Paths Compiled into the System
Commands.
Extracting the Paths Compiled into the System Commands
# ./chkrootkit -x | egrep '###|^/' | more
###
### Output of: /usr/bin/strings -a /usr/bin/basename
###
/* SVr4.0 1.8
###
### Output of: /usr/bin/ls -l /usr/bin/basename
###
###
### Output of: /usr/bin/strings -a /usr/ucb/biff
###
/usr/lib/ld.so.1
###
### Output of: /usr/bin/ls -l /usr/ucb/biff
###
###
### Output of: /usr/bin/strings -a chfn
###
###
### Output of: /usr/bin/strings -a chsh
###
###
### Output of: /usr/bin/strings -a /usr/sbin/cron
This listing filtered the output via egrep '###|^/'; therefore, the output
is restricted to lines that either contain the string ### or start with /.
This way the output contains only the examined programs and the paths found
in them. If you just need to examine one program for the strings compiled
into it, then you can use the aptly named strings command as well. Using
strings to Extract the Paths from a Program shows its use.
Using strings to Extract the Paths from a Program
erikk@unixhost> strings /usr/sbin/cron | egrep ^/
/usr/bin:/bin
/etc/crontab
/usr/sbin/sendmail
/dev/null
/var/cron
/var/run/
/bin/sh
Using strings to Extract the Paths from a Program demonstrates the
extraction of the strings contained in the cron command. Because the output
could potentially be very long and contain a lot of data you are not
interested in, you can filter it to include just the lines starting (^)
with /. The chkrootkit program uses the same approach. Some recommend
running chkrootkit periodically via the crontab. This can be a valid
approach, as long as you are aware that a possible intruder could modify
the chkrootkit program in such a way that it never reports anything, or
always signals that everything is fine. The same holds true for the system
programs it needs.
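The comparison that the two path listings above invite, as an added example that is not code from the book: it extracts the compiled-in paths of a binary the way the strings pipeline does, then reports any path the copy found on the system carries that the trusted copy from the CD-R does not, which is the check to make before relying on anything a system command reports. Only POSIX tools are assumed; the file names and the extra hidden path in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not code from the book: compare the absolute paths compiled
# into a binary on the suspect system with those of the trusted copy from
# the CD-R. A replaced binary usually carries paths its clean counterpart
# never had (a hidden configuration or log location), so the difference is
# a concrete lead to follow up. Only POSIX tools are used (tr, grep, sort,
# comm, mktemp) so the script can run from the known-good toolset and does
# not depend on the examined system's own strings(1).

# Print the unique paths embedded in FILE, sorted, one per line. Printable
# runs are separated at non-printable bytes the way strings(1) does; only
# runs that start with "/" and are at least four characters long are kept.
extract_paths() {
    tr -c '[:print:]' '\n' < "$1" | grep '^/...' | sort -u
}

# compare_paths TRUSTED SUSPECT
# Print every path present in SUSPECT but absent from TRUSTED.
# Returns 0 if there are none, 1 if extras were found, 2 on a setup error.
compare_paths() {
    t=$(mktemp) || return 2
    s=$(mktemp) || { rm -f "$t"; return 2; }
    extract_paths "$1" > "$t"
    extract_paths "$2" > "$s"
    extra=$(comm -13 "$t" "$s")   # lines only in the second (suspect) file
    rm -f "$t" "$s"
    [ -z "$extra" ] && return 0
    printf 'paths in %s not found in trusted copy %s:\n%s\n' "$2" "$1" "$extra"
    return 1
}

# Demonstration on constructed input: two small files standing in for the
# trusted cron from the CD-R and the cron found on the system. The strings
# mirror the cron listing in the book; the extra hidden path is made up.
demo_dir=$(mktemp -d)
printf 'ELF\0/usr/bin:/bin\0/etc/crontab\0/bin/sh\0' > "$demo_dir/cron.trusted"
printf 'ELF\0/usr/bin:/bin\0/etc/crontab\0/bin/sh\0/usr/lib/.example_hidden\0' \
    > "$demo_dir/cron.suspect"
if compare_paths "$demo_dir/cron.trusted" "$demo_dir/cron.suspect"; then
    echo "no additional paths: no indication of a swapped binary"
else
    echo "review the binary before trusting anything it reports"
fi
rm -rf "$demo_dir"
```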