|
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
- chkrootkit: shell script that checks system
binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in
promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions.
(Solaris only)
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
Chkrootkit is listed in the "Top 100 Network Security
Tools" survey, 2006 edition, released by Insecure.Org. We would like to thank
all people who voted for chkrootkit as their favourite tool!
What's New
chkrootkit 0.49 is now available! (Release
Date: Thu Jul 30 2009) This version includes:
- chkrootkit
- new tests: Mac OS X OSX.RSPlug.A Trojan Horse
- more tests for suspicious sniffer logs
- more tests for suspicious PHP files
- more tests for shell history file anomalies
- minor bug fixes
- chkdirs.c
- chkproc.c
- chkutmp.c
- bug fix by Michael Schwendt
Tests performed and rootkits detected
The following tests are made:
-
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper
slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron
crontab date du dirname echo egrep env find fingerd gpm grep
hdparm su ifconfig inetd inetdconf identd init killall
ldsopreload login ls lsof mail mingetty netstat named passwd
pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail
sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir
w write
The following rootkits, worms and LKMs are currently detected:
| 01. lrk3, lrk4, lrk5, lrk6 (and variants); |
02. Solaris rootkit; |
03. FreeBSD rootkit; |
| 04. t0rn (and variants); |
05. Ambient's Rootkit (ARK); |
06. Ramen Worm; |
| 07. rh[67]-shaper; |
08. RSHA; |
09. Romanian rootkit; |
| 10. RK17; |
11. Lion Worm; |
12. Adore Worm; |
| 13. LPD Worm; |
14. kenny-rk; |
15. Adore LKM; |
| 16. ShitC Worm; |
17. Omega Worm; |
18. Wormkit Worm; |
| 19. Maniac-RK; |
20. dsc-rootkit; |
21. Ducoci rootkit; |
| 22. x.c Worm; |
23. RST.b trojan; |
24. duarawkz; |
| 25. knark LKM; |
26. Monkit; |
27. Hidrootkit; |
| 28. Bobkit; |
29. Pizdakit; |
30. t0rn v8.0; |
| 31. Showtee; |
32. Optickit; |
33. T.R.K; |
| 34. MithRa's Rootkit; |
35. George; |
36. SucKIT; |
| 37. Scalper; |
38. Slapper A, B, C and D; |
39. OpenBSD rk v1; |
| 40. Illogic rootkit; |
41. SK rootkit. |
42. sebek LKM; |
| 43. Romanian rootkit; |
44. LOC rootkit; |
45. shv4 rootkit; |
| 46. Aquatica rootkit; |
47. ZK rootkit; |
48. 55808.A Worm; |
| 49. TC2 Worm; |
50. Volc rootkit; |
51. Gold2 rootkit; |
| 52. Anonoying rootkit; |
53. Shkit rootkit; |
54. AjaKit rootkit; |
| 55. zaRwT rootkit; |
56. Madalin rootkit; |
57. Fu rootkit; |
| 58. Kenga3 rootkit; |
59. ESRK rootkit; |
60. rootedoor rootkit; |
| 61. Enye LKM; |
62. Lupper.Worm; |
63. shv5; |
| 64. OSX.RSPlug.A; |
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
FreeBSD 2.2.x, 3.x, 4.x, 5.x and 7.x, OpenBSD 2.x, 3.x and 4.x., NetBSD
1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
OS X.
More details can be found on the chkrootkit's
README.
Mailing List
To subscribe:
echo "subscribe users your email" | mail majordomo@chkrootkit.org
The
online archive of this mailing list is located at
The Mailing list ARChives
(MARC).
Supporters Sites
SharePoint Hosting from Sherweb
Contacting the Authors
Please send comments, new rootkits, questions and bug reports to Nelson Murilo
<nelson@pangeia.com.br> (main author) and Klaus Steding-Jessen
<jessen@cert.br> (co-author).
|
![[chkrootkit: kicking script kiddies' asses since 1997]](/images/chkrootkit-logo.jpg){kind=logo}
$Date: 2009/07/30 14:45:10 $