Task 3.2: Using a Rootkit Checker
It is of the utmost importance that, as a security professional, you maintain control of your systems and are able to detect whether an attacker has compromised any of them. One of the most common tools an attacker will use is a rootkit. Rootkits are nasty pieces of malware. Attackers use rootkits to gain control of a victim's system. Rootkits contain tools to replace executables for many of the operating system's critical components. Once a rootkit is installed, it hides evidence of the bad guy's presence and gives the attacker backdoor access, so they can come and go at any time while their activities remain hidden from the administrator. Some rootkits even contain log cleaners that attempt to remove all traces of an attacker's presence from the log files.
Rootkits can be divided into two basic types. Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, or ps, with Trojaned versions. These Trojaned versions have been written to hide certain processes or information from the administrator. The second type of rootkit is the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension. Both types can be a real problem. If you suspect that a computer has been infected with a rootkit, you will need to run a rootkit checker on the system to determine whether it has been compromised. This will be your objective for this task.
Scenario
One of your clients has asked you to examine a Linux server. Your client is worried that a former employee may have compromised the system by installing a rootkit on it before quitting. Your task will be to examine the system and verify its integrity.
Scope of Task
Duration
This task should take about 30 minutes.
Setup
For this task you will need a Linux computer and an Internet connection, and you must have the ability to download files.
Caveat
When working with the Linux system, you will need access to the root account. Use this account carefully: root has full and complete control of the Linux system, has complete access to all files and commands, can modify the system in any way, and can grant and revoke any permissions. Unlike with Windows systems, you may not be prompted several times before a critical change is made.
Procedure
In this task, you will learn how to run a rootkit checker on a Linux system.
Equipment Used
For this task, you must have:
Details
This task will progress through several steps. First you must download the rootkit checker and install it. Then you will execute it and examine its various options. The tool used in this task is Rootkit Hunter. Rootkit Hunter is an open source tool that checks machines running Linux for the presence of rootkits and other unwanted tools. You can learn more about Rootkit Hunter and verify that Rootkit Hunter has been tested on the Linux system you are using by visiting the site at www.rootkit.nl/projects/rootkit_hunter.html.
Downloading and Installing Rootkit Hunter
1. Once you have accessed your Linux system, you will need to open a root terminal and download Rootkit Hunter. To do so, you must enter the following at the command-line shell:
wget http://downloads.rootkit.nl/rkhunter-version.tar.gz
The version syntax will require you to enter the current version of the software. As of this writing, version 1.3.8 is the most current version, so you would enter rkhunter-1.3.8.tar.gz.
2. Once the download is completed, you will need to unpack the archived file. Enter the following from the command line:
tar zxf rkhunter-version.tar.gz
This will extract the Rootkit Hunter files.
3. To install Rootkit Hunter, you first need to change directories. The install directory will be the one below your current location. Enter cd rkhunter.
4. Once you are in the proper directory, you need to run the installer. This will complete the installation. Enter ./installer.sh.
5. You should be able to see that the installation was completed successfully. This code shows the type of syntax of a successful installation:
Rootkit Hunter installer 1.3.8 (Copyright 2004-2009, Michael Boelen)
--------------------------------------------------------------------
Starting installation/update
Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Exists
- Checking /usr/local/rkhunter/etc...Exists
- Checking /usr/local/rkhunter/bin...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/db...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Exists
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... Skipped (no overwrite)
Installing RK Hunter binary... OK
Configuration already updated.
Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information.
Run 'rkhunter' (/usr/local/bin/rkhunter)
Running Rootkit Hunter
1. Once Rootkit Hunter is installed, you are ready to run it. A variety of options are available to you. To perform a complete check of the system, run rkhunter --checkall as root.
2. Rootkit Hunter can search for many different types of rootkits. Here is a partial list:
5808 Trojan - Variant A
Ambient (ark) Rootkit
Apache Worm
Balaur Rootkit
Beastkit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Devil Rootkit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit/LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (Rootkit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe’s Rootkit
RSHA’s Rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal Rootkit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit
3. Once the scan is completed, you should receive a message that is similar to the following:
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4
Scanning took 15748 seconds
----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
----------------------------------------------------------------------
In this example you were lucky to find that the system had not been infected, but if it had been, you would face additional challenges, primarily because a rootkit is almost impossible to clean up. Since hiding is the main purpose of a rootkit, it is difficult to tell whether all remnants of the infection have been removed. You should always rebuild from known-good media. Should you find a rootkit, the program will return a message similar to this:
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 362
Possible infected files: 1
Netstat possible infected
Application scan
Vulnerable applications: 4
Scanning took 14631 seconds
----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
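The "MD5 compared", "Incorrect MD5 checksums" and "Netstat possible infected" lines in the scan results come from comparing the installed binaries against a database of known-good file hashes, which is why the installer put a "Database Default file hashes" in place. The shell script below is an added example, not code from Rootkit Hunter or from this task, of that same baseline-and-compare idea applied to the binaries named at the start of the task; it assumes sha256sum (or shasum) is installed and uses its own simple "digest  path" baseline format, not rkhunter's database.

```sh
#!/bin/sh
# Added example (not rkhunter's own code): a minimal known-good-hash check in
# the spirit of rkhunter's "MD5 compared / Incorrect MD5 checksums" stage.
# Assumptions: sha256sum or shasum is installed; the "digest  path" baseline
# file format is our own, not rkhunter's database format.

# Binaries that classic binary-replacement rootkits swap for Trojaned copies.
CRITICAL_BINS="ls ifconfig inetd killall login netstat passwd pidof ps"

# hash_file PATH: print the SHA-256 digest of PATH.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline OUTFILE NAME...: record "digest  path" for each NAME found on
# PATH. Take the baseline on a system you trust (fresh install from good media)
# and keep OUTFILE off the box, otherwise a rootkit is simply baselined in.
make_baseline() {
    out=$1; shift
    : > "$out"
    for name in "$@"; do
        path=$(command -v "$name" 2>/dev/null) || continue
        printf '%s  %s\n' "$(hash_file "$path")" "$path" >> "$out"
    done
}

# check_baseline FILE: re-hash every recorded path. Prints a CHANGED or
# MISSING line per problem and returns 1 if any binary differs, else 0.
check_baseline() {
    rc=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        if [ "$(hash_file "$path")" != "$digest" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Typical use (as root): make_baseline /root/bins.sha256 $CRITICAL_BINS
#                        check_baseline /root/bins.sha256   # later, on demand
```

A file-hash check like this only sees the first type of rootkit (replaced binaries), not a loadable kernel module, and it is only as trustworthy as the baseline and the shell and hash tools used to take it, which is why the task tells you to rebuild from known-good media rather than clean up in place.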
Criteria for Completion
You have completed this task when you have downloaded Rootkit Hunter, installed it on a Linux system, and scanned the system for rootkits.