Task 3.2: Using a Rootkit Checker

It is of the utmost importance that as a security professional you maintain control of your systems and be able to detect whether an attacker has compromised any of your systems. One of the most common tools an attacker will use is a rootkit. Rootkits are nasty pieces of malware. Attackers use rootkits to gain control of a victim’s system. Rootkits contain tools to replace executables for many of the operating system’s critical components. Once an attacker has installed a rootkit, it can be used to hide evidence of the bad guy’s presence and to give them backdoor access to the system at will. Once the rootkit is installed, the attacker can come and go at any time and their activities will be hidden from the administrator. Some rootkits even contain log cleaners that attempt to remove all traces of an attacker’s presence from the log files.

Rootkits can be divided into two basic types. Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, or ps with Trojaned versions. These Trojaned versions have been written to hide certain processes or information from the administrator. The second type of rootkit is the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension. Both types can be a real problem. If you suspect that a computer has been infected with a rootkit, you will need to run a rootkit checker on the system to ensure that it has not been compromised. This will be your objective for this task.

Scenario

One of your clients has asked you to examine a Linux server. Your client is worried that a former employee may have compromised the system by installing a rootkit on it before quitting. Your task will be to examine the system and verify its integrity.

Scope of Task

Duration

This task should take about 30 minutes.

Setup

For this task you will need a Linux computer and an Internet connection, and you must have the ability to download files.

Caveat

When working with the Linux system, you will need access to the root account. You will want to use this account carefully. The root account has full and complete control of the Linux system. The root account has complete access to all files and commands, can modify the system in any way, and can grant and revoke any permissions. Unlike with Windows systems, you may not be prompted several times before a critical change is made.

Procedure

In this task, you will learn how to run a rootkit checker on a Linux system.

Equipment Used

For this task, you must have:

  • A Linux system (such as Red Hat or equivalent)
  • A CD-based version of Linux (such as BackTrack or Knoppix)
  • Access to the root account

Details

This task will progress through several steps. First you must download the rootkit checker and install it. Then you will execute it and examine its various options. The tool used in this task is Rootkit Hunter. Rootkit Hunter is an open source tool that checks machines running Linux for the presence of rootkits and other unwanted tools. You can learn more about Rootkit Hunter and verify that Rootkit Hunter has been tested on the Linux system you are using by visiting the site at www.rootkit.nl/projects/rootkit_hunter.html.

Downloading and Installing Rootkit Hunter

1. Once you have accessed your Linux system, you will need to open a root terminal and download Rootkit Hunter. To do so, you must enter the following at the command-line shell:

wget http://downloads.rootkit.nl/rkhunter-version.tar.gz


In place of version you must enter the current version number of the software. As of this writing, version 1.3.8 is the most current version, so you would enter rkhunter-1.3.8.tar.gz.

2. Once the download is completed, you will need to unpack the archived file. Enter the following from the command line:

tar zxf rkhunter-version.tar.gz

This will extract the Rootkit Hunter files.

3. To install Rootkit Hunter, you first need to change directories. The install directory will be the one below your current location. Enter cd rkhunter.

4. Once you are in the proper directory, you need to run the installer. This will complete the installation. Enter ./installer.sh.

5. You should be able to see that the installation was completed successfully. This code shows the type of syntax of a successful installation:

Rootkit Hunter installer 1.3.8 (Copyright 2004-2009, Michael Boelen)
---------------
Starting installation/update

Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Exists
- Checking /usr/local/rkhunter/etc...Exists
- Checking /usr/local/rkhunter/bin...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/db...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Exists
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... Skipped (no overwrite)
Installing RK Hunter binary... OK
Configuration already updated.

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information.
Run 'rkhunter' (/usr/local/bin/rkhunter)

Running Rootkit Hunter

1. Once Rootkit Hunter is installed, you are ready to run it. A variety of options are available to you. To perform a complete check of the system, run rkhunter --checkall.

2. Rootkit Hunter can search for many different types of rootkits. Here is a partial list:

  • 5808 Trojan, Variant A
  • Ambient (ark) Rootkit
  • Apache Worm
  • Balaur Rootkit
  • Beastkit
  • beX2
  • BOBKit
  • CiNIK Worm (Slapper.B variant)
  • Devil Rootkit
  • Dica
  • Dreams Rootkit
  • Duarawkz Rootkit
  • Flea Linux Rootkit
  • FreeBSD Rootkit
  • GasKit
  • Heroin LKM
  • HjC Rootkit
  • ignoKit
  • ImperalsS-FBRK
  • Irix Rootkit
  • Kitko
  • Knark
  • Li0n Worm
  • Lockit/LJK2
  • mod_rootme (Apache backdoor)
  • MRK
  • Ni0 Rootkit
  • NSDAP (Rootkit for SunOS)
  • Optic Kit (Tux)
  • Oz Rootkit
  • Portacelo
  • R3dstorm Toolkit
  • RH-Sharpe's Rootkit
  • RSHA's Rootkit
  • Scalper Worm
  • Shutdown
  • SHV4 Rootkit
  • SHV5 Rootkit
  • Sin Rootkit
  • Slapper
  • Sneakin Rootkit
  • SunOS Rootkit
  • Superkit
  • TBD (Telnet BackDoor)
  • TeLeKiT
  • T0rn Rootkit
  • Trojanit Kit
  • URK (Universal Rootkit)
  • VcKit
  • Volc Rootkit
  • X-Org SunOS Rootkit
  • zaRwT.KiT Rootkit

3. Once the scan is completed, you should receive a message that is similar to the following:

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 4

Scanning took 15748 seconds

----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)

----------------------------------------------------------------------

In this example you were lucky to find that the system had not been infected, but if it had been, you would be faced with additional challenges, primarily because it is almost impossible to clean up a rootkit. Since hiding is the main purpose of a rootkit, it is difficult to see whether all remnants of the infection have been removed. You should always rebuild from known-good media. Should you find a rootkit, the program will return a message similar to this:

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 362
Possible infected files: 1
Netstat possible infected

Application scan
Vulnerable applications: 4

Scanning took 14631 seconds

----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
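The following script is an added example, not part of the book or of the rkhunter project: it reads a Scan results summary of the form shown above and turns it into a verdict, applying the rule from the text that any flagged file or bad checksum means the host must be rebuilt from known-good media. The two summaries it works on are constructed from the sample output above rather than captured from a real system.

```shell
# Added example, not from the book or the rkhunter project: grade an rkhunter
# "Scan results" summary. Both summaries are constructed from the page's output.

CLEAN_RESULTS='Incorrect MD5 checksums: 0
Scanned files: 342
Possible infected files: 0
Vulnerable applications: 4'

INFECTED_RESULTS='Incorrect MD5 checksums: 0
Scanned files: 362
Possible infected files: 1
Netstat possible infected
Vulnerable applications: 4'

# Print the integer following "<label>:" in the summary read from stdin (0 if absent).
summary_count() {
    n=$(sed -n "s/^$1: *\([0-9][0-9]*\).*/\1/p" | head -n 1)
    echo "${n:-0}"
}

# Print the binaries rkhunter flagged ("Netstat possible infected" -> "Netstat").
flagged_files() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\) possible infected$/\1/p'
}

# Exit status: 0 = clean, 2 = only vulnerable applications (patch them),
# 1 = rootkit suspected (rebuild from known-good media, as the text advises).
rkhunter_verdict() {
    results="$1"
    bad_md5=$(printf '%s\n' "$results" | summary_count 'Incorrect MD5 checksums')
    infected=$(printf '%s\n' "$results" | summary_count 'Possible infected files')
    vulnapps=$(printf '%s\n' "$results" | summary_count 'Vulnerable applications')
    if [ "$bad_md5" -gt 0 ] || [ "$infected" -gt 0 ]; then
        echo "ROOTKIT SUSPECTED: $infected flagged file(s), $bad_md5 bad checksum(s):" \
             "$(flagged_files "$results" | tr '\n' ' ')"
        return 1
    elif [ "$vulnapps" -gt 0 ]; then
        echo "No rootkit found, but $vulnapps vulnerable application(s) need patching"
        return 2
    fi
    echo "CLEAN"
    return 0
}

for r in "$CLEAN_RESULTS" "$INFECTED_RESULTS"; do
    rkhunter_verdict "$r" || :   # a nonzero status is the verdict, not an error
done
```

On a real host, feed the script the output of rkhunter --checkall instead of the constructed summaries.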

Criteria for Completion

You have completed this task when you have downloaded Rootkit Hunter, installed it on a Linux system, and scanned the system for rootkits.
