RootCheck : Rootkit and Trojan Detector For Linux


What is a rootkit?

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. Once the rootkit is installed, it allows the attacker to mask the intrusion and gain root or privileged access to the computer and, possibly, other machines on the network. A rootkit may consist of spyware and other programs that monitor traffic and keystrokes, create a "backdoor" into the system for the hacker's use, alter log files, attack other machines on the network, and alter existing system tools to escape detection.

What is RootCheck?

RootCheck is open source software that scans the whole system looking for possible problems. It is the rootkit detection, system auditing and policy monitoring component of OSSEC. The result of the scan can be sent by e-mail, and you can choose between HTML or text format. RootCheck is extremely useful on servers, since it scans the server and reports any problems it finds.

It is very simple software: just download, unpack, compile and execute it. It scans the whole system and prints whether or not it found anything.

Installation of RootCheck

Download the tarball directly from the site:
http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz

[root@web ~]# wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
--2016-07-14 23:43:45--  http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
Resolving www.ossec.net... 150.70.191.237
Connecting to www.ossec.net|150.70.191.237|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2016-07-14 23:43:46 ERROR 403: Forbidden.

Note: I tried to download this package using wget but it was showing errors. This link works fine in Microsoft Windows. After googling I found a command; try this out, it worked well.

[root@web ~]# wget -U Mozilla http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
--2016-07-14 23:50:50--  http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
Resolving www.ossec.net... 150.70.191.237
Connecting to www.ossec.net|150.70.191.237|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 163112 (159K) [application/x-gzip]
Saving to: `rootcheck-2.0.tar.gz'

100%[======================================>] 163,112      111K/s   in 1.4s

2016-07-14 23:50:52 (111 KB/s) - `rootcheck-2.0.tar.gz' saved [163112/163112]

[root@web ~]#

[root@web ~]# tar -zxvf rootcheck-2.0.tar.gz

[root@web ~]# cd rootcheck-2.0
[root@web rootcheck-2.0]#

[root@web rootcheck-2.0]# make all
Compiling Rootcheck...

………………….

[root@web rootcheck-2.0]# ./ossec-rootcheck

** Starting Rootcheck v2.0 by Third Brigade        **
** http://www.ossec.net/en/about.html#dev-team     **
** http://www.ossec.net/rootcheck/                 **

Be patient, it may take a few minutes to complete...

[INFO]: Starting rootcheck scan.
[OK]: No presence of public rootkits detected. Analyzed 269 files.
[OK]: No binaries with any trojan detected. Analyzed 79 files.
[OK]: No problem detected on the /dev directory. Analyzed 248 files
[FAILED]: File '/sys/class/scsi_host/host30/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host29/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host28/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host27/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host26/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host25/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host24/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host23/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host22/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host21/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host20/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host19/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host18/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host17/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host16/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host15/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host14/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host13/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host12/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host11/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host10/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host9/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host8/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host7/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host6/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host5/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host4/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host3/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host2/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host1/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/devices/pci0000:00/0000:00:11.0/0000:02:05.0/host2/target2:0:0/2:0:0:0/sw_activity' is:
- owned by root,
- has written permissions to anyone.
[ERR]: Check the following files for more information:
rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)
rootcheck-suid-files.txt (list of suid files)
[OK]: No hidden process by Kernel-level rootkits.
/bin/ps is not trojaned. Analyzed 32768 processes.
[OK]: No kernel-level rootkit hiding any port.
Netstat is acting correctly. Analyzed 131072 ports.
[OK]: The following ports are open:
22 (tcp),53 (tcp),53 (udp),80 (tcp),
443 (tcp),953 (tcp)
[OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.

- Scan completed in 33 seconds.
[INFO]: Ending rootcheck scan.

[root@web rootcheck-2.0]#
[root@web rootcheck-2.0]# ls
db       Makefile         README          rootcheck-rwxrwxrwx.txt   src
LICENSE  ossec-rootcheck  rootcheck.conf  rootcheck-suid-files.txt
[root@web rootcheck-2.0]#
[root@web rootcheck-2.0]#

The command above also wrote two files into the directory, rootcheck-rwxrwxrwx.txt and rootcheck-suid-files.txt, which list the world-writable/executable files and the SUID files it found, so the findings can be analysed in more detail.
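To make the [FAILED] and "hidden process" checks above concrete, here is a simplified re-implementation of two of them in Python. This is an added example written for this page, not rootcheck's own code: the world-writable-file walk (which produced the [FAILED] lines) and the /proc-listing-versus-signal-probe comparison behind "No hidden process by Kernel-level rootkits". The skip list for pseudo-filesystems, the PID upper bound fallback and the report wording are assumptions for illustration.

```python
"""Simplified versions of two rootcheck checks (added example, not rootcheck code)."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    owner_uid: int
    mode: int  # permission bits only, e.g. 0o666

    def describe(self) -> str:
        """Render the finding in the style of the rootcheck report."""
        owner = "root" if self.owner_uid == 0 else f"uid {self.owner_uid}"
        return (f"[FAILED]: File '{self.path}' is:\n"
                f"  - owned by {owner},\n"
                f"  - has write permissions for anyone (mode {self.mode:04o}).")


def _under(path, prefixes):
    """True if path is one of the prefixes or lies beneath one of them."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def world_writable_files(root, skip_prefixes=("/proc", "/sys")):
    """Return regular files under `root` that are writable by 'other' (o+w).

    `skip_prefixes` (assumed here) prunes pseudo-filesystems such as /sys, which
    is where most of the [FAILED] entries in the scan above came from; they still
    deserve a separate triage.  Symlinks are lstat'ed, not followed.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if _under(dirpath, skip_prefixes):
            dirnames[:] = []  # stop descending into the pruned tree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable: skip it, do not abort the scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append(Finding(full, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(findings, key=lambda f: f.path)


def read_pid_max(default=32768):
    """Upper bound of the PID space; Linux exposes it in /proc/sys/kernel/pid_max.
    The fallback value is an assumption (it matches the process count in the scan above)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_proc(proc="/proc"):
    """PIDs the way a listing tool such as ps sees them: numeric entries of /proc."""
    try:
        return {int(n) for n in os.listdir(proc) if n.isdigit()}
    except OSError:
        return set()


def pids_by_probe(max_pid):
    """PIDs that answer a signal-0 probe, whether or not /proc lists them.
    EPERM (PermissionError) still means the process exists; ESRCH means it does not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread(pid, proc="/proc"):
    """True when pid is a non-leader thread: its Tgid in /proc/<pid>/status differs
    from pid.  On Linux thread IDs also answer kill(0) without appearing in the
    /proc listing, so they must not be reported as hidden processes."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError):
        pass
    return False


def hidden_pids(listed, probed, proc="/proc"):
    """Processes that answer a probe but are missing from the listing.  A kernel
    rootkit filtering /proc shows up here; a process started between the two
    snapshots can too, so a real scanner re-checks a candidate before reporting."""
    return {p for p in set(probed) - set(listed) if not is_thread(p, proc)}


def report(findings, hidden):
    lines = [f.describe() for f in findings]
    lines.append(f"[FAILED]: Process(es) hidden from /proc: {sorted(hidden)}"
                 if hidden else "[OK]: No hidden process detected.")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    probed = pids_by_probe(read_pid_max())
    print(report(world_writable_files(scan_root), hidden_pids(pids_from_proc(), probed)))
```

Run it as root with a directory argument to get a report in the same shape as the rootcheck output; the process check only makes sense on Linux, where /proc is available. The thread filter is the part a naive comparison gets wrong: without it, every multi-threaded daemon produces spurious "hidden" PIDs.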

*For more information, visit:
http://www.ossec.net/rootcheck/

*For more information about rootkits:
http://www.ossec.net/rootkits/


Enjoy Linux…It Works ………………!!

(Do share and comment, if you found this post interesting or useful for you )

CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry

” We are born free, No Gate and Windows can snatch our freedom “
