RootCheck : Rootkit and Trojan Detector For Linux


What is a rootkit?

A rootkit is a collection of tools (programs) that give an attacker administrator-level access to a computer or computer network while hiding that access. Typically, an attacker installs a rootkit after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. Once installed, the rootkit masks the intrusion and provides root or privileged access to the host and, possibly, to other machines on the network. A rootkit may include spyware and other components that monitor traffic and keystrokes, create a "backdoor" into the system for the attacker's use, alter log files, attack other machines on the network, and replace existing system tools (ps, netstat, ls and the like) so that the intrusion escapes detection.

What is RootCheck?

RootCheck is the open source rootkit detection, system auditing and policy monitoring component of OSSEC, also distributed as a standalone tool. It scans the whole system looking for known rootkit files, trojaned system binaries, suspicious entries in /dev, processes and ports hidden by kernel-level rootkits, interfaces in promiscuous mode, and dangerous file permissions (world-writable and SUID files). The result of the scan can be sent by e-mail in either HTML or text format. RootCheck is extremely useful on servers, because it scans the server and reports any problems it finds.

It is a very simple program: download, unpack, compile and execute it. It will scan the whole system and print whether or not it found anything.

Installation of RootCheck

To download directly from the site
http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz

[root@host ~]# wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
--2016-07-14 23:43:45--  http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
Resolving www.ossec.net... 150.70.191.237
Connecting to www.ossec.net|150.70.191.237|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2016-07-14 23:43:46 ERROR 403: Forbidden.

Note: I tried to download this package using wget, but it showed errors. This link works fine in Microsoft Windows. After googling I found a command; try this out, it worked well.

[root@host ~]# wget -U Mozilla http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
--2016-07-14 23:50:50--  http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
Resolving www.ossec.net... 150.70.191.237
Connecting to www.ossec.net|150.70.191.237|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 163112 (159K) [application/x-gzip]
Saving to: `rootcheck-2.0.tar.gz'

100%[======================================>] 163,112      111K/s   in 1.4s

2016-07-14 23:50:52 (111 KB/s) - `rootcheck-2.0.tar.gz' saved [163112/163112]

[root@host ~]#
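The -U option only changes the User-Agent header wget sends, which is why the second request got through where the first was refused; it does nothing for the integrity of what comes back. The tarball arrives over plain HTTP and is then compiled and executed as root on the very host being inspected, so a practitioner should check it against a hash obtained from a trusted source before unpacking it. The following is an added example (not part of the original post and not OSSEC's own tooling); the expected SHA-256 is a parameter because the post does not publish one, and the all-zero hash in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): verify a
# downloaded tarball against a known SHA-256 before unpacking and building
# it as root. The expected hash must come from a trusted source (project
# site over HTTPS, a release signature, a previously verified copy), never
# from the same plain-HTTP location as the tarball itself.

# sha256_of FILE -> prints the hex SHA-256 of FILE (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch
# or when FILE is missing. Hex digits are compared case-insensitively.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_SHA256 [FILE] -> download with an explicit
# User-Agent (the post needed -U Mozilla to avoid a 403), then verify.
# An unverified file is removed rather than left behind for "make all".
fetch_and_verify() {
    url=$1; expected=$2; out=${3:-$(basename "$url")}
    wget -q -U Mozilla -O "$out" "$url" || { echo "download failed: $url" >&2; return 1; }
    verify_tarball "$out" "$expected" || { rm -f "$out"; return 1; }
}

# Typical use (the hash below is a placeholder; substitute the trusted value):
#   fetch_and_verify http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz \
#       0000000000000000000000000000000000000000000000000000000000000000 \
#   && tar -zxvf rootcheck-2.0.tar.gz
```

Only proceed to tar, make and ./ossec-rootcheck when verify_tarball prints OK; a mismatch means the archive is not the one the hash was taken from, whatever the cause.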

[root@host ~]# tar -zxvf rootcheck-2.0.tar.gz

[root@host ~]# cd rootcheck-2.0
[root@host rootcheck-2.0]#

[root@host rootcheck-2.0]# make all
Compiling Rootcheck...

....

[root@host rootcheck-2.0]# ./ossec-rootcheck

** Starting Rootcheck v2.0 by Third Brigade        **
** http://www.ossec.net/en/about.html#dev-team     **
** http://www.ossec.net/rootcheck/                 **

Be patient, it may take a few minutes to complete…

[INFO]: Starting rootcheck scan.
[OK]: No presence of public rootkits detected. Analyzed 269 files.
[OK]: No binaries with any trojan detected. Analyzed 79 files.
[OK]: No problem detected on the /dev directory. Analyzed 248 files
[FAILED]: File '/sys/class/scsi_host/host30/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host29/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host28/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host27/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host26/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host25/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host24/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host23/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host22/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host21/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host20/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host19/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host18/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host17/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host16/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host15/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host14/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host13/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host12/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host11/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host10/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host9/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host8/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host7/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host6/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host5/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host4/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host3/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host2/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host1/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/devices/pci0000:00/0000:00:11.0/0000:02:05.0/host2/target2:0:0/2:0:0:0/sw_activity' is:
- owned by root,
- has written permissions to anyone.
[ERR]: Check the following files for more information:
rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)
rootcheck-suid-files.txt (list of suid files)
[OK]: No hidden process by Kernel-level rootkits.
/bin/ps is not trojaned. Analyzed 32768 processes.
[OK]: No kernel-level rootkit hiding any port.
Netstat is acting correctly. Analyzed 131072 ports.
[OK]: The following ports are open:
22 (tcp),53 (tcp),53 (udp),80 (tcp),
443 (tcp),953 (tcp)
[OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.

- Scan completed in 33 seconds.
[INFO]: Ending rootcheck scan.

[root@host rootcheck-2.0]#
[root@host rootcheck-2.0]# ls
db       Makefile         README          rootcheck-rwxrwxrwx.txt   src
LICENSE  ossec-rootcheck  rootcheck.conf  rootcheck-suid-files.txt
[root@host rootcheck-2.0]#

The scan wrote two report files into the working directory: rootcheck-rwxrwxrwx.txt (every world-writable or world-executable file it found) and rootcheck-suid-files.txt (every SUID file). Review both after each run. The db directory holds the signature lists used by the known-rootkit and trojaned-binary checks, and rootcheck.conf is the tool's configuration.

Reading the result above: the rootkit checks proper (known rootkit files, trojaned binaries, /dev, processes hidden from ps, ports hidden from netstat, interfaces) all passed. Every [FAILED] entry is a world-writable attribute file under /sys. Those are kernel-exported pseudo-files rather than files stored on disk, so confirm their mode with stat and check whether it is expected for the running kernel and drivers before treating them as evidence of an intrusion; a world-writable file under /etc, /usr or /bin would be a different matter. Keep in mind as well that rootcheck runs on the host it inspects, using that host's kernel and libraries, so a kernel-level rootkit that controls what the kernel reports can also subvert these checks: a clean result lowers suspicion but does not prove the host is clean.
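One way to triage a run like the one above, separating findings on kernel pseudo-filesystems from findings on the real filesystem and cross-checking the latter with find(1). This is an added example, not rootcheck's own code; the sample output is constructed to mirror the format shown above, and the path /usr/local/bin/backup.sh in it is invented for illustration.

```shell
#!/bin/sh
# Added example (not part of rootcheck): triage [FAILED] entries from a
# rootcheck run. sample_output() is a constructed stand-in for
# "./ossec-rootcheck" output; /usr/local/bin/backup.sh is an invented path.

sample_output() {
    cat <<'EOF'
[INFO]: Starting rootcheck scan.
[OK]: No presence of public rootkits detected. Analyzed 269 files.
[FAILED]: File '/sys/class/scsi_host/host2/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/sys/class/scsi_host/host1/em_message' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/usr/local/bin/backup.sh' is:
- owned by root,
- has written permissions to anyone.
[OK]: No hidden process by Kernel-level rootkits.
- Scan completed in 33 seconds.
EOF
}

# failed_paths: read rootcheck output on stdin, print one flagged path per line.
failed_paths() {
    sed -n "s/^\[FAILED\]: File '\([^']*\)' is:.*/\1/p"
}

# real_fs_paths: drop kernel pseudo-filesystems (/sys, /proc). Their
# attribute files are exported by the kernel, not stored on disk, so they
# are checked separately rather than as on-disk permission problems.
real_fs_paths() {
    grep -v -e '^/sys/' -e '^/proc/'
}

# triage: summarise rootcheck output from stdin. Returns 1 (and lists the
# paths) when any finding lies outside /sys and /proc, 0 otherwise.
triage() {
    all=$(failed_paths)
    total=$(printf '%s\n' "$all" | grep -c . || true)
    real=$(printf '%s\n' "$all" | real_fs_paths || true)
    nreal=$(printf '%s\n' "$real" | grep -c . || true)
    echo "flagged: $total, outside /sys and /proc: $nreal"
    [ "$nreal" -gt 0 ] || return 0
    printf '%s\n' "$real"
    return 1
}

# world_writable_in DIR: independent cross-check with find(1), listing
# regular files under DIR (same filesystem only) writable by others.
world_writable_in() {
    find "$1" -xdev -type f -perm -o+w -print 2>/dev/null | sort
}

# Usage against a real run:
#   ./ossec-rootcheck | tee rootcheck.log | triage || echo "needs attention"
#   world_writable_in /etc; world_writable_in /usr/local
```

A non-zero exit from triage is the signal worth paging on; the /sys entries still deserve a look, but separately and with the driver documentation at hand.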

*For more information, visit:
http://www.ossec.net/rootcheck/

*For more information about rootkits:
http://www.ossec.net/rootkits/


CEO, KV IT-Solutions Pvt. Ltd. | 9810028374 |
Linux Professional and an Industrial Trainer | 20+ years experience in the IT industry

” We are born free, No Gate and Windows can snatch our freedom “
