[cobalt-users] Detecting openssl Apache worm (slapper) automatically on your RaQs
- From: "Michelle A. Hoyle" <mahlist@xxxxxxxxxxxxx>
- Date: Tue Sep 17 14:03:04 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
The latest release of ChkRootKit (0.37) now detects the Apache
OpenSSL worm (slapper) when run. The latest version is an easy
install on a RaQ. Here's a set of instructions to help you install
it, use it, and get it automated.
Product Name: Chkrootkit-0.37
Web page: http://www.chkrootkit.org/
System Requirements: Intel-based RaQ boxes (3 & 4 for sure).
Not sure about MIPS-based appliances.
Your skill level: Must be comfortable with the command line and
adding cron jobs to automate the process.
Notes: Lines preceded by a > in the below indicate what you type at
the shell prompt. Do not type the > character.
1.) ssh in to your RaQ product as admin.
2.) cd to your favourite installation/build directory (I use
/home/installs/ for non-Cobalt installs)
3.) > wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4.) Check the MD5 sum:
> md5sum chkrootkit.tar.gz
This should return: b0feebea67655daa440da92099dd5187 chkrootkit.tar.gz
If you get something different, do not proceed: the tarball is either
corrupt or has been tampered with. A sum quoted in a mailing list post
only proves the file you fetched is the one the poster fetched, so also
visit the web site, confirm that a newer version hasn't been released,
and compare the MD5 sum posted there.
5.) > tar -xzf chkrootkit.tar.gz
This unpacks your tarball archive. You should end up with a
directory called chkrootkit-0.37
6.) > cd chkrootkit-0.37
7.) > make sense
This compiles the application for your machine (the Makefile target
really is called "sense"). It does not, however, install it.
8.) > cd ../
9.) > mv chkrootkit-0.37 /usr/local/
This moves the entire directory, compiled binaries included, into the
/usr/local tree as /usr/local/chkrootkit-0.37.
10.) > su - root
Log in as the root account to your machine.
11.) > chown -R root:root /usr/local/chkrootkit-0.37
This sets the files to be owned by root. You're now all ready
to go. You can run it as root (must be run as root!) from the
command line by:
> cd /usr/local/chkrootkit-0.37
> ./chkrootkit
You'll get a pile of output, hopefully most of which says "not
found" or "not infected." The new slapper check is listed near the
end, after it checks your network interfaces for promiscuous mode.
Bear in mind that chkrootkit only tells you about an infection after
it has happened: a clean run is no substitute for updating the
OpenSSL/mod_ssl packages the worm gets in through.
-----
This program is usually more useful when you have it automatically
run. I added the following entry to my crontab to run the process at
01:30 every night and mail me (root) the results.
#check for rootkit nightly
30 1 * * * (cd /usr/local/chkrootkit-0.37; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
Remember: this must be added as a root-run job. I actually have a
crontab file for my own root jobs, but you can also add it to
/etc/cron.daily as a short shell script that does just the same
thing as the crontab line; it will then run at 4 am when your RaQ does
its normal Cobalt maintenance tasks.
Here's a set of steps to get a crontab entry for the above using
the vi text editor:
1.) As root:
> crontab -e
This will open your text editor with a copy of your current
crontab entries. You may not have any, so this will be a big empty
screen. It opens with your system specified editor. In my case,
that was vi. The remaining instructions apply to vi. If your system
opens with Pico instead, then basically do the same -- paste the line
in and save the result, however you do that with Pico.
2.) Hit the <esc> key on your keyboard a few times to put vi into
command mode.
If the file is empty:
Type i (lowercase letter i) to put yourself into insert mode.
Paste the line in. Make sure it's all on one line without any
breaks in it.
Otherwise if you have something in the file:
Type G$A <return> (capital G, followed by the dollar sign,
followed by capital A, followed by the return key) to go to the
bottom of the file and start a new line.
Paste the lines in. Make sure the second line (the one
starting with 30 1) is all on one line without any breaks in it or it
won't work properly. The previous line is just a comment and should
sit on a line of its own.
3.) When you've got that in, hit <esc> a few times to put yourself
back into command mode.
Type :wq <return> (colon, w, q, followed by the return key)
This tells vi to write out your file and quit. Your crontab
should be updated.
You can also set it to run more often and mail you--whatever makes
you happy. As usual, your mileage may vary, this probably voids your
warranty, and I offer no guarantees. (-:
Good luck!
Michelle
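The install steps and the nightly cron job from the message above, as one added script (this is not Michelle's code nor part of chkrootkit): it downloads the tarball, refuses to unpack it when the MD5 sum differs, builds with "make sense", moves the tree to /usr/local, and writes an /etc/cron.daily wrapper that mails root and puts ATTENTION in the subject whenever chkrootkit prints anything other than the usual clean answers (or nothing at all, which means the run failed). The build directory, install prefix, recipient and the list of "clean" phrases are hypothetical choices made for this example; the URL and MD5 sum are the ones quoted in the post. Run it as root with the argument "install"; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not code from the post above or from chkrootkit itself.
# Hypothetical choices for this example: BUILD_DIR, PREFIX, MAILTO and
# CLEAN_PATTERN below. The MD5 sum and URL are the ones quoted in the post;
# re-check both against chkrootkit.org before trusting them.
set -eu

CHK_VER="0.37"
CHK_TARBALL="chkrootkit.tar.gz"
CHK_URL="ftp://ftp.pangeia.com.br/pub/seg/pac/$CHK_TARBALL"
CHK_MD5="b0feebea67655daa440da92099dd5187"
BUILD_DIR="${BUILD_DIR:-/home/installs}"
PREFIX="${PREFIX:-/usr/local}"
MAILTO="${MAILTO:-root}"
# Report lines that mean "clean" (hypothetical list). Anything else, such as
# INFECTED, a Warning, PROMISC or a message you have never seen, is worth a
# human's attention, so unknown output is treated as dirty on purpose.
CLEAN_PATTERN='not infected|not found|nothing found|no suspect files|nothing detected|not tested|not promisc|^ROOTDIR is|^$'

# verify_md5 FILE EXPECTED: return 0 if FILE's md5 equals EXPECTED, else 1.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# is_clean_report: read a chkrootkit report on stdin; return 0 when every
# line matches CLEAN_PATTERN, 1 when any other line is present or the
# report is empty (an empty report means chkrootkit did not run).
is_clean_report() {
    tmp=$(mktemp)
    cat > "$tmp"
    if [ ! -s "$tmp" ] || grep -Ev "$CLEAN_PATTERN" "$tmp" | grep -q .; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    return 0
}

# install_chkrootkit: steps 2 to 11 of the post, run as root. Stops before
# unpacking if the checksum does not match.
install_chkrootkit() {
    mkdir -p "$BUILD_DIR"
    cd "$BUILD_DIR"
    wget -O "$CHK_TARBALL" "$CHK_URL"
    if ! verify_md5 "$CHK_TARBALL" "$CHK_MD5"; then
        echo "MD5 mismatch on $CHK_TARBALL; not installing" >&2
        return 1
    fi
    tar -xzf "$CHK_TARBALL"
    (cd "chkrootkit-$CHK_VER" && make sense)
    mv "chkrootkit-$CHK_VER" "$PREFIX/"
    chown -R root:root "$PREFIX/chkrootkit-$CHK_VER"
}

# write_cron_daily [PATH]: write the nightly wrapper (default
# /etc/cron.daily/chkrootkit). Keep the file name free of dots: some
# run-parts versions skip names that contain one.
write_cron_daily() {
    target="${1:-/etc/cron.daily/chkrootkit}"
    cat > "$target" <<EOF
#!/bin/sh
# Nightly chkrootkit run, generated by the install script; cron.daily runs it as root.
cd "$PREFIX/chkrootkit-$CHK_VER" || exit 1
report=\$(./chkrootkit 2>&1)
if [ -z "\$report" ] || printf '%s\n' "\$report" | grep -Ev '$CLEAN_PATTERN' | grep -q .; then
    subject="chkrootkit: ATTENTION on \$(hostname)"
else
    subject="chkrootkit: clean on \$(hostname)"
fi
printf '%s\n' "\$report" | mail -s "\$subject" $MAILTO
EOF
    chmod 755 "$target"
}

# "install" does everything; no argument only defines the functions.
case "${1:-}" in
    install) install_chkrootkit && write_cron_daily ;;
esac
```

The full report is still mailed every night, as in the original crontab line, so you keep the daily proof that the job ran; the subject line is what lets you spot the one mail that matters without reading the other thirty.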