[cobalt-users] resend of a great post on chkrootkit, appropriate for today's questions

[jale@xxxxxxxxxx]

This was sent to the list last week - instead of saying, go to the 
archives, I'm reposting a message I have referred to a number of times. 
There is some great stuff in this message, especially this command:

(cd /usr/local/chkrootkit-0.37; ./chkrootkit 2>&1 | mail -s "chkrootkit 
output" root)

It emails me a copy of my chkrootkit output (to root). Read below if you 
want good stuff on chkrootkit, I am following this now to add it to my cron.

Jale

> From: "Michelle A. Hoyle" <mahlist@xxxxxxxxxxxxx>
> Subject: Detecting openssl Apache worm (slapper) automatically on your RaQs
> Date: Tue, 17 Sep 2002 13:52:21 -0700
>
> The latest release of ChkRootKit (0.37) now detects the Apache OpenSSL 
> worm (slapper) when run.  The latest version is an easy install on a 
> RaQ.  Here's a set of instructions to help you install it, use it, and get 
> it automated.
>
> Product Name: Chkrootkit-0.37
> Web page: http://www.chkrootkit.org/
> System Requirements: Intel-based RaQ boxes (3 & 4 for sure).
>         Not sure about MIPs-based appliances.
> Your skill level: Must be comfortable with the command line and adding 
> cron jobs to automate the process.
>
> Notes: Lines preceded by a > in the below indicate what you type at the 
> shell prompt.  Do not type the > character.
>
>
>
> 1.) ssh in to your RaQ product as admin.
>
> 2.) cd to your favourite installation/build directory (I use 
> /home/installs/ for non-Cobalt installs)
>
> 3.) > wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
>
> 4.) Check the MD5 sum:
>    > md5sum chkrootkit.tar.gz
>    This should return: b0feebea67655daa440da92099dd5187 chkrootkit.tar.gz
>    If you get something different, do not proceed as there's something 
> suspect with the integrity of the tarball archive.  You can also 
> double-check that a new version hasn't been released from the web site by 
> going to the site and checking the version number and the posted MD5 sum.
>
>
> 5.) > tar -xzf chkrootkit.tar.gz
>    This unpacks your tarball archive.  You should end up with a directory 
> called chkrootkit-0.37
>
> 6.) > cd chkrootkit-0.37
>
> 7.) > make sense
>     This compiles the application for your machine.  It does not, 
> however, install it.
>
> 8.) > cd ../
>
> 9.) > mv chkrootkit-0.37 /usr/local/
>     This moves the entire directory, with its compiled version to the 
> chkrootkit-0.37 directory into /usr/local directory tree.
>
> 10.) > su - root
>      Log in as the root account to your machine.
>
> 11.) > chown -R root:root /usr/local/chkrootkit-0.37
>      This sets the files to be owned by root.  You're now all ready to 
> go.  You can run it as root (must be run as root!) from the command line by:
>     > cd /usr/local/chkrootkit-0.37
>     > ./chkrootkit
>
>     You'll get a pile of output, hopefully most of which says "Not 
> installed" or "Not infected."  The new slapper worm is listed at the end, 
> after it tests your Ethernet ports for promiscuity.
>
> -----
>
> This program is usually more useful when you have it automatically run.  I 
> added the following entry to my crontab to run the process at 01:30 every 
> night and mail me (root) the results.
>
> #check for rootkit nightly
> 30 1 * * * (cd /usr/local/chkrootkit-0.37; ./chkrootkit 2>&1 | mail -s 
> "chkrootkit output" root)
>
> Remember: this must be adding as a root-run job.  I actually have a 
> crontab file for my own root jobs, but you can also add it to 
> /etc/cron.daily by using a short shell script which just the same thing as 
> the crontab line and will run it at 4 am when your RaQ does its normal 
> Cobalt maintenance tasks.
>
> Here's a a set of steps to get a crontab entry for the above using the vi 
> text editor:
> 1.) As root:
>     > crontab -e
>
>     This will open your text editor with a copy of your current crontab 
> entries.  You may not have any, so this will be a big empty screen.  It 
> opens with your system specified editor.  In my case, that was vi.  The 
> remaining instructions apply to vi.  If your system opens with Pico 
> instead, then basically do the same -- paste the line in and save the 
> result, however you do that with Pico.
>
> 2.) Hit the <esc> key on your keyboard a few times to put vi into command 
> mode.
>     If the file is empty:
>       Hit <esc> a few times on your keyboard to put yourself into command 
> mode in vi.
>       Type i (lowercase eye letter) to put yourself into insert mode.
>       Paste the line in.  Make sure it's all on one line without any 
> breaks in it.
>
>     Otherwise if you have something in the file:
>       Type 0G$A  <return> (zero, followed by capital letter gee, followed 
> by the dollar sign, followed by the capital letter aye, followed by the 
> return key) to go to the bottom of the file and start a new line.
>       Paste the lines in.  Make sure the second line (the one starting 
> with 30 1) is all on one line without any breaks in it or it won't work 
> properly.  The previous line is just a comment and should sit on a line 
> of its own.
>
>
> 3.) When you've got that in, hit <esc> a few times to put yourself back 
> into command mode.
>
>     Type :wq <return>  (colon, double-u, que, followed by return key)
>     This tells vi to write out your file and quit.  Your crontab should 
> be updated.
>
>
> You can also set it to run more often and mail you--whatever makes you 
> happy.  As usual, your mileage may vary, this probably voids your 
> warranty, and I offer no guarantees.  (-:
>
> Good luck!
>
> Michelle