Is there a rootkit hunter in your arsenal?
Thursday, 8 April 2004 15:38 EST
It's been about three years since I woke up one morning and discovered my Web/mail server was rooted. Thinking back, I must have assumed that just running Linux was enough to keep me out of harm's way. These days I am not so cocky. I try to keep current with security patches for the apps I run. I don't run services I don't need or use. And there is a firewall between me and the wild. One thing I haven't made a part of my regular routine -- not yet, at least -- is checking for rootkits on a regular basis. That may be about to change, since I found a nifty little project called rootkit hunter.
Michael Boelen was motivated to create rootkit hunter one day after he and a friend accidentally scanned a machine with a brand new installation of FreeBSD 5.0. The machine had no Internet connection, and yet the tool they used, chkrootkit, reported "backdoored" binaries. Since chkrootkit is open source, they looked at the code and found that a reserved keyword for a new option in FreeBSD was causing the false positive. As a result, he decided to write his own script from scratch. Not because he disliked chkrootkit -- he says he still uses it -- but simply to create a tool for a "second opinion" when chkrootkit indicated a problem.
Boelen's "second opinion" script is now more than 3,000 lines long. It will run on virtually any flavor of Unix. It calls other shell or Perl scripts to check whether a module is running, see which ports are open, generate MD5 checksums, and scan critical directories for tell-tale "evil" strings that give away the presence of certain kits.
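The MD5 checksum check mentioned above, as an added example that is not rkhunter's or the article's own code: a POSIX shell script that takes a baseline of a directory on a known-clean system and, on a later run, reports files that changed, vanished or were planted. The scratch directory, file contents and the md5_of/make_baseline/check_baseline function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal MD5 baseline check in the style
# of a rootkit hunter. A baseline of a directory is taken on a known-clean system; a
# later run reports files that changed, vanished or appeared. Demo uses a scratch dir.

md5_of() {                           # GNU coreutils md5sum or BSD md5
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Emit "hash path" for every regular file under $1, sorted so output is stable.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(md5_of "$f")" "$f"
    done
}

# Compare directory $1 against baseline file $2. Prints CHANGED/MISSING/NEW lines;
# returns 0 when the tree matches the baseline, 1 when anything differs.
check_baseline() {
    out=$(
        while read -r hash path; do                     # baseline entries
            if [ ! -f "$path" ]; then echo "MISSING $path"
            elif [ "$(md5_of "$path")" != "$hash" ]; then echo "CHANGED $path"
            fi
        done < "$2"
        find "$1" -type f | LC_ALL=C sort | while read -r path; do   # planted files
            cut -d' ' -f2- "$2" | grep -qxF -- "$path" || echo "NEW $path"
        done
    )
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed scenario: a fake sbin with two "binaries"; one is replaced by a
# trojaned copy, one is deleted, and a hidden file is dropped in.
run_demo() {
    d=$(mktemp -d) && mkdir "$d/sbin"
    printf 'original ls\n' > "$d/sbin/ls"
    printf 'original ps\n' > "$d/sbin/ps"
    make_baseline "$d/sbin" > "$d/baseline.md5"      # taken while still clean
    printf 'trojaned ps\n' > "$d/sbin/ps"
    rm "$d/sbin/ls"
    printf 'dropped\n' > "$d/sbin/.hidden"
    check_baseline "$d/sbin" "$d/baseline.md5" | sed "s|$d/sbin/||"
    rm -rf "$d"
}
run_demo
```

A real deployment would store the baseline file off the host (or on read-only media), since a kit that can replace binaries can also rewrite a baseline kept beside them.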