Rootkits are a particularly powerful class of malicious software. An ordinary virus causes visible trouble, but a rootkit keeps itself hidden while doing its damage and harvesting details about the system.

For this reason, scanning for them daily is very important.

Here we’ll show how to set up chkrootkit.

chkrootkit

chkrootkit is another good rootkit scanner. It works well as a second check alongside rkhunter, so that a rootkit one scanner misses doesn’t slip through the other.

apt-get install chkrootkit      # Debian / Ubuntu
dnf install chkrootkit          # Fedora / RHEL family
pacman -Sy chkrootkit           # Arch

The config file may be in /etc/chkrootkit.conf or /etc/chkrootkit/chkrootkit.conf, depending on your distro.

You shouldn’t have to edit it, as normally RUN_DAILY="true" and the other needed settings are already in place.

chkrootkit works on the principle that it first records output describing the system’s state, and afterwards only reports things that differ from that record.

So first, run chkrootkit in quiet mode, which only reports issues:

chkrootkit -q

Check its output and make sure that nothing looks odd. In my case it showed a lot of hidden files, but they all looked okay:

/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document

Then run its cron job, to verify that it is working:

/etc/cron.daily/chkrootkit

Review the output and make sure it all appears good, with no issues.

When it’s done, you’ll see a note at the bottom explaining how to give chkrootkit a stable snapshot of the system, so that from then on it only reports changes:

To create this file containing all output from today's run, do (as root)
# cp -a /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected

If the output looks good, run that:

cp -a /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected

Checking and Excluding Items

Once you’ve done this, I’d recommend restarting your machine when you can. Some of the outputs can rely on the PID of the processes, which obviously change with a reboot.

Similarly, if you use Docker, chkrootkit will likely flag the bridge interfaces Docker uses to connect the containers together.

If either of these things happens, or you otherwise see some line(s) of the output changing from run to run, you’ll likely want to exclude them. See Exclude False Positives from chkrootkit for how to do that.
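The baseline-and-diff idea behind log.expected, plus an exclusion list for the lines that legitimately change (PID-bearing entries, Docker bridge interfaces), as an added example that is not part of the original post or of chkrootkit itself. The two log paths are chkrootkit’s real cron paths; ignore.local is a hypothetical file name chosen for this example, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "log.expected vs
# log.today" comparison the chkrootkit cron job performs, with an extra
# exclusion list for lines that change between runs without being a problem.
TODAY_LOG=/var/log/chkrootkit/log.today
EXPECTED_LOG=/var/log/chkrootkit/log.expected
IGNORE_FILE=/etc/chkrootkit/ignore.local   # hypothetical: one extended regex per line

# new_findings TODAY EXPECTED IGNORE
# Print lines of TODAY that are not literally present in EXPECTED and do not
# match any regex in IGNORE. grep's "no match" status is masked so the caller
# only sees the text.
new_findings() {
    grep -vxFf "$2" "$1" | grep -vEf "$3" || true
}

# check_chkrootkit TODAY EXPECTED IGNORE
# Return 0 when nothing new appeared; otherwise print the new lines and return 1.
check_chkrootkit() {
    findings=$(new_findings "$1" "$2" "$3")
    [ -z "$findings" ] && return 0
    printf 'chkrootkit: new output since baseline:\n%s\n' "$findings"
    return 1
}

# make_sample_logs DIR: write constructed sample logs into DIR for an offline
# run. The docker0 line is modelled on the page's description, not a verbatim
# chkrootkit message; the PID inside it differs between baseline and today.
make_sample_logs() {
    printf '%s\n' \
        '/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document' \
        'docker0: PACKET SNIFFER(/usr/bin/dockerd[812])' > "$1/log.expected"
    printf '%s\n' \
        '/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document' \
        'docker0: PACKET SNIFFER(/usr/bin/dockerd[951])' \
        '/var/tmp/.unexpected' > "$1/log.today"
    printf '%s\n' '^docker0: PACKET SNIFFER' > "$1/ignore.local"
}

# Offline demonstration on the constructed logs. On a real host, pass
# "$TODAY_LOG" "$EXPECTED_LOG" "$IGNORE_FILE" instead.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
if check_chkrootkit "$demo_dir/log.today" "$demo_dir/log.expected" "$demo_dir/ignore.local"; then
    echo "no new findings"
else
    echo "review needed"   # only /var/tmp/.unexpected is reported as new
fi
rm -rf "$demo_dir"
```

The docker0 line is suppressed by the regex even though its PID changed, while the genuinely new hidden file still surfaces; that is the behaviour you want from an exclusion rule.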

Conclusion

And with that, we are a bit more secure, knowing we’ll be alerted to the presence of a rootkit on our system.

For more on rootkits, see how to set up rkhunter.

Jellyfish