How to install and use chkrootkit

Installation & Use

  1. SSH into your server by your normal means.
  2. Switch from your normal user to root:
    su - root
  3. Change to the source directory and download the chkrootkit files:
    cd /usr/local/src
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  4. Verify the MD5 checksum to make sure the archive was not corrupted or altered in transit. Compare the hash printed by md5sum with the one in chkrootkit.md5. Note that a checksum served from the same plain-FTP site as the tarball only protects against transfer errors: anyone who can replace the tarball on that server can replace the .md5 file too, so compare against a hash obtained from a separate, trusted source when you can.
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
    md5sum chkrootkit.tar.gz
  5. Extract the compressed source:
    tar xvzf chkrootkit.tar.gz
  6. Change to the directory it created:
    cd chkrootkit*
  7. Compile the source tree:
    make sense
  8. Run the chkrootkit script:
    ./chkrootkit
  9. Review the output. Checks that end in "not infected", "not found" or "nothing found" are clean; any line marked "INFECTED" or "Warning" needs to be investigated before the server is trusted.
  10. Change back to the parent directory:
    cd ..
  11. Remove the source .gz we downloaded earlier:
    rm chkrootkit.tar.gz

Automating chkrootkit to run and send a daily report

  1. While still logged in over SSH as root, create the cron script:
    vi /etc/cron.daily/chkrootkit.sh
    (On Debian and Ubuntu, run-parts ignores files in /etc/cron.daily whose names contain a dot, so name the file chkrootkit there and use that name in the steps below.)
  2. Insert the following into the new file (the first line is required so cron can execute the script):
    #!/bin/sh
    cd /usr/local/src/chkrootkit*/
    ./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com
  3. Make sure to change these values before saving the file:
    -Change 'Servername' to the name of your server
    -Change 'admin@youremail.com' to the email address you would like the report sent to
    The mail command must be installed and able to deliver mail from this server (for example mailx or mailutils plus a working MTA).
  4. Save the file and quit vi:
    :wq
  5. Change the file permissions of the script to make it executable:
    chmod 755 /etc/cron.daily/chkrootkit.sh
  6. Run the script by hand once to verify it works and that the report email arrives:
    cd /etc/cron.daily/
    ./chkrootkit.sh
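The two-line script above mails the whole report every day, which makes it easy to stop reading. Below is an added example (written for this page, not part of chkrootkit or the original article) of a fuller /etc/cron.daily script: it still sends the daily mail, but puts any flagged lines first, marks the subject ALERT or OK, and diffs the report against the previous run so that a change stands out. It assumes chkrootkit was built under /usr/local/src as in the install steps, that `mail` can deliver mail, and that /var/lib/chkrootkit can be used to keep the previous report; the email address is a placeholder. The sample report at the bottom is constructed to show the filter working when chkrootkit is not installed on the machine running the script.

```shell
#!/bin/sh
# Added example (not from the original page): a replacement for the
# two-line /etc/cron.daily script. It still mails a report every day,
# but puts the flagged lines first, marks the subject ALERT or OK, and
# diffs against the previous run so a changed report stands out.
#
# Assumptions (not stated on the page): chkrootkit was built under
# /usr/local/src as in the install steps, the `mail` command can deliver
# mail, and /var/lib/chkrootkit may be used to keep the previous report.
# The email address and state directory are placeholders.

CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-$(ls -d /usr/local/src/chkrootkit* 2>/dev/null | head -n 1)}
MAILTO=${MAILTO:-admin@youremail.com}
STATE_DIR=${STATE_DIR:-/var/lib/chkrootkit}
HOST=$(hostname 2>/dev/null || uname -n)

# Markers chkrootkit uses for positive findings. "INFECTED" is its verdict
# for a trojaned binary, "Warning" precedes chkproc/LKM and other suspicious
# results, and "PACKET SNIFFER" comes from its promiscuous-interface test.
# Extend the pattern if your chkrootkit version words things differently.
FINDING_RE='INFECTED|Warning|PACKET SNIFFER'

# Print the lines of a chkrootkit report (read from stdin) that need
# attention. Returns 1 when at least one such line exists, 0 when clean.
# Matching is case-sensitive on purpose: "not infected" must not match.
filter_findings() {
    grep -E "$FINDING_RE" && return 1
    return 0
}

# Same filter, but prints only the number of flagged lines and always
# returns 0, so it is safe to use under `set -e`.
count_findings() {
    grep -cE "$FINDING_RE" || true
}

# Run chkrootkit, compare with the last run, and mail the result.
run_daily_check() {
    report=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1)
    findings=$(printf '%s\n' "$report" | filter_findings || true)

    mkdir -p "$STATE_DIR"
    printf '%s\n' "$report" > "$STATE_DIR/current.txt"
    changes=""
    if [ -f "$STATE_DIR/last.txt" ]; then
        # Any change (a new file listed, a new port, a check that now says
        # "not found") is worth a look even when nothing is marked INFECTED.
        changes=$(diff "$STATE_DIR/last.txt" "$STATE_DIR/current.txt" || true)
    fi
    mv "$STATE_DIR/current.txt" "$STATE_DIR/last.txt"

    status=OK
    [ -n "$findings" ] && status=ALERT
    {
        echo "chkrootkit on $HOST, $(date)"
        echo
        echo "Flagged lines:"
        printf '%s\n' "${findings:-(none)}"
        echo
        echo "Changes since the previous run:"
        printf '%s\n' "${changes:-(none)}"
        echo
        echo "Full report:"
        printf '%s\n' "$report"
    } | mail -s "chkrootkit $status on $HOST" "$MAILTO"
}

# Constructed sample of chkrootkit output, used only when chkrootkit is not
# installed on the machine running this script (for trying the filter out).
# It is not a real report; it mimics the format and contains two flagged lines.
SAMPLE_REPORT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `netstat'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
)

if [ -n "$CHKROOTKIT_DIR" ] && [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
    run_daily_check
else
    echo "chkrootkit not found; running the filter on the built-in sample report:" >&2
    printf '%s\n' "$SAMPLE_REPORT" | filter_findings || true
fi
```

The script keeps sending a mail every day on purpose: if the OK mails stop arriving, cron, the mailer or the script itself has been interfered with, and that silence is a signal in its own right. Known chkrootkit false positives (for example chkproc warnings on a busy system) will show up as ALERT and need to be investigated once and then recognised, rather than filtered out blindly.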

You will now receive a daily report with the results of the rootkit check. Treat it as one signal, not as proof of a clean system: chkrootkit runs on the host it is checking, using that host's own binaries, so a kernel-level rootkit or a tampered ps, netstat or ls can hide from it, and an attacker with root can disable the cron job or the mail. If the daily mail stops arriving, investigate rather than assume all is well.