[SGVLUG] Re: chkrootkit question
cafelizardo at gmail.com
Tue Oct 3 11:48:45 PDT 2006
On 9/27/06, Claude Felizardo <cafelizardo at gmail.com> wrote:
> Does anyone on the list use chkrootkit?
> I have two Linux boxes running Mandrake's msec suite of security tools
> scheduled to run at 4 am. The machine at work is a P4 2.8 GHz box
> with SATA and it would usually complete its scans within the hour. My
> file server at home is a P3/450 with 3 IDE drives in a RAID-5
> configuration and the scan generally took well over 12 hours but since
> it usually completes by the time I get home and I don't often log into
> the machine it wasn't a big deal. I figured it was the amount of data
> it had to scan and the software RAID. One of the tools msec will use
> is chkrootkit and I discovered that while it's installed at home, it
> was never installed on my desktop at work.
> This morning I find that it's still running at work with a load avg of
> 2.5 while my server at home is at its normal 1.2 during the scan. So
> I started looking around and
> crap, I just noticed that it's been scanning the home directories of
> everyone at work. Well it managed to generate about 145KB of
> Permission denied messages before I managed to kill it.
> Looks like there's a -n option I can use to tell it to skip NFS
> mounted directories but what I'd really want to do is have it ignore
> my backup directories as well. msec has some config options to
> exclude directories but I don't think it's used by chkrootkit.
> I'm running chkrootkit 0.45 and from their website, I see that the
> latest is 0.46a. According to some of the posts to their mailing
> list, some people had complained that the -n option didn't support
> skipping AFS file systems and was causing a similar problem, not clear
> on what version this was.
> Any suggestions?
Got a little further with this. I had updated to 0.46 which claimed
to have fixed nfs skipping issues but it didn't seem to help. Turns
out the nfs skipping part isn't used everywhere. I tracked my slow
down problem to some assumptions in the /usr/sbin/chkrootkit shell
The check for aliens which scans for strange files in the home
directories assumes that the $HOME environment variable is defined.
Unfortunately when run by root in a cron job, it's not set so it
searches the entire directory tree including /dev, /proc and all of
the nfs mounts. The quickest solution was to define the HOME variable
in the script that calls chkrootkit and is run every morning.
The 2nd problem was the check for the Ducoci rootkit. This time it
doesn't even use the $HOME environment variable, instead it's starting
its search at . which when run by root as a cron again defaults to
the top directory. I have this block commented out for now and may
fix the code but does anyone know what the Ducoci rootkit is? I've
tried searching for it but all i get is that chkrootkit scans for it.
The code is apparently looking for the file last.cgi.
Looking at the chkrootkit website, it looks like the last update was
nearly a year ago. I have tried contacting the two maintainers but
have not gotten a response though it's only been a few days. Any
BTW, the security scans now complete within minutes. Much better than
the hours upon hours it was taking before.
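The mechanism described in the reply above, reproduced in isolation as an added example (this is not chkrootkit's code and not the poster's; function names are hypothetical and the directory tree is constructed for the demo). It assumes what the post states: under the cron job HOME is unset and the working directory is /, so a search path built from "${HOME}" expands to "/" and a search started at "." also begins at the top of the filesystem. The wrapper at the end is the "define HOME in the script that calls chkrootkit" fix, with the working directory pinned as well so the "."-based check is covered too.

```shell
#!/bin/sh
# Added example, not code from chkrootkit or from the mailing-list post.
# Shows why a scan rooted at "${HOME}" (or at ".") silently covers the whole
# filesystem when a root cron job runs with HOME unset and cwd /, and a
# wrapper that pins both before invoking the scanner.

# What a naive "find ${HOME}/..." expression expands to. The argument is the
# value HOME should have; an empty argument means "unset", as in the cron job.
naive_search_root() {
    (
        if [ -n "$1" ]; then HOME=$1; else unset HOME; fi
        # With HOME unset this prints "/": the entire tree, /proc, /dev,
        # NFS mounts and all.
        echo "${HOME}/"
    )
}

# Hardened form: ${HOME:?} makes the (sub)shell exit non-zero with a message
# on stderr instead of quietly scanning from /. Same argument convention.
strict_search_root() {
    (
        if [ -n "$1" ]; then HOME=$1; else unset HOME; fi
        echo "${HOME:?HOME must be set before scanning}/"
    )
}

# Cron-side wrapper (hypothetical name): pins HOME and the working directory,
# then runs the given command. Both "${HOME}"-based and "."-based checks
# now start in home_dir rather than at /.  Usage: run_with_home /root chkrootkit
run_with_home() {
    home_dir=$1
    shift
    (
        HOME=$home_dir
        export HOME
        cd "$HOME" || exit 1
        "$@"
    )
}

# Demonstration on a constructed tree: a last.cgi (the file name the post says
# the Ducoci check looks for) inside the pinned home is found by "find .",
# while one placed outside it is not. Returns the number of hits.
demo_find_scope() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/root/public_html" "$tmp/elsewhere"
    : > "$tmp/home/root/public_html/last.cgi"   # inside the pinned home
    : > "$tmp/elsewhere/last.cgi"               # outside it
    hits=$(run_with_home "$tmp/home/root" find . -name last.cgi | wc -l)
    rm -rf "$tmp"
    echo "$hits" | tr -d ' '
}

# Stand-alone run: show the expansion with and without HOME, and the scope
# of a "."-rooted find once the wrapper has pinned the directory.
echo "unset HOME  -> $(naive_search_root '')"
echo "HOME=/root  -> $(naive_search_root /root)"
echo "last.cgi hits under pinned home -> $(demo_find_scope)"
```

The same `${VAR:?}` guard applies to any path the scanner assembles from an environment variable; it turns "scan everything" into an immediate failure that shows up in the cron mail, which is what you want from a job that otherwise runs unattended at 4 am.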