Even if you use Tripwire, you should realize that malicious attackers can still plant bad software on your system without your knowledge. In this article, you'll learn how to install and run three different antimalware applications that can help you keep your system free of malicious irritants that make users call you at the least convenient times: chkrootkit, rkhunter, and ClamAV.
Before attempting to repair a malware infection, switch to single user mode so that the malicious attacker won't be alerted to your activities or be able to cover their tracks.
I've used good ol'
chkrootkit for years. Simply put, it scans important files in your system for rootkits. Rootkits are collections of malicious programs designed to compromise the root user account and keep access for an extended period of time. Rootkits are hard to detect and difficult to remove from a system. I've heard many sysadmins say that if your system is the victim of a rootkit, you should reimage (format and reinstall from media) it and restore all data from a clean backup.
[ More about chkrootkit ]
Yes, that's one solution, but have you ever reimaged a system and been able to bring it back to a state where it was prior to the infection? I never have. There's always something left off from the new system and it's always something "critical." I've spent countless hours chasing down legacy software, searching for old documentation, and begging the local software hoarder for media to reinstall some essential program that no one supports anymore and that we possibly never had a legitimate license for. I digress.
You can scan for many types of rootkits and detect certain log deletions using
chkrootkit. While it doesn't remove any infected files, it does specifically tell you which ones are infected, so that you can remove/reinstall/repair the file or package.
Follow the simple procedure below to download, install, and scan your system using
su to root.
# yum update # yum install wget gcc-c++ glibc-static # wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz # tar –zxvf chkrootkit.tar.gz # mkdir /usr/local/chkrootkit # mv chkrootkit-0.xx/* /usr/local/chkrootkit # cd /usr/local/chkrootkit # make sense << compile output >> # /usr/local/chkrootkit/chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `crontab'... not infected Checking `date'... not infected Checking `du'... not infected Checking `dirname'... not infected Checking `echo'... not infected << more output >>
chkrootkit script reports on infected files. I've never had a false positive, but your experience might be different than mine. I install
chkrootkit on every Linux system that I manage. I also set up a
cron job that performs all the above steps, except installing the dependencies, so that I always have an updated collection. I also redirect the output to a file in my user account's home directory. You could optionally have the text report emailed to you at the end of the script.
chkrootkit script only takes a few seconds to scan and report, so using it is not time or effort-consuming.
The RootKit Hunter (
rkhunter)is a rootkit detection script that automates scanning for a lot of different rootkits and other local exploits. I love
rkhunter. I've used it for years, too. Unlike
rkhunter provides a full log of its findings at
/var/log/rkhunter/rkhunter.log. If you install and run only one malware scanning application,
rkhunter should probably be it. I'm too paranoid to run just one.
[ Learn more about rkhunter ]
Here's how to install and run
rkhunter on your system. Use
su to root.
# yum -y install epel-release # yum -y install rkhunter # rkhunter -c [ Rootkit Hunter version 1.4.6 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] << lots of output >> System checks summary ===================== File properties checks... Required commands check failed Files checked: 129 Suspect files: 4 Rootkit checks... Rootkits checked : 494 Possible rootkits: 0 Applications checks... All checks skipped The system checks took: 1 minute and 38 seconds All results have been written to the log file: /var/log/rkhunter/rkhunter.log One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter/rkhunter.log)
rkhunter sometimes flags files that you've changed manually. Two of my four "suspect" files are
group, both of which I changed manually. It also flags files that you deliberately or accidentally modify with
vi, or some other program that changes an original access or modified date. The other two files it identified as suspicious on my system were
ifdown. I haven't figured out why yet, but I suspect that neither is a problem.
Check all flagged files even if you believe that you know what has happened.
From the ClamAV about page: ClamAV is an open source (GPL) anti-virus engine used in a variety of situations, including email scanning, web scanning, and endpoint security. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command-line scanner, and an advanced tool for automatic database updates.
[ Check out the ClamAV homepage ]
To install ClamAV, become root or
sudo the following commands:
# yum -y install clamav # freshclam ClamAV update process started at Fri Apr 3 17:21:48 2020 daily database available for download (remote version: 25772) Time: 27.3s, ETA: 0.0s [=============================>] 57.90MiB/57.90MiB Testing database: '/var/lib/clamav/tmp.63140/clamav-5feeeb4cb75d1c44dd7c48b836fe457c.tmp-daily.cvd' ... << output >> # clamscan -r -i / LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0 << Lots of output >> ----------- SCAN SUMMARY ----------- Known viruses: 6801836 Engine version: 0.102.2 Scanned directories: 13294 Scanned files: 64849 Infected files: 0 Total errors: 11295 Data scanned: 2668.46 MB Data read: 2094.11 MB (ratio 1.27:1) Time: 509.652 sec (8 m 29 s) #
As you can see, scanning an entire system can take a few minutes, so it's easier to scan and redirect the output via
My best suggestion is to schedule automatic updates and scans via
cron. You should also perform a preliminary scan as soon as you bring up a new system because this gives you a baseline. Scan after each update and software install. There's specific malware for all operating systems, so don't allow your personal prejudices to preclude you from doing what's right for your systems and your users. Be paranoid. Assume that no system is completely clean. And, while we're all at home for a while, wash your hands.
[ Want to test your sysadmin skills? Take a skills assessment today. ]