Friday, July 10, 2009

HOWTO : Make sure no rootkit on Ubuntu 9.04 Server

To ensure your server will not be installed rootkits or trojans as well as worm without your approval, you should check it frequently.

ChkRootKit

Get the chkrootkit package :

sudo apt-get install chkrootkit

Make a Cron Job to do the scan daily at 0700 hours :

sudo crontab -e

0 7 * * * /usr/sbin/chkrootkit; /usr/sbin/chkrootkit -q 2 >&1 | mail -s "Daily ChkRootKit Scan" samiux@gmail.com

Do a manual scan :

sudo /usr/sbin/chkrootkit


Rootkit Hunter

sudo apt-get install rkhunter


Make a Cron Job to do the scan daily at 0500 hours :

sudo crontab -e

0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" samiux@gmail.com


Do a manual scan :

sudo rkhunter --check


Forensic tool to find hidden processes and ports – unhide

Get the unhide package :

sudo apt-get install unhide

Make a Cron Job to do the scan daily between 0800 and 0930 hours :

sudo crontab -e

0 8 * * * unhide proc; unhide proc -q 2 >&1 | mail -s "Daily unhide proc Scan" samiux@gmail.com

30 8 * * * unhide sys; unhide sys -q 2 >&1 | mail -s "Daily unhide sys Scan" samiux@gmail.com

0 9 * * * unhide brute; unhide brute -q 2 >&1 | mail -s "Daily unhide brute Scan" samiux@gmail.com

30 9 * * * unhide-tcp; unhide-tcp -q 2 >&1 | mail -s "Daily unhide-tcp Scan" samiux@gmail.com

Do a manual scan :

sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp

Beware :
There will be produced some false positive by RootKit Hunter or ChkRootKit when your packages or files had been updated or have the similar behavior as the rootkit.

If this happened, you can do the following the reset it if anything is alright.

sudo rkhunter --propupd

Remarks :
It is not 100% to proof that your system is away from the attack of Rootkits.

That's all. See you!