
Linux security: installing chkrootkit

A rootkit is a tool, or a set of tools, whose purpose is to hide itself and to hide other programs, processes, files, directories, registry keys and ports, so that the intruder can keep access to the system, run commands on it remotely and extract sensitive information. Rootkits exist for a wide range of operating systems, including GNU/Linux, Solaris and Microsoft Windows.

Several programs are available to detect rootkits. On Unix-like systems, two of the most popular are chkrootkit and rkhunter.

chkrootkit is in the Fedora repositories, so installing it is a single command (on current Fedora releases dnf has replaced yum, but the package name is the same):

```sh
# yum install chkrootkit
```

Then run chkrootkit as root from a terminal:

```sh
# chkrootkit
```

It can also be launched from the desktop menu under Applications > System Tools > chkrootkit.

What you get on screen looks something like this:

```
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libfipscheck.so.1.hmac
/usr/lib/.libssl.so.1.0.0c.hmac
/usr/lib/.libfipscheck.so.1.1.0.hmac
/usr/lib/.libssl.so.10.hmac
/usr/lib/firefox-3.6/.autoreg
/lib/.libcrypto.so.10.hmac
/lib/.libcrypto.so.1.0.0c.hmac
/lib/.libgcrypt.so.11.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
```

None of the lines above is a real finding, but the report does not say so, so it is worth knowing what each one means. The hidden .hmac files under /lib and /usr/lib are the FIPS-140 integrity check files that Fedora's openssl, libgcrypt and fipscheck packages install next to their libraries; .autoreg is a marker file Firefox uses to re-register its components after an update; dhclient legitimately opens a raw PF_PACKET socket on eth0 because it has to send DHCP packets before the interface has an address. The empty .mysql_history is the only line that deserves a question: usually root's MySQL client history was simply disabled or cleared, but an emptied history file is also what an intruder leaves behind, so find out who did it. What you are really looking for is a binary reported as INFECTED, a PACKET SNIFFER from a process you do not recognise, or hidden files in places like /tmp, /dev or /var that no installed package accounts for.
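Reading a report this long by eye every day is how the one line that matters gets missed. The following is an added example, not code from the post or from the chkrootkit project: a small POSIX shell filter that drops the clean results and the benign Fedora hits discussed above and leaves only the lines a person still has to review, with an exit status that a cron job or monitoring check can act on. The function and variable names (`chkrootkit_triage`, `sample_report`, `CLEAN_RE`, `BENIGN_RE`), the benign patterns, and the sample report are all mine; the sample is a constructed mix of the post's output with two invented findings (an INFECTED `ls` and a sniffer under /tmp) so that the filter has something to keep.

```shell
#!/bin/sh
# Added example (not from the original post or from chkrootkit): reduce a chkrootkit
# report to the lines that still need a human look, and turn that into an exit status.
# Real use:  chkrootkit 2>&1 | chkrootkit_triage

# Results chkrootkit prints when a test is clean (anchored at end of line).
CLEAN_RE='not infected$|not found$|nothing found$|nothing detected$|nothing deleted$|not tested$|no suspect files$|^ROOTDIR is'

# Hits that are benign on a stock Fedora/RHEL box (assumption: review this list for your distro):
#  - hidden .hmac files beside the OpenSSL, libgcrypt and fipscheck libraries are the
#    FIPS-140 integrity check files shipped by those packages;
#  - Firefox's .autoreg is a marker file that triggers component re-registration;
#  - dhclient opens a raw PF_PACKET socket to send DHCP before the interface has an address.
BENIGN_RE='/\.lib(ssl|crypto|gcrypt|fipscheck)\.so\.[0-9a-z.]+\.hmac$|/firefox[^/]*/\.autoreg$|PF_PACKET\(/sbin/dhclient\)$'

# Read a chkrootkit report on stdin, print the lines that still need review,
# return 1 if there were any and 0 if the report was clean.
chkrootkit_triage() {
    hits=$(grep -Ev "$CLEAN_RE" \
        | grep -Ev '\.\.\.[[:space:]]*$' \
        | grep -Ev "$BENIGN_RE" \
        | grep -Ev '^[[:space:]]*$' || true)
    # Header lines such as "Searching for suspicious files and dirs, it may take a while..."
    # end in "..." and carry their results on the following lines, so they are dropped above.
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed report in chkrootkit's format: the benign hits from the post plus two
# invented findings (an INFECTED binary and a sniffer in /tmp). Paths and PIDs are made up.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `syslogd'... not tested
Checking `aliens'... no suspect files
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libfipscheck.so.1.hmac
/usr/lib/.libssl.so.1.0.0c.hmac
/usr/lib/firefox-3.6/.autoreg
/lib/.libcrypto.so.10.hmac
/tmp/.x/sn
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
eth1: PACKET SNIFFER(/tmp/.x/sn[4242])
Checking `wted'... chkwtmp: nothing deleted
EOF
}

# Demo on the constructed sample. On a real box replace sample_report with chkrootkit.
if sample_report | chkrootkit_triage; then
    echo "report clean"
else
    echo "review needed (exit status 1)"
fi
```

On the sample this prints four lines: the INFECTED `ls`, the hidden `/tmp/.x/sn`, the sniffer bound to it on eth1, and the empty history warning; the .hmac, .autoreg and dhclient lines are gone. Two caveats when you put this in front of the real tool. chkrootkit relies on the system's own ps, netstat, ls and friends, which are exactly what a user-space rootkit replaces, so for a box you distrust run it with `-p` pointing at a known-good copy of those binaries (for example from read-only media). And before adding anything to BENIGN_RE, confirm the file really belongs to a package with `rpm -qf` and that it has not been modified with `rpm -V`; a pattern that is too broad quietly turns a detection tool into a reassurance tool.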

This post is licensed under CC BY 4.0 by the author.