magentron / chkrootkit
This program locally checks for signs of a rootkit. 'Forked' to fix false-positive for SucKIT rootkit
Home Page: http://www.chkrootkit.org/
License: Other
Checking `bindshell'... INFECTED (PORTS: 5665)
root@device ~ # netstat -tulpen | grep 5665
tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN 121 23103 1806/icinga2
root@heimeran ~ # nmap -sV localhost -p 5665
PORT STATE SERVICE VERSION
5665/tcp open ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
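The report above shows why a bindshell hit needs a second look: port 5665 is owned by icinga2. The following is an added example (not chkrootkit's own code) that maps each port flagged by a "bindshell ... INFECTED (PORTS: ...)" line to the process listening on it, using `netstat -tulpen` output captured on the same host. The sample lines are constructed, not from a real machine.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: turn a bindshell finding into a
# triage list by mapping every flagged port to the process that actually
# listens on it. A port owned by an expected daemon (icinga2, sshd, ...)
# points to a false positive; an unknown owner deserves a closer look.

# Constructed sample lines in netstat -tulpen format (not from a real host).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN 121 23103 1806/icinga2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 17455 900/sshd
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 0 40211 4242/-'
# Constructed chkrootkit line with three flagged ports.
SAMPLE_LINE='Checking bindshell... INFECTED (PORTS: 5665 1524 2222)'

# Print the space-separated port list from a chkrootkit bindshell line;
# prints nothing for a "not infected" line.
bindshell_ports() {
    printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS: *\([0-9 ]*\)).*/\1/p'
}

# Print "port pid/program" for each flagged port; the owner is "-" when
# nothing listens there (any more). $1: chkrootkit line, $2: netstat output.
triage_bindshell() {
    for port in $(bindshell_ports "$1"); do
        owner=$(printf '%s\n' "$2" | awk -v p="$port" '
            $6 == "LISTEN" && $4 ~ (":" p "$") { print $NF; found = 1; exit }
            END { if (!found) print "-" }')
        echo "$port $owner"
    done
}

triage_bindshell "$SAMPLE_LINE" "$SAMPLE_NETSTAT"
```

On a live host, pass the real output: `triage_bindshell "$(chkrootkit bindshell)" "$(netstat -tulpen)"`.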
I got the following error when running "make sense"
make sense
cc -static -o strings-static strings.c
/usr/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
make: *** [Makefile:72: strings-static] Error 1
On CentOS 8
Version 0.50a needs a fix for the Windigo - Ebury rootkit on the latest versions of OpenSSH. Since version openssh-6.9p1 a -G option was introduced (it is also documented in the ssh man page).
The following code section should take into consideration the installed version of OpenSSH on the machine.
if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
    echo "Possible Linux/Ebury - Operation Windigo installed"
fi
A good idea could be to check the version of OpenSSH using the ssh -V command and store the version in a variable for further processing:
OPENSSH_VER=$(grep -o 'OpenSSH_[0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*' <(ssh -V 2>&1) | sed 's/OpenSSH_//')
Then, using a simple awk parsing we can check the version of ssh:
OPENSSH_TEST=$(echo "$OPENSSH_VER" | awk 'BEGIN {FS = "p"} ; $1 >= 6.9 && $2 >= 1')
The OPENSSH_TEST var can be tested with a small if construct:
if [ -n "$OPENSSH_TEST" ]; then
    echo "Not a Windigo - Ebury infection... Some other stuff..."
fi
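A version-aware form of the same heuristic, as an added example (not chkrootkit's own code and not the poster's): the "ssh -G" test is only meaningful when the installed OpenSSH predates 6.9p1, so the verdict is gated on the parsed version. Both inputs are passed as strings so the functions run offline; the sample banners are constructed.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: apply the "ssh -G" Ebury heuristic
# only when the installed OpenSSH predates 6.9p1, where -G was not yet a
# documented option. On a live host call:
#   ebury_verdict "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"

# Print "major.minor" from an `ssh -V` banner, e.g. "OpenSSH_7.4p1, OpenSSL ..."
# gives "7.4". Prints nothing if the banner does not look like OpenSSH.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Succeed (exit 0) when the version is 6.9 or newer, i.e. -G is legitimate.
# Integer comparison of major and minor avoids the "6.10 < 6.9" trap of
# comparing version strings as floating-point numbers.
openssh_has_G() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 9 ]; }
}

# Verdict for one host. $1: `ssh -V 2>&1` banner, $2: `ssh -G 2>&1` output.
#   skipped    -G is a documented option here; the heuristic says nothing.
#   clean      old OpenSSH rejected -G as expected.
#   suspicious old (or unrecognised) OpenSSH accepted -G, as an
#              Ebury-patched binary would; conservative on unknown banners.
ebury_verdict() {
    if openssh_has_G "$1"; then
        echo skipped
    elif printf '%s\n' "$2" | grep -q -e illegal -e unknow; then
        echo clean
    else
        echo suspicious
    fi
}

# Constructed sample inputs (not captured from a real machine):
ebury_verdict 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2' 'ssh: illegal option -- G'    # clean
ebury_verdict 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017' 'user root'  # skipped
```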
On Fedora 39, chkrootkit is packaged and has a GUI desktop entry
That does not work, as it assumes it has root privileges.
Putting "pkexec" in the Exec= command already solves the issue, as polkit gives the process elevated privileges.
Not sure if this repo even deals with the desktop entry though.
https://bugzilla.redhat.com/show_bug.cgi?id=2253108
[Desktop Entry]
Encoding=UTF-8
Name=chkrootkit
Comment=Locally check for signs of a rootkit
Icon=chkrootkit
Exec=pkexec chkrootkit
Terminal=true
Type=Application
Categories=Application;System;
X-Desktop-File-Install-Version=0.26
Hello!
As per SUS Utility Syntax Guideline 5, a command-line utility should allow multiple arguments to be grouped behind a single - delimiter.
I have yet to come across a *nix utility which doesn't follow this convention. Can we please honor the Single Unix Specification?
$ chkrootkit -qn
Usage: ./chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
$ chkrootkit -q -n
<False positives>
$
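One way to get grouped flags for free is POSIX getopts. The following is an added example (not chkrootkit's own option parser) that parses the options listed in the usage text above so that "-qn" and "-q -n" behave identically; the variable names are assumptions.

```shell
#!/bin/sh
# Added example, not chkrootkit's own parser: POSIX getopts over chkrootkit's
# documented options. getopts accepts grouped flags ("-qn") as well as
# separate ones ("-q -n"), per SUS Utility Syntax Guideline 5.
parse_opts() {
    QUIET=; SKIP_NFS=; DEBUG=; EXPERT=; ACTION=; ROOTDIR=/; EXTPATH=; TESTS=
    OPTIND=1   # reset so the function can be called more than once
    while getopts 'hVldqxr:p:n' opt; do
        case $opt in
            h|V|l) ACTION=$opt ;;      # help, version, list tests
            d) DEBUG=t ;;
            q) QUIET=t ;;
            x) EXPERT=t ;;
            r) ROOTDIR=$OPTARG ;;      # -r dir
            p) EXTPATH=$OPTARG ;;      # -p dir1:dir2:dirN
            n) SKIP_NFS=t ;;
            *) return 1 ;;             # getopts already reported the bad flag
        esac
    done
    shift $((OPTIND - 1))
    TESTS=$*                           # remaining words are test names
    return 0
}

# One-line summary of the parsed state, handy for comparing invocations.
opts_summary() {
    printf 'quiet=%s nfs=%s debug=%s expert=%s root=%s tests=[%s]\n' \
        "${QUIET:-f}" "${SKIP_NFS:-f}" "${DEBUG:-f}" "${EXPERT:-f}" "$ROOTDIR" "$TESTS"
}

parse_opts -qn && opts_summary
parse_opts -q -n -r /mnt/image bindshell sniffer && opts_summary
```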
+Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
+/tmp/composer-installer.php
$ sha256sum /tmp/composer-installer.php
203196aedb1a3b0f563363796bbf6f647a4f8c2419bc1dfc5aa45adc1725025d /tmp/composer-installer.php
$ dpkg -l |grep chkrootkit
ii chkrootkit 0.55-4 amd64 rootkit detector
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
Composer was downloaded from https://getcomposer.org/installer and validated against https://getcomposer.org/installer.sig
WARNIING: It seems you are using BTRFS, if this is true chkdirs can't help you to find hidden files/dirs
chkdirs: Warning: Possible LKM Trojan installed
Checking timed... INFECTED
https://discussions.apple.com/thread/8122779
I have found only this info related to this issue, and I want to know if I should be concerned or not.
Thanks.
Currently, running chkrootkit on nixOS results in:
- not sure why some are INFECTED
- no /usr/lib or /sbin in nixOS
It looks like chkrootkit.org is not accessible at the moment. Thanks!
$ curl -I http://www.chkrootkit.org/
curl: (7) Failed to connect to www.chkrootkit.org port 80: Connection refused
Hi,
I just installed chkrootkit-0.53
I got this error running "make sense" on my mac 10.14.3. Can you help?
Colin G