chkrootkit's Issues

icinga2 api port gets detected as bindshell

Checking `bindshell'...                                     INFECTED (PORTS:  5665)
root@device ~ # netstat -tulpen | grep 5665
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      121        23103      1806/icinga2
root@heimeran ~ # nmap -sV localhost -p 5665
PORT     STATE SERVICE     VERSION
5665/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Make sense build command error

I got the following error when running "make sense":

make sense
cc -static -o strings-static strings.c
/usr/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
make: *** [Makefile:72: strings-static] Error 1

On CentOS 8

Windigo - Ebury False Positive

Version 0.50a needs a fix for the Windigo - Ebury rootkit on the latest versions of OpenSSH. Since version openssh-6.9p1 a -G option was introduced (it is also documented in the ssh man page).

The following code section should take into consideration the installed version of OpenSSH on the machine.

# Pre-6.9 OpenSSH rejects -G ("illegal option" / "unknown option"); a binary that accepts it was the Ebury indicator
if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
echo "Possible Linux/Ebury - Operation Windigo installed"
fi

A good idea could be to check the version of OpenSSH using the ssh -V command and store the version in a variable for further processing:

OPENSSH_VER=$(ssh -V 2>&1 | grep -o 'OpenSSH_[0-9]*\.[0-9]*p[0-9]*' | sed 's/OpenSSH_//')

Then, using simple awk parsing, we can check the version of ssh:

OPENSSH_TEST=$(echo "$OPENSSH_VER" | awk 'BEGIN {FS = "p"} ; $1 >= 6.9 && $2 >= 1')

The OPENSSH_TEST var can be tested with a small if construct:

if [ -n "$OPENSSH_TEST" ]; then
echo "Not a Windigo - Ebury infection... Some other stuff..."
fi
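A version-aware form of the check, as an added example that is not chkrootkit's own code: it assumes the caller passes the ssh -V banner and the ssh -G output in as arguments, so the decision logic can be exercised offline against the constructed banner strings below.

```sh
# Version-aware variant of the chkrootkit Ebury "-G" test (added example).
# The "ssh -V 2>&1" banner and the "ssh -G 2>&1" output are passed in as
# arguments so the logic runs offline against constructed strings.

# Print "major minor patch" for an OpenSSH banner ("OpenSSH_7.4p1 ..." -> "7 4 1"),
# or nothing when the banner is not from OpenSSH.
openssh_version_fields() {
    case $1 in
        OpenSSH_[0-9]*) ;;
        *) return 0 ;;
    esac
    v=${1#OpenSSH_}            # "7.4p1 Debian-10+deb9u7, OpenSSL ..."
    v=${v%%[!0-9.p]*}          # cut at the first char outside [0-9.p]: "7.4p1"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# "yes" when this OpenSSH accepts -G natively (6.9p1 and later, so the old
# heuristic would always fire), "no" for older releases, "unknown" if unparsable.
openssh_g_native() {
    set -- $(openssh_version_fields "$1")
    [ $# -eq 3 ] || { echo unknown; return 0; }
    if [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -gt 9 ]; } ||
       { [ "$1" -eq 6 ] && [ "$2" -eq 9 ] && [ "$3" -ge 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Replacement for the test quoted in the issue: $1 = ssh -V banner, $2 = ssh -G output.
ebury_verdict() {
    case $(openssh_g_native "$1") in
        yes)     echo "not tested: OpenSSH >= 6.9p1 accepts -G natively"; return 0 ;;
        unknown) echo "not tested: unrecognised ssh -V banner"; return 0 ;;
    esac
    # Pre-6.9 OpenSSH rejects -G; a binary that accepts it is suspect.
    if printf '%s\n' "$2" | grep -q -e illegal -e unknown; then
        echo "nothing found"
    else
        echo "Possible Linux/Ebury - Operation Windigo installed"
    fi
}

# Constructed sample inputs (not captured from a real host):
ebury_verdict 'OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u' 'host example.org'
ebury_verdict 'OpenSSH_5.3p1, OpenSSL 1.0.1e-fips' 'ssh: illegal option -- G'
```

Integer comparison of the three fields avoids the float compare of the awk one-liner, which would misorder a hypothetical 6.10 against 6.9.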

Desktop entry does not work as it assumes root privileges

On Fedora 39, chkrootkit is packaged and has a GUI desktop entry.

That does not work, as it assumes root privileges.

Putting "pkexec" in the Exec= command already solves the issue, as polkit gives the process elevated privileges.

Not sure if this repo even deals with the desktop entry though.

https://bugzilla.redhat.com/show_bug.cgi?id=2253108

secureblue/secureblue#12

[Desktop Entry]
Encoding=UTF-8
Name=chkrootkit
Comment=Locally check for signs of a rootkit
Icon=chkrootkit
Exec=pkexec chkrootkit
Terminal=true
Type=Application
Categories=Application;System;
X-Desktop-File-Install-Version=0.26

Honor Single Unix Specification (SUS) by allowing multiple arguments to be grouped behind single `-`

Hello!

As per SUS Utility Syntax Guideline 5, a command-line utility should allow multiple arguments to be grouped behind a single - delimiter.

I have yet to come across a *nix utility which doesn't follow this convention. Can we please honor the Single Unix Specification?

$ chkrootkit -qn
Usage: ./chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
$ chkrootkit -q -n
<False positives>
$ 
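How the same option set parses with POSIX getopts, as an added example rather than code from the chkrootkit project: the optstring mirrors the usage text above, and anything left after the options is assumed to be the test names.

```sh
# POSIX getopts parser for chkrootkit's option set (added example, not the
# project's code): getopts treats grouped flags (-qn) and separated ones
# (-q -n) identically, which is what SUS guideline 5 asks for.
parse_chkrootkit_opts() {
    OPTIND=1                      # reset so the function can be called repeatedly
    quiet=0 nfs_skip=0 expert=0 debug=0 root=/ path=''
    while getopts 'hVldqxr:p:n' opt; do
        case $opt in
            q) quiet=1 ;;
            n) nfs_skip=1 ;;
            x) expert=1 ;;
            d) debug=1 ;;
            r) root=$OPTARG ;;          # -r dir (also accepted as -rdir)
            p) path=$OPTARG ;;          # -p dir1:dir2:dirN
            h|V|l) echo "action=$opt"; return 0 ;;   # informational options exit early
            *) echo 'usage error'; return 1 ;;       # getopts already reported the bad flag
        esac
    done
    shift $((OPTIND - 1))               # what remains are the test names
    printf 'quiet=%s nfs_skip=%s expert=%s debug=%s root=%s path=%s tests=%s\n' \
        "$quiet" "$nfs_skip" "$expert" "$debug" "$root" "$path" "$*"
}

# Both spellings from the issue give the same result:
parse_chkrootkit_opts -qn
parse_chkrootkit_opts -q -n
```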

False-positive on php composer installer

+Searching for Linux.Xor.DDoS ...                            INFECTED: Possible Malicious Linux.Xor.DDoS installed
+/tmp/composer-installer.php

$ sha256sum /tmp/composer-installer.php 
203196aedb1a3b0f563363796bbf6f647a4f8c2419bc1dfc5aa45adc1725025d  /tmp/composer-installer.php
$ dpkg -l |grep chkrootkit
ii  chkrootkit                                     0.55-4                                  amd64        rootkit detector
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.3 LTS
Release:	22.04
Codename:	jammy

Composer was downloaded from https://getcomposer.org/installer and validated against https://getcomposer.org/installer.sig

Looks like the site is down

It looks like chkrootkit.org is not accessible at the moment. Thanks!

$ curl -I http://www.chkrootkit.org/
curl: (7) Failed to connect to www.chkrootkit.org port 80: Connection refused
