Can chkrootkit detect modified (or new) rootkit versions?
If chkrootkit can’t find a known signature inside a file, it can’t automatically determine if it has been trojaned. Try to run chkrootkit in expert mode (-x option) — in this mode the user can examine suspicious strings in the binary programs that may indicate a trojan.
For example, a lot of data can be examined this way. To list the pathnames embedded inside system commands:
# ./chkrootkit -x | egrep '^/'
Detect and close network ports that are not needed.
To get a list of listening network ports (TCP and UDP sockets), you can run the following command:
# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.locald:domain *:* LISTEN 4521/named
tcp 0 0 localhost.localdoma:953 *:* LISTEN 4521/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 4553/sshd
tcp6 0 0 ::1%134628752:953 [::]:* LISTEN 4521/named
udp 0 0 *:domain *:* 4521/named
udp 0 0 localhost.locald:domain *:* 4521/named
udp 0 0 *:bootpc *:* 4884/dhclient
udp 0 0 *:34787 *:* 4574/avahi-daemon:
udp 0 0 *:mdns *:* 4574/avahi-daemon:
udp6 0 0 [::]:38224 [::]:* 4521/named
Using nmap
# nmap -sTU [remote_host]
# nmap -sTU 127.0.0.1
Starting Nmap 4.53 ( http://insecure.org ) at 2009-10-18 04:55 IST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 3196 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
953/tcp open rndc
53/udp open|filtered domain
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.608 seconds
If you leave out the UDP scan (the U in -sTU), nmap finishes the port scan immediately. Running it against the local machine also completes very quickly.
Also note that nmap might not show all listening network sockets if a firewall is being used to block ports, so compare its results with what netstat or lsof report on the host itself.
Another method to list all of the TCP and UDP sockets to which programs are listening is lsof:
# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 4521 bind 20u IPv4 12381 TCP 127.0.0.1:domain (LISTEN)
named 4521 bind 21u IPv4 12392 TCP 127.0.0.1:953 (LISTEN)
named 4521 bind 22u IPv6 12393 TCP [::1]:953 (LISTEN)
named 4521 bind 512u IPv4 12380 UDP 127.0.0.1:domain
named 4521 bind 513u IPv4 12382 UDP *:domain
named 4521 bind 514u IPv6 12383 UDP *:38224
sshd 4553 root 3u IPv6 12423 TCP *:ssh (LISTEN)
avahi-dae 4574 avahi 14u IPv4 12466 UDP *:mdns
avahi-dae 4574 avahi 15u IPv4 12467 UDP *:34787
dhclient 4884 dhcp 6u IPv4 13547 UDP *:bootpc
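The three listings above only help if they are actually compared with each other. The following script is an added example (not part of the original page) that parses captured netstat -tulp and nmap -sTU output, flags listeners whose program is not on an allowlist, and reports ports that one tool sees and the other does not: a port open on the wire but absent from the host's own socket table deserves the same attention as a chkrootkit hit, while the reverse usually means a firewall is filtering it. The sample outputs are constructed from the page's listings (plus one made-up port, 1234/tcp), and SERVICE_PORTS is an assumed subset of /etc/services.

```python
import re

# Constructed sample: netstat -tulp output trimmed from the page's listing.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.locald:domain *:* LISTEN 4521/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 4553/sshd
udp 0 0 *:bootpc *:* 4884/dhclient
udp 0 0 *:mdns *:* 4574/avahi-daemon:
"""

# Constructed sample: nmap -sTU output from the page plus a made-up port
# (1234/tcp) that the host's own socket table does not show.
NMAP_SAMPLE = """\
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
5353/udp open|filtered zeroconf
1234/tcp open unknown
"""

# Service names as netstat prints them (assumed subset of /etc/services;
# a KeyError below means this table needs another entry).
SERVICE_PORTS = {"domain": 53, "ssh": 22, "bootpc": 68, "mdns": 5353}

def parse_netstat(text):
    """Return {(proto, port): program} for each listening socket."""
    found = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue                        # header and blank lines
        proto = f[0].rstrip("6")            # tcp6/udp6 -> tcp/udp
        port = f[3].rsplit(":", 1)[1]       # text after the last ':' of Local Address
        port = int(port) if port.isdigit() else SERVICE_PORTS[port]
        found[(proto, port)] = f[-1].split("/", 1)[1].rstrip(":")
    return found

def parse_nmap(text):
    """Return the set of (proto, port) nmap reports as open or open|filtered."""
    return {(m.group(2), int(m.group(1)))
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open", text, re.M)}

def audit(netstat_text, nmap_text, allowed_programs):
    local, remote = parse_netstat(netstat_text), parse_nmap(nmap_text)
    return {
        "unexpected": sorted(k for k, p in local.items() if p not in allowed_programs),
        "hidden": sorted(remote - set(local)),    # on the wire, not in the socket table
        "filtered": sorted(set(local) - remote),  # in the socket table, not on the wire
    }
```

Calling audit(NETSTAT_SAMPLE, NMAP_SAMPLE, {"named", "sshd", "dhclient"}) flags avahi-daemon on 5353/udp as unexpected, 1234/tcp as hidden from the socket table, and 68/udp as filtered.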
One of the most important tasks is to remove any network services that are not needed from the system startup process.
On Red Hat systems you can list all services which are started at bootup using the following command:
To permanently disable e.g. the runlevel service nfs, run:
To immediately disable the runlevel service nfs, run: