Rootkit scan with CentOS Live CD
In this Tutorial I want to show you how to do a rootkit scan with a Linux Centos Live CD.
It is always a good idea to do a rootkit scan with a non compromised platform.
If there is already a rootkit on your system, than a scan with already installed scanners doesn’t give you a trustworthy result.
So booting with a Linux Live CD, installing the rootkit scanner and then doing the scan gives you a reliable result.
I use chkrootkit as scanner. This scanner detects rootkits on Linux Systems.
First of all you need to download the Centos Live CD. In example from here:
And it is necessary to burn the iso image to a CD.
Boot the System with the CD and select “Boot Centos-6.3 Live CD”.
After the System started you should press “Ctrl + Alt + F1″ to switch to the text mode.
Run the following commands:
su - – This command gives you the right to install software on the System, amongst others.
cd /tmp – change directory
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz – Download the chkrootkit tarball
tar -xzf chkrootkit.tar.gz – unpacking the compressed tarball
No Disk space is used. The software is installed on a RAM Disk.
On this point you have to mount your harddisk. The actions here depend on your disk configuration and hardware.
My root partition is installed on a SATA disk.
This disk is configured as follows:
sda1 – swap space
sda2 – this is the root partition /
sda3 – this is my home partition /home
sda4 – this is the home directory of the root user /root
The relevant files for the scan are saved on sda2.
Do the following:
mkdir /mnt/disk – creates a directory
mount /dev/sda2 /mnt/disk – provides access to the filesystem and the files on the system which I want to scan
mount /dev/sda4 /mnt/disk/root – this location will be also scanned, so it is important to grant access to it
Okay, now you are ready to scan the system:
/tmp/chkrootkit-0.49/chkrootkit -r /mnt/disk/
Normally the output should say things like “nothing found” or “not infected”.
If there is a detected rootkit do another scan with rkhunter. It could be a false positive.
Rkhunter needs to be installed and updated.
If there is a rootkit installed you should reinstall the Operatingsystem.