Zum Inhalt springen

Rootkit scan with CentOS Live CD

Februar 10, 2013

centoslogo

In this Tutorial I want to show you how to do a rootkit scan with a Linux Centos Live CD.
It is always a good idea to do a rootkit scan with a non compromised platform.
If there is already a rootkit on your system, than a scan with already installed scanners doesn’t give you a trustworthy result.
So booting with a Linux Live CD, installing the rootkit scanner and then doing the scan gives you a reliable result.
I use chkrootkit as scanner. This scanner detects rootkits on Linux Systems.

1.
First of all you need to download the Centos Live CD. In example from here:

http://gd.tuwien.ac.at/opsys/linux/centos/6.3/isos/x86_64/CentOS-6.3-x86_64-LiveCD.iso

And it is necessary to burn the iso image to a CD.

2.
Boot the System with the CD and select “Boot Centos-6.3 Live CD”.

3.
After the System started you should press “Ctrl + Alt + F1″ to switch to the text mode.

4.
Run the following commands:

su - – This command gives you the right to install software on the System, amongst others.
cd /tmp – change directory
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz – Download the chkrootkit tarball
tar -xzf chkrootkit.tar.gz – unpacking the compressed tarball

No Disk space is used. The software is installed on a RAM Disk.

5.
On this point you have to mount your harddisk. The actions here depend on your disk configuration and hardware.
My root partition is installed on a SATA disk.
This disk is configured as follows:
sda1 – swap space
sda2 – this is the root partition /
sda3 – this is my home partition /home
sda4 – this is the home directory of the root user /root

The relevant files for the scan are saved on sda2.

6.
Do the following:
mkdir /mnt/disk – creates a directory
mount /dev/sda2 /mnt/disk – provides access to the filesystem and the files on the system which I want to scan
mount /dev/sda4 /mnt/disk/root – this location will be also scanned, so it is important to grant access to it

7.
Okay, now you are ready to scan the system:
/tmp/chkrootkit-0.49/chkrootkit -r /mnt/disk/

Normally the output should say things like “nothing found” or “not infected”.

If there is a detected rootkit do another scan with rkhunter. It could be a false positive.
Rkhunter needs to be installed and updated.
If there is a rootkit installed you should reinstall the Operatingsystem.

About these ads

Von → Tutorials

Hinterlasse einen Kommentar

Kommentar verfassen

Trage deine Daten unten ein oder klicke ein Icon um dich einzuloggen:

Gravatar
WordPress.com-Logo

Du kommentierst mit Deinem WordPress.com-Konto. Abmelden / Ändern )

Twitter-Bild

Du kommentierst mit Deinem Twitter-Konto. Abmelden / Ändern )

Facebook-Foto

Du kommentierst mit Deinem Facebook-Konto. Abmelden / Ändern )

Abbrechen

Verbinde mit %s

«
»
Follow

Bekomme jeden neuen Artikel in deinen Posteingang.

%d Bloggern gefällt das: