having trouble with chrootkit...

[christi1]

Ok, have installed chrootkit and it is working when run via SSH. Only shows BINDSHELL (465) as infected, which is normall according to their website.

Went a step further and am trying to setup a cron to get it to email me with output via the little tutorial here ... this is what I just can't get going.

My cron line looks like this:
0 */2 * * * (/chrootkit*; /chrootkit 2>&1 | mail -s "chrootkit output" root)

... to run every 2 hours at the top of the hour

My chrootkit is installed in the main root directory.

Can someone tell me what I've done wrong here?

Thanks in advance.

 

[sawbuck]

Looks like you should "cd" to the chkrootkit directory like this: cd /root/chkrootkit-"version#"/
Also chkrootkit not chrootkit and a period before /chkrootkit
HTH

 

[christi1]

OH! Thank you!

Got it working with your help ... it sends a blank email? I am guessing that means it found nothing wrong.

Thanks again!

 

[sawbuck]

Chkrootkit should usually complain about port 465 (bindshell) as a false positive. Another program along this line which IMHO is more inclusive is: http://www.rootkit.nl/

 

[christi1]

Yup interesting.

I shows the bindshell error if I run it manually but still sends me a blank email.

 

[sawbuck]

You might try sending it to an offsite email address.