The Community Forums

Interact with an entire community of cPanel & WHM users!

having trouble with chrootkit...

Discussion in 'General Discussion' started by christi1, Jun 28, 2004.

  1. christi1

    christi1 Well-Known Member

    Joined:
    Oct 20, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Texas, USA
    Ok, have installed chrootkit and it is working when run via SSH. Only shows BINDSHELL (465) as infected, which is normal according to their website.

    Went a step further and am trying to set up a cron to get it to email me with output via the little tutorial here ... this is what I just can't get going.

    My cron line looks like this:
    0 */2 * * * (/chrootkit*; /chrootkit 2>&1 | mail -s "chrootkit output" root)

    ... to run every 2 hours at the top of the hour

    My chrootkit is installed in the main root directory.

    Can someone tell me what I've done wrong here?

    Thanks in advance.
     
  2. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Looks like you should "cd" to the chkrootkit directory like this: cd /root/chkrootkit-"version#"/
    Also chkrootkit not chrootkit and a period before /chkrootkit
    HTH
     
  3. christi1

    christi1 Well-Known Member

    OH! Thank you!

    Got it working with your help ... it sends a blank email? I am guessing that means it found nothing wrong.

    Thanks again!
     
  4. sawbuck

    sawbuck Well-Known Member

    Chkrootkit should usually complain about port 465 (bindshell) as a false positive. Another program along this line which IMHO is more inclusive is: http://www.rootkit.nl/
     
  5. christi1

    christi1 Well-Known Member

    Yup interesting.

    It shows the bindshell error if I run it manually but still sends me a blank email.
     
  6. sawbuck

    sawbuck Well-Known Member

    You might try sending it to an offsite email address.
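
An added example, not part of any post in this thread: a cron wrapper that applies the cd and ./chkrootkit fix and puts the scan result in the mail subject, so a run that produced no test results is reported as a failure instead of arriving as a blank message. The install path, the script name, the `--run` switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: cron wrapper for chkrootkit.
# CHKROOTKIT_DIR is a placeholder; the thread gives only /root/chkrootkit-"version#"/.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/root/chkrootkit-VERSION}"
MAILTO="${MAILTO:-root}"

# A bindshell hit on port 465 alone, which the thread treats as a false positive.
# Any other port in the list makes the line count as a finding.
KNOWN='bindshell.*INFECTED \(PORTS: +465\)$'

# Print a mail subject for the chkrootkit output passed as $1.
# Assumes default (non-quiet) output, where each test prints a "Checking" line.
subject_for() {
    # No "Checking" lines means the scan never ran (bad path, empty output).
    if ! printf '%s\n' "$1" | grep -q '^Checking '; then
        echo "chkrootkit FAILED: scan produced no test results"
        return 0
    fi
    n=$(printf '%s\n' "$1" | grep 'INFECTED' | grep -Evc "$KNOWN" || true)
    if [ "$n" -gt 0 ]; then
        echo "chkrootkit: $n finding(s) to review"
    else
        echo "chkrootkit: only expected output"
    fi
}

run_scan() {
    # cd into the install directory first, then call ./chkrootkit by relative path.
    report=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1) || true
    printf '%s\n' "$report" | mail -s "$(subject_for "$report")" "$MAILTO"
}

# Scan only when asked, e.g. from cron (script path is hypothetical):
#   0 */2 * * * /root/chkrootkit-cron.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

The full chkrootkit output stays in the mail body, so the port 465 line is still visible even when the subject reports only expected output.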
     