The Community Forums


Tweaking chkrootkit

Discussion in 'General Discussion' started by verdon, Apr 20, 2008.

  1. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Hi,

    Old server: CentOS 3.9 chkrootkit 0.47
    New server: CentOS 5 chkrootkit 0.48

    I've just moved to a new server and one difference I've noticed is that on my new server, chkrootkit is getting a much longer list of ..

    can't exec ./strings-static,
    /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/MIME/Types/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/MIME/tools/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/MIME/Lite/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Sub/Uplevel/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Module/Build/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Curses/UI/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/
    ... and so on lines

    in addition to the contents of all the cache and session files in the /tmp directory. This is a lot and is giving an error message about the size of the email.

    There were always some of these lines in the old server's report, but only about 28k of them, and none of the contents of all these standard /tmp files.

    I have a file called chkrootkit in /etc/cron.daily It contains
    Code:
    #!/bin/sh
    # run chkrootkit from its unpacked source directory and mail the quiet-mode report
    cd /root/distros/chkrootkit-0.48/ || exit 1
    ./chkrootkit -q | mail -s "Chkrootkit Daily Monitoring Log" admin@domain.com
    
    If I run ./chkrootkit 2>&1 |grep "INFECTED\|Vulnerable"| grep -v "Checking \`bindshell'... INFECTED (PORTS: 465)" in a shell, it seems to run without printing all the session files. Is there some way I can combine those?

    I'm still curious why chkrootkit is behaving differently on the two servers though. I suppose it could be different versions involved, but I wouldn't have suspected this difference.

    Rgds,
    verdon
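One way to combine the daily cron job with the interactive grep from the post, written here as an added example (it is not verdon's script and not part of chkrootkit): the chkrootkit directory, the recipient address and the constructed sample output in sample_report are assumptions, and a working local mail command is assumed as in the original.

```shell
#!/bin/sh
# Example cron.daily wrapper added here; it is not verdon's script and not
# part of chkrootkit. It runs chkrootkit, keeps only the INFECTED/Vulnerable
# lines the way the interactive grep in the post does, drops the known
# bindshell/465 line, and mails only when something is left, so /tmp and
# .packlist noise never reaches the mailbox. Paths/recipient are assumptions.
CHKROOTKIT_DIR=/root/distros/chkrootkit-0.48
RECIPIENT=admin@domain.com

# filter_report: stdin is the full chkrootkit output. Keep INFECTED/Vulnerable
# lines; drop the bindshell hit on port 465 (typically the SMTPS listener on
# a cPanel host). " *" tolerates variable spacing after "PORTS:".
# Always exits 0 so an empty result is not treated as an error.
filter_report() {
    grep -E 'INFECTED|Vulnerable' \
        | grep -v "bindshell'\.\.\. INFECTED (PORTS: *465)" || true
}

# daily_check: run chkrootkit from its source directory into a temp file and
# mail the filtered report only if it is non-empty.
daily_check() {
    tmp=$(mktemp /tmp/chkrootkit.XXXXXX) || return 1
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1 ) | filter_report > "$tmp"
    if [ -s "$tmp" ]; then
        mail -s "Chkrootkit Daily Monitoring Log" "$RECIPIENT" < "$tmp"
    fi
    rm -f "$tmp"
}

# sample_report: constructed stand-in for chkrootkit output (test data only):
# clean lines, the bindshell false positive, /tmp and .packlist noise, two hits.
sample_report() {
    cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
/tmp/sess_0123456789abcdef
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/MIME/Types/.packlist
Checking `login'... INFECTED
Checking `ifconfig'... Vulnerable
EOF
}

# Run for real only when chkrootkit is installed where we expect.
if [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
    daily_check
fi
```

Because the report is written to a temp file and checked with -s before mailing, a clean day produces no e-mail at all, and the size problem from the /tmp listing disappears with the filter.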
     
  2. verdon

    verdon Well-Known Member
    Is the project still active?

    Does anyone know if chkrootkit is still active? I've tried joining the mailing list on their site (no response). The last entry in that list's archive is a couple years old. I've tried mailing the authors (also no response).

    Is chkrootkit redundant with rkhunter also running on the server?

    Does anyone know of a better source of information about chkrootkit? There's not much on their site, and Google isn't bringing up much other than general user posts, mostly to do with false positives.

    Any knowledge would be appreciated :)
     
