Chkrootkit help

SSH to your server as admin. Do not use telnet; it should be disabled anyway.

#Change to root
su -

#Type the following

# Check the MD5 sum of the download against the checksum published by the chkrootkit project before unpacking it:

md5sum chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Every test it outputs should end in 'not found' or 'not infected'.

Important Note: If you see "Checking `bindshell'... INFECTED (PORTS:  465)", read on.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test
(ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp,
31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
Before dismissing the hit, confirm that the process listening on the reported port really is PortSentry (for example with netstat -tlnp or lsof -i); a listener on one of these ports that is not your port-binding daemon is a real finding.

cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/

Put the following in the new file:
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" [email protected]

1. Replace 'yourinstallpath' with the actual path where you unpacked chkrootkit.
2. Change 'Servername' to the name of the server you're running it on, so you know where the report is coming from.
3. Change '[email protected]' to the actual email address the script should mail the report to.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
chmod 755 /etc/cron.daily/

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/
You'll now receive a nice email with the report! This will happen every day, so you don't have to run it manually.
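The cron script above mails the whole report every day, and the bindshell note earlier means PortSentry users will see a permanent INFECTED line in it. The following wrapper is an added example (mine, not the page's script and not part of chkrootkit): it mails only the lines that are not one of the clean verdicts, and downgrades a bindshell hit to a note when every reported port is a PortSentry/klaxon decoy port and a portsentry process is running. The install path, the recipient and the "portsentry" process name are assumptions; the sample report it carries is constructed for testing.

```shell
#!/bin/sh
# Added example, not from the original page: a cron wrapper that mails only the
# chkrootkit lines needing attention and downgrades the PortSentry/klaxon
# bindshell false positive to a note. CHKROOTKIT_DIR, REPORT_TO and the
# "portsentry" process name are assumptions; edit them for your host.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/yourinstallpath/chkrootkit-0.42b}"
REPORT_TO="${REPORT_TO:-root}"
# Decoy ports PortSentry/klaxon bind (the list from the chkrootkit FAQ).
DECOY_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"
# Constructed sample in the style of chkrootkit output (not a real run).
sample_output() {
    cat <<'EOF'
Checking `ifconfig'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}
# Drop every line that carries one of the known clean verdicts.
suspicious_lines() {
    grep -v -E 'not infected|not found|nothing found|nothing detected|not tested' || true
}
# Succeed only if every port in an "INFECTED (PORTS: ...)" line is a decoy port.
bindshell_only_decoys() {
    ports=$(printf '%s\n' "$1" | sed -n 's/.*PORTS: *\([0-9 ]*\)).*/\1/p')
    [ -n "$ports" ] || return 1
    for p in $ports; do
        case " $DECOY_PORTS " in *" $p "*) ;; *) return 1 ;; esac
    done
    return 0
}
# Triage a report on stdin; $1 is "yes" when a decoy listener is running, so an
# all-decoy bindshell hit becomes a note instead of a finding.
triage_report() {
    suspicious_lines | while IFS= read -r line; do
        case "$line" in *bindshell*INFECTED*)
            if [ "$1" = yes ] && bindshell_only_decoys "$line"; then
                printf 'NOTE (decoy listener explains this): %s\n' "$line"; continue
            fi ;;
        esac
        printf '%s\n' "$line"
    done
}
main() {
    cd "$CHKROOTKIT_DIR" || exit 1
    pgrep -x portsentry >/dev/null 2>&1 && decoy=yes || decoy=no
    findings=$(./chkrootkit 2>&1 | triage_report "$decoy")
    [ -z "$findings" ] || printf '%s\n' "$findings" |
        mail -s "chkrootkit findings on $(hostname)" "$REPORT_TO"
}
case "${1:-}" in run) main ;; esac   # cron runs "script run"; no argument only defines
```

Install it with mode 755 and have the daily cron entry call it with the single argument `run`; a day with nothing to report produces no mail, so an empty inbox means a clean scan, not a broken job, only if you also monitor that cron itself is running.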