
Using Chkrootkit to Detect System Trojans

Chkrootkit is a powerful tool for scanning your *nix server for trojans and rootkits. Here I explain how to install it, scan your server, and set up a daily automated scan job that emails you the report.


#Change to root
su -

#Download latest source
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

#Unpack the source file using the command
tar xvzf chkrootkit.tar.gz

#Change to chkrootkit source directory
cd chkrootkit

#Compile chkrootkit
make sense

#To run chkrootkit, type
./chkrootkit


A clean system should return many "nothing found" or "not infected" lines. A compromised system may return "INFECTED" or "Vulnerable".

Lastly, chkrootkit should run once a day to keep the system checked. The following script, placed in /etc/cron.daily, scans the system once per day and reports any detected trojans to the specified people by email:


# cat /etc/cron.daily/chkrootkit.sh
#!/bin/bash

SYSADMIN1=admin1@email.com
SYSADMIN2=admin2@email.com

TMPDIR=/tmp
HOSTNAME=`hostname`
DATE=`date "+%d/%m/%Y %H:%M"`
CHKROOTKIT=/usr/local/chkrootkit-0.46a/chkrootkit
MAIL=mail

# Clean up before it runs. Note: a predictable file name in the world-writable
# /tmp can be pre-created by any local user, which is why the check below exists;
# mktemp would avoid the problem altogether.
rm -f "$TMPDIR/chkrootkit.$$"
if [ -f "$TMPDIR/chkrootkit.$$" ]; then
    echo "Chkrootkit temp files exist in $TMPDIR that cannot be removed. This may be an attempt to spoof the checker." | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" -c "$SYSADMIN1" "$SYSADMIN2"
    exit 1
fi

# Check for rootkits: keep only the INFECTED lines of the report
"$CHKROOTKIT" | grep INFECTED > "$TMPDIR/chkrootkit.$$"
if [ -s "$TMPDIR/chkrootkit.$$" ]; then
    # Non-empty result: mail the INFECTED lines to both admins
    $MAIL -s "$DATE - ROOTKIT DETECTED ON $HOSTNAME!" -c "$SYSADMIN1" "$SYSADMIN2" < "$TMPDIR/chkrootkit.$$"
fi

# Clean up
rm -f "$TMPDIR/chkrootkit.$$"
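As an added example that is not part of the original post, the shell functions below classify a chkrootkit report into the verdicts described above ("not infected" / "nothing found", "INFECTED", "Vulnerable", plus the packet-sniffer warning) and decide whether the daily job should send mail, which a bare `grep INFECTED` would miss for the non-INFECTED findings. The sample report is constructed, and the line shapes are an assumption about chkrootkit's output format.

```shell
#!/bin/sh
# Added example (not from the original post): classify chkrootkit output and
# decide whether to alert. Report line shapes are an assumption about the format.

# Constructed sample report (assumption: one "Checking `name'... verdict" line per test).
SAMPLE_OUTPUT=$(cat <<'EOF'
Checking `ls'... not infected
Checking `login'... INFECTED
Checking `bindshell'... not infected
Checking `lkm'... nothing found
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `chkutmp'... nothing deleted
EOF
)

# classify_chkrootkit: read a report on stdin, print one summary line with counts.
# INFECTED (upper case) is matched first so "not infected" is never miscounted.
classify_chkrootkit() {
    awk '
        /INFECTED/       { infected++;   next }
        /Vulnerable/     { vulnerable++; next }
        /PACKET SNIFFER/ { sniffer++;    next }
        /not infected|nothing found|nothing deleted|not found|not tested/ { clean++; next }
                         { other++ }
        END {
            printf "infected=%d vulnerable=%d sniffer=%d clean=%d other=%d\n",
                   infected, vulnerable, sniffer, clean, other
        }
    '
}

# should_alert: read a report on stdin; return 0 if anything worth mailing was found.
should_alert() {
    summary=$(classify_chkrootkit)
    case "$summary" in
        *"infected=0 vulnerable=0 sniffer=0"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone usage: summarise the constructed report and show the decision.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_chkrootkit
if printf '%s\n' "$SAMPLE_OUTPUT" | should_alert; then
    echo "alert: would mail the report to the sysadmins"
else
    echo "no alert"
fi
```

In the cron job above, `should_alert` would replace the `grep INFECTED`/`-s` pair, with the full report mailed when it returns 0.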
Source: http://www.linuxtone.org/thread-314-1-1.html