There is no denying that the internet is a dangerous place in terms of cybersecurity. There is countless malware out there just waiting for an unsuspecting victim to download it. Today, we will discuss a very tricky and dangerous type of malicious software, known as a rootkit.
What is a Rootkit?
A rootkit is malicious software that gives an attacker privileged, root-level (i.e., administrator) access to a system while hiding its presence from the system’s owner. It allows the perpetrator to exert complete control over your device through remote access. Here are some other things a rootkit can do to your system:
- Steal information: in the majority of rootkit attacks, cybercriminals use the rootkit to steal important data from your system. They can use it for identity theft or fraud, or simply sell it to the highest bidder.
- Deactivate security programs: some rootkits can hide from your system’s security software and even disable it completely, making malicious programs very difficult to detect and remove.
- Create permanent backdoors: unlike other malware that only steals the data currently on your computer, a rootkit can create a permanent backdoor that lets the attacker come back and regain access to your system at any time in the future.
- Invade your privacy: using a rootkit, attackers can access your microphone and camera, track your keystrokes, and even intercept your internet traffic.
As you can probably guess, even for a casual computer user, a rootkit is a frightening piece of malware to have on your computer. On the business side, a rootkit installed on a company’s systems can easily put that company out of business.
Because rootkits bury themselves deep within the operating system, it is hard to tell that they are even there. That is why anti-rootkit software exists: to help identify a rootkit if you suspect you have one.
Here are the two most popular anti-rootkit tools out there:
Chkrootkit
As per chkrootkit’s GitHub page, here is what it is:
chkrootkit is a tool to check for signs of a rootkit locally. It contains:
* chkrootkit: a shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected. Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations -- so it is also not guaranteed it will succeed in all cases. Lastly, chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of an LKM trojan. You can also run this command with the -v option (verbose).
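To make the chkproc idea concrete, here is an added example written for this article (it is not code from the chkrootkit project). It compares two views of /proc: the PIDs that readdir returns (what ps relies on) and the PIDs that answer a direct lookup of /proc/<pid> by name. A PID reachable by path but missing from the listing is a candidate for a process hidden by a kernel-module rootkit. As the README says, this is not guaranteed: a module that hooks both the directory listing and the path lookup defeats it.

```python
"""Added example, not code from the chkrootkit project: a miniature of the
chkproc idea.  Two views of /proc are compared: the PIDs that readdir returns
(what `ps` relies on) and the PIDs that answer a direct stat of /proc/<pid>.
A PID reachable by path but absent from the directory listing is a candidate
for a process hidden by a kernel-module rootkit.
"""
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs visible through readdir on /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """PIDs that exist when /proc/<pid> is looked up directly by name.

    Cost: one stat per candidate PID, so with the default pid_max of
    4194304 on modern kernels this takes a few seconds.
    """
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(pid)))}


def find_hidden_pids(listed, probed):
    """Pure comparison: PIDs reachable by path but missing from the listing."""
    return sorted(probed - listed)


def read_pid_max(proc=PROC):
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
        return int(fh.read())


def scan(proc=PROC):
    """Run the comparison live and re-check each candidate, so a process that
    started or exited between the two passes is not reported."""
    candidates = find_hidden_pids(listed_pids(proc),
                                  probed_pids(read_pid_max(proc), proc))
    confirmed = []
    for pid in candidates:
        still_there = os.path.isdir(os.path.join(proc, str(pid)))
        if still_there and pid not in listed_pids(proc):
            confirmed.append(pid)
    return confirmed


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        print("possible hidden processes:", hidden)
    else:
        print("chkproc-style check: nothing hidden from readdir")
```

Run it as root on the Linux host being checked; the pure `find_hidden_pids` function is separated out so the comparison logic can be tested without touching /proc.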
How to Install Chkrootkit on CentOS 7
Follow these simple steps to install an anti-rootkit on CentOS:
Step 1: Connect to your Linux VPS with SSH.
Step 2: Now enter the following command to update your CentOS repositories.
Step 3: Enter the following command to install the chkrootkit prerequisites (wget to download the archive, the C++ compiler and static glibc to build it).
yum install wget gcc-c++ glibc-static
Step 4: After installing the prerequisites, type the following command to download the compressed chkrootkit archive.
wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Step 5: To ensure that the file is valid and not tampered with, download and check the MD5 hash file to make sure it is not compromised.
Step 6: After downloading it, enter the following command to check the downloaded archive against the hash file.
md5sum -c chkrootkit.md5
The output of the above command should be as such:
Please Note: If you did not receive the same output above, do not install the downloaded file, as it may have been tampered with.
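The verification in Steps 5 and 6 is worth scripting so that a mismatch stops the installation instead of relying on someone reading the output. The following is an added example, not code from the article or from chkrootkit: it reimplements the `md5sum -c` check in Python. It assumes the checksum file is in the coreutils format ("HASH  FILENAME" with two spaces, or "HASH *FILENAME" for binary mode); the sample files used in testing are constructed, no real download is involved. Keep in mind what this check can and cannot do: a checksum fetched from the same server as the archive detects a corrupted or mismatched download, but not an attacker who replaced both files, so it is not a substitute for a signature.

```python
"""Added example, not from the article: the `md5sum -c` step done in Python so
a download script can verify the archive and refuse to continue on mismatch.
Assumes the coreutils checksum-file format ("HASH  FILENAME", two spaces, or
"HASH *FILENAME" for binary mode).
"""
import hashlib
import hmac
import os

HEX = set("0123456789abcdefABCDEF")


def parse_checksum_file(text):
    """Return [(hex_digest, filename), ...] from coreutils-style lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, rest = line[:32], line[32:]
        # After the digest coreutils writes a space, then ' ' (text) or '*' (binary).
        if (len(digest) != 32 or not set(digest) <= HEX
                or len(rest) < 3 or rest[0] != " " or rest[1] not in " *"):
            raise ValueError(f"malformed checksum line: {line!r}")
        entries.append((digest.lower(), rest[2:]))
    return entries


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(checksum_path, directory="."):
    """Mirror md5sum -c: {filename: "OK" | "FAILED" | "MISSING"}."""
    with open(checksum_path, encoding="utf-8") as fh:
        entries = parse_checksum_file(fh.read())
    results = {}
    for expected, name in entries:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(file_digest(path), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def all_ok(results):
    """True only if every listed file is present and matches."""
    return bool(results) and all(status == "OK" for status in results.values())


if __name__ == "__main__":
    import sys
    checks = verify(sys.argv[1] if len(sys.argv) > 1 else "chkrootkit.md5")
    for name, status in checks.items():
        print(f"{name}: {status}")
    sys.exit(0 if all_ok(checks) else 1)
```

Run it in the directory holding both files; a non-zero exit code lets the calling shell script abort before `tar` is ever reached.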
Step 7: After verifying the file, enter the following command to extract the compressed chkrootkit archive so it can be installed.
tar -xzf chkrootkit.tar.gz
Step 8: Once the above steps are complete, chkrootkit is installed on your VPS or dedicated server. You can now scan your server by entering the following command.
If you want the scan to run automatically, you only need to define a cron job.
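A cron job that simply runs chkrootkit produces a full report every night, which nobody reads. The following is an added example, not part of the article or of chkrootkit: a small wrapper that runs the scanner, keeps only lines marked INFECTED or Warning, drops lines you have already investigated, and exits non-zero so cron's mail (or your job scheduler) fires only on findings. The path to the chkrootkit binary and the sample report text are assumptions and constructed data, modelled on the scanner's "Checking `name'... result" line format.

```python
"""Added example for the cron step (not chkrootkit's own code): run the
scanner and raise an alarm only when the report contains findings.
"""
import subprocess
import sys

CHKROOTKIT = "/root/chkrootkit/chkrootkit"   # assumed: wherever you extracted it

# Lines already investigated and accepted on this host (constructed example:
# a DHCP client legitimately puts the interface in promiscuous mode).
KNOWN_BENIGN = {
    "Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])",
}

# Constructed sample report in chkrootkit's line style, used for testing.
SAMPLE_REPORT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `w55808'... not infected
Searching for suspicious files and dirs, it may take a while...
Warning: Possible LKM Trojan installed
"""


def parse_report(text, benign=KNOWN_BENIGN):
    """Split a chkrootkit report into infected lines, warnings and a check count.

    The match is case-sensitive on purpose: "not infected" must not trigger.
    """
    infected, warnings, checks = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Checking"):
            checks += 1
        if line in benign:
            continue
        if "INFECTED" in line:
            infected.append(line)
        elif "Warning" in line:
            warnings.append(line)
    return {"infected": infected, "warnings": warnings, "checks": checks}


def run_scan(binary=CHKROOTKIT):
    """Execute chkrootkit and parse its combined output."""
    proc = subprocess.run([binary], capture_output=True, text=True)
    return parse_report(proc.stdout + proc.stderr)


def main():
    report = run_scan()
    findings = report["infected"] + report["warnings"]
    if findings:
        print("chkrootkit findings:")
        for line in findings:
            print("  " + line)
        return 1
    print(f"chkrootkit: {report['checks']} checks, nothing detected")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Schedule it with an entry such as `0 3 * * * /usr/bin/python3 /root/chkrootkit_cron.py` (hypothetical path); because cron mails any output, a quiet run sends one line and a run with findings sends the offending lines.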
Rkhunter
Rkhunter (i.e., Rootkit Hunter) is a Unix-based tool that scans for rootkits. It does this by comparing SHA-1 hashes of important files with known-good hashes in online databases, and by searching for default rootkit directories, wrong permissions, hidden files, and suspicious strings in kernel modules.
How to Install Rkhunter
For CentOS 7, rkhunter can be found within the EPEL repository.
Step 1: Use the following command to install the EPEL repository:
sudo yum install -y epel-release
Step 2: Use yum to install rkhunter:
sudo yum install rkhunter
sudo rkhunter --update
sudo rkhunter --propupd
And that’s it; it is as easy as that. Some might want to manually copy the /etc/passwd and /etc/group files to /var/lib/rkhunter; however, this is done automatically upon the first scan.
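To show what `--propupd` and a later scan actually do, here is an added example written for this article (it is not rkhunter's code and does not use its property database). A baseline of the SHA-1 hash, permission bits, owner and size of a set of binaries is written to disk; a later run recomputes the properties and reports every difference, including files that vanished or appeared. The watched paths and the baseline location are assumptions. The practical caveat is the same as for rkhunter: take the baseline on a system you trust, because running the update after an infection simply blesses the rootkit's files, and store it where an attacker with root cannot quietly rewrite it.

```python
"""Added example, not rkhunter's own code: a file-property baseline in the
spirit of `rkhunter --propupd`, followed by a comparison run.
"""
import hashlib
import json
import os
import stat

WATCHED = ["/usr/bin/ls", "/usr/bin/ps", "/usr/bin/netstat", "/usr/sbin/sshd"]  # assumed
BASELINE_PATH = "/var/lib/example-rkbaseline.json"                               # assumed


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_properties(path):
    """The properties a rootkit replacing a binary is likely to disturb."""
    st = os.stat(path)
    return {
        "sha1": sha1_of(path),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(paths):
    """Like --propupd: record the current properties of every existing path."""
    return {p: file_properties(p) for p in paths if os.path.isfile(p)}


def compare(baseline, paths):
    """Return [(path, description)] for every property that differs."""
    current = build_baseline(paths)
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append((path, "missing"))
            continue
        for key, old_value in old.items():
            if new[key] != old_value:
                findings.append((path, f"{key} changed: {old_value} -> {new[key]}"))
    for path in current:
        if path not in baseline:
            findings.append((path, "not in baseline"))
    return findings


def save_baseline(baseline, path=BASELINE_PATH):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2)


def load_baseline(path=BASELINE_PATH):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--propupd":
        save_baseline(build_baseline(WATCHED))
        print("baseline written to", BASELINE_PATH)
    else:
        for path, what in compare(load_baseline(), WATCHED):
            print(f"{path}: {what}")
```

A clean comparison prints nothing; a replaced binary shows up as a changed hash and usually a changed size, while a permission-only tampering shows up under `mode`.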
A rootkit can have detrimental consequences to your computer/server, especially if the system is being used for business purposes. If you suspect that you have a rootkit on your system, it is crucial that you get some anti-rootkit software and identify and remove the malware. We hope that with the help of this article, you were able to expand your knowledge about rootkits and their dangers.