__ __ __ .-----.--.--.----.| |.--.--.--| |.-----.--| | .-----.----.-----. | -__|_ _| __|| || | | _ || -__| _ |__| _ | _| _ | |_____|__.__|____||__||_____|_____||_____|_____|__|_____|__| |___ | |_____|

[ visit www.excluded.org ]

chkrootkit howto
(c) 2003 by Takt
translated 2005 by feylamia

1. Preamble
2. Getting chkrootkit
3. Installation
4. Checking for rootkits
5. Evaluation
6. False alerts
7. Greetings


1. Preamble

In this howto I describe how to check your *nix machine for rootkits. Unfortunately chkrootkit doesn't recognize every rootkit. If you still think "my box won't be h4x0red", then you're definitely wrong. So did I, and in the end my Red Hat 9 server, which had an IP address assigned by T-Online, got rooted. I only noticed this because from one day to the next there was a new open port on the machine. Don't feel safe! Check your boxes for rootkits every once in a while. chkrootkit is a good start for this.


2. Getting chkrootkit

You can download the current version of chkrootkit from www.chkrootkit.org; it comes as a packed archive (tar.gz). Important: after downloading, all following steps have to be done as root (uid 0)!


3. Installation

We unpack the archive with "tar -xvzf filename", where filename is the name of the archive (the "f" option has to come last, because it takes the filename as its argument). Not too hard, is it? After this, we change into the directory we just unpacked with "cd chkrootkit*". Since this directory only contains the source code, we now need to compile chkrootkit, which is simply done by typing "make". This finishes our installation.


4. Checking for rootkits

To check our box for rootkits, we now just type "./chkrootkit". This HAS to be done as root, because otherwise the tool has no access to /dev/kmem or the other devices needed for the tests.


5. Evaluation

If the output contains something like "INFECTED" or similar, you can be quite sure you have a rootkit on your box.
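To make the steps from sections 2 to 5 repeatable (for example from cron), here is a small POSIX shell wrapper as an added example. It is not part of Takt's original howto and not part of chkrootkit itself. The script name chkrootkit-wrap.sh and the path you pass as its argument are placeholders; the "report" it classifies when run without arguments is a constructed sample, not output captured from a real machine. It assumes that chkrootkit marks its findings with lines containing "INFECTED", "PACKET SNIFFER" or "Warning", which is how the tool's text output reads, and it adds an independent check of the promiscuous-mode hint from section 5 via the IFF_PROMISC bit (0x100) that the Linux kernel exports in /sys/class/net/<interface>/flags.

```sh
#!/bin/sh
# chkrootkit-wrap.sh - added example, not part of the original howto or of
# chkrootkit. Runs chkrootkit as root and turns its text report into an exit
# status, so a cron job or a monitoring script can react to it.
#
# Assumptions (not from the page): findings appear as lines containing
# "INFECTED", "PACKET SNIFFER" / "PROMISC" or "Warning"; the path given as
# $1 points at the "./chkrootkit" script inside the unpacked source directory.

# Constructed sample report (not captured from a real system), used when the
# script is started without arguments.
SAMPLE_REPORT='Checking ls... not infected
Checking netstat... INFECTED
Checking sniffer... eth0: PACKET SNIFFER(/usr/sbin/tcpdump[4242])
Checking lkm... chkproc: Warning: Possible LKM Trojan installed
Checking bindshell... not infected'

# Classify a chkrootkit report read from stdin. Prints the suspicious lines
# and returns 0 (clean), 1 (at least one INFECTED line) or 2 (warnings only,
# e.g. a sniffer or an interface in promiscuous mode: review by hand, see
# sections 5 and 6). Lines saying "not infected" are lowercase and therefore
# do not match the INFECTED pattern.
classify_report() {
    infected=0
    warnings=0
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*)
                printf 'ALERT   %s\n' "$line"
                infected=$((infected + 1)) ;;
            *"PACKET SNIFFER"*|*PROMISC*|*Warning*)
                printf 'REVIEW  %s\n' "$line"
                warnings=$((warnings + 1)) ;;
        esac
    done
    [ "$infected" -gt 0 ] && return 1
    [ "$warnings" -gt 0 ] && return 2
    return 0
}

# Run chkrootkit (section 4: it has to run as root) and classify its output.
# Returns 3 when not root, otherwise the classification status.
run_check() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_check: chkrootkit has to run as root (uid 0)" >&2
        return 3
    fi
    "$1" | classify_report
}

# Independent check for section 5's promiscuous-mode hint: the kernel exports
# each interface's IFF_* flags in /sys/class/net/<if>/flags, and IFF_PROMISC
# is bit 0x100. Succeeds if the given flags value has that bit set.
is_promisc_flags() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Print the names of all interfaces currently in promiscuous mode (prints
# nothing on systems without /sys/class/net).
list_promisc_interfaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc_flags "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Usage: ./chkrootkit-wrap.sh /path/to/chkrootkit   (real run, as root)
#        ./chkrootkit-wrap.sh                       (classify the sample)
status=0
if [ $# -gt 0 ]; then
    run_check "$1" || status=$?
else
    printf '%s\n' "$SAMPLE_REPORT" | classify_report || status=$?
fi
echo "promiscuous interfaces: $(list_promisc_interfaces | tr '\n' ' ')"
echo "classification status: $status (0 clean, 1 infected, 2 review, 3 not root)"
```

For a real cron job, replace the last echo with "exit $status" so that the mailer or monitoring system sees a nonzero status whenever something needs a look; status 2 is exactly the "don't follow the software blindly, but don't ignore it either" case from section 6, so it should reach a human rather than an automatic reaction.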
Also, a network interface in promiscuous mode may be a sign of an intrusion, of course only if you didn't put it into promiscuous mode yourself.


6. False alerts

It can happen that chkrootkit reports a rootkit which in fact isn't one. Mostly this is the case if you replaced or modified programs so that they now resemble a rootkit's versions. So don't follow the software blindly, but on the other hand, don't ignore the warnings either: check your system for empty logfiles and the like.


7. Greetings

Greetz to:
-Chrisco: "whazzup man?"
-maRc: "you tried HLTV?"
-l0om: "in Berlin we will be at the kickoff"
-XNet: "ggggg"
-Lari: "hey you :)"
-and everyone else I forgot here

Copying permitted, changes prohibited!
Takt