Linux security – rootkit scanner

Another useful tool for scanning files on Linux-based file-sharing and web servers is chkrootkit, a simple rootkit scanner.
Once the package is installed, simply run:

#chkrootkit
 ROOTDIR is `/'
 Checking `amd'... not found
 Checking `basename'... not infected
 Checking `biff'... not found
 Checking `chfn'... not infected
 Checking `chsh'... not infected
 Checking `cron'... not infected
 .
 .
 .
 .
 .
 Searching for 64-bit Linux Rootkit ... nothing found
 Searching for 64-bit Linux Rootkit modules... nothing found
 Searching for suspect PHP files... nothing found
 Searching for anomalies in shell history files... nothing found
 Checking `asp'... not infected
 Checking `bindshell'... not infected
 Checking `lkm'... chkproc: nothing detected
 Checking `rexedcs'... not found
 Checking `w55808'... not infected
 Checking `wted'... chkwtmp: nothing deleted
 Checking `scalper'... not infected
 Checking `slapper'... not infected
 Checking `z2'... chklastlog: nothing deleted
 Checking `chkutmp'... The tty of the following user process(es) were not found
 in /var/run/utmp !
 ! RUID PID TTY CMD
 ! root 13979 pts/0 -bash
 ! root 13990 pts/2 -bash
 ! root 15095 pts/2 /bin/sh /usr/sbin/chkrootkit
 ! root 15745 pts/2 ./chkutmp
 ! root 15747 pts/2 ps axk tty,ruser,args -o tty,pid,ruser,args
 ! root 15746 pts/2 sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
 chkutmp: nothing deleted
 Checking `OSX_RSPLUG'... not infected

Linux security – Antivirus

Just a quick note on scanning files on Linux. By far the most popular AV program on Linux is ClamAV. To install it (Debian):

apt-get install clamav clamav-daemon

Run the initial AV definition update:

# freshclam
ClamAV update process started at Sun Mar 27 13:55:19 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1
DON'T PANIC! Read http://www.clamav.net/support/faq
Empty script main-56.cdiff, need to download entire database
Downloading daily.cvd [100%]
daily.cvd updated (version: 21475, sigs: 83902, f-level: 63, builder: jesler)
Downloading bytecode-272.cdiff [100%]
Downloading bytecode-273.cdiff [100%]
Downloading bytecode-274.cdiff [100%]
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
Database updated (4302737 signatures) from db.local.clamav.net (IP: 129.67.1.218)
Clamd successfully notified about the update.

Now, to scan a folder and display a list of infected files, run:

clamscan -r -i /folder/to/scan

Once the scan is completed, a scan summary will be displayed:

----------- SCAN SUMMARY -----------
Known viruses: 4297365
Engine version: 0.99
Scanned directories: 60
Scanned files: 318
Infected files: 0
Data scanned: 805.54 MB
Data read: 27979.70 MB (ratio 0.03:1)
Time: 55.183 sec (0 m 55 s)
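As an added example (not part of the original post or of either project), here is a cron-friendly wrapper that ties the two sections together: it runs chkrootkit and clamscan -r -i, picks out chkrootkit's INFECTED lines and the "Infected files" count from the SCAN SUMMARY shown above, and exits non-zero on any hit. The log location is an assumption, and the sample outputs at the bottom are constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: wrap chkrootkit and clamscan -r -i,
# interpret their output and exit non-zero on any hit. The log path is an
# assumption; the SAMPLE_* values below are constructed test data.

# chkrootkit marks positive findings with the word INFECTED; pass those lines through.
chkrootkit_hits() {
    grep 'INFECTED' || true
}

# Extract the number after "Infected files:" from a clamscan SCAN SUMMARY on stdin.
# Prints -1 if no summary line is present (scan aborted or output truncated).
infected_count() {
    awk -F': ' '/^Infected files:/ { gsub(/[^0-9]/, "", $2); print $2; found=1 }
                END { if (!found) print "-1" }'
}

# clamscan exit codes: 0 = no virus found, 1 = virus(es) found, 2 = error.
verdict_for_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Run both scanners against a directory; print one result line per tool.
scan_host() {
    dir="$1"
    log="${2:-/var/log/avscan-$(date +%Y%m%d).log}"   # assumed log location
    hits=$(chkrootkit 2>&1 | tee -a "$log" | chkrootkit_hits)
    [ -n "$hits" ] && echo "chkrootkit: $hits"
    status=0
    clamscan -r -i "$dir" >> "$log" 2>&1 || status=$?
    echo "clamscan: $(verdict_for_status "$status") infected=$(infected_count < "$log")"
    [ -z "$hits" ] && [ "$status" -eq 0 ]
}

# Constructed samples in the shape each tool prints (quotes omitted for shell safety).
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 4297365
Scanned files: 318
Infected files: 2
Time: 55.183 sec (0 m 55 s)'
SAMPLE_CHKROOTKIT='Checking basename... not infected
Checking chfn... INFECTED
Searching for suspect PHP files... nothing found'
```

Call `scan_host /folder/to/scan` from cron and alert on a non-zero exit; `printf '%s\n' "$SAMPLE_SUMMARY" | infected_count` prints 2 for the constructed summary.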