                             chkrootkit V. 0.30
                   by Nelson Murilo, nelson@pangeia.com.br

          This program locally checks for signs of a rootkit.
         chkrootkit is available at: http://www.chkrootkit.org/


                 No illegal activities are encouraged!
         I'm not responsible for anything you may do with it.

           This tool includes software developed by the
           DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp),
           and small portions of ifconfig developed by
           Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>.


 1. What's chkrootkit?
 ---------------------

 chkrootkit is a tool to locally check for signs of a rootkit.  It
 contains:

 * chkrootkit: a shell script that checks system binaries for
   rootkit modification.  The following commands are examined:

   basename, biff, chfn, chsh, cron, date, dirname, du, echo, env,
   find, fingerd, grep, identd, ifconfig, inetd, killall, login, ls,
   mail, netstat, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo,
   rshd, sendmail, sshd, su, syslogd, tar, tcpd, telnetd, timed, top,
   traceroute, write.

 * ifpromisc.c: checks if the network interface is in promiscuous
   mode.

 * chklastlog.c: checks for lastlog deletions.

 * chkwtmp.c: checks for wtmp deletions.

 * chkproc.c: checks for signs of LKM trojans.

 chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
 and lastlog files, but it is *not* guaranteed that any modification
 will be detected.
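 The kind of check chkwtmp attempts, as an added example that is not the
 chkwtmp.c shipped with chkrootkit: log cleaners usually zero a record
 in place rather than shrink the file, and wtmp is append-only, so a
 zeroed record or a timestamp that goes backwards is worth flagging.  The
 record layout and the sample records are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for the fields of struct utmp that the check needs. */
struct wtmp_rec {
    char     ut_user[32];
    char     ut_line[32];
    uint32_t ut_time;   /* login time, seconds since the epoch */
};

/* Walk the records in file order and return how many look tampered with. */
int chk_wtmp(const struct wtmp_rec *recs, size_t n)
{
    static const struct wtmp_rec zero = { "", "", 0 };   /* all-zero reference */
    uint32_t last_time = 0;
    int suspicious = 0;

    for (size_t i = 0; i < n; i++) {
        /* A record that is entirely zero is the classic wiper signature. */
        if (memcmp(&recs[i], &zero, sizeof zero) == 0) {
            printf("record %zu: zeroed entry (possible deletion)\n", i);
            suspicious++;
            continue;
        }
        /* wtmp is append-only, so timestamps must never go backwards. */
        if (recs[i].ut_time < last_time) {
            printf("record %zu: time goes backwards (%s on %s)\n",
                   i, recs[i].ut_user, recs[i].ut_line);
            suspicious++;
        }
        last_time = recs[i].ut_time;
    }
    return suspicious;
}

/* Constructed sample: one wiped record and one out-of-order record. */
static const struct wtmp_rec sample[] = {
    { "alice", "pts/0", 1000 },
    { "bob",   "pts/1", 1100 },
    { "",      "",      0    },   /* wiped by a log cleaner */
    { "carol", "pts/2", 1200 },
    { "dave",  "pts/3", 1150 },   /* earlier than the record before it */
};

int sample_hits(void) { return chk_wtmp(sample, sizeof sample / sizeof sample[0]); }

int main(void) { printf("%d suspicious record(s)\n", sample_hits()); return 0; }
```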

 Aliens tries to find sniffer logs and rootkit config files.  It looks
 for some default file locations -- so it is also not guaranteed it
 will succeed in all cases.

 chkproc checks if /proc entries are hidden from ps and the readdir
 system call.  This could be the indication of an LKM trojan.  You can
 also run this command with the -v option (verbose).

 The following rootkits and worms are currently detected: Solaris
 rootkit, FreeBSD rootkit, lrk3, lrk4, lrk5, lrk6, t0rn, some lrk
 variants, Ambient's Rootkit for Linux (ARK), Ramen Worm,
 rh[67]-shaper, RSHA, Romanian rootkit, RK17 and the Lion Worm.

 chkrootkit has been tested on: Linux 2.0.x, 2.2.x, FreeBSD 2.2.x, 3.x
 and 4.0, Solaris 2.5.1, OpenBSD 2.x.


 2. Package Contents
 -------------------

 README
 README.chklastlog
 README.chkwtmp
 COPYRIGHT
 chkrootkit.lsm

 Makefile
 chklastlog.c
 chkproc.c
 chkwtmp.c
 ifpromisc.c

 chkrootkit


 3. Installation
 ---------------

 To compile the C programs type:

 # make sense

 After that it is ready to use and you can simply type:

 # ./chkrootkit


 4. Usage
 --------

 chkrootkit must run as root.  The simplest way is:

 # ./chkrootkit

 This will perform all tests.  You can also specify only the tests you
 want, as shown below:

 Usage: ./chkrootkit [options] [testname ...]
 Options:
         -h                show this help and exit
         -V                show version information and exit
         -l                show available tests
         -d                debug
         -x                expert mode
         -r dir            use dir as the root directory
         -p dir1:dir2:dirN path for the external commands used by chkrootkit

 Where testname stands for one or more from the following list:

 asp, bindshell, z2, wted, sniffer, aliens, lkm, basename, biff, chfn,
 chsh, cron, date, du, dirname, Echo, env, find, fingerd, grep, su,
 ifconfig, inetd, identd, killall, login, ls, mail, netstat, passwd,
 pidof, pop2, pop3, ps, pstree, rpcinfo, rshd, sendmail, sshd,
 syslogd, tar, tcpd, top, telnetd, timed, traceroute, write

 For example, the following command checks for trojaned ps and ls
 binaries and also checks if the network interface is in promiscuous
 mode.

   # ./chkrootkit ps ls sniffer

 With the `-x' option the user can examine suspicious strings in the
 binary programs that may indicate a trojan -- all the analysis is
 left to the user.

 Lots of data can be seen with:

   # ./chkrootkit -x | more

 Pathnames inside system commands:

   # ./chkrootkit -x | egrep '^/'

 chkrootkit uses the following commands to make its tests: awk, cut,
 egrep, find, head, id, ls, netstat, ps, strings, sed, uname.  It is
 possible, with the `-p' option, to supply an alternate path to
 chkrootkit so it won't use the system's (possibly) compromised
 binaries to make its tests.

 To use, for example, binaries in /cdrom/bin:

   # ./chkrootkit -p /cdrom/bin

 It is possible to add more paths with a `:'

   # ./chkrootkit -p /cdrom/bin:/floppy/mybin

 Sometimes it is a good idea to mount the disk from a compromised machine
 on a machine you trust.  Just mount the disk and specify a new
 rootdir with the `-r' option.

 For example, suppose the disk you want to check is mounted under
 /mnt, then:

   # ./chkrootkit -r /mnt


 5. A trojaned command has been found.  What should I do now?
 ------------------------------------------------------------

 Your biggest problem is that your machine has been compromised and
 this bad guy has root privileges.

 Maybe you can solve the problem by just replacing the trojaned
 command -- the best way is to reinstall the machine from a safe media
 and to follow your vendor's security recommendations.


 6. Reports and questions
 ------------------------

 Please send comments, questions and bug reports to
 nelson@pangeia.com.br.

 A simple FAQ and related information about rootkits and security can
 be found at chkrootkit's homepage, http://www.chkrootkit.org.


 7. Acknowledgments
 ------------------

 Agustin Navarro, anavarro@vip.eniac.com (debug help)
 Alberto Courrege Gomide, gomide@gomide.com (debug help)
 Andre Gustavo de Carvalho Albuquerque, gustavo@visualnet.com.br
 (debug help, performance and Solaris patches)
 Dave Ansalvish, davea@jcs.mil (Solaris debug help)
 Bruno Lopes, bruno@openline.com.br (debug help)
 Daniel Lafraia, lafraia@iron.com.br (source code addition)
 Josh Karp, jkarp@jother.com (debug help for Solaris 8)
 Klaus Steding-Jessen, jessen@acm.org (debug help, lots of good
 suggestions and Perl code for LKM checks)
 Paulo C. Marques F., paul@u-netsys.com.br (debug help)
 Pedro Vazquez, vazquez@iqm.unicamp.br (lots of good suggestions)
 Richard Eisenman, richarde@tricity.wsu.edu (Red Hat support)
 Manfred Bartz, mob@logi.cc (debug help)
 Luiz E. R. Cordeiro, cordeiro@iqm.unicamp.br (debug help)
 Vince Hillier, vince@lansystems.com (debug help)


 8. ChangeLog
 ------------

 02/20/1997 - Initial release
 02/25/1997 - Version 0.4, formal testing.
 03/30/1997 - Version 0.5, suspect files routine added.
 06/11/1997 - Version 0.6, minor fixes and Debian compatibility.
 06/24/1997 - Version 0.7, FreeBSD compatibility fixed.
 08/07/1997 - Version 0.8, yet another FreeBSD compatibility and
                           RedHat PAM fixed.
 04/02/1998 - Version 0.9, new r00tkits versions support.
 07/03/1998 - Version 0.10, other types of r00tkits supported.
 10/15/1998 - Version 0.11, bug found by Alberto Courrege Gomide fixed.
 11/30/1998 - Version 0.12, lrk4 support added.
 12/26/1998 - Version 0.13, minor fixes for Red Hat and glibc users.
 06/14/1999 - Version 0.14, Sun/Solaris initial support added.
 04/29/2000 - Version 0.15, lrk5 features added and minor fixes.
 07/09/2000 - Version 0.16, new r00tkits types support and contrib patches.
 09/16/2000 - Version 0.17, more contrib patches, rootkit types and
                            Loadable Kernel Modules (LKM) trojan checking
                            added.
 10/08/2000 - Version 0.18, new rootkits types support and many bug fixes.
 12/24/2000 - Version 0.19, -r, -p, -l options added.  ARK support
                            added.  Some bug fixes.
 01/18/2001 - Version 0.20, Ramen Worm and latest t0rnkit detection,
                            temporary check for promisc mode disabled
                            on Solaris boxes.
 01/19/2001 - Version 0.21, Corrects a bug in the Ramen Worm detection.
 01/26/2001 - Version 0.22, chklastlog core dump bug fixed, login and
                            bindshell false positives fixed, cron test
                            improvement.
 03/12/2001 - Version 0.23, lrk6, rh[67]-shaper, RSHA and Romanian
                            rootkit detection.  Test for shell history
                            file anomalies.  More ports added to the
                            bindshell test.
 03/15/2001 - Version 0.23a, fixes a bug found in the cron and
                             bindshell tests.
 03/22/2001 - Version 0.30, lots of new tests added.  RK17 and Lion
                            Worm detection.

 -------------- Thx for using chkrootkit ----------------
