Checking for Root Kits on FreeBSD
Whether one uses a FreeBSD Server at home, at the office, or rents a dedicated server, it is important to scan for dangerous root kits especially if the server is facing the internet. In the FreeBSD Ports Collection, two root kit ports are available: revealrk and rkhunter. For this post, rkhunter was chosen.
Prerequisites:
In order to install rkhunter and the associated dependencies, especially the port sysutils/lsof, kernel sources must be installed in /usr/src. Although the kernel sources can be installed in a variety of ways, installing subversion provides added functionality for the future.
# cd /usr/ports/devel/subversion # make install clean
To update to the latest release:
# svn checkout svn://svn0.us-east.FreeBSD.org/base/release/10.0.0 /usr/src
To find paths to other repositories you can checkout http://svnweb.freebsd.org. For a complete list of FreeBSD subversion mirrors, please consult the Appendix on Subversion in the FreeBSD Handbook.
Once the source tree is checked out, the patch and options used are stored in /usr/src/.svn directory. Now, all it takes to update the FreeBSD source tree in the future is the following command:
# svn up /usr/src
The previous command updates the source to the latest revision and copies only the newer file changes. To find out the revision number of the source, issue the following command:
# svn info /usr/src Path: usr/src Working Copy Root Path: /usr/src URL: svn://svn0.us-east.freebsd.org/base/release/10.0.0 Relative URL: ^/release/10.0.0 Repository Root: svn://svn0.us-east.freebsd.org/base Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f Revision: 273281 Node Kind: directory Schedule: normal Last Changed Author: gjb Last Changed Rev: 260789 Last Changed Date: 2014-01-16 12:43:50 -0600 (Thu, 16 Jan 2014)
Of course, subversion can be utilized to update ports, docs, etc. Please refer to the section in the FreeBSD Handbook regarding subversion as well as the man pages.
Installing rkhunter:
# cd /usr/ports/security/rkhunter # make install clean
Check for Database Updates:
# rkhunter --update [ Rootkit Hunter version 1.4.2 ] Checking rkhunter data files... Checking file mirrors.dat [ No update ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ No update ] Checking file i18n/de [ No update ] Checking file i18n/en [ No update ] Checking file i18n/tr [ No update ] Checking file i18n/tr.utf8 [ No update ] Checking file i18n/zh [ No update ] Checking file i18n/zh.utf8 [ No update ]
Run a complete scan:
# rkhunter -c [ Rootkit Hunter version 1.4.2 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ Warning ] /usr/local/sbin/lsof [ OK ] /usr/local/bin/perl [ OK ] /usr/local/bin/rkhunter [ OK ] /usr/local/bin/wget [ OK ] /usr/local/bin/perl5.16.3 [ OK ] /sbin/dmesg [ OK ] /sbin/fsck [ OK ] /sbin/ifconfig [ OK ] /sbin/init [ OK ] /sbin/md5 [ OK ] /sbin/mount [ OK ] /sbin/nologin [ OK ] /sbin/ping [ OK ] /sbin/route [ OK ] /sbin/sha1 [ OK ] /sbin/sha256 [ OK ] /sbin/sha512 [ OK ] /sbin/sysctl [ OK ] /sbin/kldload [ OK ] /sbin/kldstat [ OK ] /sbin/kldunload [ OK ] /bin/cat [ OK ] /bin/chmod [ OK ] /bin/cp [ OK ] /bin/csh [ OK ] /bin/date [ OK ] /bin/df [ OK ] /bin/echo [ OK ] /bin/ed [ OK ] /bin/kill [ OK ] /bin/ls [ OK ] /bin/mv [ OK ] /bin/pgrep [ OK ] /bin/pkill [ OK ] /bin/ps [ OK ] /bin/pwd [ OK ] /bin/sh [ OK ] /bin/test [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/amd [ OK ] /usr/sbin/chown [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/cron [ OK ] /usr/sbin/inetd [ OK ] /usr/sbin/newsyslog [ OK ] /usr/sbin/nologin [ OK ] /usr/sbin/sshd [ OK ] /usr/sbin/syslogd [ OK ] /usr/sbin/vipw [ OK ] /usr/sbin/watch [ OK ] /usr/bin/awk [ OK ] /usr/bin/basename [ OK ] /usr/bin/cut [ OK ] /usr/bin/diff [ OK ] /usr/bin/dirname [ OK ] /usr/bin/du [ OK ] /usr/bin/egrep [ OK ] /usr/bin/env [ OK ] /usr/bin/fgrep [ OK ] /usr/bin/file [ OK ] /usr/bin/find [ OK ] /usr/bin/fuser [ OK ] /usr/bin/grep [ OK ] /usr/bin/groups [ OK ] /usr/bin/head [ OK ] /usr/bin/id [ OK ] /usr/bin/killall [ OK ] /usr/bin/last [ OK ] /usr/bin/ldd [ OK ] /usr/bin/less [ OK ] /usr/bin/locate [ OK ] /usr/bin/logger [ OK ] /usr/bin/login [ OK ] /usr/bin/mail [ OK ] /usr/bin/mktemp [ OK ] /usr/bin/more [ OK ] /usr/bin/netstat [ OK ] /usr/bin/newgrp [ OK ] /usr/bin/passwd [ OK ] /usr/bin/perl [ OK ] /usr/bin/pgrep [ OK ] /usr/bin/pkill [ OK ] /usr/bin/readlink [ OK ] /usr/bin/sed [ OK ] /usr/bin/size [ OK ] /usr/bin/sockstat [ OK ] /usr/bin/sort [ OK ] /usr/bin/ssh [ OK ] /usr/bin/stat [ OK ] /usr/bin/strings [ OK ] /usr/bin/su [ OK ] /usr/bin/systat [ OK ] /usr/bin/tail [ OK ] /usr/bin/telnet [ OK ] /usr/bin/top [ OK ] /usr/bin/touch [ OK ] /usr/bin/tr [ OK ] /usr/bin/uname [ OK ] /usr/bin/uniq [ OK ] /usr/bin/users [ OK ] /usr/bin/vmstat [ OK ] /usr/bin/w [ OK ] /usr/bin/wc [ OK ] /usr/bin/whatis [ OK ] /usr/bin/whereis [ OK ] /usr/bin/which [ OK ] /usr/bin/who [ OK ] /usr/bin/whoami [ OK ] /usr/bin/fstat [ OK ] /usr/bin/procstat [ OK ] /usr/libexec/tcpd [ OK ] /usr/local/etc/rkhunter.conf [ OK ] [Press <ENTER> to continue] Checking for rootkits... Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] Adore Rootkit [ Not found ] aPa Kit [ Not found ] Apache Worm [ Not found ] Ambient (ark) Rootkit [ Not found ] Balaur Rootkit [ Not found ] BeastKit Rootkit [ Not found ] beX2 Rootkit [ Not found ] BOBKit Rootkit [ Not found ] cb Rootkit [ Not found ] CiNIK Worm (Slapper.B variant) [ Not found ] Danny-Boy's Abuse Kit [ Not found ] Devil RootKit [ Not found ] Dica-Kit Rootkit [ Not found ] Dreams Rootkit [ Not found ] Duarawkz Rootkit [ Not found ] Enye LKM [ Not found ] Flea Linux Rootkit [ Not found ] FreeBSD Rootkit [ Not found ] Fu Rootkit [ Not found ] Fuck`it Rootkit [ Not found ] GasKit Rootkit [ Not found ] Heroin LKM [ Not found ] HjC Kit [ Not found ] ignoKit Rootkit [ Not found ] IntoXonia-NG Rootkit [ Not found ] Irix Rootkit [ Not found ] Jynx Rootkit [ Not found ] KBeast Rootkit [ Not found ] Kitko Rootkit [ Not found ] Knark Rootkit [ Not found ] ld-linuxv.so Rootkit [ Not found ] Li0n Worm [ Not found ] Lockit / LJK2 Rootkit [ Not found ] Mood-NT Rootkit [ Not found ] MRK Rootkit [ Not found ] Ni0 Rootkit [ Not found ] Ohhara Rootkit [ Not found ] Optic Kit (Tux) Worm [ Not found ] Oz Rootkit [ Not found ] Phalanx Rootkit [ Not found ] Phalanx2 Rootkit [ Not found ] Portacelo Rootkit [ Not found ] R3dstorm Toolkit [ Not found ] RH-Sharpe's Rootkit [ Not found ] RSHA's Rootkit [ Not found ] Scalper Worm [ Not found ] Sebek LKM [ Not found ] Shutdown Rootkit [ Not found ] SHV4 Rootkit [ Not found ] SHV5 Rootkit [ Not found ] Sin Rootkit [ Not found ] Slapper Worm [ Not found ] Sneakin Rootkit [ Not found ] 'Spanish' Rootkit [ Not found ] Suckit Rootkit [ Not found ] Superkit Rootkit [ Not found ] TBD (Telnet BackDoor) [ Not found ] TeLeKiT Rootkit [ Not found ] T0rn Rootkit [ Not found ] trNkit Rootkit [ Not found ] Trojanit Kit [ Not found ] Turtle Rootkit [ Not found ] Tuxtendo Rootkit [ Not found ] URK Rootkit [ Not found ] Vampire Rootkit [ Not found ] VcKit Rootkit [ Not found ] Volc Rootkit [ Not found ] Xzibit Rootkit [ Not found ] zaRwT.KiT Rootkit [ Not found ] ZK Rootkit [ Not found ] [Press <ENTER> to continue] Performing additional rootkit checks Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ None found ] Performing malware checks Checking running processes for suspicious files [ None found ] Checking for login backdoors [ None found ] Checking for suspicious directories [ None found ] Checking for sniffer log files [ None found ] Performing trojan specific checks Checking for enabled inetd services [ OK ] Performing FreeBSD specific checks Checking sockstat and netstat commands [ OK ] Checking for KLD backdoors [ OK ] Checking package database [ Skipped ] [Press <ENTER> to continue] Checking the network... Performing checks on the network ports Checking for backdoor ports [ None found ] Performing checks on the network interfaces Checking for promiscuous interfaces [ None found ] Checking the local host... Performing system boot checks Checking for local host name [ Found ] Checking for system startup files [ Found ] Checking system startup files for malware [ None found ] Performing group and account checks Checking for passed file [ Found ] Checking for root equivalent (UID 0) accounts [ None found ] Checking for passwordless accounts [ None found ] Checking for passwd file changes [ None found ] Checking for group file changes [ None found ] Checking root account shell history files [ OK ] Performing system configuration file checks Checking for an SSH configuration file [ Found ] Checking if SSH root access is allowed [ Not set ] Checking if SSH protocol v1 is allowed [ Not set ] Checking for a running system logging daemon [ Found ] Checking for a system logging configuration file [ Found ] Checking if syslog remote logging is allowed [ Not allowed ] Performing filesystem checks Checking /dev for suspicious file types [ None found ] Checking for hidden files and directories [ None found ] [Press <ENTER> to continue] Checking application versions... Checking version of Apache [ OK ] Checking version of OpenSSL [ OK ] Checking version of PHP [ OK ] Checking version of OpenSSH [ OK ] System checks summary ===================== File properties checks... Required commands check failed Files checked: 112 Suspect files: 0 Rootkit checks... Rootkits checked : 379 Possible rootkits: 0 Applications checks... Applications checked: 4 Suspect applications: 0 The system checks took: 1 minute and 2 seconds All results have been written to the log file: /var/log/rkhunter.log One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)
Summary:
Installing and running rkhunter is straight forward and relatively easy, however, installing and using subversion can be a little tricky. In any case, using subversion to update ports or source can be rewarding especially if custom kernels are in your future. At least now, confidence is high that our internet facing servers are root kit free.
Additional Resources:
http://rkhunter.sourceforge.net
man rkhunter