The FreeBSD Ports Archive



FreeBSD security : chkrootkit

A tool to locally check for signs of a rootkit

  Chkrootkit is a tool to locally check for signs of a rootkit.
 -------------------------------------------------------------

 It contains:

 * chkrootkit: a shell script that checks system binaries for
   rootkit modification.
 * ifpromisc.c: checks if the network interface is in promiscuous
   mode.
 * chklastlog.c: checks for lastlog deletions.
 * chkwtmp.c: checks for wtmp deletions.
 * check_wtmpx.c: checks for wtmpx deletions.  (Solaris only)
 * chkproc.c: checks for signs of LKM trojans.
 * chkdirs.c: checks for signs of LKM trojans.
 * strings.c: quick and dirty strings replacement.
 * chkutmp.c: checks for utmp deletions.

 For an updated list of rootkits, worms and LKMs detected by
 chkrootkit please visit: http://www.chkrootkit.org/

Nelson Murilo 
Klaus Steding-Jessen  

http://www.chkrootkit.org/



chkrootkit history


v. 1.27
date: 2006/11/24 22:58:31;  author: miwi;  state: Exp;  lines: +22 -2
- Update to 0.47

PR:		ports/105816
Submitted by:	Luiz Eduardo Roncato Cordeiro  (maintainer)

v. 1.26
date: 2006/05/13 04:15:00;  author: edwin;  state: Exp;  lines: +0 -2
Remove USE_REINPLACE from all categories starting with S

v. 1.25
date: 2005/10/28 16:50:11;  author: garga;  state: Exp;  lines: +1 -3
- Unbreak: Update to 0.46a

Approved by:	maintainer

v. 1.24
date: 2005/10/28 12:07:35;  author: garga;  state: Exp;  lines: +2 -0
chkproc sends a 25 signal to init causing a reboot after a 30s sleep
Mark it as BROKEN until the problem is fixed.

Submitted by:	maintainer (by email)

v. 1.23
date: 2005/10/27 14:30:29;  author: garga;  state: Exp;  lines: +1 -1
- Update to 0.46

Approved by:	maintainer

v. 1.22
date: 2005/04/14 18:42:15;  author: leeym;  state: Exp;  lines: +21 -10
- Update to chkrootkit version 0.45 [1]
- utilize PORTDOCS, DOCSDIR and PLIST_FILES

PR:		[1] 79865
Submitted by:	[1] Luiz Eduardo Roncato Cordeiro

v. 1.21
date: 2004/09/02 11:42:23;  author: pav;  state: Exp;  lines: +1 -3
- Update to 0.44

PR:		ports/71249
Submitted by:	Luiz Eduardo Roncato Cordeiro (maintainer)

v. 1.20
date: 2004/07/06 15:27:51;  author: pav;  state: Exp;  lines: +2 -0
- Mark IGNORE for now

PR:		ports/68726
Submitted by:	Luiz Eduardo Roncato Cordeiro (maintainer)

v. 1.19
date: 2004/02/10 21:35:03;  author: linimon;  state: Exp;  lines: +1 -1
Update to 0.43:
C++ comments removed from chkproc.c.
New rootkits detected: AjaKit and zaRwT.
New CGI backdoors detected.
ifpromisc.c: better detection of promisc mode on newer Linux kernels.
New command line option (-n) to skip NFS mounted dirs.
Minor bug corrections.

PR:		ports/62577
Submitted by:	Luiz E. R. Cordeiro (maintainer)

v. 1.18
date: 2003/10/01 21:08:48;  author: krion;  state: Exp;  lines: +1 -1
- Update to version 0.42b

PR:		57477
Submitted by:	maintainer

v. 1.17
date: 2003/09/26 22:08:33;  author: edwin;  state: Exp;  lines: +3 -3
Update port: security/chkrootkit: upgrade to version 0.42
Version upgrade from 0.41 to 0.42.
It works on FreeBSD 2.2.X, 3.X, 4.X and 5.X.

PR:		ports/56757
Submitted by:	Luiz Eduardo Roncato Cordeiro

v. 1.16
date: 2003/09/04 13:03:05;  author: edwin;  state: Exp;  lines: +0 -4
Teach security/chkrootkit I finally got fed up with that FAQ about chkrootkit. The solution was either to add a Q+A to the FAQ or fix the port.
This introduces a new variable, FreeBSD5, that is set to "yes" if we're running FreeBSD 5 or higher. This variable is used to fix the tests of the following binaries, so they would DTRT on FreeBSD 5: chfn chsh date ls ps
I also fixed a bug in the checking of vdir, but it's irrelevant for FreeBSD.
Informed maintainer.

PR:		ports/55919
Submitted by:	Yonatan@xpert.com

v. 1.15
date: 2003/08/15 06:17:16;  author: kris;  state: Exp;  lines: +7 -1
Mark IGNORE on 5.x: chkrootkit reports false positives

Inspired by:	Yet another "have I been hacked" email on questions@

v. 1.14
date: 2003/06/25 16:40:08;  author: mich;  state: Exp;  lines: +1 -1
Update to 0.41

PR:		53675
Submitted by:	maintainer
Approved by:	roberto (mentor)

v. 1.13
date: 2003/04/09 08:22:12;  author: kevlo;  state: Exp;  lines: +6 -2
Update to 0.40

PR:		50722
Submitted by:	Michael L. Hostbaek

v. 1.12
date: 2003/02/21 13:26:42;  author: knu;  state: Exp;  lines: +1 -0
De-pkg-comment.

v. 1.11
date: 2003/02/02 13:40:13;  author: nork;  state: Exp;  lines: +1 -1
Update to 0.39a.

PR:		ports/47735
Submitted by:	Luiz Eduardo Roncato Cordeiro (maintainer)

v. 1.10
date: 2003/01/11 03:18:51;  author: pat;  state: Exp;  lines: +4 -2
Update to 0.38

PR:		ports/46952
Submitted by:	maintainer

v. 1.9
date: 2002/11/04 02:15:26;  author: edwin;  state: Exp;  lines: +4 -2
PERL -> REINPLACE

Noticed on:	bento

v. 1.8
date: 2002/10/25 20:48:02;  author: obraun;  state: Exp;  lines: +4 -3
Upgrade to 0.37.

PR:		44468
Submitted by:	maintainer

v. 1.7
date: 2002/06/18 23:49:07;  author: pat;  state: Exp;  lines: +6 -3
Update to 0.36

PR:		ports/39475
Submitted by:	maintainer

v. 1.6
date: 2002/02/01 04:06:34;  author: pat;  state: Exp;  lines: +2 -2
Update to 0.35

PR:		34485
Submitted by:	maintainer

v. 1.5
date: 2001/09/22 06:44:04;  author: sf;  state: Exp;  lines: +3 -3
update to 0.34.

PR:		30709
Submitted by:	maintainer

v. 1.4
date: 2001/05/11 14:34:07;  author: kevlo;  state: Exp;  lines: +2 -2
Update to 0.32

PR:		27257
Submitted by:	MAINTAINER

v. 1.3
date: 2001/04/17 12:13:08;  author: roam;  state: Exp;  lines: +13 -12
Update to 0.31, lots of cleanup, add NOPORTDOCS handling.

PR:		26643
Submitted by:	maintainer

v. 1.2
date: 2001/04/17 05:56:57;  author: will;  state: Exp;  lines: +1 -2
Fix checksum problem on bento by updating to 0.31. Also start using the versioned distfiles since they are available.

v. 1.1
date: 2001/04/07 00:48:49;  author: will;  state: Exp;
Add chkrootkit 0.30, a tool to locally check for signs of a rootkit.

PR:		26115
Submitted by:	Luiz Eduardo R. Cordeiro


