The FreeBSD Ports Archive
FreeBSD security : chkrootkit
A tool to locally check for signs of a rootkit
Chkrootkit is a tool to locally check for signs of a rootkit.
-------------------------------------------------------------
It contains:
* chkrootkit: a shell script that checks system binaries for
rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous
mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
For an updated list of rootkits, worms and LKMs detected by
chkrootkit please visit: http://www.chkrootkit.org/
Nelson Murilo
Klaus Steding-Jessen
http://www.chkrootkit.org/
chkrootkit history
v. 1.27
date: 2006/11/24 22:58:31; author: miwi; state: Exp; lines: +22 -2
- Update to 0.47
PR: ports/105816
Submitted by: Luiz Eduardo Roncato Cordeiro (maintainer)
v. 1.26
date: 2006/05/13 04:15:00; author: edwin; state: Exp; lines: +0 -2
Remove USE_REINPLACE from all categories starting with S
v. 1.25
date: 2005/10/28 16:50:11; author: garga; state: Exp; lines: +1 -3
- Unbreak: Update to 0.46a
Approved by: maintainer
v. 1.24
date: 2005/10/28 12:07:35; author: garga; state: Exp; lines: +2 -0
chkproc sends a 25 signal to init causing a reboot after a 30s sleep
Mark it as BROKEN until the problem is fixed.
Submitted by: maintainer (by email)
v. 1.23
date: 2005/10/27 14:30:29; author: garga; state: Exp; lines: +1 -1
- Update to 0.46
Approved by: maintainer
v. 1.22
date: 2005/04/14 18:42:15; author: leeym; state: Exp; lines: +21 -10
- Update to chkrootkit version 0.45 [1]
- utilize PORTDOCS, DOCSDIR and PLIST_FILES
PR: [1] 79865
Submitted by: [1] Luiz Eduardo Roncato Cordeiro
v. 1.21
date: 2004/09/02 11:42:23; author: pav; state: Exp; lines: +1 -3
- Update to 0.44
PR: ports/71249
Submitted by: Luiz Eduardo Roncato Cordeiro (maintainer)
v. 1.20
date: 2004/07/06 15:27:51; author: pav; state: Exp; lines: +2 -0
- Mark IGNORE for now
PR: ports/68726
Submitted by: Luiz Eduardo Roncato Cordeiro (maintainer)
v. 1.19
date: 2004/02/10 21:35:03; author: linimon; state: Exp; lines: +1 -1
Update to 0.43:
C++ comments removed from chkproc.c. New rootkits detected: AjaKit
and zaRwT. New CGI backdoors detected. ifpromisc.c: better detection
of promisc mode on newer Linux kernels. New command line option
(-n) to skip NFS mounted dirs. Minor bug corrections.
PR: ports/62577
Submitted by: Luiz E. R. Cordeiro (maintainer)
v. 1.18
date: 2003/10/01 21:08:48; author: krion; state: Exp; lines: +1 -1
- Update to version 0.42b
PR: 57477
Submitted by: maintainer
v. 1.17
date: 2003/09/26 22:08:33; author: edwin; state: Exp; lines: +3 -3
Update port: security/chkrootkit: upgrade to version 0.42
Version upgrade from 0.41 to 0.42.
It works on FreeBSD 2.2.X, 3.X, 4.X and 5.X.
PR: ports/56757
Submitted by: Luiz Eduardo Roncato Cordeiro
v. 1.16
date: 2003/09/04 13:03:05; author: edwin; state: Exp; lines: +0 -4
Teach security/chkrootkit
I finally got fed up with that FAQ about chkrootkit. The
solution was either to add a Q+A to the FAQ or fix the port.
This introduces a new variable, FreeBSD5, that is set to
"yes" if we're running FreeBSD 5 or higher.
This variable is used to fix the tests of the following
binaries, so they would DTRT on FreeBSD 5: chfn chsh date
ls ps
I also fixed a bug in the checking of vdir, but it's irrelevant
for FreeBSD.
Informed maintainer.
PR: ports/55919
Submitted by: Yonatan@xpert.com
v. 1.15
date: 2003/08/15 06:17:16; author: kris; state: Exp; lines: +7 -1
Mark IGNORE on 5.x: chkrootkit reports false positives
Inspired by: Yet another "have I been hacked" email on questions@
v. 1.14
date: 2003/06/25 16:40:08; author: mich; state: Exp; lines: +1 -1
Update to 0.41
PR: 53675
Submitted by: maintainer
Approved by: roberto (mentor)
v. 1.13
date: 2003/04/09 08:22:12; author: kevlo; state: Exp; lines: +6 -2
Update to 0.40
PR: 50722
Submitted by: Michael L. Hostbaek
v. 1.12
date: 2003/02/21 13:26:42; author: knu; state: Exp; lines: +1 -0
De-pkg-comment.
v. 1.11
date: 2003/02/02 13:40:13; author: nork; state: Exp; lines: +1 -1
Update to 0.39a.
PR: ports/47735
Submitted by: Luiz Eduardo Roncato Cordeiro (maintainer)
v. 1.10
date: 2003/01/11 03:18:51; author: pat; state: Exp; lines: +4 -2
Update to 0.38
PR: ports/46952
Submitted by: maintainer
v. 1.9
date: 2002/11/04 02:15:26; author: edwin; state: Exp; lines: +4 -2
PERL -> REINPLACE
Noticed on: bento
v. 1.8
date: 2002/10/25 20:48:02; author: obraun; state: Exp; lines: +4 -3
Upgrade to 0.37.
PR: 44468
Submitted by: maintainer
v. 1.7
date: 2002/06/18 23:49:07; author: pat; state: Exp; lines: +6 -3
Update to 0.36
PR: ports/39475
Submitted by: maintainer
v. 1.6
date: 2002/02/01 04:06:34; author: pat; state: Exp; lines: +2 -2
Update to 0.35
PR: 34485
Submitted by: maintainer
v. 1.5
date: 2001/09/22 06:44:04; author: sf; state: Exp; lines: +3 -3
update to 0.34.
PR: 30709
Submitted by: maintainer
v. 1.4
date: 2001/05/11 14:34:07; author: kevlo; state: Exp; lines: +2 -2
Update to 0.32
PR: 27257
Submitted by: MAINTAINER
v. 1.3
date: 2001/04/17 12:13:08; author: roam; state: Exp; lines: +13 -12
Update to 0.31, lots of cleanup, add NOPORTDOCS handling.
PR: 26643
Submitted by: maintainer
v. 1.2
date: 2001/04/17 05:56:57; author: will; state: Exp; lines: +1 -2
Fix checksum problem on bento by updating to 0.31. Also start using the
versioned distfiles since they are available.
v. 1.1
date: 2001/04/07 00:48:49; author: will; state: Exp;
Add chkrootkit 0.30, a tool to locally check for signs of a rootkit.
PR: 26115
Submitted by: Luiz Eduardo R. Cordeiro
=============================================================================