Install Chkrootkit on AlmaLinux 9 | Free Antivirus

In this guide, we will explore How To Install Chkrootkit on AlmaLinux 9. Chkrootkit is a free and open-source antivirus tool available on GitHub. This tool checks locally in the binary system of your machine and scans your Linux server for trojans. Chkrootkit is a shell script that checks system binaries for rootkit modification. This tool is used for scanning botnets, rootkits, malware, etc.

You can now proceed to the guide steps below on the Orcacore website to set up the Chkrootkit tool on AlmaLinux 9. This is a valuable method to Install Chkrootkit on AlmaLinux 9.

Steps To Install and Use Chkrootkit on AlmaLinux 9

To download Chkrootkit on AlmaLinux 9 and start using it, log in to your server as a root user and follow the steps below.

1. Install Chkrootkit on AlmaLinux 9

By default, chkrootkit packages aren’t available in the default AlmaLinux repository. First, you need to update your local package index with the following command:

dnf update -y

Then, install the required packages on AlmaLinux 9 with the following command:

dnf install wget gcc-c++ glibc -y

Download Chkrootkit

Next, you need to visit the chkrootkit downloads page and download the latest source tarball with the wget command:

wget -c ftp://chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

Here you need to check that the chkrootkit download has not been tampered with or damaged. For this, you can download the md5 hash file associated with your chkrootkit download using the following command:

wget ftp://chkrootkit.org/pub/seg/pac/chkrootkit.md5

Check the chkrootkit download:

md5sum -c chkrootkit.md5

At this point, you need to extract your chkrootkit downloaded file on AlmaLinux 9 with the command below:

tar -xvzf chkrootkit.tar.gz

Now you need to create a folder and move the extracted contents to the file:

mkdir /usr/local/chkrootkit

To check your chkrootkit file name you can use the ls command and use the command below to move it to your new folder:

mv chkrootkit-0.56/* /usr/local/chkrootkit

Switch to your chkrootkit directory on AlmaLinux 9:

cd /usr/local/chkrootkit

Then, run the make sense command:

make sense

When it is completed, you can start to scan the server.

2. How To Use Chkrootkit on AlmaLinux 9

At this point, you need to scan your AlmaLinux 9 server by running the chkrootkit:

/usr/local/chkrootkit/chkrootkit

To enable automatic scanning, you can automatically add a cron entry for running chkrootkit and send a scan report to your mail address. Create and add the following entries to /etc/cron.daily/chkrootkit.sh:

#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHROOTKIT Daily Run (ServerName)' your@email.com

These are some commonly used options of chkrootkit:

-h: Displays help information.
-d: Enables debug mode.
-q: Enables quiet mode, suppressing most output.
-r dir: Specifies the root directory to check.
-p dir1 dir2 ...: Specifies directories containing programs to check.
-x: Enables expert mode, showing more detailed information.
-n eth0: Specifies a network interface to check.
-l: Lists available tests.
-V: Displays the version number.

Conclusion

At this point, you have learned to Install Chkrootkit on AlmaLinux 9. Chkrootkit is used on AlmaLinux 9 to detect rootkits and hidden security threats. It scans system binaries and logs for signs of malicious activity. Understanding How To Install Chkrootkit on AlmaLinux 9 can significantly enhance your server security.

Hope you enjoy it. You may also like these articles:

Install Apache Maven on AlmaLinux 9

How To Install Redis on AlmaLinux 9

How To Set up Bind on AlmaLinux 9

FAQs

What is Chkrootkit?

Chkrootkit is a security tool that scans a Linux system for rootkits, hidden backdoors, and other malware.

How does Chkrootkit work?

It checks system binaries, logs, and hidden files for signs of known rootkits and suspicious activity.

Alternative Solutions for Rootkit Detection on AlmaLinux 9

While Chkrootkit is a useful tool, there are alternative methods for detecting rootkits and malware on AlmaLinux 9. These alternatives often provide different detection mechanisms and may be more suitable depending on your specific needs and environment. Here are two alternative solutions:

1. Using Rkhunter (Rootkit Hunter)

Rkhunter (Rootkit Hunter) is another popular open-source rootkit scanner for Linux systems. It offers a more comprehensive approach to rootkit detection compared to Chkrootkit. Rkhunter performs various checks, including:

MD5 hash comparison: Checks if system binaries have been modified.
File properties checks: Looks for suspicious file permissions and ownership.
Rootkit-specific tests: Scans for known rootkit signatures and techniques.
System command checks: Verifies the integrity of essential system commands.
Kernel module checks: Detects suspicious or malicious kernel modules.

Installation and Usage:

Rkhunter is available in the EPEL (Extra Packages for Enterprise Linux) repository. You can install it using the following steps:

Enable the EPEL repository:
```
dnf install epel-release -y
```
Install Rkhunter:
```
dnf install rkhunter -y
```
Update Rkhunter’s database: This is crucial to ensure Rkhunter has the latest signatures and checks.
```
rkhunter --update
```
Perform a system scan:
```
rkhunter --checkall
```
Rkhunter will output detailed information about its findings. Pay close attention to any warnings or suspicious entries.
Review the log file: Rkhunter creates a log file with the scan results. You can find it at /var/log/rkhunter.log.
```
less /var/log/rkhunter.log
```

Advantages of Rkhunter:

More comprehensive checks than Chkrootkit.
Database updates ensure detection of newer threats.
Detailed logging for analysis.

Disadvantages of Rkhunter:

Can produce false positives, requiring careful analysis of the results.
Requires regular updates to remain effective.

2. Utilizing AIDE (Advanced Intrusion Detection Environment)

AIDE is a file integrity monitoring tool that can be used to detect unauthorized changes to system files. Unlike Chkrootkit and Rkhunter, which actively scan for rootkits, AIDE works by creating a database of file attributes (e.g., checksums, permissions, ownership) and then periodically comparing the current file attributes against the database. Any discrepancies indicate that a file has been modified.

Installation and Usage:

Install AIDE:
```
dnf install aide -y
```
Initialize the AIDE database: This creates the initial snapshot of your system.
```
aide --init
```

Copy the database to the configuration directory:

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a check to detect changes:
```
aide --check
```
AIDE will report any changes found. You should carefully review these changes to determine if they are legitimate or indicate a compromise.
Update the database if legitimate changes are found: If you’ve made legitimate changes to your system (e.g., installed new software), you need to update the AIDE database to reflect these changes.
```
aide --update
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```

Advantages of AIDE:

Provides proactive detection of unauthorized changes.
Can detect changes that rootkits might try to hide.
Relatively low resource usage compared to active scanning.

Disadvantages of AIDE:

Requires careful initial configuration and database maintenance.
Doesn’t identify the specific rootkit or malware responsible for the changes, only that changes have occurred.
Dependent on the integrity of the initial database; if the database is compromised, AIDE will be ineffective.

Choosing the Right Tool:

The best tool for rootkit detection depends on your specific needs and resources. Chkrootkit is a quick and easy option for basic scanning. Rkhunter provides more comprehensive checks but can produce false positives. AIDE offers proactive detection of unauthorized changes but requires careful configuration and maintenance. In many cases, using a combination of these tools can provide the most robust security posture. Regular security audits and updates are also crucial for maintaining a secure AlmaLinux 9 system.