user$ # Visit web site, download tar-ball, MD5 checksum, and gpg signature:
user$ links http://www.chkrootkit.org/
user$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
--01:44:08--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br[200.239.53.35]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 34,163 (unauthoritative)

100%[====================================================>] 34,163        7.31K/s    ETA 00:00

01:44:18 (7.27 KB/s) - `chkrootkit.tar.gz' saved [34,163]

user$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
--01:45:15--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
           => `chkrootkit.md5'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br[200.239.53.35]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.md5 ... done.
Length: 52 (unauthoritative)

100%[====================================================>] 52            --.--K/s

01:45:19 (2.74 KB/s) - `chkrootkit.md5' saved [52]

user$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz.sig
--01:45:44--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz.sig
           => `chkrootkit.tar.gz.sig'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br[200.239.53.35]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz.sig ... done.
Length: 65 (unauthoritative)

100%[====================================================>] 65            --.--K/s

01:45:51 (3.66 KB/s) - `chkrootkit.tar.gz.sig' saved [65]

user$
user$ # Verify tar-ball MD5 checksum:
user$ md5sum --check chkrootkit.md5
chkrootkit.tar.gz: OK
user$
user$ # Verify tar-ball GPG signature:
user$ # Note we need to fetch the indicated public key to verify the tar-ball.
user$ # The highlighted text below indicates a successful check:
user$ gpg chkrootkit.tar.gz.sig
gpg: /home/wpollock.com/wpollock/.gnupg: directory created
gpg: new configuration file `/home/wpollock.com/wpollock/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/wpollock.com/wpollock/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/wpollock.com/wpollock/.gnupg/secring.gpg' created
gpg: keyring `/home/wpollock.com/wpollock/.gnupg/pubring.gpg' created
gpg: Signature made Wed 01 Sep 2004 10:49:12 AM EDT using DSA key ID A0E92110
gpg: Can't check signature: public key not found
user$ gpg --keyserver pgp.mit.edu --recv-keys A0E92110
gpg: /home/wpollock.com/wpollock/.gnupg/trustdb.gpg: trustdb created
gpg: key A0E92110: public key "Nelson Murilo de Oliveira Rufino <nelson@pangeia.com.br>" imported
gpg: Total number processed: 1
gpg:               imported: 1
user$ gpg chkrootkit.tar.gz.sig
gpg: Signature made Wed 01 Sep 2004 10:49:12 AM EDT using DSA key ID A0E92110
gpg: Good signature from "Nelson Murilo de Oliveira Rufino <nelson@pangeia.com.br>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 75A5 F359 3633 EBC2 66A1 8AD3 5ED8 4BE4 A0E9 2110
user$
user$ # Now build the script:
user$ tar -zxf chkrootkit.tar.gz
user$ cd chkrootkit-0.44/
user$ less README
user$ make sense
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
user$
user$ # Now run it as root:
user$ su -c "./chkrootkit"
Password:
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
   . . . output truncated . . .
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
user$

user$ # So what happens if the package is corrupted?
user$ cd ..
user$ echo "oops" >> chkrootkit.tar.gz
user$
user$ md5sum --check chkrootkit.md5
chkrootkit.tar.gz: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
user$
user$ gpg chkrootkit.tar.gz.sig
gpg: Signature made Tue 22 Feb 2005 09:41:46 AM EST using DSA key ID A0E92110
gpg: BAD signature from "Nelson Murilo de Oliveira Rufino <nelson@pangeia.com.br>"
user$
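The checks typed by hand above, folded into one fail-closed shell wrapper, as an added example that is not part of the original session. It assumes GNU coreutils md5sum and GnuPG's gpg with --status-fd; the pinned fingerprint is the one gpg printed above, and the function and file names are the author's choices.

```shell
#!/bin/sh
# Added example: fail-closed verification of the chkrootkit download.
# Pinned primary key fingerprint, copied from the gpg output in the
# session above (spaces removed so it compares against gpg's status line).
CHKROOTKIT_FPR="75A5F3593633EBC266A18AD35ED84BE4A0E92110"

# check_md5 <md5 file>: 0 only if every listed file matches.
# md5sum exits non-zero on a mismatch, so the status propagates.
# Caveat: the .md5 file was fetched from the same server as the tarball,
# so this catches corruption in transit, not a tampered release.
check_md5() {
    md5sum --check --status "$1"
}

# check_sig <sig file> <tarball> <fingerprint>: 0 only if gpg reports a
# VALIDSIG made by the pinned key. "Good signature" alone is not enough:
# the session above shows gpg warning that the key is not certified, so
# the fingerprint is pinned instead of relying on the web of trust.
check_sig() {
    sig=$1; file=$2; want=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG: field 3 is the signing key, last field the primary key.
    printf '%s\n' "$status" | awk -v want="$want" \
        '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) {ok=1}
         END {exit !ok}'
}

# verify_release <tarball> <md5 file> <sig file>: both checks must pass.
verify_release() {
    check_md5 "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    check_sig "$3" "$1" "$CHKROOTKIT_FPR" \
        || { echo "no valid signature from pinned key: $1" >&2; return 1; }
    echo "verified: $1"
}

# demo_corruption: reproduces the "oops" experiment above offline with a
# constructed stand-in tarball. Returns 0 if the intact file passes and
# the appended-to file fails the checksum, as in the session.
demo_corruption() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for chkrootkit.tar.gz\n' > "$dir/chkrootkit.tar.gz"
    ( cd "$dir" && md5sum chkrootkit.tar.gz > chkrootkit.md5 ) || return 1
    ( cd "$dir" && check_md5 chkrootkit.md5 ) || return 1
    echo "oops" >> "$dir/chkrootkit.tar.gz"
    if ( cd "$dir" && check_md5 chkrootkit.md5 ); then return 1; fi
    rm -rf "$dir"
}
```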