Setting up rootkit detection (chkrootkit)



●Prerequisites

 You first need to carry out "RPMforge EPEL Remi リポジトリインストール" (installing the RPMforge, EPEL and Remi repositories).
 To avoid package conflicts, note that you may then need to set the repositories you changed to "enabled = 1" back to "enabled = 0".
 On CentOS 7 the package could not be installed even with EPEL configured; in that case use the RPM from Sourceforge.
 As of February 2017 the latest version of chkrootkit ("locally checks for signs of a rootkit") is 0.51.

●Installing chkrootkit
※Using EPEL
# yum -y install chkrootkit
※If the above cannot be installed
# yum -y install http://downloads.sourceforge.net/project/sys-integrity-mgmt-platform/yum/el/7/ext/x86_64/chkrootkit-0.50-4el7.x86_64.rpm
 Note that this RPM comes from a third-party SourceForge project rather than from a CentOS or EPEL repository. Since the tool runs as root and you will trust its verdicts, check where the package comes from and its signature (rpm -K) before installing it.

●Running chkrootkit
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/ocf/resource.d/heartbeat/.ocf-binaries
    \ /usr/lib/ocf/resource.d/heartbeat/.ocf-shellfuncs
    \ /usr/lib/ocf/resource.d/heartbeat/.ocf-returncodes
    \ /usr/lib/ocf/resource.d/heartbeat/.ocf-directories
    \ /usr/lib/.libssl.so.10.hmac
    \ /usr/lib/.libssl.so.1.0.0.hmac
    \ /usr/lib/.libcrypto.so.1.0.0.hmac
    \ /usr/lib/.libcrypto.so.10.hmac
    \ /usr/lib/.libssl.so.6.hmac
    \ /usr/lib/.libssl.so.0.9.8e.hmac
    \ /usr/lib/.libcrypto.so.6.hmac
    \ /usr/lib/.libcrypto.so.0.9.8e.hmac
    \ /lib/.libfipscheck.so.1.1.0.hmac
    \ /lib/.libgcrypt.so.11.hmac
    \ /lib/.libcryptsetup.so.1.1.0.hmac
    \ /lib/.libcryptsetup.so.1.hmac
    \ /lib/.libfipscheck.so.1.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         2866 tty1   /usr/bin/Xorg :0 -nr -verbose -audit 4
    \ -auth /var/run/gdm/auth-for-gdm-X4JWrf/database -nolisten tcp vt1
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
 The dot files listed under "Searching for suspicious files and dirs" above are flagged only because they are hidden files in library directories: the .hmac files are the FIPS integrity-check files shipped with the CentOS OpenSSL, libgcrypt, fipscheck and cryptsetup packages, and the .ocf-* files are helper scripts of the heartbeat OCF resource agents. `rpm -qf <file>` shows which package owns each one.
# chkrootkit | grep "INFECTED" ← extract only the INFECTED lines
# ← if nothing is printed, there is no problem
 Note that the lkm check reports a hidden process as "chkproc: Warning: Possible LKM Trojan installed" without the word INFECTED, so that grep will miss it; use grep -E "INFECTED|Warning" to catch it as well.


●Running chkrootkit periodically

 Create a script that runs chkrootkit regularly. The script below sends a mail whether or not anything was detected, so I used the script given in "rootkit検知ツール導入(chkrootkit)" instead.
※Previous script
# vi /etc/cron.daily/chkrootkit
#!/bin/sh
# /usr/sbin is included because the EPEL package installs chkrootkit there
PATH=/usr/sbin:/usr/bin:/bin
chkrootkit | grep "INFECTED" | mail -s "chkrootkit `hostname` `date +%Y-%m-%d`" root > /dev/null
# chmod +x /etc/cron.daily/chkrootkit
※Script from the linked page (save it as /etc/cron.daily/chkrootkit and chmod +x it in the same way)
#!/bin/bash
PATH=/usr/sbin:/sbin:/usr/bin:/bin
# Run chkrootkit and keep the full report
chkrootkit > /var/log/chkrootkit.log 2>&1
# Handle the bindshell false positive for SMTPS (port 465):
# keep the hit only if the process listening on 465 is actually called bindshell
TMPLOG=`mktemp`
grep INFECTED /var/log/chkrootkit.log > "$TMPLOG"
if [ ! -z "$(grep 465 "$TMPLOG")" ]; then
    if [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
        sed -i '/465/d' "$TMPLOG"
    fi
fi
# Handle the Suckit false positive after an upstart package update:
# drop the hit only if the package that owns /sbin/init verifies clean
if [ ! -z "$(grep Suckit "$TMPLOG")" ] && \
   [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
        sed -i '/Suckit/d' "$TMPLOG"
fi
# Mail root only if INFECTED lines remain
if [ -s "$TMPLOG" ]; then
    cat "$TMPLOG" | mail -s "chkrootkit report in `hostname`" root
fi
rm -f "$TMPLOG"

 Note that the port 465 handling only asks whether the listener's command name is "bindshell"; a bind shell can call itself anything, so it is more reliable to check which command and package own the listener, as done in the bindshell section below.
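 The following is an added example (my own code, not chkrootkit's and not the script from the linked page) that does the same filtering by parsing the report instead of grepping and deleting lines: it turns INFECTED, hidden-process and Warning lines into structured findings, then drops a bindshell hit only when every process listening on the reported port is a daemon you expect there, checked against the output of `lsof -nP -iTCP:465 -sTCP:LISTEN`. The report and lsof text are constructed from the lines shown on this page; the EXPECTED_LISTENERS policy (Postfix `master` on 465) is an assumption to adapt to your host.

```python
"""Parse a chkrootkit report and drop known-benign hits before alerting.

Added example, not chkrootkit code. The sample texts below are constructed
from the lines shown on this page; EXPECTED_LISTENERS is an assumed policy.
"""
import re

# Constructed sample: the interesting lines of the run shown on this page.
SAMPLE_REPORT = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... find: '/proc/30973': No such file or directory
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `wted'... chkwtmp: nothing deleted
"""

# Constructed sample: `lsof -nP -iTCP:465 -sTCP:LISTEN` on the same host
# (the page shows the same listener with the service name resolved: *:urd).
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  2839 root   23u  IPv4  29569      0t0  TCP *:465 (LISTEN)
master  2839 root   24u  IPv6  29570      0t0  TCP *:465 (LISTEN)
"""

# Assumed policy: a bindshell hit on a port is benign only if every listener
# on that port is one of these command names.
EXPECTED_LISTENERS = {465: {"master"}}   # Postfix master on smtps

INFECTED_RE = re.compile(r"^Checking `(?P<check>[^']+)'\.\.\. INFECTED(?P<detail>.*)$")
PORTS_RE = re.compile(r"PORTS:\s*([\d\s]+)")
HIDDEN_RE = re.compile(r"You have\s+(\d+) process(?:es)? hidden for (\w+) command")


def parse_report(text):
    """Turn chkrootkit output into a list of finding dicts (kind, check, detail, ...)."""
    findings = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            finding = {"kind": "INFECTED", "check": m.group("check"),
                       "detail": m.group("detail").strip()}
            pm = PORTS_RE.search(line)
            if pm:                      # bindshell reports "(PORTS:  465 ...)"
                finding["ports"] = [int(p) for p in pm.group(1).split()]
            findings.append(finding)
            continue
        m = HIDDEN_RE.search(line)
        if m:                           # chkproc: /proc has a PID that ps does not list
            findings.append({"kind": "HIDDEN_PROCESS", "check": "lkm",
                             "detail": line.strip(), "count": int(m.group(1))})
        elif "Warning:" in line:        # e.g. "chkproc: Warning: Possible LKM Trojan installed"
            findings.append({"kind": "WARNING", "check": line.split(":", 1)[0].strip(),
                             "detail": line.strip()})
    return findings


def listeners_on_port(lsof_text, port):
    """Set of (command, pid) listening on `port`, parsed from `lsof -nP` output."""
    owners = set()
    for line in lsof_text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 9 or "(LISTEN)" not in line:
            continue
        if fields[8].rsplit(":", 1)[-1] == str(port):   # NAME is e.g. *:465
            owners.add((fields[0], int(fields[1])))
    return owners


def filter_findings(findings, lsof_text, expected=EXPECTED_LISTENERS):
    """Drop bindshell hits whose ports are fully explained by expected daemons.

    A port with no listener at all is kept: the listener may have been
    transient, which is exactly what a bind shell started on demand looks like.
    """
    kept = []
    for finding in findings:
        if finding["kind"] == "INFECTED" and finding["check"] == "bindshell":
            unexplained = []
            for port in finding.get("ports", []):
                owners = listeners_on_port(lsof_text, port)
                commands = {cmd for cmd, _pid in owners}
                if not owners or not commands <= expected.get(port, set()):
                    unexplained.append(port)
            if not unexplained:
                continue                # every port accounted for: suppress the hit
            finding = dict(finding, ports=unexplained)
        kept.append(finding)
    return kept


def format_alert(findings):
    """One line per finding, suitable as the body of the root mail."""
    return "\n".join(f"[{f['kind']}] {f['check']}: {f['detail']}" for f in findings)


if __name__ == "__main__":
    remaining = filter_findings(parse_report(SAMPLE_REPORT), SAMPLE_LSOF)
    print(format_alert(remaining) or "nothing to report")
```

 In a cron job you would feed it the real data: the contents of /var/log/chkrootkit.log for parse_report(), the captured output of lsof for filter_findings(), and mail whatever format_alert() returns when the list is not empty. On the sample above the bindshell hit is suppressed because the only listener on 465 is `master`, while the hidden-process and Warning lines are still reported.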

●PAM unable to dlopen(/lib/security/pam_stack.so)

 While checking /var/log/secure for something else I found errors like the following. (In this packaging chkrootkit is started through userhelper with root privileges, which is why it has its own PAM service file, /etc/pam.d/chkrootkit.)
Jun  5 03:16:14 nezumi userhelper[1637]: PAM unable to dlopen(/lib/security/pam_stack.so): /lib/security/pam_stack.so: cannot open shared object file: No such file or directory
Jun  5 03:16:14 nezumi userhelper[1637]: PAM adding faulty module: /lib/security/pam_stack.so
Jun  5 03:16:14 nezumi userhelper[1637]: pam_timestamp(chkrootkit:session): updated timestamp file `/var/run/sudo/root/unknown'
Jun  5 03:16:14 nezumi userhelper[1642]: running '/usr/lib/chkrootkit-0.49/chkrootkit.sh ' with root privileges on behalf of 'root'
Jun  6 03:15:16 nezumi userhelper[12081]: PAM unable to dlopen(/lib/security/pam_stack.so): /lib/security/pam_stack.so: cannot open shared object file: No such file or directory
Jun  6 03:15:16 nezumi userhelper[12081]: PAM adding faulty module: /lib/security/pam_stack.so
Jun  6 03:15:16 nezumi userhelper[12081]: pam_timestamp(chkrootkit:session): updated timestamp file `/var/run/sudo/root/unknown'
Jun  6 03:15:16 nezumi userhelper[12086]: running '/usr/lib/chkrootkit-0.49/chkrootkit.sh ' with root privileges on behalf of 'root'
Jun  7 03:08:11 nezumi userhelper[14261]: PAM unable to dlopen(/lib/security/pam_stack.so): /lib/security/pam_stack.so: cannot open shared object file: No such file or directory
Jun  7 03:08:11 nezumi userhelper[14261]: PAM adding faulty module: /lib/security/pam_stack.so
Jun  7 03:08:11 nezumi userhelper[14261]: pam_timestamp(chkrootkit:session): updated timestamp file `/var/run/sudo/root/unknown'
Jun  7 03:08:11 nezumi userhelper[14266]: running '/usr/lib/chkrootkit-0.49/chkrootkit.sh ' with root privileges on behalf of 'root'
 Apparently /lib/security/pam_stack.so does not exist. Checking:
# ls -l /lib/security/pam_stack.so
ls: cannot access /lib/security/pam_stack.so: No such file or directory
 It is indeed missing.
 A web search shows that pam_stack.so is no longer used since a PAM version upgrade; the `include` directive replaced it. Rewrite /etc/pam.d/chkrootkit as follows.
auth       required	pam_stack.so service=system-auth
  ↓
auth       include      system-auth
# vi /etc/pam.d/chkrootkit
Confirm the change with diff
# diff /etc/pam.d/chkrootkit.20120608 /etc/pam.d/chkrootkit
4c4
< auth       required	pam_stack.so service=system-auth
---
> auth       include      system-auth
●chkproc: Warning: Possible LKM Trojan installed

 Running chkrootkit produced the following warning.
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... find: ‘/proc/30973’: No such file or directory
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
 Let's run the chkproc command directly.
# /usr/lib64/chkrootkit-0.50/chkproc -v -v -p 3
  :
  :
 (省略)
  :
  :
CWD 29957: /home/centos
EXE 29957: /usr/lib64/firefox/firefox
CWD 29961: /home/centos
EXE 29961: /usr/lib64/firefox/firefox
CWD 30106: /home/centos
EXE 30106: /usr/lib64/firefox/firefox
CWD 30429: /usr/share/tomcat
EXE 30429: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/bin/java
CWD 30461: /home/centos
EXE 30461: /usr/bin/xfreerdp
CWD 30747: /home/centos
EXE 30747: /usr/lib64/firefox/firefox
CWD 30830: /home/centos
EXE 30830: /usr/lib64/firefox/firefox
CWD 30980: /usr/share/tomcat
EXE 30980: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/bin/java
CWD 31280: /home/centos
EXE 31280: /usr/lib64/firefox/firefox
CWD 31347: /home/centos
EXE 31347: /usr/lib64/firefox/firefox
CWD 31820: /home/centos
EXE 31820: /usr/lib64/firefox/firefox
CWD 32079: /home/centos
EXE 32079: /usr/lib64/firefox/firefox
CWD 32442: /home/centos
EXE 32442: /usr/lib64/firefox/firefox
CWD 32749: /home/centos
EXE 32749: /usr/lib64/firefox/firefox


 Let's look at the process and its threads.
# cd /proc/30973
-bash: cd: /proc/30973: No such file or directory
# ps -eLF | grep 30973
root      8853 26356  8853  0    1 28166   960   0 17:26 pts/2    00:00:00 grep --color=auto 30973
 The process no longer exists, so this is a false positive rather than an infection. chkproc probes /proc/<pid> for every PID and then compares the result with the output of ps; a short-lived process that exits between those two steps is present in /proc but absent from ps and is reported as "hidden". A real LKM rootkit looks different: the PID keeps existing in /proc while staying absent from ps across repeated runs, so re-run chkrootkit and re-check the reported PID before drawing a conclusion.
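 As an added example (my own code, not part of chkrootkit), the following re-checks a PID that chkproc reported as hidden, along the lines described above: it probes /proc/<pid> by path, the same way chkproc does, and compares that with what ps lists, so a PID that has simply exited is told apart from one that is present in /proc yet missing from ps, which is what an LKM rootkit hiding a process looks like. The build_fake_proc() fixture and the ps output passed in by the demo are constructed so the example runs offline; on a live host call triage([30973]) with the defaults.

```python
"""Triage a PID that chkproc reported as "hidden for ps command".

Added example for this page; it is not chkrootkit code. chkproc probes
/proc/<pid> directly for every PID and flags any that ps does not list.
A process that exits between the /proc probe and the ps run (PID 30973 on
this page) fails that test too, so a hit is re-checked here before being
treated as an LKM rootkit. build_fake_proc() is a constructed fixture.
"""
import os
import subprocess
import tempfile


def ps_pids(ps_output=None):
    """PIDs that ps can see. Runs `ps -e -o pid=` unless output is supplied."""
    if ps_output is None:
        ps_output = subprocess.run(["ps", "-e", "-o", "pid="],
                                   capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def in_proc(pid, proc_root="/proc"):
    """Probe /proc/<pid> by path, as chkproc does, rather than via readdir;
    a rootkit that only filters directory listings is still caught this way."""
    return os.path.isdir(os.path.join(proc_root, str(pid)))


def classify_pid(pid, visible, proc_root="/proc"):
    """Return how a suspect PID looks right now.

    visible  - in /proc and listed by ps: nothing to see
    gone     - in neither: it exited, the classic chkproc race (benign)
    hidden   - in /proc but not listed by ps: what an LKM rootkit looks like
    ps_only  - listed by ps but no /proc entry: stale snapshot, re-run
    """
    present, listed = in_proc(pid, proc_root), pid in visible
    if present and listed:
        return "visible"
    if not present and not listed:
        return "gone"
    return "hidden" if present else "ps_only"


def describe_pid(pid, proc_root="/proc"):
    """Best-effort exe/cwd/cmdline for a PID, like `chkproc -v -v` prints."""
    base = os.path.join(proc_root, str(pid))
    info = {}
    for key in ("exe", "cwd"):
        try:
            info[key] = os.readlink(os.path.join(base, key))
        except OSError:
            info[key] = None
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        info["cmdline"] = None
    return info


def triage(suspect_pids, proc_root="/proc", ps_output=None):
    """Classify each suspect PID; "hidden" is the only verdict that needs escalation."""
    visible = ps_pids(ps_output)
    return {pid: classify_pid(pid, visible, proc_root) for pid in suspect_pids}


def build_fake_proc(pids):
    """Constructed fixture: a temp dir with a /proc-like directory per PID."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid in pids:
        os.mkdir(os.path.join(root, str(pid)))
    return root


if __name__ == "__main__":
    # Offline demo: ps sees 100 and 300, the fake /proc has 100 and 200,
    # and 30973 (the PID from this page) is in neither, i.e. it has exited.
    root = build_fake_proc([100, 200])
    verdicts = triage([100, 200, 300, 30973], root, ps_output="100\n300\n")
    for pid, verdict in verdicts.items():
        print(pid, verdict)
    for pid, verdict in verdicts.items():
        if verdict == "hidden":
            print("escalate:", pid, describe_pid(pid, root))
```

 Only a "hidden" verdict that survives a second run deserves escalation; for it, describe_pid() gives the exe, cwd and cmdline to compare against the `rpm -qf` / `rpm -V` output of the package that should own that binary.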

 The bindshell check was also INFECTED, so let's look into that too.

 Reference URL: chkrootkit
# /usr/sbin/lsof -i tcp:465
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  2839 root   23u  IPv4  29569      0t0  TCP *:urd (LISTEN)
master  2839 root   24u  IPv6  29570      0t0  TCP *:urd (LISTEN)
# cat /etc/services|grep urd
urd             465/tcp         smtps   # URL Rendesvous Directory for SSM / SMTP over SSL (TLS)
 Port 465 is smtps and the listener is `master`, the Postfix master daemon (PID 2839), so this is a false positive rather than a bind shell. chkrootkit's bindshell check only looks at which of its watched ports are open, not at who owns them, so any legitimate daemon on one of those ports triggers it. To rule out a replaced binary, also verify the package that owns the listener: `rpm -V postfix`.