


SECURITY: ROOTKIT CHECKERS


A far bigger danger to your Linux system than viruses are rootkits. Most of them will be stopped from entering your system by a decent firewall, but a regular check is still strongly recommended.
Rootkits are self-hiding toolkits used by blackhats/crackers/scriptkiddies to stay out of the sysadmin's sight.

A rootkit scanner is a scanning tool that gives you about 99.9% assurance that you are clean of such nasty tools: it scans for rootkits, backdoors and local exploits.

There are two tools I recommend:

chkrootkit ( http://www.chkrootkit.org ) is an easy-to-use tool, included in many distros, either installed by default or available on the install CDs.
Simply, as root, running:
 
CODE
# chkrootkit

will do the job.

rkhunter ( http://www.rootkit.nl ) is a tool that does a bit more than just look for rootkits; it performs a system-wide check for vulnerable files and dependencies on your system:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
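To show what the "hash compare" and "wrong file permissions" checks boil down to, here is an added example script (not rkhunter's or chkrootkit's own code): it records a baseline of hash, mode and owner for every file under the given directories and later reports anything modified, re-permissioned or missing. It assumes GNU coreutils (sha256sum, stat -c) on Linux and uses SHA-256 instead of MD5; the baseline file belongs on read-only or removable media, for the same reason given in the quote below.

```shell
#!/bin/sh
# Added example in the spirit of rkhunter's hash compare and permission
# checks; not part of rkhunter. Assumes GNU coreutils (sha256sum, stat -c).
# Create the baseline on a known-clean system and keep it on read-only media.

# Record hash, mode and owner of every regular file under the given directories.
# Usage: make_baseline BASELINE_FILE DIR...
make_baseline() {
    baseline=$1; shift
    find "$@" -type f -print | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %U' "$f")
        printf '%s %s %s\n' "$sum" "$meta" "$f"
    done > "$baseline"
}

# Compare the current state against the baseline. Prints one line per
# deviation and returns 1 if any file changed content, mode/owner, or vanished.
# Usage: verify_baseline BASELINE_FILE
verify_baseline() {
    baseline=$1
    bad=0
    while read -r sum mode owner f; do
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; bad=1; continue
        fi
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$f"; bad=1
        fi
        curmeta=$(stat -c '%a %U' "$f")
        if [ "$curmeta" != "$mode $owner" ]; then
            printf 'PERMS    %s (expected %s %s, got %s)\n' \
                "$f" "$mode" "$owner" "$curmeta"; bad=1
        fi
    done < "$baseline"
    return $bad
}

# Example run (constructed): make_baseline /mnt/usb/baseline.txt /bin /sbin
#                            verify_baseline /mnt/usb/baseline.txt
```

A setuid bit added to a binary shows up as a PERMS line, a replaced binary as MODIFIED, which is exactly the class of change a rootkit leaves behind.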

The install file is available as a tarball and as an rpm and installs into /usr/local/bin; on some distros you additionally need "Perl-Digest-SHA1" for a successful install.

Running the program:
 
CODE
# rkhunter -c --createlogfile


Making rkhunter a cron job that runs daily and reports by mail to root is ultra simple; all you have to do is:
 
CODE
# rkhunter --cronjob


More info ? See the thread on the forum: http://forums.scotsnewsletter.com/index.ph...=ST&f=14&t=6506


Have FUN securing your system



Bruno



QUOTE = www.kanenas.net
ATTENTION !!! DO NOT install chkrootkit on your system and simply run it periodically. An attacker may simply find the installation and change it so that it doesn't detect his presence. Compile it and put it on removable or read-only media.



-- Apr 28 2004 ( Revised May 10 2006 ) --

