Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software
Q. Most rootkits use the power of the kernel to hide themselves, they are only visible from within the kernel. How do I detect rootkits under CentOS or Debian Linux server?
A.. A rootkit is a program (or combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms "Administrator" access) of a computer system, without authorization by the system's owners and legitimate managers.
Detecting rootkits under Linux
You can try the following tools to detect Linux rootkits:
WARNING! These examples should run from Live CD (Linux Live Security CD) for the best result.Zeppoo Software
Zeppoo - Zeppoo allows you to detect rootkits on i386 and x86_64 architecture under Linux, by using /dev/kmem and /dev/mem. Moreover it can also detect hidden tasks, connections, corrupted symbols, system calls and so many other things. Download source code here
Chkrootkit Software
Chkrootkit - chkrootkit is a tool to locally check for signs of a rootkit. Type the following command to install chkrootkit
$ sudo apt-get install chkrootkit
Start looking for rootkits, enter:
$ sudo chkrootkit
Look for suspicious strings, enter:
$ sudo chkrootkit -x | less
You need to specify the path for the external commands used by chkrootkit such as awk, grep and others. Mount /mnt/safe using nfs in read-only mode and set /mnt/safe binaries PATH as trusted one, enter:
$ sudo chkrootkit -p /mnt/safe
rkhunter software
rkhunter - rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. Type the following command to install rkhunter:
$ sudo apt-get install rkhunter
The following command option tells rkhunter to perform various checks on the local system:
$ sudo rkhunter --check
The following command option causes rkhunter to check if there is a later version of any of its text data files:
$ sudo rkhunter --update
The following option tells rkhunter which directories to look in to find the various commands it requires:
$ sudo rkhunter --check --bindir /mnt/safe
Recommended readings:
- man pages - rkhunter and chkrootkit
- rkhunter Project home page
- chkrootkit Project home page
Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
Related Linux / UNIX FAQ:
- Linux Check The Health of Adaptec RAID array
- MySQL error 28 and solution
- How do I check and repair MS-DOS file systems under Linux?
- Troubleshoot Linux / UNIX bind dns server zone problems with named-checkzone tool
- How To Test Linux Operating System for IPv6 Networking Support
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Please do not use the comment form to ask for help / question. Ask your question on the excellent Linux tech support forum. Thank you very much for stopping by our site!
Tags: Chkrootkit, detecting rootkits, exploits, linux check root kits, linux kernel rootkit, linux rootkit, linux rootkit check, linux rootkit checker, linux rootkit detect, linux rootkit detection, linux rootkit detector, linux rootkit scanner, linux rootkits, rkhunter, rootkit for linux, rootkit hunter linux, suspicious strings ~ Last updated on: January 21, 2008



Recent Comments
Today ~ 2 Comments
Today ~ 37 Comments
Today ~ 46 Comments
Yesterday ~ 2 Comments
Yesterday ~ 9 Comments