chkrootkit is a tool to locally check for signs of a rootkit. It contains chkrootkit, a shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. ifpromisc.c checks whether the interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.
| Field | Value |
|---|---|
| Tags | Security |
| Licenses | Freeware |
| Operating Systems | POSIX, Solaris, Linux, BSD, OpenBSD, FreeBSD |
Recent releases

Changes: New tests were added for common SSH brute force scanners and suspicious PHP files. The tests for login, netstat, top, and backdoor were enhanced. Some minor bugs were fixed.

Changes: A chkutmp.c program that displays users that may have wiped themselves from the utmp log was added. chkproc.c now has better support for Linux threads. A new chkutmp test was added to chkrootkit, and Fu, Kenga3, and ESRK can now be detected.

No changes have been submitted for this release.

Changes: C++ comments have been removed from chkproc.c. New rootkits detected: AjaKit and zaRwT. New CGI backdoors are detected. ifpromisc.c has better detection of promiscuous mode on newer Linux kernels. There is a new command line option (-n) to skip NFS-mounted directories. There are minor bug corrections.

Changes: There is a fix for NPTL threading mechanisms, minor corrections, a new chkrootkit test (vdir), detection of the worms 55808.A and TC2, and detection of the rootkits Volc, Gold2, Anonoying, Suckit (improved), and ZK (improved).
cpanel cgi-sys folder for back door checks
chkrootkit does not include /usr/local/cpanel/cgi-sys while checking for back door CGIs. We need to edit chkrootkit line 708 from

```sh
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
```

to

```sh
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin /usr/local/cpanel/cgi-sys \
```