chkrootkit
chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit: shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. ifpromisc.c checks whether the interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.
| Tags | Security |
|---|---|
| Licenses | Freeware |
| Operating Systems | POSIX Solaris Linux BSD OpenBSD FreeBSD |
Recent releases
- 21 Apr 2008 07:30
Release Notes: New tests were added for common SSH brute force scanners and suspicious PHP files. The tests for login, netstat, top, and backdoor were enhanced. Some minor bugs were fixed.
- 07 Apr 2005 05:01
Release Notes: A chkutmp.c program that displays users that may have wiped themselves from the utmp log was added. chkproc.c now has better support for Linux threads. A new chkutmp test was added to chkrootkit, and Fu, Kenga3, and ESRK can now be detected.
- 05 Nov 2004 21:18
No changes have been submitted for this release.
- 09 Apr 2004 10:27
Release Notes: C++ comments have been removed from chkproc.c. New rootkits detected: AjaKit and zaRwT. New CGI backdoors are detected. ifpromisc.c has better detection of promiscuous mode on newer Linux kernels. There is a new command line option (-n) to skip NFS-mounted directories. There are minor bug corrections.
- 23 Jun 2003 15:02
Release Notes: There is a fix for NPTL threading mechanisms, minor corrections, chkrootkit, a new test (vdir), detection of the worms 55808.A and TC2, and detection of the rootkits Volc, Gold2, Anonoying, Suckit (improved), and ZK (improved).
Recent comments
is there an english version of the home page ::: www.chkrootkit.org/ or another online documentation page
cpanel cgi-sys folder for back door checks
chkrootkit does not include /usr/local/cpanel/cgi-sys
while checking for back door cgi's
We need to edit chkrootkit
line 708
from
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
to
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin /usr/local/cpanel/cgi-sys \
live
28 Dec 2001 12:58
Heartbeat
- Popularity Score
- 926.75
- Vitality Score
- 5.19
- Subscriptions
- 337
