Looking for Root Kits with chkrootkit

If you're familiar with Windows systems, chances are you're also familiar with virus scanners (aka antivirus tools). These programs scan a Windows system, or sometimes just specific files or e-mail attachments, for the presence of viruses, worms, Trojans, and other unfriendly programs. The Windows virus scanner market is large and supports several major commercial programs. There are even a few virus scanners for Linux, such as F-Prot Antivirus for Linux (http://www.f-prot.com/products/). Such scanners typically scan Windows programs stored on a Linux system, or they scan incoming e-mail for worms that affect Windows. Viruses and worms that infect Linux systems are very rare, so there's very little market for a Linux scanner that looks for infected native Linux programs.

Although Linux viruses aren't common, Linux security is far from assured. Crackers can utilize root kits, which often leave traces behind. Detecting root kits is very much like detecting the leavings of a virus, and a tool to detect Linux root kits does exist: chkrootkit (http://www.chkrootkit.org). This program is available for many distributions, or you can download the source code and compile it yourself.

Tip: Because chkrootkit works by examining specific files for specific symptoms of specific root kits, it's vitally important that you run the latest version of the program. If you can't find a precompiled package for the latest version, you should definitely download the source code and compile it on your system.

Fortunately, chkrootkit is fairly easy to use—type its name, and the program scans your system and reports what it finds. With luck, this will be a series of not infected, nothing found, not found, and similar reassuring messages. If the program reports the presence of a root kit, though, you'll have to take action, as described in the next section, "What to Do in the Event of a Breach."
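As an added example (not from the book or the chkrootkit project), here is a small POSIX sh wrapper that triages a chkrootkit report: it treats the reassuring phrases the text lists ("not infected", "nothing found", "not found") as clean, and reports every other check line for a human to look at. The extra clean phrases ("nothing detected", "nothing deleted", "no suspect files"), the sample report, and the use of the tool's -p option for trusted copies of system commands are assumptions on my part, not taken from this page.

```shell
#!/bin/sh
# Added example: triage chkrootkit output. Sample lines below are constructed
# in chkrootkit's message style and are not real scan output.

# Classify one output line: prints "clean", "flagged" or "other".
classify_line() {
  case "$1" in
    *INFECTED*|*Warning*|*"PACKET SNIFFER"*) echo flagged ;;
    *"not infected"*|*"nothing found"*|*"not found"*|*"nothing detected"*|*"nothing deleted"*|*"no suspect files"*) echo clean ;;
    Checking*|Searching*) echo flagged ;;   # check line with unknown wording: review it rather than trust it
    *) echo other ;;                        # banners such as "ROOTDIR is ..."
  esac
}

# Read a whole report on stdin; print a one-line summary; exit 1 if anything was flagged.
triage_report() {
  clean=0; flagged=0
  while IFS= read -r line; do
    case "$(classify_line "$line")" in
      clean)   clean=$((clean + 1)) ;;
      flagged) flagged=$((flagged + 1)); printf 'REVIEW: %s\n' "$line" >&2 ;;
    esac
  done
  printf 'flagged=%d clean=%d\n' "$flagged" "$clean"
  [ "$flagged" -eq 0 ]
}

# Constructed sample report (assumption: mirrors chkrootkit's phrasing).
sample_report() {
  cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... not infected
Searching for suckit rootkit... nothing found
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[4242])
Checking `chkutmp'... chkutmp: nothing deleted
EOF
}

# Real use: point the freshly built tool at trusted copies of the commands it
# shells out to (its -p option), since a root kit may have replaced ps, ls and
# netstat on the suspect system:
#   chkrootkit -p /mnt/cdrom/bin 2>&1 | triage_report
```

Running `sample_report | triage_report` prints `flagged=2 clean=5` and exits non-zero, which makes the wrapper usable from cron or a monitoring job.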

