Chkrootkit – Locally Checks for Signs of Rootkit

Chkrootkit is a tool that lets a user check a system for rootkits. Rootkits are malicious applications designed to covertly penetrate a server and disguise themselves as normal processes or programs in order to gain full access to the system.


The chkrootkit shell script is designed to help system administrators check the system for known rootkits. The developers wrote it as a shell script to make it usable on all systems.

The tool consists of the following modules:

  • chkrootkit: shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.
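As an added illustration of what the wtmp/utmp checkers in the list above look for (this is example code written for this page, not chkrootkit's own source), the script below parses wtmp records and flags entries that have been zeroed out in place between genuine logins, the trace left by a log cleaner that overwrites records rather than truncating the file. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte records); the sample data is constructed inline.

```python
import struct
import sys

# glibc struct utmp layout on x86_64 Linux: 384 bytes per record.
# Assumption: this layout; other libcs and architectures differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record (used here only to build constructed sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield (index, ut_type, pid, line, user, host, tv_sec) for every record."""
    clean = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    for idx in range(len(data) // UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE])
        yield idx, f[0], f[1], clean(f[2]), clean(f[4]), clean(f[5]), f[9]


def find_wiped_records(data):
    """Return indices of all-zero records that sit between real records.
    A genuine wtmp never contains such holes; a wiper that zeroes an
    intruder's login entry instead of compacting the file leaves one."""
    records = list(parse_wtmp(data))
    valid = [i for i, t, *_ in records if t != 0]
    if not valid:
        return []
    first, last = valid[0], valid[-1]
    return [i for i, t, pid, line, user, host, tv in records
            if first < i < last and t == 0 and tv == 0 and not user]


# Constructed sample: two real logins with a zeroed record between them.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1700000000)
    + bytes(UTMP_SIZE)
    + make_record(USER_PROCESS, 1340, "pts/1", "bob", "10.0.0.6", 1700003600)
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp"
    with open(path, "rb") as fh:
        wiped = find_wiped_records(fh.read())
    print("wiped wtmp records:", wiped or "none found")
```

Run it against a copy of /var/log/wtmp taken before the host is touched further; a non-empty result is a reason to treat the login history as tampered and corroborate it with other sources.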

There are symptoms that usually make a system administrator suspect that malware or a rootkit is running on the system, such as a suspicious connection to an untrusted domain, spikes in network traffic to an external IP, an email account sending spam messages, changed iptables firewall rules, and more. Scanning the system with an antivirus tool will be required, and the system may need to be reinstalled if malware is detected.

You can read more and download this tool over here: http://www.chkrootkit.org/
