Checking for Rootkits

One of the worst outcomes of a server getting hacked is not realizing there has been an intrusion. A savvy intruder can then leave hidden tools behind that capture authentication data, damage critical system files, and monitor or relay traffic through the compromised server, often without detection.

These threats often come in the form of rootkits.

While checking after the fact is probably not the best method, it is one way of keeping tabs on the integrity of your servers. The best practice is to have preventive tools in place: well-configured firewalls, difficult root passwords, and applications that prevent or alarm on binary and configuration file changes (such as Tripwire).

That said, when an administrator is concerned that something may be amiss on a system, a tool called chkrootkit, authored by Nelson Murilo and Klaus Steding-Jessen, can detect up to 56 different rootkits on numerous platform variants, including FreeBSD, Linux, Solaris, HP-UX and others.

It is amazingly easy to install: simply untar it in a directory of your choice on your server, su to root, and type 'make sense' within the chkrootkit directory. You can then execute './chkrootkit' as root and receive an onscreen report of the results. My preference is to let this run from time to time in cron and output the results to a file I can review when checking logs and performing general admin on my servers.
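The cron-driven setup described above, written out as an added example (this is not code from the post or from the chkrootkit project). It assumes chkrootkit was untarred into /usr/local/chkrootkit and that reports go under /var/log/chkrootkit; both paths are assumptions and can be overridden through environment variables. The summary step keeps only the lines chkrootkit flags as suspicious, so a busy admin can glance at the summary and open the full report only when something was flagged.

```shell
#!/bin/sh
# chkrootkit cron wrapper (added example; paths below are assumptions).
#
# Suggested crontab entry (runs nightly as root):
#   0 3 * * * /usr/local/sbin/chkrootkit-cron run
#
# Install path where 'make sense' was run, and where reports are written.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
REPORT_DIR="${REPORT_DIR:-/var/log/chkrootkit}"

# summarize_report FILE
#   Prints only the lines chkrootkit marks as positive ("INFECTED" for a
#   trojaned binary, "Warning:" for other suspicious findings).
#   Returns 1 when anything was flagged, 0 when the report is clean, so the
#   caller (or cron's mail) can act on the exit status.
summarize_report() {
    report="$1"
    # grep is case-sensitive, so "not infected" lines do not match INFECTED.
    flagged=$(grep -E 'INFECTED|Warning:' "$report")
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# run_scan
#   Runs ./chkrootkit from its own directory (it locates its helper binaries
#   relative to the cwd), stores the full timestamped report, and writes a
#   matching .summary file next to it. Exit status is that of summarize_report.
run_scan() {
    mkdir -p "$REPORT_DIR"
    chmod 700 "$REPORT_DIR"          # reports may reveal what an intruder hid
    stamp=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/chkrootkit-$stamp.log"
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit) > "$report" 2>&1
    summarize_report "$report" > "${report%.log}.summary"
}

# Only scan when explicitly asked, so the file can also be sourced for its
# functions (e.g. to re-summarize an old report by hand).
case "${1:-}" in
    run) run_scan ;;
esac
```

To review an old report later, source the script and call `summarize_report /var/log/chkrootkit/chkrootkit-<stamp>.log`; a non-zero exit status means the report contained at least one flagged line. Treat a flagged line as a reason to investigate from known-good media, since a compromised host's own tools cannot be trusted to report honestly.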


Category: open source Time: 2004-09-11
