chkrootkit

chkrootkit is a shell script, plus a few small C helpers (chkproc, chklastlog, chkwtmp, ifpromisc), that searches a system for traces of known rootkits: trojaned versions of system binaries such as login, ls, ps and netstat, processes hidden from ps, interfaces left in promiscuous mode by a sniffer, and entries deleted from lastlog and wtmp. It is a signature-based, host-based intrusion detection tool, so it only recognizes rootkits it already knows about, and it runs the system's own ps, ls, netstat and similar commands unless told otherwise (the -p option points it at a directory of trusted copies). It should be used in conjunction with a file-integrity checker such as FCheck or Tripwire rather than as the only host-based intrusion detection.

Here are chkrootkit 0.40 RPMs I created for Red Hat Linux 9:
http://brandonhutchinson.com/chkrootkit-0.40-1.src.rpm
http://brandonhutchinson.com/chkrootkit-0.40-1-i386.rpm

If you install the chkrootkit RPM, make sure to add a crontab entry (such as the one below) to run chkrootkit at a regular time interval.

Here are steps used to manually install chkrootkit on a Linux system:

1. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
2. tar zxvf chkrootkit.tar.gz
3. cd chkrootkit-version_number
4. make
5. Copy chkrootkit and its helper executables into /usr/local/bin (the helpers must stay in the same directory as the chkrootkit script, which looks for them relative to the current directory):
find . -type f -perm +001 -exec cp {} /usr/local/bin \;
(Current GNU find has dropped the -perm +mode syntax; use -perm /001 there.)

Next, create a root crontab entry to run chkrootkit daily. The entry changes into /usr/local/bin first because chkrootkit expects its helper programs in the current directory; the backslashes before % are needed because an unescaped % is treated as a newline by cron.

0 3 * * * (cd /usr/local/bin; ./chkrootkit 2>&1 | /bin/mail -s "`/bin/hostname` chkrootkit output for `/bin/date +\%m`-`/bin/date +\%d`-`/bin/date +\%y`" root)
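The crontab entry above mails the full chkrootkit report every night, whether or not anything was found, and it trusts whatever ps, ls and netstat are in /usr/local/bin or $PATH on the host being checked. The following wrapper is an added example, not code from the original page or from the chkrootkit project: it runs chkrootkit against a directory of trusted binaries via -p, keeps only the lines that report a finding, drops known-benign lines listed in an ignore file, and mails root only when the set of findings differs from the previous run. The paths /usr/local/bin, /mnt/trusted/bin and /var/lib/chkrootkit-wrapper, the ignore-file mechanism and the output strings it greps for (INFECTED, Warning, PACKET SNIFFER, PROMISC) are assumptions for the example; check them against the output of the chkrootkit version you install.

```shell
#!/bin/sh
# Added example (not from the original page or the chkrootkit project):
# a cron wrapper for chkrootkit that reports changes in findings only.
# Assumptions (not from the page): chkrootkit and its helpers live in
# /usr/local/bin, trusted copies of the commands it shells out to (ps, ls,
# netstat, strings, ...) were copied to /mnt/trusted/bin at install time,
# and state is kept under /var/lib/chkrootkit-wrapper.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/bin}"
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/trusted/bin}"
STATE_DIR="${STATE_DIR:-/var/lib/chkrootkit-wrapper}"
MAILTO="${MAILTO:-root}"

# Keep only the lines a human needs to act on. The strings are what
# chkrootkit and its helpers print for positive or suspicious results
# ("INFECTED" for a signature match, "Warning" from chkproc/chkwtmp,
# "PACKET SNIFFER"/"PROMISC" from ifpromisc); extend the list if your
# version reports findings differently. Reads stdin, writes stdout.
filter_findings() {
    grep -E 'INFECTED|Warning|PACKET SNIFFER|PROMISC' || true
}

# Known-benign lines (e.g. a legitimate sniffer on a monitoring interface)
# can be listed one per line in the ignore file; exact matches are dropped.
apply_ignore() {
    ignore_file="$1"
    if [ -s "$ignore_file" ]; then
        grep -v -x -F -f "$ignore_file" || true
    else
        cat
    fi
}

# Compare the new findings with the previous run's so cron mail only
# arrives when something changed (or on the first run).
# Prints "changed" or "unchanged".
compare_with_previous() {
    previous="$1"
    current="$2"
    if [ -f "$previous" ] && cmp -s "$previous" "$current"; then
        echo unchanged
    else
        echo changed
    fi
}

run_scan() {
    mkdir -p "$STATE_DIR"
    current="$STATE_DIR/findings.new"
    previous="$STATE_DIR/findings.last"
    # -p makes chkrootkit use the trusted binaries instead of whatever is
    # in $PATH on a possibly compromised host. Quiet mode (-q) is avoided
    # on purpose: it strips the "Checking `name'..." prefix that says
    # which binary was flagged. sort makes the comparison order-independent.
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit -p "$TRUSTED_BIN" 2>&1 ) \
        | filter_findings | apply_ignore "$STATE_DIR/ignore" | sort > "$current"
    if [ "$(compare_with_previous "$previous" "$current")" = changed ]; then
        mail -s "$(hostname) chkrootkit findings changed $(date +%Y-%m-%d)" \
            "$MAILTO" < "$current"
        mv "$current" "$previous"
    else
        rm -f "$current"
    fi
}

# Only scan when invoked with "run", so the functions can be sourced
# and exercised separately.
case "${1:-}" in
    run) run_scan ;;
esac
```

Install the wrapper as, for example, /usr/local/sbin/chkrootkit-cron and replace the crontab entry with `0 3 * * * /usr/local/sbin/chkrootkit-cron run`; because the date is formatted inside the script rather than in the crontab line, no % escaping is needed. An empty findings file on the first run still produces one mail, which confirms the job is actually executing.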

For more information, check the chkrootkit homepage.


Last modified: 05/09/2003