2001-04-07 02:48:49 +02:00
|
|
|
Chkrootkit is a tool to locally check for signs of a rootkit. It
|
|
|
|
|
contains:
|
|
|
|
|
|
|
|
|
|
* chkrootkit: a shell script that checks system binaries for
|
|
|
|
|
rootkit modification.
|
2001-09-22 08:44:04 +02:00
|
|
|
|
2001-04-07 02:48:49 +02:00
|
|
|
* ifpromisc.c: checks if the network interface is in promiscuous
|
|
|
|
|
mode.
|
2001-09-22 08:44:04 +02:00
|
|
|
|
2001-04-07 02:48:49 +02:00
|
|
|
* chklastlog.c: checks for lastlog deletions.
|
2001-09-22 08:44:04 +02:00
|
|
|
|
2001-04-07 02:48:49 +02:00
|
|
|
* chkwtmp.c: checks for wtmp deletions.
|
2001-09-22 08:44:04 +02:00
|
|
|
|
|
|
|
|
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
|
|
|
|
|
|
|
|
|
|
* chkproc.c: checks for signs of LKM trojans.
|
2001-05-11 16:34:07 +02:00
|
|
|
|
|
|
|
|
The following rootkits, worms and LKMs are currently detected:
|
|
|
|
|
Solaris rootkit, FreeBSD rootkit, lrk3, lrk4, lrk5, lrk6, t0rn (and
|
|
|
|
|
t0rn v8), some lrk variants, Ambient's Rootkit for Linux (ARK), Ramen
|
|
|
|
|
Worm, rh[67]-shaper, RSHA, Romanian rootkit, RK17, Lion Worm, Adore
|
2001-09-22 08:44:04 +02:00
|
|
|
Worm, LPD Worm, kenny-rk, Adore LKM, ShitC Worm, Omega Worm, Wormkit
|
|
|
|
|
Worm, dsc-rootkit.
|
2001-04-07 02:48:49 +02:00
|
|
|
|
|
|
|
|
Nelson Murilo <nelson@pangeia.com.br>
|
|
|
|
|
|
2001-04-27 14:01:58 +02:00
|
|
|
WWW: http://www.chkrootkit.org/
|
