
Thread: How do I scan my Linux system for rootkits, worms, trojans, etc.?

  1. #1
    rik (Old and Cranky Super Moderator)

    How do I scan my Linux system for rootkits, worms, trojans, etc.?

    http://www.howtoforge.com/faq/1_38_en.html


    Either with chkrootkit or with rkhunter.

    chkrootkit:

    Either install the package that comes with your distribution (on Debian you would run

    apt-get install chkrootkit

    ), or download the sources from www.chkrootkit.org and install manually:

    wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

    tar xvfz chkrootkit.tar.gz

    cd chkrootkit-<version>/

    make sense


    Afterwards, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:

    cd ..

    mv chkrootkit-<version>/ /usr/local/chkrootkit


    Now you can run chkrootkit manually:

    cd /usr/local/chkrootkit

    ./chkrootkit


    (if you installed a chkrootkit package coming with your distribution, your chkrootkit might be somewhere else).

    You can even run chkrootkit by a cron job and get the results emailed to you:

    Run

    crontab -e

    to create a cron job like this:

    0 3 * * * (cd /usr/local/chkrootkit && ./chkrootkit 2>&1 | mail -s "chkrootkit output my server" you@yourdomain.com)

    That would run chkrootkit every night at 3.00h.

    rkhunter:

    Download the latest rkhunter sources from www.rootkit.nl:

    wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

    tar xvfz rkhunter-1.2.7.tar.gz

    cd rkhunter/

    ./installer.sh


    This will install rkhunter to the directory /usr/local/rkhunter. Now run

    rkhunter --update

    to download the latest chkrootkit/trojan/worm signatures (you should do this regularly).

    Now you can scan your system for malware by running

    rkhunter -c
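
A filter for the nightly cron job above, as an added example that is not part of the original post or the FAQ it quotes: it mails only `INFECTED` lines that are not already in a reviewed baseline file, so an accepted false positive does not bury a new finding. The function names, the `--cron` argument, the script and baseline paths and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: mail only chkrootkit findings that are not in a reviewed baseline.
CHKROOTKIT_DIR=/usr/local/chkrootkit         # install path used in the post
BASELINE=/var/lib/chkrootkit-baseline.txt    # assumed path: one accepted finding per line
MAILTO=you@yourdomain.com                    # placeholder address from the post

# Constructed sample in chkrootkit's "Checking `name'... result" style.
sample_output() {
cat <<'EOF'
Checking `amd'... not found
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... not tested
Checking `sshd'... INFECTED
EOF
}

# Keep only positive results from stdin. chkrootkit writes INFECTED in upper
# case, so the case-sensitive match skips "not infected".
findings() {
    grep 'INFECTED' | sort -u
}

# Print findings from stdin that are absent from baseline file $1.
# Exit status: 0 = new findings printed, 1 = nothing new.
new_findings() {
    baseline=${1:-/dev/null}
    [ -r "$baseline" ] || baseline=/dev/null    # no baseline yet: report everything
    findings | grep -Fxv -f "$baseline"
}

# Cron entry point: a scan that cannot start is reported, not treated as clean.
scan_and_mail() {
    if ! cd "$CHKROOTKIT_DIR" || [ ! -x ./chkrootkit ]; then
        echo "cannot run $CHKROOTKIT_DIR/chkrootkit" | mail -s "chkrootkit did not run" "$MAILTO"
        return 2
    fi
    if report=$(./chkrootkit 2>&1 | new_findings "$BASELINE"); then
        printf '%s\n' "$report" | mail -s "chkrootkit: new findings" "$MAILTO"
    fi
}

case "${1:-}" in
    --cron) scan_and_mail ;;   # e.g. 0 3 * * * /usr/local/sbin/chkrootkit-new.sh --cron
esac
```

After investigating a finding and deciding it is a false positive, append its exact output line to the baseline file; anything not listed there is mailed again on the next run.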

  2. #2
    Big Booger (Super Moderator)

    The question is do you really need to? Maybe.

  3. #3
    rik (Old and Cranky Super Moderator)

    I think the danger isn't necessarily to the Linux box itself, but in its ability to become infected and possibly pass that on. Zombies and such, ya know... Always gotta have a good firewall at the very least.

  4. #4
    adeydas (Banned)

    lokkit is also a good firewall and can be customised a lot. Clam AV can be a good antivirus!!! Just do a sudo about it.
