Recipe 9.12 Looking for Rootkits
9.12.1 Problem
You want to check for evidence that a rootkit (a set of programs an intruder
installs to conceal their presence and keep access to a compromised system)
has been run on your system.
9.12.2 Solution
Use chkrootkit. Download the tarball from http://www.chkrootkit.org and verify its
checksum against the value published there (a checksum fetched from the same
server as the tarball only guards against a corrupt download; if the site also
publishes a signature, check that too):
$ md5sum chkrootkit.tar.gz
unpack it:
$ tar xvzpf chkrootkit.tar.gz
build it:
$ cd chkrootkit-*
$ make sense
and run it as root:
# ./chkrootkit
More securely, run it with known-good copies of the commands it relies on,
which you have previously copied to read-only media such as a CD-ROM, e.g.:
# ./chkrootkit -p /mnt/cdrom
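The following shell helper is an added example, not chkrootkit's own code and not part of the original recipe. It automates the two checks above: it compares the downloaded tarball against the checksum file published beside it (assumed here to be in md5sum format and, for illustration, named chkrootkit.md5), and it confirms that the directory you intend to hand to -p really contains every command the recipe says chkrootkit needs, warning when a copy is dynamically linked. The tool list comes from the recipe text; the file and directory names in the example session are assumptions.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or of this recipe.
# Two checks to run before trusting chkrootkit's output:
#   1. the downloaded tarball matches the published checksum, and
#   2. the directory of known-good binaries you will pass with -p is complete.

# Commands the recipe says chkrootkit invokes; compare with the README of the
# version you actually run, since the list can change between releases.
CHKROOTKIT_TOOLS="awk cut egrep find head id ls netstat ps strings sed uname"

# verify_checksum TARBALL CHECKSUM_FILE
# CHECKSUM_FILE is assumed to be in md5sum's format ("<hex>  <name>"), as a
# .md5 file published beside the tarball would be. Returns 0 only on a match.
verify_checksum() {
    tarball=$1
    sumfile=$2
    name=$(basename "$tarball")
    # Pick the line for this file; strip the "*" md5sum uses for binary mode.
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "verify_checksum: no entry for $name in $sumfile" >&2
        return 2
    fi
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "verify_checksum: MISMATCH for $name (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# check_trusted_tools DIR
# Prints, one per line, every tool from CHKROOTKIT_TOOLS that is missing from
# DIR or not executable; returns 1 if anything is missing, 0 otherwise.
# Copies that are present but dynamically linked get a warning on stderr: they
# would still load the host's libc and ld.so, which an intruder may have replaced.
check_trusted_tools() {
    dir=$1
    missing=0
    for tool in $CHKROOTKIT_TOOLS; do
        if [ ! -x "$dir/$tool" ]; then
            echo "$tool"
            missing=1
        elif command -v file >/dev/null 2>&1 &&
             ! file "$dir/$tool" | grep -q 'statically linked'; then
            echo "warning: $dir/$tool is not statically linked" >&2
        fi
    done
    return $missing
}

# run_chkrootkit_trusted DIR
# Refuses to start chkrootkit unless DIR passes check_trusted_tools, then runs
# it with -p so the external commands come from DIR rather than the host's PATH.
# Must be run as root from the unpacked chkrootkit directory.
run_chkrootkit_trusted() {
    dir=$1
    if ! missing=$(check_trusted_tools "$dir"); then
        echo "refusing to run chkrootkit; missing from $dir:" $missing >&2
        return 1
    fi
    ./chkrootkit -p "$dir"
}

# Example session (file names and mount point are assumptions for illustration):
#   verify_checksum chkrootkit.tar.gz chkrootkit.md5 &&
#   tar xvzpf chkrootkit.tar.gz && cd chkrootkit-* && make sense &&
#   run_chkrootkit_trusted /mnt/cdrom
```

The run wrapper deliberately refuses to start when the trusted directory is incomplete: chkrootkit would otherwise fall back to the host's copies of the missing commands, silently undoing the point of -p.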
9.12.3 Discussion
chkrootkit tests for the presence of certain
rootkits, worms, and trojans on your system.
If you suspect you've been compromised, this is a good
first step toward confirmation and diagnosis.

chkrootkit invokes a handful of standard Linux
commands. At press time they are awk,
cut, egrep, find, head, id, ls, netstat,
ps, strings, sed, and uname. If any of these
programs has been replaced on your system,
chkrootkit's output cannot be trusted: a trojaned
ps or netstat simply hides the intruder's processes and
connections. So ideally you should keep a CD-ROM or
write-protected floppy disk with known-good copies of these
programs, and run chkrootkit with the -p option
so that it uses those copies instead of the ones in your PATH.
The copies should be statically linked; a dynamically linked
binary on the CD still loads the system's shared libraries and
dynamic loader, which an intruder may also have replaced. Bear in
mind, too, that a rootkit that modifies the kernel (for example,
through a loadable kernel module) can lie to every userspace
program, trusted binaries included; when in doubt, examine the disk
from a system booted off known-good media.

Be sure to use the latest version of chkrootkit,
which will be aware of the most recently discovered threats.
9.12.4 See Also
The README file included with
chkrootkit explains the tests conducted, and lists
the full usage information.