Protect against rootkits
This is how I checked for and protected against rootkits; it is not necessarily how I would recommend that anyone else do so.
Rootkits are a real problem in the Linux world. Unlike a typical virus, a rootkit is built to hide itself (by replacing system binaries or hooking the kernel), so you are much more likely to be infected without realising that you have a problem at all. The purpose of this document is twofold:
Before proceeding, please read the Wikipedia page on rootkits.
I suggest you visit the rkhunter website at:
$ sudo apt-get install rkhunter
$ sudo rkhunter --update          # fetch the current test data files
$ sudo rkhunter --propupd         # record file properties; only on a system you believe is still clean
$ sudo rkhunter --check --createlogfile
Read the output and take corrective action as required. The full report goes to /var/log/rkhunter.log. Most warnings on a freshly installed machine are false positives rather than rootkits: file-property warnings, for instance, usually mean a package upgrade replaced the binary since the last --propupd. Verify a flagged file against the package manager first (on Debian and Ubuntu, debsums or dpkg --verify), and only once you are satisfied run rkhunter --propupd again so that the stored properties match the system.
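Separating the warnings from the rest of the log is easier with a little triage script, particularly if rkhunter runs from cron. The following is an added example, not code from the original page or from the rkhunter project; the log excerpt it writes is constructed and only approximates the real /var/log/rkhunter.log layout (a bracketed timestamp followed by an Info:/Warning: prefix), so check the patterns against what your version actually emits.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from rkhunter): extract the
# Warning blocks from an rkhunter log so they can be reviewed, or mailed
# from a cron job, without the surrounding Info/OK noise.
set -u

# rk_warnings LOGFILE -> each "Warning:" line plus the indented detail lines
# that follow it, with the leading "[HH:MM:SS] " timestamp removed.
rk_warnings() {
    awk '
        { line = $0; sub(/^\[[0-9:]+\] /, "", line) }     # strip the timestamp
        line ~ /^Warning: /       { inwarn = 1; print line; next }
        inwarn && line ~ /^[ \t]/ { print line; next }    # continuation line
        { inwarn = 0 }                                     # anything else ends the block
    ' "$1"
}

# rk_warning_count LOGFILE -> number of "Warning:" lines in the log
rk_warning_count() {
    rk_warnings "$1" | grep -c '^Warning: '
}

# constructed_log -> path to a constructed log excerpt (format approximated
# from /var/log/rkhunter.log; this is not real output from any host)
constructed_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
[10:02:11] Info: Starting the rkhunter checks
[10:02:12] Checking for prerequisites                       [ OK ]
[10:02:13] Warning: The file properties have changed:
[10:02:13]          File: /usr/bin/ps
[10:02:13]          Current hash: 3e1a0c...
[10:02:13]          Stored hash : 9c2bd4...
[10:02:14] Info: Checking for hidden files and directories
[10:02:14] Warning: Hidden directory found: /dev/.udev
[10:02:15] Info: Checking for rootkits
EOF
    printf '%s\n' "$f"
}

# Demo: triage the constructed log and clean up.
log=$(constructed_log)
rk_warnings "$log"
echo "warnings: $(rk_warning_count "$log")"
rm -f "$log"
```

The two warnings in the constructed log are typical of what you will actually see: a changed file property (most often a package upgrade, to be confirmed with the package manager) and a hidden directory that is part of the normal system. Neither is proof of a rootkit, which is why the warnings need a human rather than an automatic "corrective action".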
I suggest you visit the chkrootkit website at:
In particular, the FAQ points out that chkrootkit relies on commands already present on your system (awk, ls, netstat, ps, strings and so on), which are exactly the binaries a rootkit replaces, so you should not trust them; it suggests running chkrootkit with the -p option pointing at known-good copies of those commands on read-only media, for example a CD-ROM. I chose not to take this additional precaution; you should make your decision based on the exposure of your server to the Internet and your assessment of the likelihood of your having a rootkit.
$ sudo apt-get install chkrootkit
$ sudo chkrootkit
Tripwire builds a database of cryptographic hashes and attributes (permissions, ownership, size, timestamps) for the files named in its policy, and every later check compares the live system against that signed database and reports anything that has changed.
$ sudo apt-get install tripwire
Follow all the prompts, which will require you to create a site key passphrase and a local key passphrase (the site key signs the policy and configuration files, the local key signs the database and the reports). Next we need to create the database, which will ask for the local key passphrase:
$ sudo tripwire --init
Wrote database file: /var/lib/tripwire/hostname.domain.com.twd
The database was successfully generated.
Next we run a first check:
$ sudo tripwire --check
This will doubtless come back with far more information than you really want. For example, I received loads of lines about "/proc/PIDNO/", because the default policy covers /proc, whose contents change with every process that starts or stops. The usual fix is to edit the text policy (/etc/tripwire/twpol.txt on Debian and Ubuntu), remove or comment out the entries you do not want monitored, regenerate the signed policy with sudo twadmin --create-polfile /etc/tripwire/twpol.txt, and then run sudo tripwire --init again so the database matches the new policy.
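To see what Tripwire is doing under the hood (and why monitoring /proc produces so much noise), here is an added example, not code from the original page or from the Tripwire project: a minimal integrity baseline in shell that records a SHA-256 digest and file attributes for every regular file under a directory, then reports files added, removed or modified since the baseline. It assumes GNU coreutils (sha256sum, stat -c) as found on Debian and Ubuntu; the directory tree built in demo() is constructed for the example and nothing here touches the real system.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from Tripwire: a minimal
# file-integrity baseline working the way Tripwire's database does.
# snapshot() records sha256 + mode/uid/gid/size for every regular file
# under a directory; baseline_check() compares a fresh snapshot against the
# stored baseline and reports Added/Removed/Modified files.
# Assumes GNU coreutils (sha256sum, stat -c). The tree in demo() is constructed.
set -u

# snapshot DIR -> "path<TAB>sha256<TAB>mode:uid:gid:size", one line per file,
# sorted so two snapshots of the same tree compare line by line.
snapshot() {
    ( cd "$1" || exit 1
      LC_ALL=C find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sum=$(sha256sum -- "$f" | cut -d' ' -f1)
          meta=$(stat -c '%a:%u:%g:%s' -- "$f")
          printf '%s\t%s\t%s\n' "${f#./}" "$sum" "$meta"
      done )
}

# baseline_init DIR BASELINE_FILE: the equivalent of tripwire --init. Only do
# this on a machine you believe is clean, and keep the result where root on
# this host cannot rewrite it (Tripwire signs it; here, copy it to read-only
# media or another host).
baseline_init() {
    snapshot "$1" > "$2"
}

# baseline_check DIR BASELINE_FILE: the equivalent of tripwire --check. Prints
# one line per change; returns 0 if the tree matches the baseline, 1 if not.
baseline_check() {
    local dir=$1 base=$2 now report
    now=$(mktemp)
    snapshot "$dir" > "$now"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2 "\t" $3; next }   # first file: baseline
        {
            seen[$1] = 1
            if (!($1 in base))                   print "Added    " $1
            else if (base[$1] != ($2 "\t" $3))   print "Modified " $1
        }
        END { for (p in base) if (!(p in seen)) print "Removed  " p }
    ' "$base" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: baseline a constructed tree, then do what a rootkit install does
# (replace a binary, drop a hidden file, delete a file) and check again.
demo() {
    local root base rc
    root=$(mktemp -d)
    base=$(mktemp)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ls binary\n' > "$root/bin/ls"
    printf 'sshd config\n'        > "$root/etc/sshd_config"
    printf 'motd\n'               > "$root/etc/motd"
    baseline_init "$root" "$base"
    printf 'trojaned ls binary\n' > "$root/bin/ls"       # modified
    printf 'rootkit loader\n'     > "$root/etc/.hidden"  # added
    rm -f "$root/etc/motd"                               # removed
    baseline_check "$root" "$base"
    rc=$?
    rm -rf "$root" "$base"
    return "$rc"
}

if demo; then echo "no changes"; else echo "changes detected (exit status 1)"; fi
```

Anything under /proc, /tmp or /var/log would differ between every two snapshots, which is exactly the noise the default Tripwire policy generates for /proc, so leave such trees out of what you baseline. The baseline file is also the weak point of the scheme: an attacker who already has root can regenerate it after installing the rootkit, which is why Tripwire signs its database with the local key and why the copy produced here belongs on read-only media or a separate host.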