Staying one step ahead of the intruders
One of the most popular rootkit scanners on Linux is Chkrootkit . The toolkit by Nelson Murilo and Klaus Steding-Jessen comprises a collection of small C programs specially written to detect a specific anomaly. After unpacking the archive, build the applications by typing
and then perform a trial run by typing ./chkrootkit (Figure 1). Unfortunately, the rootkit scanner calls various binary programs on the infected system. For this reason, you should always run these tools directly from a separate, clean medium such as a CD or DVD drive:
./chkrootkit -p /cdrom/bin
in order to avoid infection.
Just like Chkrootkit, Rootkit Hunter also searches the infected system for specific characteristics that indicate the existence of a rootkit. Originally written by Michael Boelen, the tool was passed on to a team of developers in 2006, and the results are visible on SourceForge . After downloading and unpacking the archive, become root and enter the following to build:
./installer.sh --layout custom . --install
Then change to the files subdirectory and modify the rkhunter.conf configuration file. The following command line starts the check
In contrast to previous, simple scanners, OSSEC  launches a whole battery of functions (Figure 2). In addition to automatically performing period rootkit detection, it offers permanent monitoring and analysis of logfiles, integrity checks, and (rules-based) intrusion detection. The Rootcheck project has rootkit signatures up for grabs on its website .
OSSEC lets you set up a client/server team: Agents monitor the operating system on the client machines. Whenever a suspicious or atypical event occurs, a message is passed on to a central monitoring server, which then performs the analysis, draws conclusions, and raises the alarm if necessary.
To install OSSEC, just unpack the archive and type:
Say yes to all the prompts and choose local as the installation type, if you do not want to set up an agent/server operation.
Next, select one of the installation routine options for rootkit detection, then modify the configuration in /var/ossec/etc/ossec.conf, and launch OSSEC HIDS by typing
The program then starts to monitor the target system.
In a default installation, the configuration file is stored in /etc/ossec-init.conf, with all other files in /var/ossec. Rootkit signatures are stored in the files rootkit_files.txt and rootkit_trojans.txt in /var/ossec/etc/shared.
Buy this article as PDF
Linux users can now download and install the Windows code editor
New initiative will address security and interoperability concerns around container technology.
Developers can use RHEL as a development platform without a subscription fee.
Windows users will soon have native access to the Bash shell.
Improvements to SMTP will provide better guarantee of confidentiality
Graphics vendor embraces new reality in Linux graphics
Pioneer Ray Tomlinson bequeathed the @ sign to billions of Internet users
Redmond says its classic database tool will run without Windows
New intrusion technique affects most non-Bluetooth wireless mice
GENIVI Alliance announces the release of the first beta of the GENIVI Demo Platform ivi9.