Chkrootkit configuration in Debian
chkrootkit identifies whether the target computer is infected with a rootkit.
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: a shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files,
but it is *not* guaranteed that any modification will be detected.
Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations --
so it is also not guaranteed it will succeed in all cases.
chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be
an indication of an LKM trojan. You can also run this command with the -v option (verbose).
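The cross-check described above can be sketched in C as follows. This is an added example, not chkproc's source: it compares the readdir view of /proc with a direct probe of each PID path and skips non-leader threads, which Linux never lists in /proc. The names list_pids, tgid_of and next_hidden, and the 4194304 PID ceiling (64-bit Linux), are assumptions of this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* View 1: mark in seen[] every numeric name that readdir() returns for root. */
int list_pids(const char *root, unsigned char *seen, long max_pid) {
    DIR *d = opendir(root);
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char *end;
        long p = strtol(e->d_name, &end, 10);
        if (end != e->d_name && *end == '\0' && p > 0 && p <= max_pid) seen[p] = 1;
    }
    closedir(d);
    return 0;
}

/* Thread-group id from <root>/<pid>/status, or -1 if it cannot be read. */
static long tgid_of(const char *root, long pid) {
    char path[512], line[256];
    long tgid = -1;
    snprintf(path, sizeof path, "%s/%ld/status", root, pid);
    FILE *f = fopen(path, "r");
    while (f && fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    if (f) fclose(f);
    return tgid;
}

/* View 2: probe PIDs by path from `from` upward; return the first thread-group
   leader that exists but is missing from seen[], or 0 if there is none. */
long next_hidden(const char *root, const unsigned char *seen, long from, long max_pid) {
    struct stat st;
    char path[512];
    for (long p = from; p <= max_pid; p++) {
        snprintf(path, sizeof path, "%s/%ld", root, p);
        if (seen[p] || stat(path, &st) != 0) continue; /* listed, or no such PID */
        if (tgid_of(root, p) == p) return p; /* non-leader threads are skipped */
    }
    return 0;
}

int main(void) {
    static unsigned char seen[4194304 + 1]; /* assumed pid_max ceiling */
    if (list_pids("/proc", seen, 4194304) != 0) return 2;
    for (long p = 0; (p = next_hidden("/proc", seen, p + 1, 4194304)) != 0; )
        printf("not in readdir: PID %ld\n", p);
    return 0;
}
```

A process that starts between the two views shows up as a one-off hit, so a reported PID is only meaningful if it is still unlisted on a second run.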
Rootkits, Worms and LKMs detected
For an updated list of rootkits, worms and LKMs detected by chkrootkit please visit
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x,
OpenBSD 2.x and 3.x, NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and
Mac OS X.
Installing chkrootkit in Debian
Enter the following command:
# apt-get install chkrootkit
Now it will prompt you with ‘Would you like to run chkrootkit automatically every day?’.
If you want that, select ‘yes’ and press Enter.
If you want to run it manually, enter the following command in your shell
This will check whether your computer is infected with a rootkit.
For more information, visit this website: http://www.chkrootkit.org/