Rootkits can be a real nightmare for any administrator: these elusive programs hide by subverting the very system that is supposed to report on them, often by hooking the kernel itself, so the usual commands (ps, ls, netstat and friends) keep reporting a clean machine.
To “catch” these little bastards we will use two tools:
- Chkrootkit
- Rkhunter
If we suspect that our system has been compromised, we should not trust the running kernel to tell us the truth. Boot instead from a LiveCD that has these tools installed, mount the suspect filesystem read-only, and perform the analysis from there: the checks then run under a kernel the attacker never touched. chkrootkit supports this directly with its -r option, which points it at an alternate root directory such as the mounted disk.
Running the tools is as simple as this (rkhunter shown here; chkrootkit is run with no arguments). Both must be run as root, and -c is short for --check; add --sk if you do not want rkhunter to pause for a keypress after each group of tests:
rkhunter -c
NOTE: rkhunter also keeps a database of file properties (hashes, permissions, ownership) for system binaries and compares the live files against it, in the style of Tripwire. This has a well-known drawback: every time the system is updated some of those files legitimately change, and the next run warns that something strange is happening.
It is the administrator's job to determine whether the changes are simple modifications made by updates or a real threat. The practical check is to ask the package manager whether the files it installed are still what it shipped (debsums on Debian-based systems, rpm -V on RPM-based ones); only once the warnings are accounted for should the baseline be refreshed with rkhunter --propupd. Refreshing it first, without that check, simply blesses whatever the attacker left behind.
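The following script is an added illustration of the Tripwire-style check described above, written for this page and not taken from rkhunter or chkrootkit: it takes a baseline of SHA-256 digests for a directory tree, then reports files that were changed, deleted or added since. The function names and the use of plain digests instead of rkhunter's richer property database are assumptions made for the illustration.

```shell
#!/bin/sh
# Example integrity baseline in the style of rkhunter's file-properties check.
# Example code written for this page; not part of rkhunter or chkrootkit.
# Assumptions: plain SHA-256 digests stand in for rkhunter's property database,
# and the function names below are invented for the illustration.
set -u

# make_baseline DIR BASELINE
# Writes one "sha256  path" line per regular file under DIR to BASELINE.
make_baseline() {
    dir=$1; baseline=$2
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$baseline"
}

# verify_baseline DIR BASELINE
# Prints one line per changed, missing or new file. Returns 1 if the tree
# differs from the baseline in any way, 0 if it is unchanged.
verify_baseline() {
    dir=$1; baseline=$2; rc=0

    # Changed and deleted files: sha256sum -c reports both as "path: FAILED".
    sha256sum -c --quiet "$baseline" 2>/dev/null || rc=1

    # New files: anything present now that the baseline never listed. A fresh
    # binary dropped next to the real ones is exactly what a digest-only
    # comparison would otherwise miss.
    known=$(mktemp); now=$(mktemp)
    cut -c67- "$baseline" | LC_ALL=C sort > "$known"   # 64 hex digits + 2 spaces
    find "$dir" -type f | LC_ALL=C sort > "$now"
    added=$(LC_ALL=C comm -13 "$known" "$now")
    rm -f "$known" "$now"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/$/: NEW/'
        rc=1
    fi
    return $rc
}

# Usage:
#   make_baseline /usr/sbin /var/lib/integrity/usr-sbin.sha256
#   verify_baseline /usr/sbin /var/lib/integrity/usr-sbin.sha256
```

Running make_baseline again after a package update is the equivalent of rkhunter --propupd, and the same rule applies: confirm with the package manager that the FAILED and NEW entries are explained by the update before you re-baseline, because the script cannot tell a freshly upgraded /usr/sbin/sshd from a trojaned one. Keep the baseline file somewhere the attacker cannot rewrite (read-only media, or a copy off the host), or it proves nothing.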