Staying one step ahead of the intruders
One of the most popular rootkit scanners on Linux is Chkrootkit . The toolkit by Nelson Murilo and Klaus Steding-Jessen comprises a collection of small C programs specially written to detect a specific anomaly. After unpacking the archive, build the applications by typing
and then perform a trial run by typing ./chkrootkit (Figure 1). Unfortunately, the rootkit scanner calls various binary programs on the infected system. For this reason, you should always run these tools directly from a separate, clean medium such as a CD or DVD drive:
./chkrootkit -p /cdrom/bin
in order to avoid infection.
Just like Chkrootkit, Rootkit Hunter also searches the infected system for specific characteristics that indicate the existence of a rootkit. Originally written by Michael Boelen, the tool was passed on to a team of developers in 2006, and the results are visible on SourceForge . After downloading and unpacking the archive, become root and enter the following to build:
./installer.sh --layout custom . --install
Then change to the files subdirectory and modify the rkhunter.conf configuration file. The following command line starts the check
In contrast to previous, simple scanners, OSSEC  launches a whole battery of functions (Figure 2). In addition to automatically performing period rootkit detection, it offers permanent monitoring and analysis of logfiles, integrity checks, and (rules-based) intrusion detection. The Rootcheck project has rootkit signatures up for grabs on its website .
OSSEC lets you set up a client/server team: Agents monitor the operating system on the client machines. Whenever a suspicious or atypical event occurs, a message is passed on to a central monitoring server, which then performs the analysis, draws conclusions, and raises the alarm if necessary.
To install OSSEC, just unpack the archive and type:
Say yes to all the prompts and choose local as the installation type, if you do not want to set up an agent/server operation.
Next, select one of the installation routine options for rootkit detection, then modify the configuration in /var/ossec/etc/ossec.conf, and launch OSSEC HIDS by typing
The program then starts to monitor the target system.
In a default installation, the configuration file is stored in /etc/ossec-init.conf, with all other files in /var/ossec. Rootkit signatures are stored in the files rootkit_files.txt and rootkit_trojans.txt in /var/ossec/etc/shared.
Buy this article as PDF
Upcoming switch to HTML5-only ads is further evidence the Flash is entering its final days.
US government invests $19 billion on enhancing security and replacing ancient computer systems.
But you can still be a non-voting “individual supporter” if you pay the money
Several current systems could fall victim to the attack
Latest Linux engine comes with better graphics and support for Intel's new power-saving chips.
Hackers send a message of beauty and liberation to server logs
Citrix gets excited about new Pi-Powered XenDesktop client system
Linux on Azure cert heralds a new era for Redmond.
Proposals for presentations at the CeBIT Open Source Forum will be accepted through 24 January 2016.
Adobe looks for a new start; renames its embattled Flash tool.