chkrootkit (Check Rootkit) is a common Unix-based program intended to help
system administrators check their system for known rootkits. It is a shell
script that uses common UNIX/Linux tools such as the strings and grep commands
to search core system programs for signatures, and that compares a traversal of
the /proc filesystem with the output of the ps (process status) command to look
for discrepancies.

It can be used from a "rescue disc" (typically a LiveCD) or it can optionally
use an alternative directory from which to run all of its own commands. These
techniques allow chkrootkit to trust the commands upon which it depends a bit
more.

There are inherent limitations to the reliability of any program that attempts
to detect compromises (such as rootkits and computer viruses). Newer rootkits
may specifically attempt to detect and compromise copies of the chkrootkit
programs or take other measures to evade detection by them.
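
The comparison of a /proc traversal with ps output described in the first
paragraph, as an added example (not chkrootkit's own code; the function names,
the fake proc tree and the sample ps listing are constructed for illustration):

```shell
#!/bin/sh
# Added example, not chkrootkit's code; all function names are hypothetical.
LC_ALL=C; export LC_ALL   # one collation for both sort and comm

# PIDs visible as purely numeric directories under a proc root (default /proc).
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        [ -d "$d" ] || continue
        case ${d##*/} in
            *[!0-9]*) ;;                  # e.g. "12abc" is not a PID
            *) echo "${d##*/}" ;;
        esac
    done | sort
}

# PIDs from ps-style text on stdin: numeric first column, header skipped.
ps_pids() { awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort; }

# PIDs listed in file $1 (/proc view) but absent from file $2 (ps view).
hidden_pids() { comm -23 "$1" "$2"; }

# Live check. A process that exits between the two snapshots looks hidden,
# so a candidate is reported only if its /proc entry still exists afterwards.
check_live() {
    tmp=$(mktemp -d) || return 2
    proc_pids /proc > "$tmp/proc.txt"
    ps -e -o pid= | ps_pids > "$tmp/ps.txt"
    hidden_pids "$tmp/proc.txt" "$tmp/ps.txt" | while read -r pid; do
        [ -d "/proc/$pid" ] && echo "PID $pid: in /proc, missing from ps"
    done
    rm -rf "$tmp"
}

# Constructed sample: fake proc tree with PIDs 1, 42, 1337; ps shows 1 and 42.
demo() {
    t=$(mktemp -d) || return 2
    mkdir "$t/1" "$t/42" "$t/1337" "$t/self"
    proc_pids "$t" > "$t/proc.txt"
    printf '  PID CMD\n    1 init\n   42 sshd\n' | ps_pids > "$t/ps.txt"
    hidden_pids "$t/proc.txt" "$t/ps.txt"
    rm -rf "$t"
}

case ${1:-} in --live) check_live ;; *) demo ;; esac
```

Run with --live to compare the real /proc against ps -e. On a host suspected of
compromise, the ps, awk, sort and comm binaries should come from trusted media
or an alternative directory, as the second paragraph describes.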