chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script (with a few small helper programs written in C) that uses common UNIX/Linux tools such as the strings and grep commands to search core system programs for known rootkit signatures, and that compares a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies, such as a process that exists in /proc but is missing from the ps listing.
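To make the /proc-versus-ps comparison concrete, here is an added Python example that is not part of chkrootkit's own code (chkrootkit's process check, chkproc, is written in C). It collects the process table three ways, by listing /proc, by parsing ps, and by probing every PID with kill(pid, 0), reports PIDs that one view shows and another hides, and keeps only discrepancies that persist across several snapshots, so that processes which merely started or exited between two snapshots are not mistaken for hidden ones. All function names are this example's own.

```python
import os
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Set


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs visible as numeric directory names under /proc (what `ls /proc` sees)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs reported by ps(1). On Linux ps itself reads /proc, but a trojaned ps can lie."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound for the brute-force probe; falls back to the classic default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def pids_from_signal_probe(pid_max: int) -> Set[int]:
    """Enumerate PIDs without reading /proc at all.

    kill(pid, 0) delivers no signal but reports whether the PID exists:
    ESRCH (ProcessLookupError) -> no such process;
    EPERM (PermissionError)    -> exists but belongs to another user, so it is alive.
    With a large pid_max (e.g. 4194304) this loop takes a few seconds in Python.
    """
    alive: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def pid_discrepancies(proc_pids: Set[int], ps_pids: Set[int],
                      probed_pids: Set[int]) -> Dict[str, List[int]]:
    """Compare the three views. Anything in one view but not another is suspicious:
    'in_proc_not_ps'  -> ps hides it (trojaned ps or a userland rootkit)
    'in_ps_not_proc'  -> ps reports something /proc does not (odd; worth a look)
    'probe_not_proc'  -> the kernel says it exists but /proc does not list it
                         (typical of a kernel rootkit filtering the /proc directory)
    """
    return {
        "in_proc_not_ps": sorted(proc_pids - ps_pids),
        "in_ps_not_proc": sorted(ps_pids - proc_pids),
        "probe_not_proc": sorted(probed_pids - proc_pids),
    }


def persistent_across_rounds(rounds: Iterable[Set[int]]) -> Set[int]:
    """Keep only PIDs flagged in every snapshot; a PID that appears in one snapshot
    only is almost always a process that started or exited mid-scan, not a rootkit."""
    snapshots = [set(r) for r in rounds]
    return set.intersection(*snapshots) if snapshots else set()


def scan(rounds: int = 3,
         collect: Optional[Callable[[], Dict[str, List[int]]]] = None) -> Dict[str, List[int]]:
    """Take several snapshots and report only discrepancies present in all of them.
    `collect` is injectable so the logic can be exercised with constructed data."""
    if collect is None:
        def collect() -> Dict[str, List[int]]:
            return pid_discrepancies(pids_from_proc(), pids_from_ps(),
                                     pids_from_signal_probe(read_pid_max()))
    snapshots = [collect() for _ in range(rounds)]
    return {key: sorted(persistent_across_rounds(snap[key] for snap in snapshots))
            for key in snapshots[0]}


if __name__ == "__main__":
    for key, pids in scan().items():
        print(f"{key}: {pids if pids else 'none'}")
```

The probe deliberately does not trust /proc or ps; it asks the kernel about each PID directly. A rootkit that hooks the directory-listing path (getdents) but forgets to filter kill() shows up in "probe_not_proc". The persistence filter is what keeps the check usable on a busy machine, where a single pass would flag short-lived processes as hidden.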
It can be run from a "rescue disc" (typically a LiveCD), or it can optionally use an alternative directory from which to run all of the commands it depends on (the -p option takes a path of directories holding known-good binaries, and the -r option points it at a mounted root directory other than / to check). The reason is that if the system's own ls, ps, strings or grep have been replaced by a rootkit, a scanner that calls them will be lied to; these techniques let chkrootkit trust the commands upon which it depends a bit more.
There are inherent limitations to the reliability of any program that attempts to detect compromises (such as rootkits and computer viruses). Signature-based checks find only rootkits whose signatures are already known, and the process-table comparison necessarily runs under the suspect kernel: on Linux ps itself reads /proc, so a kernel-mode rootkit that hides a process from the /proc directory listing hides it from ps as well, and the two views agree. Newer rootkits may also specifically attempt to detect and compromise copies of the chkrootkit programs, or take other measures to evade detection by them.