RootCheck (the OSSEC rootkit detection engine) is open source software that scans the whole system for signs of trojans and rootkits on Linux. It also performs system auditing and is included as part of the policy monitoring component of OSSEC. It is a real help when a server is suspected of having been compromised. RootCheck detects kernel-level rootkits, malicious files, known backdoors and insecure configuration settings. When run under an OSSEC agent, the rootcheck engine is executed every X minutes (configurable on the agent; by default at regular intervals) to detect any rootkit that may have been installed.
The installation is very simple. Please follow the steps below to install RootCheck.
1. Download the latest version of Rootcheck.
# wget http://www.ossec.net/rootcheck/files/rootcheck-2.4.tar.gz
2. Extract the Rootcheck tarball, change into the new directory and compile it.
# tar -zxvf rootcheck-2.4.tar.gz
# cd rootcheck-2.4
3. Finally, run the rootcheck scan using the command
Normally, RootCheck performs the following checks on the system:
Check the rootkit_files.txt database of known rootkit files to detect public rootkits.
Check the rootkit_trojans.txt database of trojaned system binaries.
Scan the /dev directory to detect non-public rootkits (unexpected regular files hidden among device nodes).
Check the filesystem for unusual files and permission issues (for example world-writable or SUID files in odd places).
Check for processes hidden by kernel-level rootkits (processes the kernel reports as alive but that do not appear in /proc or in ps output).
Check for ports hidden by kernel-level rootkits (ports that can be bound or are in use but are not listed by netstat).
Scan all the network interfaces on the server for promiscuous mode.
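The hidden-process check described above, as an added Python example written for this page rather than rootcheck's own code: it compares the PIDs the kernel admits exist (probed with kill(pid, 0)) against the PIDs that readdir() on /proc returns. The function names and the two-round re-check are my own assumptions, chosen to suppress false positives from processes that exit mid-scan.

```python
"""Hidden-process check in the spirit of rootcheck's kernel-level rootkit test.

A kernel rootkit that hides a process usually filters the /proc directory
listing, but the task still exists, so kill(pid, 0) succeeds (or fails with
EPERM rather than ESRCH). Comparing the two views exposes the discrepancy.
Linux only: relies on /proc and kernel.pid_max.
"""
import os


def pids_from_proc():
    """PIDs as listed by readdir() on /proc: the view a rootkit tampers with."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_syscalls(max_pid=None):
    """PIDs the kernel admits exist, by probing each PID with signal 0.
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but belongs to another user, so count it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def hidden_pids(syscall_view, proc_view, own_pid):
    """Pure comparison: PIDs the kernel knows about but /proc does not list.
    Our own PID is skipped. A process that exited between the two snapshots
    also lands here, which is why check_hidden_processes() re-checks."""
    return sorted(p for p in syscall_view - proc_view if p != own_pid)


def check_hidden_processes(rounds=2):
    """Report only PIDs that are missing from /proc in every round, which
    filters the race with short-lived processes that exit mid-scan."""
    suspects = None
    for _ in range(rounds):
        found = set(hidden_pids(pids_from_syscalls(), pids_from_proc(), os.getpid()))
        suspects = found if suspects is None else suspects & found
    return sorted(suspects)


if __name__ == "__main__":
    hidden = check_hidden_processes()
    print("hidden PIDs:", hidden if hidden else "none")
```

Run it as root so that EPERM does not mask anything; a non-empty result is a strong signal worth correlating with ps and /proc/<pid>/status before declaring a compromise.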