chkrootkit
Locally checks for signs of a rootkit.
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
- chkrootkit: a shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the network interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.
Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations -- so it is also not guaranteed it will succeed in all cases.
chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of a LKM trojan. You can also run this command with the -v option (verbose).