Root Kit Detection
Comparing with installed RPM based packages
This is generally only relevant to Red Hat based distributions which use the RPM packaging system.
Boot off a clean disk image and mount the partitions you want to check.
$ for foo in `rpm -q -a` ; do rpm -V --nomd5 $foo ; done
$ find / -type f \! -exec rpm --quiet -q -f {} \; -print
As written, these commands consult the RPM database of the system you booted from, so you'll need to modify them to use --root pointing at the mounted partitions and --redhatprovides to do the job. You'll probably also want to remove --nomd5 from the options, so that file digests are checked as well, to be more secure.
You also need to replace the initrd images on /boot to be absolutely certain everything is clean. See man mkinitrd(8).
Packages installed since date
- rpm -q -a --queryformat "%{INSTALLTIME:date} %{NAME}\n"
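The procedure above, as an added shell example that is not part of the original page: it verifies every package against the suspect system's own RPM database via --root (digests included, so --nomd5 is left out), lists files no package owns, prints packages in install-time order, and decodes the attribute string that rpm -V prints so a reviewer can see at a glance what changed. Assumptions: the suspect filesystem is mounted at /mnt/suspect (override with SUSPECT_ROOT or the first argument); the attribute letters are those documented in rpm(8) (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities); and rpm -qf under --root is given paths as the suspect system sees them, with the mount prefix removed. The decoder is exercised on constructed sample lines; the rpm invocations need a real RPM database.

```shell
#!/bin/sh
# Added example, not from the original page. Run from a clean boot image with
# the suspect root filesystem mounted at $SUSPECT_ROOT (assumption: /mnt/suspect
# by default). The database consulted is the suspect system's own, via --root,
# while the rpm binary executed is the clean one from the boot image.
SUSPECT_ROOT="${SUSPECT_ROOT:-/mnt/suspect}"

# Translate the optional rpm -V file-type column into words.
type_name() {
    case "$1" in
        c) echo "config file" ;;
        d) echo "documentation" ;;
        g) echo "ghost file" ;;
        l) echo "license" ;;
        r) echo "readme" ;;
        *) echo "$1" ;;
    esac
}

# Decode one rpm -V output line such as "S.5....T.  c /etc/passwd".
# The first field is the attribute string: '.' means the attribute matched the
# package database, a letter names the mismatch (per rpm(8)), '?' means the
# test could not be run, and the literal word "missing" means the file is gone.
# Prints "<path>: <changed attributes> [(<file type>)]". Paths containing
# whitespace are not handled.
decode_rpm_verify_line() {
    flags=$(printf '%s\n' "$1" | awk '{print $1}')
    ftype=$(printf '%s\n' "$1" | awk 'NF == 3 {print $2}')
    path=$(printf '%s\n' "$1" | awk '{print $NF}')
    if [ "$flags" = missing ]; then
        changed="missing"
    else
        changed=""
        rest=$flags
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}     # first character of the remaining string
            rest=${rest#?}            # drop it
            case "$c" in
                S) changed="$changed size" ;;
                M) changed="$changed mode" ;;
                5) changed="$changed digest" ;;
                D) changed="$changed device" ;;
                L) changed="$changed symlink" ;;
                U) changed="$changed user" ;;
                G) changed="$changed group" ;;
                T) changed="$changed mtime" ;;
                P) changed="$changed capabilities" ;;
                '?') changed="$changed unverifiable" ;;
            esac
        done
        changed=${changed# }
    fi
    if [ -n "$ftype" ]; then
        printf '%s: %s (%s)\n' "$path" "$changed" "$(type_name "$ftype")"
    else
        printf '%s: %s\n' "$path" "$changed"
    fi
}

# 1. Verify every package against the suspect database, digests included
#    (the page's --nomd5 is deliberately left out), and decode each mismatch.
verify_packages() {
    root=${1:-$SUSPECT_ROOT}
    rpm --root "$root" -Va 2>/dev/null | while IFS= read -r line; do
        decode_rpm_verify_line "$line"
    done
}

# 2. Regular files under the suspect root that no installed package owns.
#    The path handed to rpm -qf is the path as the suspect system sees it,
#    i.e. with the mount prefix stripped (assumption about --root lookups).
unowned_files() {
    root=${1:-$SUSPECT_ROOT}
    find "$root" -type f | while IFS= read -r f; do
        rpm --root "$root" --quiet -qf "${f#"$root"}" 2>/dev/null || printf '%s\n' "$f"
    done
}

# 3. Installed packages ordered by install time, newest last; anything installed
#    after the last known-good maintenance window deserves a closer look.
packages_by_install_time() {
    root=${1:-$SUSPECT_ROOT}
    rpm --root "$root" -qa --queryformat '%{INSTALLTIME} %{INSTALLTIME:date} %{NAME}\n' \
        | sort -n | cut -d' ' -f2-
}

# Usage from the clean boot image, e.g.:
#   . ./rpm_rootkit_check.sh; verify_packages; unowned_files; packages_by_install_time
```

The decoder runs offline on constructed lines; the three check functions are the page's commands with --root added and the digest check left on. Size, digest and mtime changing together on a binary under /bin or /sbin, or a file that is missing or unowned, is the pattern to follow up on; a changed config file under /etc is expected and is reported with its type so it can be triaged separately.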
Links
- http://sourceforge.net/projects/tripwire/
- http://www.cert.org/tech_tips/root_compromise.html
- http://www.rootkit.nl/
- http://www.chkrootkit.org/
-- Frank Dean - 13 Dec 2004