
SBDavid

Installing Root Check

RootCheck scans the system looking for possible trojans, scans the ports for malicious activity, and checks for rootkits, and also the logs, permissions and more.
Rootcheck is very simple software. Just download, unpack, compile and execute it. It will scan the system and print whether or not it found anything.

Installation Instructions

Login to your server and su to root.

[root@ossec ~]# wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
[root@ossec ~]# tar -zxvf rootcheck-2.0.tar.gz
[root@ossec ~]# cd rootcheck-2.0
[root@ossec ~]# make all
[root@ossec ~]# ./ossec-rootcheck

This will take you to an interactive installation. Make sure you have CPAN on
your box because rootcheck requires the Perl module IO::Interface.

When the installation has finished you will get this message:

Compilation sucessfull. Ready to go.
———————————————————
That’s it! If everything went ok, you should be ready to run RootCheck. If you any doubts about installation, please refer to INSTALL file.
You can also find additional information at :
http://www.ossec.net/rootcheck/
Improves, patches, comments are very welcome.
———————————————————
Scanning the System

Now you are ready to run rootcheck.
There are quite a few options, but the simplest one is:

Just run ‘./ossec-rootcheck’ to execute it.


./ossec-rootcheck

** Starting Rootcheck v2.0 by Third Brigade **
** http://www.ossec.net/en/about.html#dev-team **
** http://www.ossec.net/rootcheck/ **

Be patient, it may take a few minutes to complete…

[INFO]: Starting rootcheck scan.

[OK]: No presence of public rootkits detected. Analyzed 269 files.

[OK]: No binaries with any trojan detected. Analyzed 79 files.

If the installation went well, you will see a progress screen for the scan, after which the results will be written to results.txt. The results are self-explanatory and give details of all suspected files.
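To run the scan unattended and act on its report, here is an added example (not from the original post or from the OSSEC project): a small POSIX shell script that treats every line of the report other than the [OK] and [INFO] lines shown above as a finding to review. It assumes the build directory rootcheck-2.0 from the steps above and that the scan writes results.txt there.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: ./ossec-rootcheck
# was built in rootcheck-2.0 as described above and writes its report to
# results.txt in that directory.

# Count findings in a rootcheck report: lines starting with "[OK]:" or
# "[INFO]:" are routine, blank lines are ignored, anything else is a finding.
rootcheck_findings() {
    # $1 = path to the results file
    grep -v -e '^\[OK\]:' -e '^\[INFO\]:' -e '^[[:space:]]*$' "$1" | wc -l | tr -d ' '
}

# Sum the "Analyzed N files." counters so a report can be sanity-checked:
# a scan that analyzed zero files did not really run.
rootcheck_files_analyzed() {
    sed -n 's/.*Analyzed \([0-9][0-9]*\) files\..*/\1/p' "$1" \
        | awk '{ s += $1 } END { print s + 0 }'
}

# Run the scan and exit non-zero if anything other than routine lines
# appears, so a cron job or monitoring system notices.
run_rootcheck_check() {
    dir=${1:-rootcheck-2.0}
    ( cd "$dir" && ./ossec-rootcheck ) || return 2
    n=$(rootcheck_findings "$dir/results.txt")
    files=$(rootcheck_files_analyzed "$dir/results.txt")
    echo "rootcheck: $n finding(s), $files files analyzed"
    [ "$n" -eq 0 ] && [ "$files" -gt 0 ]
}

# Usage: sh rootcheck-check.sh --run rootcheck-2.0
if [ "${1-}" = "--run" ]; then
    run_rootcheck_check "${2-}"
fi
```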

There is also an example file that explains the different options for rootcheck.

More Information about rootcheck is available at http://www.ossec.net/main/rootcheck