Archive for the tag 'rootkit'

Can chkrootkit detect modified (or new) rootkit versions?

If chkrootkit can’t find a known signature inside a file, it can’t automatically determine if it has been trojaned. Try to run chkrootkit in expert mode (-x option) — in this mode the user can examine suspicious strings in the binary programs that may indicate a trojan.

For example, lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'
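Expert mode only dumps the strings; deciding which pathnames are odd is left to the reader. The following added example (not chkrootkit's own code) post-processes such output the way a reviewer would: it keeps the `^/` lines and flags those with a hidden path component, those under world-writable or device directories, or a reference to the loader preload file. The sample lines are constructed to look like `-x` output, and the directory heuristics are assumptions to adapt to the system under review.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: triage the pathnames that
# `chkrootkit -x` prints for a binary and flag the ones a clean system
# command has no business referencing.

# Constructed stand-in for expert-mode output; a real review would pipe
# `./chkrootkit -x` in here instead.
SAMPLE_OUTPUT='###
### Output of: /usr/bin/strings -a /bin/ps
###
/lib64/ld-linux-x86-64.so.2
/proc/%d/stat
/dev/ptyxx/.file
/usr/lib/libproc.so
/tmp/.X11-unix/.hidden
/etc/ld.so.preload'

# Read expert-mode output on stdin, print only the suspicious pathnames.
# The three rules below are heuristics (assumed here), not chkrootkit logic.
flag_suspicious_paths() {
    grep '^/' | awk '
        # A hidden component ("/.name") inside a system binary is a red flag.
        /\/\.[^\/]/ { print; next }
        # World-writable or device directories are unusual for a core binary.
        /^\/(tmp|var\/tmp|dev|dev\/shm)\// { print; next }
        # The dynamic-loader preload list is how LD_PRELOAD-style
        # userland rootkits hook every process; a user binary should not name it.
        /^\/etc\/ld\.so\.preload$/ { print; next }
    '
}

# Number of flagged pathnames in the constructed sample (used for checks).
count_suspicious() {
    printf '%s\n' "$SAMPLE_OUTPUT" | flag_suspicious_paths | wc -l | tr -d ' '
}

# Stand-alone usage: list what the heuristics pick out of the sample.
printf '%s\n' "$SAMPLE_OUTPUT" | flag_suspicious_paths
```

The two legitimate library paths and the `/proc` format string pass through silently; the three flagged lines are the ones worth opening with `strings` and comparing against a known-good copy of the binary.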