Linux Rootkits – Rootkit Hunter

As an incident responder, one of you first port of calls should be to look for any signs of a rootkit. A good rootkit finder for Linux systems is ‘rootkit hunter’.

Rootkit Hunter tests for such things as hidden ports and processes.

In an ideal situation you would want to acquire a disk image and boot from the image with ‘rootkit hunter’ running its tests on the copied host.

Download ‘rootkit hunter’

fyi I should mention an excellent memory forensics utility called Volatility which can analyze memory dumps (you will need a separate memory acquisition tool), and show you the state of the machine at acquisition time.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s