Linux Rootkits – Rootkit Hunter

As an incident responder, one of your first ports of call should be to look for any signs of a rootkit. A good rootkit finder for Linux systems is ‘rootkit hunter’ (rkhunter).

Rootkit Hunter tests for signs of compromise such as hidden ports and hidden processes.
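As an added illustration of what a hidden-process test does (this is example code, not rkhunter's own), the script below compares the IDs an ordinary /proc listing shows with the IDs the kernel confirms exist when probed with kill(pid, 0); thread IDs from /proc/<pid>/task are folded into the listing because they answer the probe as well and would otherwise be false positives.

```python
"""Hidden-process check of the kind rkhunter performs (added example, not
rkhunter's own code): an ID that answers kill(pid, 0) yet is absent from a
/proc listing is a candidate for a process hidden by a rootkit."""
import os

def pids_visible_in_proc():
    """Process IDs plus thread IDs from an ordinary /proc listing. Thread IDs
    matter: kill(tid, 0) succeeds for a non-leader thread, which a plain
    listing omits, so without /proc/<pid>/task every multithreaded program
    would look hidden."""
    visible = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        visible.add(int(entry))
        try:
            visible.update(int(t) for t in os.listdir(f"/proc/{entry}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return visible

def pids_answering_probe(max_pid):
    """IDs the kernel says exist when probed with signal 0 (nothing is sent)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # no such task
        except PermissionError:
            alive.add(pid)  # exists, but owned by another user
        else:
            alive.add(pid)
    return alive

def find_hidden_pids(listed, probed):
    """IDs that answered the probe but were missing from the listing."""
    return sorted(probed - listed)

def scan(max_pid=None):
    """List, probe, then list again: only IDs missing from both listings are
    reported, so a process that started or exited mid-scan is not flagged."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    candidates = find_hidden_pids(pids_visible_in_proc(), pids_answering_probe(max_pid))
    second_listing = pids_visible_in_proc()
    return [pid for pid in candidates if pid not in second_listing]
```

Call scan() as root: on a /proc mounted with hidepid, other users' processes are absent from the listing yet answer the probe with EPERM, which an unprivileged run would report as hidden.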

Ideally you would acquire a disk image, boot a copy of it, and have ‘rootkit hunter’ run its tests on that copied host rather than on the live machine.

Download ‘rootkit hunter’: http://rkhunter.sourceforge.net/

I should also mention an excellent memory forensics utility called Volatility, which can analyze memory dumps (you will need a separate memory acquisition tool) and show you the state of the machine at acquisition time.
