ChkRootKit
Get the chkrootkit package :
sudo apt-get install chkrootkit
Make a Cron Job to do the scan daily at 0700 hours :
sudo crontab -e
0 7 * * * /usr/sbin/chkrootkit; /usr/sbin/chkrootkit -q 2>&1 | mail -s "Daily ChkRootKit Scan" samiux@gmail.com
Do a manual scan :
sudo /usr/sbin/chkrootkit
Rootkit Hunter
Get the rkhunter package :
sudo apt-get install rkhunter
Make a Cron Job to do the scan daily at 0500 hours :
sudo crontab -e
0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" samiux@gmail.com
Do a manual scan :
sudo rkhunter --check
Forensic tool to find hidden processes and ports – unhide
Get the unhide package :
sudo apt-get install unhide
Make a Cron Job to do the scan daily between 0800 and 0930 hours :
sudo crontab -e
0 8 * * * unhide proc; unhide proc -q 2>&1 | mail -s "Daily unhide proc Scan" samiux@gmail.com
30 8 * * * unhide sys; unhide sys -q 2>&1 | mail -s "Daily unhide sys Scan" samiux@gmail.com
0 9 * * * unhide brute; unhide brute -q 2>&1 | mail -s "Daily unhide brute Scan" samiux@gmail.com
30 9 * * * unhide-tcp; unhide-tcp -q 2>&1 | mail -s "Daily unhide-tcp Scan" samiux@gmail.com
Do a manual scan :
sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp
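As an added example that is not part of the original post, the following POSIX sh wrapper does what the cron one-liners above intend: it runs one scanner, merges stderr into stdout with 2>&1 (no space), keeps a dated log, and only mails when the output contains a finding or the scanner fails to run. The log directory, the recipient and the finding patterns are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Cron wrapper for chkrootkit / rkhunter / unhide scans (added example).
# Assumptions: log directory and recipient below; mail(1) is installed.
LOGDIR="${LOGDIR:-/var/log/rootkit-scans}"
MAILTO="${MAILTO:-root}"

# Return 0 (true) when scanner output on stdin contains a finding.
# Patterns are assumptions based on each tool's usual output:
#   chkrootkit marks hits with "INFECTED",
#   rkhunter --rwo prints only "Warning:" lines,
#   unhide / unhide-tcp report "Found HIDDEN ..." entries.
has_findings() {
    case "$1" in
        chkrootkit) grep -q 'INFECTED' ;;
        rkhunter)   grep -q 'Warning:' ;;
        unhide*)    grep -qi 'HIDDEN' ;;
        *)          grep -qiE 'INFECTED|Warning:|HIDDEN' ;;
    esac
}

# Run a scanner, log its combined output, mail only when needed.
# Usage: run_scan <name> <command> [args...]
# Returns the scanner's own exit status.
run_scan() {
    name="$1"; shift
    mkdir -p "$LOGDIR"
    log="$LOGDIR/$name-$(date +%Y%m%d).log"
    # 2>&1 sends stderr to the same place as stdout, so error messages
    # (e.g. a missing binary) land in the log instead of being lost.
    "$@" > "$log" 2>&1
    status=$?
    # A non-zero status also triggers a mail: rkhunter exits non-zero on
    # warnings, and any scanner that could not run at all must be noticed.
    if has_findings "$name" < "$log" || [ "$status" -ne 0 ]; then
        mail -s "Daily $name scan: findings on $(hostname)" "$MAILTO" < "$log"
    fi
    return "$status"
}
```

A crontab entry then becomes e.g. `0 7 * * * /usr/local/sbin/scan-wrapper.sh chkrootkit /usr/sbin/chkrootkit -q` (path to the wrapper is an assumption), and a clean run sends no mail at all.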
Beware :
Rootkit Hunter and ChkRootKit may report false positives after packages or files on the system have been updated, or when a legitimate file behaves in a way that resembles a rootkit.
If this happens, first confirm that the flagged changes are genuine (for example, that they match a package update you performed). Only then update Rootkit Hunter's file properties database so that the current file states are accepted as the baseline :
sudo rkhunter --propupd
Remarks :
These tools cannot prove with 100% certainty that your system is free from rootkits.
That's all. See you!