linux poison RSS
linux poison Email

Rootkit detectors for Linux

chkrootkit is a tool to locally check for signs of a rootkit.

It tests the following applications: aliens, asp, bindshell, lkm, rexedcs, sniffer, w55808, wted, scalper, slapper, z2, chkutmp, amd, basename, biff, chfn, chsh, cron, crontab, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, init, killall, ldsopreload, login, ls, lsof, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, tcpdump, top, telnetd, timed, traceroute, vdir, w, and write.

* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.

Rootkit Hunter
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.

Specifically, rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.

rkhunter has been written to be as generic as possible, and so should run on most Linux and UNIX systems. It is provided with some support scripts should certain commands be missing from the system, and some of these are Perl scripts.

Features include:
* Compares MD5 hashes of important files with known good ones in online database
* Searches for:
o Default directories of rootkits
o Wrong permissions
o Hidden files
o Suspicious strings in kernel modules, and
o Special tests

OSSEC is an Open Source Host-based Intrusion Detection System.

It performs log analysis, integrity checking, monitoring, rootkit detection, real-time alerting and active response. In addition to being deployed as an HIDS, it is commonly used strictly as a log analysis tool, monitoring and analyzing firewalls, IDSs, web servers and authentication logs.

Features include:
* Unix-only:
o Unix PAM
o sshd (OpenSSH)
o Solaris telnetd
o Samba
o Su
o Sudo
* FTP servers:
o ProFTPd
o Pure-FTPd
o vsftpd
o Microsoft FTP Server
o Solaris ftpd
* Mail servers:
o Imapd and pop3d
o Postfix
o Sendmail
o vpopmail
o Microsoft Exchange Server
* Databases:
o PostgreSQL
* Web servers:
o Apache HTTP Server (access log and error log)
o IIS web server (NSCA and W3C extended)
o Zeus Web Server errors log
* Web applications:
o Horde IMP
o Modsecurity
* Firewalls:
o Iptables firewall
o Solaris IPFilter firewall
o AIX ipsec/firewall
o Netscreen firewall
o Windows Firewall
o Cisco PIX
o Cisco FWSM
o Cisco ASA
o Cisco IOS IDS/IPS module
o Snort IDS (snort full, snort fast and snort syslog)
* Security tools:
o Symantec AntiVirus
o Nmap
o Arpwatch
o Cisco VPN Concentrator
* Others:
o Named (BIND)
o Squid proxy
o Zeus eXtensible Traffic Manager
* Generic unix authentication (adduser, logins, etc)

Nixory is an innovative, new, fast and powerful Anti Spyware program,with an User-Friendly Graphical Interface. It protects Mozilla Firefox from dangerous spywares, and harmful cookies.

Features include:
* Mozilla Firefox fast and accurate anti-spyware scan
* Ice Eye heuristic system
* Update stats for number of scans, removed objects and more
* Customizable options
* Remove Tool for found data miner
* Enable to ignore selected data miner groups
* Enable to write a Scan Log with accurate details
* Multi-Language support (English, Italian, Dutch, Spanish, Spanish(AR), Catalan)
* Multi-profiles of Firefox support
* Flexible management of memory


Anonymous said...

dude that link to "" is broken ;)

DevOps said...


It's fixed now.

Post a Comment

Related Posts with Thumbnails