rkhunter
From S23Wiki
rootkit-hunter
On Debian:
apt-cache show rkhunter
Package: rkhunter
Priority: optional
Section: admin
Installed-Size: 476
Maintainer: Micah Anderson <micah@debian.org>
Architecture: all
Version: 1.2.8-3
Depends: wget, file, mailx, perl, debconf (>= 0.5) | debconf-2.0
Recommends: libmd5-perl
Filename: pool/main/r/rkhunter/rkhunter_1.2.8-3_all.deb
Size: 114020
MD5sum: 5d9a4a118a2e45ea09521500babc0794
Description: rootkit, backdoor, sniffer and exploit scanner
 Rootkit Hunter scans your system for known and unknown rootkits, backdoors,
 sniffers and exploits.
 .
 Some of the tests it does:
  - MD5 hash compare
  - Look for default files used by rootkits
  - Wrong file permissions for binaries
  - Look for suspected strings in LKM and KLD modules
  - Look for hidden files
  - Optional scan within plaintext and binary files
 .
 Please note that rkhunter does *not* guarantee your system has not been
 compromised! You should also run additional tests, e.g. using chkrootkit
 and other measures.
Valid parameters
--checkall (-c) : Check system
--createlogfile* : Create logfile
--cronjob : Run as cronjob (removes colored layout)
--display-logfile : Show logfile at end of the output
--help (-h) : Show this help
--nocolors* : Don't use colors for output
--report-mode* : Don't show uninteresting information for reports
--report-warnings-only* : Show only warnings (lesser output than --report-mode, more than --quiet)
--skip-application-check* : Don't run application version checks
--skip-keypress* : Don't wait after every test (non-interactive)
--quick* : Perform quick scan (instead of full scan)
--quiet* : Be quiet (only show warnings)
--update : Run update tool and check for database updates
--version : Show version and quit
--versioncheck : Check for latest version
--bindir <bindir>* : Use <bindir> instead of using default binaries
--configfile <file>* : Use different configuration file
--dbdir <dir>* : Use <dbdir> as database directory
--rootdir <rootdir>* : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>* : Use <tempdir> as temporary directory
Explicit scan options:
--allow-ssh-root-user* : Allow usage of SSH root user login
--disable-md5-check* : Disable MD5 checks
--disable-passwd-check* : Disable passwd/group checks
--scan-knownbad-files* : Perform besides 'known good' check a 'known bad' check
Multiple parameters are allowed
*) Parameter can only be used with other parameters
apt-get install rkhunter
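As an added example, not part of this wiki page or of rkhunter itself, here is a cron wrapper built from the flags in the parameter list above: it refreshes the database, runs a non-interactive scan, and exits non-zero only when something was flagged. The install path and the sample scan output it parses are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page or rkhunter itself): an unattended
# rkhunter run for cron. Install path and sample output below are assumed.

RKHUNTER_BIN="${RKHUNTER_BIN:-/usr/bin/rkhunter}"   # assumed install path

# From the parameter list: --cronjob drops colour codes so the output mails
# cleanly, --report-warnings-only keeps the mail short, --createlogfile and
# --skip-keypress make the run non-interactive.
SCAN_FLAGS="--checkall --cronjob --report-warnings-only --createlogfile --skip-keypress"

# Count the lines rkhunter flagged. Matches the word "Warning" as labelled in
# the constructed sample below; verify the label on your rkhunter version.
warning_count() {
    awk '/Warning/ { n++ } END { print n + 0 }'
}

# Print only the flagged lines (prints nothing, exit 0, when there are none).
warning_lines() {
    awk '/Warning/ { print }'
}

# Cron entry point: refresh the database, scan, and exit non-zero on any
# warning so cron mails the report. rkhunter's own exit status is not relied on.
run_cron_scan() {
    "$RKHUNTER_BIN" --update >/dev/null 2>&1 || echo "rkhunter --update failed" >&2
    out=$("$RKHUNTER_BIN" $SCAN_FLAGS 2>&1) || true   # unquoted: split into flags
    n=$(printf '%s\n' "$out" | warning_count)
    if [ "$n" -gt 0 ]; then
        echo "rkhunter: $n warning(s) on $(uname -n)"
        printf '%s\n' "$out" | warning_lines
        return 1
    fi
    echo "rkhunter: no warnings on $(uname -n)"
}

# Constructed sample output (not captured from rkhunter) so the parsing can be
# exercised on a host without rkhunter installed.
SAMPLE_OUTPUT='Checking /bin/ls                              [ OK ]
Checking /bin/ps                              [ Warning ]
Checking for suspicious files in /dev         [ Warning ]
Scanning for hidden files                     [ OK ]'

if [ -x "$RKHUNTER_BIN" ]; then
    run_cron_scan
else
    echo "rkhunter not found; parsing the constructed sample instead" >&2
    printf '%s\n' "$SAMPLE_OUTPUT" | warning_lines
fi
```

Install it as a root cron entry with MAILTO set; because the script returns 1 only when warnings appear, cron's mail carries just the flagged lines.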

