How to detect a rootkit presence.

Daniel B. Cid <daniel@underlinux.com.br>
http://www.ossec.net/rootcheck/


The purpose of this article is to explain some important steps to
detect the presence of rootkits on a Unix system and to show
how the rootcheck implement them.


1- Check the binaries for signatures of known trojans.
2- Scan the file system looking for the presence of known rootkits.
3- Scan the /dev directory looking for anomalies.
4- Check all process and see if anything is being hidden.
5- Scan all open ports for hidden remote access.
6- Scan the interfaces looking for anomalies.
7- Verify the integrity of the log files.
8- Scan the whole file system looking for anomalies.