There is no way to be certain whether a machine has been rooted without booting from clean media: a check run on a compromised system uses that system's own kernel and binaries, and a good rootkit lies to both. But these tools help, a lot.
From the www.chkrootkit.org website:

chkrootkit is a tool to locally check for signs of a rootkit. It contains:
Read the man page, or simply:

    root> chkrootkit -h
    Usage: /usr/sbin/chkrootkit [options] [test ...]
    Options:
            -h                show this help and exit
            -V                show version information and exit
            -l                show available tests and exit
            -d                debug
            -q                quiet mode
            -x                expert mode
            -r dir            use dir as the root directory
            -p dir1:dir2:dirN path for the external commands used by chkrootkit
            -n                skip NFS mounted dirs

Quiet mode (-q) is good for a daily cron job: it prints nothing unless a test finds something. Two options matter once a machine is actually suspect. chkrootkit calls external commands (ps, netstat, ls and the like), and a rootkit that has trojaned those will hide from it, so use -p to point it at known-good copies carried on clean media. And when you have booted from clean media and mounted the suspect disk elsewhere, -r dir runs the checks against that mounted tree instead of the running system.
From the www.rkhunter.org (also rootkit.nl) website:

Rootkit Hunter
There are many usage options; here are some:

    rkhunter <parameters>
    --checkall (or -c)    Check the system, performs all tests.
    --createlogfile*      Create a logfile (default /var/log/rkhunter.log)
    --cronjob             Run as cronjob (removes colored layout)
    --help (or -h)        Show help about usage
    --nocolors*           Don't use colors for output (some terminals don't like
                          colors or extended layout characters)
    --report-mode*        Don't show uninteresting information for reports, like
                          header/footer. Interesting when scanning from crontab
                          or with usage of other applications.
    --skip-keypress*      Don't wait after every test (makes it non-interactive)
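Both tools are meant to be run unattended once a day, so here is the cron wrapper a practitioner would write around them. It is an added example, not a script shipped with chkrootkit or rkhunter, and it assumes things the page does not state: that both tools are on PATH, a CLEAN_BIN directory of known-good static binaries on mounted clean media for chkrootkit -p, and a LOGFILE path; the sample scanner output in the comments is constructed. The functions build the command lines exactly as the option lists above describe (-q for chkrootkit; --cronjob --report-mode --skip-keypress for rkhunter) and keep only lines that signal a hit, so an empty log means a clean run and a non-zero exit means something was flagged.

```sh
#!/bin/sh
# Daily rootkit check wrapper: an added example, not code shipped with
# chkrootkit or rkhunter. Assumptions (not from the page): the CLEAN_BIN
# and LOGFILE paths, and that both tools are installed on PATH.
CLEAN_BIN=${CLEAN_BIN:-/mnt/cdrom/bin}       # assumed: static ps, netstat, ls ... from clean media
LOGFILE=${LOGFILE:-/var/log/rootkit-daily.log}  # assumed log location
PROBLEM_RE='INFECTED|Warning'                # how a hit looks in either tool's output

# chkrootkit runs external binaries such as ps and netstat; a rootkit that
# trojans them can hide from it. -p points chkrootkit at CLEAN_BIN instead,
# when that directory is mounted; -q prints only findings, which suits cron.
chkrootkit_cmd() {
    if [ -d "$CLEAN_BIN" ]; then
        echo "chkrootkit -q -p $CLEAN_BIN"
    else
        echo "chkrootkit -q"
    fi
}

# rkhunter for unattended use: --cronjob drops the coloured layout,
# --skip-keypress removes the pause after each test, --report-mode drops
# the header/footer noise so only interesting lines remain.
rkhunter_cmd() {
    echo "rkhunter --checkall --cronjob --report-mode --skip-keypress"
}

# Count the lines in $1 that signal a problem. Prints the count and always
# exits 0 (grep -c exits 1 when the count is zero, which would trip set -e).
count_findings() {
    printf '%s\n' "$1" | grep -cE "$PROBLEM_RE" || true
}

# Print only the lines in $1 that signal a problem, for the log body.
# Constructed chkrootkit output such as "Checking `ps'... INFECTED" or
# "Warning: Possible LKM Trojan installed" passes; "not infected" does not.
extract_findings() {
    printf '%s\n' "$1" | grep -E "$PROBLEM_RE" || true
}

# Run one tool (command line in $1, label in $2). Returns 0 when the tool
# reported a problem, 1 when it was clean, 2 when it is not installed.
run_tool() {
    cmd=$1; label=$2
    tool=${cmd%% *}
    command -v "$tool" >/dev/null 2>&1 || { echo "$label: $tool not found" >&2; return 2; }
    out=$($cmd 2>&1)
    if [ "$(count_findings "$out")" -gt 0 ]; then
        { echo "== $label $(date) =="; extract_findings "$out"; } >> "$LOGFILE"
        return 0
    fi
    return 1
}

main() {
    rc=0
    run_tool "$(chkrootkit_cmd)" chkrootkit && rc=1
    run_tool "$(rkhunter_cmd)" rkhunter && rc=1
    exit $rc   # non-zero tells cron (or whatever mails the output) that something was flagged
}

# Only scan when invoked as "rootkit-daily.sh run", so the functions can be
# sourced and checked without actually running the tools.
case "${1:-}" in run) main ;; esac
```

Install it as a daily cron entry that runs `rootkit-daily.sh run` as root; cron mails any output, and the log keeps the flagged lines. Remember the point made at the top of the page: a clean run from a possibly compromised system is evidence, not proof, which is why the wrapper prefers binaries from CLEAN_BIN when they are present.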