-3

Are there any good services or ways to scan for rootkits and backdoors?

I know there are rkhunter and chkrootkit, but are they even ideal anymore? They never seem updated and look more like they were good in the early 2000s.

Tiffany Walker
  • Might be worth popping over to SuperUser as opposed to ServerFault. – Jun 13 '12 at 20:47
  • The rkhunter data (signatures) file was last updated this morning. The rkhunter engine was last updated in April. I wouldn't call that out of date... – Zoredache Jun 13 '12 at 21:11

2 Answers

0

http://www.tenable.com/products/nessus

Nessus is free for personal use, I think. This is up to date.

johnshen64
  • That's more of an external vulnerability scanner. Most rootkits periodically check for updates from Command and Control instead of opening a listening port now. – Hyppy Jun 13 '12 at 20:47
  • What you said is true, though Nessus does find things that rootkits tend to modify and indirectly can discover problems related to rk attacks. – johnshen64 Jun 13 '12 at 20:56
0

I don't know how often OSSEC updates their rootkit detection, but I know it has the capability built in. Below is the link that shows the various checks that are performed - http://www.ossec.net/doc/manual/rootcheck/index.html. Overall I love the product due to it being able to do rootkit checking, integrity checking, and still being a HIDS/HIPS. You can also easily create your own rules to alert on basically anything.

Edit: As far as backdoors go, you can use the process monitoring feature - http://www.ossec.net/doc/manual/monitoring/process-monitoring.html. There is an example on the page that will alert you if the output of a netstat command changes. So if your server is fairly consistent on what ports should be open, this could definitely be a red flag.

Eric
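The "alert when the netstat output changes" check from the answer above, written out as an added POSIX shell example. This is not OSSEC's own code; it only reproduces the baseline-and-diff idea, and the two netstat snapshots inside `demo` are constructed.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: the "alert when the set of listening
# sockets changes" idea from the answer above, as a POSIX shell baseline check.
export LC_ALL=C

# Reduce `netstat -tan`-style output to one sorted "proto local-address" line
# per listening socket, so two snapshots can be compared line by line.
normalize_listeners() {
    awk '$6 == "LISTEN" { print $1, $4 }' | sort -u
}

# Compare a baseline snapshot with a current one (both normalized files).
# Prints new listeners prefixed "+ " and vanished ones prefixed "- ".
# Returns 0 when they match and 1 when they differ, the alert condition.
diff_listeners() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    printf '%s\n' "$added"   | sed -e '/^$/d' -e 's/^/+ /'
    printf '%s\n' "$removed" | sed -e '/^$/d' -e 's/^/- /'
    return 1
}

# Offline demonstration on two constructed netstat snapshots: the "current"
# one has lost the local SMTP listener and gained an unexpected port 8888.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/baseline" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
EOF
    cat > "$dir/current" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
EOF
    normalize_listeners < "$dir/baseline" > "$dir/baseline.norm"
    normalize_listeners < "$dir/current"  > "$dir/current.norm"
    diff_listeners "$dir/baseline.norm" "$dir/current.norm"
    rc=$?
    rm -rf "$dir"
    return $rc
}
# On a live host: `netstat -tan | normalize_listeners > baseline.norm` once,
# then on each run compare a fresh snapshot and log when diff_listeners fails.
```

Running `demo` prints `+ tcp 0.0.0.0:8888` and `- tcp 127.0.0.1:25` and exits non-zero, which is the condition a cron job or HIDS rule would turn into an alert.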