Root Kit Detection
Comparing with installed RPM based packages
This is generally only relevant to Red Hat based distributions which use the RPM packaging system.
Boot off a clean disk image and mount the partitions you want to check.
# Verify every installed package against the RPM database (attributes only; --nomd5 skips the file digest check)
$ for foo in $(rpm -q -a) ; do rpm -V --nomd5 $foo ; done
# List files on disk that no installed package owns
$ find / -type f \! -exec rpm --quiet -q -f {} \; -print
As written, these commands check the running system. To check the mounted image instead, pass --root <mountpoint> to rpm so it reads that system's package database, and use --redhatprovides so file ownership is resolved against the Red Hat package database. You will also want to drop --nomd5: it skips the file digest comparison, so a replaced binary that keeps its original size, mode and timestamp would not be reported.
You also need to replace the initrd images in /boot to be absolutely certain everything is clean. See mkinitrd(8).
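The rpm -V loop above reports every changed file, including config files that are expected to differ, so the output is noisy on a real system. The following triage function is an added example, not part of the original page: it reads rpm -V output on stdin and prints only non-config files whose content digest, size or mode changed, plus files that are missing. The sample verification lines are constructed for illustration, not taken from any real host. With --nomd5 the digest column is never set, which is why that option should be removed before relying on this filter.

```shell
#!/bin/sh
# Added example: triage rpm -V output (not from the original page).
#
# rpm -V prints one line per file that differs from the package database:
# a 9-character attribute string (S size, M mode, 5 digest, D device,
# L readlink, U user, G group, T mtime, P capabilities; '.' = unchanged,
# '?' = could not be checked), an optional type flag (c = config, d = doc,
# g = ghost, ...), then the path. Deleted files appear as "missing <path>".
# Unchanged files print nothing.

triage_rpm_verify() {
    awk '
        # "missing    /path": the packaged file has been deleted from disk
        $1 == "missing" { print "MISSING " $NF; next }
        {
            attrs = $1
            # the type flag is present only when the second field is one letter
            ftype = (NF >= 3 && length($2) == 1) ? $2 : ""
            path  = $NF
            # config files legitimately change; ignore them
            if (ftype == "c") next
            # anything else with a changed digest, size or mode is suspicious
            if (index(attrs, "5") || index(attrs, "S") || index(attrs, "M"))
                print "MODIFIED " attrs " " path
        }
    '
}

# Constructed sample lines (not real rpm -V output from any system):
# a rewritten binary, a touched-but-intact file, an edited config file,
# a deleted tool, and a library whose digest changed.
SAMPLE='S.5....T.    /bin/ls
.......T.    /usr/bin/foo
S.5....T.  c /etc/passwd
missing     /sbin/ifconfig
..5......    /lib/libproc.so'

# Usage on a real run:  rpm -Va | triage_rpm_verify
printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

The config-file filter is deliberately coarse: a rootkit can ship its own changes to files marked as config, so review the "c" lines separately rather than discarding them for good.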
Packages installed since date
- rpm -q -a --queryformat "%{INSTALLTIME:date} %{NAME}\n"
Links
- http://sourceforge.net/projects/tripwire/
- http://www.cert.org/tech_tips/root_compromise.html
- http://www.rootkit.nl/
- http://www.chkrootkit.org/
-- Frank Dean - 13 Dec 2004