chkrootkit must run as root. The simplest way is:

# ./chkrootkit

This will perform all tests. You can also specify only the tests you want, as shown below:

Usage: ./chkrootkit [options] [testname ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs

Where testname stands for one or more from the following list:

        aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
        z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
        echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
        inetdconf identd init killall ldsopreload login ls lsof mail mingetty
        netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
        slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
        traceroute vdir w write

For example, the following command checks for trojaned ps and ls binaries and also checks if the network interface is in promiscuous mode.

# ./chkrootkit ps ls sniffer

The `-q' option can be used to put chkrootkit in quiet mode -- in this mode only output messages with `infected' status are shown. With the `-x' option the user can examine suspicious strings in the binary programs that may indicate a trojan -- all the analysis is left to the user. Lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname. It is possible, with the `-p' option, to supply an alternate path to chkrootkit so it won't use the system's (possibly) compromised binaries to make its tests. To use, for example, binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths by separating them with a `:':

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes it is a good idea to mount the disk from a compromised machine on a machine you trust. Just mount the disk and specify a new root directory with the `-r' option. For example, if the disk you want to check is mounted under /mnt, then:

# ./chkrootkit -r /mnt
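As an added example (not part of chkrootkit's own documentation), the following wrapper combines the options above: trusted tools via `-p', a mounted suspect disk via `-r', quiet mode via `-q', and a small triage step that pulls the `INFECTED' findings out of the output. The paths /cdrom/bin and /mnt are assumed, and the sample output lines are constructed in the style of chkrootkit's "Checking `name'... status" reports.

```shell
#!/bin/sh
# Added example: wrapper and triage helpers for chkrootkit (not from the
# chkrootkit project). Assumes ./chkrootkit is in the current directory,
# trusted binaries are under /cdrom/bin and the suspect disk is on /mnt.

TRUSTED_BIN=/cdrom/bin   # -p: commands chkrootkit itself calls (awk, ls, ...)
SUSPECT_ROOT=/mnt        # -r: mounted disk of the machine under investigation
LOG=/tmp/chkrootkit.log  # where the raw report is kept for later review

# Run chkrootkit quietly, with trusted tools, against the mounted root,
# skipping NFS mounts. Any test names given are passed through unchanged.
run_scan() {
    ./chkrootkit -q -n -p "$TRUSTED_BIN" -r "$SUSPECT_ROOT" "$@"
}

# Count lines reporting INFECTED status on stdin (quiet mode shows only
# these, but counting works on a full report as well).
count_infected() {
    awk '/INFECTED/ { n++ } END { print n + 0 }'
}

# Print the name of each test that reported INFECTED, one per line.
# Lines look like: Checking `ls'... INFECTED  -> field 2 is the name.
infected_tests() {
    awk -F "[\`']" '/INFECTED/ { print $2 }'
}

# Constructed sample report used to exercise the helpers offline.
sample_output() {
    cat <<'EOF'
Checking `ls'... INFECTED
Checking `ps'... not infected
Checking `netstat'... INFECTED
Checking `sniffer'... not tested
EOF
}

# Only scan for real when running as root with chkrootkit present;
# otherwise the helpers can still be exercised on sample_output.
if [ "$(id -u)" -eq 0 ] && [ -x ./chkrootkit ]; then
    run_scan "$@" > "$LOG"
    echo "infected findings: $(count_infected < "$LOG")"
    infected_tests < "$LOG"
fi
```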

Official Website: http://www.chkrootkit.org/
