Rootcheck is an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It tries to find known backdoors, kernel-level rootkits, malware and insecure configuration settings.
It is included as part of OSSEC, but can also be executed separately from here as needed. If you suspect your server has been compromised it will certainly help with your investigation.
Rootcheck takes only a few seconds to install and get running:
1- Download Rootcheck:
# wget https://dcid.me/ossec-packages/rootcheck-latest.tar.gz
2- Install gcc and make. A simple “apt-get install gcc make” on Ubuntu or “yum install gcc make” on CentOS/RedHat will do it for you.
3- Run “install.sh”. It will get rootcheck ready to run.
# tar -zxvf rootcheck-latest.tar.gz
# cd *rootcheck*
# sh ./install.sh
4- Once completed, just run rootcheck:
Enjoy. Rootcheck takes a few minutes to run and prints its results on the screen as it goes.
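As an added example, here is a POSIX sh wrapper for the four install steps above. It is not code from this post or from the Rootcheck project. It picks the package manager (apt-get or yum, as the text names them), refuses to unpack the tarball unless its SHA-256 digest matches the one you expect, and only then runs install.sh. The digest value is a placeholder you must replace with the one published for the release you download; the `ROOTCHECK_SHA256` and `ROOTCHECK_WRAPPER_RUN` variables and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or of Rootcheck itself):
# a small POSIX sh wrapper around the install steps described above.
# ROOTCHECK_SHA256 is a placeholder: substitute the digest published for
# the release you download before running this on a real host.

ROOTCHECK_URL="https://dcid.me/ossec-packages/rootcheck-latest.tar.gz"
ROOTCHECK_SHA256="${ROOTCHECK_SHA256:-PLACEHOLDER_EXPECTED_SHA256}"

# Return the command that installs gcc and make for the given package
# manager (apt-get on Ubuntu, yum on CentOS/RedHat); fail on anything else.
pkg_install_cmd() {
    case "$1" in
        apt-get) echo "apt-get install -y gcc make" ;;
        yum)     echo "yum install -y gcc make" ;;
        *)       echo "unsupported package manager: $1" >&2; return 1 ;;
    esac
}

# Detect which of the two package managers is available on PATH.
detect_pkg_manager() {
    if command -v apt-get >/dev/null 2>&1; then echo apt-get
    elif command -v yum >/dev/null 2>&1; then echo yum
    else return 1
    fi
}

# Compare a file's SHA-256 digest with the expected value; 0 on match.
verify_sha256() {
    file="$1"; expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Steps 1-3: download, install build tools, verify, unpack, run install.sh.
install_rootcheck() {
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1
    wget -q "$ROOTCHECK_URL" || return 1
    pm=$(detect_pkg_manager) || return 1
    sh -c "$(pkg_install_cmd "$pm")" || return 1
    if ! verify_sha256 rootcheck-latest.tar.gz "$ROOTCHECK_SHA256"; then
        echo "tarball digest mismatch; refusing to run install.sh" >&2
        return 1
    fi
    tar -zxf rootcheck-latest.tar.gz || return 1
    cd ./*rootcheck*/ || return 1
    sh ./install.sh
}

# Run the whole procedure only when explicitly asked, so the file can be
# sourced to reuse the helper functions without side effects.
if [ "${ROOTCHECK_WRAPPER_RUN:-0}" = "1" ]; then
    install_rootcheck
fi
```

Run it as root with `ROOTCHECK_SHA256=<digest> ROOTCHECK_WRAPPER_RUN=1 sh wrapper.sh`; if the digest does not match, nothing is unpacked and install.sh never runs.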
I am keeping both the Bitbucket and GitHub repositories of my fork in sync, so you can submit PRs and issues to either one of them:
I personally use Bitbucket more, but either works.