Rootcheck

Rootcheck is an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It tries to find known backdoors, kernel-level rootkits, malware and insecure configuration settings.

It is included as part of OSSEC, but can also be executed separately from here as needed. If you suspect your server has been compromised it will certainly help with your investigation.

Installation

Rootcheck takes a few seconds to install and get it running:

1- Download Rootcheck:

# wget https://dcid.me/ossec-packages/rootcheck-latest.tar.gz

2- Install gcc and make. A simple “apt-get install gcc make” on Ubuntu or “yum install gcc make” on CentOS/RedHat will do it for you.

3- Run “install.sh”. It will get rootcheck ready to run.

# tar -zxvf rootcheck-latest.tar.gz
# cd *rootcheck*
# sh ./install.sh

4- Once completed, just run rootcheck:

# ./rootcheck

Enjoy. Rootcheck will take a few minutes to run and it will print the results in the screen as it goes.

Contributing and patches

I am keeping both the bitbucket and github repositories of my fork in sync. So you can submit PR’s and issues to either one of them:

https://bitbucket.org/dcid/rootcheck

https://github.com/dcid/rootcheck

I personally use more bitbucket, but either works.

OSSEC

If you need continuous monitoring and to integrate rootcheck as part of your security process, I recommend using OSSEC instead:

http://dcid.me/ossec

Rootcheck should only be used on demand and to investigate compromised servers.

Quick Links

Social

External Projects