Rootcheck

Rootcheck is an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It tries to find known backdoors, kernel-level rootkits, malware and insecure configuration settings.

It is included as part of OSSEC, but can also be executed separately from here as needed. If you suspect your server has been compromised it will certainly help with your investigation.

Installation

Rootcheck takes a few seconds to install and get it running:

1- Download Rootcheck:

# wget https://dcid.me/ossec-packages/rootcheck-latest.tar.gz

2- Install gcc and make. A simple “apt-get install gcc make” on Ubuntu or “yum install gcc make” on CentOS/RedHat will do it for you.

3- Run “install.sh”. It will get rootcheck ready to run.

# tar -zxvf rootcheck-latest.tar.gz # cd *rootcheck* # sh ./install.sh

4- Once completed, just run rootcheck:

# ./rootcheck

Enjoy. Rootcheck will take a few minutes to run and it will print the results in the screen as it goes.

Current Versions

Current Versions of OSSEC available:
Latest: https://dcid.me/ossec-packages/rootcheck-latest.tar.gz
2016/Apr: https://dcid.me/ossec-packages/rootcheck-2016-04.tar.gz
2016/Feb: https://dcid.me/ossec-packages/rootcheck-2016-02.tar.gz

If you would like to contribute or send patches, please do so via my github repository:

https://github.com/dcid/rootcheck

Posted in rootcheck by Daniel Cid (dcid)

Daniel Cid Research

In this section you will find some of my research, project and articles. Look around and if you have any questions, reach out.

My companies

If you want to check out my current companies:

* CleanBrowsing
* Trunc
* NOC.org

And my other projects.

Latest articles

Latest articles from my blog.

2021-12-16
log4j honeypot logs - jndi exploit

2021-11-14
DNS Database repository available

2021-10-11
CleanBrowsing Anycast Network is Growing

2021-06-11
1st degree BJJ blackbelt

2020-09-02
Decentralize the web - again

2020-06-11
Mastodon Instance - noc.social

2019-03-20
OSSEC conference - 2019 - The untold story of OSSEC

2017-01-19
WordPress Performance Optimization Guide

2016-04-07
OSSEC v2016-04: Improving detection

2016-02-03
OSSEC v2016-02: New rules options + GeoIP by default

2015-12-30
OSSEC v2015-12: GeoIP + Integratord

2015-02-02
Sudo: The most misused security tool ever

2014-10-26
The S in HTTPS does not equal to a secure site

2014-10-09
Indicators of Compromised Behavior (IOCd-B)

2013-06-20
Always assume the worst

2013-05-12
How to get start contributing to an open source project

2013-04-19
Using your phone SMS as 2FA

2013-03-16
Sucuri WAF - Not your traditional WAF

2012-05-09
OSSEC rule for the PHP-CGI vulnerability

2012-05-08
Database Logging (PostgreSQL and MySQL)

2012-04-21
Setting up OSSEC - Step by step guide

2011-10-25
3WoO: Alerting on DNS (IP Address) changes

2011-09-21
Detecting outdated (web) applications with OSSEC

2011-05-26
Improved reporting for file changes on OSSEC

2011-04-05
Running multiple OSSEC decoders on the same event

2011-02-11
Blocking repeated offenders with OSSEC

2011-02-01
What is a good password?

2011-01-19
Automatically creating and setting up the agent keys for OSSEC

2010-10-20
OSSEC Award daemon

2010-10-19
How to contribute to OSSEC

2010-09-27
OSSEC v2.5 released

2010-04-01
OSSEC v2.4 released

2010-03-11
OSSEC Alerting when a log or output of a command changes

2010-02-09
New member of the OSSEC team: Priscila Cid

2009-12-07
OSSEC v2.3 released

2009-11-05
Process monitoring with OSSEC

2009-08-21
Q&A: OSSEC interview with Daniel Cid

2009-06-12
Compiling the Windows Agent from a Linux system

2009-02-27
OSSEC v2.0 released

2009-01-02
OSSEC book as Best Book Bejtlich Read in 2008

2008-07-25
Sending OSSEC alerts via syslog

2008-06-17
Third Brigade acquires OSSEC

2008-05-01
OSSEC v1.5 released

2008-01-24
Ugliest application logs ever

2008-01-23
OSSEC book is out

2007-12-18
Syslog - Last message repeated X times (rant)

2007-09-05
OSSEC at the 'Own the Box' competition

2007-08-20
Bruce Schneier on log analysis

2007-07-12
OSSEC switching to GPLv3

2007-06-29
Hidden ports on Linux

2007-06-06
Remote log injection paper

2007-06-02
OSSEC Presentations at AusCERT/Confidence

2007-05-01
Daily/Chained checksum of OSSEC alerts

2007-04-10
OSSEC performance testing (v2)

2007-03-18
New member of the OSSEC team: Davi Cid

2007-01-10
Security monitoring with your Logs

2007-01-09
2006 OSSEC download numbers

2006-11-13
Logging authentication events from Cisco IOS

2006-05-02
Log analysis for intrusion detection

2006-03-20
Analysis of SSH brute force attacks

Contact us!

Do you have an idea for an article that is not here? See something wrong? Contact us at realpeople@noc.org

Tired of price gouging

Clear pricing. No need to guess. Real people. Real logging.