3.2. chkrootkit

To see if your frontend has been infected by a rootkit, simply run:

# /opt/chkrootkit/bin/chkrootkit

This will return output similar to:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected

Make sure none of the tests report INFECTED.

For more information, login to the frontend and read /opt/chkrootkit/README.