- chkrootkit: a shell script that checks system binaries for
- ifpromisc.c: checks if the network interface is in promiscuous
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.
Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations — so it is also not guaranteed it will succeed in all cases.
chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of an LKM trojan. You can also run this command with the -v option (verbose).
chkrootkit in action (remember you have to be root in order to run chkrootkit):