Rootkit scanning

Are there any good services or ways to scan for rootkits and backdoors?

I know there are rkhunter and chkrootkit, but are they even ideal anymore? They never seem to be updated and look more like they were good in the early 2000s.

Answer

I don’t know how often OSSEC updates their rootkit detection, but I know it has the capability built in. Below is the link that shows the various checks that are performed – http://www.ossec.net/doc/manual/rootcheck/index.html. Overall I love the product due to it being able to do rootkit checking, integrity checking, and still being a HIDS/HIPS. You can also easily create your own rules to alert on basically anything.

Edit: As far as backdoors go, you can use the process monitoring feature – http://www.ossec.net/doc/manual/monitoring/process-monitoring.html. There is an example on the page that will alert you if the output of a netstat command changes. So if your server is fairly consistent on what ports should be open, this could definitely be a red flag.
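The baseline-and-diff idea the answer describes (alert when the set of listening ports changes) can be reproduced outside OSSEC with a few lines of POSIX shell. The script below is an added example, not code from the original answer or from the OSSEC project: it reduces netstat-style output to stable "protocol port" pairs so that PIDs and queue counters do not cause false alerts, compares the result with a saved baseline, and returns non-zero when anything changed. The netstat lines and the baseline path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): snapshot the
# listening sockets and alert when they differ from a saved baseline.

# Reduce netstat-style lines to "proto port", sorted and de-duplicated.
# Only TCP sockets in LISTEN state and all UDP sockets are kept, so that
# established connections, PIDs and Recv-Q/Send-Q counters never cause noise.
normalize_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && ($6 == "LISTEN" || $1 ~ /^udp/) {
        n = split($4, a, ":");      # local address is "addr:port"; port is last
        print $1 " " a[n]
    }' | sort -u
}

# Compare a normalized "current" file with the baseline file.
# First run: the baseline is created and 0 is returned.
# Later runs: 0 when identical, 1 (with a unified diff printed) when changed.
check_listeners() {
    baseline="$1"; current="$2"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        echo "baseline created: $baseline"
        return 0
    fi
    if diff -u "$baseline" "$current" > "$current.diff"; then
        rm -f "$current.diff"
        return 0
    fi
    echo "ALERT: listening sockets changed since baseline"
    cat "$current.diff"
    rm -f "$current.diff"
    return 1
}

# Live mode: feed real netstat output through the same functions.
# Baseline path is an assumption; pick one that ordinary users cannot write to.
live_check() {
    tmp=$(mktemp)
    netstat -tuln 2>/dev/null | normalize_listeners > "$tmp"
    check_listeners "${1:-/var/lib/listeners.baseline}" "$tmp"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample netstat output (not captured from a real host).
SAMPLE_BASELINE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
udp        0      0 0.0.0.0:123             0.0.0.0:*                           455/ntpd'

# Same host later, with one unexpected new listener appended (constructed).
SAMPLE_NOW="$SAMPLE_BASELINE
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      3127/unknown"

# Normalize two raw samples into temp files and run the comparison.
compare_samples() {
    tmp=$(mktemp -d)
    printf '%s\n' "$1" | normalize_listeners > "$tmp/baseline"
    printf '%s\n' "$2" | normalize_listeners > "$tmp/current"
    check_listeners "$tmp/baseline" "$tmp/current"
    rc=$?; rm -rf "$tmp"; return $rc
}

# Stand-alone demo: the first comparison is silent, the second raises an alert.
compare_samples "$SAMPLE_BASELINE" "$SAMPLE_BASELINE" && echo "no change: ok"
compare_samples "$SAMPLE_BASELINE" "$SAMPLE_NOW" || echo "exit status 1: alert raised"
```

For real use, run `live_check` from cron or a systemd timer; the first run writes the baseline, every later run prints a unified diff of added or removed listeners and exits non-zero, which is what the OSSEC process-monitoring rule does via its agent. Keep the baseline on a path the service accounts cannot modify, and re-create it deliberately after a planned change rather than letting the check overwrite it.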

Attribution
Source: Link, Question Author: Tiffany Walker, Answer Author: Eric
