Added forensics section

2025-10-29 16:59:26 +00:00 · 2014-04-23 10:38:32 -05:00
parent b3e2f78615
commit 788305a83e
78 changed files with 3731 additions and 0 deletions
--- a/tools/chkrootkit.md
+++ b/tools/chkrootkit.md
@@ -0,0 +1,41 @@
+# chkrootkit
+
+Notes
+-------
+```
+chkrootkit is a tool to locally check for signs of a rootkit. It contains:
+ * chkrootkit: a shell script that checks system binaries for rootkit modification.
+ * ifpromisc.c: checks if the network interface is in promiscuous mode.
+ * chklastlog.c: checks for lastlog deletions.
+ * chkwtmp.c: checks for wtmp deletions.
+ * check_wtmpx.c: checks for wtmpx deletions.  (Solaris only)
+ * chkproc.c: checks for signs of LKM trojans.
+ * chkdirs.c: checks for signs of LKM trojans.
+ * strings.c: quick and dirty strings replacement.
+ * chkutmp.c: checks for utmp deletions.
+```
+
+Help Text
+-------
+```
+Usage: /usr/sbin/chkrootkit [options] [test ...]
+Options:
+        -h                show this help and exit
+        -V                show version information and exit
+        -l                show available tests and exit
+        -d                debug
+        -q                quiet mode
+        -x                expert mode
+        -e                exclude known false positive files/dirs, quoted,
+                          space separated, READ WARNING IN README
+        -r dir            use dir as the root directory
+        -p dir1:dir2:dirN path for the external commands used by chkrootkit
+        -n                skip NFS mounted dirs
+```
+
+Example Usage
+-------
+
+Links
+-------
+Homepage: http://www.chkrootkit.org/