
Thread: how to check for a root kit

  1. #11
    str34m3r
    Guest
    As part of my job, I've done a fair amount of work on detecting rootkits, though I've mainly been working with detecting the kernel module rootkits. But as far as normal rootkits go, everyone has had lots of good things to say about chkrootkit, so that's probably your best bet. I hope you're good with C, because some (most?) of these programs take some tweaking to get them to work right with more modern kernels. Good luck.

  2. #12
    Junior Member
    Join Date
    Jun 2002
    Posts
    5
Thanks for your answer, str34m3r.

  3. #13
    How do you expect us to figure out if there is a rootkit installed?

    Paste some of the strange log entries you've been having or strange activities. There are many rootkits with many differences.

  4. #14
    Junior Member
    Join Date
    Jun 2002
    Posts
    5
Who said anything about you figuring out if a rootkit is installed? I asked what the best utility for seeing if one is installed is and where to find it. I found many sites with programs to find them. I wanted opinions as to what is the best and a secure place to find it. I am a long way off from being any kind of a security expert, but downloading programs and scripts from a Geocities website and running them as root on my servers does not seem like a smart idea.

  5. #15
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
If you are having to detect a rootkit after the fact, without tripwire installed, you have pretty much already lost. The entire idea of a rootkit is to blend seamlessly into the underlying OS and to hide itself from detection. Since you don't have tripwire installed, I would recommend building a new copy of what you have, trying to match it as closely as possible, and then comparing the differences in file sizes, dates of creation, processes running, etc.

There are some helpful tools at: http://www.incident-response.org/unix.html

    But be mindful, just because you have run tools and they didn't find anything does not mean that you have not had a rootkit installed. It is still possible one is installed, it is just very good at hiding itself (through kernel mods, etc).

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
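One way to carry out the rebuild-and-compare that nebulus200 describes, as an added example that is not part of the original thread: walk a known-good tree (the freshly built copy) and the suspect tree, record size, mtime and SHA-256 for every regular file, and list what was added, removed or changed. The function names and the two sample trees are constructed for illustration; the "trojaned ps" in the sample is a same-length file with the original timestamp put back, to show why the hash, not size or date, has to be the deciding field. Consistent with the caveat in the post, run this against the suspect disk mounted from a clean boot medium rather than on the live system, since a kernel-level rootkit can lie to the very stat and read calls the script makes.

```python
"""Rebuild-and-compare integrity check (added example, not from the thread).

Builds a manifest (size, mtime, SHA-256) of every regular file under a
known-good tree and a suspect tree, then reports the differences.
Helper names and sample data are constructed for this illustration."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    size: int
    mtime: int
    sha256: str


def manifest(root):
    """Map relative path -> Entry for each regular file under root.
    lstat is used so a symlink is recorded as a link and never followed
    into another tree; dot-directories are walked like any other."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = Entry(st.st_size, int(st.st_mtime), h.hexdigest())
    return result


def compare(good, suspect):
    """Return (status, path, detail) tuples sorted by path.
    The hash decides CHANGED; size and mtime are reported so a replaced
    binary whose length and timestamp were restored still stands out."""
    findings = []
    for path in sorted(set(good) | set(suspect)):
        g, s = good.get(path), suspect.get(path)
        if g is None:
            findings.append(("ADDED", path, f"size={s.size} mtime={s.mtime}"))
        elif s is None:
            findings.append(("REMOVED", path, f"size={g.size}"))
        elif g.sha256 != s.sha256:
            mt = "preserved" if g.mtime == s.mtime else f"{g.mtime}->{s.mtime}"
            findings.append(("CHANGED", path, f"size {g.size}->{s.size}; mtime {mt}"))
    return findings


def build_demo_trees(base):
    """Constructed sample data: a clean rebuild and a suspect copy.
    The suspect has bin/ps replaced by a same-length file with the
    original mtime copied back, plus one extra hidden file."""
    good, bad = os.path.join(base, "clean"), os.path.join(base, "suspect")
    files = {
        "bin/ls": b"ls-binary-v1\n",
        "bin/ps": b"ps-binary-v1\n",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    }
    stamp = 1_025_000_000  # fixed timestamp (mid-2002) so runs are repeatable
    for root in (good, bad):
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(data)
            os.utime(p, (stamp, stamp))
    p = os.path.join(bad, "bin/ps")
    with open(p, "wb") as fh:
        fh.write(b"ps-trojan-v1\n")  # same 13 bytes as the original
    os.utime(p, (stamp, stamp))  # timestamp put back, as an attacker would
    hidden = os.path.join(bad, "lib/.hidden/loader")  # made-up dropped file
    os.makedirs(os.path.dirname(hidden), exist_ok=True)
    with open(hidden, "wb") as fh:
        fh.write(b"not-a-real-loader\n")
    os.utime(hidden, (stamp + 86400, stamp + 86400))
    return good, bad


def run_demo():
    """Build the sample trees in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        good, bad = build_demo_trees(base)
        return compare(manifest(good), manifest(bad))


if __name__ == "__main__":
    for status, path, detail in run_demo():
        print(status, path, detail, sep="\t")
```

On a real box the "clean" side is the rebuilt machine or vendor media, and the comparison is only as trustworthy as the kernel that served the reads, which is the point of the post's warning about kernel mods.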
