# Is there any program for searching for rootkits?



## Handy92 (May 6, 2017)

I want to check all files for rootkits, or for modified files, from a LiveCD. Is there any automatic way that compares file size or md5sum?


----------



## Oko (May 6, 2017)

Handy92 said:


> I want to check all files for rootkits, or for modified files, from a LiveCD. Is there any automatic way that compares file size or md5sum?


You can use mtree(8) to build a host intrusion detection system. Please read the following:

https://security.stackexchange.com/...ystem-and-network-intrusion-detection-systems

to learn a bit about the vocabulary. IIRC Dru Lavigne in 100 BSD Hacks has described the use of mtree to build a primitive HIDS. Building a real HIDS would require some serious knowledge of machine learning (anomaly detection).
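The baseline-and-compare approach that mtree(8) implements, as an added example that is not part of this thread and not mtree itself: a small Python tool that records owner, mode, size, a SHA-256 digest (and symlink targets) for every entry under a directory, stores that baseline as JSON off the monitored tree, and later reports added, removed and changed entries. The directory layout, file contents and tampering in `demo()` are constructed for illustration. Modification times are deliberately not recorded, since they are trivially reset; the content digest is what catches a replaced binary of identical size.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline/verify in the spirit of mtree(8) (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Collect the attributes that are compared; lstat so symlinks are recorded as such."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        rec["size"] = st.st_size
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Map relative path -> record for every directory, file and symlink under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, like a generated mtree spec
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def save_baseline(baseline, spec_path):
    """Write the spec; in practice keep it on read-only media, away from the monitored tree."""
    with open(spec_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(spec_path):
    with open(spec_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report added/removed paths and, for changed paths, which fields differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        fields = set(baseline[rel]) | set(current[rel])
        diffs = sorted(k for k in fields if baseline[rel].get(k) != current[rel].get(k))
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b'#!/bin/sh\nexec /rescue/ls "$@"\n')
        with open(os.path.join(root, "rc.conf"), "w") as f:
            f.write('sshd_enable="YES"\n')
        os.chmod(os.path.join(root, "rc.conf"), 0o644)
        with open(os.path.join(root, "motd"), "w") as f:
            f.write("Welcome\n")

        spec = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), spec)

        # Tampering: same-size replacement of bin/ls (size unchanged, digest differs),
        # permission change on rc.conf, a new hidden file, and a removed file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b'#!/bin/sh\nexec /backup/ls "$@"\n')
        os.chmod(os.path.join(root, "rc.conf"), 0o600)
        with open(os.path.join(root, "bin", ".hidden"), "w") as f:
            f.write("x\n")
        os.remove(os.path.join(root, "motd"))

        return compare(load_baseline(spec), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the report for the constructed scenario: `bin/.hidden` added, `motd` removed, `bin/ls` changed only in `sha256`, and `rc.conf` changed only in `mode`. Booting from a LiveCD and pointing `build_baseline` at the mounted root is the same idea as running the mtree spec check from trusted media.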


----------



## ShelLuser (May 6, 2017)

Handy92 said:


> I want to check all files for rootkits, or for modified files, from a LiveCD. Is there any automatic way that compares file size or md5sum?


My personal favorite to check for rootkits is security/rkhunter, fully integrated with FreeBSD and supports a large variety of rootkit checksums.

When it comes to checking for changed files (note that rkhunter can also do that to a certain degree), you'd want an IDS (Intrusion Detection System). There are plenty; as Oko mentioned, there's even mtree, which is provided in the base system. However, I've become a big fan of security/tripwire, a full-blown IDS which can check for just about everything. I've posted a tutorial on setting up & using Tripwire; maybe it can give you some impressions. You can find that tutorial here.


----------

