Root Kit Detection

Comparing with installed RPM based packages

This is generally only relevant to Red Hat based distributions which use the RPM packaging system.

Boot off a clean disk image and mount the partitions you want to check.

    $ for foo in `rpm -q -a` ; do rpm -V --nomd5 "$foo" ; done

    $ find / -type f \! -exec rpm --quiet -q -f {} \; -print

You'll need to modify these commands to use --root (pointing rpm at the mounted filesystem) and --redhatprovides to do the job. You'll probably also want to remove --nomd5 from the options to be more secure.
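The verification loop above prints one line per file that differs from what the package database recorded, and on a real system most of those lines are harmless (mtime drift, edited config files). The following is an added example, not part of the original page, that triages that output so content changes to non-config files and missing files stand out. It assumes the standard rpm -V line layout (flag string, optional attribute letter, path) and only POSIX sh and awk; the sample lines in the test are constructed. Bear in mind that with --root the package database rpm consults lives on the suspect filesystem itself, so its verdicts are only as trustworthy as that database.

```shell
#!/bin/sh
# Added example (not from the original page): triage "rpm -V" output so
# that content changes to non-config files stand out.
#
# rpm -V prints one line per differing file: a flag string (S size,
# M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps;
# "." = unchanged, "?" = not testable), an optional attribute letter
# (c config, d doc, g ghost, l license, r readme) and the path.
# A line starting with "missing" means the file is gone.

# Usage:
#   rpm -Va --root /mnt/suspect 2>/dev/null | flag_content_changes
# Prints "CONTENT <path>" for non-config files whose size or digest
# changed and "MISSING <path>" for files rpm could not find. Everything
# else (mtime-only drift, edited config files) is counted on stderr.
flag_content_changes() {
    awk '
        $1 == "missing" {
            # layout: "missing   [c] /path" -> path is the last field
            print "MISSING " $NF
            next
        }
        {
            flags = $1
            # an attribute letter is present only when there are 3 fields
            is_config = (NF >= 3 && $2 == "c")
            path = $NF
            content = (index(flags, "S") > 0 || index(flags, "5") > 0)
            if (content && !is_config) {
                print "CONTENT " path
            } else {
                other++
            }
        }
        END {
            if (other) print other " other difference(s) ignored" > "/dev/stderr"
        }
    '
}
```

Edited config files are deliberately left out of the CONTENT list: a changed /etc/passwd digest is expected on any administered host, whereas a changed digest on a file under /bin or /sbin that no administrator touched is exactly what this page is hunting for.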

You also need to replace the initrd images in /boot to be absolutely certain everything is clean. See mkinitrd(8).

Packages installed since date

  • rpm -q -a --queryformat "%{INSTALLTIME:date} %{NAME}\n"
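The query above lists every package with its install date, but the heading asks for packages installed since a given date, which still means reading through the whole list. The following is an added example, not part of the original page, that sorts the output by install time and keeps only entries newer than a cutoff. It uses the numeric INSTALLTIME tag (seconds since the epoch) so no date parsing is needed; the rpm wrapper at the bottom and the "date -d" call in its comment assume GNU rpm and GNU date, and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): list packages installed
# on or after a cutoff, oldest first.

# installed_since CUTOFF_EPOCH
# Reads "<epoch> <name>" lines on stdin (the form produced by
# rpm -qa --queryformat '%{INSTALLTIME} %{NAME}\n') and prints the lines
# whose epoch is >= CUTOFF_EPOCH, sorted by install time.
installed_since() {
    cutoff="$1"
    # -v makes cutoff a number for the comparison, so "1101000000" >= works
    awk -v cutoff="$cutoff" '$1 >= cutoff { print }' | sort -n
}

# list_since CUTOFF_EPOCH [ROOT]
# Runs the page's query (in epoch form, with version and release added)
# against a live system or a mounted image and filters it.
# Example cutoff with GNU date:  list_since "$(date -d 2004-12-01 +%s)" /mnt/suspect
list_since() {
    root="${2:-/}"
    rpm --root "$root" -qa \
        --queryformat '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n' |
        installed_since "$1"
}
```

Because the filter reads plain text, the rpm query can be run once on the mounted image and the saved output re-filtered with different cutoffs while reconstructing the timeline of an incident.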


-- Frank Dean - 13 Dec 2004