Rootkit Hunter (rkhunter) is a Linux-based rootkit scanner that checks for rootkits, backdoors and potential local privilege-escalation issues. Rootkit Hunter uses the following techniques:
    * MD5 hash compare: the MD5 hashes of the most important system binaries are compared against a database of known-good hashes, so a replaced binary is caught. This only works if the baseline was taken on a clean system and is refreshed after legitimate package updates.
    * Default files: scanning the 'default' files and directories that known rootkits install; because the locations are known in advance, this check takes little time.
    * Hidden files: scanning for hidden files in places where they should not be (such as /tmp) to track down malicious files.
    * Operating-system-specific tests: you can select the operating system you are running. Some parts of one operating system do not exist on others, so not every test applies everywhere. For example, on Linux the processes reported by `ps` can be compared against the entries in /proc.
    * File permissions: a clean system has 'normal' permissions. Searching for unusual file permissions (such as an unexpected setuid bit or a world-writable system binary) can help detect an installed rootkit.
    * Kernel modules: operating systems such as Linux and FreeBSD support 'kernel modules', which let an administrator load and unload code into the running kernel on the fly to extend its functionality. A rootkit can use the same mechanism, so the loaded modules are checked for entries that do not belong.
    * Listening ports: some rootkits listen on a fixed port for incoming connections, so a scan of listening ports can catch them.
    * String scanner: plain-text and binary files are scanned for strings that are used in malicious files. The scanner uses a dictionary to compare scanned files against known trojans, sniffers, backdoors and so on.
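The cross-view comparison behind the `ps`-versus-/proc test and the listening-port check above, as an added example written for this page (it is not rkhunter's own code). It assumes a Linux host with a readable /proc and the procps `ps` command; the /proc/net/tcp lines embedded in it are constructed, not captured from a real host; and the socket-ownership check needs root to read every process's file descriptors. It goes one step beyond the list: besides comparing `ps` with the /proc listing it probes every PID with kill(pid, 0), which catches a process hidden from both views by a readdir hook, and it flags listening sockets that no visible process owns.

```python
# Cross-view rootkit checks, written as an added example (not rkhunter's code).
# Pure functions take the data they inspect so they run on constructed input; live_* read /proc.
import os
import subprocess
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample in /proc/net/tcp layout (not from a real host): two LISTEN
# sockets (state 0A) and one ESTABLISHED connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

def listening_sockets(proc_net_tcp: str) -> List[Tuple[str, int, int]]:
    """(address, port, inode) of every LISTEN socket in /proc/net/tcp text. Fields
    are hex; the IPv4 address is in host byte order (bytes reversed on little-endian)."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:          # [0] is the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        addr_hex, port_hex = fields[1].split(":")
        addr = ".".join(str(b) for b in reversed(bytes.fromhex(addr_hex)))
        found.append((addr, int(port_hex, 16), int(fields[9])))
    return found

def classify_pids(ps_pids: Set[int], proc_pids: Set[int], alive_pids: Set[int],
                  tgid_of: Callable[[int], Optional[int]]) -> Tuple[Set[int], Set[int]]:
    """Compare three views of the process table. alive_pids comes from kill(pid, 0)
    probes, which bypass directory listings: alive but absent from the /proc listing
    means hidden from readdir (LKM or LD_PRELOAD rootkit), unless the PID is only a
    thread of a visible process (threads answer kill() but are not listed in /proc).
    Listed in /proc but absent from ps means the ps output itself is filtered."""
    hidden_from_proc = set()
    for pid in alive_pids - proc_pids:
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in proc_pids:
            continue                                     # a thread, not a process
        hidden_from_proc.add(pid)
    return hidden_from_proc, proc_pids - ps_pids

def pid_alive(pid: int) -> bool:
    try:
        os.kill(pid, 0)                    # signal 0: existence check, nothing delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        pass                               # EPERM still proves the PID exists
    return True

def live_proc_pids() -> Set[int]:
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def live_ps_pids() -> Set[int]:
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True)
    return {int(tok) for tok in out.stdout.split()}

def live_tgid(pid: int) -> Optional[int]:
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = [line.split()[1] for line in f if line.startswith("Tgid:")]
        return int(tgid[0]) if tgid else None
    except OSError:                          # unreadable: stays a hidden candidate
        return None

def live_owned_socket_inodes() -> Set[int]:
    """Socket inodes open in listed processes (root needed to read every /proc/<pid>/fd)."""
    inodes = set()
    for pid in live_proc_pids():
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except OSError:
            continue
    return inodes

def main() -> None:
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    # /proc is listed before and after the slow probe, and every hit is re-checked,
    # so processes that start or exit mid-scan are not reported as hidden.
    proc_pids = live_proc_pids()
    alive = {pid for pid in range(1, pid_max + 1) if pid_alive(pid)}
    proc_pids |= live_proc_pids()
    hidden_proc, hidden_ps = classify_pids(live_ps_pids(), proc_pids, alive, live_tgid)
    hidden_proc = {p for p in hidden_proc if pid_alive(p)}
    hidden_ps = {p for p in hidden_ps if os.path.exists(f"/proc/{p}")}
    print("alive but not listed in /proc:", sorted(hidden_proc) or "none")
    print("listed in /proc but not in ps:", sorted(hidden_ps) or "none")
    owned = live_owned_socket_inodes()
    for addr, port, inode in listening_sockets(open("/proc/net/tcp").read()):
        note = "" if inode in owned else "   <- no visible owner process"
        print(f"LISTEN {addr}:{port} (inode {inode}){note}")

if __name__ == "__main__":
    main()
```

Run it as root with python3. A PID in either of the first two lines, or a listener with no visible owner, means something is filtering the process table and deserves a closer look; as a non-root user the owner check only covers your own processes, so unowned listeners are expected there. The kill(pid, 0) sweep up to pid_max is the slow part and takes a few seconds on a default 4194304 limit.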
Tool download: http://www.rootkit.nl/projects/rootkit_hunter.html