I was reading headlines on LXer early this morning and came across an article that mentioned chkrootkit. chkrootkit is a command-line utility that scans your system for rootkits. chkrootkit is available in the Debian repos and must be run as superuser:
sudo chkrootkit

Also note that just because chkrootkit doesn't find anything doesn't necessarily mean you are safe. chkrootkit only detects rootkits; it doesn't remove them. More info on the project site.
Last edited by KrunchTime (2017-06-16 23:43:39)
One potential problem with that method is that chkrootkit uses the `ps` command and this won't work if the rootkit has replaced that (likely); also, once a rootkit is in place the kernel & running system are compromised and cannot be trusted.
The packets sent by a suspect machine could be captured and analysed to know for sure or a "live" ISO image could be used to inspect the system from a "clean" kernel & userspace.
I like to use https://packages.debian.org/jessie/tripwire to detect tampering of system files and https://packages.debian.org/jessie/apparmor for a rudimentary form of mandatory access control on my Debian stable systems.
For anything important I would use OpenBSD instead, whenever possible, obviously 8)
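The "detect tampering of system files" idea from the post above, as an added example that is not chkrootkit's, tripwire's or the poster's own code: a minimal tripwire-style baseline of file hashes and a check that reports modified, removed and added files. The function names and the directory layout are assumptions; as the post notes, the baseline belongs on read-only media and the check is only trustworthy when run from a clean kernel (e.g. a live ISO).

```shell
#!/bin/sh
# Added example (hypothetical helper names): record SHA-256 hashes of every
# file under a directory, then compare the current state against that record.
# Paths are assumed to contain no whitespace. Keep the baseline file offline
# or read-only, and run the check from a clean kernel, or a rootkit that
# controls the running system can simply lie about file contents.

# make_baseline DIR BASELINE_FILE : write "hash  path" lines, sorted by path.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline DIR BASELINE_FILE : print one "MODIFIED|REMOVED|ADDED path"
# line per deviation. Returns 0 when nothing deviated, 1 otherwise.
check_baseline() {
    dir=$1; base=$2
    current=$(mktemp)
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$current"
    status=0
    # Every path in the baseline must still exist with the same hash.
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$cur" ]; then
            echo "REMOVED $path"; status=1
        elif [ "$cur" != "$hash" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$base"
    # Every path present now must also be in the baseline.
    while read -r hash path; do
        if [ -z "$(awk -v p="$path" '$2 == p' "$base")" ]; then
            echo "ADDED $path"; status=1
        fi
    done < "$current"
    rm -f "$current"
    return $status
}
```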
^OpenBSD does indeed have high security standards; however, there were those new leaks mentioning tools for different OSs. Some of them were for OpenBSD. It seems even a security-focused niche OS has weak points to exploit.