
#1 2017-06-16 23:42:29

KrunchTime
Member
Registered: 2015-09-29
Posts: 857

Rootkit Checker for Linux

I was reading headlines on LXer early this morning and came across an article that mentioned chkrootkit. chkrootkit is a command-line utility that scans your system for rootkits.  chkrootkit is available in the Debian repos and must be run as superuser:

sudo chkrootkit

Also note that just because chkrootkit doesn't find anything doesn't necessarily mean you are safe.  chkrootkit only detects rootkits; it doesn't remove them.  More info on the project site.

Last edited by KrunchTime (2017-06-16 23:43:39)


#2 2017-06-17 10:35:24

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Rootkit Checker for Linux

One potential problem with that method is that chkrootkit uses the `ps` command and this won't work if the rootkit has replaced that (likely); also, once a rootkit is in place the kernel & running system is compromised and cannot be trusted.

The packets sent by a suspect machine could be captured and analysed to know for sure or a "live" ISO image could be used to inspect the system from a "clean" kernel & userspace.

I like to use https://packages.debian.org/jessie/tripwire to detect tampering of system files and https://packages.debian.org/jessie/apparmor for a rudimentary form of mandatory access control on my Debian stable systems.

For anything important I would use OpenBSD instead, whenever possible, obviously.


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.



#3 2017-06-17 15:02:56

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Rootkit Checker for Linux

^OpenBSD does indeed have high security standards; however, there were those new leaks mentioning tools for different OSs. Some of them were for OpenBSD. It seems even a security-focused niche OS has weak points to exploit.

