Detect Linux rootkits

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Rootkit detection is difficult because a rootkit may be able to subvert the very software that is intended to find it. Detection methods include booting an alternate, trusted operating system; behavioral-based methods; signature scanning; difference scanning (comparing two views of the same data that a rootkit would have to tamper with consistently); and memory dump analysis. Removal can be complicated or impossible, especially if the rootkit resides in the kernel; reinstallation of the operating system may be the only alternative. Rootkit detection tools for Unix-like systems:

  • Rootkit Hunter – scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like ‘skdet’ and ‘unhide’. It should run on almost every Unix clone
  • chkrootkit – a tool to locally check for signs of a rootkit. Its core is chkrootkit, a shell script that checks system binaries for rootkit modification
  • OSSEC HIDS – a host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response
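The difference-scanning approach mentioned above, in the style of unhide's process check, as an added example (not code from any of the tools listed): it compares the set of PIDs visible when listing /proc with the set that kill(pid, 0) reports as existing. A process that the kernel says exists but that does not appear in /proc is a candidate for a hidden process. It assumes a Linux host with /proc mounted; PIDs of threads are excluded because kill() accepts thread IDs that are never listed at the top of /proc.

```python
import os

OWN_PID = os.getpid()                    # used for a sanity check of the probe

def proc_listing() -> set[int]:
    """PIDs visible when reading the /proc directory (the readdir view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def kill_probe(low: int, high: int) -> set[int]:
    """PIDs that exist according to kill(pid, 0), a different kernel path."""
    alive = set()
    for pid in range(low, high + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue                     # no such process
        except PermissionError:
            alive.add(pid)               # exists but belongs to another user
    return alive

def is_thread(pid: int) -> bool:
    """True if /proc/<pid>/status shows Tgid != Pid (a thread, not a process)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return int(fields["Tgid"]) != int(fields["Pid"])
    except (OSError, KeyError, ValueError):
        return False                     # unreadable status: keep as suspect

def diff_views(listed: set[int], probed: set[int], threads: set[int]) -> set[int]:
    """Pure comparison: alive per the probe, absent from the listing, not a thread."""
    return (probed - listed) - threads

def scan(high: int = 0, rounds: int = 2) -> set[int]:
    """Repeat the check; keep only PIDs flagged every round to drop exit races."""
    if high == 0:
        with open("/proc/sys/kernel/pid_max") as f:
            high = int(f.read())
    suspects = None
    for _ in range(rounds):
        probed, listed = kill_probe(1, high), proc_listing()
        threads = {p for p in probed - listed if is_thread(p)}
        found = diff_views(listed, probed, threads)
        suspects = found if suspects is None else suspects & found
    return suspects

if __name__ == "__main__":
    print("hidden PIDs:", sorted(scan()) or "none")
```

A hit is a lead, not a verdict: confirm it from a trusted boot medium or a memory image, since a kernel rootkit can hook both views consistently.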
