How to scan for rootkits in Ubuntu or Debian
GNU/Linux and other Unix-like operating systems are a hostile environment for classic viruses, but they are still exposed to other kinds of malware and to exploits. The most dangerous class of malware on GNU/Linux is the rootkit.
What is a rootkit? It is a program (or a set of programs or scripts) designed to hide the fact that a system has been compromised. A rootkit usually also leaves a backdoor for the attacker and modifies the system (hiding files, processes, network connections and regions of memory) so that the attacker is not detected while on your system.
Writing a rootkit is not a simple job: you need to know a great deal about the operating system you are targeting, and writing and testing it takes time.
"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it," writes SecurityFocus columnist Scott Granneman.
To fight this kind of malware I will show you how to install rkhunter under Ubuntu or Debian and use it to run a system check for rootkits and other malware.
Under Debian or Ubuntu the installation is a single step (as root, or with sudo):
apt-get install rkhunter
After that I recommend you update the rootkit "signature" database with the following command:
Now we are ready for a scan:
The check is made up of several groups of tests:
- Known exploits on the host
- Ports that are commonly used for backdoor access
- Startup files, groups and accounts, system configuration files, and the file system
- MD5 hash comparison of system binaries against the stored database
- Suspicious strings in LKM and KLD kernel modules
When one group of tests is finished you will need to press Enter to proceed to the next one (rkhunter's --sk option skips these pauses, which is what you want when running it from cron).
Some files generate false alarms because it is very hard for the rkhunter developers to keep track of all the files and hidden files on every Linux distribution. The most common files that generate these alarms are:
/dev/.static/, /dev/.udev & /dev/.udevdb/ – used by udev
/etc/.java/ – it is common for java installations to use this hidden directory
/dev/.initramfs, /dev/.initramfs-tools – created by initramfs-tools generated ramfs filesystems during boot
If you get a warning like:
Scanning for hidden files... [ Warning! ]
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
it is almost certainly one of the directories above. Rather than ignoring the warning on every run, confirm that the directory is the one udev or initramfs-tools created and then list it in /etc/rkhunter.conf with an ALLOWHIDDENDIR entry (one line per directory); rkhunter will then only warn about hidden directories you have not already explained, so a new one stands out.
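The procedure above (update the database, run the check without the Enter pauses) and the handling of the udev/initramfs/java false alarms, as one script. This is an added example, not code from the original article or from the rkhunter project. The rkhunter options it uses (--update, --propupd, --check, --sk, --rwo) and the ALLOWHIDDENDIR directive exist in rkhunter; the script name rkhunter-run.sh, the exact "Warning: Hidden directory found: ..." line shape it parses, the sample log and the path /usr/local/lib/.example are assumptions constructed for illustration. It goes one step beyond the text by whitelisting the known directories in rkhunter.conf and by returning a non-zero status when anything unexplained remains, so it can be wired to an alert.

```shell
#!/bin/sh
# Added example (not from the article or from rkhunter): unattended rkhunter run
# for Ubuntu/Debian plus a triage pass over the log. The log-line format, the
# sample log and /usr/local/lib/.example are constructed for illustration.
set -u

# Hidden directories the article lists as known false alarms.
KNOWN_HIDDEN_DIRS="/dev/.static /dev/.udev /dev/.udevdb /dev/.initramfs /dev/.initramfs-tools /etc/.java"

# Tell rkhunter itself to accept those directories: one ALLOWHIDDENDIR line each
# in rkhunter.conf (default /etc/rkhunter.conf). Lines already present are not
# duplicated, so this is safe to re-run.
configure_allowlist() {
    conf="${1:-/etc/rkhunter.conf}"
    for d in $KNOWN_HIDDEN_DIRS; do
        grep -qxF "ALLOWHIDDENDIR=$d" "$conf" 2>/dev/null ||
            printf 'ALLOWHIDDENDIR=%s\n' "$d" >> "$conf"
    done
}

# The scan itself, run as root. --update refreshes the signature database,
# --propupd rebuilds the file-properties baseline (only do this on a host you
# trust right now, or you bake a compromise into the baseline), --sk skips the
# "press Enter" pause between test groups and --rwo prints warnings only.
run_scan() {
    rkhunter --update
    rkhunter --propupd
    rkhunter --check --sk --rwo
}

# Read an rkhunter log, print every "Warning:" line except hidden-directory
# warnings whose path is in KNOWN_HIDDEN_DIRS, and return 1 if anything was
# printed (so cron can alert on it) or 0 if the run was clean.
triage_log() {
    log="$1"
    remaining=0
    while IFS= read -r line; do
        case "$line" in
            *"Warning:"*) ;;
            *) continue ;;
        esac
        benign=0
        case "$line" in
            *"Hidden directory found: "*)
                path="${line##*"Hidden directory found: "}"
                for d in $KNOWN_HIDDEN_DIRS; do
                    [ "$path" = "$d" ] && benign=1
                done ;;
        esac
        [ "$benign" -eq 1 ] && continue
        printf '%s\n' "$line"
        remaining=1
    done < "$log"
    return "$remaining"
}

# Constructed sample log in the shape of /var/log/rkhunter.log, for trying
# triage_log without a real scan. /usr/local/lib/.example is a made-up path.
write_sample_log() {
    cat > "$1" <<'EOF'
[10:01:02] Checking for hidden files and directories [ Warning ]
[10:01:02] Warning: Hidden directory found: /dev/.udev
[10:01:02] Warning: Hidden directory found: /dev/.initramfs
[10:01:02] Warning: Hidden directory found: /etc/.java
[10:01:05] Warning: Hidden file found: /usr/local/lib/.example
[10:01:06] Checking for prerequisites [ OK ]
EOF
}

# sh rkhunter-run.sh scan                          (as root)
# sh rkhunter-run.sh triage /var/log/rkhunter.log
case "${1:-}" in
    scan)   configure_allowlist && run_scan ;;
    triage) triage_log "${2:-/var/log/rkhunter.log}" ;;
esac
```

On the sample log, triage_log prints only the hidden-file line for /usr/local/lib/.example and returns 1; the three hidden-directory warnings are dropped because their paths are in the allowlist. Running "scan" from a daily cron job and "triage" over the resulting log gives you a run that is silent when nothing new appears and noisy the first time something does.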
Some of the rootkits, worms and backdoors that rkhunter knows how to detect:
55808 Trojan – Variant A
Ambient (ark) Rootkit
CiNIK Worm (Slapper.B variant)
Danny-Boy’s Abuse Kit
Flea Linux Rootkit
Lockit / LJK2
mod_rootme (Apache backdoor)
NSDAP (RootKit for SunOS)
Optic Kit (Tux)
TBD (Telnet BackDoor)
URK (Universal RootKit)
X-Org SunOS Rootkit