Home » Debian, Hacking, Linux, Newbie, Security, Ubuntu

How to scan for rootkits in Ubuntu or Debian

7 March 2009 4 Comments

GNU/Linux and other unix operating systems are a very hostile environments for viruses, but they are still in the front of other malware / exploits. The most dangerous malware under GNU/Linux are the rootkits.

What is a rootkit? Is a program (or a set of programs or scripts) designed to hide the fact a system was compromised. Also a rootkit can leave a backdoor entrance for a malicious person and can modify your system (hiding files, process, network connections, blocks of memory) to don’t detect that person when is on your system .

Writing an rootkit is not such a simple job, you need to know a lot about the operating system where you want to deploy it and it takes time to write it and test it.

To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it, writes SecurityFocus columnist Scott Granneman.

To fight agains those malware programs I will show you how to install (under Ubuntu or Debian) and work with rkhunter (run a system check for rootkits or other malware)

Installing rkhunter

Under debian or ubuntu is just a simple step:

apt-get install rkhunter

after that I recommend you to update the rootkits “signature” database with the following command:

rkhunter –update

rkhunter updated

rkhunter updated

Now we are ready for a scan:

rkhunter –checkall

There are several types of scanning.

  • Applications
  • Directories
  • Exploits on the desktop
  • Ports that are commonly used for back door access
  • Startup files, groups and accounts, system configuration files, and the file system
  • MD5 hash compare
  • Look for suspected strings in LKM and KLD modules

When one type of scan is finished you will need to press enter to proceed to the next one.

rkhunter Security Advisory

rkhunter Security Advisory

Some files are generating false alarms because is very hard, for rkhunter developers, to keep the track of all the files or hidden files on all Linux distributions. The most common files what are generating this alarms are:

/dev/.static/, /dev/.udev & /dev/.udevdb/ – used by udev
/etc/.java/ – it is common for java installations to use this hidden directory
/dev/.initramfs, /dev/.initramfs-tools – created by initramfs-tools generated ramfs filesystems during boot

If you get an error something like:

Scanning for hidden files... [ Warning! ]
/etc/.pwd.lock /dev/.static
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

just ignore it.

The most common rootkits detected by rkhunter:

55808 Trojan – Variant A
ADM W0rm
aPa Kit
Apache Worm
Ambient (ark) Rootkit
Balaur Rootkit
CiNIK Worm (Slapper.B variant)
Danny-Boy’s Abuse Kit
Devil RootKit
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
Fuck`it Rootkit
Heroin LKM
HjC Rootkit
Irix Rootkit
Li0n Worm
Lockit / LJK2
mod_rootme (Apache backdoor)
Ni0 Rootkit
NSDAP (RootKit for SunOS)
Optic Kit (Tux)
Oz Rootkit
R3dstorm Toolkit
RH-Sharpe’s rootkit
RSHA’s rootkit
Scalper Worm
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Sneakin Rootkit
SunOS Rootkit
TBD (Telnet BackDoor)
T0rn Rootkit
Trojanit Kit
URK (Universal RootKit)
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit


  • Carl Nobile said:

    Your HOW-TO was quite informative for me. The only comment I would like to make is hat you escape and dashes as in rkhunter –checkall, the dash becomes a rich text m-dash not the two dashes you intended.

  • admin (author) said:

    Your HOW-TO was quite informative for me. The only comment I would like to make is hat you escape and dashes as in rkhunter –checkall, the dash becomes a rich text m-dash not the two dashes you intended.

    True. I think I should use code tag to fix that.


  • Witch said:

    I liked your howto better than the manpages, thanks! 🙂

  • nd said:

    Nice, nice, very nice. But I got some issues about the “unhide” command when running a clean, fresh rkhunter installation on a clean, fresh Debian lenny server. I was able to fix them with “rkhunter –propupd”.

Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.