How to scan for rootkits in Ubuntu or Debian
GNU/Linux and other Unix-like operating systems are hostile environments for classic viruses, but they are still exposed to other malware and exploits. The most dangerous class of malware on GNU/Linux is the rootkit.
What is a rootkit? It is a program (or a set of programs or scripts) designed to hide the fact that a system has been compromised. A rootkit usually also leaves a backdoor for the attacker, and it modifies the system (hiding files, processes, network connections and regions of memory) so that the attacker is not detected while on the system.
Writing a rootkit is not a simple job: you need to know a lot about the operating system you are targeting, and it takes time to write and test it.
"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it," writes SecurityFocus columnist Scott Granneman.
To fight this kind of malware I will show you how to install rkhunter under Ubuntu or Debian and how to use it to run a system check for rootkits and other malware.
Installing rkhunter
Under Debian or Ubuntu it is a single step (run as root, or prefix the commands with sudo):
apt-get install rkhunter
After that I recommend updating the rootkit "signature" database with the following command:
rkhunter --update
Now we are ready for a scan:
rkhunter --checkall
In current rkhunter versions the check is started with rkhunter --check (short form -c).
rkhunter runs several groups of checks:
- Applications
- Directories
- Exploits on the desktop
- Ports that are commonly used for backdoor access
- Startup files, groups and accounts, system configuration files, and the file system
- MD5 hash comparison of system binaries
- Suspicious strings in LKM and KLD modules
When one group of checks is finished you will need to press Enter to proceed to the next one. Pass --sk (--skip-keypress) to run through all the checks without stopping; combined with --rwo (--report-warnings-only) this is the form you want when running rkhunter from cron or a script.
Some checks generate false alarms, because it is very hard for the rkhunter developers to keep track of every legitimate hidden file and directory across all Linux distributions. The most common paths that trigger these alarms are:
/dev/.static/, /dev/.udev & /dev/.udevdb/ – used by udev
/etc/.pwd.lock
/etc/.java/ – it is common for java installations to use this hidden directory
/dev/.initramfs, /dev/.initramfs-tools – created by initramfs-tools generated ramfs filesystems during boot
If you get a warning like this one:
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
compare each reported path against the list above. If every one of them is accounted for, the warning can be ignored; a hidden directory you cannot explain, however, is exactly what this check exists to find and must be investigated. To stop a verified-benign path from warning on every run, whitelist it in /etc/rkhunter.conf with an ALLOWHIDDENDIR (for directories) or ALLOWHIDDENFILE (for files) entry. Do not reach for rkhunter --propupd to silence warnings: it rewrites rkhunter's stored baseline of file properties, so it should only be run on a system you know to be clean, typically right after installation or after a legitimate package upgrade; otherwise a tampered binary becomes the new "known good".
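As an added example (not from the original post and not rkhunter's own code), here is a small POSIX shell script that ties the two halves of this how-to together: the install, update and scan sequence run non-interactively, and a triage step for the hidden-files warning that checks every reported path against the known-benign list above instead of ignoring the warning wholesale, then emits the matching rkhunter.conf whitelist lines. The script name is an assumption; the options and config keys used are the documented rkhunter ones.

```shell
#!/bin/sh
# Added example for this post; not part of rkhunter or of the original text.
# Assumes rkhunter as packaged by Debian/Ubuntu. The options --update, --check,
# --sk, --rwo and the rkhunter.conf keys ALLOWHIDDENDIR / ALLOWHIDDENFILE are
# documented in rkhunter's man page and sample configuration.

# Hidden paths the post identifies as benign on Debian/Ubuntu (udev, initramfs, java).
KNOWN_BENIGN="/dev/.static /dev/.udev /dev/.udevdb /etc/.pwd.lock /etc/.java /dev/.initramfs /dev/.initramfs-tools"

# 1. Install, update the signature database and run a non-interactive scan.
#    --sk skips the "press enter" prompt after each group of checks, --rwo prints
#    warnings only. --update exits 2 when new signatures were fetched and --check
#    exits 1 when any check warned, so neither is treated as a script failure.
run_scan() {
    apt-get install -y rkhunter
    rkhunter --update || [ $? -eq 2 ]
    rkhunter --check --sk --rwo || true
}

# 2. Given rkhunter's "Please inspect: ..." line, print the paths that are NOT
#    in the known-benign set. Anything printed deserves a manual look.
unexpected_hidden_paths() {
    printf '%s\n' "$1" | sed 's/^Please inspect://' | tr ' ' '\n' | grep '^/' |
    while IFS= read -r path; do
        path=${path%/}                       # tolerate a trailing slash
        case " $KNOWN_BENIGN " in
            *" $path "*) ;;                  # known benign, nothing to report
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# 3. Turn the same line into rkhunter.conf whitelist entries, using the
#    "(directory)" annotation rkhunter prints to pick the right key.
allowlist_conf() {
    printf '%s\n' "$1" | sed 's/^Please inspect://; s# (directory)#|dir#g' | tr ' ' '\n' | grep '^/' |
    while IFS= read -r tok; do
        case $tok in
            *'|dir') printf 'ALLOWHIDDENDIR=%s\n'  "${tok%|dir}" ;;
            *)       printf 'ALLOWHIDDENFILE=%s\n' "$tok" ;;
        esac
    done
}

# Usage (script name is assumed):
#   sh rkhunter-triage.sh --run                                   (as root)
#   sh rkhunter-triage.sh --triage "Please inspect: /dev/.udev (directory) ..."
case "${1:-}" in
    --run)
        run_scan ;;
    --triage)
        bad=$(unexpected_hidden_paths "$2")
        if [ -n "$bad" ]; then
            echo "Unexplained hidden paths, inspect before whitelisting:"
            echo "$bad"
            exit 1
        fi
        echo "All paths are known-benign; append this to /etc/rkhunter.conf:"
        allowlist_conf "$2" ;;
esac
```

Run the --triage mode with the "Please inspect:" line copied from rkhunter's output; it exits non-zero and lists the offending paths whenever something outside the benign set shows up, and only prints whitelist lines when every path is accounted for.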
Rootkits, worms and backdoors that rkhunter checks for include:
55808 Trojan – Variant A
ADM W0rm
AjaKit
aPa Kit
Apache Worm
Ambient (ark) Rootkit
Balaur Rootkit
BeastKit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Danny-Boy’s Abuse Kit
Devil RootKit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
Fuck`it Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit / LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (RootKit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe’s rootkit
RSHA’s rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
Suckit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal RootKit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit
Your HOW-TO was quite informative for me. The only comment I would like to make is that you should escape the dashes; as in rkhunter –checkall, the dash becomes a rich-text m-dash, not the two dashes you intended.
True. I think I should use a code tag to fix that.
Regards
I liked your howto better than the manpages, thanks!
Nice, nice, very nice. But I had some issues with the "unhide" command when running a clean, fresh rkhunter installation on a clean, fresh Debian lenny server. I was able to fix them with "rkhunter --propupd".