Linux Security: Easily Scan Your Servers for Rootkits

Open-source tools like Linux Malware Detect and Chkrootkit can alert you to unwanted visitors on your server.

Translated from “Linux Security: Scan Your Servers for Rootkits With Ease” by Jack Wallen.

Linux is one of the most secure operating systems on the planet. However, nothing is absolutely secure, and if a server is connected to the network, it is vulnerable to attacks… even if that server is powered by Linux. There are always those lurking in the shadows hoping to access these servers and exploit them for profit.

Malware, ransomware, and perhaps the worst of all, rootkits, are secretly installed software that attackers use to take over your computer. They always seem ready to bring your company down.

Fortunately, in Linux, you can use some tools to scan for rootkits on these servers.

What is a Rootkit?

For those unfamiliar, a rootkit is a type of malware that can control an operating system or device and manipulate its behavior while hiding its presence.

The primary goal of a rootkit is to prevent security software, antivirus programs, and other monitoring tools from detecting it so that it can continue its operations (which are always malicious).

Rootkits typically operate at multiple levels:

  • Low-level system operations: Rootkits can modify underlying system files, registry entries, or kernel modules to evade detection.

  • Kernel mode operations: Some rootkits operate in what is known as kernel mode, allowing them to access low-level permissions of system resources and making it harder for other software to detect their presence.

  • File and process hiding: Rootkits almost always hide themselves by modifying file names, icons, processes, network connections, and other critical services.

There are two different types of rootkits:

  • Bootkit: Bootkits infect the master boot record (MBR) on the hard drive at boot time to prevent the system from booting from a legitimate operating system.

  • Kernel mode rootkit: These rootkits operate in kernel mode and can intercept system calls, manipulate memory, or create false network traffic.

Rootkits often include additional features such as network activity monitoring, process control, and data encryption.

Now that you have a basic understanding of rootkits, let’s find out how to scan for them on Linux.

Chkrootkit

Chkrootkit is a simple rootkit detector that checks for various signs of infection on Unix-like file systems. You can install Chkrootkit on Ubuntu-based systems using the following command:

sudo apt-get install chkrootkit -y

During installation, the system will ask if you want to configure Chkrootkit to send email alerts. If you choose to do so, make sure you have the information needed to use an SMTP server. If not, select local only.

If you are using a Fedora-based distribution, the installation command is:

sudo dnf install chkrootkit -y

After installing the software, you can run a scan using the following command:

sudo chkrootkit

The application will start immediately and begin checking for known rootkits. When finished, you will see a report of everything it found (or hopefully nothing).

You can set up a cron job to run Chkrootkit every night (at midnight). Open your crontab for editing and add the following line to the bottom of the file:

0 0 * * * sudo chkrootkit | mail -s "Chkrootkit Report" EMAIL 

Where EMAIL is your email address.

Save and close the file. Your system will now automatically scan for rootkits at midnight and send the report to the email address you configured.
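The cron line above mails the complete report every night, whether or not anything was found. As an added example (not from the original article), the wrapper below keeps the full report on disk and mails only the lines that need attention; the script location, the log directory and the use of the INFECTED/Warning markers in chkrootkit's output are assumptions, and the script is meant to run from root's crontab.

```shell
#!/bin/sh
# Added example, not part of the original article: run chkrootkit from cron
# and mail only when it flags something. Assumes chkrootkit and a working
# `mail` command, as in the article's own cron line.

# Keep only the lines a human needs to act on. chkrootkit prints one line per
# check ("Checking 'ls'... not infected"); a hit reads "... INFECTED" and the
# kernel-module checks print "Warning: ..." lines. Reads the report on stdin.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning' || true
}

# Returns 0 when the report on stdin is clean, 1 when it contains findings.
report_is_clean() {
    [ -z "$(chkrootkit_findings)" ]
}

# Cron entry point: capture the full report to a dated file (assumed
# directory /var/log/chkrootkit), then mail only the findings plus the
# path to the full report if there are any.
run_nightly_scan() {
    recipient="$1"
    logdir="${2:-/var/log/chkrootkit}"
    mkdir -p "$logdir"
    report="$logdir/report-$(date +%F).txt"
    chkrootkit > "$report" 2>&1
    if ! report_is_clean < "$report"; then
        {
            echo "chkrootkit flagged the following on $(hostname):"
            chkrootkit_findings < "$report"
            echo
            echo "Full report: $report"
        } | mail -s "Chkrootkit ALERT on $(hostname)" "$recipient"
        return 1
    fi
    return 0
}

# Only scan when invoked as: nightly-chkrootkit.sh --run admin@example.com
# (the path and address are placeholders); sourcing the file just defines
# the functions.
if [ "${1:-}" = "--run" ]; then
    run_nightly_scan "$2"
fi
```

A matching root crontab entry would be `0 0 * * * /usr/local/sbin/nightly-chkrootkit.sh --run EMAIL`, with the path and EMAIL adjusted to your system.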

LMD

LMD stands for Linux Malware Detect, a fully-featured open-source malware scanner. LMD has a complete reporting system, email alerts, and uses threat data from network intrusion detection systems to create signatures for malware that is actively in use.

The best part of LMD is that it is regularly updated to keep up with the ever-changing landscape of malware in the wild.

Here are the steps to install LMD:

  1. Open a terminal window.

  2. Use the command wget http://www.rfxn.com/downloads/maldetect-current.tar.gz to download the source code.

  3. Use tar xvzf maldetect-current.tar.gz to extract the archive.

  4. Use cd maldetect to enter the maldetect directory.

  5. Run the installer using the command sudo ./install.sh.

The installation is quick and completed in the blink of an eye.

Next, you need to configure LMD. Use the following command to open the configuration file:

sudo nano /usr/local/maldetect/conf.maldet

This file contains many customization options. For example, the quarantine_clean option tells LMD to automatically clean any detected malware. Set this option to 1 to enable it. Be sure to read through the entire file and configure everything you need. Save the file when done.

Once LMD is configured, you can start a manual scan using the following command:

sudo maldet -a /

You can also specify a specific directory to scan. If you choose to scan everything under the root directory (/), be aware that this will take some time to complete. For example, on my Ubuntu Server 24.04 instance, there are over 62,000 files to scan.

Another nice feature is the ability to monitor directory changes. For example, you can monitor the /etc directory like this:

sudo maldet --monitor /etc

It is important to note that if you use the monitoring option, you will also need to install inotify-tools using the following command:

sudo apt-get install inotify-tools -y

Once the monitoring option is running, you can find logs in /usr/local/maldetect/logs/inotify_log. Be sure to check this file regularly to see if there are any changes in /etc. The log file updates in real time, so any changes will be written to the file.

LMD can also list the files it has quarantined.

To schedule daily scans with LMD, use a cron job. To run the scan every midnight, open the crontab for editing with sudo and add the following line to the bottom of the file:

0 0 * * * maldet -a / > /dev/null 2>&1

The redirection discards the console output; the scan results are still written to LMD's own logs under /usr/local/maldetect/logs.

Your Linux server is now monitoring for rootkits. Never assume that just because it is Linux, these servers are guaranteed not to be hacked.
