
      Rootkits

      Rootkit malware is also possible on Linux and OSX. Those of us in UNIX-land (and yes, Mac people, that includes you) don't often have to deal with malware. There is room for debate about the exact reasons for that, but few would argue that Linux, BSD and OSX get hit as hard or as often as Windows. That does not, however, make us immune to malware. We all download software online, and even those who stick to their software provider's packages can still be affected by bugs or security holes that let nasty people or software inside. As the old saying goes, "an ounce of prevention is worth a pound of cure". Today we'd like to show you some ways to scan your system and make sure there are no rootkits lurking in the shadows.

      The Quick and Dirty Personal Scan

      A common technique used by some malware authors is to replace a normal system binary with one that takes additional or alternative actions. Many of them try to protect themselves by marking their corrupted versions immutable, in an attempt to make the infection harder to remove. Fortunately, this leaves traces that can be picked up by normal system tools.
      Use the lsattr command to display the attributes of your system's binary files in locations such as /bin, /sbin, and /usr/bin, as shown here:
      lsattr /usr/bin
      Normal, non-suspicious output should look something like the screenshot below (rootkits-lsattr), with no s, i, or a flags set.
      [Screenshot: rootkits-lsattr]
      You may need root privileges to scan some places like /sbin. If the output contains other attributes such as s, i, or a, that may be a sign that something is wrong, and you may wish to try a deeper scan as shown below.

      For a deeper scan, use chkrootkit or rkhunter (Rootkit Hunter); both are covered further on this website. Run them as follows:

      sudo chkrootkit > mylogfile.txt

      sudo rkhunter -c

      To clean these up, as root you will need to remove the s, i, or a attributes with:
      root-shell#  chattr -sia /usr/bin/whatever
      Read about the attributes first and check what the other tools report before changing anything: some files, /usr/bin/X11/ for example, may intentionally have these set. Once the attributes have been removed, you can once again edit, delete, or otherwise manipulate those files.
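      The two steps above, the lsattr check for s, i, or a flags and the review of the chattr cleanup, as an added example that is not part of the original article. It assumes only the lsattr output format "<attrs> <path>"; the function names and the sample lsattr output are constructed for this illustration, and the cleanup step prints the chattr command for review rather than running it.

```shell
#!/bin/sh
# Added example (not from the original article): scan lsattr-style output for
# the s (secure deletion), i (immutable) and a (append-only) flags the text
# warns about, then print the chattr command that would clear them so it can
# be reviewed before anything on the system is changed.

# Read lsattr-style lines ("<attrs> <path>") on stdin and print the lines whose
# attribute field contains s, i or a. Lowercase only: 'e' (extents) is normal,
# and uppercase flags such as 'A' or 'S' mean different things.
flag_suspicious_attrs() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        case "$attrs" in
            *[sia]*) printf '%s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# For each flagged line on stdin, print the cleanup command from the article
# (chattr -sia <path>) without executing it, so a human can check for files
# that are meant to carry these flags before clearing anything.
suggest_cleanup() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        printf 'chattr -sia %s\n' "$path"
    done
}

# Run lsattr over the given directories (requires lsattr; root for /sbin and
# similar) and report only the suspicious entries.
scan_dirs() {
    for d in "$@"; do
        lsattr "$d" 2>/dev/null
    done | flag_suspicious_attrs
}

# Constructed sample of lsattr output for offline testing; not real output.
SAMPLE='--------------e------- /usr/bin/ls
----i---------e------- /usr/bin/ps
-----a--------e------- /usr/bin/netstat
--------------e------- /usr/bin/cat
s-------------e------- /usr/bin/who'

# Demo on the constructed sample: three of the five entries are flagged.
printf '%s\n' "$SAMPLE" | flag_suspicious_attrs
printf '%s\n' "$SAMPLE" | flag_suspicious_attrs | suggest_cleanup
```

      On a real system, replace the demo lines with something like `scan_dirs /bin /sbin /usr/bin | suggest_cleanup`, run as root, and only paste the printed chattr commands back into a shell after confirming each file is not one that legitimately carries the flag.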

      What if you do find incorrect or compromised binaries? On a Debian system you can fetch older packages from http://snapshot.debian.org/ to download manually (wget http://...) and install (dpkg -i ___.deb).