Linux is a reliable, secure choice for your data center. Even so, doing regular checks for rootkits and malware is always an advised best practice. Jack Wallen shows you how.
By Jack Wallen | April 11, 2017, 12:07 PM PST
If your data center makes use of Linux, you want to ensure those servers are free from both rootkits and malware. Although Linux, in general, is safe from a vast amount of malicious software, it is a mistake to assume it is completely impervious. Not only could you wind up with a data-destroying rootkit; if one of your Linux machines happens to work as a web server, that machine could have been compromised and could now be serving up malicious code.
How do you avoid such issues? You take precautions. One such precaution is using the right tools to scan your machines for both rootkits and malicious code. I want to walk you through the process of installing and using two tools that will scan for both. I'll be demonstrating on Ubuntu Server 16.04, so if you use a different platform, adjust accordingly.
Rootkits
The first check we want to run is for rootkits. One tool that serves this purpose is called chkrootkit. This tool is fairly straightforward and can be installed with the command:
sudo apt-get install chkrootkit
To run the check, issue the command:
sudo chkrootkit
The check will run (Figure A) and take some time to complete.
Figure A: So far so good with the rootkit check.
When chkrootkit begins to search for sniffer logs, the process will seem to stop; this is normal, so you might as well busy yourself with something else.
If you get a positive hit from chkrootkit, it will be important to do a bit of research, as there are known false positives. On a scan of Ubuntu Server 16.04, the following was reported:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
This is one of the known false positives (related to the openssh-server package) and can be ignored.
If you receive any other warnings or errors, be sure to immediately research what chkrootkit reports. The application will not instruct you on how to fix the problem, only that the problem exists.
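As an added example (not the article's own code, nor part of the chkrootkit project), the following POSIX shell snippet applies the advice above: it strips the clean "not infected"/"not found"/"nothing found"/"nothing detected" lines from a chkrootkit report, drops the known Ebury false positive only when you explicitly opt in, and leaves everything else for a human to research. The report it reads is a constructed sample; the INFECTED line is made up to show what a genuine hit looks like.

```shell
#!/bin/sh
# Added example: triage filter for chkrootkit output. chkrootkit prints one
# line per check and ends clean lines with "not infected", "not found",
# "nothing found" or "nothing detected"; everything else deserves a look.
# The one line the article identifies as a known false positive on Ubuntu
# Server 16.04 (the Linux/Ebury check tripping on the stock openssh-server)
# is only dropped when the caller passes "ignore_ebury", so nothing is
# silenced by accident.

# Constructed sample resembling a chkrootkit run (not real scan output);
# the "INFECTED" line is invented to show what a genuine hit looks like.
sample_report() {
cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `sshd'... not infected
Checking `ls'... INFECTED
Searching for suckit rootkit... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Checking `lkm'... chkproc: nothing detected
EOF
}

# triage_report [ignore_ebury]
# Reads chkrootkit output on stdin and prints only the lines that still
# need a human look. Pass "ignore_ebury" to drop the known false positive.
triage_report() {
    ignore_ebury="${1:-}"
    grep -v -E '^ROOTDIR is|not infected$|not found$|nothing found$|nothing detected$' |
    if [ "$ignore_ebury" = "ignore_ebury" ]; then
        grep -v -F 'Possible Linux/Ebury - Operation Windigo installetd'
    else
        cat
    fi
}

# Number of lines left after triage; handy as a non-zero signal in a cron job.
finding_count() {
    sample_report | triage_report "${1:-}" | grep -c .
}

# Stand-alone run: show the findings with the known false positive removed.
sample_report | triage_report ignore_ebury
```

In a real scheduled check you would replace sample_report with `sudo chkrootkit` and mail or log any non-empty triage output.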