We have already spoken on several occasions about rootkits, and about security in general, but this time we are going to focus on how to detect and remove them. First of all, for those who do not know what a rootkit is: it is malware, made up of a program or a set of malicious programs, that disguises itself (typically by hiding its own files and processes or by replacing system binaries) in order to carry out unwanted tasks without the user's consent.
Well, in Unix environments, and of course in Linux, you can find a multitude of antivirus programs and other specific tools for removing this type of malware, such as chkrootkit and rkhunter, which are the best known. They will sound familiar to you because we have also talked about them many times on this blog. Both work in a similar way and, since neither of them runs in the background, they do not interfere with each other if both are installed.
Installing and using them takes only a couple of commands in both cases, nothing complicated. For example, to install them on Debian or one of its derivatives, just type the following:
sudo apt-get install chkrootkit
sudo apt-get install rkhunter
To run a scan (the man pages list more options for refining the analysis):

sudo chkrootkit
sudo rkhunter --check

In the case of rkhunter, before the first scan you need to update its data files with the --update option (sudo rkhunter --update). Note that sudo rkhunter --list tests only lists the tests the tool knows how to run; the scan itself is started with --check. There are other options too, such as --disable, so I recommend checking man rkhunter for more of them.
Careful! There may be false positives, that is, the tools may report possible rootkits that are not actually rootkits, so some of the threats they detect may not be real. It is usually a good idea to run both, because they do not tend to produce the same false positives, so you can rule out a false alarm by contrasting the results. In any case, before removing anything flagged as a rootkit, search for information about it first so as not to delete important files.
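As an added example that is not part of the original post, the script below wraps the two scans described above and then cross-references what each tool flagged, which is the practical form of the advice to contrast results. The run_scans function is what you would actually run on a machine (it needs root and the two packages); the rest works on any two report files. The sample reports embedded in the script are constructed lines shaped like the tools' output, not real scan results.

```shell
#!/bin/sh
# Added example (not from the original post): run chkrootkit and rkhunter,
# then contrast what each one flagged, since the two tools rarely share the
# same false positives.

# Run both scanners on this machine. chkrootkit -q prints only the suspicious
# lines; rkhunter --rwo prints only warnings. Both exit non-zero when they
# find something, so the exit codes are deliberately ignored here.
run_scans() {
    out_dir="$1"
    mkdir -p "$out_dir"
    sudo chkrootkit -q > "$out_dir/chkrootkit.txt" 2>&1 || true
    sudo rkhunter --update --sk --nocolors > /dev/null 2>&1 || true
    sudo rkhunter --check --sk --nocolors --rwo > "$out_dir/rkhunter.txt" 2>&1 || true
}

# From a report file, print the basename of the first single-quoted name or
# path on every line that reports a finding, sorted and de-duplicated.
# Findings without a quoted name (e.g. hidden-file warnings) are skipped
# here and have to be reviewed by hand.
flagged_names() {
    grep -E 'INFECTED|Warning' "$1" \
        | sed -n "s/^[^']*'\([^']*\)'.*/\1/p" \
        | awk -F/ '{print $NF}' \
        | sort -u
}

# Names flagged in both reports: investigate these first.
both_flagged() {
    a=$(mktemp) && b=$(mktemp)
    flagged_names "$1" > "$a"
    flagged_names "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Names flagged only in the first report: the usual home of false positives.
only_in_first() {
    a=$(mktemp) && b=$(mktemp)
    flagged_names "$1" > "$a"
    flagged_names "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample reports shaped like the tools' output, so the comparison
# can be tried without a real scan. Replace them with the files run_scans writes.
CHK_SAMPLE=$(mktemp)
cat > "$CHK_SAMPLE" <<'EOF'
Checking 'ls'... INFECTED
Checking 'ps'... not infected
Checking 'netstat'... INFECTED
EOF

RK_SAMPLE=$(mktemp)
cat > "$RK_SAMPLE" <<'EOF'
Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: POSIX shell script
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script
Warning: Hidden file found: /etc/.java: directory
EOF
trap 'rm -f "$CHK_SAMPLE" "$RK_SAMPLE"' EXIT

echo "Flagged by both tools (investigate first):"
both_flagged "$CHK_SAMPLE" "$RK_SAMPLE"
echo "Only chkrootkit:"
only_in_first "$CHK_SAMPLE" "$RK_SAMPLE"
echo "Only rkhunter:"
only_in_first "$RK_SAMPLE" "$CHK_SAMPLE"
```

With the sample data, ls is flagged by both tools and deserves attention first, while egrep appears only in the rkhunter report: on Debian and derivatives /usr/bin/egrep is a small shell wrapper around grep, so this warning is a well-known false positive that can be whitelisted in rkhunter.conf (SCRIPTWHITELIST) once you have confirmed the file's contents. A name flagged by only one tool is exactly the case where you should look the finding up before deleting anything.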