Malware is growing on Linux, and rootkits have been a problem for *nix systems for a long time. It is not true that *nix systems need no antivirus or can neglect security; whoever thinks so is very wrong. Although they are safer, and their configuration options let us harden them more effectively, we must not neglect security, because doing so leaves us vulnerable.
For this reason, we present three good tools that will remove malware and rootkits from our Linux distro. These three projects will help us keep our system clean of threats. One of them is chkrootkit, a command-line tool that helps us detect rootkits. Another is Lynis, a good security-auditing tool that also acts as a rootkit scanner. Finally, we will look at ISPProtect, a scanner for web servers that helps us scan for malware.
To install chkrootkit, we do the following:
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense
cd ..
mv chkrootkit-<version>/ /usr/local/chkrootkit
ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit
To use it, just run:
chkrootkit
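chkrootkit prints one line per check, so for unattended runs it helps to keep only the lines that flag a finding and drop the ones you have already reviewed as false positives (its bindshell and sniffer checks are known for these). The wrapper below is an added example, not chkrootkit's own code nor part of the original post; it assumes chkrootkit is on PATH and that /etc/chkrootkit-allowlist (a hypothetical path) is a hand-maintained file with one fixed-string pattern per line.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code, not from the original post):
# triage chkrootkit output for unattended runs. Keeps only lines that signal
# a finding and drops patterns listed in a hand-reviewed allowlist file.
# Assumption: /etc/chkrootkit-allowlist (hypothetical path) holds one
# fixed-string pattern per line, e.g. "INFECTED (PORTS:  465)" on a host
# whose SMTPS service is known to trigger the bindshell check.
ALLOWLIST="${CHKROOTKIT_ALLOWLIST:-/etc/chkrootkit-allowlist}"

# Keep only lines chkrootkit uses to flag problems ("not infected" is
# lowercase and therefore does not match).
extract_findings() {
    grep -E 'INFECTED|Warning|Vulnerable|PACKET SNIFFER' || true
}

# Remove findings that match any fixed-string pattern in the allowlist file.
apply_allowlist() {
    if [ -s "$1" ]; then
        grep -v -F -f "$1" || true
    else
        cat
    fi
}

# Read chkrootkit output on stdin, print what survives the allowlist and
# return 1 when anything remains (usable directly as a cron job exit status).
triage() {
    findings=$(extract_findings | apply_allowlist "${1:-$ALLOWLIST}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample in chkrootkit's output format, so the logic can be
# exercised offline; both flagged lines are classic false positives.
SAMPLE=$(cat <<'EOF'
Checking `ls'... not infected
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[512])
Checking `chkutmp'... chkutmp: nothing deleted
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
)

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | triage "${2:-/dev/null}" ;;  # offline run
    --scan) chkrootkit 2>&1 | triage "${2:-$ALLOWLIST}" ;;        # real run
esac
```

Run it as `sh triage.sh --demo` to see the sample findings, or `sh triage.sh --scan` from cron so a non-zero exit status raises an alert only for findings not on the allowlist.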
The other tool is Lynis, as we said. To install it:
cd /tmp
wget https://cisofy.com/files/lynis-2.1.1.tar.gz
tar xvfz lynis-2.1.1.tar.gz
mv lynis /usr/local/
ln -s /usr/local/lynis/lynis /usr/local/bin/lynis
lynis update info
Now we can use it to audit our system:
lynis audit system
Lastly, the ISPProtect web tool, which needs PHP installed on the machine beforehand; if we do not have it yet, install it first:
mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan
This last tool is especially good for scanning machines that act as servers. To use it:
ispp_scan
Rkhunter is far superior to Chkrootkit. Be careful with Chkrootkit, it usually gives false positives. The post is very good, especially the note about creating your own distro. :D
Hello, of course, there are more than those I have put in the article... And as you say, I forgot to comment on the false positives, but it is true that sometimes it detects suspicious files that are not rootkits.
A greeting!
I agree with you that Rkhunter is superior, because of the false positives. In any case, it would be good if you could comment on what to do in the event that malware is found with either the Chkrootkit or the Rkhunter program, and, if the bug or malware cannot be eliminated through these programs in Unix or Linux environments, what steps to follow next. I would also like to know to what extent the Rkhunter and Chkrootkit anti-malware programs for Unix are reliable, and whether their malware-definition updates are constant, because as far as I know these programs are updated very quickly. Every now and then, months can even pass between updates.
I also wanted to know about the ClamAV antivirus for Unix and Linux environments, where security updates are more regular than for Rkhunter and Chkrootkit: does it serve only to detect and eliminate Windows threats in a Unix environment, or does it eliminate both Windows threats and Unix threats at the same time? Thanks
I have the same doubts as José. But hey, I suppose that now that they are "attacking" us more, more information on how to protect Linux will come out.
Latest news for Linux regarding its security:
http://www.redeszone.net/2016/02/17/un-fallo-en-la-libreria-c-de-gnu-expone-la-seguridad-de-miles-de-aplicaciones-y-dispositivos-linux/
Latest news on security threats:
http://www.redeszone.net/2016/02/17/wajam-un-adware-que-se-utiliza-para-distribuir-troyanos-y-exploits/
How to remove Wajam:
https://www.bugsfighter.com/es/remove-wajam-ads/
Why should I download chkrootkit from the unknown and dubious wget –pasive-ftp ftp://ftp.pangeia.com/br/pub/seg/pac/chkrootkit.tar.gz, if I have it in the Ubuntu repositories.