
Rootkits: what they are and how to detect them in linux


Anonim

When an intruder breaks into a system, one of the first things they usually do is install a rootkit. From that moment on they keep control of the machine while hiding their presence. Rootkits are therefore a serious risk, and it is essential to know what they are, how they work and how to detect them.

Rootkits were first noticed in the 1990s, on Sun Unix systems. What administrators saw first was strange behaviour on the server: unusually high CPU usage, disk space running out, and network connections that the netstat command could not account for.


What are Rootkits?

A rootkit is a set of tools whose main purpose is to hide itself and anything else that would reveal an intruder's presence on the system, for example modified processes, programs, directories or files. This lets the attacker return to the system remotely and unnoticed, usually for malicious ends such as exfiltrating sensitive information or carrying out destructive actions. The name comes from the fact that, once installed, a rootkit gives the attacker easy access to the machine as the root user.

Classically, a rootkit works by replacing system programs with altered versions that behave like the originals but additionally carry out the attacker's actions and hide any evidence of the intrusion. These modified binaries are known as Trojans, so a classic rootkit is essentially a collection of Trojans.

On Linux, traditional viruses are not the main danger. The greater risk is the vulnerabilities discovered every day in the programs installed on the system, which an intruder can exploit to gain privileges and install a rootkit. This is why it is so important to keep the whole system updated and to check its integrity continuously.

Binaries that are frequently replaced by trojaned versions include login, telnet, su, ifconfig, netstat and find, among others, as well as the daemons for the services listed in /etc/inetd.conf.


Types of rootkits

We can classify them by the technique they use. Accordingly, there are three main types:

  • Binary rootkits: those that replace a set of critical system programs with modified look-alikes.
  • Kernel rootkits: those that modify components of the kernel itself (for example through loadable kernel modules), so that every program on the system sees the falsified view.
  • Library rootkits: those that replace or hook system libraries (for example through library preloading) so that the trojan code runs inside otherwise unmodified programs.

Detecting Rootkits

We can do this in several ways:

  • Verifying the legitimacy of the files with checksums. A cryptographic hash (the article's MD5 example; today SHA-256 is preferred, since MD5 collisions can be constructed deliberately) maps a file to a fixed-size sum, so two files with the same sum are, for practical purposes, identical. A good administrator stores the checksums of the clean system on an external, read-only device; later on, comparing fresh sums against that baseline reveals files that have been replaced. Tools such as Tripwire automate this comparison. Two caveats: the baseline must be taken from a known-clean system, and a kernel rootkit can lie to the program doing the checking, so the verification should ideally run from trusted boot media.
  • Port scans from another machine, to find backdoors listening on ports that are normally unused. Scanning from outside matters because a trojaned netstat on the compromised host will hide those listeners.
  • Specialised daemons such as rkdet, which detect installation attempts, in some cases prevent them, and notify the administrator.
  • Shell-script checkers such as chkrootkit, which look for binaries on the system that have been modified by known rootkits.
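The checksum approach described above, applied to the list of commonly trojaned binaries from earlier in the article, as an added example that is not part of the original page and is not Tripwire's or chkrootkit's code. It assumes sha256sum from GNU coreutils is available; the list of watched paths and the temporary tree it runs against are constructed for the demonstration, so it never touches the real /bin.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal checksum baseline
# and verifier for the binaries a user-land rootkit typically replaces.
# Assumes sha256sum(1) from GNU coreutils. Everything below runs against a
# constructed temporary tree, not the real /bin, so it is safe to try.

# Binaries named in the article as common trojan targets, plus ls and ps,
# which rootkits also commonly replace (assumed list; adjust for your host).
WATCHLIST="bin/login bin/su bin/netstat sbin/ifconfig usr/bin/find bin/ls bin/ps"

# make_baseline ROOT OUTFILE
# Writes "<sha256>  <path>" for every watched file that exists under ROOT.
# Keep OUTFILE on read-only or offline media: a rootkit on the host can
# rewrite a baseline that lives on the same disk.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for rel in $WATCHLIST; do
        f="$root/$rel"
        [ -f "$f" ] && sha256sum "$f" >> "$out"
    done
    return 0
}

# verify_baseline BASELINE
# Prints MODIFIED or MISSING for each watched path whose current hash differs
# from the baseline or which no longer exists. Returns 1 if anything changed.
# (Paths containing whitespace would need sha256sum -c instead of this loop.)
verify_baseline() {
    base=$1; rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    return $rc
}

# --- Demonstration on a constructed tree --------------------------------
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin" "$demo_dir/sbin" "$demo_dir/usr/bin"
for rel in $WATCHLIST; do
    printf 'clean %s\n' "$rel" > "$demo_dir/$rel"   # stand-in for a real binary
done

make_baseline "$demo_dir" "$demo_dir/baseline.sha256"

# Simulate a rootkit: replace netstat with a "trojan" and delete find.
printf 'trojaned netstat that hides a listening port\n' > "$demo_dir/bin/netstat"
rm -f "$demo_dir/usr/bin/find"

verify_baseline "$demo_dir/baseline.sha256"
echo "verify exit status: $?"
```

Run against the constructed tree it reports the replaced netstat as MODIFIED and the deleted find as MISSING, and exits with status 1. On a real host the same two functions apply with `/` as the root, but the baseline file and the sha256sum binary used for the check should both come from trusted, read-only media, because a kernel rootkit can serve the checker a clean copy of a file it has actually replaced.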

Tell us if you have ever been the victim of a rootkit attack, or what practices you follow to avoid one.



