
How To Find Rootkits On Your Linux Device

Aleksa Tamburkovski

Although Linux devices are known for their security, it doesn’t mean they can’t get infected, especially if you’ve fallen for some social engineering - aka being tricked into clicking something you shouldn’t have.

No one thinks it will happen to them, but literally thousands of people fall for it each month. In fact, more than 71 million people a year are victims of phishing exploits alone!

Add in the fact that hackers have been focusing on enterprise systems and creating malware specifically for Linux devices, and the likelihood of your machine being compromised is growing by the day.

But the absolute worst part?

It's the fact that the most malicious malware out there (aka rootkits) can’t even be found by most standard antivirus software…


The good news is that there are specialist tools to find these hidden rootkits.

And in this guide, I'll share two of these that I think you should check out, walk you through how to use one of them step-by-step, and even talk about some rootkit prevention and potential removal methods.

So let’s dive in, and understand what we’re dealing with.

What are rootkits?

A rootkit is a malicious program (or multiple programs) that can give an attacker remote access over a computer system.

Rootkits are similar to trojans or spyware, but worse, because they can be buried so deep inside your machine that it can be very hard to discover them, or even to know that you’ve been infected with one.

There are four major types of rootkits out there:

  1. Kernel Mode Rootkits
  2. User Mode Rootkits
  3. Firmware Rootkits, and
  4. Memory Rootkits

All of them are bad, but the most dangerous are Kernel and Firmware rootkits.

Why?

Simply because these particular types of rootkit can sit inside your operating system itself, maliciously changing how your machine works.


Not great right!?

How to find out if you’ve been infected with a rootkit

You never want to be running a compromised machine, so let's look at two tools you can use to find out if you've got any sneaky rootkits on your device.

Option 1: Network monitoring

The first method I recommend is performing some network monitoring with a tool like TCPdump.

[screenshot: the TCPdump website]

Don't worry about the early '90s looking website. A lot of these tools focus on function over form, and the websites leave a lot to be desired.

Anyways, back to TCPdump...

This tool will allow you to filter out any suspicious traffic that is coming from your device, which could hint at a rootkit being present.

Important: It's not just hiding in your OS that makes these things sneaky. With that in mind, I recommend always running any network monitoring from a different device if possible.

Why? Well, some rootkits can actually mask their actions and traffic, which might not be noticed if you are doing network monitoring from the infected device...
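As an added example (not code from the article), here is what the monitoring-device side of this approach can look like in shell: tcpdump on a separate machine captures only the suspect host's traffic, and an awk filter lists every destination the suspect contacted that is not on an allowlist of services you expect it to use. The addresses, the allowlist and the captured lines are constructed placeholders, and the function names unexpected_destinations and watch_suspect are my own.

```shell
#!/bin/sh
# Added example, not from the article. Shows the monitoring-host side of
# Option 1: capture only the suspect machine's traffic with tcpdump from a
# separate device, then list the destinations it talked to that are not on
# an allowlist of services you expect it to use. Addresses are RFC 5737
# placeholders; the capture below is constructed to match 'tcpdump -nn' output.

# Print "ip:port" for every destination the suspect host sent packets to that
# is not in the allowlist (space-separated "ip:port" entries). Reads tcpdump
# text lines on stdin; IPv4 only ("IP" lines), deduplicated in first-seen order.
unexpected_destinations() {
  awk -v suspect="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # tcpdump writes "a.b.c.d.port": split on the last dot
      sp = match(src, /\.[0-9]+$/); sip = substr(src, 1, sp - 1)
      dp = match(dst, /\.[0-9]+$/)
      key = substr(dst, 1, dp - 1) ":" substr(dst, dp + 1)
      if (sip != suspect || (key in ok) || (key in seen)) next
      seen[key] = 1; print key
    }'
}

# Live use on the monitoring host (needs tcpdump and root; not run in tests):
# -nn keeps addresses and ports numeric, -l line-buffers output for the pipe.
watch_suspect() {
  sudo tcpdump -nn -l -i "$2" host "$1" | unexpected_destinations "$1" "$3"
}

# Constructed sample: the suspect 192.0.2.10 does a DNS lookup and an HTTPS
# connection (expected), then reaches two hosts nobody on the allowlist knows.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.10.51000 > 192.0.2.1.53: 1234+ A? example.com. (29)
12:00:01.000500 IP 192.0.2.1.53 > 192.0.2.10.51000: 1234 1/0/0 A 198.51.100.20 (45)
12:00:02.000001 IP 192.0.2.10.44512 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 IP 192.0.2.10.44600 > 198.51.100.7.4444: Flags [S], seq 2, win 64240, length 0
12:00:04.000001 IP 192.0.2.10.44600 > 198.51.100.7.4444: Flags [P.], seq 1:30, ack 1, length 29
12:00:05.000001 IP 192.0.2.10.44700 > 203.0.113.9.6667: Flags [S], seq 3, win 64240, length 0'

# Allowlist for this sample: the local resolver and the HTTPS site.
EXPECTED_OK='192.0.2.1:53 198.51.100.20:443'
```

Run `printf '%s\n' "$SAMPLE_CAPTURE" | unexpected_destinations 192.0.2.10 "$EXPECTED_OK"` to see the two unexplained destinations; anything listed is a lead to investigate on the suspect host, not proof of a rootkit on its own.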

Now, this is too large a topic to cover in this guide, but I walk through exactly how to use this option in my complete Cybersecurity bootcamp.


Not only do I cover this and more, but I go into so much detail that you can actually become an employed cybersecurity expert - even if you're starting with zero previous experience!

(Although if you're running a Linux machine, I'm going to guess you're a little tech savvy).

Check it out, learn how to secure your current machine and get a potential new job or pay rise out of it!

Option 2: Rkhunter

Rkhunter is a tool that is used to scan systems for known and unknown rootkits, backdoors, sniffers and exploits.

[screenshot: the Rkhunter website]

Again, ignore the low quality of the site. The tool is awesome, the site is meh.

Anyway, here’s how Rkhunter works.

It checks for:

  1. SHA256 hash changes
  2. Files commonly created by rootkits
  3. Executables with anomalous file permissions
  4. Suspicious strings in kernel modules, and
  5. Hidden files in system directories

It actually comes pre-installed in some popular operating systems such as Debian or Fedora but on others it needs to be installed first.

You can read along below for the instructions on how to set this tool up and use it to find rootkits, or simply check out this video here from my cybersecurity course for free.

Anyways, back to the step-by-step walkthrough of this tool.

You can download Rkhunter here from their website, or through GitHub.

Once you’ve done that, you can install it with a command, like so:

[screenshot: installing rkhunter from the command line]

Once you have it up and running, the first thing to do is to look through the tools menu and options to see all of its possibilities.

Go ahead and type the command rkhunter --help.

[screenshot: output of rkhunter --help]

This is the short menu that we get with some of the basic commands, and below this you will also see the full menu with all the options that we can use with this tool.

How to run a rootkit scan

To run a simple scan for rootkits, you’re going to use the --check option, which can be run by typing sudo rkhunter -c, or by typing sudo rkhunter --check.

Important: Remember to use sudo every time you run this tool to give it all the privileges that it might need.


Once this command is started, you just need to sit back and let rkhunter do its job for a minute or two.


The first thing the tool will do is run “Performing ‘strings’ command checks”.

If you’re not sure whether it's working correctly, the output should look something like this:

[screenshot: the “Performing ‘strings’ command checks” section of the scan output]

On the right side you’ll see the results, stating either ‘OK’ or ‘Warning’.

Important: Keep in mind if you see a ‘Warning’ notification, it doesn’t necessarily mean that there is a backdoor or rootkit present, but rather that there is something found that you should double check after the tool is done scanning.

Once those first checks are done, the tool moves on to specific rootkit scanning:

[screenshot: the “Checking for rootkits” section of the scan output]

Similar to how your standard antivirus works, rkhunter is simply going through and checking your machine against a list of known rootkits and rootkit variants, to see if your device has been infected with them.

As you can probably guess, if you get a “Not Found” result next to a rootkit name, it means that type of rootkit is most likely not present. Huzzah!

It doesn’t stop there though.

Once rkhunter has gone through the list of known rootkits, it will then perform additional rootkit checks to see if any common rootkit exploits are present (indicating a possible new issue from a new, undocumented rootkit).

Finally, it will also perform some network security and local host checks, along with filesystem, group, and accounts checks.

Important: A common warning that you might get here is for 'root ssh access'.

Don't freak out. All that's happened is you probably don't have this enabled in the settings, so check, enable it, and then run again.

So that's the 4 major checks done by the tool.

As long as you didn’t get any positive result for rootkits, that is a good sign, and your machine is clean. Huzzah!
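The walkthrough above, scripted, as an added example (not the article's or the rkhunter project's code): it runs the same sudo rkhunter -c scan non-interactively, lists the checks the log flagged as Warning so you can follow each one up after the scan, and shows what the 'root ssh access' warning actually compares, sshd's PermitRootLogin against rkhunter's ALLOW_SSH_ROOT_USER setting in rkhunter.conf. The log and config excerpts are constructed samples shaped like the real files, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or the rkhunter project): scripts the
# scan the article walks through, pulls the checks flagged Warning out of the
# log for follow-up, and explains the common 'root ssh access' warning, which
# rkhunter raises when sshd's PermitRootLogin and ALLOW_SSH_ROOT_USER disagree.

# The article's scan, with --sk so it runs without keypress prompts (cron-able).
# rkhunter writes the full result log to /var/log/rkhunter.log by default.
run_scan() {
  sudo rkhunter -c --sk
}

# Print the name of every check that ended in "[ Warning ]", one per line.
# Result lines in the log look like "[HH:MM:SS] <check>   [ Warning ]".
warnings_in_log() {
  grep -E '\[ Warning \]' "$1" | sed -E 's/^\[[0-9:]+\] *//; s/ *\[ Warning \]$//'
}

# Last active value of a "Key value" (sshd_config) or "KEY=value"
# (rkhunter.conf) setting, comment lines ignored; prints "unset" if absent.
config_value() {
  v=$(grep -E "^[[:space:]]*$2[[:space:]=]" "$1" | tail -n 1 \
      | sed -E "s/^[[:space:]]*$2[[:space:]=]+//; s/[[:space:]]*\$//")
  [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Exit 0 when the two settings agree, 1 when rkhunter would warn. Clear a
# mismatch by making ALLOW_SSH_ROOT_USER reflect what sshd really does.
ssh_root_settings_match() {
  sshd=$(config_value "$1" PermitRootLogin)
  rkh=$(config_value "$2" ALLOW_SSH_ROOT_USER)
  printf 'PermitRootLogin=%s ALLOW_SSH_ROOT_USER=%s\n' "$sshd" "$rkh"
  [ "$sshd" = "$rkh" ]
}

# Constructed samples shaped like the real files, for trying the helpers offline.
SAMPLE_LOG='[12:00:01] Checking for hidden files and directories        [ Warning ]
[12:00:01] Warning: Hidden directory found: /tmp/.constructed-example
[12:00:02] Checking if SSH root access is allowed              [ Warning ]
[12:00:02] Warning: The SSH and rkhunter configuration options should be the same:
[12:00:03] Checking for passwd file changes                    [ None found ]
[12:00:04] Checking for suspicious (large) shared memory segments [ Warning ]'
SAMPLE_SSHD='# constructed sshd_config excerpt
#PermitRootLogin prohibit-password
PermitRootLogin no'
SAMPLE_RKH_OK='# constructed rkhunter.conf excerpt
ALLOW_SSH_ROOT_USER=no'
SAMPLE_RKH_BAD='ALLOW_SSH_ROOT_USER=yes'
```

On a real box, `warnings_in_log /var/log/rkhunter.log` after `run_scan` gives you the follow-up list, and `ssh_root_settings_match /etc/ssh/sshd_config /etc/rkhunter.conf` tells you whether the SSH warning is just the two settings disagreeing.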

But what if you actually do find a rootkit? Well, that's a tough one...

How to remove rootkits

Unfortunately, rootkits are a complete pain in the ass to get rid of, and the only 100% sure fire way to remove a rootkit from a device that has been infected is to wipe the device and reinstall the operating system.


Hold off on doing that just yet though! As long as it's not a kernel or firmware rootkit sitting at the OS or boot level, you might be able to get rid of it.

How?

You can grab a copy of the premium version of common antivirus tools, such as Malwarebytes, Avast rootkit scanner, or Kaspersky, and run them.

Then, go ahead and run rkhunter again to see if they worked and removed the issue.

If yes then everything is good to go. But if not, then I'm sorry but you have to go nuclear and a full-wipe is the only surefire way of getting rid of those more stubborn rootkits out of your OS.

I know it's not the most appealing solution, but you never want to be running a compromised machine! This is why it is always important to have a backup of all your important data in case something like this happens.

Some good news though?

It's not guaranteed to stay this way forever, but the majority of malware out there right now is often a simple trojan or a backdoor, and not a low-level rootkit.

Sure, you still need to keep your machine clean and remove these, but they are much easier to fix, and don't require a system wipe!

Also?

Remember that prevention is better than cure, so make sure that you're still practicing good security habits!

  • Periodically scan your system with premium Antivirus software that has additional rootkit scanners included
  • Regularly update your operating system, since unpatched vulnerabilities make it easier for a rootkit to find its way deep into the system
  • And use specialist tools every few weeks just to double check your machine is safe

What are you waiting for? Go scan your machine now!

Like I said up top, most users have no idea that their machine is compromised - especially when you think of how secure Linux devices are.

But it could be that your machine is logging every keystroke, every search, and every purchase, so go check now, and get some peace of mind!

P.S.

If you want to learn more about cybersecurity, and level up your skills, then check out my complete cybersecurity bootcamp. You can watch the first few lessons here for free.

You can start with absolutely zero experience, and I'll walk you through everything you need to know to be hired in one of the most in-demand and growing industries in tech today.
