What is a Rootkit?
A rootkit is malicious software that allows an unauthorized user (read: attacker) to gain access to a system and to its restricted software. Basically, rootkits are a type of malware designed to stay hidden on our computer: we don't notice it, but it stays active. Rootkits give cyber criminals the ability to remotely control our computer.
Rootkits may contain a number of tools, from malicious programs that allow attackers to steal our passwords to modules that make it easy for them to get our credit card or online banking information, or even our secretly stored data. They can also contain keyloggers, credential stealers etc.
"Rootkit" is a combination of two words, "root" and "kit". Here "root" refers to the administrative account with full privileges on the computer system, and "kit" refers to the program/code that allows the attacker to obtain unauthorized access.
On our Kali Linux, we can install various open-source tools to protect our systems from rootkits. Here we talk about the two most famous open-source ones, "chkrootkit" and "rkhunter". We can install them on our Kali Linux or any other Linux distro and check for rootkits on our computer (if we are working in a virtual environment on Linux, they can only detect rootkits inside the virtual system).
Chkrootkit
Chkrootkit can be run on Linux systems to determine whether rootkits exist on the system, based on signatures and processes. Think of it as antivirus or anti-malware for Linux systems.
Chkrootkit is a simple program that can check that our Kali Linux has not been infected. We can also run chkrootkit on other Linux distributions by installing it on those systems; it usually comes with almost every Linux distribution, including Kali Linux. On our Kali Linux system we need to run the following command to start chkrootkit and scan for rootkits:
It will prompt for our sudo password and then start scanning our system, as we can see in the following screenshot:
We can see it scans the permissions of programs (most specifically third-party programs), and we can see the infection status in the column on the left.
Rkhunter (Rootkit Hunter)
Rkhunter (Rootkit Hunter) is a Linux/Unix-based tool that scans for possible rootkits, backdoors and local exploits.
It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux. (Wikipedia)
According to our team members, "rkhunter" is the best open-source rootkit checker for Linux because of its additional functionality; also, other tools like chkrootkit are old, so there are many known exploits for them.
It doesn't come pre-installed with Kali Linux, but we can install it with the following simple command:
The following screenshot shows the output of the above command:
After the installation is complete, we can run it to scan our entire system with the following command:
After this it will scan our entire system in several categories, such as malware scans, known rootkit scans, suspicious port scans etc. It will also go through all the system files as well as third-party programs looking for rootkits, as we can see in the following screenshot:
We need to press Enter to scan the next category. It will also summarize the report at the end of the scan, and it saves the output log file in /var/log/rkhunter.log.
We can view the log file by entering the following command:
In the following screenshot we can see the log file in the Mousepad text editor (we can also use cat, nano or vim to view/edit this file).
This is how we can check for rootkits on our Linux system. It is very easy to scan for them.
How to Remove Rootkits / Security Warnings from Linux
Well, now we know how we can check for rootkits on our Linux (Kali Linux) system. But what if we find a rootkit inside our system? How can we remove it?
There are different methods to fix different warnings, so it is impossible to cover them all in one place. Here search engines can easily help us. In the following screenshot we got a warning, and we copied the line.
We just select the line and copy it, then paste it into a search engine and search for it. In the following screenshot we can see that we found some articles and forum posts about our warning. These will help us improve the security of our Linux system.
That's it for today. Hope our Linux system will be stronger now.
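As an added example (not part of the original post), here is a small POSIX shell helper for the log-reading step above: it pulls the "Warning:" lines out of an rkhunter log so each one can be copied into a search engine on its own, and counts how many checks were flagged. It assumes the log is in rkhunter's usual "[HH:MM:SS] message" format; the sample log embedded below is constructed, not a real scan result.

```shell
#!/bin/sh
# Added helper, not part of rkhunter. On a real system run
#   sudo rkhunter --check --sk
# and then point these functions at /var/log/rkhunter.log.

# Print every "Warning:" line from an rkhunter log with the time stamp removed,
# one warning per line, ready to be copied into a search engine.
rkhunter_warnings() {
  grep 'Warning:' "$1" | sed 's/^\[[0-9:]*\][[:space:]]*//'
}

# Count the checks whose status column ended in "[ Warning ]".
count_warning_checks() {
  grep -c '\[ Warning \]' "$1"
}

# Constructed sample log in the shape of rkhunter's output (not a real scan).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:02] Checking for hidden files and directories        [ Warning ]
[10:15:02] Warning: Hidden directory found: /etc/.java
[10:15:02] Warning: Hidden directory found: /dev/.udev
[10:15:03] Checking if SSH root access is allowed           [ Warning ]
[10:15:03] Warning: The SSH and rkhunter configuration options should be the same:
[10:15:04] Checking for passwd file changes                 [ None found ]
[10:15:05] System checks summary
[10:15:05] Rootkit checks...
[10:15:05]     Rootkits checked : 478
[10:15:05]     Possible rootkits: 0
EOF

# List the warnings, then how many checks were flagged.
rkhunter_warnings "$SAMPLE_LOG"
echo "checks flagged: $(count_warning_checks "$SAMPLE_LOG")"
```

Many rkhunter warnings are benign (a known hidden directory, a changed binary after a package update), so check the flagged file against its package before treating it as an infection.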