
Searching for Rootkits on Kali Linux using Chrootkit & Rkhunter


Cyb3rShot


What is a Rootkit?

A rootkit is malicious software that gives an unauthorized user (read: attacker) access to a system and to its restricted functions. Rootkits are a type of malware designed to stay hidden on our computer: we don't notice it, but it stays active, and it gives cyber criminals the ability to control our computer remotely.

A rootkit may bundle a number of tools, from malicious programs that let attackers steal our passwords to modules that make it easy for them to capture our credit card or online banking details, or even our secretly stored data. It may also contain keyloggers, credential stealers and similar components.

"Rootkit" is a combination of two words, "root" and "kit". Here "root" refers to the administrative account with full privileges on the system, and "kit" refers to the programs/code that let the attacker keep unauthorized access.

On Kali Linux we can install open-source tools that check our system for rootkits. Here we talk about the two best-known ones, "chkrootkit" and "rkhunter". We can install them on Kali Linux or any other Linux distribution and check the computer for rootkits (if we are working in a virtual machine, they can only detect rootkits inside that virtual system, not on the host).

Chkrootkit

Chkrootkit can be run on Linux systems to determine whether known rootkits exist on the system. It looks for the signatures of known rootkits in system binaries and runs checks on running processes (hidden from ps or readdir), network interfaces (promiscuous mode) and login records (deleted wtmp/lastlog entries). Think of it as a signature-based antivirus or anti-malware scanner for Linux systems.

Chkrootkit is a simple program that helps confirm our Kali Linux has not been infected with a known rootkit. We can also run chkrootkit on other Linux distributions by installing it there; it is packaged for almost every distribution, including Kali Linux. On Kali we run the following command to start chkrootkit and scan for rootkits (it needs root, because it inspects other users' processes and the raw network interfaces):

sudo chkrootkit

It will prompt for our sudo password and then start scanning the system, as we can see in the following screenshot:

[screenshot: output of sudo chkrootkit]

Each line of the output names a binary or a check and reports its status on the right, for example `not infected`, `INFECTED`, `not found` (the binary is not installed on this system) or `nothing found`. Anything reported as INFECTED, as a Warning or as a "Possible" rootkit needs investigation; the rest is clean.
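Here is an added example of how we can run chkrootkit unattended (for example from cron) and keep only the lines that need a human. This is our own wrapper script, not code from the original post or from the chkrootkit project; the log directory is this script's own choice, and the sample report inside it is constructed so the filter can be tried on a machine without chkrootkit installed.

```shell
#!/bin/sh
# Added example (not from the original post or the chkrootkit project): run
# chkrootkit unattended, keep the full report, and print only the lines a
# person needs to look at. LOG_DIR is this script's own convention.
set -u

LOG_DIR="${LOG_DIR:-/var/log/chkrootkit}"

# Lines chkrootkit uses to flag a problem. The match is deliberately
# case-sensitive: a clean binary is reported as "not infected", so a
# case-insensitive search for "infected" would flag every clean line.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|Possible|PACKET SNIFFER|suspicious files' "$1" || true
}

# Number of flagged lines, usable as a verdict by cron or a CI job.
chkrootkit_count() {
    chkrootkit_findings "$1" | grep -c . || true
}

# Constructed sample of chkrootkit output (not a real scan) in the tool's
# "Checking `name'... status" layout, for trying the filter offline.
sample_chkrootkit_report() {
    cat > "$1" <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `aliens'... no suspect files
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhcpd[1234])
Checking `wted'... chkwtmp: nothing deleted
EOF
}

run_chkrootkit() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: chkrootkit reads /proc and the network interfaces" >&2; return 2; }
    command -v chkrootkit >/dev/null 2>&1 || { echo "chkrootkit is not installed" >&2; return 2; }
    mkdir -p "$LOG_DIR"
    report="$LOG_DIR/chkrootkit-$(date +%Y%m%d-%H%M%S).log"
    chkrootkit > "$report" 2>&1          # full output kept for later review
    n=$(chkrootkit_count "$report")
    if [ "$n" -gt 0 ]; then
        echo "chkrootkit: $n line(s) need review, full report in $report" >&2
        chkrootkit_findings "$report" >&2
        return 1
    fi
    echo "chkrootkit: nothing flagged, full report in $report"
}

# Scan only when asked, so the file can also be sourced for its functions:
#   sudo sh chkrootkit-wrap.sh scan      (real scan)
#   sh chkrootkit-wrap.sh demo           (filter over the constructed sample)
case "${1:-}" in
    scan) run_chkrootkit ;;
    demo) f=$(mktemp); sample_chkrootkit_report "$f"; chkrootkit_findings "$f"; rm -f "$f" ;;
    "")   ;;
    *)    echo "usage: $0 scan|demo" >&2 ;;
esac
```

The wrapper returns 1 when anything was flagged and 2 when it could not run at all, so a cron job or monitoring check can tell "clean", "needs review" and "broken" apart without reading the report.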

Rkhunter (Rootkit Hunter)

Rkhunter (Rootkit Hunter) is a Linux/Unix tool that scans for possible rootkits, backdoors and local exploits.

It does this by comparing cryptographic hashes and other properties of important files against a baseline it stores locally (we record that baseline ourselves, on a system we trust), searching for the default directories and files of known rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and by running special tests for Linux.

According to our team members, "rkhunter" is the best open-source rootkit checker for Linux because of its additional checks; chkrootkit is an older tool whose signature checks are widely known, so a rootkit author can specifically evade them. Keep in mind that both tools run from user space on the very system they examine, so a rootkit that already controls the kernel can hide from them: a clean report is evidence, not proof, and a host we really suspect should also be examined from trusted boot media or from its disk image.

It doesn't come pre-installed on Kali Linux, but we can install it with the following command:

sudo apt install rkhunter -y

The following screenshot shows the output of the above command:

[screenshot: output of sudo apt install rkhunter -y]

After the installation completes we can scan the whole system with the following command (`-c` is short for `--check`):

sudo rkhunter -c

It then scans the system in several categories: known rootkit checks, malware checks, suspicious port checks and so on. It also goes through the system files and third-party programs looking for traces of rootkits, as we can see in the following screenshot:

[screenshot: sudo rkhunter -c scan in progress]

We need to press Enter to continue to the next category (when running unattended, the `--sk` option skips that keypress). It prints a summary at the end of the scan and saves the full log to /var/log/rkhunter.log.

We can see the log file by entering following command:

sudo mousepad /var/log/rkhunter.log

In the following screenshot we can see the log file in the mousepad text editor (we can also use cat, less, nano or vim to view/edit this file).
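Here is an added example that ties the rkhunter scan and the log file together, and that also covers the warning triage discussed further down: it runs rkhunter unattended, pulls the "Warning:" lines out of /var/log/rkhunter.log, and reports only the warnings we have not already reviewed. This is our own script, not code from the original post or from the rkhunter project. The allowlist file and its path are this script's own convention (not an rkhunter feature), the sample log inside it is constructed in rkhunter's log layout, and the rkhunter options it uses (`--update`, `--propupd`, `--check`, `--sk`, `--rwo`) are real.

```shell
#!/bin/sh
# Added example (not from the original post or the rkhunter project): run
# rkhunter unattended, extract the "Warning:" lines from its log, and report
# only warnings that are not yet in a reviewed allowlist. The allowlist file
# is this script's own convention; RKH_LOG is rkhunter's default log path.
set -u

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"
ALLOWLIST="${ALLOWLIST:-/etc/rkhunter-reviewed-warnings.txt}"

# Every distinct "Warning:" line in an rkhunter log, with the "[HH:MM:SS] "
# prefix stripped so the same warning compares equal across runs. Status
# lines ending in "[ Warning ]" have no colon and are left out on purpose.
rkhunter_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[0-9:]*\] *//' | sort -u
}

# Warnings not present (as whole lines) in the reviewed allowlist.
# A missing allowlist means every warning is new.
rkhunter_new_warnings() {
    allow="$2"
    [ -f "$allow" ] || allow=/dev/null
    rkhunter_warnings "$1" | grep -vxF -f "$allow" || true
}

# Constructed sample log (not from a real scan) in rkhunter's log layout.
sample_rkhunter_log() {
    cat > "$1" <<'EOF'
[10:22:31] Info: Starting test name 'filesystem'
[10:22:31] Checking /dev for suspicious file types         [ None found ]
[10:22:32] Warning: Hidden file found: /etc/.java: directory
[10:22:33] Checking for hidden files and directories       [ Warning ]
[10:22:33] Warning: Hidden file found: /etc/.java: directory
[10:22:34]   /usr/bin/lwp-request                          [ Warning ]
[10:22:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:22:35] Info: Test completed
EOF
}

run_rkhunter() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter is not installed" >&2; return 2; }
    # Refresh rkhunter's data files. Exit status 2 means "updated", not failure.
    # Debian-based systems may disable the download in rkhunter.conf, so a
    # failure here is tolerated and the scan uses the local data.
    rkhunter --update >/dev/null 2>&1
    case $? in
        0|2) ;;
        *)   echo "rkhunter --update failed (offline or disabled); scanning with local data" >&2 ;;
    esac
    # --sk: no keypress between test groups; --rwo: console shows warnings only.
    # The complete log still goes to $RKH_LOG. Exit status 1 just means warnings.
    rkhunter --check --sk --rwo >/dev/null 2>&1 || true
    new=$(rkhunter_new_warnings "$RKH_LOG" "$ALLOWLIST")
    if [ -n "$new" ]; then
        echo "rkhunter: new warnings (review them, then add accepted lines to $ALLOWLIST):" >&2
        printf '%s\n' "$new" >&2
        return 1
    fi
    echo "rkhunter: no warnings outside the reviewed allowlist"
}

# baseline: re-record file properties. Only do this right after an update we
# trust, on a system we believe is clean; on an infected host it blesses the rootkit.
#   sudo sh rkhunter-wrap.sh scan
#   sudo sh rkhunter-wrap.sh baseline
case "${1:-}" in
    scan)     run_rkhunter ;;
    baseline) rkhunter --propupd ;;
    "")       ;;
    *)        echo "usage: $0 scan|baseline" >&2 ;;
esac
```

The allowlist is how we stop re-reading the same accepted warning every day: once we have verified a flagged file (for example by checking it against the package manager after an update), we paste its exact warning line into the allowlist, and only genuinely new warnings reach us. The `baseline` step is deliberately separate from `scan`, because `rkhunter --propupd` records whatever is on disk as "known good".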

[screenshot: /var/log/rkhunter.log opened in mousepad]

This is how we check for rootkits on our Linux system; it is very easy to scan for them.


How to Remove Rootkits / Security Warnings from Linux

Now we know how to check for rootkits on our Linux (Kali Linux) system. But what if we find a rootkit, or a warning, on our system? How do we deal with it?

Different warnings need different fixes, so it is impossible to cover them all in one place, and a search engine helps here. Before searching, though, check whether the warning is a false positive: rkhunter compares files against the baseline it recorded, so a system update that legitimately replaced a binary produces warnings until the baseline is refreshed, and a file should be verified against the package manager before we accept it. If a real rootkit is confirmed, the system can no longer be trusted: preserve the evidence (disk image, logs), then reinstall from known-good media and restore data from backups taken before the compromise, rather than trying to delete the rootkit in place. In the following screenshot we got a warning and copied the line.

[screenshot: the rkhunter warning line that was copied]

We just select the line, copy it, and paste it into a search engine. In the following screenshot we can see the articles and forum threads we found about our warning. Reading them helps us understand the warning and improve the security of our Linux system.

[screenshot: search engine results for the warning]

That's it for today. Hopefully our Linux system is stronger now.
