
What You Need to Know About Linux Rootkits

1 reply to this topic

#1 NickAu


    Bleepin' Fish Doctor

  • Moderator
  • 13,688 posts
  • Gender:Male
  • Location: Australia
  • Local time:12:01 PM

Posted 23 November 2014 - 07:01 PM

I have been asked about rootkits on Linux many times.


Prevention and Monitoring
The best way to keep one's system secure and free of rootkits is to prevent them from being installed on one's system. One way of doing this is not allowing the attacker to have access to the administrative account. Without root access the attacker can't hide their tracks with a rootkit. To monitor a system, a technique called file integrity checking is used to detect rootkits fast by looking at the machine for changes. The idea is to make a fingerprint of the machine right after a fresh install and after a newly installed program. A fingerprint is a cryptographic hash function which makes a hash that depends on every bit of data in a file. After this hash is made, by calculating and comparing the stored hash value with the current hash value, changes in the data can be detected. Also, there is Linux software which checks the integrity of files on a machine. One example of this type of software is Tripwire, which uses a hash function and stores the information about the files in a password-protected database. It will alert the user if the files which are being monitored have changed, and then the user can see if a rootkit changed that file. However, the best way to prevent rootkits is by practicing smart security, for example, firewalls, good passwords, checking permissions, etc.


Thank you to Bill Keys for this informative post. I'm sure he won't mind me linking to his post because anything that improves security is a good thing.

Bill is an experienced developer with all things open source and holds a BS in Computer Science with a minor in Math from SUNY Plattsburgh. Bill has been utilizing his skills with the Linuxsecurity team for more than a year now, and holds the duo of Python and Perl as his tools of choice. And, like the rest of the Linuxsecurity team, Bill also runs Ubuntu for his desktop and EnGarde Linux for his server.

Edited by NickAu1, 23 November 2014 - 07:46 PM.
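The baseline-then-compare approach described in the post above, as an added example that is not part of the original post and is not Tripwire's code: it hashes every regular file under a directory with SHA-256, records mode and size alongside the hash, and reports which paths were added, removed or modified. The sample tree and the tampering are constructed for the demo; on a real host the stored baseline has to live off the box or on read-only media, since anything with root could otherwise rewrite it to match.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline/compare (added example, not Tripwire)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents; the digest depends on every byte."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    root = Path(root)
    fp = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            fp[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return fp


def compare(baseline, current):
    """Diff two fingerprints; a changed hash, mode or size counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        stored = json.loads(json.dumps(fingerprint(root)))  # what the baseline store would hold
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho tampered\n")  # same size, new content
        (root / "etc" / ".hidden").write_text("x")  # dotfiles are not skipped
        (root / "etc" / "passwd").unlink()
        return compare(stored, fingerprint(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the replaced `bin/ls` keeps its size and mode, so only the hash catches it; that is why the fingerprint is a digest over the content rather than a stat of the file.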



#2 wizardfromoz


  • Banned
  • 2,799 posts
  • Gender:Male
  • Local time:11:01 AM

Posted 23 November 2014 - 09:05 PM

Nick I was wondering if you might care to duplicate the above and post it at Blackhats, or if not, may I?


It is a near-perfect fit for the type of stratagems I would like to provide the readers there.


Let me know, ta


:wizardball: Wizard
