Checking for Known Rootkits

A "rootkit" is a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection. Thus, it runs clandestinely while misusing your device or stealing passwords and other data.

Below you can find some useful tools to check whether your Linux system is compromized. For Windows, we recommend rebooting your PC from a Linux Live-DVD and using the same tools. If your device has been compromised, please inform Computer.Security@cern.ch immediately of any suspected break-in, pull out the network cable from that device, but leave it running.

CRK

If you have AFS, just run:

$ cd /afs/cern.ch/project/security/cern/public/tools
$ ./crk

If you do not have AFS, copy the above check-rootkit directory to a local directory and run the script from there:

$ scp -r username@lxplus:/afs/cern.ch/project/security/cern/public/tools /tmp/check-rootkit
$ cd /tmp/check-rootkit
$ ./crk

sucKIT

A simple, but insufficient, check for the "SucKIT" rootkit is

$ ls -li /sbin/init /sbin/telinit

On a “good” device this should give /sbin/telinit as a symbolic link to init. With the "SucKIT rootkit, both appear as regular files, with the same inode number (1st number in output) and reference count (2nd number)=1.

Alternatives

Alternatively, other useful tools for rootkit detection are "rkhunter" (yum install rkhunter; rkhunter --check) or "chrootkit".