A rootkit is malicious software designed to hide its presence while giving attackers persistent, privileged access to a compromised system. Rootkits are among the most dangerous threats in cybersecurity because they are specifically designed to evade detection by standard security tools. This guide covers every method for finding and eliminating rootkits on Linux servers.
Types of Linux Rootkits
- User-space rootkits - Replace system binaries (ls, ps, netstat) with trojanized versions that hide malicious files and processes
- Kernel-level rootkits - Load as kernel modules (LKM), can hide files, processes, and network connections at the kernel level
- Bootkits - Infect the boot process (MBR/UEFI), load before the operating system
- Memory-only rootkits - Live only in RAM with no disk footprint, disappear on reboot but may reinstall via persistence mechanism
- Library rootkits - Replace or hook shared libraries (LD_PRELOAD injection)
1. Automated Detection with chkrootkit
# Install chkrootkit
sudo apt install chkrootkit # Debian/Ubuntu
sudo dnf install chkrootkit # Fedora/RHEL
# Run full scan
sudo chkrootkit
# Quiet mode - only show suspicious findings
sudo chkrootkit -q
# Expert mode with detailed output
sudo chkrootkit -x
# Check specific tests
sudo chkrootkit sniffer # Check for network sniffers
sudo chkrootkit wtmp # Check wtmp integrity
sudo chkrootkit chkutmp # Check utmp integrity
# What chkrootkit checks:
# - Known rootkit signatures in system binaries
# - Signs of LKM trojans
# - Network interface promiscuous mode (sniffing)
# - Deleted log file entries (log wiping)
# - lastlog and wtmp integrity
# Automated daily scan via cron
echo "0 3 * * * root /usr/sbin/chkrootkit -q 2>&1 | mail -s 'chkrootkit $(hostname)' admin@example.com" | sudo tee -a /etc/crontab
2. Rootkit Hunter (rkhunter)
# Install rkhunter
sudo apt install rkhunter # Debian/Ubuntu
sudo dnf install rkhunter # Fedora/RHEL
# Update rootkit signatures database
sudo rkhunter --update
# Create baseline of current file properties (do this on a CLEAN system)
sudo rkhunter --propupd
# Run complete system check
sudo rkhunter --check
# Skip interactive key presses
sudo rkhunter --check --skip-keypress
# Run specific test categories
sudo rkhunter --check --enable rootkits
sudo rkhunter --check --enable filesystem
sudo rkhunter --check --enable properties
sudo rkhunter --check --enable network
# View scan results
sudo grep -E "Warning|Suspect" /var/log/rkhunter.log
# What rkhunter checks:
# - SHA256 hash comparisons of system binaries
# - Known rootkit files and directories
# - Suspicious file permissions
# - Hidden files in system directories
# - Kernel module integrity
# - Network ports and listening services
# - Startup file modifications
3. File Integrity Monitoring with AIDE
# Install AIDE (Advanced Intrusion Detection Environment)
sudo apt install aide
# Initialize the baseline database (MUST do on a clean system)
sudo aideinit
# This creates /var/lib/aide/aide.db.new
# Copy to active database
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run integrity check (compare current state to baseline)
sudo aide --check
# After legitimate changes (updates, new software), update baseline
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Automate daily checks
echo "0 5 * * * root /usr/bin/aide --check 2>&1 | mail -s 'AIDE $(hostname)' admin@example.com" | sudo tee -a /etc/crontab
4. Package Integrity Verification
# Debian/Ubuntu: verify installed package file integrity
sudo debsums -c # Show only CHANGED files
sudo debsums -a # Check ALL installed package files
sudo debsums -s # Silent mode, only errors
# RHEL/CentOS/Fedora: verify RPM packages
sudo rpm -Va # Verify ALL installed packages
# Output meaning:
# S = Size changed
# M = Mode (permissions) changed
# 5 = MD5 checksum changed
# T = Modification time changed
# Compare critical binary hashes against known-good
sha256sum /bin/ls /bin/ps /bin/netstat /usr/bin/ssh /usr/bin/sudo
# Compare these hashes against a clean reference system
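To make the rpm -Va flag codes above actionable, here is an added triage helper (example code, not part of the original guide) that classifies each verify line: a digest or size change on a non-config file is the pattern a trojanized binary leaves, while an edited config file is routine. The sample input is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original guide: triage rpm -Va output.
# Input format (rpm -V): a 9-character flag field, an optional attribute
# (c = config file, d = documentation, ...), then the path. For files that
# are gone entirely the flag field is replaced by the word "missing".
triage_rpm_verify() {
    awk '
    $1 == "missing" { print "HIGH    missing file: " $NF; next }
    {
        flags = $1; attr = (NF >= 3) ? $2 : ""; path = $NF
        content = (index(flags, "5") || index(flags, "S"))           # digest/size
        perms   = (index(flags, "M") || index(flags, "U") || index(flags, "G"))
        if (attr == "c") {
            # Local edits to config files are expected and are not a rootkit sign.
            print "INFO    config file edited: " path
        } else if (content) {
            print "HIGH    content changed (possible trojanized file): " path
        } else if (perms) {
            print "MEDIUM  ownership/permissions changed: " path
        } else {
            print "LOW     metadata only (" flags "): " path
        }
    }'
}

# Constructed sample of rpm -Va output for offline testing (not real findings).
SAMPLE_RPM_VA='S.5....T.    /usr/bin/ls
.......T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd
.M.......    /usr/bin/sudo
.......T.    /usr/share/doc/example/README'

# Returns the triaged report for the sample; on a live host run:
#   sudo rpm -Va 2>/dev/null | triage_rpm_verify
triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
}
```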
5. Manual Forensic Detection Techniques
# Check for hidden processes
# If /proc lists more PIDs than ps reports, something is hiding
# (a difference of one or two is normal: the pipeline itself is in one snapshot but not the other)
ps -eo pid= | wc -l
ls /proc/ | grep -E "^[0-9]+$" | wc -l
# A significant mismatch means hidden processes
# Look for suspicious kernel modules
lsmod | sort
cat /proc/modules | wc -l
# Compare against known-good baseline
# Check for hidden files in system directories
find / -name ".*" -type f -not -path "/home/*" -not -path "/root/.*" 2>/dev/null | head -50
find / -name "..." -type d 2>/dev/null # Triple-dot directories (classic hiding spot)
find / -name ".. " -type d 2>/dev/null # Dot-dot-space directories
# Check for recently modified system binaries (should NOT change without updates)
find /bin /sbin /usr/bin /usr/sbin -mtime -7 -type f 2>/dev/null
stat /bin/ls /bin/ps /usr/bin/ssh # Check modification times
# Check for LD_PRELOAD hijacking (library injection)
echo $LD_PRELOAD # Should be empty
cat /etc/ld.so.preload # Should be empty or non-existent
# Verify network connections
ss -tunap | grep -v "127.0.0.1" # Look for unexpected connections
# Suspicious: connections to unknown IPs, unusual ports
# Check for unauthorized SSH keys
find / -name "authorized_keys" 2>/dev/null -exec echo "=== {} ===" \; -exec cat {} \;
# Check all cron jobs for persistence
for u in $(cut -d: -f1 /etc/passwd); do
crontab -l -u "$u" 2>/dev/null | grep -v "^#" | grep . && echo "^^^ User: $u ^^^"
done
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/
# Check systemd services for unauthorized persistence
systemctl list-unit-files --type=service --state=enabled
find /etc/systemd/system -name "*.service" -newer /etc/passwd -type f
# Check for setuid/setgid binaries (potential privilege escalation)
find / -perm -4000 -type f 2>/dev/null # SUID binaries
find / -perm -2000 -type f 2>/dev/null # SGID binaries
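The hidden-process counts above only tell you that the two views disagree. The following added script (example code, not from the original guide) identifies the hidden PIDs with two cross-checks and re-checks each candidate so processes that merely exited between snapshots are not reported. The helper takes its input as arguments so it can be tested offline; the check_* functions read the live /proc and ps.

```shell
#!/bin/sh
# Added example, not part of the original guide: locate hidden processes.

# pids_in_first_only LIST_A LIST_B: print PIDs present in A but absent from B.
pids_in_first_only() {
    a=$(mktemp) && b=$(mktemp)
    printf '%s\n' $1 | grep -E '^[0-9]+$' | sort -u > "$a"
    printf '%s\n' $2 | grep -E '^[0-9]+$' | sort -u > "$b"
    comm -23 "$a" "$b" | sort -n
    rm -f "$a" "$b"
}

# Check 1: readdir view of /proc versus ps. Catches a trojanized ps or a
# rootkit that filters ps output but leaves /proc alone.
check_ps_vs_proc() {
    proc_pids=$(ls /proc | grep -E '^[0-9]+$')
    ps_pids=$(ps -eo pid=)
    for pid in $(pids_in_first_only "$proc_pids" "$ps_pids"); do
        # Re-check: a process that exited between the two snapshots is not hidden.
        [ -d "/proc/$pid" ] || continue
        ps -p "$pid" -o pid= >/dev/null 2>&1 && continue
        echo "HIDDEN FROM ps: pid $pid cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Check 2: stat() every /proc/N up to MAX and compare with readdir. A kernel
# rootkit that hooks getdents to hide /proc/N usually still answers stat().
# Threads are reachable as /proc/TID but never listed by readdir, so entries
# whose Tgid differs from the PID are skipped. MAX defaults to 65535 because
# a shell loop over the full pid_max range is slow.
check_proc_bruteforce() {
    max=${1:-65535}
    listed=$(ls /proc | grep -E '^[0-9]+$')
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ] && ! printf '%s\n' "$listed" | grep -qx "$pid"; then
            tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
            # Re-list /proc to rule out a process that started after the snapshot.
            if [ "$tgid" = "$pid" ] && ! ls /proc | grep -qx "$pid"; then
                echo "HIDDEN FROM readdir: pid $pid"
            fi
        fi
        pid=$((pid + 1))
    done
}
```

Run both checks as root; any line printed is a process to examine with cat /proc/PID/status, ls -l /proc/PID/exe and the network checks above.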
6. Kernel-Level Detection
# Locate the system call table symbol (prints 0 addresses unless kptr_restrict is relaxed;
# comparing its entries requires kernel memory access, e.g. a memory forensics tool)
sudo grep sys_call_table /proc/kallsyms
# Monitor kernel module loading with auditd
sudo auditctl -w /sbin/insmod -p x -k kernel_modules
sudo auditctl -w /sbin/rmmod -p x -k kernel_modules
sudo auditctl -w /sbin/modprobe -p x -k kernel_modules
# Search audit logs for module activity
sudo ausearch -k kernel_modules
# Check kernel ring buffer for suspicious module loads
dmesg | grep -iE "module|insmod|rootkit|suspicious"
# List currently loaded kernel modules with details
lsmod
modinfo MODULE_NAME # Get details (path, signature, parameters) about a specific module
7. Incident Response: Removal and Recovery
# STEP 1: Network Isolation (prevent data exfiltration)
# Allow your forensics workstation FIRST, or a remote session is cut off when the policies change
sudo iptables -A INPUT -s YOUR_FORENSICS_IP -j ACCEPT
sudo iptables -A OUTPUT -d YOUR_FORENSICS_IP -j ACCEPT
# Then drop everything else
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
# STEP 2: Create forensic disk image BEFORE changes
# /forensics must be external or network storage, never a filesystem on the disk being imaged
sudo dd if=/dev/sda of=/forensics/compromised-$(date +%Y%m%d).img bs=4M status=progress
# STEP 3: Capture volatile evidence
# Write to the forensics volume where possible; the compromised host's own tools may lie
EVIDENCE=/forensics/volatile-$(date +%Y%m%d).txt
date > "$EVIDENCE"
w >> "$EVIDENCE" # Who is logged in
ps auxef >> "$EVIDENCE" # All processes, with environment and process tree
ss -tunap >> "$EVIDENCE" # Network connections
lsmod >> "$EVIDENCE" # Kernel modules
# STEP 4: RECOMMENDED - Full system rebuild
# Rootkits are designed to survive removal attempts
# The ONLY reliable remediation is:
# 1. Reinstall the OS from trusted media
# 2. Restore data (NOT binaries) from verified clean backups
# 3. Rotate ALL passwords and SSH keys
# 4. Regenerate SSL certificates
# STEP 5: If rebuild is absolutely not possible, attempt cleaning:
sudo apt install --reinstall coreutils procps net-tools openssh-server
sudo rkhunter --propupd
# STEP 6: Post-recovery hardening
# - Change ALL passwords (root, users, database, application)
# - Regenerate SSH host keys (ssh-keygen -A only creates keys that are missing, so remove the old ones first):
#   sudo rm /etc/ssh/ssh_host_* && sudo ssh-keygen -A
# - Review and clean authorized_keys files
# - Enable and configure AIDE for ongoing monitoring
# - Enable auditd for system call auditing
# - Review firewall rules and tighten access
# - Implement log forwarding to remote syslog server
Prevention Best Practices
- Keep systems updated - Most rootkits exploit known vulnerabilities
- Use AIDE or OSSEC for continuous file integrity monitoring
- Enable auditd for system call auditing
- Restrict kernel module loading when possible
- Use Secure Boot to prevent bootkit attacks
- Implement least privilege - minimize root access
- Forward logs to a remote server attackers cannot modify
- Regular baseline scans with rkhunter and chkrootkit