[SOLVED] How to detect malware, keyloggers, viruses, rootkits, malicious code, etc.
Don't be paranoid, just be safe and sensible. Use the likes of uBlock Origin and NoScript on your browser, backed up by a sandbox/resettable virtual machine if you're going to insist on browsing dodgy sites, don't open unknown attachments/documents or run unknown executables, exercise good judgement as to what you allow to run as root, occasionally run a malware checker (clamTK, Sophos AV, rkhunter, etc.). Make regular system backups and restore to a previous clean one (or even do a wipe & fresh install) if you suspect that you may have contracted some malware. It's all common sense and it should become second nature.
It may be a little complicated, but if you have a file you're suspicious of and want to verify that it hasn't been replaced with a trojaned copy, you can always perform a stat of the file to look at inode numbers. Generally, files installed together (as part of the same package, or packages installed concurrently, which you can figure out by looking at your install logs) will take inodes next to each other. So a file which is part of Package A might have inode 11554730, while another file which is also part of Package A has 11554731. If the files of an important system package aren't lining up, you might want to investigate further.
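The inode-adjacency check from the post above, turned into a small script as an added example (not code from the thread). It reads "inode path" lines such as `stat -c '%i %n'` prints, and flags any file whose inode is more than a chosen gap away from the package's median inode; the package name, the gap of 1000 and the sample listing below are assumptions for illustration.

```sh
#!/bin/sh
# Added example: flag files whose inode number sits far from the rest of the
# files in the same package (a possible sign that one file was replaced later).
# Input on stdin: lines of "<inode> <path>", the format of `stat -c '%i %n'`.
# Usage on a dpkg-based system (assumed; use `rpm -ql` on RPM systems):
#   dpkg -L coreutils | xargs -d '\n' stat -c '%i %n' 2>/dev/null | inode_outliers 1000

inode_outliers() {
    gap="${1:-1000}"   # maximum distance from the median inode before flagging
    sort -n | awk -v gap="$gap" '
        {
            ino[NR]  = $1
            path[NR] = substr($0, length($1) + 2)   # keep paths containing spaces intact
        }
        END {
            if (NR == 0) exit
            # input is sorted numerically, so the median is the middle entry
            mid = ino[int((NR + 1) / 2)]
            for (i = 1; i <= NR; i++) {
                d = ino[i] - mid
                if (d < 0) d = -d
                if (d > gap)
                    printf "SUSPECT inode %s (package median %s): %s\n", ino[i], mid, path[i]
            }
        }'
}

# Constructed sample listing (not real data): four files with neighbouring
# inodes and one, /usr/bin/ls, with an inode far away from the others.
SAMPLE_INPUT='20991234 /usr/bin/ls
11554730 /usr/bin/cat
11554731 /usr/bin/cp
11554732 /usr/bin/mv
11554733 /usr/bin/stat'

printf '%s\n' "$SAMPLE_INPUT" | inode_outliers 1000
```

A distant inode is only a hint, not proof: a single-file security update, a restore from backup or a copy-on-write filesystem can all move one file's inode legitimately, so confirm with the package manager's own verification (`dpkg -V` or `rpm -V`) before acting.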
you can always perform a stat of the file to look at inode numbers. Generally, files installed together (as part of the same package or packages installed concurrently, which you can figure out by looking at your install logs) will take inodes next to each other
This is a very nice gotcha, which makes me wonder: is there any security scanner software that does this kind of filesystem check?