Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
This question has been hitting me for a while now and I cannot figure out an answer. So, after removing a Rootkit, HOW would you know WHAT the Rootkit has actually done? I mean, the Rootkit might have been there for months and you don't see any changes to your system (to the naked eye anyway), but how would you know what the attacker has done with that Rootkit?
After removing it, does it leave a trail as to what the Rootkit has replaced/modified, etc.? Like API calls, system calls, etc.? How can you check what the Rootkit has done?
I know you can use the KSTAT tool with the -s option to see if any system call memory addresses have been changed; is there anything else?
Appreciate any replies, thanks. I understand what they are, how they hide, the types of Rootkits, their purpose, etc., but this one I don't get. I am stumped.
the truth
you do not
there really is no way to KNOW - 100% know
now if you have a back up from before you installed this rootkit
-- without any info ... the likely way is you installed it
with that backup you can check files
now the good news
photos are not likely affected
music ???? iffy on that
and HOME videos "should" be fine
"digital downloads" from that HD and Blu-ray combo pack ???????????
re download them
bad news
your office spread sheet files
PRIME TARGET !!!!!!
they have a big red bulls eye on them.
and if Windows is dual booted and the linux os has access
then the HR-Block "tax-cut" and turbo-tax files are likely a target
but without knowing the details ??????? I am only guessing, it might not really have done much of anything
and only a guess on this
the MBR
reformat it and reinstall the bootloader
but that is a GOOD precaution
BUT to be 100 % SAFE !!!
if possible do a full reinstall
zero out the drive(s) ( google it - using dd and /dev/zero )
and reinstall
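The "with that backup you can check files" step above is worth making concrete. The following is an added example, not code from the thread or from LinuxQuestions: it hashes every regular file in a known-good backup tree and in the live tree, then reports what was modified, removed or added. It assumes the backup predates the compromise and was stored somewhere the attacker could not reach. Run it from a clean boot medium against the mounted disk rather than on the infected kernel, since a kernel rootkit that hooks the read path can hand the original bytes to any checker running on top of it. The sample files and contents are constructed for the demo and are not taken from any real incident.

```python
"""Compare a live filesystem tree against a known-good backup by file hash.

Added example; not code from the thread. Assumes the backup predates the
compromise and was kept out of the attacker's reach.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped so a planted link cannot redirect the hashing to a
    file the attacker wants us to see; os.walk does not follow symlinked dirs.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare_manifests(known_good, live):
    """Split the differences into modified, missing and added paths (sorted)."""
    return {
        "modified": sorted(p for p in known_good if p in live and known_good[p] != live[p]),
        "missing": sorted(p for p in known_good if p not in live),
        "added": sorted(p for p in live if p not in known_good),
    }


# Constructed sample trees for a stand-alone run; names and contents are
# invented for the demo.
BACKUP_FILES = {
    "bin/ls": b"original ls binary\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "home/user/budget.ods": b"spreadsheet bytes\n",
    "var/log/wtmp": b"login records\n",
}
LIVE_FILES = {
    "bin/ls": b"trojaned ls binary\n",                        # replaced
    "etc/passwd": BACKUP_FILES["etc/passwd"],                # unchanged
    "home/user/budget.ods": BACKUP_FILES["home/user/budget.ods"],
    "etc/ld.so.preload": b"/lib/libevil.so\n",               # new file
    # var/log/wtmp is absent from the live tree
}


def write_tree(root, files):
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build both sample trees in a temp dir, hash them and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        write_tree(backup, BACKUP_FILES)
        write_tree(live, LIVE_FILES)
        return compare_manifests(hash_tree(backup), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

On a real system, point `hash_tree` at the backup and at the mounted disk; expect plenty of legitimate noise under /var/log, /tmp and home directories, so triage the "modified" list starting with /bin, /sbin, /lib, /etc and kernel modules, where a changed hash has no innocent explanation.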
You can sandbox it (the rootkit) and see what it does initially. If it provides C2 functionality then it may be tough to know 100% what happened during the life of the root. After a root, finding remnants may be a daunting task. It's generally accepted (common practice) that after an infection you rebuild the box, adding additional security controls or tweaking the existing ones to make sure the box is less vulnerable to rooting, etc.
So, my recommendation:
1) if your Q is around learning, then by all means clone the system and then study it.
2) if your Q is around forensics for a report, then don't take it too far: find the weakness, then rebuild it stronger.
Brilliant, just what I was looking for because I was running out of methods. Before these answers I had the KSTAT method for checking memory addresses, checking CPU utilisation, hidden processes using the ps and /proc methods, MBR modification, etc.; I just needed a bit more. And yes, you are right, this was the last question I needed to answer for my mini-Rootkit project, completing a 3500 word report on Rootkits.
And thanks John VV for the backup; I didn't think of that. I kind of knew the answer would be that it's impossible to know what it did 100% (I'm sure it applies to any sort of other malware as well, not just Rootkits?)
Last edited by Sasuke92; 02-18-2014 at 08:23 AM.
Reason: Typos
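The "hidden processes using the ps and /proc methods" check mentioned in the reply above is a cross-view comparison: one view of the process list is taken from /proc (which is what ps reads), another is taken by asking the kernel directly with kill(pid, 0) for every PID up to pid_max, and any ID the kernel admits to but /proc does not list is a suspect. The following is an added example, not code from the thread, written the way unhide-style tools do it. It assumes a Linux host with /proc mounted and the `/proc/sys/kernel/pid_max` knob present. A kernel rootkit that also hooks the kill system call can defeat it, so a clean result is one data point, not a verdict.

```python
"""Cross-view check for hidden processes: /proc listing vs. kill(pid, 0) probe.

Added example; not code from the thread. Assumes Linux with /proc mounted.
"""
import os

PROC = "/proc"


def visible_ids():
    """PIDs and thread IDs listed under /proc.

    Thread IDs matter: kill(tid, 0) succeeds for a non-leader thread, and those
    only appear under /proc/<pid>/task/, so without them every multithreaded
    process would look like a hidden one.
    """
    seen = set()
    for name in os.listdir(PROC):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"{PROC}/{name}/task") if t.isdigit())
        except OSError:  # exited while we walked, or task dir not readable
            pass
    return seen


def probed_ids(max_pid=None):
    """IDs the kernel reports as existing, whether or not /proc shows them."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)           # signal 0: existence/permission check only
        except ProcessLookupError:    # ESRCH: no such process
            continue
        except PermissionError:       # EPERM: exists but belongs to someone else
            pass
        found.add(pid)
    return found


def find_hidden(visible, probed):
    """IDs the kernel admits to but /proc does not list, sorted."""
    return sorted(probed - visible)


def confirm(rounds):
    """Keep only IDs flagged in every round.

    A process that starts between the /proc walk and the probe of a single
    round is flagged once and then disappears; a rootkit-hidden process stays.
    """
    result = None
    for hidden in rounds:
        result = set(hidden) if result is None else result & set(hidden)
    return sorted(result or ())


def scan(passes=3):
    """Run the cross-view check several times and report persistent suspects."""
    return confirm(find_hidden(visible_ids(), probed_ids()) for _ in range(passes))


if __name__ == "__main__":
    suspects = scan()
    print("hidden IDs:", suspects if suspects else "none")
```

Each pass issues one kill() per PID up to pid_max (4194304 on many current kernels), so a run takes a few seconds; that is the price of not trusting the /proc view. Anything `scan()` reports deserves a look at /proc/<pid>/status and /proc/<pid>/exe from a clean boot, since the infected kernel may refuse to show them.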