Old 02-17-2014, 02:13 PM   #1
Sasuke92
LQ Newbie
 
Registered: Dec 2013
Posts: 14

Rep: Reputation: Disabled
What has a Rootkit done?


(I hope this question is in the right section.)

This question has been hitting me for a while now and I cannot figure out an answer. So, after removing a Rootkit, HOW would you know WHAT the Rootkit has actually done? I mean, the Rootkit might have been there for months and you don't see any changes to your system (to the naked eye anyway) but how would you know what the attacker has done with that Rootkit?

After removing it, does it leave a trail as to what the Rootkit has replaced/modified etc? Like API calls, system calls etc? How can you check what the Rootkit has done?

I know you can use the KSTAT tool with the -s option to see if any system call memory addresses have been changed, is there anything else?

Appreciate any replies, thanks. I understand what they are, how they hide, the types of Rootkits, their purpose etc but this one I don't get. I am stumped.
 
Old 02-17-2014, 10:45 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
the truth
you do not
there really is no way to KNOW - 100% know

now if you have a back up from before you installed this rootkit
-- without any info ... the likely way is you installed it

with that backup you can check files

now the good news
photos are not likely affected
music ???? iffy on that
and HOME videos "should" be fine

"digital downloads" from that HD and Blu-ray combo pack ???????????
re download them

bad news

your office spread sheet files
PRIME TARGET !!!!!!
they have a big red bulls eye on them .
and if Windows is dual booted and the linux os has access
then the HR-Block "tax-cut" and turbo-tax files are likely a target

but without knowing the details ??????? I am only guessing, it might not really have done much of anything

and only a guess on this
the MBR
reformat it and reinstall the bootloader
but that is a GOOD precaution

BUT to be 100 % SAFE !!!

if possible do a full reinstall
zero out the drive(s) ( google it - using dd and /dev/zero )
and reinstall

Last edited by John VV; 02-17-2014 at 10:46 PM.
 
1 members found this post helpful.
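Post #2's suggestion, checking files against a backup taken before the compromise, is the one part of this thread that turns into a concrete procedure. The script below is an added example written for this page, not code from the thread or from any poster: it hashes two directory trees (the backup and the suspect system) and reports what was modified, added or removed. The sample trees it builds in a temporary directory are constructed for the demo; the file names in them are illustrative, not indicators of any real rootkit.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file below root (relative path -> SHA-256 hex digest).

    Symbolic links are recorded as their target string instead of being
    followed, so a link that was swapped in shows up as a change rather than
    being hashed through to whatever it now points at.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                digests[rel] = "symlink->" + os.readlink(path)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(baseline, current):
    """Diff two digest maps: baseline from the backup, current from the suspect system."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed sample: a 'backup' tree and a 'current' tree with three differences."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        for root in (backup, live):
            _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
            _write(root, "bin/ls", b"ELF original ls\n")
        # Constructed differences: a replaced binary, a new kernel module, a deleted log.
        _write(live, "bin/ls", b"ELF replaced ls\n")
        _write(live, "lib/modules/extra.ko", b"ELF module\n")
        _write(backup, "var/log/auth.log", b"Feb 17 14:13:00 host sshd[101]: Accepted publickey\n")
        return compare_trees(hash_tree(backup), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Run the hashing of the suspect disk from a clean boot medium (a live CD or a second machine with the disk attached), not from the compromised kernel: a kernel-level rootkit can hide or misreport files to any tool running on the infected host, and the comparison is only as trustworthy as the view the hasher gets. Where no backup exists, the package manager's own manifests give a partial baseline for packaged files (`rpm -V` on RPM systems, `debsums` on Debian-based ones), though they say nothing about files the packages never owned.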
Old 02-18-2014, 12:43 AM   #3
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,830

Rep: Reputation: 7308
Not to speak about your logins, accounts and other personal information. You will never know exactly what was stolen....
 
1 members found this post helpful.
Old 02-18-2014, 07:47 AM   #4
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
you can sandbox it (the root kit), see what it does initially. if it provides C2 functionality then it may be tough to know 100% what had happened during the life of the root. after a root, finding remnants may be a daunting task. it's generally accepted (common practice) that after an infection you rebuild the box, adding additional security controls or tweaking the existing to make sure the box is less vulnerable to rooting, etc.

so, my recommendation:
1) if your Q is around learning, then by all means, clone the system and then study it.
2) if your Q is around forensics for a report, then don't take it too far, find the weakness, then rebuild it stronger.
 
1 members found this post helpful.
Old 02-18-2014, 08:21 AM   #5
Sasuke92
LQ Newbie
 
Registered: Dec 2013
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Linux_Kidd View Post
you can sandbox it (the root kit), see what it does initially. if it provides C2 functionality then it may be tough to know 100% what had happened during the life of the root. after a root, finding remnants may be a daunting task. it's generally accepted (common practice) that after an infection you rebuild the box, adding additional security controls or tweaking the existing to make sure the box is less vulnerable to rooting, etc.

so, my recommendation:
1) if your Q is around learning, then by all means, clone the system and then study it.
2) if your Q is around forensics for a report, then don't take it too far, find the weakness, then rebuild it stronger.
Brilliant, just what I was looking for because I was running out of methods. Before these answers I had the KSTAT method for checking memory addresses, checking CPU utilisation, hidden processes using the ps and proc methods, MBR modification etc just needed a bit more. And yes you are right, this was the last question I needed to answer for my mini-Rootkit project, completing a 3500 word report on Rootkits.

And thanks John VV for the backup, didn't think of that. I kinda knew the answer would be that it's impossible to know what it did 100% (I'm sure it applies to any sort of other malware as well, not just Rootkits?).

Last edited by Sasuke92; 02-18-2014 at 08:23 AM. Reason: Typos
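The original poster lists "hidden processes using the ps and proc methods" among the checks already covered. The script below is an added example for this page, not code from the thread or from any poster, showing the cross-view form of that check in Python: it asks the kernel which PIDs exist by sending signal 0 (which delivers nothing and only reports existence) and compares that with the PIDs that /proc lists, which is the view `ps` is built on. A PID that answers the probe but is missing from the listing is either hidden or exited between the two reads; the second pass filters out the latter. The function and variable names are this example's own.

```python
import os
from pathlib import Path

PROC = Path("/proc")


def listed_pids():
    """PIDs the kernel advertises through /proc, the view that ps and top rely on."""
    return {int(p.name) for p in PROC.iterdir() if p.name.isdigit()}


def probe_pids(pid_max):
    """PIDs that answer a null signal. kill(pid, 0) delivers nothing; it only
    reports whether the PID exists. EPERM still means 'exists, owned by someone else'."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            pass              # EPERM: exists, but we may not signal it
        found.add(pid)
    return found


def hidden_pids(probed, listed):
    """Cross-view check: PIDs that respond to a signal but are absent from /proc."""
    return sorted(probed - listed)


def read_pid_max(default=32768):
    """Upper bound for the probe; falls back to the classic default if /proc is unavailable."""
    try:
        return int((PROC / "sys/kernel/pid_max").read_text())
    except (OSError, ValueError):
        return default


def scan(passes=2):
    """Compare the two views several times and keep only PIDs flagged every time,
    which drops processes that merely exited between probing and listing."""
    pid_max = read_pid_max()
    suspects = None
    for _ in range(passes):
        flagged = set(hidden_pids(probe_pids(pid_max), listed_pids()))
        suspects = flagged if suspects is None else suspects & flagged
    return sorted(suspects)


if __name__ == "__main__":
    hidden = scan()
    print("PIDs hidden from /proc:", hidden if hidden else "none")
```

On a modern 64-bit kernel `pid_max` is usually in the millions, so a pass takes a few seconds; run it as root so that EPERM does not mask anything you could not otherwise see. The check only catches a rootkit that filters the /proc directory listing while leaving `kill()` alone; one that hooks both returns a clean result, which is the same limitation the thread's answers point at and the reason a suspect disk is better examined from a separate, trusted boot.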