and what schedule/sysadmin routine is recommended?
While automatically running a rootkit removal/detection tool on a live system might help you discover less sophisticated rootkits, you should also be aware of its limitation. Assuming your system has been infested by a rootkit, how do you know that the rootkit hasn't been tampering with your rootkit removal/detection tool? – andol Jul 30 '10 at 17:54
2 Answers
There are no automated rootkit removal tools for Ubuntu, only tools to check for rootkits. chkrootkit and rkhunter are fairly robust tools when it comes to detecting rootkits, but they're only as good as their rules. Also look into tripwire, which checks critical files for changes.
You should have all of the above run regularly via cron.

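A cron wrapper for the scheduled checks this answer recommends, as an added example (not code from the answer or from either project); it assumes rkhunter and chkrootkit are installed and in PATH, and the log path is my own choice:

```shell
#!/bin/sh
# Added example (not the answer's own code): a cron wrapper that runs rkhunter
# and chkrootkit non-interactively, appends their output to a log and prints a
# summary only when something was flagged, so cron mails it to root.
# Assumed: both tools are installed and in PATH; the log path is my choice.
LOG="${LOG:-/var/log/rootkit-check.log}"

# Count flagged lines: rkhunter --rwo prints "Warning: ..." lines and
# chkrootkit -q prints only its INFECTED lines. Reads stdin so the parser
# can be tested on saved output without running the scanners.
count_findings() {
    awk '/^Warning:/ || /INFECTED/ { n++ } END { print n + 0 }'
}

# Run both scanners. --cronjob is rkhunter's non-interactive mode
# (--check --sk --rwo); -q keeps chkrootkit quiet. A missing tool is
# reported as a warning so it is counted as a finding, not silently skipped.
run_checks() {
    for tool in rkhunter chkrootkit; do
        command -v "$tool" >/dev/null 2>&1 || echo "Warning: $tool is not installed"
    done
    rkhunter --cronjob 2>&1
    chkrootkit -q 2>&1
}

main() {
    out=$(run_checks || true)   # judge on output, not on the scanners' exit codes
    n=$(printf '%s\n' "$out" | count_findings)
    {
        printf '=== %s: %s finding(s) ===\n' "$(date -u +%FT%TZ)" "$n"
        printf '%s\n' "$out"
    } >>"$LOG"
    # cron mails whatever a job prints, so print only when there is something.
    # As the comment on the question notes, a rootkit on a live system can
    # subvert the scanners: a clean run means "nothing found", not "clean".
    if [ "$n" -gt 0 ]; then
        printf '%s finding(s), see %s\n' "$n" "$LOG"
        return 1
    fi
}

# Run only when installed under this name (e.g. /etc/cron.daily/rootkit-check);
# a copy with another name can be sourced to test count_findings.
case "${0##*/}" in rootkit-check) main ;; esac
```

Install it as /etc/cron.daily/rootkit-check, or add a crontab line such as `30 3 * * * /usr/local/sbin/rootkit-check`, and cron's MAILTO delivers the summary whenever findings appear.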
If your system has a rootkit, you should:
- Collect any information about running processes on your machine.
- Make a copy of RAM and your hard drive.
- Reformat/repartition your hard drive(s).
- Install a new system/restore your backup.
The first two points are useful if you want to investigate the issue. Maybe it is also useful not to touch the system until your investigation has ended.
In case of a rootkit, some other person has probably had full access to your computer. So it is important to completely remove the old system. That's why you should reformat your drive. If you're lucky and have a recent backup, you have to restore it and you're done. If not, you have to reinstall the system. This is the only way to securely remove the rootkit and to come up with a clean system.

Best rootkit removal tool for Ubuntu server?
+1 for nuke and re-install. It's the only way to be sure (and as aviah has already added, you need to know that your backup is clean as well, if you're going to be restoring from backup). – Ben Williams Aug 09 '10 at 05:19
rm -rf / :)