
If a rootkit has been installed without my knowledge to remotely control the computer, then I guess the Update Manager would be affected too, right? Then the kernel updates etc. could be infected ones?

Is there a way to verify if a rootkit has been placed without my knowledge without having to use another computer?

I did a scan with chkrootkit and it gave a positive result saying the SucKIT rootkit is installed, but then rkhunter doesn't detect it. I read that those programs are often useless (at least without the proper knowledge) and give false positives, and that if a good rootkit is installed on the computer it would control these programs and logs and I would never know it's there. Thanks.

Sum1
  • If one of these answers solved your problem, just click the little grey under the number now turning it into beautiful green. This means "yes, this answer is correct"! ;-) If there are multiple answers that solve your problem please pick the best one. –  Nov 14 '15 at 15:04

2 Answers


rkhunter is actually better with its detections than chkrootkit (and as rkhunter does additional checks for the SucKIT rootkit, unlike chkrootkit, if only chkrootkit is detecting it then it is almost certainly a false positive). However, both need to be installed before the rootkit, otherwise they will not detect it, so they are the sort of things that need to be installed when you install the OS and before you update, install, or change anything else.

So unless you've had them before having the rootkit, they won't be any good, because they focus on new changes and assume that the system is currently safe.

There is a more advanced tool though, called OSSEC HIDS, which does a range of other things as well as being able to detect rootkits on systems without the need to be installed before the rootkit (though that is probably still advisable, as the rootkit could still alter it; but because it works in a different way, it is able to detect a rootkit installed before it).

And if I was worried that I had a kernel-level rootkit, I wouldn't be worried about updates being infected; I would worry about the fact that the rootkit was already in my kernel and thus could do anything, even break the install system so that I can't install anything to detect it.


If you suspect you have a rootkit installed on your system here is a good article on detecting them:

Cybercity Rootkit Tutorial

If you are concerned that aptitude may be suspect, you can download the tools from source. For example:

    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar -xvzf chkrootkit.tar.gz

"cd" into the directory this creates and follow the instructions in the README. This will rule out the possibility of a rootkit altering your sources list and pulling in something you don't want.

Ideally you would have detection software in place BEFORE someone installs a rootkit, but you can work around it in most cases. Bear in mind that any rootkit that is hiding in your kernel increases the size of the kernel. The more complicated the rootkit is, the larger the kernel will be. You can check the specs of recent kernels from the source at kernel.org. If your kernel is taking up more resources than it should, you may have a rootkit, but in 15 years of enterprise IT work in media, scientific, government, and telecommunications industries I have only seen a rootkit deployed once, and it was on the T.V. show Mr. Robot.

Ultimately the best thing to do is wipe the machine and start over if you have a legitimate reason to suspect tampering.

spyderdyne
  • chkrootkit checks for "telltale" signs of a rootkit violation regardless of whether it was installed before or after the rootkit is added. It doesn't try to tell you where it came from or identify it. rkhunter attempts to identify rootkits via known patterns and examples, and can accurately detect them after tampering has occurred, and will tell you what the detected malware is if it identifies anything. – spyderdyne Nov 10 '15 at 17:41
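The second answer's download-from-source step, as an added example (not code from either answer): the plain FTP fetch on its own gives no integrity check, so this wrapper refuses to unpack the tarball unless its SHA-256 matches a digest obtained out of band. The `EXPECTED_SHA256` value is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example: fetch chkrootkit from the URL quoted in the answer, then
# verify the tarball's SHA-256 before extracting it. The expected digest is a
# PLACEHOLDER; obtain the real value through a channel you trust and paste it in.

CHKROOTKIT_URL="ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz"
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256_DIGEST"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_tarball FILE EXPECTED -> returns 0 on a digest match, 1 otherwise
verify_tarball() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# fetch_and_unpack URL EXPECTED -> download, verify, and extract into ./chkrootkit-src;
# a mismatched tarball is deleted and nothing is extracted.
fetch_and_unpack() {
    tarball=$(basename "$1")
    wget -q -O "$tarball" "$1" || return 1
    verify_tarball "$tarball" "$2" || { rm -f "$tarball"; return 1; }
    mkdir -p chkrootkit-src
    tar -xzf "$tarball" -C chkrootkit-src
}

# Usage (needs network access):
#   fetch_and_unpack "$CHKROOTKIT_URL" "$EXPECTED_SHA256" && cd chkrootkit-src
```

A kernel-level rootkit can still lie to `sha256sum` and `tar`, so this guards the download path only, which is exactly the risk the answer's sources-list remark is about.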