Sometimes Linux, like other operating systems, shows odd behaviour, and in some cases the cause cannot be determined even after the log files have been checked and the hardware has been tested. I have had this problem too often in the past years.
In such cases I often check the system for malicious software. On Linux there are programs that scan for so-called rootkits. A rootkit is malicious software that grants the attacker administrative access to the system.
Well-known rootkit detection programs are Rootkit Hunter (rkhunter), Unhide and chkrootkit.
The difference between a rootkit and a virus is that a virus does not necessarily grant administrative access to the system.
If the rootkit scan is run on a system that is already infected, the rootkit will probably not be found, because it hides itself from the running system. At best there are hints, and these are difficult to distinguish from false positives.
Rootkit scans can instead be done from a Linux live system. Follow these steps:
Download the Ubuntu live ISO and write it to a USB stick.
Boot the Ubuntu live system and select “Try Ubuntu”.
sudo apt-get update
sudo apt-get install chkrootkit
On my system the following partitions exist:
- sda1 – swap space
- sda2 – this is the root partition /
- sda3 – this is my home partition /home
- sda4 – this is the home directory of the root user /root
sudo mkdir /mnt/disk – creates the mount point
sudo mount /dev/sda2 /mnt/disk – makes the root filesystem of the system I want to scan accessible
sudo mount /dev/sda4 /mnt/disk/root – the root user's home directory is scanned as well, so it has to be mounted too
Run the scan with the following command:
sudo chkrootkit -r /mnt/disk/
Normally the output consists of lines such as “nothing found” or “not infected”.
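The mount-and-scan steps above wrapped in a small script that also summarises chkrootkit's output, added here as an example that is not part of the original post. The device names and mount point are the post's; the script name, the mount options and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: wraps the live-system scan
# above and summarises chkrootkit's output so INFECTED/Warning lines are not
# lost among dozens of "not infected" lines. Devices/mount points assumed.

# Mount the suspect filesystems read-only (scan must not alter evidence) and
# noexec/nodev/nosuid so nothing from the untrusted disk can run by accident.
mount_target() {
    root_dev="$1"; roothome_dev="$2"; mnt="$3"
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev,nosuid "$root_dev" "$mnt"
    # /root lives on its own partition in the post's layout (sda4)
    mount -o ro,noexec,nodev,nosuid "$roothome_dev" "$mnt/root"
}

# Reads chkrootkit output on stdin; prints a summary line, then every
# INFECTED or Warning line verbatim. With -r, the process/LKM checks still
# inspect the running live kernel, not the suspect system's.
summarize_chkrootkit() {
    awk '
        /INFECTED/ { infected++; hits = hits "\n  " $0; next }
        /Warning/  { warn++;     hits = hits "\n  " $0; next }
        /not infected|nothing found|not found|nothing detected/ { clean++ }
        END { printf "INFECTED=%d WARNINGS=%d CLEAN=%d%s\n", infected+0, warn+0, clean+0, hits }'
}

run_live_scan() {
    mount_target "$1" "$2" "$3"
    chkrootkit -r "$3" | summarize_chkrootkit
}

# Constructed sample in chkrootkit's output format (not a real scan result).
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/mnt/disk/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `ifconfig'... not infected
Searching for Suckit rootkit... nothing found
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... Warning: eth0: PACKET SNIFFER
EOF
)

# Usage as root on the live system: ./live-scan.sh scan /dev/sda2 /dev/sda4 /mnt/disk
case "${1:-}" in
    scan) run_live_scan "$2" "$3" "$4" ;;
    *)    printf '%s\n' "$SAMPLE_OUTPUT" | summarize_chkrootkit ;;
esac
```

Without arguments the script only runs the summary over the constructed sample, which is useful for checking the filter before booting the live system.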
If a rootkit is reported, run another scan with rkhunter; the report could still be a false positive.
rkhunter has to be installed and updated before it is used.
If a rootkit is installed, you should reinstall the operating system.