
Rootkit scan with Ubuntu Live System


Basic Information

Sometimes Linux, like other operating systems, shows odd behaviour, and in some cases the cause of that behaviour cannot be determined even after the log files have been checked and the hardware has been tested. I have run into this problem quite often in the past years.

In that case I often check the system for malicious software. On Linux there are programs that scan for so-called rootkits. A rootkit is malicious software that grants the attacker administrative access to the system.

Well-known rootkit detection programs are Rootkit Hunter, Unhide and Chkrootkit.

The difference between a rootkit and a virus is that a virus does not necessarily grant administrative access to the system.


The Problem

If the rootkit scan is run on a system that is already infected, the rootkit will probably not be found, because the rootkit hides itself from the running system. At best there are hints, and those are hard to distinguish from false positives.


The Fix

Rootkit scans can instead be run from a Linux Live system. Follow these steps:

1. Step

Download the Ubuntu Live ISO file and write it to a USB stick.

2. Step

Boot the Ubuntu Live system and select “Try Ubuntu”.

3. Step

Install Chkrootkit (the Live session user is not root, so the commands need sudo):

sudo apt-get update
sudo apt-get install chkrootkit

4. Step

On my system the following partitions exist:

  • sda1 – swap space
  • sda2 – this is the root partition /
  • sda3 – this is my home partition /home
  • sda4 – this is the home directory of the root user /root

5. Step

sudo mkdir /mnt/disk – creates the mount point
sudo mount /dev/sda2 /mnt/disk – provides access to the filesystem and the files of the system I want to scan
sudo mount /dev/sda4 /mnt/disk/root – this location is scanned as well, so it is important to make it accessible

6. Step

Run the scan with the following command:

sudo chkrootkit -r /mnt/disk/

Normally the output should report things like “nothing found” or “not infected”.
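The steps above combined into one script, as an added example that is not part of the original post: it mounts the suspect partitions read-only and noexec (so the live system neither alters evidence nor runs anything from the possibly compromised disk), runs chkrootkit -r over the mount and classifies the report lines. The device names, the /mnt/disk path and the list of chkrootkit result phrases are assumptions.

```shell
#!/bin/sh
# Offline rootkit scan from an Ubuntu Live session (added example, not the post's own script).
# Assumes: run as root in the live session, chkrootkit installed, and the suspect disk's
# partitions given as arguments, e.g.  sh offline_scan.sh /dev/sda2 /dev/sda4
set -u
MNT=/mnt/disk
# Mount the suspect root partition (and optionally the separate /root partition, as in the
# post's layout) read-only, noexec, nosuid, nodev: nothing on the disk is changed or executed.
mount_suspect() {
    mkdir -p "$MNT"
    mount -o ro,noexec,nosuid,nodev "$1" "$MNT" || return 1
    [ -z "${2:-}" ] || mount -o ro,noexec,nosuid,nodev "$2" "$MNT/root" || return 1
}
# Classify one chkrootkit output line (patterns are chkrootkit's usual wording, an assumption):
# infected = carries INFECTED (checked first, some hits also say "Warning"); warning = needs
# manual review, often a false positive; clean = a negative result; other = progress text.
classify_line() {
    case "$1" in
        *INFECTED*)                   echo infected ;;
        *Warning*|*"PACKET SNIFFER"*) echo warning ;;
        *"not infected"*|*"nothing found"*|*"not found"*|*"nothing detected"*|*"nothing deleted"*|*"no suspect files"*) echo clean ;;
        *)                            echo other ;;
    esac
}
# Summarize a whole chkrootkit report read from stdin; exit status 0 only if no INFECTED line.
summarize_report() {
    infected=0; warnings=0; clean=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            infected) infected=$((infected + 1)); echo "INFECTED: $line" ;;
            warning)  warnings=$((warnings + 1)); echo "REVIEW:   $line" ;;
            clean)    clean=$((clean + 1)) ;;
        esac
    done
    echo "summary: clean=$clean warnings=$warnings infected=$infected"
    [ "$infected" -eq 0 ]
}
# Full flow: mount, scan the mounted tree with -r, summarize, unmount again.
scan_offline() {
    mount_suspect "$@" || { echo "mount failed" >&2; return 2; }
    chkrootkit -r "$MNT" | summarize_report; rc=$?
    [ -z "${2:-}" ] || umount "$MNT/root"
    umount "$MNT"
    return "$rc"
}
# Only run the scan when partitions are given; sourcing the file just defines the functions.
[ "$#" -eq 0 ] || scan_offline "$@"
```

A non-zero exit status means at least one INFECTED line was seen; REVIEW lines are the warnings the post says should be cross-checked with Rkhunter.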


Conclusion

If a rootkit is detected, run another scan with Rkhunter, because it could still be a false positive.
Rkhunter needs to be installed and updated first.
If a rootkit really is installed, you should reinstall the operating system.

