
Is there any way to detect rootkits/malware on Linux servers? For Windows users the easiest way is to leave it to an antivirus/anti-malware application, but when you have a Linux machine that you have been using for a long time in a hostile environment, how can you be sure that you are not hacked/monitored and that your data is not compromised?

Barttttt

1 Answer


You would want to use measured boot, a technique for verifying a chain of trust from the BIOS all the way up to the kernel. Once the kernel is verified, a feature called IMA, the Integrity Measurement Architecture, can be used, which allows the kernel to verify executables before they run. This is similar to basic integrity checkers such as AIDE, but allows real-time prevention, not just detection after the fact. Measured boot requires the presence of a TPM, which most modern systems have.

If a system has been running for a long time and may be tainted, there is no simple and effective way to check for malware. While some simple utilities like unhide may be able to detect very simple rootkits, a well-designed rootkit will have hooked the kernel and can effectively prevent any userspace tool from detecting it. In these cases, you will need to dump the server's memory over specialized hardware and analyze it with a memory analysis framework such as Volatility.

For less sophisticated malware which does not use kernel hooks to hide itself from userspace, traditional digital forensic techniques can work well. A very non-exhaustive list of techniques to detect software-level tampering from malware or intrusion can include:

  • Checking vital system logs for suspicious entries (ideally from an offline backup).

  • Analyzing network activity to detect unauthorized outbound and inbound connections.

  • Viewing the process tree and loaded modules to look for unexpected entities.

  • Getting a list of setuid and setgid files to look for suspicious ones (e.g. setuid sed).

  • Checking that the inode numbers of critical system files are sequential.

Remember, just because you do not find anything suspicious does not mean malware is not present. Particularly sophisticated malware can run in system management context which is invisible to the kernel, or load itself to a programmable and DMA-capable device such as the GPU. If the service is highly sensitive, you should do a full re-install if malware is a real possibility.

Glorfindel
forest
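The following is an added example and not part of the answer above: shell helpers for three of the listed userspace checks (the setuid/setgid inventory, the inode-distance heuristic, and an unhide-style comparison of /proc against ps). It assumes a Linux host with GNU findutils/coreutils and procps; the directories searched, the 5000-inode threshold and the 65536 PID cap are illustrative assumptions, not values from the original post. As the answer stresses, this only finds what a kernel-level rootkit has not chosen to hide.

```shell
#!/bin/sh
# Added example (not from the original answer): triage helpers for the
# userspace checks discussed in the answer.  Assumes Linux with GNU
# findutils/coreutils and procps.  Paths and thresholds are assumptions.

# 1. Inventory setuid/setgid regular files under the given roots.  Review the
#    list by hand: a privileged copy of sed, bash, find or similar is a classic
#    persistence trick.  -xdev stops at filesystem boundaries so /proc and
#    network mounts are not walked.
find_privileged_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null
}

# 2. Inode-distance heuristic.  Reads "inode path" lines (e.g. from
#    `stat -c '%i %n' /usr/bin/*`) and flags files whose inode number lies more
#    than $1 away from the median.  Files written by one package-manager run on
#    ext4-style filesystems usually get neighbouring inodes; a binary that was
#    later overwritten by an attacker gets a fresh, distant one.
flag_inode_outliers() {
    sort -n | awk -v maxdist="${1:-5000}" '
        { ino[NR] = $1 + 0; p = $0; sub(/^[0-9]+[ \t]+/, "", p); path[NR] = p }
        END {
            if (NR == 0) exit
            med = ino[int((NR + 1) / 2)]          # median of the sorted inodes
            for (i = 1; i <= NR; i++) {
                d = ino[i] - med; if (d < 0) d = -d
                if (d > maxdist)
                    printf "%s inode %d (median %d, distance %d)\n", path[i], ino[i], med, d
            }
        }'
}

# 3. unhide-style PID comparison: print PIDs present in the first list but
#    absent from the second.  Both arguments are files with one PID per line.
#    FILENAME is compared to ARGV[1] rather than using NR==FNR so that an
#    empty second list does not silently swallow the first one.
compare_pid_lists() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$2" "$1"
}

# Live version: enumerate processes by probing /proc/<pid> directly instead of
# listing /proc, because a rootkit that filters readdir() results does not
# necessarily intercept a direct stat() of the path.  Thread IDs also answer
# to /proc/<tid>, so only entries whose Tgid equals their own PID are kept.
live_hidden_pids() {
    tmp=$(mktemp -d) || return 1
    limit=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    [ "$limit" -gt 65536 ] && limit=65536     # assumed cap to keep the loop quick
    pid=1
    while [ "$pid" -le "$limit" ]; do
        if [ -d "/proc/$pid" ]; then
            tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null || true)
            [ "$tgid" = "$pid" ] && echo "$pid"
        fi
        pid=$((pid + 1))
    done > "$tmp/probed"
    ps -e -o pid= | tr -d ' ' > "$tmp/ps"
    # Re-check survivors: a process that exited between the two snapshots is
    # noise; one that is still there but invisible to ps deserves a look.
    compare_pid_lists "$tmp/probed" "$tmp/ps" | while read -r pid; do
        [ -d "/proc/$pid" ] && echo "pid $pid not shown by ps: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
    rm -rf "$tmp"
}

triage_main() {
    echo "== setuid/setgid files"
    find_privileged_files /usr/bin /usr/sbin /bin /sbin
    echo "== inode outliers in /usr/bin (GNU stat assumed)"
    stat -c '%i %n' /usr/bin/* | flag_inode_outliers 5000
    echo "== processes reachable in /proc but not shown by ps"
    live_hidden_pids
}

# Run the full triage only when asked, so the helpers can also be sourced.
if [ -n "${RUN_TRIAGE:-}" ]; then
    triage_main
fi
```

Run it as root with `RUN_TRIAGE=1 sh triage.sh`, preferably with find, awk, ps and stat taken from trusted read-only media, since on a compromised host those binaries are exactly what a trojan would replace. Treat every hit as a pointer, not proof: the inode heuristic also fires on packages that were legitimately upgraded after the rest of the system, it is meaningless on filesystems that allocate inodes non-sequentially, and on merged-/usr distributions `/bin` is a symlink that `find` without `-L` will not descend into, so the `/usr/...` entries carry the results.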