My Debian 8.5 (x64) server is infected with a rootkit, which I have detected by using a live CD to display the contents of /tmp and /var/tmp.

I found out about the infection by seeing high CPU loads due to a cryptominer.

The above directories contain binaries that ls does not display when the system is running. I guess the rootkit is intercepting system calls?

I've already run chkrootkit and lynis, but without any results, except warnings (changed) about:

kernel.core_uses_pid
kernel.dmesg_restrict
kernel.kptr_restrict
kernel.sysrq
kernel.yama.ptrace_scope

I want to achieve:

  • Locate the rootkit.
  • Remove the rootkit (if possible).

Any suggestions?

Shuzheng
    It's not really clear how you came to the conclusion that you have a rootkit. "High CPU loads" and "files that don't show up as running" (maybe because they really are not running?) are very weak signs. ... Anyways, the most useful way of getting rid of malware is not to try it, but to wipe the system. When you copy off important files before, only take what you really need, and use a different OS for this. – deviantfan Jun 23 '18 at 16:14
  • That doesn't make sense; usually "/tmp" isn't persistent storage so you shouldn't be able to see things there from a live CD. You can also try `rkhunter` – multithr3at3d Jun 23 '18 at 16:45
  • @multithr3at3d - maybe because the rootkit downloads them. – Shuzheng Jun 23 '18 at 18:14
  • @Shuzheng The point of multithr3at3d's reply is that default /tmp on the live cd has absolutely nothing to do with your hard disk's content. Files that you see there while the live CD is running do not exist on the hard disk, that's why you won't see them while running your main OS. – deviantfan Jun 23 '18 at 20:01
  • @deviantfan - using the live CD I mount the partition of the main OS to inspect its contents offline... – Shuzheng Jun 23 '18 at 20:20
  • `kernel.kptr_restrict` is pretty useless on a precompiled distribution kernel. – forest Jun 23 '18 at 20:23

2 Answers

The best way to really identify if you have a rootkit is performing a forensic analysis. But first of all: be sure you have an updated backup.

If you are seeing files "offline" with the liveCD, and not with the normal system running, maybe they have some kernel hooks. To verify this point, you can compile busybox with -static flag in a different computer, then check if the results with the system ls and busybox ls are different.

Usually rootkits hide themselves from system commands; you can also check for processes with the system ps and busybox ps to see if there are any differences.

Finally, you can use volatility to analyze a memory dump from your system to see the processes you have running and discover that rootkit.

Hugo Glez
  • What exactly is busybox? – Shuzheng Aug 31 '18 at 04:52
  • **[BusyBox](https://busybox.net/) : The Swiss Army Knife of Embedded Linux** It is a single command that provides multiple functionalities. Like ls, ps and others. You can compile it statically and have like a full shell with this tool. – Hugo Glez Aug 31 '18 at 14:21
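The comparison the answer describes, written out as a small POSIX shell script. This is an added example, not code from the answer or from the BusyBox project. It assumes a statically linked busybox built on a clean machine has been copied to the path in `BUSYBOX` (an assumed location; adjust it), and it takes the trusted and suspect commands as arguments so the same functions can be exercised against any pair of `ls`-like or `ps`-like commands.

```shell
#!/bin/sh
# Added example (not the answer's own code): diff what the system's ls/ps
# report against what a statically linked busybox, built elsewhere, reports.
# BUSYBOX is an assumed path; point it at the copied static binary.
BUSYBOX="${BUSYBOX:-/mnt/clean/busybox}"

# only_in_first FILE_A FILE_B: lines present in sorted file A but missing from B
only_in_first() {
    comm -23 "$1" "$2"
}

# hidden_entries TRUSTED_LS SUSPECT_LS DIR
# Prints names that TRUSTED_LS shows for DIR but SUSPECT_LS omits. Each command
# is run as "CMD -1A DIR" (one name per line, dotfiles included, no . and ..).
hidden_entries() {
    dir="$3"
    t=$(mktemp) && s=$(mktemp) || return 2
    $1 -1A "$dir" 2>/dev/null | LC_ALL=C sort > "$t"
    $2 -1A "$dir" 2>/dev/null | LC_ALL=C sort > "$s"
    only_in_first "$t" "$s"
    rm -f "$t" "$s"
}

# hidden_pids TRUSTED_PS SUSPECT_PS
# Prints PIDs the trusted listing reports that the suspect listing omits. Both
# commands are expected to print a header line, then rows whose first field is
# the PID (true of both "busybox ps" and "ps -e").
hidden_pids() {
    t=$(mktemp) && s=$(mktemp) || return 2
    $1 2>/dev/null | awk 'NR > 1 { print $1 }' | LC_ALL=C sort > "$t"
    $2 2>/dev/null | awk 'NR > 1 { print $1 }' | LC_ALL=C sort > "$s"
    only_in_first "$t" "$s"
    rm -f "$t" "$s"
}

# check_dir DIR: the page's scenario; returns 1 if busybox ls sees more than ls
check_dir() {
    out=$(hidden_entries "$BUSYBOX ls" ls "$1")
    if [ -n "$out" ]; then
        printf 'entries in %s hidden from system ls:\n%s\n' "$1" "$out"
        return 1
    fi
    return 0
}

# Usage on the suspect host, with the static busybox reachable:
#   check_dir /tmp; check_dir /var/tmp
#   hidden_pids "$BUSYBOX ps" "ps -e"
```

A difference between the two listings only proves that something is lying to one of them; an empty diff does not prove the opposite, since a kernel-level hook intercepts the system calls a static busybox makes just as well. That is why the answer ends with an offline memory dump rather than with this check.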
A disadvantage of chkrootkit is that its algorithm just compares against known rootkits. There is also debcheckroot (https://www.elstel.org/debcheckroot/). It compares file content or sha256 sums against your installation repo, which is most effective in spotting file alterations of unknown provenance. It was also used by the French ministry of defence in 2022.
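The principle behind that kind of check, as an added example that is not debcheckroot's code: compare the files on the suspect disk against a sha256 manifest obtained from a trusted source (the distribution's packages, or a clean install of the same versions), and report every file that is altered or missing. It assumes the suspect disk is mounted read-only under a live CD at `ROOT`, as the asker already does, so that the suspect kernel is not the one reading the files; the manifest format is the one `sha256sum` itself writes.

```shell
#!/bin/sh
# Added example, not debcheckroot's own code: verify files under ROOT against a
# manifest of "<sha256>  <relative path>" lines taken from a trusted source.
# Run it from a live CD with the suspect disk mounted read-only at ROOT.

# sha256_of FILE: print only the hex digest
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_manifest MANIFEST ROOT
# Prints "ALTERED <path>" or "MISSING <path>" for every deviation from the
# manifest; prints nothing and returns 0 when everything matches.
verify_manifest() {
    manifest="$1"; root="$2"; rc=0
    while read -r want path; do
        [ -n "$path" ] || continue            # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        have=$(sha256_of "$f")
        if [ "$have" != "$want" ]; then
            printf 'ALTERED %s\n' "$path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage, with a manifest built on a clean machine from the same package versions:
#   verify_manifest /mnt/usb/trusted.sha256 /mnt/suspect
```

Files the manifest does not mention (anything dropped into /tmp, or a new binary added to a package directory) are not flagged by this check; it answers "which known files were changed", which is exactly the question chkrootkit's signature matching cannot answer for an unknown rootkit.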