How I Hunt for Silent Rootkits on Linux (Before They Hunt Me)
Rootkits are the ninjas of the malware world — quiet, stealthy, and often invisible to traditional detection methods. By the time you “see” one, it’s already been hiding for days or weeks.
Over the years, I’ve developed a routine for detecting rootkits before they fully settle in. Here’s the process I follow when I suspect a Linux system might be harboring something nasty.
🔍 1. Start Outside the Suspect System
If a rootkit hooks system calls, tools like ps, ls, and netstat can lie to you.
Whenever possible:
- Boot from trusted rescue media
- Mount the suspect filesystem for offline inspection
- Use known-good binaries from your toolkit
🧾 2. Compare Binary Checksums
On RPM-based systems:
rpm -Va | grep '^..5'
or on Debian-based systems:
debsums -s
Any mismatch in critical binaries like /bin/login, /usr/bin/sshd, or /bin/ls deserves immediate investigation.
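The package-manager checks above trust the package database on the suspect disk, which a rootkit can also tamper with. The script below is an added example, not code from the original post: it builds a sha256 manifest of critical binaries from a known-good root, then verifies a suspect root mounted from rescue media against it. The binary list, mount paths and the sample file trees are constructed assumptions.

```shell
#!/bin/sh
# Offline integrity check: hash critical binaries under a known-good root into a
# manifest, then compare a suspect root (e.g. mounted read-only at /mnt/suspect
# from rescue media) against it. sha256sum must come from the rescue media too.

# Hypothetical list of binaries commonly replaced by rootkits (relative paths).
CRITICAL_BINS="bin/ls bin/ps bin/netstat bin/login usr/sbin/sshd usr/bin/lsmod"

# build_manifest ROOT OUT: write "<sha256>  <relative path>" for each binary
# present under ROOT. Paths containing spaces are not handled.
build_manifest() {
    root=$1; out=$2
    : > "$out"
    for rel in $CRITICAL_BINS; do
        [ -f "$root/$rel" ] || continue
        sum=$(sha256sum "$root/$rel" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$rel" >> "$out"
    done
}

# verify_manifest ROOT MANIFEST: print MODIFIED/MISSING lines for binaries whose
# hash differs from the manifest or that no longer exist. Exit 0 only if clean.
verify_manifest() {
    root=$1; manifest=$2; findings=0
    while read -r expected rel; do
        if [ ! -f "$root/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"; findings=$((findings + 1)); continue
        fi
        actual=$(sha256sum "$root/$rel" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$rel"; findings=$((findings + 1))
        fi
    done < "$manifest"
    [ "$findings" -eq 0 ]
}

# demo: constructed good and suspect trees in a temp dir; one binary is
# tampered with and one deleted, so the check should report exactly two lines.
demo() {
    tmp=$(mktemp -d)
    for rel in $CRITICAL_BINS; do
        mkdir -p "$tmp/good/$(dirname "$rel")" "$tmp/suspect/$(dirname "$rel")"
        printf 'genuine %s\n' "$rel" > "$tmp/good/$rel"
        cp "$tmp/good/$rel" "$tmp/suspect/$rel"
    done
    build_manifest "$tmp/good" "$tmp/manifest.sha256"
    printf 'trojaned\n' >> "$tmp/suspect/bin/ls"   # simulated replaced binary
    rm "$tmp/suspect/usr/sbin/sshd"                 # simulated deleted binary
    verify_manifest "$tmp/suspect" "$tmp/manifest.sha256"; status=$?
    rm -rf "$tmp"
    return "$status"
}

if demo; then echo "clean"; else echo "findings present"; fi
```

In practice the manifest is generated on a clean reference install of the same package versions and kept off the monitored host.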
📜 3. Inspect the Kernel for Hidden Modules
lsmod