The Linux Rootkit That Hid in Plain Sight: How I Finally Detected It
Intro: I thought I had a hardened system. No open ports, auditd enabled, fail2ban watching SSH. Yet something felt off — my Ubuntu server occasionally lagged, even when idle. What I uncovered wasn’t just a misconfiguration — it was a rootkit hiding in plain sight. Here’s how I detected it, removed it, and hardened my system for good.
1. The First Red Flag: Unexplained CPU Spikes
I noticed persistent CPU spikes in top, often from kworker or seemingly harmless system processes. They’d vanish when I restarted—but always came back.
✅ Lesson: Rootkit processes are often named after kernel threads (kworker, kswapd, ksoftirqd) or installed in place of common binaries. A genuine kernel thread is a child of kthreadd (PID 2) and has no executable image: its /proc/&lt;pid&gt;/exe link does not resolve and ps prints its name in square brackets. A "kworker" that has a real binary behind it, or whose parent is not kthreadd, is not a kernel thread.
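As an added example (not the article's own code), the check described above, carried out over /proc: a process whose name matches a kernel-thread pattern but that either resolves to an executable or is not parented by kthreadd is flagged. The KTHREAD_NAMES list and the SAMPLE table are constructed for illustration; read_proc_table() does the same against a live Linux host.

```python
"""Flag user-space processes that pose as kernel threads (added example).

Real kernel threads are children of kthreadd (PID 2) and carry no
executable image, so readlink("/proc/<pid>/exe") fails for them. A
user-space process that merely names itself "kworker/0:1" has an exe path.
"""
import os
import re

# Names that normally belong only to kernel threads. Assumption: a short
# illustrative list; extend it for your kernel/distribution.
KTHREAD_NAMES = re.compile(
    r"^(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|khugepaged|kcompactd)"
)


def is_fake_kthread(proc):
    """proc: dict with pid, ppid, comm, exe (exe is None when the
    /proc/<pid>/exe link cannot be resolved, as for real kernel threads)."""
    if not KTHREAD_NAMES.match(proc["comm"]):
        return False
    # kthreadd itself is PID 2 (parent PID 0); every other kernel thread
    # is spawned by kthreadd, so its PPid must be 2.
    parent_ok = proc["pid"] == 2 or proc["ppid"] == 2
    return proc["exe"] is not None or not parent_ok


def suspicious_kernel_threads(procs):
    """PIDs of processes that look like kernel threads but are not."""
    return sorted(p["pid"] for p in procs if is_fake_kthread(p))


def read_proc_table():
    """Live collector: build the process table from /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/status") as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            comm = fields["Name"].strip()
            ppid = int(fields["PPid"].strip())
        except (OSError, KeyError):
            continue  # process exited while we were reading it
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads (and zombies) have no image
        procs.append({"pid": pid, "ppid": ppid, "comm": comm, "exe": exe})
    return procs


# Constructed sample table (not captured from a real host): PID 1337 is a
# user-space binary in /tmp calling itself kworker/0:1, parented by init.
SAMPLE = [
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "exe": None},
    {"pid": 15, "ppid": 2, "comm": "kworker/0:1", "exe": None},
    {"pid": 1337, "ppid": 1, "comm": "kworker/0:1", "exe": "/tmp/.cache/kworker"},
    {"pid": 2048, "ppid": 1, "comm": "nginx", "exe": "/usr/sbin/nginx"},
]

if __name__ == "__main__":
    for pid in suspicious_kernel_threads(read_proc_table()):
        print("suspicious kernel-thread lookalike:", pid)
```

Run it as root so /proc/&lt;pid&gt;/exe is readable for every process; unprivileged, readlink fails with EACCES for other users' processes and they would look like kernel threads. A kernel-mode rootkit that hides its process from /proc entirely is not caught by this check, which is what the cross-check in the next section is for.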
2. chkrootkit and rkhunter Didn’t Help Much
I ran:
sudo apt install chkrootkit rkhunter
sudo chkrootkit
sudo rkhunter --check
Both came back clean.
✅ Why? A rootkit that has replaced ps, netstat, or ls in /bin and /sbin, or hooks them through /etc/ld.so.preload, controls the output the scanners rely on, and a kernel-mode rootkit filters what /proc reports to every tool. chkrootkit inspects the system with those very binaries unless you point it at known-good copies with -p, and rkhunter's file-property database is only as trustworthy as the system was when `rkhunter --propupd` was last run. Verify binaries against the package manager's own records instead (`dpkg --verify` or `debsums -c` on Ubuntu), and compare process listings from independent sources rather than trusting any single one.
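An added example (not the article's code) of the cross-check just described: it probes every PID up to pid_max directly through /proc/&lt;pid&gt;/status and kill(pid, 0), diffs the result against the /proc directory listing and a ps listing, and reads /etc/ld.so.preload, which is normally absent or empty. The SAMPLE_* values are constructed inputs, and the library path in SAMPLE_PRELOAD is a hypothetical name.

```python
"""Find PIDs hidden from listings, and preload-based hooking (added example).

A user-space rootkit that hooks readdir() hides entries from `ps` and
`ls /proc` but cannot hide /proc/<pid>/status from a direct open(); a
kernel rootkit that filters the /proc directory listing usually still
answers kill(pid, 0). Probing every PID and diffing against the listings
exposes the gap. Secondary threads are excluded via the Tgid field, since
kill(tid, 0) and /proc/<tid> also succeed for a thread that is not a
thread-group leader and would otherwise be false positives.
"""
import os


def parse_ps_pids(ps_output):
    """PIDs from `ps -e -o pid` style output (header and whitespace tolerated)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(probed, listed):
    """PIDs that exist (found by direct probing) but are absent from a listing."""
    return sorted(probed - listed)


def preload_entries(text):
    """Library paths from /etc/ld.so.preload; any entry deserves a look."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def probe_pids(pid_max):
    """Directly probe each PID instead of trusting readdir() on /proc."""
    alive = set()
    for pid in range(1, pid_max + 1):
        tgid = _tgid(pid)
        if tgid is not None:
            if tgid == pid:          # a process, not a secondary thread
                alive.add(pid)
            continue
        # No status file, yet the kernel may still know the PID: on a
        # clean system every live task has a readable status, so a PID
        # that answers kill() here is hidden from /proc lookups.
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            alive.add(pid)           # exists, owned by another user
    return alive


def listed_pids():
    """What a plain directory listing of /proc admits to."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


# Constructed samples (not from a real host): ps shows four PIDs, the
# probe found a fifth; the preload file names a hypothetical library.
SAMPLE_PS = "  PID\n    1\n    2\n  734\n 1201\n"
SAMPLE_PROBED = {1, 2, 734, 1201, 1337}
SAMPLE_PRELOAD = "# comment\n/usr/local/lib/libexample_hook.so\n"

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    probed = probe_pids(pid_max)
    print("hidden from /proc listing:", hidden_pids(probed, listed_pids()))
    try:
        with open("/etc/ld.so.preload") as f:
            print("preload entries:", preload_entries(f.read()))
    except FileNotFoundError:
        print("/etc/ld.so.preload absent (expected)")
```

Feed parse_ps_pids() the output of `ps -e -o pid` from the suspect host to diff against a third source. Probing takes a while when pid_max is large (4194304 on recent systemd hosts); run it as root so PermissionError does not stand in for a real answer, and expect a handful of transient differences from processes that start or exit mid-scan, which a second run will not reproduce.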