DEV Community

Faruk

Originally published at Medium

The Linux Rootkit That Hid in Plain Sight: How I Finally Detected It | by Faruk Ahmed | Jun, 2025


Intro: I thought I had a hardened system. No open ports, auditd enabled, fail2ban watching SSH. Yet something felt off — my Ubuntu server occasionally lagged, even when idle. What I uncovered wasn’t just a misconfiguration — it was a rootkit hiding in plain sight. Here’s how I detected it, removed it, and hardened my system for good.

1. The First Red Flag: Unexplained CPU Spikes

I noticed persistent CPU spikes in top, often from kworker or seemingly harmless system processes. They’d vanish when I restarted, but always came back.

✅ Lesson: Rootkits often masquerade as kernel tasks (a kworker-style process name is cheap to fake) or replace the very binaries you would use to investigate them, so the output of ps and top on the suspect host is not something you can trust on its own.

2. chkrootkit and rkhunter Didn’t Help Much

I ran:

sudo apt install chkrootkit rkhunter
sudo chkrootkit
sudo rkhunter --check

Both came back clean.

✅ Why? Both tools run on the suspect system itself, through the same binaries, libraries and kernel interfaces the rootkit controls. Advanced rootkits modify binaries in /bin and /sbin, and tamper with tools like ps, netstat, and ls: a user-mode rootkit loaded via LD_PRELOAD hooks libc calls such as readdir() and stat() so those tools never see the hidden files and processes, while a kernel-mode one filters the syscalls underneath them. rkhunter’s file-property checks are also only as good as their baseline; a baseline refreshed with rkhunter --propupd after the compromise will report the trojaned binaries as clean.
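One practical consequence, shown here as an added example rather than anything from the article: because ps, top and the scanners above trust the directory listing of /proc, a second view of the process table that never calls readdir() will disagree with them when a process is hidden. The script below takes both views on a running host and reports the gap. It is my code, not the author's; the only assumption is a Linux host with /proc mounted.

```python
"""Cross-view process check for a running Linux host.

Added example, not the article's code: compare the PIDs the /proc directory
listing reports (the view ps, top and ls are built on) against a brute-force
existence probe that never reads a directory. A rootkit that filters directory
entries to hide a process leaves a gap between the two views."""
import os


def pids_from_proc(proc="/proc"):
    """PIDs according to readdir()/getdents64(): the code path a userland
    (LD_PRELOAD) or kernel rootkit hooks to hide entries from ps and ls."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def alive(pid):
    """Existence test with signal 0: ESRCH means no such process, EPERM means
    it exists but belongs to another user, success means it is ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_by_probe(max_pid=None):
    """Every PID in 1..pid_max that answers the probe. Slow (millions of
    syscalls on a default 64-bit pid_max of 4194304) but independent of any
    directory listing."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if alive(pid)}


def hidden_pids(listed, probed, ignore=()):
    """Pure reconciliation step: PIDs the probe found but the listing did not,
    minus anything the caller knows to be noise."""
    return sorted((set(probed) - set(listed)) - set(ignore))


def scan(max_pid=None):
    """Take both views, then re-check each suspect so a process that started or
    exited between the two snapshots is not reported as hidden."""
    listed = pids_from_proc()
    probed = pids_by_probe(max_pid)
    suspects = hidden_pids(listed, probed, ignore={os.getpid()})
    relisted = pids_from_proc()
    return [pid for pid in suspects if alive(pid) and pid not in relisted]


def self_check():
    """Sanity check on a clean host: our own process must appear in both views."""
    me = os.getpid()
    return me in pids_from_proc() and alive(me)


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        print("PIDs visible to kill(2) but absent from the /proc listing:", hidden)
    else:
        print("no hidden processes found: readdir view agrees with the kill probe")
```

Run it as root so EPERM is not the common case, and expect it to take a few seconds. Agreement between the two views is absence of evidence, not proof: a rootkit that also hooks kill() (the libc wrapper in the LD_PRELOAD case, or the syscall in a kernel module) lies to both. That is why tools such as unhide combine several independent techniques, and why the offline comparison from trusted media in the next section is the stronger check.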

3. What Finally Helped: A Live CD and File Comparison


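The section title names the approach (boot trusted media, mount the suspect disk read-only, compare its files against a clean reference); the body of that section is not reproduced on this page. What follows is an added example of such a comparison, my code rather than the author's script. It assumes the suspect disk is mounted at a path such as /mnt/suspect and that a reference manifest in sha256sum output format was produced on a trusted machine running the same package versions, or from packages freshly downloaded from the distribution mirror; nothing stored on the suspect disk is used as ground truth.

```python
"""Offline file comparison of a suspect root mounted from a live CD.

Added example, not the article's script. Assumptions: the suspect disk is
mounted read-only at some path (say /mnt/suspect), and a reference manifest in
`sha256sum` output format ("<digest>  /path") was produced on a trusted machine
running the same package versions, or from packages freshly downloaded from the
distribution mirror. Nothing on the suspect disk is used as ground truth."""
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path

# Directories where a replaced system binary or a dropped helper library would live.
DEFAULT_WATCH_DIRS = ("usr/bin", "usr/sbin", "usr/lib")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """sha256sum-style lines -> {relative path: digest}. Accepts the "  " and
    " *" (binary mode) separators and ignores blank and comment lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *").lstrip("/")] = digest.lower()
    return expected


def compare_root(root, manifest_text, watch_dirs=DEFAULT_WATCH_DIRS):
    """Three findings: manifest files whose hash changed (trojaned binary),
    manifest files that are gone, and files under watch_dirs that the clean
    reference never had (dropped library, renamed original)."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["modified"].append(rel)
    for d in watch_dirs:
        base = root / d
        # On merged-/usr systems /bin is a symlink to usr/bin; skip symlinked
        # watch dirs so the same file is not reported twice under two names.
        if base.is_symlink() or not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and not p.is_symlink():
                rel = p.relative_to(root).as_posix()
                if rel not in expected:
                    report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_demo_root():
    """Constructed sample (not real data): a fake mounted root and the manifest a
    trusted machine would have produced for it, then three deliberate changes."""
    root = Path(tempfile.mkdtemp(prefix="suspect-root-"))
    clean = {
        "usr/bin/ls": b"#!/bin/sh\necho clean ls\n",
        "usr/bin/ps": b"#!/bin/sh\necho clean ps\n",
        "usr/bin/netstat": b"#!/bin/sh\necho clean netstat\n",
    }
    manifest = "\n".join(f"{hashlib.sha256(data).hexdigest()}  /{rel}"
                         for rel, data in clean.items())
    for rel, data in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "usr/bin/ps").write_bytes(b"#!/bin/sh\necho trojaned ps\n")  # replaced
    (root / "usr/bin/netstat").unlink()                                   # removed
    (root / "usr/lib").mkdir(parents=True)
    (root / "usr/lib/libnotinmanifest.so").write_bytes(b"\x7fELF-ish")    # dropped
    return root, manifest


def demo():
    root, manifest = build_demo_root()
    try:
        return compare_root(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: compare.py /mnt/suspect reference.sha256
        result = compare_root(sys.argv[1], Path(sys.argv[2]).read_text())
    else:
        result = demo()
    for kind, paths in result.items():
        for rel in paths:
            print(f"{kind:10s} /{rel}")
```

To produce the reference on the trusted side, run something like `find /usr/bin /usr/sbin /usr/lib -type f -exec sha256sum {} + > reference.sha256` on a clean install of the same release with the same package versions. Do not substitute `debsums` or `dpkg -V` run against the suspect disk: both read the md5sums files under the suspect's own /var/lib/dpkg/info, which an attacker who replaced a binary can rewrite to match.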
👉 Read Full Blog on Medium Here
