Questions tagged [rootkit]
Questions about rootkits. What are signs that you got one? How to confirm or disprove the suspicion. Tools for the detection of rootkits.
57 questions

30 votes, 2 answers, 39k views
chkrootkit says /sbin/init is infected, what does that mean?
I recently ran chkrootkit and got the following line:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
What does this mean exactly? I heard this was a false positive, ...

25 votes, 4 answers, 14k views
chkrootkit shows "tcpd" as INFECTED. Is it a false positive?
Scan by chkrootkit shows "tcpd" as being INFECTED.
Although a scan by rkhunter shows ok (except for regular false positives).
Shall I be worried?
(I'm on Ubuntu 16.10 with 4.8.0-37-generic)

20 votes, 2 answers, 1k views
Signature-based rootkit scanner?
Currently the only rootkit scanners I know of have to be installed on the machine before the rootkit so that they can compare file changes etc (e.g.: chkrootkit and rkhunter), but what I really need ...

19 votes, 3 answers, 27k views
Chkrootkit says "Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd", should I be worried?
I recently ran sudo chkrootkit and this was one of the results:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
In my research on this ...

13 votes, 2 answers, 19k views
chkrootkit scanner detected possible KLM Trojan
Today I scanned my machine with the chkrootkit tool by running:
sudo chkrootkit
And this was some of the output:
Checking `lkm'... You have
2 process ...

12 votes, 1 answer, 7k views
If I have clamav do I need to install rootkit hunter
So I have ClamAV, the antivirus, but is that protection against rootkits, or do I need to install rootkit hunter as well alongside ClamAV?

10 votes, 6 answers, 16k views
Popup ad virus on both chrome and firefox
A pop-up ad box appears whatever site I am opening. Tried resetting settings, disabling extensions, removing all users on chrome.
It seems it is not about Chrome, since the same thing happens on Firefox ...

9 votes, 4 answers, 3k views
Got a virus on Windows and Ubuntu [closed]
TL;DR: I've encountered a virus that affects both Windows 8.1 and Ubuntu 14.04. This virus was proven to be impossible to detect/remove by 50+ of the most popular antivirus programs/rootkits. What to do?...

9 votes, 5 answers, 4k views
Preventing BIOS rootkit on Ubuntu Linux
Other than standard security "best practices" like having a good firewall, strong admin password, ensuring the latest security patches, and upping router security, is there anything more specific that ...

8 votes, 2 answers, 10k views
How do I remove rootkits?
To my understanding, rootkits on Linux infect the kernel to get root privileges, and there are many scanners (I use rkhunter) to scan for rootkits in the kernel, but I have yet to find a program that ...

8 votes, 1 answer, 6k views
Rootkits: Should I be concerned?
I was reading some texts about rootkits and the tools used to remove them.
I have Ubuntu 12.04.1 and rkhunter reported various warnings. I'm wondering what those are.
BTW I install only original ...

7 votes, 2 answers, 5k views
Best rootkit removal tool for a server?
And what schedule/sysadmin routine is recommended?

6 votes, 1 answer, 13k views
rkhunter passwd and group file changes warning
Today I did a scan of my machine with rkhunter:
sudo rkhunter --checkall
And these were the warnings that I got:
Checking for passwd file changes [ Warning ]
Checking for ...

6 votes, 0 answers, 462 views
Rkhunter still relevant in 2022?
I tried using RKHunter 1.4.6 (http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz) in Ubuntu 20.04. It is around 4 years old, and running it did not find any ...

5 votes, 3 answers, 8k views
Packet Sniffer found, what next?
After a download yesterday my computer crashed.
I updated today and checked for rootkits. I found a packet sniffer
eth0: PACKET SNIFFER(/sbin/dhclient[3966])
How can I remove this?

5 votes, 1 answer, 617 views
Rootkit on port 60001 !? Tiger says so - how do I verify? [closed]
My system is an up-to-date Ubuntu 13.10
I've installed Tiger and I'm getting this
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
OLD: --ALERT-- [rootkit005a] Chkrootkit has ...

4 votes, 2 answers, 1k views
Could rootkits be effective for non-root users?
After misinterpreting this question's meaning, I'm wondering if rootkits and other malicious programs could be effective if the user does not have root permissions.
Rootkits usually trick users ...

3 votes, 1 answer, 14k views
How to install rkhunter in ubuntu?
OK, I know the question sounds strange, but I need help installing rkhunter the accurate way. Do I need to follow all the steps in this article https://help.ubuntu.com/community/RKhunter?

3 votes, 2 answers, 2k views
A bootable rootkit scanner for Ubuntu?
I was just wondering, is there any good app for Ubuntu that you could burn on a DVD from an *.iso file, choose it from the boot menu before Ubuntu even starts and then scan the system externally for ...

3 votes, 1 answer, 3k views
Suspect of keylogger/screen logger in Ubuntu machine [closed]
Seems my Ubuntu was hacked by a site while browsing. Is there a way that I can remove any logging software that may have been installed, or identify if a threat is present?

3 votes, 2 answers, 4k views
chkrootkit suspicious files and directory detected
I made a chkrootkit scan, and it found something, but it doesn't give any recommendations on the detection of the files or directories.
Any suggestions?
Results are:
The following suspicious files and ...

3 votes, 1 answer, 502 views
Root kit advice on ubuntu
I've been a Windows user for many years, but recently Avast was bringing up 100s of rootkit-infected files. So I decided to make the switch to Ubuntu to wipe everything, and I'm quite enjoying the ...

3 votes, 4 answers, 628 views
Mysterious a.out file appeared in Downloads folder
Yesterday a file that should not exist appeared in my Downloads folder.
Virustotal knows the file since 2012 and reports it as clean - but it seems other people have had it appear.
Does anyone ...

3 votes, 0 answers, 444 views
Are Virus/rootkits via ubuntu updates possible? [duplicate]
Possible Duplicate:
How is the system kept secure?
What security policies exist in place for packages and scripts?
I fear that just like on Windows there might be ways to catch a malware/virus/...

2 votes, 1 answer, 247 views
Are rootkits something I should be concerned if I'm a normal user? [closed]
Hi, recently I discovered that rootkits are a thing in Ubuntu too, and that their detection is hard. I have been pretty paranoid about getting one since I read about them.
I have my firewall enabled, ...

2 votes, 1 answer, 7k views
eth0: PACKET SNIFFER(/sbin/dhclient [duplicate]
I'm new to Ubuntu and would like help please. I ran ProShield and got this error -
eth0: PACKET SNIFFER(/sbin/dhclient
I ran the following programs below and nothing came up as far as I can see. ...

2 votes, 1 answer, 6k views
use debsums to automatically check all installed packages
I want to use debsums to check the integrity of all my packages with
sudo dpkg -l | awk {'print $2'} | xargs | debsums |grep -v OK
But I get those errors:
debsums: can't open fwupd file /var/lib/polkit-...

2 votes, 2 answers, 2k views
Detecting rootkit without another computer
If a rootkit has been installed without my knowledge to remotely control the computer, then I guess the Update Manager should be affected too, right? Then the kernel updates etc... could be infected ...

2 votes, 2 answers, 2k views
Rootkit scanner with graphical feedback or GUI
There are some rootkit scanners for Linux, for example:
chkrootkit
rkhunter
But how would I get notified on a desktop?
Is it possible to get an alert, if the scanner found something?

2 votes, 1 answer, 1k views
rkhunter shows a possible rootkit or a false positive?
When I do an rkhunter --check it shows me that I have possible rootkits:
/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/firefox: unexpected operator
/usr/bin/rkhunter: 14795: [: /usr/lib/firefox/...

2 votes, 1 answer, 99 views
Does Aide compare against repo versions or only against my own files?
Is there any point in installing Aide on a long-installed machine? Or is it only trustworthy if installed immediately after a fresh install or run from a thumb drive?
Background:
A non-techy friend ...

2 votes, 0 answers, 86 views
How did I get a rootkit? [duplicate]
I am running Ubuntu 14.04 32bit.
Recently, I decided to install ClamAV. It keeps warning me about this pua.win.trojan.xored-1. I read online that this means I have a rootkit.
I downloaded and ran ...

2 votes, 0 answers, 3k views
Scanning Windows for Rootkits using Linux
I know of ClamAV for viruses, but is there an option for scanning AND getting rid of "rootkits" from Windows from inside Linux i.e. Live boot USB? Also spyware and malware scanning would be nice too. ...

2 votes, 0 answers, 1k views
/etc/thnuclnt/.thnumod - what is that file for?
~ > sudo find / -user root -perm -4000 -ls
710826 44 -rwsr-xr-- 1 root messagebus 42500 Окт 3 22:31 /lib/dbus-1.0/dbus-daemon-launch-helper
658951 464 -rwsr-xr-x 1 root root ...

2 votes, 1 answer, 2k views
Chkrootkit findings - what to do?
After my Ubuntu started running slower and slower and Google regularly asked me to prove I'm human, I ran Chkrootkit. Here's what it found:
wlan0: PACKET SNIFFER
(/sbin/wpa_supplicant [870],
/...

1 vote, 1 answer, 2k views
cat /dev/sda output contains references to malware
When using "cat /dev/sda" I see the word trojan appear a lot as well as many names of known trojans like Nymaim, Bedep and so on. Here is a snippet:
b5928a2d2656ba5ef3001dc04350e5a0:399262:Win.Malwar ...

1 vote, 2 answers, 1k views
Networking security issue with suspicious traffic. How to track it down?
I have a specific problem that is a bit advanced for me. In my router log I have seen the following lines:
Internal Prot. External NAT Time-out
192.168.0.167:56396 TCP 186....

1 vote, 1 answer, 396 views
Checksum of system binaries changed
This morning I received several OSSEC notifications about changed integrity checksums.
Affected files are /bin/mv, /bin/dir, /bin/pwd, /bin/chrgrp and about 50 similar binaries from /bin and /usr/bin.
...

1 vote, 1 answer, 6k views
Rkhunter 122 suspect files; do I have a problem?
I am new to Ubuntu.
I am using Xfce Ubuntu 14.04 LTS.
I ran rkhunter a few weeks ago and only got a few warnings.
The forum said that they were normal.
But, this time rkhunter reported 122 ...

1 vote, 1 answer, 335 views
Are there any conflicts between running rkhunter and chkrootkit on one system?
Can I run rkhunter and chkrootkit at the same time on my Ubuntu Linux laptop without having to worry about conflicts?

1 vote, 0 answers, 527 views
Rkhunter shows me a "warning"
Why does rkhunter show me a "warning" in /usr/bin/lwp-request? At the end, the dialog shows: Files properties checks...
Files checked: 149
Suspect Files: 1
With ClamAV it ...

1 vote, 0 answers, 240 views
chkrootkit reports tcpd to be infected, should I be worried? [duplicate]
I ran sudo chkrootkit today and was told this as a part of the output:
Checking `tcpd'... INFECTED
I am running Ubuntu GNOME 16.10 with GNOME 3.22, what does ...

1 vote, 0 answers, 761 views
How to test rkhunter to make sure it's functioning well?
I have an Ubuntu 15.10 Linux laptop PC with rkhunter installed. Now all I need to do is confirm it is working well, like if there is an antivirus on your PC you will go to the EICAR site and download the ...

1 vote, 2 answers, 3k views
How to verify that sbin/init isn't infected?
For some time chkrootkit has been showing sbin/init as being infected with the SuckIt rootkit. Early this year, when the warning first appeared, a quick Google search indicated that it was most likely a ...

0 votes, 1 answer, 502 views
Is my computer secure?
I was using Rkhunter and this was displayed.
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 175 files, found 141
baymax@vostro:~$ sudo rkhunter -c --enable all --disable none --rwo
...

0 votes, 1 answer, 515 views
Can Chromium Browser's Permissions Facilitate a Root Kit Exploit?
I'm just learning about permissions, and excuse me if I may have gone astray. But I've noticed that Chromium Browser has a sandbox executable that is owned by root and has its user id set to launch ...

0 votes, 1 answer, 3k views
Infected by rootkit. How do I remove it?
Today, I launched tiger, which did report a root kit alert. Chkrootkit did agree.
How can I remove this root kit? How can I find out how it was installed, so I can take care of the weakness in my Ubuntu ...

0 votes, 0 answers, 54 views
How to fix Secure Boot error "Image failed to verify with *ACCESS DENIED*" [duplicate]
When attempting to boot a live OS via USB or CD, I get the secure boot error: "Image failed to verify with ACCESS DENIED".
There is no SSD/HDD installed. Secure Boot is enabled and while I ...

0 votes, 0 answers, 1k views
rkhunter warnings
Hi, I just ran rkhunter and got a lot of warnings, which are not the same as the ones I found the first time I ran it.
I'll drop here the results to see if someone can help me and tell tell me if they are ...

0 votes, 0 answers, 132 views
Packages were installed during reboot - journal data added
I am running kubuntu 21.04. I just rebooted my system, and as kubuntu was starting up it installed several packages and rebooted again before reaching the login screen.
I've never seen this behavior ...