Intrusion detection: Linux rootkits

Intrusion detection: Linux rootkits


Rootkits are installed components on a server by a person with malicious intent. The main goal is hiding its presence and avoid the eye of the system administrator. Rootkits usually consist of a set of tools, to manipulate the Linux kernel, alter output to the screen or avoid some software from doing its tasks.

Nowadays rootkits are less popular than they were before. One of the reasons is the increased security in the Linux kernel, making it harder to circumvent some areas (like using some system calls). Still they occur, or in a slightly different form. For example backdoors are still very popular. Often the attacker doesn’t even need full root access to abuse a system for other purposes. Helping in a Distributed Denial of Service (DDoS), sending spam, or act as a hop to attack other systems, to name a few.

Detection methods

Since rootkits are malicious, they should be detected as soon as possible.

File integrity tools

One method to detect alterations to a system is with the help of file integrity tools. These suites consist of a file database, checksums and utilities to check the current state compared with an earlier moment in time. Well-known tools are AIDE, Samhain and Tripwire in this area.

Rootkit scanners

Specialized tools exist to detect for traces of rootkits. These rootkit scanners search for common and uncommon files, compare the outputs of different utilities and try to trick a rootkit in revealing itself again. Rootkit Hunter and Chkrootkit are the most known tools.

Log file analysis

Suspicious events like daemons crashing could be a first trace in a system break-in. While not directly related with a rootkit, monitoring log files for special events will definitely help in protecting a system from a different level.


For detecting rootkits we advice the combination of file integrity tools and rootkit scanners. The latter aren’t always 100% reliable in detection, but usually they are still the best bet in detecting a rootkit.


Some tools mentioned in this post:

Stay secure!

Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.

Automate Scanning »


  • Hi Michael… I Would add Unhide to this list…. Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. .. Te project page is… …..

    • Thanks, that is indeed a useful addition for the readers. Being the original author of Rootkit Hunter, I’m familiar with this great tool. So thanks for sharing!


Leave a Reply

Your email address will not be published. Required fields are marked *