Intrusion detection: Linux rootkits

Rootkits are components installed on a server by a person with malicious intent. Their main goal is to hide their presence and avoid the eye of the system administrator. A rootkit usually consists of a set of tools that manipulate the Linux kernel, alter the output shown on screen, or prevent some software from doing its tasks.

Nowadays rootkits are less popular than they used to be. One of the reasons is the increased security of the Linux kernel, which makes it harder to circumvent some areas (like using some system calls). Still they occur, sometimes in a slightly different form. Backdoors, for example, are still very popular. Often the attacker doesn’t even need full root access to abuse a system for other purposes: helping in a Distributed Denial of Service (DDoS) attack, sending spam, or acting as a hop to attack other systems, to name a few.

Detection methods

Since rootkits are malicious, they should be detected as soon as possible.

File integrity tools

One method to detect alterations to a system is with the help of file integrity tools. These suites consist of a file database, checksums, and utilities to compare the current state of the system with an earlier moment in time. Well-known tools in this area are AIDE, Samhain and Tripwire.
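To show what such a suite does underneath, here is an added example (not code from AIDE, Samhain or Tripwire) of the baseline-and-compare cycle: record mode, owner, size and a SHA-256 checksum for every path under a directory, store that as the database, and later diff a fresh scan against it. The `demo()` function builds a constructed directory tree in a temporary location and simulates a trojaned binary, a new hidden file and a removed tool, so nothing on the real system is touched.

```python
#!/usr/bin/env python3
"""Minimal file integrity baseline and verification (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a regular file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_record(path):
    """Attributes a file integrity tool typically tracks for one path.
    lstat() is used so symlinks are recorded as links, not as their targets."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        rec["size"] = st.st_size
        rec["mtime_ns"] = st.st_mtime_ns
        rec["sha256"] = sha256_of(path)
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk `root` and build the database: {path: record}."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                baseline[path] = file_record(path)
            except OSError:  # vanished or unreadable during the walk
                continue
    return baseline


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two scans: paths that appeared, disappeared, or whose record changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Run the cycle on a constructed tree; returns the report with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name, content in (("ls", b"original ls"), ("ps", b"original ps"),
                              ("netstat", b"original netstat")):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(content)
        db = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(bin_dir), db)

        # Simulated tampering: replaced binary, new hidden file, removed tool.
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"trojaned ls")  # same size as before: only the hash tells
        with open(os.path.join(bin_dir, ".hidden"), "wb") as f:
            f.write(b"payload")
        os.remove(os.path.join(bin_dir, "netstat"))

        report = compare(load_baseline(db), build_baseline(bin_dir))
        return {k: [os.path.relpath(p, root) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two properties of real tools are worth keeping in mind when reading this: the database must be stored and verified from somewhere the attacker cannot reach (read-only media, a remote host), and a kernel rootkit can lie to `lstat()` and `open()` just as it lies to `ls`, which is why the post recommends pairing integrity checks with a rootkit scanner.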

Rootkit scanners

Specialized tools exist to detect traces of rootkits. These rootkit scanners search for common and uncommon files, compare the outputs of different utilities, and try to trick a rootkit into revealing itself. Rootkit Hunter and Chkrootkit are the best-known tools.
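The "compare the outputs of different utilities" technique is easiest to understand with a concrete case: hidden processes. The added example below (my own illustration, not code from Rootkit Hunter or Chkrootkit) enumerates PIDs through three independent paths, the `/proc` directory listing, the `ps` binary, and probing each PID number with signal 0 as tools like unhide do, then reports PIDs that at least one view failed to mention. A rootkit that hooks only one of these paths shows up as a discrepancy. The helper names and the `rounds` parameter are my own.

```python
#!/usr/bin/env python3
"""Cross-view process listing check (added example)."""
import os
import re
import subprocess

_NUMERIC = re.compile(r"^\d+$")


def pids_from_proc(proc="/proc"):
    """View 1: numeric entries of /proc, the source ps and top normally use."""
    return {int(name) for name in os.listdir(proc) if _NUMERIC.match(name)}


def pids_from_ps():
    """View 2: the ps binary itself, which a user-space rootkit may have replaced."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def _is_thread(pid):
    """kill(2) also answers for thread IDs, which never appear as /proc entries.
    Drop those via Tgid; a PID whose status file is unreadable is kept (suspicious)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def pids_by_probing(pid_max=None):
    """View 3: ask the kernel directly about every PID with signal 0.
    ProcessLookupError means no such process; PermissionError means it exists
    but belongs to another user. A process hidden from readdir() still answers."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not _is_thread(pid):
            alive.add(pid)
    return alive


def cross_view(views):
    """views: {view name: set of PIDs it reported}.
    Returns {pid: [views that did NOT report it]} for every PID some view missed."""
    result = {}
    for pid in sorted(set().union(*views.values())):
        missing = sorted(name for name, pids in views.items() if pid not in pids)
        if missing:
            result[pid] = missing
    return result


def stable_discrepancies(take_views, rounds=3):
    """Processes start and exit between two views, so a single diff is noisy.
    Re-take all views `rounds` times and keep only PIDs flagged in every round."""
    persistent = None
    for _ in range(rounds):
        flagged = cross_view(take_views())
        if persistent is None:
            persistent = flagged
        else:
            persistent = {p: v for p, v in flagged.items() if p in persistent}
    return persistent or {}


def live_views():
    return {"proc": pids_from_proc(), "ps": pids_from_ps(), "kill": pids_by_probing()}


if __name__ == "__main__":
    for pid, missing in stable_discrepancies(live_views).items():
        print(f"PID {pid} not reported by: {', '.join(missing)}")
```

Run as root so the probe view is complete, and expect the probe to take a while on systems with a large `pid_max`. A PID reported by the kernel probe but absent from both `/proc` and `ps` is the classic signature of a hidden process; a PID present in `/proc` but missing from `ps` points at a modified `ps` binary, which the file integrity check above would also catch.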

Log file analysis

Suspicious events like daemons crashing could be the first trace of a system break-in. While not directly related to a rootkit, monitoring log files for such events will definitely help in protecting a system at a different level.
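As an added example of what "monitoring log files for daemon crashes" looks like in practice, the script below matches three crash indicators as the kernel, systemd and systemd-coredump commonly write them (a segfault report, a service main process exiting on a signal, and a core dump record) and flags daemons that crash repeatedly, which is the pattern a remote attacker probing a service tends to leave behind. The log lines are constructed for this example; the function names are my own and not from any tool in the post.

```python
#!/usr/bin/env python3
"""Find daemon crash indicators in syslog text (added example)."""
import re
from collections import Counter

PATTERNS = {
    # kernel: sshd[1234]: segfault at 0 ip ... sp ... error 4 in libc.so.6[...]
    "kernel_segfault": re.compile(
        r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at"),
    # systemd[1]: sshd.service: Main process exited, code=killed, status=11/SEGV
    "systemd_signal": re.compile(
        r"systemd\[\d+\]: (?P<unit>\S+): Main process exited, "
        r"code=(?:killed|dumped), status=(?P<sig>\S+)"),
    # systemd-coredump[1300]: Process 1234 (sshd) of user 0 dumped core.
    "core_dumped": re.compile(
        r"systemd-coredump\[\d+\]: Process (?P<pid>\d+) \((?P<proc>[^)]+)\) of user"),
}

# Constructed sample: one noisy login line, two crashes of sshd, one cron line.
SAMPLE_LOG = """\
Mar  3 10:12:01 host sshd[1200]: Accepted publickey for alice from 192.0.2.10 port 51512 ssh2
Mar  3 10:12:44 host kernel: [123456.789012] sshd[1234]: segfault at 0 ip 00007f3c2a1b2c3d sp 00007ffd0e1f2a30 error 4 in libc.so.6[7f3c2a180000+1c2000]
Mar  3 10:12:44 host systemd[1]: sshd.service: Main process exited, code=killed, status=11/SEGV
Mar  3 10:12:44 host systemd-coredump[1300]: Process 1234 (sshd) of user 0 dumped core.
Mar  3 10:12:45 host systemd[1]: sshd.service: Scheduled restart job, restart counter is at 1.
Mar  3 10:13:02 host kernel: [123474.100000] sshd[1310]: segfault at 0 ip 00007f3c2a1b2c3d sp 00007ffd0e1f2a30 error 4 in libc.so.6[7f3c2a180000+1c2000]
Mar  3 10:13:02 host systemd[1]: sshd.service: Main process exited, code=killed, status=11/SEGV
Mar  3 10:20:00 host CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""


def scan(lines):
    """Return one finding per matching line: line number, indicator kind, process."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groupdict()
            # systemd names the unit (sshd.service); strip the suffix to get the daemon
            proc = groups.get("proc") or groups.get("unit", "?").rsplit(".", 1)[0]
            findings.append({"line": number, "kind": kind, "process": proc, "text": line})
    return findings


def repeated_crashers(findings, threshold=2):
    """Daemons for which one kind of crash indicator recurs `threshold` or more times.
    A single crash may be a bug; the same daemon dying again and again after a
    restart suggests someone is repeatedly feeding it bad input."""
    counts = Counter((f["process"], f["kind"]) for f in findings)
    return {proc for (proc, _kind), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f['line']:>3} {f['kind']:<16} {f['process']}")
    print("repeated crashers:", repeated_crashers(found))
```

Pointing `scan()` at `/var/log/syslog`, `/var/log/messages` or `journalctl -o short` output works the same way; the point of the threshold is that a crash followed by a systemd restart and another crash minutes later deserves a look even when no rootkit scanner has fired yet.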


For detecting rootkits we advise a combination of file integrity tools and rootkit scanners. The latter aren’t always 100% reliable in detection, but usually they are still the best bet for detecting a rootkit.


Stay secure!

  • Hi Michael… I would add Unhide to this list…. Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. .. The project page is… …..

    • Thanks, that is indeed a useful addition for the readers. Being the original author of Rootkit Hunter, I’m familiar with this great tool. So thanks for sharing!

