Detecting Rootkits And Kernel-level Compromises In Linux

by Mariusz Burdach
Sept. 25, 2017 1 comment Symantec Rootkits

This article outlines useful ways of detecting hidden modifications to a Linux kernel. Often known as a rootkit, this stealthy type of malware is installed in the kernel of an operating system, and incident handlers and Linux system administrators need special techniques to detect it. In this article we will use just one tool, gdb, the GNU debugger, to detect whether a Linux operating system has been compromised. The package that includes this tool can be found in almost every Linux distribution by default. The second goal of this paper is to present the methods intruders commonly use to "patch" the kernel of a Linux operating system. By understanding the attack vector, we can easily detect that our machine has been compromised or select the right tools to monitor our critical machines.

2flash 4 months, 3 weeks ago

Whenever I read an article about Linux, I think twice before doing it. Why? Because you never know what to expect :)