Questions about rootkits with chkrootkit and rkhunter

I'm working with Debian version 12, and trying out both applications above - but they don't seem to be very helpful in narrowing down where they are seeing their particular alerts. Because both are giving different locations for alerts, I am thinking that they are pulling up false positives. However, I was curious about something: if I am getting alerts under one kernel version, wouldn't it be possible to just roll back the version to an uncorrupted kernel, delete/reinstall the updated kernel version, in order to easily circumvent confirmed rootkits?
I don't think I have one now - I was just curious as to whether this was a viable way to resolve rootkit issues (if one had multiple kernel versions available, that is).
 


These are not needed or wanted...remove them and enjoy Linux as we say...this is Linux not windoze.
 
When I was running rkhunter it continued to kick out false positives. Over time I removed it because it proved unreliable.
Yes, you can roll back to a later kernel. Be careful not to remove your current kernel and don't remove your fallback kernel.
Are you suspicious or have evidence that your current kernel is problematic?
 
When I was running rkhunter it continued to kick out false positives. Over time I removed it because it proved unreliable.
Yes, you can roll back to a later kernel. Be careful not to remove your current kernel and don't remove your fallback kernel.
Are you suspicious or have evidence that your current kernel is problematic?
I don't think that it is problematic: checking the rkhunter.log file seemed to indicate a false positive - especially when coupled with the fact that chkrootkit didn't alert to the same issues (chkrootkit didn't like the Ruby support files).

Also, there didn't seem to be any excessive memory requests/utilization when I checked with the "free" command.

The main issue for my laptop was that the /var directory was at max - which took some effort to resolve, as the logrotate didn't seem to be working.

I was just asking to satisfy my curiosity, as I thought that the logic seemed sound - but wondered if I was missing/overlooking something.
 
I wrote an article about rkhunter and the feedback was that it has been supplanted by chkrootkit.

So, there's that.
 
