This is what I know so far on rootkits, and possibly food for thought?
Rootkits are complicated and they use different approaches for insurgency. The approach is that they simply exchange existing parts of the system with their own modified versions.
The idea of Tripwire was that it should be installed immediately after a clean install; then, theoretically, differences between the system as it was at install and the present could be compared, and any differences looked at for anything suspicious. I noticed that previously open-source code over time stops being open source, with developers maybe “selling out” or deciding they wanted to earn a few pennies from it.
Looks like Tripwire has succumbed to that scenario; it's flagged out of date on the AUR, and going to their web site results in seeing a web page that has the hand of marketing guys written all over it, and classics such as “start for free trial now”.
One alternative was OSSEC, but looking at https://aur.archlinux.org/packages/ossec-hids/ that's flagged out of date as well.
AIDE looks like a possibility, https://aur.archlinux.org/packages/aide/, which I will check out later. Chkrootkit luckily is still going strong; I even got an email back from the developer regarding a custom PKGBUILD I'm playing with.
Because rootkits are complicated, there's not actually much out there to read that makes any sense unless you're a nuclear physicist with a master's degree in calculus. But there are one or two nuggets out there, hopefully.
@KGIII will add a lot more
What signs might you see if you've been hacked? A rootkit is designed not to reveal itself, and even monitors usage of the hard drive so that it can block access to code it has hidden. It's much harder then to identify a rootkit on a running machine, and better to run a rootkit scanner, maybe from a live OS on a USB, to check the laptop it's booted from. Thus the OS on the laptop is not running, and neither is the rootkit, but the sins are still there, such as modified files.
In terms of running a rootkit scanner such as chkrootkit that's been installed via your OS repo, you need to check that it's all working, since I found that chkrootkit couldn't launch the supporting executables such as chkutmp, strings-static, chkdirs and so on. If chkrootkit could launch the other executables, then that would imply that chkrootkit would use and know the “path” to them. In the email from Nelson Murilo, he stated:
“If the Unix environment is compromised the PATH would not be reliable.”
So maybe instead of running chkrootkit as an installed package from the menu, simply run it directly from the unpacked source directory. There are some tasks to do first, such as running "make sense".
Although rootkits aim to remain hidden and work so that your Linux system seems the same, hints of intrusion can be that the login process acts differently from usual, or system utilities are slower. Another might be unexplained bandwidth usage.
Chkrootkit is one tool that can be used to check for rootkits. False positives are not uncommon, so how do you confirm? One well-known writer simply suggests you use another rootkit scanner to confirm. I'm not sure on that one; first choice would have been rkhunter, but as we have identified, or seem to have identified, on this site, rkhunter does not seem to have been updated. I read somewhere a quote that rkhunter morphed into Lynis?
It seems that if a rootkit is detected the only option may be a complete wipe and getting the stuff you need from, say, home and backing it up. How do you know, though, that what you save is clean?
[a 2 minute, 3 second read for me KG]
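As an added example (not from the post above, and not code from the Tripwire, AIDE or chkrootkit projects), here is the "baseline at install, compare later from a live USB" idea from the post as a small shell script, plus a wrapper that runs chkrootkit from its unpacked source directory against the mounted disk without trusting the compromised system's PATH. Assumptions: the suspect disk is mounted read-only at /mnt/target (any mount point works), the baseline file names are arbitrary, GNU find, sha256sum and awk are available (any normal Linux live image has them), and the chkrootkit -r and -p options are as described in chkrootkit's own README.

```shell
#!/bin/sh
# Added example: offline file-integrity baseline/compare plus an offline
# chkrootkit run. Mount point, file names and the chkrootkit options are
# assumptions stated in the lead-in. Needs GNU find/sha256sum/awk.

# make_baseline ROOT OUTFILE
# Writes one line per regular file under ROOT: "sha256 mode uid gid /path".
# -xdev keeps find on ROOT's filesystem; paths are made relative to ROOT so a
# baseline taken on the running system and one taken from a live-USB mount
# of the same disk line up.
make_baseline() {
    root=${1%/}; [ -n "$root" ] || root=/
    out=$2
    find "$root" -xdev -type f -printf '%m %U %G %p\n' |
    while read -r mode uid gid path; do
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        rel=${path#"$root"}
        printf '%s %s %s %s /%s\n' "$sum" "$mode" "$uid" "$gid" "${rel#/}"
    done | sort -k5 > "$out"
}

# compare_baseline OLD NEW
# Prints ADDED / REMOVED / CHANGED lines (CHANGED covers content, mode or
# ownership). Returns 0 when the baselines match, 1 when anything differs.
# Each input line is tagged O or N first, so an empty OLD file or the same
# file passed twice still compares correctly.
compare_baseline() {
    diffs=$( { sed 's/^/O /' "$1"; sed 's/^/N /' "$2"; } | awk '
        { tag = $1; meta = $2 " " $3 " " $4 " " $5; path = $0
          sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", path) }
        tag == "O"          { old[path] = meta; next }
        !(path in old)      { print "ADDED   " path; next }
        old[path] != meta   { print "CHANGED " path }
        { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' | sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# run_chkrootkit SRCDIR MOUNTPOINT TRUSTEDBIN
# Runs chkrootkit from its unpacked source tree (after "make sense" has built
# chkutmp, strings-static and friends there) against the suspect root mounted
# at MOUNTPOINT. Per the chkrootkit README, -r scans that tree instead of /,
# and -p gives a directory of trusted external commands (the live medium's
# own /usr/bin, say) so the scan does not depend on PATH at all. Check the
# option names with ./chkrootkit -h for the version you unpacked.
run_chkrootkit() {
    srcdir=$1; mnt=$2; trusted=$3
    (cd "$srcdir" && ./chkrootkit -p "$trusted" -r "$mnt")
}

# Typical offline use from a live USB (assumed paths):
#   mount -o ro /dev/sda2 /mnt/target
#   make_baseline /mnt/target /media/usb/baseline.new
#   compare_baseline /media/usb/baseline.install /media/usb/baseline.new
#   run_chkrootkit ~/chkrootkit-src /mnt/target /usr/bin
```

Two practical points the script's comments don't cover: keep the install-time baseline on the USB stick, not on the disk being checked, since a rootkit that can swap ls can just as easily rewrite a baseline file sitting next to it; and expect noise from /var, caches and logs, so either baseline only /usr, /etc and /boot or read the CHANGED list against what the package manager expects (on Arch, pacman -Qkk) before calling anything a rootkit.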