
Dedoimedo published an article explaining how to react properly to chkrootkit warnings about possible malware infections: by understanding how the system works, correlating the scanner's results, testing with different kernels, examining services, startup scripts and the login shell, and more.

First, a fact. There's no malware for Linux. Why? The primary reason is neither financial gain, nor interest, nor market share, nor the user skill, not even the security defaults built into the operating system. It is the simple fact that Linux code, while extremely highly portable, is, in fact, not at all portable. The delicate combination of ever so slight differences between distro flavors, the headers, the libraries, and the variety of kernels and compilers makes executing random code on random machines extremely difficult. It is one thing to bundle a static application and get it running. Planting a module into the kernel, live and without errors, well, that's quite another.

But as it happens, many Linux users are also Windows users. And what do you do in Windows? You scan your system for malware. Can you name some malware scanners for Linux? Sure. There's chkrootkit and rkhunter. So you run them. And then you see chkrootkit report a warning about a possible LKM Trojan installed. Fear. What now?
Chkrootkit LKM Trojan installed warning - What now?
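The summary above recommends correlating the scanner's results rather than trusting one warning. The "possible LKM Trojan installed" message comes from chkrootkit's chkproc check, which compares the PIDs visible in /proc with those reported by ps; a process that starts or exits between those two listings shows up as a "hidden" PID even though nothing is wrong. The following script is an added example (not code from the article or from chkrootkit) that repeats the comparison several times and reports only PIDs hidden in every sample, which is the correlation step a practitioner would want before reacting. The sample snapshots in `main()` are constructed; `live_snapshot()` reads the real /proc and runs `ps` and is only meaningful on Linux.

```python
"""Correlate repeated /proc-vs-ps comparisons to separate transient race
conditions from a PID that stays hidden.  Added example; not chkrootkit code."""
import os
import subprocess
from typing import Dict, Iterable, Set, Tuple

Snapshot = Tuple[Set[int], Set[int]]  # (pids seen in /proc, pids reported by ps)


def hidden_pids(proc_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """PIDs present in /proc but missing from ps for a single sample.
    This is the raw discrepancy chkrootkit's chkproc reports on."""
    return set(proc_pids) - set(ps_pids)


def correlate(samples: Iterable[Snapshot]) -> Dict[str, Set[int]]:
    """Split hidden PIDs into those hidden in every sample ('persistent') and
    those hidden in only some samples ('transient', i.e. a timing artifact)."""
    seen_hidden: Set[int] = set()
    persistent: Set[int] = set()
    first = True
    for proc_pids, ps_pids in samples:
        hidden = hidden_pids(proc_pids, ps_pids)
        seen_hidden |= hidden
        persistent = hidden if first else persistent & hidden
        first = False
    if first:  # no samples at all
        return {"persistent": set(), "transient": set()}
    return {"persistent": persistent, "transient": seen_hidden - persistent}


def live_snapshot() -> Snapshot:
    """Take one real sample on a Linux host: numeric /proc entries vs `ps`.
    Assumes procps-style `ps -eo pid=` is available (assumption, not from the article)."""
    proc_pids = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return proc_pids, ps_pids


def main() -> None:
    # Constructed snapshots: PID 4242 is missing from ps in every sample,
    # PIDs 5100 and 5101 are short-lived and vanish between the two listings.
    samples = [
        ({1, 2, 100, 4242, 5100}, {1, 2, 100}),
        ({1, 2, 100, 4242}, {1, 2, 100}),
        ({1, 2, 100, 4242, 5101}, {1, 2, 100, 5101}),
    ]
    result = correlate(samples)
    print("transient (ignore, timing artifact):", sorted(result["transient"]))
    print("persistent (investigate from a known-good kernel):",
          sorted(result["persistent"]))


if __name__ == "__main__":
    main()
```

A persistent entry is still only a lead, not proof: ps itself could be tampered with, which is why the article pairs this correlation with booting a different kernel and inspecting services and startup scripts before drawing a conclusion.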