🦟 rkhunter: Rootkit / Backdoor Detectio ...

🦟 rkhunter: Rootkit / Backdoor Detection πŸ” (PUBLIC)

Nov 27, 2022

Heard a few stories this week from users feeling their network insecure, and / or devices compromised.


[ Click Image Below To Watch On Tor Friendly Peertube ]image

Recently we talked about the existence of BIOS based backdoors. Once in a while these are discovered on brand new routers, computers. The only real solution there is either re-flashing a clean BIOS (such as Coreboot), or buying another computer with clean UEFI / BIOS (limited offer: coreboot laptops supporting public blog / tutorials).

Another article on another BIOS backdoor [source of below image], here.

Reinstalling Windows / Linux (for example) will not change or overwrite issues within BIOS.

image

It shouldn't surprise anyone to imagine used computers carrying the same risk (if not higher risk: cases where a seller is either malicious, or not aware of previous owner / handler potential misdeeds).

Seeking out more open hardware is ideal, where possible (ie: Coreboot for x86), Arm options.


Another reason not to leave personal / business devices in locations beyond our control. Physical access is the most dangerous access to offer.


πŸ”’ SECURITY SCANNERS

Previously we covered Lynis. An excellent security scanner to audit your Linux server, laptop, desktop, tablet (even phone such as Pinephone / Librem5).

If you follow, you likely recall a suggestion to install rootkit / backdoor scanning software.


Earlier, I was somewhat hesitant to cover, as this type of scanner give off "false positive" scan results. New users may not be able to interpret such (leave comment if concerned about results). And my goal has always been creating content that is approachable by most anyone.

If you have trouble understanding a result, leave a comment and share with the community. Your comment could help someone else in the future (and comments on videos help the channel move up in rankings / search results, win-win).


πŸ›‘οΈ rkhunter

rkhunter: standing for "rootkit hunter".

Linux Kernel Modules (LKM) could be hiding something they aren't telling you about. My goal is not to create paranoia, but share in awareness. These are tools everyone can take advantage of.

A Kernel module is an object / selection of code which can be loaded into the Linux kernel, on demand.

Convenient for loading drivers, but potentially malicious as well.

Many years ago attackers realized they could escalate using kernel modules, to hide within Linux systems.

Other times we see backdoors in the form of leveraging access to common workings within a given system. Many times attempting to blend in among normal system processes.

The danger lies in ability to hide their existence.

This is where tools like rkhunter come in.


πŸ“Ί TODAY'S VIDEO / TIPS

[ πŸ§… Invidious Tor Browser Viewing ]

https://youtu.be/we8GK_A8Yrg


πŸ›‘οΈ AVOID MOST COMMON 🦟 BACKDOOR PATHWAY

The best solution is to avoid the problem to begin with.

Most common of security threats, is the one you "open" yourself.

What I mean by that: be careful what you download.

Beware low engagement "forks", emails encouraging opening attached files, even clicking links.

When it comes to targeted attack, none is more prevalent than spear phishing.

Spearphishing: targeted malicious file attacks, usually by email.

The attacker will likely craft something personal (using data they have collected on you). Quite likely spoofing the "from" field in email, using an open SMTP server.

In cases like these, the email server allows an attacker to "forge" an email from a sender you likely recognize.

And if not, it may appear important. Something related to a debt, or death of family member.

In business, it may be a known client list.

Scraping email contacts and issuing "worm" / "chain-mail" style messages: another way trust is gained (target more likely to open attachments from those they know).

Real-world Example: "Modified Elephant".

Key point for the attacker, is creating a sense of urgency / trust for the receiver.

Once you open it, it's game over. Especially opening at higher privileges (ie: root). The file could be a simply "ip grabber", or (worse), a readily accessible backdoor awaiting attacker entry.

πŸ”“ Careful what you open.


(may add more details -- check back if this topic interests you)


[ β˜• Now Public: supporters get early access, everything possible becomes public, eventually; other posts are more personal, written to thank supporters]


⭐ Make sure to SHARE this πŸ”— Help unique content grow against algorithms not promoting this


What Does Your rkhunter Scan Report Say?

πŸ’¬ SHARE IN THE COMMENTS:

Enjoy this post?

Buy πŸ₯· (RTP) Privacy Tech Tips πŸ“‘ a coffee

More from πŸ₯· (RTP) Privacy Tech Tips πŸ“‘