and what schedule/sysadmin routine is recommended?
12 Answers
There are no automated rootkit removal tools for Ubuntu, only tools to check for rootkits.
chkrootkit and rkhunter are fairly robust tools when it comes to detecting rootkits, but they're only as good as their rules. Also look into tripwire, which checks critical files for changes.
You should have all of the above run regularly via cron.
If your system has a rootkit, you should:
- Collect any information about running processes on your machine.
- Make a copy of RAM and your harddrive.
- reformat/repartition your harddrive(s)
- Install a new system/restore your backup.
The first two points are useful, if you want to investigate in that issue. Maybe it is also useful to don't touch the system until your investigation has ended.
In case of a rootkit some other person had probably full access of your computer. So it is important to completely remove the old system. Thatswhy you should reformat your drive. If your lucky and have a recent backup, you have to restore it and you're done. If not, you have to reinstall the system. This is the only way to securely remove the rootkit and to come up with a clean system.
2
