Where can I look for malware that may have been installed on my machine?

7,165

Solution 1

The objective of malware is to do something. So it will need to communicate with the outside world. So the best approach is to have a look at the network traffic that is occurring on your computer.

I like the dnstop utility. Install it with sudo apt-get install dnstop

Then run the utility against your network card

sudo dnstop -l 3 eth0

When the utility runs, press the 3 key; this will change the screen to display all the DNS requests made by your computer.

In my case I went to Ubuntu and it tried to access the following:

Query Name               Count      %   cum%
-------------------- --------- ------ ------
www.gravatar.com             2   40.0   40.0
askubuntu.com                2   40.0   80.0
ny.stackexchange.com         1   20.0  100.0

This gives me an idea of what web sites were accessed. What you need to do is not do anything and sit back and wait for a while to see what your computer accesses. Then laboriously follow up on all those web sites it accesses.

There are many tools you could use, I thought this was an easy one for you to try out.
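The counting that dnstop's "3" view does can be reproduced over any query log you already collect, which makes it easy to compare an idle machine against a baseline of names it normally resolves. The script below is an added example, not code from the answer or from dnstop: the input format "<timestamp> <client-ip> <query-name> <qtype>", the sample lines and the BASELINE set are all assumptions constructed for the example, so adapt parse_queries() to whatever your capture or resolver log actually emits.

```python
#!/usr/bin/env python3
"""Count DNS query names the way dnstop's "3" view does.

Added example (not code from the answer or from dnstop). The input layout
"<timestamp> <client-ip> <query-name> <qtype>" is an assumed log format,
not a real tool's output.
"""
from collections import Counter

# Constructed sample lines mirroring the answer's table; not a real capture.
# The last line is deliberately truncated to show that it is skipped.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.0.2.10 www.gravatar.com. A
2024-01-01T10:00:01 192.0.2.10 askubuntu.com A
2024-01-01T10:00:02 192.0.2.10 www.gravatar.com AAAA
2024-01-01T10:00:03 192.0.2.10 askubuntu.com A
2024-01-01T10:00:09 192.0.2.10 ny.stackexchange.com A
2024-01-01T10:00:10 192.0.2.10
"""

# Names you expect an idle machine to resolve (assumed; build your own
# baseline by watching a known-clean box for a while).
BASELINE = {"www.gravatar.com", "askubuntu.com"}


def parse_queries(text):
    """Return query names, lower-cased and without a trailing dot."""
    names = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line: skip it
        names.append(parts[2].lower().rstrip("."))
    return names


def summarize(names):
    """Return (name, count, percent, cumulative percent) rows, most frequent first."""
    counts = Counter(names)
    total = sum(counts.values())
    rows, cum = [], 0.0
    for name, count in counts.most_common():
        pct = 100.0 * count / total
        cum += pct
        rows.append((name, count, round(pct, 1), round(cum, 1)))
    return rows


def unexpected(rows, baseline):
    """Rows whose query name is not in the baseline: the ones to follow up on."""
    return [row for row in rows if row[0] not in baseline]


def format_table(rows):
    """Render rows in the same column layout the answer shows."""
    lines = [f"{'Query Name':<20} {'Count':>9} {'%':>6} {'cum%':>6}",
             f"{'-' * 20} {'-' * 9} {'-' * 6} {'-' * 6}"]
    for name, count, pct, cum in rows:
        lines.append(f"{name:<20} {count:>9} {pct:>6.1f} {cum:>6.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = summarize(parse_queries(SAMPLE_LOG))
    print(format_table(rows))
    for row in unexpected(rows, BASELINE):
        print(f"not in baseline: {row[0]} ({row[1]} queries)")
```

Run it over a longer idle-period log and the names returned by unexpected() are the ones worth following up; a single odd name is usually an updater or telemetry endpoint, but anything that recurs on a schedule while nothing is in use deserves a closer look at the process behind it.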

Solution 2

You can never know if your PC is already infected or not. You might be able to tell by listening to the traffic coming from your computer. Below are some things that you can do to ensure that your system is OK. Keep in mind that nothing is 100%.

  • Make sure that you don't enable root account
  • Make sure that you have the latest security updates as soon as they come out
  • Don’t install software that you know you’ll hardly or never use
  • Make sure that your system has strong passwords
  • Turn off any services or processes that aren't needed
  • Install a good AV (if you’ll be dealing a lot with Windows, or maybe an email that may contain a Windows-based virus.)

As far as finding out if you've been hacked; you'll get pop-up ads, redirects to sites you didn't intend to visit, etc.

I would have to say that /sys, /boot and /etc, among others, are considered important.

Linux malware can also be detected using memory forensics tools, such as Volatility.

Also you may want to look at "Why do I need anti-virus software?". If you want to install anti-virus software I would recommend that you install ClamAV.

Solution 3

You can also try rkhunter which scans your pc for a lot of common rootkits and trojan horses.

Solution 4

It's obvious to you (for others' sake I'll mention it) that if you're running your system as a VM then your risk potential is limited. The power button fixes things in that case. Keep programs inside their sandbox (per se). Strong passwords. Can't say it enough. From an SA viewpoint, it's your first line of defence. My rule of thumb: don't go below 9 characters, use specials, and upper + lower case + numbers also. It sounds hard, right? It's easy. Example... 'H2O=O18+o16=water'. I use chemistry for some interesting passwords. H2O is water, but the O18 and O16 are different oxygen isotopes, but in the end their result is water, therefore 'H2O=O18+o16=water'.. Strong password. Go with it.. Common complaint is remembering it. So call that computer/server/terminal 'Waterboy'. It may help.

Am I nerding out?!?!

Solution 5

There are specialized distributions like BackTrack that contain software to analyse situations like yours. Due to the highly specialized nature of these tools there is usually a quite steep learning curve associated with them. But then if this is truly a concern for you, it is time well spent.


Author: Luigi

Updated on September 18, 2022

Comments

  • Luigi
    Luigi over 1 year

    I want to analyze my Ubuntu box to detect if it has been hacked. My question is: what are all the places to look to discover if some malicious software has been started? The following is some kind of raw list:

    1. mbr
    2. kernel image (I have md5)
    3. /sbin/init (I have md5)
    4. Kernel modules in /etc/modules
    5. all the services script in /etc/init.d and /etc/init (I have md5)
    6. /etc/rc.local
    7. gnome autorun

    and ?

    My question is totally honest and not malicious. It's only to detect if my box has been compromised.

  • Luigi
    Luigi almost 11 years
    uhmm I think that the most stupid rootkit hides itself and its traffic.
  • Luigi
    Luigi almost 11 years
    rkhunter detects only known rootkits; furthermore it's very easy to take any public rootkit and change the source, making it undetectable by rkhunter..
  • Luigi
    Luigi almost 11 years
    I know BackTrack, but there isn't any software that makes this kind of check automatically.
  • Meer Borg
    Meer Borg almost 11 years
    @Luigi as I said, there are lots of tools for forensic analysis. If you are that worried, use Wireshark and look at the traffic on your network segment, which is pretty impossible to fake as you are working at a hardware level. If you are more paranoid you could run Wireshark on a clean computer on your segment.
  • Luigi
    Luigi almost 11 years
    ok, but I think that the best way is to analyze the offline system from a livecd. I think it's easier because a clever malware can send information outside only if there are other streams of data, or could send info on a covert channel.
  • Meer Borg
    Meer Borg almost 11 years
    @Luigi and how do you establish which one of the thousands of programs has been compromised? Running md5 hashes against a clean system and comparing it to your system? Best option is to wipe computer, mbr, even throw out the hard disk? Bios? Lots of attack vectors. It is a hard job, and you seem to be well informed. But what leads you to believe that you have been infected by this super stealth "virus"?
  • Luigi
    Luigi almost 11 years
    Most Linux distros have almost all the md5s of the files contained in the packages. For example in Ubuntu there is debsums. So it's pretty easy to make a big check of the full system. But of course some files are not hashed.. for example the mbr. But the kernel image and all the modules have their md5 (and sha1 or sha256 to avoid md5 collisions), and the same for /sbin/init. I have to check only the stuff that is not hashed, but I have to know the boot process in very deep detail.
  • hmayag
    hmayag almost 11 years
    @Luigi If it was that easy I would be an IT security/forensic analyst with a six-figure salary...
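The check Luigi describes in the comments (comparing installed files against the package hashes, which debsums automates on Ubuntu) and the checklist in the question (/sbin/init, /etc/rc.local, the modules list) come down to one routine: parse a manifest of expected digests and report every entry that is missing or no longer matches. The script below is an added example, not debsums and not code from any poster. It reads the dpkg .md5sums layout ("<md5hex>  <path relative to />", two spaces, which is what /var/lib/dpkg/info/<package>.md5sums contains); the file tree, the manifest and the tampering in demo() are constructed inside a temporary directory so the example runs offline.

```python
#!/usr/bin/env python3
"""Verify files against a dpkg-style .md5sums manifest (what debsums automates).

Added example, not debsums itself and not code from the thread. Manifest
lines use the dpkg layout "<md5hex>  <path relative to />" (two spaces).
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Map relative path -> expected md5 hex digest; reject malformed lines."""
    manifest = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError(f"malformed manifest line: {raw!r}")
        manifest[path] = digest.lower()
    return manifest


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks; pass 'sha256' for a sha256-style manifest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root, manifest):
    """Return {relative path: 'modified' | 'missing'} for every entry that fails."""
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif file_digest(full) != expected:
            problems[rel] = "modified"
    return problems


def demo():
    """Build a constructed tree in a temp dir, verify it, tamper, verify again.

    Returns (problems before tampering, problems after tampering)."""
    # Constructed contents; the paths echo the question's checklist.
    files = {
        "sbin/init": b"original init binary\n",
        "etc/rc.local": b"#!/bin/sh\nexit 0\n",
        "etc/modules": b"lp\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Manifest in dpkg .md5sums layout, generated from the clean contents.
        manifest_text = "\n".join(
            f"{hashlib.md5(data).hexdigest()}  {rel}" for rel, data in files.items())
        manifest = parse_md5sums(manifest_text)
        before = verify_manifest(root, manifest)

        # Simulate tampering: a line appended to rc.local, the modules list removed.
        with open(os.path.join(root, "etc/rc.local"), "ab") as f:
            f.write(b"# appended line\n")
        os.remove(os.path.join(root, "etc/modules"))
        after = verify_manifest(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before or "no problems")
    print("tampered tree:", after)
```

Two caveats that follow from the discussion above: the manifest and the hashing tool must come from somewhere the suspected host cannot have altered (the package files on the mirror, or a livecd as Luigi suggests), otherwise a rootkit on the running system can make both agree with each other; and, as the comment notes, md5 only detects careless modification, so where a sha256 manifest is available pass algorithm="sha256" to file_digest() and compare against that instead.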