Concerned that you may have a rootkit on your Linux server, desktop or laptop? If you want to check whether or not rootkits are present on your system, and get rid of them, you’ll need to scan you system first. One of the best tools to scan for rootkits on Linux is Tiger. When run, it does a complete security report of your Linux system that outlines where the problems are (including rootkits).
In this guide, we’ll go over how to install the Tiger security tool and scan for dangerous Rootkits.
Tiger doesn’t come with any Linux distributions out of the box, so before going over how to use the Tiger security tool on Linux, we will need to go over how to install it. You will need Ubuntu, Debian, or Arch Linux to install Tiger without compiling the source code.
Tiger has long been in the Ubuntu software sources. To install it, open up a terminal window and run the following apt command.
sudo apt install tiger
Debian has Tiger, and it is installable with the Apt-get install command.
sudo apt-get install tiger
The Tiger security software is on Arch Linux via the AUR. Follow the steps below to install the software on your system.
Step 1: Install the packages required to install AUR packages by hand. These packages are Git and Base-devel.
sudo pacman -S git base-devel
Step 2: Clone the Tiger AUR snapshot to your Arch PC using the git clone command.
git clone https://aur.archlinux.org/tiger.git
Step 3: Move the terminal session from its default directory (home) to the new tiger folder that holds the pkgbuild file.
Step 4: Generate an Arch installer for Tiger. Building a package is done with the makepkg command, but beware: sometimes package generation doesn’t work due to dependency problems. If this happens to you, check the official Tiger AUR page for the dependencies. Be sure also to read the comments, as other users may have insights.
Fedora and OpenSUSE
Sadly, both Fedora, OpenSUSE and other RPM/RedHat-based Linux distributions do not have an easy to install binary package to install Tiger with. To use it, consider converting the DEB package with alien. Or follow the source code instructions below.
To build the Tiger app from source, you’ll need to clone the code. Open up a terminal and do the following:
git clone https://git.savannah.nongnu.org/git/tiger.git
Install the program by running the included shell script.
Alternatively, if you’d like to run it (rather than install it) do the following:
Check for rootkits on Linux
Tiger is an automatic application. It doesn’t have any unique options or switches that users can use in the command-line. The user can’t just “run the rootkit” option to check for one. Instead, the user must use Tiger and run a full scan.
Each time the program runs, it does a scan of many different types of security threats on the system. You’ll be able to see everything it’s scanning. Some of the things that Tiger scans are:
- Linux password files.
- .rhost files.
- .netrc files.
- ttytab, securetty, and login configuration files.
- Group files.
- Bash path settings.
- Rootkit checks.
- Cron startup entries.
- “Break-in” detection.
- SSH configuration files.
- Listening processes.
- FTP configuration files.
To run a Tiger security scan on Linux, gain a root shell using the su or sudo -s command.
Using root privileges, execute the tiger command to start the security audit.
Let the tiger command run and go through the audit process. It will print out what it’s scanning, and how it is interacting with your Linux system. Let the Tiger audit process run its course; it’ll print out the location of the security report in the terminal.
View Tiger Logs
To determine if you have a rootkit on your Linux system, you must view the security report.
To look at any Tiger security report, open up a terminal and use the CD command to move into /var/log/tiger.
Note: Linux will not let non-root users in /var/log. You must use su.
Then, access the log folder with:
In the Tiger log directory, run the ls command. Using this command prints out all the files in the directory.
Take your mouse and highlight the security report file that ls reveals in the terminal. Then, view it with the cat command.
Look over the report and determine if Tiger has detected a rootkit on your system.
Removing rootkits on Linux
Removing Rootkits from Linux systems — even with the best tools, is hard and not successful 100% of the time. While it is true there are programs out there that may help get rid of these kinds of issues; they don’t always work.
Like it or not, if Tiger has determined a dangerous worm on your Linux PC, it’s best to back up your critical files, create a new live USB, and re-install the operating system altogether.