To know when a Linux box is owned... take a Second Look®.
If you try to chase after the signatures and IOCs of ever-evolving adversaries, they'll always be a step ahead. Instead, make sure Linux systems are running exactly the software they're supposed to be running, and nothing more. Combining memory forensics and integrity verification, Second Look uncovers stealth malware and alerts on unknown or unexpectedly modified software.
Second Look can be particularly useful for detecting artifacts of malware in memory such as memory injection and system call manipulation...
Tabs within Second Look provide easy access to the extracted information associated with each process...
Second Look is a powerful tool for detecting potential [malware] concealment techniques...
Read more from the Malware Forensics Field Guide for Linux Systems
Second Look provides unparalleled assurance that the programs and libraries in memory on Linux servers and workstations, from the kernel to system services and applications, are of known origin and have not been tampered with. There is no more effective tool available for detecting rootkits, backdoors, and other unauthorized processes on Linux systems.
Whether you are investigating an incident now, or want to have the best shot at catching intrusions going forward: if you run Linux, Second Look is your tool. Our customers include the IT security teams of major corporations, firms that have investigated numerous high-profile security breaches, and government agencies responsible for protecting extraordinarily sensitive data. We support all Linux distributions, with extensive reference data collections for Amazon Linux, CentOS, Debian, Fedora, Red Hat Enterprise Linux (RHEL), and Ubuntu.
The short video above shows Second Look in action. Real-time memory analysis of a remote target system detects an unauthorized process running there. After the process is hidden with a rootkit, not only can Second Look still see the suspect process, it also produces additional alerts on the rootkit itself.