If you are compromised, running tools on the same system using the same installed OS is never a way to know. Boot from an ISO, install any rootkit detector, if you feel strongly about this and have it scan the connected storage. I doubt anything will be found. Most of the rootkit search tools have many false positives, so plan to look up each report and see what the false positives for it look like.
My #1 security tool is versioned backups. If I thought a system were compromised recently, I'd compare all the files on the current system with all the files from prior "known clean" backup. Any files that are different, are suspect. Most of the time, I'll recognize any files that have changed recently, especially programs. I don't allow patching daily, so any updates that happened since the most recent patch day, including snaps, would be highly suspect. I only allow snap updates to happen on early Saturday mornings. The logs show snap updates happening a few minutes after midnight on Saturday mornings. Anyway, with versioned backups, comparisons are possible.
Of course, before doing the comparisons, boot from a new ISO. Wouldn't want to connect to the backup storage for the comparisons on a system with active malware/cryptoware or just a nasty virus.
So, ensure you have a flash drive to boot from available and ready, always.
The last time I had a virus was over 20 yrs ago and my versioned backups made determining what they'd tried to accomplish and where they'd dropped their temporary files pretty easy. My laptop was hacked at a security conference a few years ago. I'd wiped the system completely and did a fresh install, applied all patches the day before leaving. However, I didn't disable bluetooth and during the king of the hill contest, one of the other teams was hacking all their competition. They got into my laptop. I don't use BT and hadn't in a fewyears prior to then, but the default Ubuntu desktop install enabled it. I forgot to disable it. Sigh.
Bookmarks