How do I remove rootkits?
To my understanding, rootkits on Linux infect the kernel to get root privileges, and there are many scanners (I use rkhunter) to scan for rootkits in the kernel, but I have yet to find a program that would remove rootkits.
How would I remove a rootkit in Linux? Would I have to download the same kernel and replace the infected files? What is the best way to go about doing this?
Solution 1:
The intrinsic problem with a rootkit is that it worms its way deep into your operating system; if you are infected with one, there is no safe way to eliminate it from within the rooted operating system, because if your kernel is compromised, you can't trust anything it says about your files, etc.
Thus to eliminate a rootkit, you have to shut down the OS and manipulate the file system from another OS, and in such a case, it's probably less costly to simply reinstall the operating system rather than try and audit the existing system and repair any rooted components.
As @Cumulus007 points out, the incidence of a rootkit on a desktop-usage Linux system is very low. The odds are a little worse for a server-usage installation, but still very low.
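As an added illustration of the "audit from another OS" route that this answer says is usually more costly than a reinstall (example code added here, not the answerer's): a small Python script that compares files under an offline-mounted root against a trusted manifest in the dpkg `.md5sums` format (one `<md5>  <relative path>` line per file) and reports modified and missing files. The manifest must come from trusted media such as the distribution's own packages, because any copy sitting on the compromised disk can't be trusted either. The sample root and manifest below are constructed inside the script; in a real audit the mount point and the manifest source are yours to supply.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg-style md5sums lines: '<md5>  <relative path>' -> {path: md5}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, relpath = line.partition("  ")
        manifest[relpath] = digest.lower()
    return manifest


def md5_of_file(path):
    """Stream a file through MD5 (the digest dpkg records in its .md5sums files)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_root(mount_point, manifest):
    """Compare every manifest entry against the file under the offline-mounted root.

    Run from a clean live system with the suspect disk mounted read-only, so the
    suspect kernel is not the one answering the read requests.
    """
    findings = {"modified": [], "missing": [], "ok": 0}
    for relpath, expected in sorted(manifest.items()):
        full = os.path.join(mount_point, relpath)
        if not os.path.isfile(full):
            findings["missing"].append(relpath)
        elif md5_of_file(full) != expected:
            findings["modified"].append(relpath)
        else:
            findings["ok"] += 1
    return findings


def build_demo_root():
    """Constructed sample: a fake mounted root plus the trusted manifest for it."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    files = {
        "bin/ls": b"#!/bin/sh\necho clean-ls\n",
        "bin/ps": b"#!/bin/sh\necho clean-ps\n",
        "sbin/ifconfig": b"#!/bin/sh\necho clean-ifconfig\n",
    }
    # The manifest is built from the pristine contents, standing in for the
    # distribution's package checksums obtained from trusted media.
    manifest_text = "".join(
        f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in files.items()
    )
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Simulate what an audit is looking for: one tool replaced, one removed.
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"#!/bin/sh\necho tampered-ps\n")
    os.remove(os.path.join(root, "sbin/ifconfig"))
    return root, manifest_text


def run_demo():
    """Audit the constructed root; returns the findings dict."""
    root, manifest_text = build_demo_root()
    return audit_root(root, parse_md5sums(manifest_text))


if __name__ == "__main__":
    result = run_demo()
    for relpath in result["modified"]:
        print(f"MODIFIED  {relpath}")
    for relpath in result["missing"]:
        print(f"MISSING   {relpath}")
    print(f"{result['ok']} file(s) matched the trusted manifest")
```

A clean result from a check like this only says the listed files match; it says nothing about files the manifest does not cover, kernel modules loaded at runtime, or configuration that was never checksummed, which is the practical reason the answer leans toward a reinstall.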
Solution 2:
I think the best and the safest approach to remove rootkits is to reinstall the system after backing up data. It is advisable to search for how the rootkit was installed.