🛡 Detect Medusa Rootkit on Linux – Test Guide
Medusa is a stealth userland rootkit that abuses LD_PRELOAD: its shared library is loaded into every dynamically linked process (through the LD_PRELOAD variable or /etc/ld.so.preload), hooks libc calls such as readdir and fopen, and filters the results so that ls, ps and netstat never show its files, processes or ports.
Goal: Catch Medusa by bypassing its tricks.
⸻
How to Detect It (Step-by-Step)
1. Use a statically built BusyBox. A static binary carries its own libc and never goes through the dynamic loader, so LD_PRELOAD and /etc/ld.so.preload have no effect on it and its directory and file reads go straight to the kernel.
2. Launch a clean shell from that static binary:
busybox ash
3. Run the listings inside it. ash has no built-in ls, ps or netstat, so invoke them as BusyBox applets (busybox ls, busybox ps, busybox netstat) rather than letting PATH resolve to the hooked system binaries:
ls -la /lib
ps aux
netstat -tulpn
4. Run the same commands in your normal (dynamically linked) bash shell and compare the two outputs. Also check whether /etc/ld.so.preload is visible and readable from the BusyBox shell: LD_PRELOAD rootkits commonly hide that file from hooked processes.
If files, processes or listening ports appear in the BusyBox output but not in bash, you are very likely infected.
Caveat: this only exposes userland (libc-level) hooking. A kernel-module rootkit lies to static binaries as well, so a clean comparison does not clear the box.
⸻
🔴 Don't install BusyBox via apt on a live compromised system: the package manager runs under the same hooked libc and writes to the disk you want to preserve, and on Debian/Ubuntu the plain busybox package is dynamically linked anyway (busybox-static is the static build).
Instead:
• Bring a static busybox binary on read-only media (USB) or copy it into RAM (/dev/shm, or another writable tmpfs if /dev/shm is mounted noexec) and run it from there, so nothing is written to the suspect disk and no evidence is overwritten.
• If the box matters forensically, image the disk first and do the live comparison only after the image is safe.
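The comparison above, automated as an added example (this is not code from the original post or from the Medusa project). It assumes a statically linked busybox has already been copied from trusted media to $BB (default /dev/shm/busybox) and that $WORK is a tmpfs directory; the function names, paths and the sample listings used by self_check are all constructed for this example. Processes are compared as PIDs read from /proc (which is what ps itself reads) and sockets as "proto local-address" pairs, so the two snapshots differ only in what was hidden, not in column layout or volatile counters.

```shell
#!/bin/sh
# Added example: compare what a trusted static BusyBox sees with what the host's
# dynamically linked tools report. Entries present only in the static view were
# hidden from libc-based commands, which is what an LD_PRELOAD rootkit does.
#
# Assumptions (not stated on the page): a static busybox was copied from
# read-only media to $BB and $WORK is on tmpfs, so nothing touches the suspect
# disk. If /dev/shm is mounted noexec, point BB at another writable tmpfs.

BB="${BB:-/dev/shm/busybox}"
WORK="${WORK:-/dev/shm/medusa-check}"

# only_in_first FILE_A FILE_B: print the lines of FILE_A that do not occur in
# FILE_B. Shell builtins only (read, test, printf), so the comparison itself
# never runs the host's possibly hooked utilities.
only_in_first() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        found=0
        while IFS= read -r other; do
            [ "$line" = "$other" ] && { found=1; break; }
        done < "$2"
        [ "$found" -eq 0 ] && printf '%s\n' "$line"
    done < "$1"
    return 0
}

# collect_views: take the same three snapshots twice, once with whatever PATH
# resolves to (dynamic, possibly hooked) and once with BusyBox applets.
collect_views() {
    "$BB" mkdir -p "$WORK" || return 1
    ls -1a /lib                                  > "$WORK/lib.dyn"
    ls -1 /proc | grep -E '^[0-9]+$'             > "$WORK/pids.dyn"
    netstat -tuln 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ {print $1, $4}' > "$WORK/net.dyn"
    "$BB" ls -1a /lib                            > "$WORK/lib.static"
    "$BB" ls -1 /proc | "$BB" grep -E '^[0-9]+$' > "$WORK/pids.static"
    "$BB" netstat -tuln 2>/dev/null | "$BB" awk '$1 ~ /^(tcp|udp)/ {print $1, $4}' > "$WORK/net.static"
}

# report_hidden: print every entry the static tools see but the host tools do
# not, then read /etc/ld.so.preload with the static cat, since the preload file
# itself is a favourite hiding target.
report_hidden() {
    for view in lib pids net; do
        hidden=$(only_in_first "$WORK/$view.static" "$WORK/$view.dyn")
        [ -n "$hidden" ] && printf '[!] hidden from host tools (%s):\n%s\n' "$view" "$hidden"
    done
    if "$BB" test -e /etc/ld.so.preload; then
        printf '[!] /etc/ld.so.preload exists; contents via static busybox:\n'
        "$BB" cat /etc/ld.so.preload
    fi
    return 0
}

# self_check: exercise only_in_first on constructed sample listings (made up
# for this example, not captured from any host). Prints the hidden names.
self_check() {
    dir=$(mktemp -d) || return 1
    printf 'libc.so.6\nlibhidden.so\nld-linux-x86-64.so.2\n' > "$dir/static"
    printf 'libc.so.6\nld-linux-x86-64.so.2\n'               > "$dir/dyn"
    only_in_first "$dir/static" "$dir/dyn"
    rm -rf "$dir"
}

if [ -x "$BB" ]; then
    collect_views && report_hidden
else
    printf 'no static busybox at %s; running offline self-check\n' "$BB" >&2
    self_check
fi
```

Expect a little noise in the pids view from short-lived processes (the ls and grep of the snapshot itself); a PID that is still alive and visible only to BusyBox is the interesting case, and busybox cat /proc/PID/cmdline will tell you what it is. net-tools netstat is absent on many current distributions and the netstat applet is optional in BusyBox builds, so the net view may be empty on both sides; the lib and pids views do not depend on it.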
#Rootkit
@GoSecurity
The OWASP Smart Contract Top 10 (2025) is a standard awareness document providing Web3 developers and security teams with insights into the top 10 vulnerabilities found in smart contracts.
https://owasp.org/www-project-smart-contract-top-10/
Researchers cracked the encryption used by DarkBit ransomware
https://securityaffairs.com/181064/malware/researchers-cracked-the-encryption-used-by-darkbit-ransomware.html
Researchers at cybersecurity firm Profero cracked DarkBit ransomware encryption, allowing victims to recover files for free.