Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In an ideal world, all of your machines would be patched instantly with the latest, up-to-the-minute versions of all installed software, providing the best protection against exploits and vulnerabilities. Unfortunately, that’s rarely the case. And with experienced crackers and 0-day exploits prevalent and on the prowl, there is a constant threat of a compromise.
Of course, you should still do everything possible at every layer in your infrastructure to mitigate your risks. Be paranoid and assume the worst.
The April 2004 “Tech Support” showed you how to use chkrootkit to find rootkits. This month, let’s look at a new tool called Rootkit Hunter that performs a similar function.
Rootkit Hunter, available from http://www.rootkit.nl/, is a scanning tool that consists of one shell script, a few text-based databases, and optional Perl modules. Written by Michael Boelen, it’s licensed under the GPL. Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. It runs a variety of tests to look for default files used by rootkits (using an MD5 hash compare that), incorrect file permissions for binaries, suspected strings in Linux loadable kernel modules (and in FreeBSD’s equivalent called KLD modules), and hidden files.
Installation of Rootkit Hunter deviates from the standard ./configure&&make&&make install. After you download, verify, and unpack the source tarball, cd into the resulting directory and run:
$ sudo ./installer.sh
The installer places a shell script in /usr/local/bin/, the configuration file in /usr/local/etc/, and the rest of the files in /usr/local/rkhunter/. (You can override /usr/local/ with the ––installdir parameter.)
With everything installed, you’re ready to run the program. One nice thing about Rootkit Hunter is that it keeps a variety of information such as known good program versions, blacklisted tools and binaries, and MD5 hashes in continually updated databases, much like a virus scanner. The first thing to do is make sure all of the databases are current.
# /usr/local/bin/rkhunter ––update
If anything is out of date, it’s automatically updated. There’s also a quick and easy way to verify that you’re running the latest version of Rootkit Hunter itself:
# /usr/local/bin/rkhunter ––versioncheck
This version: 1.2.7
Latest version: 1.2.7
To run all of the Rootkit Hunter security checks and see a verbose, colorized status report, run:
# /usr/local/bin/rkhunter ––checkall
While the Rootkit Hunter script has extremely sane defaults, you can edit its configuration file if you’d like to whitelist hidden files or directories, change the install directory, or ignore the fact that remote root SSH logins are allowed. As with any software you install, take the time to thoroughly look through the configuration file to learn what the software is capable of and what each option does.
Once you’re confident that everything is installed and working correctly, add Rootkit Hunter to your list of regular system chores in the system cron file. To do that, first create a script with the following:
This script performs a version check, updates your databases, runs Rootkit Hunter in a mode conducive to cron (––cronjob disables colored output and ––report-warnings-only sets a severity level), and then mails the results to root. You should run this script as root, via cron, at least once a day.
Rootkit Hunter performs a similar function as chkrootkit. However, it works in a different manner and offers some additional features, such as storing information in live databases. Which one should you use? Since both are open source and are free to download and use, install both, see how each one works behind the scenes, and choose the one that best suits your needs and your environment.