Hunting XOR DDoS and other Malware with RKHunter on CentOS 7

October 14, 2015 | By in LINUX HOWTO, SECURITY

Hello penguins, in this article we are going to learn how to hunt rootkits with Rootkit Hunter. Among other threats, you will be able to use it to find signs of some variants of the XOR.DDoS malware, which is currently being used to build botnets out of Linux systems for massive distributed denial of service attacks.

Found XOR DDoS Rootkit

Table of Contents

  • Install
    • Download
    • Patch - (optional )
    • Install
  • Configure
    • tests
    • logs
    • whitelists
    • misc
  • Run
    • flags
    • cron scheduling


Download Rkhunter; you can use cURL to do this.

curl -o rkhunter-1.4.2.tar.gz

Then extract the contents of the package.

tar zxvf rkhunter-1.4.2.tar.gz

Enter tarball directory.

cd rkhunter-1.4.2

Patch (Optional)

This optional step patches the rkhunter script and its database so that they look for the XOR.DDoS Linux malware. The patch is based on the port and files found in the reports made by Akamai, Avast and Malware Must Die.

Enter the files directory under the rkhunter directory.

cd files

Install the patch utility with yum.

yum install patch

Now download the patch.

curl -o rkhunter.patch

Alternatively, you can copy and paste the contents of the rkhunter.patch file from here.

--- rkhunter    2014-03-12 17:54:55.000000000 -0300
+++        2015-10-02 17:01:25.040000000 -0300
@@ -7797,6 +7797,19 @@

+       # XOR.DDoS
+       XORDDOS_FILES="/lib/udev/udev
+                      /lib/udev/debug
+                      /etc/cron.hourly/
+                      /etc/cron.hourly/
+                      /lib/
+                      /var/run/
+                      /var/run/"
# 55808 Variant A
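Review bot: the XORDDOS_FILES list in this hunk mixes bare directories with duplicates (`/lib/` and `/var/run/` are plain directories, and `/etc/cron.hourly/` and `/var/run/` each appear twice); those directories exist on every CentOS host, so as written the entries either match nothing specific or guarantee a warning. Each entry should name the exact file path taken from the Akamai/Avast/Malware Must Die reports and the duplicates should be dropped. The hunk header also announces 13 added lines while only 8 are shown here, so confirm the patch applies cleanly before relying on it.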
@@ -11907,6 +11920,13 @@

+       # XOR.DDoS Rootkit
+       SCAN_ROOTKIT="XOR.DDoS - Rootkit"
+       scanrootkit

# 55808 Trojan - Variant A
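Review bot: this hunk sets SCAN_ROOTKIT and calls scanrootkit, but nothing here hands the XORDDOS_FILES list from the first hunk to the scanner; unless scanrootkit reads that variable by name, the new entry runs with whatever file list the previous rootkit entry left behind. Assign the list to the same file-list variable the neighbouring 55808 entry uses before the `scanrootkit` call so the detection actually checks those paths.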

--- backdoorports.dat   2010-11-13 20:41:19.000000000 -0300
+++       2015-10-02 17:10:24.086000000 -0300
@@ -12,6 +12,7 @@
2006:CB Rootkit or w00tkit Rootkit SSH server:TCP:
+3502:Possible XOR.DDoS Botnet Malware:TCP:
6666:Possible rogue IRC bot:TCP:
6667:Possible rogue IRC bot:TCP:
6668:Possible rogue IRC bot:TCP:
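Review bot: the new `3502:Possible XOR.DDoS Botnet Malware:TCP:` line follows the port:description:protocol: format and keeps the file in ascending port order, which is fine. Keep in mind it is a port-only heuristic: any legitimate service bound to TCP/3502 will trigger this warning and should be handled with a port whitelist entry in rkhunter.conf rather than by removing this line.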

Apply the patch to the rkhunter script and the backdoorports.dat file with the following command.

patch < rkhunter.patch

rkhunter.patch output

The patch is done; now go back to the tarball root directory to continue the install.
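As an added example (not part of the article or of rkhunter itself), the following POSIX shell script shows what the new backdoorports.dat entry buys you: it parses the port database format used above and reports any listening TCP port that appears in it, run here against a constructed sample of `ss -lnt` output.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: correlate listening TCP ports with
# entries in backdoorports.dat format (port:description:protocol:).
# The sample data below is constructed; on a real host feed in `ss -lnt` output.

BACKDOORPORTS='2006:CB Rootkit or w00tkit Rootkit SSH server:TCP:
3502:Possible XOR.DDoS Botnet Malware:TCP:
6667:Possible rogue IRC bot:TCP:'

# Constructed "ss -lnt" output: sshd on 22 and a suspect listener on 3502.
SS_SAMPLE='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*
LISTEN  0      128    0.0.0.0:3502        *:*'

# check_ports PORTS_DB SS_OUTPUT
# Prints one "Warning:" line for every listening TCP port found in PORTS_DB.
check_ports() {
    ports_db="$1"
    ss_out="$2"
    # Skip the header line and take the port after the last ':' of column 4
    # (works for IPv4 "0.0.0.0:3502", "*:22" and IPv6 "[::]:22" forms).
    printf '%s\n' "$ss_out" | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' |
    while read -r port; do
        printf '%s\n' "$ports_db" | awk -F: -v p="$port" \
            '$1 == p && $3 == "TCP" { print "Warning: TCP port " p " -> " $2 }'
    done
}

check_ports "$BACKDOORPORTS" "$SS_SAMPLE"
```

On a live CentOS 7 host replace the sample with `check_ports "$(cat /usr/local/etc/rkhunter/backdoorports.dat)" "$(ss -lnt)"`, adjusting the path to your --layout.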

cd ..

Install files

Run the installer script with the following parameters to install it under /usr/local.

./ --install --layout /usr/local

You can also use the --examples flag to show more layout information and examples, or the --show option instead of --install to show what would be installed for your layout.

Install Unhide (recommended)

The unhide and unhide-tcp utilities look for hidden processes and ports. While not mandatory, they are highly recommended, as most sophisticated rootkits will hide their presence.

First, we need to install GNU Compiler Collection.

yum install gcc

Install glibc-static, which is needed to build the static binaries.

yum install glibc-static

Compile unhide-linux.

gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux

Compile unhide-tcp.

gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp

Install the files under /usr/local/bin and create a symbolic link to unhide.

cp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide && cd -


In this section I will show some of the options found in the rkhunter.conf file. The options are separated into groups and their descriptions are simplified; read the actual description in the file, and if you are unsure just leave the default, as the default options should be enough. Most of them are commented out.

You are encouraged to do a first run before making the actual changes to the configuration file; this will give you a better understanding of how rkhunter works and let you identify some false positives to be whitelisted in the configuration file.

Just call rkhunter with the -c or --check parameter.

rkhunter -c

Running rkhunter

As you can see in the image above, there will be some warnings about files like egrep or ifup being scripts instead of ELF binaries; however, they are legitimate system files, and most of the options in the configuration file are about how to make rkhunter ignore such occurrences.


The options ENABLE_TESTS and DISABLE_TESTS set which types of tests are to be run: enable all and then disable the undesired ones. It is a good idea to have at least suspscan disabled by default, as it is prone to false positives.



Secure Shell

It's never a good idea to enable root login over SSH; use su/sudo instead. Otherwise, set this to yes.


Version 1 of the SSH protocol is known to be insecure; set this to 1 if you need to ignore this protocol check.


Network ports

Allowed network ports, with the format protocol:port.


Set the whitelist for specific programs with the syntax path_to_binary:protocol:port_number.


Application Version

This option lets you run some outdated applications. This is generally not recommended, and you must be sure that the application is safe before you put it on this list.

APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29


Allow the use of sniffers, software that captures network packets.

Allow the following processes to listen on the network.


This allows the listed network interfaces to run in promiscuous mode.



You will need to create some exceptions to the tests made by rkhunter; the following options let you bypass tests for specific objects, such as files and directories.

Allow some hidden directories.


Allow some hidden files.


This whitelist allows some files to be scripts instead of an ELF binary.


Allow files to be world writable.


Allow files to have attribute changes.


Allow processes to use deleted files.


Log Options

This will define which file to log to.


Set this to 1 if you want to keep logging to the same file every time rkhunter runs; the default is 0, which appends '.old' to the existing log file and creates a new one.


If you want to keep the log file when there is something wrong, set the following option to 1.


Uncomment and set the log facility if you want to use syslog.


By default, whitelisted items will report OK on tests; if you want to highlight whitelisted items you must set this option to 1.


Operating System options

Set the package manager option to RPM on Red Hat like systems, which include CentOS.


Enable this to report a warning when the operating system changes version/release.


Should we update our database when the operating system changes?


Where to find the operating system release file, set to /etc/redhat-release on CentOS.



If you are likely to have more than one rkhunter instance running at the same time, you should enable this option to use lock files and avoid database corruption.


If you enabled the use of locks, you should also set a timeout to avoid deadlocks.


Should we warn about locked sessions?


Startup and Superdaemon

Where the inetd config file is located.


Which services are allowed to run through inetd.

INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd

Xinetd config file.


RC startup file paths.

STARTUP_PATHS=/etc/rc.d /etc/rc.local


The file that contains the shadowed passwords.


Allow user accounts other than root to have UID 0.

UID0_ACCOUNTS=toor rooty

Allow accounts without password.



Syslog config file.


Allow syslog to log remotely.



Report the number of warnings?


Show the total time needed to run the tests?


To receive mail reports when rkhunter finds something, you must set the following options and have a mail application installed.

Who will receive the email.


Which command is used to send the email.

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
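As an added example that is not part of the original article, here is a rkhunter.conf fragment putting the options described above together for a CentOS 7 host. The option names are taken from rkhunter 1.4.x's default rkhunter.conf as I know it (the article omits them, so treat them as assumptions and verify against your own file); the whitelist values are constructed for illustration.

```ini
# Added example rkhunter.conf fragment (not from the article); option names are
# assumed from rkhunter 1.4.x's default config, values are constructed for CentOS 7.

# Tests: enable everything, then drop the false-positive-prone suspscan
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan

# SSH: root login stays disabled in sshd_config, protocol 1 is never ignored
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0

# Whitelist the legitimate shell scripts the first run warned about
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/sbin/ifup
SCRIPTWHITELIST=/usr/sbin/ifdown

# Port whitelist syntax is protocol:port or path_to_binary:protocol:port
# (constructed: a host that really runs an IRC daemon on 6667; do not
# whitelist a backdoor port just to silence a warning you have not investigated)
PORT_WHITELIST=/usr/sbin/ircd:TCP:6667

# Operating-system options for CentOS 7
PKGMGR=RPM
OS_VERSION_FILE=/etc/redhat-release
WARN_ON_OS_CHANGE=1
UPDT_ON_OS_CHANGE=0

# Locking, for hosts where two runs may overlap (e.g. cron plus a manual check)
USE_LOCKING=1
LOCK_TIMEOUT=300
SHOW_LOCK_MSGS=1

# Logging and reporting
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=1
USE_SYSLOG=authpriv.warning
MAIL-ON-WARNING=root@localhost
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
```

After editing, run rkhunter -C to validate the syntax and rkhunter --propupd to rebuild the file properties database, as described in the next section.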

Running rkhunter

OK, at this point you should already have run rkhunter at least once; now take a look at some other flags that can be used with rkhunter.

Check Your Changes

After you are done with the configuration, run rkhunter with the -C or --check-config flag to check for any error in the file.

rkhunter -C

Properties Update

Now, and every time you change the configuration file, make sure to update the file properties database.

rkhunter --propupd

Report Warnings Only.

rkhunter --rwo

Sometimes you want to run only a specific test; for this, try --list tests to get the names of the available tests and then use the --enable flag followed by the test name.

rkhunter --list tests

rkhunter checking network

The following option will disable the key press prompt.

rkhunter --sk

To run rkhunter as a cron job, use the --cronjob flag; create the executable file /etc/cron.daily/ with the following contents to do a daily check.


#!/bin/sh
# Daily rkhunter run: check for a newer rkhunter release, refresh the data
# files, then run all checks in cron mode (no colours, no key-press prompts).
(
  /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob -c
) >> /dev/null 2>&1


This should get you started with rkhunter, providing you with one more security layer. However, it will not be enough if you neglect basic security principles, or if you put every warning you meet on whitelists instead of mitigating the problems. Also keep in mind that rkhunter will help prevent your machines from becoming members of a Linux botnet, but it will not protect your site from being the target of a DDoS campaign. Thanks for reading!


