What is rkhunter?
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by running tests such as:
- MD5 hash comparison of system binaries.
- Looking for default files used by rootkits.
- Checking for wrong file permissions on binaries.
- Looking for suspicious strings in LKM and KLD modules.
- Looking for hidden files.
- Optionally scanning within plaintext and binary files.
Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use. rkhunter requires certain commands to be present in order to execute. Additionally, some tests require specific commands; if these are not present, the test is skipped. rkhunter needs to run under a Bourne-type shell, typically bash or ksh, and can be run as a cron job or from the command line.
How to install rkhunter on Linux.
1. Download the source tarball from SourceForge: http://sourceforge.net/projects/rkhunter/
2. Extract the compressed file and install it (the installer places rkhunter under /usr/local by default).
tar -xzf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install
3. Now you can run rkhunter to scan the server:
rkhunter --check
By default, the log file '/var/log/rkhunter.log' will be created. It contains the results of the checks made by rkhunter.
Command options for rkhunter.
1. --update
This command option causes rkhunter to check if there is a later version of any of its text data files. A command-line web browser, for example wget or lynx, must be present on the system when using this option. It is suggested that this command option is run regularly in order to ensure that the data files are kept up to date. An exit code of zero for this command option means that no updates were available. An exit code of one means that a download error occurred, and a code of two means that no error occurred but updates were available and have been installed.
2. --propupd
One of the checks rkhunter performs is to compare various current file properties of various commands against those it has previously stored. This command option causes rkhunter to update its data file of stored values with the current values. Run it only after a trusted change (such as a package upgrade) so that tampered binaries are not recorded as the new baseline.
3. --versioncheck
This command option causes rkhunter to check if there is a later version of the program. A command-line web browser must be present on the system when using this option.
4. -C, --config-check
This command option causes rkhunter to check its configuration file(s) and then exit. The program will run through its normal configuration checks as specified by the enable and disable options on the command line and in the configuration files. That is, only the configuration options for tests which would normally run are checked. In order to check all the configured options, use the --enable all --disable none options on the command line.
5. -V, --version
This command option causes rkhunter to display its version number and then exit.
6. -h, --help
This command option displays the help screen and then exits.
Enable automatic rkhunter server scanning.
You can add a cron entry that runs rkhunter automatically and sends the scan report to your mail address. Create "/etc/cron.daily/rkhunter.sh" with the following contents and make it executable (chmod +x):
#!/bin/sh
(
/usr/local/bin/rkhunter --check --cronjob
) | /bin/mail -s 'rkhunter Daily Scan Report (ServerName)' [email protected]
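The following is an added example, not code from the original article or the rkhunter project: a cron.daily wrapper that first runs --update, branches on the three exit codes documented in the command options section above, then runs the scan and mails the report only when the data-file update failed or the check found warnings. The RKHUNTER and MAILTO variables, the subject line and the use of mktemp are assumptions; --report-warnings-only and --nocolors are rkhunter's own options, not covered in this article.

```sh
#!/bin/sh
# Added example (not from the original article): run 'rkhunter --update',
# act on its documented exit codes (0 current, 1 download error, 2 updated),
# then run the scan and mail the report only when it needs attention.
# RKHUNTER, MAILTO and the subject line are assumptions for this example.
RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
MAILTO="${MAILTO:-root}"

# Map the exit code of 'rkhunter --update' to a word the script branches on.
update_status() {
    case "$1" in
        0) echo "current" ;;   # no updates were available
        1) echo "error" ;;     # a download error occurred
        2) echo "updated" ;;   # updates were available and installed
        *) echo "unknown" ;;
    esac
}

# Return 0 (mail the report) when the data-file update failed or produced an
# unexpected code, or when the check exited non-zero (rkhunter found warnings).
should_mail() {
    [ "$1" = "error" ] && return 0
    [ "$1" = "unknown" ] && return 0
    [ "$2" -ne 0 ] && return 0
    return 1
}

main() {
    log=$(mktemp) || exit 1
    "$RKHUNTER" --update --nocolors >>"$log" 2>&1
    upd=$(update_status $?)
    "$RKHUNTER" --check --cronjob --report-warnings-only >>"$log" 2>&1
    chk=$?
    if should_mail "$upd" "$chk"; then
        { echo "data files: $upd, check exit code: $chk"; cat "$log"; } |
            /bin/mail -s "rkhunter Daily Scan Report ($(hostname))" "$MAILTO"
    fi
    rm -f "$log"
}

# Run the scan only where rkhunter is actually installed.
[ -x "$RKHUNTER" ] && main
```

A quiet night produces no mail at all, so a missing report means "no warnings", while a download failure of the data files is still reported instead of being silently ignored.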