Linux Scans For Rootkits, Trojans - Install / Configure Rkhunter

What is rkhunter?

rkhunter (Rootkit Hunter) is a Unix tool that scans a host for rootkits, backdoors and possible local exploits. It does this by running tests such as:

- Comparing file hashes (MD5 in the release shown here) of important binaries against stored known-good values.
- Looking for default files and directories used by known rootkits.
- Checking for wrong file permissions on binaries.
- Looking for suspicious strings in loaded LKM (Linux) and KLD (BSD) kernel modules.
- Looking for hidden files.
- Optionally scanning within plaintext and binary files.

Rootkit Hunter is released under the GPL and is free for everyone to use. rkhunter requires certain system commands to be present in order to execute at all. Additionally, some tests require specific commands; if these are not present, the test is skipped and this is reported in the log. rkhunter needs to run under a Bourne-type shell, typically bash or ksh, and must be run as root so that it can read every file it checks. rkhunter can be run as a cron job or from the command line.

How to install rkhunter on Linux.

1. Download the source tarball from SourceForge ‘http://sourceforge.net/projects/rkhunter/’. Version 1.4.0 is the release used in this article; check the project page for the current release.

wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

2. Extract the compressed file and install it.

tar -xzf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install

3. Now, you can run rkhunter to scan the server.

rkhunter --check

By default, the log file '/var/log/rkhunter.log' is created. It contains the results of every check made by RKH, including the tests that were skipped because a required command was missing.
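The three installation steps above, carried out as one script, as an added example that is not part of the original article. It adds the step a practitioner would want before unpacking anything downloaded over plain HTTP: checking the tarball's SHA-256 against the checksum published on the project's release page. The version in RKH_VERSION, the checksum in RKH_SHA256 and the installation prefix /usr/local/bin are assumptions supplied by the operator, not values taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): download the rkhunter tarball,
# verify its SHA-256 before unpacking, install it, take the initial file-property
# baseline and run the first scan.
# Assumptions (not in the article): the operator supplies the release version in
# RKH_VERSION and the published checksum in RKH_SHA256; the mirror URL layout is
# the one used in the article; the installer puts rkhunter in /usr/local/bin.
set -eu

RKH_VERSION="${RKH_VERSION:-1.4.0}"
RKH_SHA256="${RKH_SHA256:-}"   # expected SHA-256 of the tarball, from the release page
RKH_URL="http://downloads.sourceforge.net/project/rkhunter/rkhunter/${RKH_VERSION}/rkhunter-${RKH_VERSION}.tar.gz"

# sha256_of FILE: print the hex SHA-256 of FILE with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED: return 0 if the SHA-256 of FILE equals EXPECTED
# (hex, case-insensitive), 1 otherwise. An empty EXPECTED never verifies, so a
# forgotten checksum cannot silently pass.
verify_checksum() {
    _file="$1"
    _expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -n "$_expected" ] || return 1
    [ "$(sha256_of "$_file")" = "$_expected" ]
}

# install_rkhunter: download, verify, unpack, install, baseline, first scan.
install_rkhunter() {
    workdir="$(mktemp -d)"
    cd "$workdir"
    tarball="rkhunter-${RKH_VERSION}.tar.gz"
    wget -q "$RKH_URL"
    if ! verify_checksum "$tarball" "$RKH_SHA256"; then
        echo "checksum mismatch or RKH_SHA256 unset; refusing to install $tarball" >&2
        return 1
    fi
    tar -xzf "$tarball"
    cd "rkhunter-${RKH_VERSION}"
    ./installer.sh --install
    # Take the baseline only on a host believed to be clean: --propupd stores the
    # current file properties as "known good" for every later --check run.
    /usr/local/bin/rkhunter --propupd
    /usr/local/bin/rkhunter --check --skip-keypress
}

# Run the installer only when explicitly requested and running as root, so the
# helper functions can also be sourced and exercised on their own.
if [ "${RKH_RUN:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ]; then
    install_rkhunter
fi
```

Run it as `RKH_SHA256=<published checksum> RKH_RUN=yes sh install-rkhunter.sh` as root. The baseline taken by --propupd is only as trustworthy as the host at that moment, which is why the script insists on taking it immediately after a verified install rather than later.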

Command options for rkhunter.

1. --update

This command option causes rkhunter to check whether a later version of any of its text data files is available and, if so, to download it. A command-line web browser, for example wget or lynx, must be present on the system when using this option. It is suggested that this option is run regularly so that the data files are kept up to date. The exit code tells you what happened: zero means no updates were available, one means a download error occurred, and two means no error occurred but updates were available and have been installed. A script that calls --update therefore must not treat every non-zero exit code as a failure.

rkhunter --update

2. --propupd

One of the checks rkhunter performs is to compare the current file properties of various commands against those it has previously stored. This command option causes rkhunter to update its data file of stored values with the current values. Run it once immediately after installation, and again after every legitimate package upgrade that changes the monitored binaries, but only on a system you believe to be clean: rkhunter cannot tell whether the files it records are trustworthy, and a baseline taken on a compromised host will hide the compromise from every later check.

rkhunter --propupd

3. --versioncheck

This command option causes rkhunter to check if there is a later version of the program. A command-line web browser must be present on the system when using this option.

rkhunter --versioncheck

4. --config-check

This command option causes rkhunter to check its configuration file(s) and then exit. The program runs through its normal configuration checks as determined by the enable and disable options given on the command line and in the configuration files. That is, only the configuration options for tests which would normally run are checked. To check all the configured options, add --enable all --disable none on the command line.

rkhunter --config-check

5. -V, --version

This command option causes rkhunter to display its version number and exit.

6. -h, --help

This command option displays the help screen and exits.

Enable automatic server rkhunter scanning.

You can add a cron job that runs rkhunter automatically and mails the scan report to your email address. Create “/etc/cron.daily/rkhunter.sh” with the following content and make it executable (chmod 755). On Debian-based systems run-parts skips file names containing a dot, so name the file “/etc/cron.daily/rkhunter” there. The --versioncheck and --update options need outbound network access from the cron environment, and --cronjob already implies --check, --nocolors and --skip-keypress.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --check --cronjob
) | /bin/mail -s 'rkhunter Daily Scan Report (ServerName)' [email protected]
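The script above mails the full output every day regardless of what happened, which trains people to ignore the report. As an added example that is not part of the original article, the following daily job interprets the exit codes described in the option list (0/1/2 for --update, and 0 for no warnings or 1 for warnings from --check) and only sends mail when the operator needs to act. The rkhunter path /usr/local/bin/rkhunter, the use of mail(1) and the recipient in RKH_MAILTO are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): a daily rkhunter job that acts
# on the documented exit codes instead of mailing raw output unconditionally.
# Assumptions (not in the article): rkhunter lives at /usr/local/bin/rkhunter,
# mail(1) is installed, and the recipient is given in RKH_MAILTO.
RKH="${RKH:-/usr/local/bin/rkhunter}"
RKH_MAILTO="${RKH_MAILTO:-root}"
HOST_SHORT="$(hostname -s 2>/dev/null || hostname)"

# describe_update_status CODE: map the --update exit code to a short message.
describe_update_status() {
    case "$1" in
        0) echo "data files already up to date" ;;
        1) echo "download error while updating data files" ;;
        2) echo "data files updated" ;;
        *) echo "unexpected --update exit code $1" ;;
    esac
}

# describe_check_status CODE: --check (and therefore --cronjob) exits 0 when no
# test raised a warning and 1 when at least one did.
describe_check_status() {
    case "$1" in
        0) echo "no warnings" ;;
        1) echo "warnings found, see /var/log/rkhunter.log" ;;
        *) echo "rkhunter failed to run (exit code $1)" ;;
    esac
}

# needs_alert UPDATE_CODE CHECK_CODE: return 0 (true) when the operator should be
# mailed, i.e. the data-file update hit a download error (code 1; code 2 is a
# successful update) or the scan produced warnings or failed to run.
needs_alert() {
    [ "$1" -eq 1 ] || [ "$2" -ne 0 ]
}

# run_daily_scan: update data files, run the scan in cron mode reporting only
# warnings, and mail the report when needs_alert says so.
run_daily_scan() {
    report="$(mktemp)"
    update_rc=0
    "$RKH" --update --nocolors >"$report" 2>&1 || update_rc=$?
    check_rc=0
    "$RKH" --cronjob --report-warnings-only >>"$report" 2>&1 || check_rc=$?

    summary="update: $(describe_update_status "$update_rc"); scan: $(describe_check_status "$check_rc")"
    if needs_alert "$update_rc" "$check_rc"; then
        { echo "$summary"; echo; cat "$report"; } \
            | /bin/mail -s "rkhunter ALERT on $HOST_SHORT" "$RKH_MAILTO"
    else
        # Quiet day: leave a one-line trace for the system log and send nothing.
        logger -t rkhunter "$summary" 2>/dev/null || true
    fi
    rm -f "$report"
}

# Only run the scan where rkhunter is actually installed, so the helper
# functions can be sourced and exercised on any host.
if [ -x "$RKH" ]; then
    run_daily_scan
fi
```

Because the mail is only sent on a download error, a warning or a failed run, an empty inbox now means "checked and clean" rather than "nobody read it". If you still want a daily proof-of-life message, send the one-line summary unconditionally and attach the full report only in the alert case.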

Bobbin Zachariah 12:37 pm

About Bobbin Zachariah

Founder of LinOxide, passionate lover of Linux and technology writer. Started his career in Linux / Open Source in 2000. Loves traveling, blogging and listening to music.
