
Scanning for rootkits and possible exploits – RKHunter

Rootkits are malicious software that intruders install on a server after its security has been breached, in order to keep their access. Once the server is compromised, an intruder can leave malicious programs or back doors behind to retain permanent access to it.

Rootkit Hunter (RKHunter) is a Unix-based tool that scans for such rootkits, backdoors and possible exploits. It also checks the server against a list of known Trojans and viruses.

It is a very good tool for determining whether any of the binaries on your system have been replaced with compromised versions. Note, however, that it does not prevent exploits from being placed on your server; it only informs you when it finds a suspected one.


Installation:

You can get the latest version of rkhunter from http://sourceforge.net/projects/rkhunter/ . Once it is downloaded, extract and install it as below:

tar -zxvf rkhunter-xxx.tar.gz
cd rkhunter-xxx
./installer.sh --install

You will need to update its data files and record a baseline of your system's file properties by running the following commands:

rkhunter --update
rkhunter --propupd

You can then check the integrity of your server by running the following command:

rkhunter -c --rwo --sk

Here -c tells rkhunter to check the local system, --rwo to report warnings only, and --sk to skip the Enter key press that is otherwise required after each set of tests.

It will check your system and the output will be something like below:

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Current permissions: 0644    Stored permissions: 0555
Current inode: 1887328    Stored inode: 1884747
Current size: 0    Stored size: 12736
Current file modification time: 1427239989 (24-Mar-2015 19:33:09)
Stored file modification time : 1354613655 (4-Dec-2012 04:34:15)
Warning: The command '/usr/local/sbin/pkgdb' has been replaced by a script: /usr/local/sbin/pkgdb: Ruby script, ASCII text executable
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555

You can also set up a cron job to scan the server daily and email you the result. Edit the root user's crontab by running the command

crontab -u root -e

and then add the following line:

0 1 * * * rkhunter --update && rkhunter --cronjob --report-warnings-only | mail -s "Rkhunter Log" me@domain.com
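To make that daily mail quick to triage, the helper below condenses rkhunter's --report-warnings-only output into one line per flagged file. This is an added example, not code from the original post or from the rkhunter project. It assumes the output format shown above (the sample input is constructed from that example run), and the rkhunter_daily_report function assumes rkhunter and mail(1) are installed, as in the post; the recipient address is passed in as its argument.

```shell
#!/bin/sh
# Added example (not from the original post or the rkhunter project).
# Condenses `rkhunter --report-warnings-only` output into "<file>: <change>"
# lines so the daily cron mail is quick to triage. Assumes the output format
# shown in the post; the sample below is constructed from that output.

# Sample rkhunter warning output (constructed from the post's example run).
SAMPLE_WARNINGS=$(cat <<'EOF'
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Current permissions: 0644    Stored permissions: 0555
Current inode: 1887328    Stored inode: 1884747
Current size: 0    Stored size: 12736
Current file modification time: 1427239989 (24-Mar-2015 19:33:09)
Stored file modification time : 1354613655 (4-Dec-2012 04:34:15)
Warning: The command '/usr/local/sbin/pkgdb' has been replaced by a script: /usr/local/sbin/pkgdb: Ruby script, ASCII text executable
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555
EOF
)

# Read rkhunter warning text on stdin; print one "<file>: <change>" line per
# finding. Remembers the most recent "File:" line so the property lines that
# follow it are attributed to the right path.
rkhunter_summarize() {
    awk '
        BEGIN { q = sprintf("%c", 39) }   # a literal single quote for the regex below
        /has been replaced by a script:/ {
            # the replaced path is the first single-quoted token on the line
            if (match($0, q "[^" q "]+" q)) {
                f = substr($0, RSTART + 1, RLENGTH - 2)
                print f ": replaced by a script"
            }
            next
        }
        /^File: /               { f = $2; next }
        /^Current hash:/        { print f ": hash changed"; next }
        /^Current permissions:/ { print f ": permissions " $6 " -> " $3; next }
        /^Current size:/        { print f ": size " $6 " -> " $3; next }
    '
}

# Cron target (assumes rkhunter and mail(1) are installed, as in the post).
# Sends mail only when there is at least one finding. Not invoked here.
rkhunter_daily_report() {
    rkhunter --update >/dev/null 2>&1
    summary=$(rkhunter --cronjob --report-warnings-only | rkhunter_summarize)
    if [ -n "$summary" ]; then
        printf '%s\n' "$summary" | mail -s "Rkhunter summary" "$1"
    fi
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WARNINGS" | rkhunter_summarize
```

On the sample this prints seven lines, one per finding (for example "/usr/bin/whoami: size 12736 -> 0"). Note that the current hash shown for whoami in the post's output is the SHA-1 of empty input, which agrees with the reported size of 0: the binary was truncated or emptied, not merely rebuilt. After investigating such warnings and restoring the affected files from your package manager, run rkhunter --propupd again so the baseline matches the repaired system; do that only on a system you trust, because --propupd overwrites the very baseline the comparison depends on.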
