
Scanning for rootkits and possible exploits – RKHunter

Rootkits are malicious software that intruders install to keep access to your server once its security has been breached. After compromising a server, intruders can leave malicious programs or back doors behind so that they retain permanent access to it.

Rootkit Hunter (RKHunter) is a Unix-based tool that scans for such rootkits, backdoors and exploits. It also checks the server against a list of known Trojans and viruses.

It is a very good tool for determining whether any of your binary files have been compromised and replaced on your system. Note, however, that it does not prevent exploits from being placed on your server; it only informs you when it finds a suspected one.


Installation:


You can get the latest version of rkhunter from http://sourceforge.net/projects/rkhunter/ . Once it is downloaded, unpack and install it as below:

tar -zxvf rkhunter-xxx.tar.gz
cd rkhunter-xxx
./installer.sh --install

You will need to update its data files and record the properties of your current binaries by running the following commands:

rkhunter --update
rkhunter --propupd

You can then check the integrity of your server by running the following command:

rkhunter -c --rwo --sk

Here -c says to check the local system, --rwo says to report warnings only and --sk says to skip waiting for the Enter key after each set of tests.

It will check your system and the output will look something like this:

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Current permissions: 0644    Stored permissions: 0555
Current inode: 1887328    Stored inode: 1884747
Current size: 0    Stored size: 12736
Current file modification time: 1427239989 (24-Mar-2015 19:33:09)
Stored file modification time : 1354613655 (4-Dec-2012 04:34:15)
Warning: The command '/usr/local/sbin/pkgdb' has been replaced by a script: /usr/local/sbin/pkgdb: Ruby script, ASCII text executable
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555

You can also set up a cron job to scan the server daily and email you the result. Edit the root user's crontab by running

crontab -u root -e

and then add the following line:

0 1 * * * rkhunter --update && rkhunter --cronjob --report-warnings-only | mail -s "Rkhunter Log" me@domain.com
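As an added example (not code from the original article), here is a small wrapper for the same daily check that only sends mail when rkhunter actually reports warnings, and that summarises which files were flagged. The sample output it parses is constructed from the warning lines shown above; MAILTO is assumed to hold the recipient.

```shell
#!/bin/sh
# Added example, not from the original article: run the article's daily
# checks, mail only when warnings were reported, and list the flagged files.

# Sample --report-warnings-only output, constructed from the article's warning
# lines, so the parsing functions can be exercised without rkhunter installed.
SAMPLE_OUTPUT="Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555"

# Number of warning lines on stdin (prints 0, not an error, when there are none).
warning_count() {
    grep -c '^Warning:' || true
}

# Paths rkhunter complained about, one per line, de-duplicated. "Replaced by a
# script" warnings carry the path inside quotes; "file properties have changed"
# warnings put it on the following "File:" line.
flagged_files() {
    sed -n \
        -e "s/^Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p" \
        -e 's/^File: *\(.*\)$/\1/p' | sort -u
}

# Daily run: refresh the data files, scan, mail on warnings. The update is not
# chained with && because rkhunter --update exits non-zero (2) when it installed
# new data files, which would otherwise skip the scan on exactly those days.
daily_report() {
    rkhunter --update >/dev/null 2>&1
    out=$(rkhunter --cronjob --report-warnings-only 2>&1)
    n=$(printf '%s\n' "$out" | warning_count)
    [ "$n" -eq 0 ] && return 0          # clean run: nothing to send
    {
        echo "rkhunter reported $n warning(s) on $(hostname); flagged files:"
        printf '%s\n' "$out" | flagged_files
        echo
        echo "Full output:"
        printf '%s\n' "$out"
    } | mail -s "Rkhunter Log $(hostname)" "${MAILTO:-root}"
    return 1
}

# Invoke as "sh rkhunter-daily.sh run" from cron; without "run" it only defines
# the functions so they can be tried against a saved log.
if [ "${1:-}" = run ]; then daily_report; fi
```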
