
Scanning for rootkits and possible exploits – RKHunter

Rootkits are malicious software that intruders install on a server after they have breached its security, so that they keep access to it. Once a server has been compromised, the intruder can leave such software or back doors behind to retain permanent access.

Rootkit Hunter (RKHunter) is a Unix-based tool that scans for known rootkits, backdoors and exploits. It also checks the server against a list of known Trojans and viruses.

It is a very good tool for determining whether any of your binary files have been compromised and replaced on your system. Note, however, that it does not prevent exploits from being placed on your server; it only informs you when it finds a suspected one.


Installation:


You can get the latest version of rkhunter from http://sourceforge.net/projects/rkhunter/ . Once it is downloaded, unpack and install it as below:

tar -zxvf rkhunter-xxx.tar.gz
cd rkhunter-xxx
./installer.sh --install

You will need to update its database by running the following commands:

rkhunter --update
rkhunter --propupd

--propupd records the current properties (hash, permissions, inode, size, modification time) of the monitored files as the baseline that later scans are compared against, so run it only on a system you trust to be clean, typically right after installation.

You can then check the integrity of your server by running the following command:

rkhunter -c --rwo --sk

Here -c tells it to check the local system, --rwo (--report-warnings-only) to report warnings only, and --sk (--skip-keypress) not to wait for the Enter key after each set of tests.

It will check your system and the output will be something like below:

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Current permissions: 0644    Stored permissions: 0555
Current inode: 1887328    Stored inode: 1884747
Current size: 0    Stored size: 12736
Current file modification time: 1427239989 (24-Mar-2015 19:33:09)
Stored file modification time : 1354613655 (4-Dec-2012 04:34:15)
Warning: The command '/usr/local/sbin/pkgdb' has been replaced by a script: /usr/local/sbin/pkgdb: Ruby script, ASCII text executable
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555
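Reading such a report by hand gets tedious once the warnings pile up, so the following is a small added POSIX shell helper (not part of the original article or of rkhunter itself) that turns --rwo output into one line per affected file. It distinguishes binaries that have been replaced by a script from files whose stored properties differ, and additionally flags files whose current size is 0. The embedded sample is constructed from the report above; note that its current hash for /usr/bin/whoami, da39a3ee5e6b4b0d3255bfef95601890afd80709, is the SHA-1 of empty input, which together with the size of 0 says the binary was truncated rather than merely modified.

```shell
#!/bin/sh
# Constructed sample of 'rkhunter -c --rwo --sk' output, taken from the report
# shown in the article; this is test data, not a live scan.
rkh_sample_output() {
    cat <<'EOF'
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Current permissions: 0644    Stored permissions: 0555
Current size: 0    Stored size: 12736
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555
EOF
}

# Summarise --rwo output read from stdin as "<TYPE> <path>" lines:
#   REPLACED  a command has been replaced by a script
#   CHANGED   stored file properties no longer match
#   EMPTIED   the file's current size is 0 (binary truncated or blanked)
rkh_summarize() {
    awk -v q="'" '
        /^Warning: The command / {
            split($0, part, q)            # part[2] is the single-quoted path
            print "REPLACED " part[2]
            next
        }
        /^Warning: The file properties have changed/ { pending = 1; next }
        pending && /^File: / {
            file = $2                      # path follows the "File:" label
            print "CHANGED " file
            pending = 0
            next
        }
        file != "" && (/^Current size: 0 / || /^Current size: 0$/) {
            print "EMPTIED " file
            next
        }
    '
}

# Number of individual warnings in a --rwo report read from stdin.
rkh_warning_count() {
    grep -c '^Warning:'
}

# Stand-alone demo: summarise the constructed sample.
rkh_sample_output | rkh_summarize
```

In practice you would feed it the saved scan log (for example `rkh_summarize < /var/log/rkhunter.log`) and treat every REPLACED or EMPTIED path as a file to compare against the package manager's copy before trusting the host again.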

You can also set up a cron job that scans the server daily and emails you the result. Edit the root user's crontab by running the command

crontab -u root -e

and then add the following line

0 1 * * * rkhunter --update && rkhunter --cronjob --report-warnings-only | mail -s "Rkhunter Log" me@domain.com
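The one-liner above mails the output of every run, warnings or not, and silently skips the scan if --update fails. The following is an added wrapper script (my own, not from the article or the rkhunter project) that keeps the log on disk and mails only when the scan exits non-zero, which rkhunter does whenever any test produced a warning (--cronjob implies --check, --skip-keypress and --nocolors). The rkhunter and mail commands, the log path and the recipient address are taken from environment variables with assumed defaults so they can be overridden; me@domain.com is the placeholder address from the article.

```shell
#!/bin/sh
# Daily rkhunter wrapper for root's crontab, e.g.:
#   0 1 * * * /usr/local/sbin/rkhunter-daily.sh run
# All of the following are assumed defaults, override them via the environment.
RKHUNTER="${RKHUNTER:-rkhunter}"                       # rkhunter binary
MAILER="${MAILER:-mail}"                               # mail(1)-compatible command
REPORT_TO="${REPORT_TO:-me@domain.com}"                # placeholder from the article
LOGFILE="${LOGFILE:-/var/log/rkhunter-daily.log}"      # where the scan output goes

# Run the update and the scan; return the scan's exit status (0 = no warnings).
rkh_daily_scan() {
    host=$(uname -n)

    # A stale test database is itself worth a mail, but it should not stop the scan.
    if ! "$RKHUNTER" --update >/dev/null 2>&1; then
        printf 'rkhunter --update returned an error on %s\n' "$host" |
            "$MAILER" -s "Rkhunter: update problem on $host" "$REPORT_TO"
    fi

    # --cronjob = --check --skip-keypress --nocolors; keep only warnings in the log.
    "$RKHUNTER" --cronjob --report-warnings-only >"$LOGFILE" 2>&1
    status=$?

    # rkhunter exits non-zero when at least one test warned: mail the log then.
    if [ "$status" -ne 0 ]; then
        "$MAILER" -s "Rkhunter: warnings on $host (exit $status)" "$REPORT_TO" <"$LOGFILE"
    fi
    return "$status"
}

# Only run the scan when invoked with the "run" argument (as in the cron line above),
# so that the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    rkh_daily_scan
fi
```

Because the scan's exit status is returned to cron, a non-zero status also shows up in cron's own logging, which gives you a second signal if the mail itself gets lost.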
