
Scanning for rootkits and possible exploits – RKHunter

Rootkits are malicious software that intruders install on a server once its security has been breached, so that they can keep getting in. After a compromise, intruders can leave such malicious software or back doors on your server to regain access at any time.

Rootkit Hunter (RKHunter) is a Unix-based tool that scans for such rootkits, backdoors and exploits. It also checks the server against a list of known Trojans and viruses.

It is a very good tool for determining whether any of the binary files on your system have been replaced with compromised copies. Note, however, that it does not prevent exploits from being placed on your server; it only informs you when it finds a suspected exploit.

Installation:
You can get the latest version of rkhunter from http://sourceforge.net/projects/rkhunter/ . Once it is downloaded, unpack and install it as below:

tar -zxvf rkhunter-xxx.tar.gz
cd rkhunter-xxx
./installer.sh --install

You will need to update its data files and record the baseline file properties by running the following commands (--propupd should be run on a system you know to be clean, and again after a legitimate package upgrade, since otherwise every later scan reports the upgraded files as changed):

rkhunter --update
rkhunter --propupd

You can then check the integrity of your server by running the following command:

rkhunter -c --rwo --sk

Here -c says to check the local system, --rwo says to report warnings only and --sk says to skip having to press the Enter key after each set of tests.

It will check your system and the output will be something like below:

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
File: /usr/bin/whoami
Current hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Stored hash : 60cf45f93270253bfb804779eac64ab701a98928
Current permissions: 0644    Stored permissions: 0555
Current inode: 1887328    Stored inode: 1884747
Current size: 0    Stored size: 12736
Current file modification time: 1427239989 (24-Mar-2015 19:33:09)
Stored file modification time : 1354613655 (4-Dec-2012 04:34:15)
Warning: The command '/usr/local/sbin/pkgdb' has been replaced by a script: /usr/local/sbin/pkgdb: Ruby script, ASCII text executable
Warning: The file properties have changed:
File: /usr/local/bin/curl
Current permissions: 0666    Stored permissions: 0555

You can also set up a cron job that scans the server daily and emails you the result. Edit the root user's crontab by running the command

crontab -u root -e

and then add the following line:

0 1 * * * rkhunter --update && rkhunter --cronjob --report-warnings-only | mail -s "Rkhunter Log" me@domain.com
