Detect Rootkits with RKHunter.

  11 Dec 2015


One of the first things to do after installing a server is to set up a rootkit detection tool, so that a compromise of the system binaries has a chance of being noticed. This article shows how to install RKHunter (Rootkit Hunter), a well-known rootkit detector, from source on Linux. The installation and test were done on CentOS 6.7; the installer puts everything under /usr/local, so the same steps apply on other distributions, although many of them also ship rkhunter as a package.

  1. Download the source. The mirror below serves the tarball over plain HTTP, so before extracting it compare its checksum with the value the project publishes alongside the release instead of trusting the download on its own.

     $cd /usr/src
     $curl -O http://jaist.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
       % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                      Dload  Upload   Total   Spent    Left  Speed
     100  271k  100  271k    0     0  1203k      0 --:--:-- --:--:-- --:--:-- 1749k
    
  2. Extract source files.

     $tar -xvzf rkhunter-1.4.2.tar.gz
     rkhunter-1.4.2/
     rkhunter-1.4.2/files/
     rkhunter-1.4.2/files/LICENSE
     rkhunter-1.4.2/files/README
     rkhunter-1.4.2/files/ACKNOWLEDGMENTS
     rkhunter-1.4.2/files/rkhunter.8
     rkhunter-1.4.2/files/suspscan.dat
     rkhunter-1.4.2/files/filehashsha.pl
     rkhunter-1.4.2/files/programs_bad.dat
     rkhunter-1.4.2/files/i18n/
     rkhunter-1.4.2/files/i18n/zh
     rkhunter-1.4.2/files/i18n/tr
     rkhunter-1.4.2/files/i18n/de
     rkhunter-1.4.2/files/i18n/cn
     rkhunter-1.4.2/files/i18n/zh.utf8
     rkhunter-1.4.2/files/i18n/en
     rkhunter-1.4.2/files/i18n/tr.utf8
     rkhunter-1.4.2/files/rkhunter.conf
     rkhunter-1.4.2/files/signatures/
     rkhunter-1.4.2/files/signatures/RKH_dso.ldb
     rkhunter-1.4.2/files/signatures/RKH_Glubteba.ldb
     rkhunter-1.4.2/files/signatures/RKH_sniffer.ldb
     rkhunter-1.4.2/files/signatures/RKH_shv.ldb
     rkhunter-1.4.2/files/signatures/RKH_libkeyutils1.ldb
     rkhunter-1.4.2/files/signatures/RKH_libkeyutils.ldb
     rkhunter-1.4.2/files/signatures/RKH_sshd.ldb
     rkhunter-1.4.2/files/signatures/RKH_xsyslog.ldb
     rkhunter-1.4.2/files/signatures/RKH_turtle.ldb
     rkhunter-1.4.2/files/signatures/RKH_kbeast.ldb
     rkhunter-1.4.2/files/signatures/RKH_libncom.ldb
     rkhunter-1.4.2/files/signatures/RKH_pamunixtrojan.ldb
     rkhunter-1.4.2/files/signatures/RKH_jynx.ldb
     rkhunter-1.4.2/files/backdoorports.dat
     rkhunter-1.4.2/files/FAQ
     rkhunter-1.4.2/files/mirrors.dat
     rkhunter-1.4.2/files/rkhunter.spec
     rkhunter-1.4.2/files/contrib/
     rkhunter-1.4.2/files/contrib/rkhunter_remote_howto.txt
     rkhunter-1.4.2/files/contrib/run_rkhunter.sh
     rkhunter-1.4.2/files/contrib/README.txt
     rkhunter-1.4.2/files/rkhunter
     rkhunter-1.4.2/files/CHANGELOG
     rkhunter-1.4.2/files/stat.pl
     rkhunter-1.4.2/files/check_modules.pl
     rkhunter-1.4.2/files/readlink.sh
     rkhunter-1.4.2/installer.sh
    
  3. Install rkhunter.

     /usr/src/rkhunter-1.4.2$ ./installer.sh --install
     Checking system for:
      Rootkit Hunter installer files: found
      A web file download command: wget found
     Starting installation:
      Checking installation directory "/usr/local": it exists and is writable.
      Checking installation directories:
       Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK
       Directory /usr/local/share/man/man8: exists and is writable.
       Directory /etc: exists and is writable.
       Directory /usr/local/bin: exists and is writable.
       Directory /usr/local/lib64: exists and is writable.
       Directory /var/lib: exists and is writable.
       Directory /usr/local/lib64/rkhunter/scripts: creating: OK
       Directory /var/lib/rkhunter/db: creating: OK
       Directory /var/lib/rkhunter/tmp: creating: OK
       Directory /var/lib/rkhunter/db/i18n: creating: OK
       Directory /var/lib/rkhunter/db/signatures: creating: OK
      Installing check_modules.pl: OK
      Installing filehashsha.pl: OK
      Installing stat.pl: OK
      Installing readlink.sh: OK
      Installing backdoorports.dat: OK
      Installing mirrors.dat: OK
      Installing programs_bad.dat: OK
      Installing suspscan.dat: OK
      Installing rkhunter.8: OK
      Installing ACKNOWLEDGMENTS: OK
      Installing CHANGELOG: OK
      Installing FAQ: OK
      Installing LICENSE: OK
      Installing README: OK
      Installing language support files: OK
      Installing ClamAV signatures: OK
      Installing rkhunter: OK
      Installing rkhunter.conf: OK
     Installation complete
    
  4. Add a daily cron job. Save the script below as /etc/cron.daily/rkhunter, make it executable, and replace admin@emailaddress with the address that should receive the reports. Note that --versioncheck and --update always print something, so this job sends a mail every day even when --report-warnings-only found nothing.

     root@localhost:/etc/cron.daily# cat rkhunter
     #!/bin/sh
     ( /usr/local/bin/rkhunter --versioncheck
     /usr/local/bin/rkhunter --update
     /usr/local/bin/rkhunter --cronjob --report-warnings-only
     ) | /usr/bin/mail -s "rkhunter Report - `date +%D`" admin@emailaddress
    
  5. First run.

     Once everything is installed, check that the installed version is current:

     $rkhunter --versioncheck

     Update the rkhunter data files (mirror list, known-bad program and backdoor-port lists):

     $rkhunter --update

     Run yum update so that the system binaries are in their final state. Only then record the baseline of file properties (hashes, sizes, permissions, and so on) that later scans are compared against:

     $rkhunter --propupd

     The baseline is only as trustworthy as the system at the moment it is taken: run --propupd on a freshly installed host you have reason to trust, and run it again after every package update, otherwise legitimately changed binaries show up as warnings, while a baseline taken on an already compromised host would simply hide the compromise.

     Finally, scan for rootkits:

     $rkhunter -c

     or, to skip the keypress prompts between test groups and report warnings only:

     $rkhunter -c --sk --rwo

     The details behind each warning are written to the log file, /var/log/rkhunter.log by default.
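As an added example, not code from the original post or from the rkhunter project, here is one way to tie the steps above together in a single wrapper script: a checksum check for the downloaded tarball (step 1), a sub-command for taking the baseline (step 5), and a cron body that can replace the one in step 4 and mails only when the scan actually produced warnings. It assumes rkhunter was installed by installer.sh --install into /usr/local as shown, the default log path /var/log/rkhunter.log, and placeholders for the recipient address and the expected checksum (take the real value from the project's release page). The output returned by sample_output is constructed to match rkhunter's line format and is not from a real run.

```shell
#!/bin/sh
# Added example, not code from the original post or from the rkhunter project.
# Assumptions: rkhunter installed by installer.sh --install into /usr/local,
# the default log path, and placeholders for the mail recipient and the
# tarball checksum (take the real value from the project's release page).
set -u

RKHUNTER=/usr/local/bin/rkhunter
LOGFILE=/var/log/rkhunter.log          # rkhunter's default LOGFILE
MAILTO=admin@emailaddress              # placeholder, as in the cron job above

# verify_tarball FILE EXPECTED_SHA256
# Compare a downloaded release tarball with a checksum obtained out of band
# before extracting or installing it. Exit status 0 on match, 1 otherwise.
verify_tarball() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# extract_warnings: read rkhunter output (stdout of --rwo, or lines from
# rkhunter.log) on stdin and print only the "Warning: ..." lines, with the
# "[HH:MM:SS]" log timestamp stripped so both sources look the same.
extract_warnings() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*//; /^Warning: /p'
}

# count_warnings: number of warning lines on stdin (0 for empty input).
count_warnings() {
    extract_warnings | awk 'END { print NR }'
}

# run_check: the cron job body. Refresh the data files, run the check
# non-interactively and mail a report only when there is something to read,
# so that a daily "nothing found" mail does not teach the recipient to
# ignore the one that matters. Returns 1 when warnings were found.
run_check() {
    "$RKHUNTER" --update >/dev/null 2>&1
    # --cronjob implies --check, --skip-keypress and --nocolors;
    # --report-warnings-only limits stdout to the warnings.
    warnings=$("$RKHUNTER" --cronjob --report-warnings-only 2>&1 | extract_warnings)
    if [ -n "$warnings" ]; then
        printf '%s\n\nDetails: %s\n' "$warnings" "$LOGFILE" |
            /usr/bin/mail -s "rkhunter warnings on $(hostname) $(date +%F)" "$MAILTO"
        return 1
    fi
    return 0
}

# Constructed sample output (made up here, not captured from a real run),
# in the shape rkhunter uses, to exercise the parser offline.
sample_output() {
    printf '%s\n' \
        "[10:00:01] Info: Starting test name 'system_commands'" \
        "Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable" \
        "[10:00:03] Warning: Hidden directory found: /dev/.udev" \
        "[10:00:04] Info: Rootkit checks finished"
}

main() {
    case "$1" in
        verify)
            verify_tarball "$2" "$3" && echo "checksum OK" ||
                { echo "checksum MISMATCH, do not extract" >&2; return 1; } ;;
        baseline)
            # Only on a host you already trust, and again after each yum update.
            "$RKHUNTER" --propupd ;;
        cron)     run_check ;;
        demo)     sample_output | extract_warnings ;;
        *) echo "usage: $0 verify FILE SHA256 | baseline | cron | demo" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Install it somewhere like /usr/local/sbin and call it as `rkhunter-wrap.sh verify rkhunter-1.4.2.tar.gz <sha256>` after the download, `rkhunter-wrap.sh baseline` after yum update, and `rkhunter-wrap.sh cron` from /etc/cron.daily in place of the inline mail pipeline; `demo` shows what the parser extracts from the constructed sample.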
