Checking for rootkits, exploits and backdoors with Rootkit Hunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and local exploits. It does this by comparing MD5 hashes of important system binaries with known-good values from an online database, and by looking for default rootkit files and directories, wrong permissions, hidden files, and suspicious strings in kernel modules. It should run on almost every Unix-like system. Keep in mind that it runs on top of the host's own binaries and kernel, so a rootkit that has already subverted those can hide from it: treat a clean run as evidence, not proof.

Installation notes:

  • Download the gzipped tarball, extract it and run the installation script.
    # wget http://downloads.rootkit.nl/rkhunter-.tar.gz
    # tar -xvzf rkhunter-.tar.gz
    # cd rkhunter
    # ./installer.sh
    
  • Or you can build an RPM from the rkhunter.spec file included in the tarball and install your own package.
    # rpmbuild -ta rkhunter-.tar.gz
    

    If you are lazy, you can install the prebuilt 1.2.8-1 RPM via:

    # rpm -Uvh http://linuxweblog.com/downloads/packages/rkhunter/rkhunter-1.2.8-1.noarch.rpm
    
  • Test the installation by running a full interactive scan (-c is --checkall):
    # rkhunter -c
    
  • Create (or update) the daily cron job in "/etc/cron.daily/01-rkhunter" so that each run checks for a new rkhunter version, refreshes the hash database and then scans, mailing the output to root:
    #!/bin/sh
    (
    /usr/bin/rkhunter --versioncheck
    /usr/bin/rkhunter --update
    /usr/bin/rkhunter --cronjob
    ) | /bin/mail -s 'rkhunter Daily Run' root
    
  • You can customize the default configurations by editing "/etc/rkhunter.conf".
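As an added example (not from the original post), here is a fuller version of that cron script: it runs the same three commands, writes their output to a dated log instead of only mailing it, puts the scan result in the mail subject so a warning is not lost among identical daily mails, and mails an error instead of silently doing nothing when the rkhunter binary is missing. The RKHUNTER, LOGDIR, MAILCMD and MAILTO variables, the log location, and the assumption that a finding shows up in --cronjob output as a line containing "warning" are my choices, not something rkhunter defines.

```sh
#!/bin/sh
# /etc/cron.daily/01-rkhunter
# Daily rkhunter wrapper. Added example, not part of the original post or
# of rkhunter itself. The variables below and the log layout are assumptions;
# override them from the environment if your paths differ.

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
LOGDIR="${LOGDIR:-/var/log/rkhunter}"
MAILCMD="${MAILCMD:-/bin/mail}"
MAILTO="${MAILTO:-root}"

umask 077   # the scan output describes the host in detail; keep logs root-only

# notify SUBJECT: mail stdin to $MAILTO; if no mailer is available, write the
# report to stderr so cron still records it.
notify() {
    if command -v "$MAILCMD" >/dev/null 2>&1; then
        "$MAILCMD" -s "$1" "$MAILTO"
    else
        printf '%s\n' "$1" >&2
        cat >&2
    fi
}

# rkhunter_scan LOG: version check, database update, then the scan, with all
# output written to LOG (one file per day, overwritten on a second run).
# Returns 0 for a clean scan, 1 if the scan section contains a warning line,
# 2 if rkhunter cannot be executed at all.
rkhunter_scan() {
    log="$1"
    [ -x "$RKHUNTER" ] || return 2
    {
        echo "== versioncheck"; "$RKHUNTER" --versioncheck
        echo "== update";       "$RKHUNTER" --update
        echo "== cronjob";      "$RKHUNTER" --cronjob
    } > "$log" 2>&1
    # Only the scan section counts (the marker keeps version-check chatter
    # out of the match). Assumption: a finding contains the word "warning".
    if sed -n '/^== cronjob$/,$p' "$log" | grep -qi 'warning'; then
        return 1
    fi
    return 0
}

main() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/rkhunter-$(date +%Y%m%d).log"
    rc=0
    rkhunter_scan "$log" || rc=$?
    case $rc in
        0) subject='rkhunter Daily Run: OK' ;;
        1) subject='rkhunter Daily Run: WARNINGS, inspect this host' ;;
        *) subject="rkhunter Daily Run: ERROR, $RKHUNTER not executable"
           log= ;;   # nothing was written, so attach no log
    esac
    {
        printf '%s\n\n' "$subject"
        [ ! -f "$log" ] || cat "$log"
    } | notify "$subject"
    return $rc
}

# Run the job only when installed under the cron.daily name used in the post;
# sourcing this file from elsewhere just defines the functions above.
case "${0##*/}" in
    01-rkhunter) main ;;
esac
```

Install it as /etc/cron.daily/01-rkhunter and make it executable; the exit status of the script is the scan result, so a wrapper or monitoring job can also pick it up without parsing the mail.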


Better Way

Use the EPEL package repository for pulling the RPMs of rkhunter.

http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

Then just set your email address in /etc/sysconfig/rkhunter

Package managers were invented for a reason! Kind of ironic how this is a security thread too ;)

rkhunter on plesk servers

rkhunter can be installed via the Plesk watchdog module and can be run from the command line:

/opt/psa/admin/sbin/modules/watchdog/rkhunter --configfile /opt/psa/etc/modules/watchdog/rkhunter.conf -c

For the others who don't use

For the others who don't use a Linux system that uses these packages, here is how to install from source -> http://www.vinno.net/linux/server/how-to-install-root-kit-hunter

FedoraCore6 rkhunter rpm

If you are lazy, you can get the rpm via:

# wget http://www.linuxweblog.com/downloads/packages/fc6/rkhunter-1.2.9-1.noarch.rpm

md5sum: ad9da1cd575f52619ee537c16d34d463

rkhunter in fedora core

rkhunter is now available in the yum extras repository.

# yum install rkhunter

easy rkhunter in CentOS 4.4

# cd /etc/yum.repos.d/
# wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
# yum --enablerepo=kbs-CentOS-Extras install rkhunter
