Those Linux servers you have chugging away need rootkit checks as well. Fortunately there is a simple tool to help you in your quest for server security nirvana. This tool is Rootkit Hunter. It’s easy to install, easy to use, checks deep into your system, and offers outstanding reporting.

Rootkit Hunter supports all Linux distributions and most BSD distributions. Rootkit Hunter will test your system against:

• MD5 hash comparisons
• Default files used by rootkits
• Incorrect binary filepermissions
• Suspected strings in LKM and KLD modules
• Hidden files

RKhunter can also do optional scans within plaintext and binary files for even more complete checks.

Installing

Most distributions will include rkhunter in their standard repositories so you should be able to locate it with your Add/Remove Software utility. Open this tool up, do a search for “rkhunter”, select the results, and apply the changes. Once rkhunter is installed you are ready to check.

Usage

Rootkit Hunter is a command line tool so you will first need to open up a terminal window. You will need root access to run the command. The basic usage is:

rkhunter [OPTIONS]

A basic check is issued like so:

rkhunter –check

As the check runs you will see output like this:

Checking the network…

[Press <ENTER> to continue]

As each portion of the test completes you will have to hit enter to continue on to the next portion. A very nice feature of rkhunter is you know, as the test runs, if you do or do not have a root kit on your machine. During the group and accounts check on a Fedora machine I came across this:

Performing group and account checks
Checking for passwd file                                                 [ Found ]
Checking for root equivalent (UID 0) accounts            [ None found ]
Checking for passwordless accounts                              [ None found ]
Checking for passwd file changes                                  [ Warning ]
Checking for group file changes                                     [ Warning ]
Checking root account shell history files                       [ OK ]

A warning should be examined, but in this case it is no root kit.

Once the test runs the results will be quite clear. The most telling section of the results is:

Rootkit checks…
Rootkits checked : 68
Possible rootkits: 0

This machine is clear.

There are other options for testing. One particular option you should run every so often (maybe even creating a cron job for it) is the –update option. This option checks to see if there is a later verion of rkhunters’ text data files. This is critical especially when new (or new versions) of root kits are released into the wild.

Final Thoughts

If you are serious about security, and you have a Linux machine on your network, make sure you install rkhunter and use it often. You and your network will remain happy and healthy.

Related posts

• How to scan your Linux-Distro for Root Kits (2)
• Yoggie PICO Personal Mobile Security Computer (3)
• World of Warcraft hackers using Sony BMG rootkit (0)
• With Ubuntu 9.10 Arrives Wubi 9.10 (2)
• Widgets for Linux: SuperKaramba (6)