Check for root kits with rkhunter
Security means everything when it comes to your data. And for many, doing everything that is possible is still not enough. For most, the checking ends at viruses, malware, and port scans. To think this is enough is a mistake. Rootkits are some of the most dangerous security threats around. No matter what your server OS, it is crucial to make sure there are no rootkits tucked away on your servers.
Those Linux servers you have chugging away need rootkit checks as well. Fortunately there is a simple tool to help you in your quest for server security nirvana. This tool is Rootkit Hunter. It's easy to install, easy to use, checks deep into your system, and offers outstanding reporting.
Rootkit Hunter supports all Linux distributions and most BSD distributions. Rootkit Hunter will test your system against:
- MD5 hash comparisons
- Default files used by rootkits
- Incorrect binary file permissions
- Suspected strings in LKM and KLD modules
- Hidden files
RKhunter can also do optional scans within plaintext and binary files for even more complete checks.
Installing
Most distributions will include rkhunter in their standard repositories so you should be able to locate it with your Add/Remove Software utility. Open this tool up, do a search for "rkhunter", select the results, and apply the changes. Once rkhunter is installed you are ready to check.
Usage
Rootkit Hunter is a command line tool so you will first need to open up a terminal window. You will need root access to run the command. The basic usage is:
rkhunter [OPTIONS]
A basic check is issued like so:
rkhunter --check
As the check runs you will see output like this:
Checking the network...
Performing check for backdoor ports
Checking for UDP port 2001                              [ Not found ]
Checking for TCP port 2006                              [ Not found ]
Checking for TCP port 2128                              [ Not found ]
Checking for TCP port 14856                             [ Not found ]
Checking for TCP port 47107                             [ Not found ]
Checking for TCP port 60922                             [ Not found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces                     [ None found ]
[Press <ENTER> to continue]
As each portion of the test completes you will have to hit Enter to continue on to the next portion. A very nice feature of rkhunter is that you know, as the test runs, whether or not you have a rootkit on your machine. During the group and account checks on a Fedora machine I came across this:
Performing group and account checks
Checking for passwd file                                                [ Found ]
Checking for root equivalent (UID 0) accounts           [ None found ]
Checking for passwordless accounts                             [ None found ]
Checking for passwd file changes                                 [ Warning ]
Checking for group file changes                                    [ Warning ]
Checking root account shell history files                      [ OK ]
A warning should be examined, but in this case it is no root kit.
Once the test runs the results will be quite clear. The most telling section of the results is:
Rootkit checks...
Rootkits checked : 68
Possible rootkits: 0
This machine is clear.
There are other options for testing. One particular option you should run every so often (maybe even creating a cron job for it) is the --update option. This option checks to see if there is a later version of rkhunter's text data files. This is critical, especially when new rootkits (or new versions of existing ones) are released into the wild.
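The interactive scan above stops at every "[Press <ENTER> to continue]" prompt, which is no use from cron. The following wrapper is an added example and not part of the original article: it refreshes the data files, runs the check unattended, and pulls the "[ Warning ]" lines out of captured output so the cron mail only lists what needs a look. It assumes rkhunter is installed and the script runs as root; the flags --update, --check, --skip-keypress, --report-warnings-only and --nocolors are rkhunter's own, and the sample output embedded below is constructed to match the format the article shows.

```shell
#!/bin/sh
# Added example (not the article's or rkhunter's own code): run rkhunter
# the way a cron job would and summarise its warnings.
# Assumes: rkhunter on PATH, run as root. SAMPLE_OUTPUT is constructed.

# Refresh rkhunter's data files, then scan without the "[Press <ENTER>]"
# pauses and with only the results that need attention.
run_scan() {
    rkhunter --update
    rkhunter --check --skip-keypress --report-warnings-only --nocolors
}

# Count the "[ Warning ]" results in captured rkhunter output.
# grep -c exits 1 when the count is 0, so "|| true" keeps the count usable.
count_warnings() {
    printf '%s\n' "$1" | { grep -c '\[ Warning \]' || true; }
}

# Print the names of the checks that warned (text before the result column).
warned_checks() {
    printf '%s\n' "$1" | awk -F'[[]' '/\[ Warning \]/ {
        sub(/[ \t]+$/, "", $1); print $1 }'
}

# Constructed sample in the layout rkhunter prints, for offline use.
SAMPLE_OUTPUT='Checking for passwd file                                 [ Found ]
Checking for root equivalent (UID 0) accounts             [ None found ]
Checking for passwd file changes                          [ Warning ]
Checking for group file changes                           [ Warning ]
Checking root account shell history files                 [ OK ]'

# "./rkhunter-cron.sh scan" runs the real scan; with no argument the
# parsing helpers are exercised on the constructed sample.
case "${1:-}" in
    scan)
        run_scan ;;
    *)
        echo "warnings in sample output: $(count_warnings "$SAMPLE_OUTPUT")"
        warned_checks "$SAMPLE_OUTPUT" ;;
esac
```

For a real deployment, capture the output of run_scan to a file and feed it to warned_checks; the two passwd and group warnings in the sample are the kind the article describes, which after you have confirmed the change was your own can be cleared by letting rkhunter re-record the file properties with its --propupd option.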
Final Thoughts
If you are serious about security, and you have a Linux machine on your network, make sure you install rkhunter and use it often. You and your network will remain happy and healthy.
Running rkhunter -c for the first time gives me a warning on the following files:
/usr/sbin/unhide
/usr/sbin/unhide-linux26
Is this normal, or is it something that requires further attention?
TNX