Security means everything when it comes to your data. And for many, doing everything that is possible is still not enough. For most the checking ends at viruses, malware, and portscans. To think this is enough is a mistake. Rootkits are some of the most dangerous security threats around. No matter what your server OS, it is crucial to make sure there are no rootkits tucked away on your servers.
Those Linux servers you have chugging away need rootkit checks as well. Fortunately there is a simple tool to help you in your quest for server security nirvana. This tool is Rootkit Hunter. It's easy to install, easy to use, checks deep into your system, and offers outstanding reporting.
Rootkit Hunter supports all Linux distributions and most BSD distributions. Rootkit Hunter will test your system against:
rkhunter can also optionally scan plaintext and binary files for an even more thorough check.
Most distributions will include rkhunter in their standard repositories so you should be able to locate it with your Add/Remove Software utility. Open this tool up, do a search for "rkhunter", select the results, and apply the changes. Once rkhunter is installed you are ready to check.
Rootkit Hunter is a command line tool so you will first need to open up a terminal window. You will need root access to run the command. The basic usage is:
A basic check is issued like so:
As the check runs you will see output like this:
Checking the network...
Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
[Press <ENTER> to continue]
As each portion of the test completes you will have to hit Enter to continue on to the next portion. A very nice feature of rkhunter is that you know, as the test runs, whether or not you have a rootkit on your machine. During the group and account checks on a Fedora machine I came across this:
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ OK ]
A warning should always be examined, but in this case it is not a rootkit.
Once the test runs the results will be quite clear. The most telling section of the results is:
Rootkits checked : 68
Possible rootkits: 0
This machine is clear.
There are other options for testing. One particular option you should run every so often (maybe even creating a cron job for it) is the --update option. This option checks to see if there is a later version of rkhunter's text data files. This is critical, especially when new rootkits (or new versions of existing ones) are released into the wild.
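The following wrapper is an added example, not part of the original article or of the rkhunter project: it runs the data-file update and then a non-interactive check the way a cron job would, and parses the report for lines rkhunter marked "[ Warning ]". It assumes rkhunter is installed and the script runs as root. The options it passes (--update, --check, --sk to skip the "Press ENTER" pauses, --rwo to report warnings only) are real rkhunter options; the function names and the sample report text are constructed here.

```shell
#!/bin/sh
# Added example (not from the article): cron-friendly rkhunter wrapper.
# Assumes rkhunter is installed and that this runs as root.

# Count report lines rkhunter flagged as "[ Warning ]" (report on stdin).
# grep -c exits 1 when nothing matches but still prints 0, hence "|| true".
count_warnings() {
    grep -c '\[ Warning \]' || true
}

# Print just the check names that produced a warning (status column stripped).
list_warnings() {
    grep '\[ Warning \]' | sed -e 's/[[:space:]]*\[ Warning \]//' -e 's/^[[:space:]]*//'
}

# Refresh rkhunter's data files, then scan without keypress pauses.
# rkhunter uses exit status 2 from --update to signal that updates were
# applied, so only status 1 is treated as a failure here.
run_scan() {
    rc=0
    rkhunter --update >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "rkhunter --update failed" >&2
        return 1
    fi
    # --sk: skip "[Press <ENTER> to continue]"; --rwo: print warnings only,
    # so an empty report means a clean run.
    rkhunter --check --sk --rwo
}

# Constructed sample report (modelled on the article's output), used when
# rkhunter is not available so the parsing can still be exercised.
SAMPLE_REPORT='Checking for passwd file                                 [ Found ]
Checking for root equivalent (UID 0) accounts            [ None found ]
Checking for passwordless accounts                       [ None found ]
Checking for passwd file changes                         [ Warning ]
Checking for group file changes                          [ Warning ]
Checking root account shell history files                [ OK ]'

main() {
    if command -v rkhunter >/dev/null 2>&1; then
        # rkhunter returns non-zero when it has warnings; keep the report anyway.
        report=$(run_scan) || true
    else
        echo "rkhunter not installed; parsing constructed sample report" >&2
        report=$SAMPLE_REPORT
    fi
    n=$(printf '%s\n' "$report" | count_warnings)
    echo "warnings: $n"
    [ "$n" -eq 0 ] || printf '%s\n' "$report" | list_warnings
}

main "$@"
```

Drop the script into a daily cron entry and mail or log its output; a non-empty warning list is what should page someone. The two "file changes" warnings shown in the article are the kind that appear when rkhunter's stored file properties are older than a legitimate system change (a package update touching /etc/passwd, for instance); after you have confirmed the change is expected, rkhunter's --propupd option re-baselines that database so the next run is quiet again. rkhunter also ships a --cronjob option that bundles the non-interactive settings if you prefer it to the explicit flags above.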
If you are serious about security, and you have a Linux machine on your network, make sure you install rkhunter and use it often. You and your network will remain happy and healthy.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.