Linux: How to Install Rootkit Hunter (rkhunter)


We make an example with Centos 5 32bits.

Step 1: Install EPEL Repository

yum install epel-release
[root@tutorialspots ~]# yum install epel-release
Loaded plugins: fastestmirror, protectbase, replace
Loading mirror speeds from cached hostfile
 * addons: mirror.steadfast.net
 * base: mirror.steadfast.net
 * extras: mirror.steadfast.net
 * updates: mirror.steadfast.net
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-comp
lete-transaction first to finish them.
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package epel-release.noarch 0:5-4 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch             Version         Repository        Size
================================================================================
Installing:
 epel-release           noarch           5-4             extras            12 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 12 k
Is this ok [y/N]: y
Downloading Packages:
epel-release-5-4.noarch.rpm                              |  12 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : epel-release                                             1/1

Installed:
  epel-release.noarch 0:5-4

Complete!

Step 2: Installation Rootkit Hunter

yum -y install rkhunter
[root@tutorialspots ~]# yum -y install rkhunter
Loaded plugins: fastestmirror, protectbase, replace
Loading mirror speeds from cached hostfile
 * addons: mirror.steadfast.net
 * base: mirror.steadfast.net
 * epel: mirrors.cat.pdx.edu
 * extras: mirror.steadfast.net
 * updates: mirror.steadfast.net
epel                                                     | 3.6 kB     00:00
epel/primary_db                                          | 2.5 MB     00:00
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-comp
lete-transaction first to finish them.
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package rkhunter.noarch 0:1.4.0-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch             Version               Repository      Size
================================================================================
Installing:
 rkhunter           noarch           1.4.0-1.el5           epel           202 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 202 k
Downloading Packages:
rkhunter-1.4.0-1.el5.noarch.rpm                          | 202 kB     00:00
warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID 217521f6
epel/gpgkey                                              | 1.7 kB     00:00
Importing GPG key 0x217521F6 "Fedora EPEL <epel@fedoraproject.org>" from /etc/pk
i/rpm-gpg/RPM-GPG-KEY-EPEL
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : rkhunter                                                 1/1

Installed:
  rkhunter.noarch 0:1.4.0-1.el5

Complete!

Step 3: Update Database

rkhunter --update

rkhunter update

[root@tutorialspots ~]# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ Updated ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]

Step 4: Update system file properties

rkhunter --propupd
[root@tutorialspots ~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.0 ]
File created: searched for 166 files, found 135

Installation is done!

Usage

Manual Scan:

rkhunter -c
[root@tutorialspots ~]# rkhunter -c
[ Rootkit Hunter version 1.4.0 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/GET                                             [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/locate                                          [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lynx                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
...
[Press <ENTER> to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Not found ]
    Devil RootKit                                            [ Not found ]
    Dica-Kit Rootkit                                         [ Not found ]
    Dreams Rootkit                                           [ Not found ]
    Duarawkz Rootkit                                         [ Not found ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    Fu Rootkit                                               [ Not found ]
    Fuck`it Rootkit                                          [ Not found ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Not found ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Jynx Rootkit                                             [ Not found ]
    KBeast Rootkit                                           [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Not found ]
    Lockit / LJK2 Rootkit                                    [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Not found ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Not found ]
    R3dstorm Toolkit                                         [ Not found ]
    RH-Sharpe's Rootkit                                      [ Not found ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Not found ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Not found ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Not found ]
    Suckit Rootkit                                           [ Not found ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Not found ]
    T0rn Rootkit                                             [ Not found ]
    trNkit Rootkit                                           [ Not found ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]

[Press <ENTER> to continue]


  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]
  Performing trojan specific checks
    Checking for enabled xinetd services                     [ Warning ]
    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ Warning ]
    Checking kernel module names                             [ Skipped ]

[Press <ENTER> to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    Checking for hidden ports                                [ Skipped ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for a system logging configuration file         [ Found ]
    Checking if SSH root access is allowed                   [ Not set ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
    Files checked: 135
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 310
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 12 minutes and 25 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

Note: after installation, it will create automatically the file /etc/cron.daily/rkhunter with content:

#!/bin/sh
# 01-rkhunter  A shell script to update and run rkhunter via CRON

XITVAL=0

# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1

if [ ! -e /var/lock/subsys/rkhunter ]; then

  # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
  /bin/touch /var/lock/subsys/rkhunter

  # Source system configuration parameters.
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    MAILTO=root@localhost
  fi

  # If a diagnostic mode scan was requested, setup the parameters
  if [ "$DIAG_SCAN" == "yes" ]; then
    RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --
display-logfile"
  else
    RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
  fi

  # Set a few critical parameters
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter/rkhunter.log

  # Run RootKit Hunter if available
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ----------
-----------" \
      > $TMPFILE1
    /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan -----------
-----------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan ------------
-----------" \
      >> $TMPFILE1

    if [ $XITVAL != 0 ]; then
         /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $
MAILTO
    fi
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi

  # Delete the gating lockfile
  /bin/rm -f /var/lock/subsys/rkhunter
fi

# Delete the secure tempfile
/bin/rm -f $TMPFILE1

exit $XITVAL

If you don’t want to use this cronjob (daily), you can delete this file.

Related Post

, , ,

No comments yet.

Leave a Reply