This example uses CentOS 5 32-bit (2016) and CentOS 7 64-bit (2019).
Step 1: Install EPEL Repository
yum install epel-release
[root@tutorialspots ~]# yum install epel-release
Loaded plugins: fastestmirror, protectbase, replace
Loading mirror speeds from cached hostfile
 * addons: mirror.steadfast.net
 * base: mirror.steadfast.net
 * extras: mirror.steadfast.net
 * updates: mirror.steadfast.net
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package epel-release.noarch 0:5-4 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch         Version          Repository          Size
================================================================================
Installing:
 epel-release         noarch       5-4              extras              12 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 12 k
Is this ok [y/N]: y
Downloading Packages:
epel-release-5-4.noarch.rpm                              |  12 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : epel-release                                             1/1

Installed:
  epel-release.noarch 0:5-4

Complete!
Step 2: Install Rootkit Hunter
yum -y install rkhunter
Result for CentOS 5
[root@tutorialspots ~]# yum -y install rkhunter
Loaded plugins: fastestmirror, protectbase, replace
Loading mirror speeds from cached hostfile
 * addons: mirror.steadfast.net
 * base: mirror.steadfast.net
 * epel: mirrors.cat.pdx.edu
 * extras: mirror.steadfast.net
 * updates: mirror.steadfast.net
epel                                                     | 3.6 kB     00:00
epel/primary_db                                          | 2.5 MB     00:00
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package rkhunter.noarch 0:1.4.0-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version              Repository         Size
================================================================================
Installing:
 rkhunter         noarch        1.4.0-1.el5          epel              202 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 202 k
Downloading Packages:
rkhunter-1.4.0-1.el5.noarch.rpm                          | 202 kB     00:00
warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID 217521f6
epel/gpgkey                                              | 1.7 kB     00:00
Importing GPG key 0x217521F6 "Fedora EPEL <epel@fedoraproject.org>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : rkhunter                                                 1/1

Installed:
  rkhunter.noarch 0:1.4.0-1.el5

Complete!
Result for CentOS 7
[root@tutorialspots ~]# yum -y install rkhunter
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                     |  15 kB     00:00
 * base: mirror.fileplanet.com
 * epel: mirrors.cat.pdx.edu
 * extras: mirror.fileplanet.com
 * remi-safe: mirror.xeonbd.com
 * updates: mirror.keystealth.org
base                                                     | 3.6 kB     00:00
epel                                                     | 5.4 kB     00:00
extras                                                   | 3.4 kB     00:00
mariadb                                                  | 2.9 kB     00:00
nodesource                                               | 2.5 kB     00:00
remi-safe                                                | 3.0 kB     00:00
updates                                                  | 3.4 kB     00:00
(1/9): base/7/x86_64/group_gz                            | 166 kB     00:01
(2/9): extras/7/x86_64/primary_db                        | 205 kB     00:01
(3/9): nodesource/x86_64/primary_db                      |  60 kB     00:00
(4/9): epel/x86_64/updateinfo                            | 995 kB     00:02
(5/9): mariadb/primary_db                                |  49 kB     00:01
(6/9): epel/x86_64/primary_db                            | 6.8 MB     00:03
(7/9): remi-safe/primary_db                              | 1.6 MB     00:02
(8/9): updates/7/x86_64/primary_db                       | 7.4 MB     00:05
(9/9): base/7/x86_64/primary_db                          | 6.0 MB     00:42
Resolving Dependencies
--> Running transaction check
---> Package rkhunter.noarch 0:1.4.6-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version              Repository         Size
================================================================================
Installing:
 rkhunter         noarch        1.4.6-1.el7          epel              207 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 207 k
Installed size: 848 k
Downloading packages:
rkhunter-1.4.6-1.el7.noarch.rpm                          | 207 kB     00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : rkhunter-1.4.6-1.el7.noarch                                  1/1
  Verifying  : rkhunter-1.4.6-1.el7.noarch                                  1/1

Installed:
  rkhunter.noarch 0:1.4.6-1.el7

Complete!
Step 3: Update the rkhunter database
rkhunter --update
Result for CentOS 5
[root@tutorialspots ~]# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ Updated ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]
Result for CentOS 7
[root@tutorialspots ~]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Updated ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]
  Checking file i18n/ja                                      [ Updated ]
Step 4: Record the system file properties (baseline)
rkhunter --propupd
Result for CentOS 5
[root@tutorialspots ~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.0 ]
File created: searched for 166 files, found 135
Result for CentOS 7
[root@tutorialspots ~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 175 files, found 131
Installation is done!
Usage
Manual scan:
rkhunter -c
Result for CentOS 5
[root@tutorialspots ~]# rkhunter -c
[ Rootkit Hunter version 1.4.0 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/GET                                             [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/locate                                          [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lynx                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    ...

[Press <ENTER> to continue]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Not found ]
    Devil RootKit                                            [ Not found ]
    Dica-Kit Rootkit                                         [ Not found ]
    Dreams Rootkit                                           [ Not found ]
    Duarawkz Rootkit                                         [ Not found ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    Fu Rootkit                                               [ Not found ]
    Fuck`it Rootkit                                          [ Not found ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Not found ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Jynx Rootkit                                             [ Not found ]
    KBeast Rootkit                                           [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Not found ]
    Lockit / LJK2 Rootkit                                    [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Not found ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Not found ]
    R3dstorm Toolkit                                         [ Not found ]
    RH-Sharpe's Rootkit                                      [ Not found ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Not found ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Not found ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Not found ]
    Suckit Rootkit                                           [ Not found ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Not found ]
    T0rn Rootkit                                             [ Not found ]
    trNkit Rootkit                                           [ Not found ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]

[Press <ENTER> to continue]

  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]

  Performing trojan specific checks
    Checking for enabled xinetd services                     [ Warning ]
    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ Warning ]
    Checking kernel module names                             [ Skipped ]

[Press <ENTER> to continue]

Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    Checking for hidden ports                                [ Skipped ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for a system logging configuration file         [ Found ]
    Checking if SSH root access is allowed                   [ Not set ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

[Press <ENTER> to continue]

System checks summary
=====================

File properties checks...
    Files checked: 135
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 310
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 12 minutes and 25 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
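The scan summary only says that warnings exist and points at /var/log/rkhunter/rkhunter.log. The following POSIX sh script is an added example, not part of this tutorial or of rkhunter, that pulls the distinct "Warning:" lines out of that log so each one is reviewed; the sample log it runs on is constructed to mirror the warnings seen above (xinetd service, kernel modules, passwd/group changes), and the log path is the default one printed by the scan.

```shell
#!/bin/sh
# Added example, not part of the tutorial: pull the distinct "Warning:" lines
# out of the rkhunter log so each one gets reviewed rather than lost in the
# full scan output. Default path is the one printed in the scan summary.
RKH_LOG=${RKH_LOG:-/var/log/rkhunter/rkhunter.log}

# Print each distinct warning with the "[HH:MM:SS] Warning:" prefix removed.
# Status lines such as "Checking loaded kernel modules [ Warning ]" are not
# matched; only the explanatory "Warning:" lines rkhunter writes below them.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*] *Warning: *//p' "$1" | sort -u
}

# Number of distinct warnings in the log (0 means a clean scan).
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log modelled on the warnings in the scan above
# (enabled xinetd service, kernel modules, passwd/group file changes).
rkh_sample_log() {
    cat <<'EOF'
[10:22:38] Info: Starting system checks
[10:22:39]   Checking for enabled xinetd services             [ Warning ]
[10:22:39] Warning: Found enabled xinetd service: /etc/xinetd.d/rsync
[10:22:41]   Checking loaded kernel modules                   [ Warning ]
[10:22:41] Warning: The kernel modules' loaded file '/proc/modules' could not be found.
[10:22:45] Warning: The file properties have changed: File: /etc/passwd
[10:22:45] Warning: The file properties have changed: File: /etc/group
[10:22:45] Warning: The file properties have changed: File: /etc/passwd
EOF
}

# Report on one log file; exit status is non-zero when warnings exist, so
# the function can gate a cron job or a configuration-management run.
rkh_report() {
    n=$(rkh_warning_count "$1")
    echo "$n distinct warning(s) in $1"
    rkh_warnings "$1" | sed 's/^/  - /'
    [ "$n" -eq 0 ]
}

# Demo against the constructed sample; pass a real path to run on a live log:
#   rkh_report "$RKH_LOG"
sample=$(mktemp) && rkh_sample_log > "$sample"
rkh_report "$sample" || echo "Review the warnings above before the next --propupd."
rm -f "$sample"
```

Expect "file properties have changed" warnings after every package update until you confirm the update was legitimate and re-run rkhunter --propupd, which refreshes the baseline recorded in Step 4.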
Note: the installation automatically creates the file /etc/cron.daily/rkhunter with the following content:
#!/bin/sh
# 01-rkhunter     A shell script to update and run rkhunter via CRON

XITVAL=0

# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1

if [ ! -e /var/lock/subsys/rkhunter ]; then
    # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
    /bin/touch /var/lock/subsys/rkhunter

    # Source system configuration parameters.
    if [ -e /etc/sysconfig/rkhunter ] ; then
        . /etc/sysconfig/rkhunter
    else
        MAILTO=root@localhost
    fi

    # If a diagnostic mode scan was requested, setup the parameters
    if [ "$DIAG_SCAN" == "yes" ]; then
        RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
    else
        RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
    fi

    # Set a few critical parameters
    RKHUNTER=/usr/bin/rkhunter
    LOGFILE=/var/log/rkhunter/rkhunter.log

    # Run RootKit Hunter if available
    if [ -x $RKHUNTER ]; then
        /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
            > $TMPFILE1
        /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
        /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
            >> $TMPFILE1
        /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
        XITVAL=$?
        /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
            >> $TMPFILE1
        if [ $XITVAL != 0 ]; then
            /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
        fi
        /bin/cat $TMPFILE1 >> $LOGFILE
    fi

    # Delete the gating lockfile
    /bin/rm -f /var/lock/subsys/rkhunter
fi

# Delete the secure tempfile
/bin/rm -f $TMPFILE1

exit $XITVAL
If you do not want this daily cron job, delete that file.