Hopefully, between good administration and maintenance
practices, an effective firewall and a solid intrusion detection
system you shouldn't have any problem with break-ins. But the world
being what it is, even the unlikely can happen. To periodically
check to see if all your security measures are holding up, a tool
that checks for a compromised system is also a must have. One of
the better tools to do this is called 'RootKit Hunter'.
RootKit Hunter is a command-line utility that will search your
machine for malicious binaries - also known as 'rootkits' - which
will let the bad guys (or gals) get 'root' on your machine. As you
know by now, with root privileges, your machine is theirs. You have
been '0wn3d', as they say in cracker land. RootKit Hunter is
available at: http://www.rootkit.nl/projects/rootkit_hunter.html
Installation is easy. Just unpack the tarball and run the
install script provided. To run the utility, just do the
following:
rkhunter -c --createlogfile
This will check everything and create a log file in /var/log/
called rkhunter.log
Essentially, the utility has two main functions. One is to look
for rootkits (logically) on the system. The other is to check
binaries and other files for evidence of tampering and
vulnerabilities. It will even inform you about bad practices. For
example, if it finds that your SSH configuration file allows root
logins, it will warn you. It will also track down suspicious
looking dot files and tell you about those.
The tool is interactive, meaning that by default, you need to
push enter after the phases of checking are completed. However, you
can run it from a cron job and disable this interactive mode.
The best way to approach using this is to install it and use it
directly after a clean install of the entire operating system. Then
use it periodically. It's a good idea to run it right before you
update your system after security alerts. When you run it
subsequently, you should be on the alert for false positives, as
RootKit Hunter makes hash checks of your binaries. A system update
could theoretically set off an alert, as the checksums on the updated
binaries will change.
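To tie the cron-job advice and the false-positive caveat together, here is an added wrapper script (mine, not the article's and not part of the rkhunter project). It assumes rkhunter accepts --cronjob (non-interactive check) and --propupd (refresh the file-properties baseline), and that warning lines in the log carry the text "Warning:"; the sample log it parses is constructed, not real rkhunter output.

```shell
#!/bin/sh
# Added example: run rkhunter non-interactively from cron and turn the
# log it writes into something a job can act on.
# Assumptions: --cronjob and --propupd exist; log warnings contain "Warning:".

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"   # path from the article

# Print the number of "Warning:" lines in a log file (0 if unreadable).
count_warnings() {
    [ -r "$1" ] || { printf '0\n'; return 0; }
    grep -c 'Warning:' "$1" || true      # grep -c prints 0 but exits 1 on no match
}

# Print only the warning lines, for mailing or forwarding to a log collector.
warning_lines() {
    grep 'Warning:' "$1" || true
}

# Non-interactive scan: --cronjob skips the keypress between check phases.
run_scan() {
    rkhunter --cronjob --createlogfile
}

# After a deliberate package update, re-baseline the file hashes so the
# next scan does not flag the new binaries (the false positive the article
# warns about). Only do this once you trust the update.
refresh_baseline() {
    rkhunter --propupd
}

# Write a constructed sample log (not real rkhunter output) to $1, used to
# exercise the parsing functions without a running scan. Note that the
# "[ Warning ]" status line has no colon and is not counted twice.
write_sample_log() {
    cat > "$1" <<'EOF'
[10:15:01] Starting checks (constructed sample)
[10:15:09]   /usr/bin/ssh                                  [ Warning ]
[10:15:09] Warning: The file properties have changed: /usr/bin/ssh
[10:15:12] Warning: The SSH configuration option 'PermitRootLogin' allows root logins
[10:15:20] System checks summary
EOF
}

# Cron entry point: `sh rkhunter-cron.sh scan`. Exits non-zero when the
# log contains warnings, so cron reports the failed job.
case "${1:-}" in
    scan)
        run_scan || true          # rkhunter may exit non-zero on warnings; the log decides
        n=$(count_warnings "$RKHUNTER_LOG")
        [ "$n" -eq 0 ] || { warning_lines "$RKHUNTER_LOG"; exit 1; }
        ;;
    rebaseline) refresh_baseline ;;
esac
```

Run `sh rkhunter-cron.sh rebaseline` once after a trusted update, then `scan` from cron; anything the scan prints is the list of warning lines to investigate.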