Checking for damage with rootkit hunter

Rob

Damage Checking and Control with RootKit Hunter

Hopefully, between good administration and maintenance practices, an effective firewall and a solid intrusion detection system, you shouldn't have any problem with break-ins. But the world being what it is, even the unlikely can happen. To periodically check whether all your security measures are holding up, a tool that checks for a compromised system is also a must-have. One of the better tools for this is called 'RootKit Hunter'.

RootKit Hunter is a command-line utility that will search your machine for malicious binaries - also known as 'rootkits' - which let the bad guys (or gals) get 'root' on your machine. As you know by now, with root privileges, your machine is theirs. You have been '0wn3d', as they say in cracker land. RootKit Hunter is available at: http://www.rootkit.nl/projects/rootkit_hunter.html

Installation is easy. Just unpack the tarball and run the install script provided. To run the utility, just do the following:
Code:
rkhunter -c --createlogfile

This will check everything and create a log file in /var/log/ called rkhunter.log.
Essentially, the utility has two main functions. One is (logically) to look for rootkits on the system. The other is to check binaries and other files for evidence of tampering and vulnerabilities. It will even inform you about bad practices. For example, if it finds that your SSH configuration file allows root logins, it will warn you. It will also track down suspicious-looking dot files and tell you about those.

The tool is interactive, meaning that by default you need to press Enter after each phase of checking is completed. However, you can run it from a cron job and disable this interactive mode.

The best way to approach this is to install it and use it directly after a clean install of the entire operating system. Then use it periodically. It's a good idea to run it right before you update your system after security alerts. When you run it subsequently, you should be on the alert for false positives, as RootKit Hunter makes hash checks of your binaries. A system update could theoretically set off an alert, as the checksums of the binaries should change.

Their website seems to be a dead link, but the Ubuntu repository lists their homepage at SourceForge now:
Code:
Package: rkhunter
Architecture: all
Version: 1.4.6-8
Priority: optional
Section: universe/admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian Security Tools <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 1081
Pre-Depends: debconf (>= 0.5) | debconf-2.0
Depends: binutils, file, lsof, net-tools, ucf (>= 0.28), perl:any
Recommends: bsd-mailx | mailutils | s-nail | mailx, default-mta | mail-transport-agent, e2fsprogs, iproute2, unhide, unhide.rb, wget | curl
Suggests: liburi-perl, libwww-perl, powermgmt-base
Filename: pool/universe/r/rkhunter/rkhunter_1.4.6-8_all.deb
Size: 212864
MD5sum: 2ca62bed8d95c27504a1e3bcdc6373a4
SHA1: d109f2cf16ce4d548d9ae263a4095dd7c9eb1048
SHA256: 9b58f058e1abb0d412a29f08d3547770d396d2c00e13929fe7ecfb0edae8907c
Homepage: http://rkhunter.sourceforge.net

It might be good to know in case you're kind of paranoid and don't trust the package manager version for whatever reason.
 
rkhunter is a nice little scanner. There is one command that is important when using rkhunter:

Code:
rkhunter --propupd

Because rkhunter compares the current system state to the last checked one, each time one updates the system and runs rkhunter it will generate false positives. The command above should be run after each system update to let rkhunter add the system changes to its database. Obviously, as with any scanner, rkhunter is only as good as the system admin ;)
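As an added example (mine, not code from the original post or from the rkhunter project), here is a small POSIX shell script that puts the two pieces of advice in this thread together: the unattended cron run with interactive mode disabled that the first post mentions, and the "check before you re-baseline with --propupd" point from the post above. It also pulls the warnings out of rkhunter.log so a cron mail carries only what needs a human's attention. Assumptions not stated on the page: rkhunter 1.4.x, whose manual documents --cronjob (implies --check, --skip-keypress and --nocolors), --rwo, --appendlog, --update and --propupd; the default log file /var/log/rkhunter.log; and an apt-based distribution such as Mint for the update step. The sample log lines embedded in rkh_sample_log are constructed to match the shape of rkhunter.log and are not from a real scan.

```shell
#!/bin/sh
# Added example, not code from the original post or from the rkhunter project.
# Wraps rkhunter for unattended use and pulls the warnings out of its log.
# Assumptions (mine, not stated on the page): rkhunter 1.4.x options
# --cronjob, --rwo, --appendlog, --update, --propupd as documented in
# rkhunter(8); log file /var/log/rkhunter.log; apt for the update step.

LOG=${RKHUNTER_LOG:-/var/log/rkhunter.log}

# Number of "Warning:" entries in an rkhunter log (0 when there are none).
rkh_warning_count() {
    # grep -c prints 0 but exits 1 when nothing matches; that is not an error here
    grep -c '\] Warning:' "$1" || true
}

# Paths named in "File:" lines, i.e. binaries whose stored properties no longer
# match: the post-update false positives the posts talk about, or a real tamper.
rkh_changed_files() {
    sed -n 's/^\[[0-9:]*\] *File: //p' "$1"
}

# Print every warning together with its indented continuation lines (timestamp,
# then at least nine spaces), and nothing else: that is all a cron mail needs.
rkh_report() {
    awk '/\] Warning:/ { show = 1; print; next }
         show && /^\[[0-9:]+\]         / { print; next }
         { show = 0 }' "$1"
}

# Unattended scan for a cron job: refresh rkhunter's own data files, then scan
# with no key presses, printing warnings only. rkhunter exits 0 when nothing
# was found and 1 when a warning was raised, so both the output and the exit
# status flag a hit.
rkh_cron_scan() {
    rkhunter --update --nocolors
    rkhunter --cronjob --rwo --appendlog
}

# Do not re-baseline blindly: scan BEFORE the update, so that --propupd never
# records a box that was already compromised as the known-good state. Only
# after a clean scan update the packages and store the new file properties.
rkh_update_system() {
    if ! rkhunter --cronjob --rwo; then
        echo "rkhunter raised warnings; review $LOG before updating or re-baselining" >&2
        return 1
    fi
    apt-get update && apt-get -y upgrade   # assumption: Debian-derived system
    rkhunter --propupd
}

# Constructed sample in the shape of rkhunter.log lines (not a real scan), so
# the parsing functions above can be tried without rkhunter installed.
rkh_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[13:21:41] Info: Starting the file properties checks...
[13:21:41]   /usr/bin/ls                                    [ OK ]
[13:21:41]   /usr/bin/ps                                    [ Warning ]
[13:21:41] Warning: The file properties have changed:
[13:21:41]          File: /usr/bin/ps
[13:21:41]          Current hash: 6a1b0c2d
[13:21:41]          Stored hash : 9f0c4e7a
[13:21:42]   Checking if SSH root access is allowed         [ Warning ]
[13:21:42] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[13:21:42]          The default value may be 'yes', to allow root access.
[13:21:43] Info: End date is Mon Jan  1 13:21:43 2024
EOF
    echo "$f"
}

case "${1:-}" in
    scan)   rkh_cron_scan ;;
    update) rkh_update_system ;;
    report) rkh_report "${2:-$LOG}" ;;
    demo)   f=$(rkh_sample_log); rkh_report "$f"; rkh_changed_files "$f"; rm -f "$f" ;;
    *)      ;;   # no verb: only define the functions (for sourcing)
esac
```

Run `sh rkh.sh demo` to see the parser on the constructed sample, `sh rkh.sh scan` from cron, and `sh rkh.sh update` instead of a bare upgrade. Two things reduce the post-update noise further: setting `PKGMGR=DPKG` in rkhunter.conf makes rkhunter verify files against the package database instead of only its own stored hashes, and on Debian-derived systems (Mint included) `/etc/default/rkhunter` has `APT_AUTOGEN`, which runs `--propupd` automatically after apt installs packages. Neither replaces the scan-before-update step: whatever state exists when `--propupd` runs becomes the new baseline.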
 
I am new to Linux (LM22). Reading about Linux I was under the impression that with the Firewall ON AND with common sense use of the Internet and email, Linux was far more secure than other OS's (primarily Microsoft products).

I have read many times here and around the Internet that the Firewall ON should be all I need. Especially as the type of user I am.

Since I turned my Firewall ON, literally the first action after installing LM22, I felt this should be all that was needed.

I came across this thread while doing my "homework" about Linux and a couple of things struck me.

Original post on this thread: 2013.
First response six years later: 2019.
Next, five more years (2024) for a comment on a product that hasn't been updated since 2018. This also included that "if I do not trust" the Package Manager version, give RKHunter a spin. I'm not sure I want to try a security product that has not been updated recently. But I do like to be prepared.

Any comments on the product in LM22 Software Manager, Chkrootkit?

The other thing I find interesting is, while the original post was informative as to locating rootkits, other damage, or threats, what do I do IF I need to clean up something? Since these products do not seem to address this (at least before installing their product), where do I find this type of info?

I realize that the rootkit cleanup topic could be huge. Could the answer be just have planned safe data storage and just Clone a clean, up to date OS over the mess?
 
I have read many times here and around the Internet that the Firewall ON should be all I need. Especially as the type of user I am.

You should be fine but there's no harm in checking if things seem unusual.

Also, this is a very old thread. You'd be better off just starting a new thread of your own.
 
