Today's article has you checking your computer for rootkits.

KGIII

The tool we'll use is rkhunter. It's fairly easy and straightforward.


Feedback is always welcome.

Edit: It's worth scrolling through to page #2 where there's a link to an article that's written better than my own. It's much more thorough and I'm okay with admitting that. I tend to do lighter articles and shorter articles.
 


captain-sensible

One thing you can run is:
Code:
[[email protected]:~][130]$ sudo rkhunter --update                                              (07-12 16:59)
[sudo] password for andrew:
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update
...................

Also, chkrootkit is an alternative.

If your "8 maybe false +ve" is an actual output then it would be interesting for us; if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve, maybe we could all discuss and learn.


Also, if you look at my post on clamav, I have included an ignore flag for, say, /proc/ because my understanding is that files can be infected, but that a virtual representation of a file cannot?

Also, if clamav is used to run through a virtual representation of a file system, that can sometimes flag up false +ve's.


Is that, do you think, also the case with rkhunter?
 

f33dm3bits

Is rkhunter still of any use? The last update was in 2018 according to the changelog, or are all the rkhunter data files still getting updated on a regular basis? I just ran it once and mine shows this. I ran it once and I get a few warnings, but that's because you should actually run rkhunter with the --propupd option when you first install your system. As well as some warnings about a configuration option for sshd, but nothing to worry about since most distributions set a default when the setting hasn't been specifically set.
 

captain-sensible

That might explain why, on running rkhunter --update, I never saw an update. With the AUR they flag pkgs as outdated. I haven't got around to finding a pacman way to check if pkgs don't get updated, except by looking in /var/cache/pacman/pkg and noticing when I run pacman -Syu.

I use paccache to clean out the cache but retain at least two versions.
 

f33dm3bits

I didn't get any updates with the update flag either. I removed it again since I never had it installed before, I had just installed it to try it again after having read @KGIII's article.
 

captain-sensible

I've had a go installing chkrootkit from the AUR but got an error with a key missing. I guess I will have to look at alternatives for rkhunter; it can't find today's rootkits if it's not updated to know about them. At least with clamav you can see newly created viruses are added to the virus sigs when you run freshclam.
 

KGIII

if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve and maybe we could all discuss and learn

LOL That'd be an article far longer than I normally write. I try to keep 'em all under a 5 minute read, 'cause people don't read much more than that. They're things like a /.java directory, Thunderbird, Filezilla, Chrome all eating more memory than it likes, that sort of stuff.

the last update was in 2018

Now that I didn't notice. It was 'next' in my list of notes, so it got written. I did not check that. Good catch!
 

captain-sensible

Maybe you could distill it down to concepts; guidelines to help identify, say, the main differences between a false +ve and a possible genuine rootkit.

Maybe do it as a part 2 on rootkits. I think you would find that your hits would be significantly up. On the article length, if they are all under 5 minutes you are only catering for those with short attention spans.
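As an added example (not from this thread, and not rkhunter's own code), here is a small POSIX shell model of the baseline-and-check workflow mentioned above: record file hashes on a freshly installed, trusted system (what --propupd does), then report anything that later differs. It shows why a check run after a legitimate package update, but before re-baselining, produces the kind of warning being asked about. The directory, file names and database path are all constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: a minimal model of
# the file-properties database that `rkhunter --propupd` records and that a
# later `rkhunter --check` compares against. It works on constructed files in
# a temporary directory, so it runs offline and touches nothing on the system.

# Record a sha256 baseline of every regular file under $1 into database $2.
baseline_create() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare the files under $1 with baseline $2. Prints one finding per line
# (CHANGED, MISSING or NEW) and prints nothing when everything still matches.
baseline_check() {
    dir=$1 db=$2
    # Every path the baseline knows: hash it again and compare.
    while read -r oldsum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$oldsum" ]; then
            echo "CHANGED $path"
        fi
    done < "$db"
    # Paths on disk that the baseline never saw (dotfiles included).
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        sed 's/^[0-9a-f]*  //' "$db" | grep -qxF -- "$f" || echo "NEW $f"
    done
}

# The workflow described in the thread: baseline a freshly installed, trusted
# system; later checks report whatever differs from that baseline.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'echo ls\n' > "$tmp/bin/ls"   # constructed stand-ins for binaries
    printf 'echo ps\n' > "$tmp/bin/ps"
    baseline_create "$tmp/bin" "$tmp/rkhunter.dat"   # the --propupd step
    echo "clean check: $(baseline_check "$tmp/bin" "$tmp/rkhunter.dat" | wc -l) findings"
    # A package upgrade you ran and a binary swapped behind your back look the
    # same to the checker; the package manager's own verification tells them apart.
    printf 'echo ps v2\n' > "$tmp/bin/ps"
    printf 'x\n' > "$tmp/bin/.cache"
    echo "after changes:"; baseline_check "$tmp/bin" "$tmp/rkhunter.dat"
    rm -rf "$tmp"
}

demo
```

Re-running the baseline step after a package update you trust is what clears the CHANGED line; a CHANGED or NEW entry you cannot explain from the package manager's records is the one worth reading the log for.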
 

craigevil

chkrootkit at least is still being developed: http://www.chkrootkit.org/
Release Date: Jun 11 2021

I would suggest tools like lynis, samhain, tiger, aide, etc as well.
On a Debian based distro you can also use debsecan, and debsums.
 

KGIII

chkrootkit

I may need to do an article on that.

On the article length, if they are all under 5 minutes you are only catering for those with short attention spans.

The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...
 

captain-sensible

I've only just started understanding PKGBUILD: https://linux.org/threads/exploring-the-pkgbuild-arch-script.35313/

The AUR for chkrootkit doesn't work; something to do with a key. Also their PKGBUILD looks like it's dragging in "tiger", which I don't want.


However, I got chkrootkit working. I simply downloaded the tar from http://www.chkrootkit.org/

I manually unpacked it, ran make sense, then ran ./chkrootkit:
Code:
gunzip chkrootkit.tar.gz
tar xvf chkrootkit.tar

cd chkrootkit-0.55

make sense
./chkrootkit

So I think I will get rid of rkhunter.

I think if I add "make sense" to the build function in PKGBUILD, with a bit of tweaking, I should be able to produce a pkg. For any help getting that to work, please see my basic PKGBUILD at the link at the top of this post.
 

KGIII

The AUR for chkrootkit doesn't work; something to do with a key. Also their PKGBUILD looks like it's dragging in "tiger", which I don't want.

For Debian/derivatives users, it's available in the default repos. So, there's that.
 

captain-sensible

A temporary hack is that I took the ASCII text executable file chkrootkit, moved it to /usr/local/bin
and ran it as "sudo chkrootkit"; the output is:
Code:
[[email protected]:~][1]$ chkrootkit -V                             (07-13 18:18)
chkrootkit version 0.55
[[email protected]:~][1]$  sudo chkrootkit -r /                     (07-13 18:18)
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
 

captain-sensible

I managed to get a PKGBUILD working and installed chkrootkit version "Brazilian valentine 0.55" properly via pacman.
 

Attachments

  • pkgbuild.zip

captain-sensible

I may need to do an article on that.

The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...

We are waiting with anticipation.
 

KGIII

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
 

f33dm3bits

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
Have you tried turning it off and on again?
 

stan

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
Sometimes changing the DNS server in your router can help you to find a path around the outage.

Cloudflare
Primary 1.1.1.1
Secondary 1.0.0.1

Google
Primary 8.8.8.8
Secondary 8.8.4.4

OpenDNS
Primary 208.67.222.222
Secondary 208.67.220.220
 