Home » Blogs » sandip's blog

Checking for rootkits, exploits and backdoors with Rootkit Hunter

Fri, 04/14/2006 - 09:26 — sandip

rkhunter (or Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and local exploits. It does this by comparing MD5 hash of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules. It should run on almost every Unix clone.

Installation notes:

  • Download the gzipped tarball, extract it and run the installation script.
    # wget http://downloads.rootkit.nl/rkhunter-.tar.gz
# tar -xvzf rkhunter-.tar.gz
# cd rkhunter
# ./installer.sh
  • Or you can create an RPM file with the integrated rkhunter.spec file and install your own package. 
    # rpmbuild -ta rkhunter-.tar.gz

    If you are lazy you can install the prebuilt 1.2.8-1 rpm version via:

    # rpm -Uvh http://linuxweblog.com/downloads/packages/rkhunter/rkhunter-1.2.8-1.noarch.rpm
  • Test the installation with: 
    # rkhunter -c
  • Update the daily cron in "/etc/cron.daily/01-rkhunter" file to check for version and database updates: 
    #!/bin/sh
(
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob
) | /bin/mail -s 'rkhunter Daily Run' root
  • You can customize the default configurations by editing "/etc/rkhunter.conf".
Bookmark/Search this post with
  • del.icio.us
  • Digg
  • Facebook
  • identi.ca
  • LinkedIn
  • SlashDot
  • StumbleUpon
  • Technorati
  • Twitter

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Tue, 08/05/2008 - 10:47 — Anonymous Better Way

Use the EPEL package repository for pulling the RPMs of rkhunter.

http://fedoraproject.org/wiki/EPEL/FAQ#howtouse

Then just set your email address in /etc/sysconfig/rkhunter

Package managers were invented for a reason! Kind of ironic how this is a security thread too ;)

Sat, 06/28/2008 - 11:13 — sandip rkhunter on plesk servers

rkhunter can be installed via the plesk watchdog module and can be run via command line:

/opt/psa/admin/sbin/modules/watchdog/rkhunter --configfile /opt/psa/etc/modules/watchdog/rkhunter.conf -c

Fri, 01/18/2008 - 23:10 — Paolo Zu (not verified) For the others who dont use

For the others who dont use a linux system that uses these packages, how to install from source -> http://www.vinno.net/linux/server/how-to-install-root-kit-hunter

Thu, 08/09/2007 - 14:30 — sandip FedoraCore6 rkhunter rpm

If you are lazy, you can get the rpm via:

# wget http://www.linuxweblog.com/downloads/packages/fc6/rkhunter-1.2.9-1.noarch.rpm

md5sum: ad9da1cd575f52619ee537c16d34d463

Fri, 01/19/2007 - 11:37 — sandip rkhunter in fedora core

rkhunter is now available in the yum extras repository.

# yum install rkhunter

Sun, 04/22/2007 - 14:11 — sandip easy rkhunter in CentOS 4.4

# cd /etc/yum.repos.d/
# wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
# yum --enablerepo=kbs-CentOS-Extras install rkhunter

Comment