Detect linux rootkits using Rootkit Hunter

Bookmark and Share

From ipinfinity.com

Jump to: navigation, search

<digg/>

Rootkit Hunter is scanning tool that tests for rootkits, backdoors and local exploits by running tests like:

  • MD5 hash compare
  • Look for default files used by rootkits
  • Wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files

Rootkit Hunter is released as GPL licensed project and free for everyone to use. Most rootkits use the power of the kernel to hide themselves, they are only visible from within the kernel. This guide shows you how to setup automatic scanning of your Linux computer.

How to install Rkhunter

  • Download the latest version from SourceForge
  • Open the tar-zipped file 
 tar -zxvf rkhunter-1.3.4.tar.gz
  • CD to the new directory 
 cd rkhunter-1.3.4
  • Run the installer 
 ./installer.sh

Setup a daily scan report

  • Use vi (or a similar text editor) to create a new script /etc/cron.daily/rkhunter.sh using the following detail: 
 #!/bin/bash
 (/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)

Replace the email address with your own reporting mailbox.

  • Change the permissions of the script: 
 chmod 755 /etc/cron.daily/rkhunter.sh
  • You can use weekly reporting, instead of daily, by simply creating the script in the /etc/cron.weekly/ directory instead.

Related Links

Retrieved from "http://www.ipinfinity.com/index.php/Detect_linux_rootkits_using_Rootkit_Hunter"