[EN] Rootkit Hunter - Checking Linux for Rootkits

3 years ago

In this article I would like to introduce the tool rkhunter (Rootkit Hunter). This software makes it easy to scan your system for known or conspicuous rootkits.
Rkhunter is by no means the only tool; another well-known one is chkrootkit.


What are rootkits

A rootkit is, simply put, software that hides logins, processes or files on a compromised system. Rootkits are often combined with backdoors so that the attacker can get back into the target system more easily. I do not want to go into the different types and characteristics any further at this point, but I would be happy to write a separate post on request.

Installation and setup

Debian-based distributions can install rkhunter as usual with
apt-get install rkhunter, or you can download it from Sourceforge.

The following update with the command rkhunter --update caused an error for me:

This can be fixed by making the following changes in /etc/rkhunter.conf:

 UPDATE_MIRRORS=0       -> UPDATE_MIRRORS=1
 MIRRORS_MODE=1         -> MIRRORS_MODE=0
 WEB_CMD="/bin/false"   -> WEB_CMD=""

Use

The system is scanned as follows: rkhunter -c --skip-keypress

The system is searched for incorrect file permissions, suspicious strings in kernel modules, suspicious directories, etc. In addition, the hash values of existing files are checked against the known-good database.


To get more detailed information about the possible findings, have a look at the warnings in the log:

grep Warning /var/log/rkhunter.log

It is also possible to whitelist certain warnings (in /etc/rkhunter.conf).

Conclusion

rkhunter alone does not guarantee that there is no rootkit on the system, but it provides a good overview and is easy to use. If many systems are to be monitored, it makes sense to run the scan regularly via cron jobs and to send a mail when warnings occur.
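As an added example (not code from the original post), here is a small cron wrapper that ties the steps above together: it runs the scan non-interactively, pulls the Warning lines out of the log with the same grep as above, and only sends a mail when there is at least one. It assumes rkhunter and mail(1) are installed, that the log is at /var/log/rkhunter.log as in the article, and it includes a constructed sample log so the filter can be tried without a real scan.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper for the rkhunter
# workflow described above. Assumes rkhunter and mail(1) are installed and the
# log is written to /var/log/rkhunter.log (override via RKH_LOG / MAIL_TO).

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"
MAIL_TO="${MAIL_TO:-root}"

# Print the Warning lines of an rkhunter log (same filter as in the article).
rkh_warnings() {
    grep 'Warning' "$1"
}

# Count Warning lines; prints 0 for a clean scan or a missing log file.
rkh_warning_count() {
    n=$(grep -c 'Warning' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Run the scan non-interactively and mail the warnings only if there are any.
rkh_cron_scan() {
    # --cronjob: check, skip keypress, no colours; --rwo: report warnings only
    rkhunter --cronjob --report-warnings-only >/dev/null 2>&1 || true
    count=$(rkh_warning_count "$RKH_LOG")
    if [ "$count" -gt 0 ]; then
        rkh_warnings "$RKH_LOG" |
            mail -s "rkhunter: $count warning(s) on $(hostname)" "$MAIL_TO"
    fi
    return 0
}

# Constructed sample log (not real scan output) to exercise the filter offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[03:00:01] Info: Starting test name 'filesystem'
[03:00:02] Warning: Hidden directory found: /example/.hidden
[03:00:03] Info: Checking for hidden files and directories
[03:00:04] Warning: The file properties have changed: File: /example/bin/tool
EOF

rkh_warnings "$SAMPLE_LOG"        # prints the two Warning lines
rkh_warning_count "$SAMPLE_LOG"   # prints 2

# Schedule with cron, e.g.:  0 3 * * * /usr/local/sbin/rkh-cron.sh run
if [ "${1:-}" = "run" ]; then
    rkh_cron_scan
fi
```

rkhunter also ships its own MAIL-ON-WARNING setting in /etc/rkhunter.conf for the simple case; the wrapper is useful when you want to control the mail content or feed the warnings into another alerting channel.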


Thank you for reading !


Congratulations on your TOP 100 placement in the current ranking of the most effective #deutsch curators!

It does not matter which algorithm this ranking is ultimately based on; what matters is that every one of your votes played a role! For each individual and thus for the #deutsch community as a whole.

Many thanks for that, and my upvote, in line with my announcement here.

Shaka

This is a generic comment to everyone placed in the TOP 100 and therefore has no relation to the post that was voted on.

This is from notes on my old wiki:
https://github.com/kurtcoke/yoirtuts-wiki/wiki/Searching-For-Linux-Rootkits-with-Rkhunter

RKHunter aka RootKitHunter

https://help.ubuntu.com/community/RKhunter

http://xmodulo.com/how-to-scan-linux-for-rootkits.html

First Install:

$ sudo apt-get install rkhunter

Update the file properties database; you will need to run this every time you install new software or do updates:

$ sudo rkhunter --propupd

See the rkhunter version and check for new version:

$ sudo rkhunter --versioncheck

Run checkall:

$ sudo rkhunter --checkall

Hope it helps someone.