In this article I would like to introduce the tool rkhunter (Rootkit Hunter). This software makes it easy to scan your system for known or conspicuous rootkits.
Rkhunter is by no means the only tool of this kind; another well-known one is chkrootkit.
What are rootkits
Simply put, a rootkit is software that hides logins, processes or files on a compromised system. Rootkits are often combined with backdoors so that an attacker can more easily regain access to the target system. I do not want to go into the different types and characteristics any further at this point, but I would be happy to write a separate article on request.
Installation and setup
Debian-based distributions can install rkhunter as usual with
apt-get install rkhunter, or it can be downloaded from Sourceforge.
The following update with the command
rkhunter --update caused an error for me:
This can be fixed by making the following changes in /etc/rkhunter.conf:
UPDATE_MIRRORS=0 -> UPDATE_MIRRORS=1
MIRRORS_MODE=1 -> MIRRORS_MODE=0
WEB_CMD="/bin/false" -> WEB_CMD=""
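The three configuration changes can also be applied from a script, which is useful when the same fix has to be rolled out to several hosts. The following is an added example and not part of the original article or of rkhunter itself; CONF, set_option, get_option and apply_update_fix are names chosen here, and the default path is the /etc/rkhunter.conf mentioned above.

```sh
#!/bin/sh
# Added example (not from the original article): apply the three
# /etc/rkhunter.conf changes described above with sed, so the fix can be
# scripted and repeated. CONF, set_option, get_option and apply_update_fix
# are names chosen here, not rkhunter options or settings.
CONF="${CONF:-/etc/rkhunter.conf}"

# set_option FILE KEY VALUE
# Replaces an existing "KEY=..." line (also a commented-out one) with
# KEY=VALUE, or appends the line if the key is not present at all.
set_option() {
    file=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*$key=" "$file"; then
        # write to a temp file and move it back: portable across sed versions
        sed "s|^#*[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_option FILE KEY: print the current (uncommented) value of KEY.
get_option() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# The three changes from the article, in one place.
apply_update_fix() {
    set_option "$1" UPDATE_MIRRORS 1
    set_option "$1" MIRRORS_MODE 0
    set_option "$1" WEB_CMD '""'
}

# Usage: sh fix-rkhunter-conf.sh --apply   (needs write access to CONF)
if [ "${1:-}" = "--apply" ]; then
    apply_update_fix "$CONF"
    echo "UPDATE_MIRRORS=$(get_option "$CONF" UPDATE_MIRRORS)" \
         "MIRRORS_MODE=$(get_option "$CONF" MIRRORS_MODE)" \
         "WEB_CMD=$(get_option "$CONF" WEB_CMD)"
fi
```

The key match also covers a commented-out line such as #UPDATE_MIRRORS=0, so the option is enabled rather than duplicated, and an unrelated key like ROTATE_MIRRORS is left untouched because the pattern is anchored at the start of the line. After editing, rkhunter --update should be run again to confirm the error is gone.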
The system is scanned as follows:
rkhunter -c --skip-keypress
rkhunter checks the system for incorrect file permissions, suspicious strings in kernel modules, hidden or unexpected directories and so on. In addition, the hash values of existing system files are compared against known values.
To get more detailed information about possible findings, look at the warnings in the log:
grep Warning /var/log/rkhunter.log
Certain warnings can also be whitelisted in /etc/rkhunter.conf.
rkhunter alone does not guarantee that there is no rootkit on the system, but it provides a good overview and is easy to use. If many systems are to be monitored, it makes sense to run the scan regularly via cron jobs and to send a mail when warnings occur.
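A small wrapper of the kind meant here, as an added example that is not part of the original article or of rkhunter: it runs the scan command from above, filters the Warning lines out of the log the same way the grep above does, and mails them. It assumes rkhunter and a mail(1) command are installed; RKH_LOG, RKH_MAILTO and the function names are choices made here, and the sample log in demo_sample_log is constructed, not real rkhunter output.

```sh
#!/bin/sh
# Added example (not from the original article): a cron-friendly wrapper that
# runs the scan from the text, pulls the "Warning" lines out of the log and
# mails them. Assumes rkhunter and a mail(1) command are installed; RKH_LOG,
# RKH_MAILTO and the function names are choices made here, not rkhunter settings.
RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"
RKH_MAILTO="${RKH_MAILTO:-root}"

# extract_warnings LOGFILE: the warning lines, as in the article's
# `grep Warning /var/log/rkhunter.log`.
extract_warnings() {
    grep 'Warning' "$1" 2>/dev/null
}

# count_warnings LOGFILE: number of warning lines (0 if the file is missing).
count_warnings() {
    extract_warnings "$1" | wc -l | tr -d ' '
}

# run_scan_and_report: run the non-interactive scan, then mail the warnings.
# Returns 0 when no warning was logged, 1 otherwise, so cron sees a failure.
run_scan_and_report() {
    rkhunter -c --skip-keypress >/dev/null 2>&1
    n=$(count_warnings "$RKH_LOG")
    if [ "$n" -gt 0 ]; then
        extract_warnings "$RKH_LOG" \
            | mail -s "rkhunter: $n warning(s) on $(hostname)" "$RKH_MAILTO"
        return 1
    fi
    return 0
}

# demo_sample_log: constructed sample lines (not real rkhunter output) to try
# the filter offline; prints the number of warnings found in them.
demo_sample_log() {
    tmp=$(mktemp)
    printf '%s\n' \
        '[12:00:01] Info: Starting test name "filesystem"' \
        '[12:00:02] Warning: Hidden directory found: /tmp/.hidden' \
        '[12:00:03] Info: Checking /bin/ls [ OK ]' \
        '[12:00:04] Warning: The file properties have changed: File: /usr/bin/example' \
        > "$tmp"
    count_warnings "$tmp"
    rm -f "$tmp"
}

# Only run the real scan where rkhunter exists (e.g. from /etc/cron.daily);
# the scan needs root to read everything it checks.
if command -v rkhunter >/dev/null 2>&1; then
    run_scan_and_report
fi
```

Installed under /etc/cron.daily, the script sends a mail only when at least one Warning line is present, and its non-zero exit status lets cron or a monitoring system notice the finding as well; a whitelisted check no longer produces a Warning line, so it will not trigger the mail.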
Thank you for reading !