{"id":13780,"date":"2019-04-06T03:23:35","date_gmt":"2019-04-06T03:23:35","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13780"},"modified":"2019-04-06T03:23:35","modified_gmt":"2019-04-06T03:23:35","slug":"how-to-scan-for-rootkits-backdoors-and-exploits-using-rootkit-hunter-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/06\/how-to-scan-for-rootkits-backdoors-and-exploits-using-rootkit-hunter-in-linux\/","title":{"rendered":"How to Scan for Rootkits, backdoors and Exploits Using \u2018Rootkit Hunter\u2019 in Linux"},"content":{"rendered":"<p>If you are a regular reader of tecmint.com you will have noticed that this is our third article on security tools. In the previous two we showed how to protect\u00a0<strong>Apache<\/strong>\u00a0and\u00a0<strong>Linux systems<\/strong>\u00a0from\u00a0<strong>malware<\/strong>,\u00a0<strong>DoS<\/strong>\u00a0and\u00a0<strong>DDoS<\/strong>\u00a0attacks using\u00a0<a href=\"https:\/\/www.tecmint.com\/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora\/\">mod_security and mod_evasive<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.tecmint.com\/install-linux-malware-detect-lmd-in-rhel-centos-and-fedora\/\">LMD (Linux Malware Detect)<\/a>.<\/p>\n<p>This time we introduce another security tool,\u00a0<strong>Rkhunter<\/strong>\u00a0(<strong>Rootkit Hunter<\/strong>). 
This article walks through installing and configuring\u00a0<strong>RKH<\/strong>\u00a0(<strong>Rootkit Hunter<\/strong>) on a Linux system from source.<\/p>\n<div id=\"attachment_20845\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/05\/Scan-Linux-for-Rootkits-Backdoors-Rootkit-Hunter.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-20845\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2016\/05\/Scan-Linux-for-Rootkits-Backdoors-Rootkit-Hunter.png\" alt=\"Rootkit Hunter - Scans Linux Systems for Rootkits, backdoors and Local Exploits\" width=\"720\" height=\"345\" aria-describedby=\"caption-attachment-20845\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-20845\" class=\"wp-caption-text\">Rootkit Hunter \u2013 Scans Linux Systems for Rootkits, backdoors and Local Exploits<\/p>\n<\/div>\n<h3>What Is Rkhunter?<\/h3>\n<p><strong>Rkhunter<\/strong>\u00a0(<strong>Rootkit Hunter<\/strong>) is an open source scanner for Unix and Linux systems, released under the\u00a0<strong>GPL<\/strong>, that looks for rootkits, backdoors and local exploits.<\/p>\n<p>It checks for hidden files and directories, wrong permissions on system binaries, suspicious strings and known rootkit kernel module names, and listening backdoor ports, and it compares the hashes, permissions and ownership of the system commands against a baseline it stores, so the value of that check depends on the baseline having been taken on a clean system. 
To know more about Rkhunter and its features visit\u00a0<a href=\"http:\/\/www.rootkit.nl\/\" target=\"_blank\" rel=\"noopener\">http:\/\/www.rootkit.nl\/<\/a>.<\/p>\n<h3>Install Rootkit Hunter Scanner in Linux Systems<\/h3>\n<h4>Step 1: Downloading Rkhunter<\/h4>\n<p>First download the latest stable version of\u00a0<strong>Rkhunter<\/strong>\u00a0from\u00a0<a href=\"http:\/\/www.rootkit.nl\/projects\/rootkit_hunter.html\" target=\"_blank\">http:\/\/www.rootkit.nl\/projects\/rootkit_hunter.html<\/a>\u00a0or fetch it with\u00a0<strong>wget<\/strong>\u00a0as shown below. Version 1.4.2 was current when this article was written. The download is served over plain HTTP and the installer in Step 2 runs as root, so compare the tarball against the checksum the project publishes for the release before you unpack it.<\/p>\n<pre># cd \/tmp\r\n# wget http:\/\/downloads.sourceforge.net\/project\/rkhunter\/rkhunter\/1.4.2\/rkhunter-1.4.2.tar.gz<\/pre>\n<h4>Step 2: Installing Rkhunter<\/h4>\n<p>Once the download has been verified, run the following commands as\u00a0<strong>root<\/strong>\u00a0to install it under \/usr\/local (the default layout).<\/p>\n<pre># tar -xvf rkhunter-1.4.2.tar.gz \r\n# cd rkhunter-1.4.2\r\n# .\/installer.sh --layout default --install<\/pre>\n<h5>Sample Output<\/h5>\n<pre>Checking system for:\r\n Rootkit Hunter installer files: found\r\n A web file download command: wget found\r\nStarting installation:\r\n Checking installation directory \"\/usr\/local\": it exists and is writable.\r\n Checking installation directories:\r\n  Directory \/usr\/local\/share\/doc\/rkhunter-1.4.2: creating: OK\r\n  Directory \/usr\/local\/share\/man\/man8: exists and is writable.\r\n  Directory \/etc: exists and is writable.\r\n  Directory \/usr\/local\/bin: exists and is writable.\r\n  Directory \/usr\/local\/lib64: exists and is writable.\r\n  Directory \/var\/lib: exists and is writable.\r\n  Directory \/usr\/local\/lib64\/rkhunter\/scripts: creating: OK\r\n  Directory \/var\/lib\/rkhunter\/db: creating: OK\r\n  Directory \/var\/lib\/rkhunter\/tmp: creating: OK\r\n  Directory \/var\/lib\/rkhunter\/db\/i18n: creating: OK\r\n  Directory \/var\/lib\/rkhunter\/db\/signatures: creating: OK\r\n Installing 
check_modules.pl: OK\r\n Installing filehashsha.pl: OK\r\n Installing stat.pl: OK\r\n Installing readlink.sh: OK\r\n Installing backdoorports.dat: OK\r\n Installing mirrors.dat: OK\r\n Installing programs_bad.dat: OK\r\n Installing suspscan.dat: OK\r\n Installing rkhunter.8: OK\r\n Installing ACKNOWLEDGMENTS: OK\r\n Installing CHANGELOG: OK\r\n Installing FAQ: OK\r\n Installing LICENSE: OK\r\n Installing README: OK\r\n Installing language support files: OK\r\n Installing ClamAV signatures: OK\r\n Installing rkhunter: OK\r\n Installing rkhunter.conf: OK\r\nInstallation complete\r\n<\/pre>\n<h4>Step 3: Updating Rkhunter<\/h4>\n<p>Run the\u00a0<strong>RKH<\/strong>\u00a0updater to refresh the data files (known rootkit paths, bad programs, backdoor ports and the mirror list), then run\u00a0<strong>--propupd<\/strong>\u00a0to record the file properties (hash, permissions, ownership, size and more) of the system commands rkhunter monitors. That record is the reference every later check is compared against, so run --propupd only on a system you trust to be clean, re-run it after legitimate package updates that replace system binaries, and never run it just to silence a warning you have not investigated.<\/p>\n<pre># \/usr\/local\/bin\/rkhunter --update\r\n# \/usr\/local\/bin\/rkhunter --propupd<\/pre>\n<h5>Sample Output<\/h5>\n<pre>[ Rootkit Hunter version 1.4.2 ]\r\n\r\nChecking rkhunter data files...\r\n  Checking file mirrors.dat                                  [ No update ]\r\n  Checking file programs_bad.dat                             [ Updated ]\r\n  Checking file backdoorports.dat                            [ No update ]\r\n  Checking file suspscan.dat                                 [ No update ]\r\n  Checking file i18n\/cn                                      [ No update ]\r\n  Checking file i18n\/de                                      [ No update ]\r\n  Checking file i18n\/en                                      [ No update ]\r\n  Checking file i18n\/tr                                      [ No update ]\r\n  Checking file i18n\/tr.utf8                                 [ No update ]\r\n  Checking file i18n\/zh                                      [ No update ]\r\n  Checking file i18n\/zh.utf8                                 [ No update ]\r\n\r\n[ Rootkit Hunter version 1.4.2 ]\r\nFile created: searched for 174 files, found 137\r\n<\/pre>\n<p>The last line comes from --propupd: of the 174 command names rkhunter knows about, 137 exist on this system and their properties were written to the baseline.<\/p>\n<h4>Step 4: Setting Cronjob and Email Alerts<\/h4>\n<p>Create a file 
called\u00a0<strong>rkhunter.sh<\/strong>\u00a0under\u00a0<strong>\/etc\/cron.daily\/<\/strong>, which runs a check every day and mails you the result. On Debian-based systems name the file without the .sh suffix, because run-parts there skips file names containing a dot. Create the file with your favourite editor.<\/p>\n<pre># vi \/etc\/cron.daily\/rkhunter.sh<\/pre>\n<p>Add the following lines to it, replacing \u201c<strong>PutYourServerNameHere<\/strong>\u201d with your server name and \u201c<strong>your@email.com<\/strong>\u201d with the address that should receive the reports.<\/p>\n<pre>#!\/bin\/sh\r\n# Everything printed inside the parentheses becomes the body of the mail.\r\n(\r\n\/usr\/local\/bin\/rkhunter --versioncheck\r\n\/usr\/local\/bin\/rkhunter --update\r\n# --cronjob implies --check with no colours and no key presses; print warnings only\r\n\/usr\/local\/bin\/rkhunter --cronjob --report-warnings-only\r\n) | \/bin\/mail -s 'rkhunter Daily Run (<strong>PutYourServerNameHere<\/strong>)' <strong>your@email.com<\/strong><\/pre>\n<p>Set execute permission on the file.<\/p>\n<pre># chmod 755 \/etc\/cron.daily\/rkhunter.sh<\/pre>\n<h4>Step 5: Manual Scan and Usage<\/h4>\n<p>To run the full set of checks interactively, run\u00a0<strong>Rkhunter<\/strong>\u00a0as root. It pauses after each section; add\u00a0<strong>--sk<\/strong>\u00a0(skip keypress) to run straight through.<\/p>\n<pre># rkhunter --check<\/pre>\n<h5>Sample Output<\/h5>\n<pre>[ Rootkit Hunter version 1.4.2 ]\r\n\r\nChecking system commands...\r\n\r\n  Performing 'strings' command checks\r\n    Checking 'strings' command                               [ OK ]\r\n\r\n  Performing 'shared libraries' checks\r\n    Checking for preloading variables                        [ None found ]\r\n    Checking for preloaded libraries                         [ None found ]\r\n    Checking LD_LIBRARY_PATH variable                        [ Not found ]\r\n\r\n  Performing file properties checks\r\n    Checking for prerequisites                               [ OK ]\r\n    \/usr\/local\/bin\/rkhunter                                  [ OK ]\r\n    \/usr\/sbin\/adduser                                        [ OK ]\r\n    \/usr\/sbin\/chkconfig                                      [ OK ]\r\n    \/usr\/sbin\/chroot  
                                       [ OK ]\r\n    \/usr\/sbin\/depmod                                         [ OK ]\r\n    \/usr\/sbin\/fsck                                           [ OK ]\r\n    \/usr\/sbin\/fuser                                          [ OK ]\r\n    \/usr\/sbin\/groupadd                                       [ OK ]\r\n    \/usr\/sbin\/groupdel                                       [ OK ]\r\n    \/usr\/sbin\/groupmod                                       [ OK ]\r\n    \/usr\/sbin\/grpck                                          [ OK ]\r\n    \/usr\/sbin\/ifconfig                                       [ OK ]\r\n    \/usr\/sbin\/ifdown                                         [ Warning ]\r\n    \/usr\/sbin\/ifup                                           [ Warning ]\r\n    \/usr\/sbin\/init                                           [ OK ]\r\n    \/usr\/sbin\/insmod                                         [ OK ]\r\n    \/usr\/sbin\/ip                                             [ OK ]\r\n    \/usr\/sbin\/lsmod                                          [ OK ]\r\n    \/usr\/sbin\/lsof                                           [ OK ]\r\n    \/usr\/sbin\/modinfo                                        [ OK ]\r\n    \/usr\/sbin\/modprobe                                       [ OK ]\r\n    \/usr\/sbin\/nologin                                        [ OK ]\r\n    \/usr\/sbin\/pwck                                           [ OK ]\r\n    \/usr\/sbin\/rmmod                                          [ OK ]\r\n    \/usr\/sbin\/route                                          [ OK ]\r\n    \/usr\/sbin\/rsyslogd                                       [ OK ]\r\n    \/usr\/sbin\/runlevel                                       [ OK ]\r\n    \/usr\/sbin\/sestatus                                       [ OK ]\r\n    \/usr\/sbin\/sshd                                           [ OK ]\r\n    \/usr\/sbin\/sulogin                                        [ OK ]\r\n    
\/usr\/sbin\/sysctl                                         [ OK ]\r\n    \/usr\/sbin\/tcpd                                           [ OK ]\r\n    \/usr\/sbin\/useradd                                        [ OK ]\r\n    \/usr\/sbin\/userdel                                        [ OK ]\r\n    \/usr\/sbin\/usermod                                        [ OK ]\r\n....\r\n[Press &lt;ENTER&gt; to continue]\r\n\r\n\r\nChecking for rootkits...\r\n\r\n  Performing check of known rootkit files and directories\r\n    55808 Trojan - Variant A                                 [ Not found ]\r\n    ADM Worm                                                 [ Not found ]\r\n    AjaKit Rootkit                                           [ Not found ]\r\n    Adore Rootkit                                            [ Not found ]\r\n    aPa Kit                                                  [ Not found ]\r\n.....\r\n\r\n[Press &lt;ENTER&gt; to continue]\r\n\r\n\r\n  Performing additional rootkit checks\r\n    Suckit Rookit additional checks                          [ OK ]\r\n    Checking for possible rootkit files and directories      [ None found ]\r\n    Checking for possible rootkit strings                    [ None found ]\r\n\r\n....\r\n[Press &lt;ENTER&gt; to continue]\r\n\r\n\r\nChecking the network...\r\n\r\n  Performing checks on the network ports\r\n    Checking for backdoor ports                              [ None found ]\r\n....\r\n  Performing system configuration file checks\r\n    Checking for an SSH configuration file                   [ Found ]\r\n    Checking if SSH root access is allowed                   [ Warning ]\r\n    Checking if SSH protocol v1 is allowed                   [ Warning ]\r\n    Checking for a running system logging daemon             [ Found ]\r\n    Checking for a system logging configuration file         [ Found ]\r\n    Checking if syslog remote logging is allowed             [ Not allowed ]\r\n...\r\nSystem checks summary\r\n=====================\r\n\r\nFile properties 
checks...\r\n    Files checked: 137\r\n    Suspect files: 6\r\n\r\nRootkit checks...\r\n    Rootkits checked : 383\r\n    Possible rootkits: 0\r\n\r\nApplications checks...\r\n    Applications checked: 5\r\n    Suspect applications: 2\r\n\r\nThe system checks took: 5 minutes and 38 seconds\r\n\r\nAll results have been written to the log file: \/var\/log\/rkhunter.log\r\n\r\nOne or more warnings have been found while checking the system.\r\nPlease check the log file (\/var\/log\/rkhunter.log)\r\n<\/pre>\n<p>The summary only gives counts: 6 of the 137 monitored files and 2 of the 5 checked applications were flagged, on top of the SSH configuration warnings shown above. The reason for each finding is written to\u00a0<strong>\/var\/log\/rkhunter.log<\/strong>\u00a0as a Warning: line, and each one needs a decision rather than a reflexive --propupd. For a flagged system command, check with the package manager (rpm -V on CentOS) whether the file still matches its package before you accept the change as legitimate; a mismatch on a binary such as sshd or ls is exactly what this tool exists to find. For the SSH findings, fix sshd_config (PermitRootLogin no) rather than loosening rkhunter's expectations in \/etc\/rkhunter.conf. Commands that are legitimately shell scripts on your distribution can be listed under SCRIPTWHITELIST in \/etc\/rkhunter.conf once you have verified them.<\/p>\n<pre># cat \/var\/log\/rkhunter.log\r\n<\/pre>\n<h5>Sample Output<\/h5>\n<pre>[03:33:40] Running Rootkit Hunter version 1.4.2 on server\r\n[03:33:40]\r\n[03:33:40] Info: Start date is Tue May 31 03:33:40 EDT 2016\r\n[03:33:40]\r\n[03:33:40] Checking configuration file and command-line options...\r\n[03:33:40] Info: Detected operating system is 'Linux'\r\n[03:33:40] Info: Found O\/S name: CentOS Linux release 7.2.1511 (Core) \r\n[03:33:40] Info: Command line is \/usr\/local\/bin\/rkhunter --check\r\n[03:33:40] Info: Environment shell is \/bin\/bash; rkhunter is using bash\r\n[03:33:40] Info: Using configuration file '\/etc\/rkhunter.conf'\r\n[03:33:40] Info: Installation directory is '\/usr\/local'\r\n[03:33:40] Info: Using language 'en'\r\n[03:33:40] Info: Using '\/var\/lib\/rkhunter\/db' as the database directory\r\n[03:33:40] Info: Using '\/usr\/local\/lib64\/rkhunter\/scripts' as the support script directory\r\n[03:33:40] Info: Using '\/usr\/lib64\/qt-3.3\/bin \/usr\/local\/sbin \/usr\/local\/bin \/usr\/sbin \/usr\/bin \/bin \/sbin \/usr\/libexec \/usr\/local\/libexec' as the command directories\r\n[03:33:40] Info: Using '\/var\/lib\/rkhunter\/tmp' as the temporary directory\r\n[03:33:40] Info: No mail-on-warning address configured\r\n[03:33:40] Info: X will be automatically detected\r\n[03:33:40] 
Info: Found the 'basename' command: \/usr\/bin\/basename\r\n[03:33:40] Info: Found the 'diff' command: \/usr\/bin\/diff\r\n[03:33:40] Info: Found the 'dirname' command: \/usr\/bin\/dirname\r\n[03:33:40] Info: Found the 'file' command: \/usr\/bin\/file\r\n[03:33:40] Info: Found the 'find' command: \/usr\/bin\/find\r\n[03:33:40] Info: Found the 'ifconfig' command: \/usr\/sbin\/ifconfig\r\n[03:33:40] Info: Found the 'ip' command: \/usr\/sbin\/ip\r\n...\r\n<\/pre>\n<p>For more information and options please run the following command.<\/p>\n<pre># rkhunter --help<\/pre>\n<p>If you liked this article, then sharing is the right way to say thanks.<\/p>\n<p><a href=\"https:\/\/www.tecmint.com\/install-rootkit-hunter-scan-for-rootkits-backdoors-in-linux\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Guys, if you are a regular reader of tecmint.com you will notice that this is our third article on security tools. In our previous two articles we have given you all the guidance in how to secure\u00a0Apache\u00a0and\u00a0Linux Systems\u00a0from\u00a0Malware,\u00a0DOS\u00a0and\u00a0DDOS\u00a0attacks using\u00a0mod_security and mod_evasive\u00a0and\u00a0LMD (Linux Malware Detect). 
Again we are here to introduce a new security tool called\u00a0Rkhunter\u00a0(Rootkit &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/06\/how-to-scan-for-rootkits-backdoors-and-exploits-using-rootkit-hunter-in-linux\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to Scan for Rootkits, backdoors and Exploits Using \u2018Rootkit Hunter\u2019 in Linux&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13780","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13780"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13780\/revisions"}],"predecessor-version":[{"id":13781,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13780\/revisions\/13781"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-j
son\/wp\/v2\/tags?post=13780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
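The cron job in Step 4 mails the full output of every run and leaves the reading of /var/log/rkhunter.log to whoever receives it, and the scan in Step 5 ended with warnings for ifup, ifdown and two SSH settings without saying what to do about them. The script below is an added example for this article, not code from the original post or from the rkhunter project. It runs the daily check, mails only when rkhunter's exit status says there were warnings, pulls the Warning: lines out of the log (using the `[HH:MM:SS] Warning:` layout the page's own log excerpt shows), and cross-checks every flagged command against the RPM database so you can tell a legitimate package update from a replaced binary before deciding whether --propupd is justified. Assumptions, not taken from the page: the exact warning message texts it matches, that the log holds only the latest run (rkhunter's default APPEND_LOG=0), the RPM-based cross-check, and the constructed sample log in `sample_log()`.

```sh
#!/bin/sh
# Daily rkhunter wrapper with warning triage.
# Added example for this article; not part of rkhunter or the original post.
# Assumptions: rkhunter installed as in Step 2 (/usr/local/bin/rkhunter), the
# default /var/log/rkhunter.log holding only the latest run (APPEND_LOG=0), and
# the "[HH:MM:SS] Warning: ..." log layout shown in Step 5. The warning message
# texts matched below and the sample log are assumed, not taken from the page.

RKH=/usr/local/bin/rkhunter
LOG=/var/log/rkhunter.log
MAILTO=your@email.com        # placeholder from the article, replace it

# Print the text of every warning in an rkhunter log, without the timestamp.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: //p' "$1"
}

# Number of warnings in the log (0 means a clean run).
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Paths of commands rkhunter flagged: replaced by a script, or with changed
# file properties (the path is on the "File:" line that follows the warning).
rkh_flagged_files() {
    awk -v q="'" '
        /Warning: The command / && /has been replaced by a script/ {
            s = index($0, q); rest = substr($0, s + 1); e = index(rest, q)
            print substr(rest, 1, e - 1); next
        }
        /Warning: The file properties have changed:/ { want = 1; next }
        want && /File: / { sub(/.*File: /, ""); print; want = 0 }
    ' "$1"
}

# Cross-check a flagged path against the RPM database. A binary that still
# matches its package was changed by a legitimate update, so re-running
# --propupd is justified; a mismatch or an unowned file is not.
rkh_pkg_verify() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$1: no rpm database here, verify by other means"
    elif rpm -Vf "$1" >/dev/null 2>&1; then
        echo "$1: matches its package"
    else
        echo "$1: DOES NOT match its package, or is not owned by one"
    fi
}

# Constructed sample log in the Step 5 layout, used to exercise the functions.
sample_log() {
cat <<'EOF'
[03:33:40] Info: Start date is Tue May 31 03:33:40 EDT 2016
[03:33:40] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core)
[03:35:01] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[03:35:01] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[03:35:09] Warning: The file properties have changed:
[03:35:09]          File: /usr/bin/ls
[03:35:09]          Current hash: 0000000000000000000000000000000000000000000000000000000000000000
[03:35:09]          Stored hash : 1111111111111111111111111111111111111111111111111111111111111111
[03:36:20] Warning: The SSH and rkhunter configuration options should be the same:
[03:36:20]          SSH configuration option 'PermitRootLogin': yes
[03:36:20]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
EOF
}

# Refresh data files, run the check in cron mode, mail only when there are
# warnings. --update exits 2 after downloading updates and 1 on error;
# --check (implied by --cronjob) exits 0 only for a warning-free run.
main() {
    "$RKH" --update >/dev/null 2>&1
    case $? in
        0|2) ;;
        *)   echo "rkhunter --update failed" |
                 /bin/mail -s "rkhunter update error ($(hostname))" "$MAILTO" ;;
    esac
    "$RKH" --cronjob --report-warnings-only >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] && return 0
    {
        echo "rkhunter exit status $rc: $(rkh_warning_count "$LOG") warning(s)"
        echo
        rkh_warnings "$LOG"
        echo
        echo "Package check of flagged commands:"
        rkh_flagged_files "$LOG" | while read -r f; do rkh_pkg_verify "$f"; done
    } | /bin/mail -s "rkhunter warnings on $(hostname)" "$MAILTO"
}

# Run the scan only when invoked as: rkhunter-triage.sh run
case "${1:-}" in run) main ;; esac
```

Save it as /usr/local/sbin/rkhunter-triage.sh (an assumed path) and make the Step 4 cron file a one-line call to it with the argument `run`. Without that argument the script only defines its functions, so after an interactive `rkhunter --check` you can source it and run `rkh_warnings /var/log/rkhunter.log` or `rkh_flagged_files /var/log/rkhunter.log | while read -r f; do rkh_pkg_verify "$f"; done` by hand. Unlike the Step 4 script it is silent on a clean run, so no mail means no warnings; if you also want a daily heartbeat, drop the `return 0` line in main.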