Difference between revisions of "Rkhunter"

Latest revision as of 21:38, 10 September 2021

rkhunter (aka Rootkit Hunter) is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits.

It checks for:

• MD5 hash changes;
• files commonly created by rootkits;
• executables with anomalous file permissions;
• suspicious strings in kernel modules;
• hidden files in system directories; and
• can optionally scan within files.

NOTE: Using rkhunter alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.

Installation and usage

On CentOS systems, rkhunter can be installed from the EPEL repositories. If you do not have EPEL installed, you can get it setup by (for CentOS 6.x):

$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

• Install rkhunter:

$ yum install rkhunter

• Configure rkhunter to send email if a "warning" is found during a given scan:

$ vi /etc/rkhunter.conf
# Change
MAIL-ON-WARNING=""
# To
MAIL-ON-WARNING="bob@example.com"

• Finally, fetch the latest updates, create a baseline, and run an on-demand scan:

$ rkhunter --update
$ rkhunter --propupd
$ rkhunter -sk -c

You can also configure rkhunter to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this:

$ cat /etc/cron.daily/rkhunter

Now, all you need to do is update the rkhunter configuration with your actual email address so you can receive the nightly reports:

$ vi /etc/sysconfig/rkhunter
# Change
MAILTO=root@localhost
# To
MAILTO=bob@example.com

• Check for latest version:

$ sudo rkhunter --versioncheck

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
  This version  : 1.4.6
  Latest version: 1.4.6

See also

• chkrootkit

External links

• Official website
• Investigating Compromised Servers