Rkhunter

From Christoph's Personal Wiki
Jump to: navigation, search

rkhunter (aka Rootkit Hunter) is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits.

It checks for:

  • MD5 hash changes;
  • files commonly created by rootkits;
  • executables with anomalous file permissions;
  • suspicious strings in kernel modules;
  • hidden files in system directories; and
  • can optionally scan within files.

NOTE: Using `rkhunter` alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.

Installation and usage

On CentOS systems, `rkhunter` can be installed from the EPEL repositories. If you do not have EPEL installed, you can get it setup by (for CentOS 6.x):

$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  • Install `rkhunter`:
$ yum install rkhunter
  • Configure `rkhunter` to send email if a "warning" is found during a given scan:
$ vi /etc/rkhunter.conf
# Change
MAIL-ON-WARNING=""
# To
MAIL-ON-WARNING="bob@example.com"
  • Finally, fetch the latest updates, create a baseline, and run an on-demand scan:
$ rkhunter --update
$ rkhunter --propupd
$ rkhunter -sk -c

You can also configure `rkhunter` to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this:

$ cat /etc/cron.daily/rkhunter

Now, all you need to do is update the `rkhunter` configuration with your actual email address so you can receive the nightly reports:

$ vi /etc/sysconfig/rkhunter
# Change
MAILTO=root@localhost
# To
MAILTO=bob@example.com

External links