Rkhunter
From Christoph's Personal Wiki
rkhunter (aka Rootkit Hunter) is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits.
It checks for:
- MD5 hash changes;
- files commonly created by rootkits;
- executables with anomalous file permissions;
- suspicious strings in kernel modules;
- hidden files in system directories; and
- can optionally scan within files.
NOTE: Using rkhunter alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.
Installation and usage
On CentOS systems, rkhunter can be installed from the EPEL repositories. If you do not have EPEL installed, you can get it setup by (for CentOS 6.x):
$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- Install
rkhunter:
$ yum install rkhunter
- Configure
rkhunterto send email if a "warning" is found during a given scan:
$ vi /etc/rkhunter.conf # Change MAIL-ON-WARNING="" # To MAIL-ON-WARNING="bob@example.com"
- Finally, fetch the latest updates, create a baseline, and run an on-demand scan:
$ rkhunter --update $ rkhunter --propupd $ rkhunter -sk -c
You can also configure rkhunter to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this:
$ cat /etc/cron.daily/rkhunter
Now, all you need to do is update the rkhunter configuration with your actual email address so you can receive the nightly reports:
$ vi /etc/sysconfig/rkhunter # Change MAILTO=root@localhost # To MAILTO=bob@example.com
- Check for latest version:
$ sudo rkhunter --versioncheck [ Rootkit Hunter version 1.4.6 ] Checking rkhunter version... This version : 1.4.6 Latest version: 1.4.6
