rkhunter (aka Rootkit Hunter) is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits.
It checks for:
- MD5 hash changes;
- files commonly created by rootkits;
- executables with anomalous file permissions;
- suspicious strings in kernel modules;
- hidden files in system directories; and
- optionally, the contents of files.
NOTE: Using `rkhunter` alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.
Installation and usage
On CentOS systems, `rkhunter` can be installed from the EPEL repositories. If you do not have EPEL installed, you can set it up with (for CentOS 6.x):
$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- Install `rkhunter`:
$ yum install rkhunter
- Configure `rkhunter` to send email if a "warning" is found during a given scan:
$ vi /etc/rkhunter.conf
# Change
MAIL-ON-WARNING=""
# To
MAIL-ON-WARNING="email@example.com"
- Finally, fetch the latest updates, create a baseline, and run an on-demand scan:
$ rkhunter --update
$ rkhunter --propupd
$ rkhunter -sk -c
You can also configure `rkhunter` to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this:
$ cat /etc/cron.daily/rkhunter
Now, all you need to do is update the `rkhunter` configuration with your actual email address so you can receive the nightly reports:
$ vi /etc/sysconfig/rkhunter
# Change
MAILTO=root@localhost
# To
MAILTO=firstname.lastname@example.org
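The two edits above (MAIL-ON-WARNING in /etc/rkhunter.conf and MAILTO in /etc/sysconfig/rkhunter) are the kind of change you end up repeating on every host, so it helps to have them scripted idempotently. The following is an added example, not code from the original page or from the rkhunter project; it assumes a POSIX shell with GNU sed (for `sed -i`) and runs here against a constructed configuration fragment rather than the real files, which you would point it at on a live system. The helper names `set_conf_value` and `get_conf_value` are this example's own.

```shell
#!/bin/sh
# Added example: idempotently set KEY="VALUE" in an rkhunter-style config file.
# set_conf_value FILE KEY VALUE
#   - replaces an existing uncommented KEY=... line,
#   - otherwise uncomments and replaces a "#KEY=..." line,
#   - otherwise appends KEY="VALUE".
# KEY is used inside a regex and VALUE inside a sed replacement, so keep both
# free of regex metacharacters and of the '|' delimiter (true for the keys and
# e-mail addresses used here).
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    elif grep -q "^#[[:space:]]*${key}=" "$file"; then
        sed -i "s|^#[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY: print the value of KEY (quotes stripped, quoted or
# unquoted forms both accepted), or nothing if the key is unset or commented.
get_conf_value() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# Stand-alone demo on a constructed fragment (not a real /etc/rkhunter.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed rkhunter.conf fragment for this example
MAIL-ON-WARNING=""
#MAILTO=root@localhost
EOF
set_conf_value "$demo_conf" MAIL-ON-WARNING "email@example.com"
set_conf_value "$demo_conf" MAILTO "firstname.lastname@example.org"
echo "MAIL-ON-WARNING is now: $(get_conf_value "$demo_conf" MAIL-ON-WARNING)"
echo "MAILTO is now: $(get_conf_value "$demo_conf" MAILTO)"
rm -f "$demo_conf"
```

Because the function matches only at the start of a line, a second run finds the key already set and simply rewrites it in place, so the file never accumulates duplicate MAIL-ON-WARNING lines, which is the usual failure mode of `echo >>`-style configuration scripts. Note that the function always writes the value quoted; rkhunter and the cron script's `/etc/sysconfig/rkhunter` accept both quoted and unquoted forms.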