Security1O1 avatar

[EN] Rootkit Hunter - Checking Linux for Rootkits

security101

Published: 23 Mar 2018 › Updated: 23 Mar 2018[EN] Rootkit Hunter - Checking Linux for Rootkits

[EN] Rootkit Hunter - Checking Linux for Rootkits

In this article I would like to introduce the tool rkhunter(Rootkit Hunter). This software makes it easy to scan your system for known / conspicuous rootkits.
Rkhunter is by no means the only tool. Another well-known is chrootkit


Image Source

What are rootkits

A rootkit is simply expressed software that disguises logins, processes or files on a compromised system. Often these are combined with back doors to allow easier access to the target system as an attacker. I do not want to go into the different types and characteristics any further at this point - but I would be happy to write a separate contribution on request.

Installation and setup

Debian based distributions can install rkhunter as usual with
apt-get install rkhunter or download from Sourceforge.

The following update with the command rkhunter --update caused an error for me:
VirtualBox_Kali-Linux-2017.2-vbox-amd64_11_03_2018_00_11_22.png

This can be fixed by making the following changes in /etc/rkhunter.conf:

 UPDATE_MIRRORS=0       -> UPDATE_MIRRORS=1
 MIRRORS_MODE=1         -> MIRRORS_MODE=0
 WEB_CMD="/bin/false"   -> WEB_CMD=""

Use

The system is scanned as follows: rkhunter -c --skip-keypress

The system is searched for incorrect file permissions, suspicious strings in kernel modules, created folders, etc. In addition, hash values of existing files are checked.

VirtualBox_Kali-Linux-2017.2-vbox-amd64_11_03_2018_00_57_26.png

In order to get more detailed information about the possible finds you should have a look at the warnings in the logs:

grep Warning /var/log/rkhunter.log

There is also the possibility of certain whitelist warnings (etc/rkhunter.conf).

Conclusion

rkhunter alone does not guarantee that there is no rootkit on the system, yet it provides a good overview and is easy to use. If many systems are to be monitored, it makes sense to run the scan regularly via cron-jobs and to send a mail if warnings occur.

Thank you for reading !

Leave [EN] Rootkit Hunter - Checking Linux for Rootkits to:

Written by

IT Security / Kryptowährungen

Read more #linux posts


Best Posts From Security1O1

We have not curated any of security101's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.

More Posts From Security1O1