Scanning for rootkits with rkhunter
Continuing with the scanning for rootkits articles, we now concentrate on installing and configuring rkhunter.
Rkhunter works in the same manner as chkrootkit (see this article) but rkhunter also scans for other types of exploits.
Which one?
Neither rkhunter nor chkrootkit are necessarily better than the other and can easily be run at the same time, giving added defence measures and peace of mind.
As with chkrootkit, rkhunter is not an active defence method. It does not prevent exploits being placed on your Slice but it will inform you if there is a suspected exploit. Again, as with chkrootkit, if you have been exploited then the only real option is to reinstall with a fresh Slice.
Installation
Log into your VPS and move to your sources directory:
cd ~/sourcesOnce there, download the latest version of rkhunter from the SourceForge download area:
wget http://superb-west.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gzVersion 1.2.9 is the latest stable version but do check with the rkhunter home page to see if a newer version is available (at the time of writing there is a 1.3.0 beta2 version available but my advice would be to wait until a stable release before upgrading).
md5sum
Being good sysadmins we want to check the md5sum of the downloaded file before extracting it and installing it.
To find the md5 signature of the downloaded package:
md5sum rkhunter-1.2.9.tar.gzCompare this with the signature available on the Debian package list - ensure you look at the original download and not the diff patch that Debian applies.
extract
Once happy, extract the source code:
tar xvfz rkhunter-1.2.9.tar.gzThen move into the newly created directory:
cd rkhunter-1.2.9/install
To install the code, simply issue the following command:
sudo ./installer.shDocs
At the end of the install a message tells me:
Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information.
Run 'rkhunter' (/usr/local/bin/rkhunter)Have a read of the main docs:
sudo nano /usr/local/rkhunter/lib/rkhunter/docs/READMEI won't go through what it says but do take some time to have a look and see what configurations are available.
Update
First thing is to update the signatures and files rkhunter uses to detect anomalies:
sudo /usr/local/bin/rkhunter --updateDo that at least once or until you get an output like this:
Running updater...
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to dateScanning
Let's run it:
sudo /usr/local/bin/rkhunter -cThis runs rkhunter in an interactive mode. In other words, when it gets to the end of a particular scan, you need to press 'enter' to continue.
My scan results were as follows:
---------------------------- Scan results ----------------------------
MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 0
Scanning took 79 seconds
-----------------------------------------------------------------------Which is nice.
If you want to skip the interactive but add the -sk option at the end:
sudo /usr/local/bin/rkhunter -c -skTo see other options available for use:
sudo /usr/local/bin/rkhunterConfiguration
You may have configured your Slice in a way that triggers warnings from rkhunter.
Firstly, I would say listen to what it says and decide if you really need something that is a security risk and, secondly, if you do want the risk, there are ways of configuring rkhunter so it ignores certain things.
Hey?
Here's an example. Let's say I ran rkhunter and got this message:
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issueThat's fairly straight forward: I left the "PermitRootLogin" set to "yes" in my sshd_config file.
Now we know that's a silly thing to do and it's a nice reminder to tighten up our SSH configuration.
But let's say we do want to enable root logins via SSH but don't want a warning every time we run rkhunter.
Enter /usr/local/etc/rkhunter.conf. Open it up:
sudo nano /usr/local/etc/rkhunter.confScan down until you reach this line:
#ALLOW_SSH_ROOT_USER=0Uncomment the line and change the 0 to a 1
ALLOW_SSH_ROOT_USER=1Now when we run rkhunter there are no highlighted warnings and this message:
Checking for allowed root login... [ OK (Remote root login permitted by explicit option) ]Now it's says root logins are OK, but specifies why it's OK: You explicitly allowed it.
However, please don't allow root logins. Thanks.
Automation
Lastly, we know that automation and email notification make an administrator's life a lot easier, so now we can add rkhunter to a cronjob.
This is straight from the rkhunter website: You need to create a short shell script as follows:
#!/bin/sh
( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /usr/bin/mail -s "rkhunter output" admin@yourdomain.comSave the file and call it something like 'rkhunterscript'. Make the file executable:
chmod 750 rkhunterscriptand place in your local bin folder or in a public bin folder. Now set a root cronjob as follows:
sudo crontab -eMy cronjob looks like this:
10 3 * * * /home/demo/bin/rkhunterscript -c --cronjobThis will run the script at 3.10am each day. Why 3.10am? Well, I have chkrootkit running at 3.00am, I'd like that to finish before starting this one.
PickledOnion.
Article Comments:
Lex commented Mon Sep 10 16:12:21 UTC 2007 ago:
This might be a silly question, but what's to stop a rootkit from installing a trojaned version of rkhunter or chkrootkit that falsely tells you you're all clean? Doesn't this result in a false sense of security?
I realize that it's likely that at least some rootkits won't do this, but I thought it was worth mentioning. Is there a tool like rkhunter that works over SSH, so that it could be run from another server entirely to lower the chance of false negatives?
PickledOnion commented Mon Sep 10 16:20:25 UTC 2007 ago:
Hi Lex,
It's not a silly question at all. I think to be able to do that it would also have to fool the update servers (notice the rkhunter cronjob checks the version and updates itself before running a check).
I suppose in theory it would be possible but I can't conceive of the level of integration with the install and updating that would be needed to pull off a trick like that.
It's also another reason to run both. I remember in my 'windows' days I used to run two virus checkers and one discovered an infection whilst the other didn't and vica-versa.
If anyone has any deep security knowledge and could answer this with some real examples I would be grateful.
PickledOnion.
randy commented Mon Sep 10 19:07:15 UTC 2007 ago:
Can u provide a couple of examples as to how rootkits would get on your slice to begin with?
Just wondering if everything is "locked down" via SSH, firewall, etc, how does this stuff get in?
Thanks!
Lex Neva commented Mon Sep 10 19:31:30 UTC 2007 ago:
Well, PickledOnion, let's just follow out the devil's advocacy to its logical conclusion. Why would a trojanned version of rkhunter even bother to query the update server? If a rootkit comes onto your system, all it needs to do is replace rkhunter with a binary that prints "Updating... successful, scanning for rootkits, none found", etc. So it's not necessary to compromise the actual update server if the fake rkhunter binary doesn't bother to query it. We could check to see if rkhunter actually queries the server through some kind of elaborate packet sniffing, but who's to say THAT program won't also become trojanned?
Using two scanners is, of course, advantageous because a rootkit might not compromise both, but it's definitely conceivable to do exactly that. If you're dealing with a dedicated, talented blackhat who's personally rooting your box, it's more likely that they'll be able to replace all of your tools like rkhunter, chkrootkit, tripwire, etc.
I guess my end point is that it's important to know that these tools CAN'T be infallible, and are only really trustable when they DO report a rootkit found on your system (assuming it's not a false positive!) Their reports that your system is all clear shouldn't be trusted completely.
Randy, years ago I was rooted on a system that had everything locked down, no unnecessary services, etc. The attacker got in via an unpatched vulnerability in the SSH daemon, because I was lax in applying security updates. It's also possible for your system to be compromised even if you do apply all of the security fixes that your distribution releases. This can happen if there's a vulnerability in one of your services that is not publically known yet, which is called a "Zero-day exploit".
PickledOnion commented Mon Sep 10 19:35:18 UTC 2007 ago:
Hi Randy,
There are a few ways they can infect machines. The first and, as far as I am aware, most common method is by manual means such as downloading some source code from untrusted sources. Not being ultra careful at all times with everything you do. Allowing other users to have access to certain commands, directories.
I know it's a server but you'd be surprised the shortcuts people (sometimes) take to save themselves time or those tedious tasks we'd all rather not do.
Another way is not patching your system if an exploit is found in installed software. It doesn't take the bad guys long to scan thousands of machines looking for a particular exploit. Once found you are more likely to be the target of an effort to compromise your system.
Lex mentions that no system is completely secure and that is absolutely correct. However, unless we all switch off our servers the best we can do is keep on top of it with patches, updates and regular scanning.
PickledOnion.
Jlhenry commented Mon Sep 17 17:26:02 UTC 2007 ago:
FYI, I had to uncomment the following in my /etc/rkhunter.conf under Debian Etch.
ALLOWHIDDENDIR=/etc/.java ALLOWHIDDENDIR=/dev/.udev ALLOWHIDDENDIR=/dev/.static ALLOWHIDDENDIR=/dev/.initramfs
And personally, I do not like permitting remote root login so I left this:
#ALLOWSSHROOT_USER=0
And also, I've uncomment the line: MAIL-ON-WARNING=myemailaddress@domain.com
I used the default Debian Etch package. Installation:
#aptitude install rkhunter libmd5-perl
I run it in a cron this way: 26 * * * * /usr/bin/rkhunter --versioncheck --quiet 26 * * * * /usr/bin/rkhunter --update >/dev/null 26 * * * * /usr/bin/rkhunter -c --cronjob
Thanks for the help!!
Jluc
Jlhenry commented Mon Sep 17 17:27:08 UTC 2007 ago:
Sorry for the formation. I didn't know that "#" was for Bold.
PickledOnion commented Mon Sep 17 17:32:34 UTC 2007 ago:
Hi Jlhenry,
I think I may have to change the Markdown option as it does interpret config files a little oddly!
Thanks for the info. I agree that root logins are a bad idea - you can leave it commented out (as you have) or have it set at 0.
Was there any particular reason you used aptitude and not installed via source?
Cheers, PickledOnion.
Jlhenry commented Mon Sep 17 17:56:26 UTC 2007 ago:
Would love to be able to edit my comment... I made an other mistake.
As I do not want to receive alerts for every run, but do want only to receive information for Warning, I need to add the "--quiet" keyword.
Jlhenry commented Mon Sep 17 18:03:44 UTC 2007 ago:
_ Was there any particular reason you used aptitude and not installed via source? _
Yes sure. I used aptitude (or apt-get) in order to be able to update easily my distro and programs. If there is a bug fix in rkhunter available in debian, I only have to do aptitude upgrade (or apt-get upgrade).
Using sources, It's harder to maintain updates. Imagine that you have installed plenty of programs. Using source, It would takes hours to upgrades all. But with aptitude, It takes few seconds.
Furthermore, I use apticron (debian package) in order to receive a mail when there is programs updates available.
Jluc
James commented Sun Dec 02 23:00:05 UTC 2007 ago:
krhunter 1.3.0 is out. The install command is now:
sudo ./installer.sh --layout default --installBefore running a scan, run:
sudo /usr/local/bin/rkhunter --propupd#!/bin/sh ( /usr/local/bin/rkhunter --versioncheck --nocolors --quiet /usr/local/bin/rkhunter --update --nocolors --quiet /usr/local/bin/rkhunter --propupd --nocolors --quiet /usr/local/bin/rkhunter --cronjob --report-warnings-only ) | /usr/bin/mail -es "rkhunter output" you@domainJames commented Sun Dec 02 23:01:34 UTC 2007 ago:
Markdown has no respect for line breaks. Here's the same script with semicolons to break the commands up:
#!/bin/sh ( /usr/local/bin/rkhunter --versioncheck --nocolors --quiet; /usr/local/bin/rkhunter --update --nocolors --quiet; /usr/local/bin/rkhunter --propupd --nocolors --quiet; /usr/local/bin/rkhunter --cronjob --report-warnings-only ) | /usr/bin/mail -es "rkhunter output" you@domainKnack commented Mon Feb 11 14:50:38 UTC 2008 ago:
@James, I think that the "rkhunter --propupd" command should not be part of the script. As stated in the rkhunter log file:
If you run "rkhunter --propupd" each day just before doing the system checking, any property changed by an attacker will be stored in the database, and no difference will be found later during the check.
Instead of it, you should run manually the --propupd as you need it, after verifying that the system is not compromised. Or, at least, run the command after the check.