Scanning for rootkits with rkhunter

Continuing with the scanning for rootkits articles, we now concentrate on installing and configuring rkhunter.

Rkhunter works in the same manner as chkrootkit (see this article), but it also looks for other kinds of trouble, such as hidden files and directories, suspicious listening ports and weak system settings.


Which one?

Neither rkhunter nor chkrootkit is necessarily better than the other, and they can easily be run side by side, giving an extra layer of detection and some peace of mind.

As with chkrootkit, rkhunter is not an active defence. It does not prevent a rootkit or backdoor being placed on your Slice, but it will tell you if it finds signs of one. Again, as with chkrootkit, if you have been compromised then the only real option is to reinstall with a fresh Slice: a system with a rootkit on it cannot be trusted to report honestly about itself, so you should not try to "clean" it in place.

Installation

Log into your VPS and move to your sources directory:

cd ~/sources

Once there, download the latest version of rkhunter from the SourceForge download area:

wget http://sourceforge.net/projects/rkhunter/files/rkhunter/latest

This article was written for version 1.3.6 of rkhunter (and updated for 1.3.8), but it should assist with setting up later versions as well. If the wget command above doesn't work, check the link above to their download area to get the latest version.

md5sum

Being good sysadmins we want to check the md5sum of the downloaded file before extracting and installing it. Be clear about what this buys you, though: a digest fetched over plain HTTP from the same site as the tarball will catch a truncated or corrupted download, but not a tarball swapped by someone who controls the mirror or the connection, and MD5 is no longer collision-resistant. If the project offers a SHA-256 digest or a GPG signature, check that instead (or as well).

To compute the MD5 digest of the downloaded package:

md5sum rkhunter-1.3.8.tar.gz

Compare this with the digest listed on the SourceForge project site for the archive you downloaded. For version 1.3.8, for example, you would go to this url:

http://sourceforge.net/projects/rkhunter/files/rkhunter/1.3.8/

Then click the letter (i) next to the file's size to expose the MD5 hashsum for the file.
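Rather than eyeballing two 32-character strings, the comparison can be scripted. The following is an added example, not part of the original article or of rkhunter itself: a small bash helper that computes the digest, normalises the published value, refuses digests of the wrong length for the chosen algorithm, and exits non-zero on a mismatch so it can gate the extraction step. It assumes GNU coreutils (md5sum, sha256sum); the function names and the sample file in the comments are constructed.

```bash
#!/bin/bash
# Added example, not from the original article: verify a downloaded tarball
# against a published digest before extracting it. The rkhunter SourceForge
# page shows an MD5, but the same function takes SHA-256, which you should
# prefer whenever the project publishes one. GNU coreutils are assumed.

# digest_of FILE ALGO  -> prints the hex digest; ALGO is md5 or sha256.
digest_of() {
    local file="$1" algo="$2" tool
    case "$algo" in
        md5)    tool="md5sum" ;;
        sha256) tool="sha256sum" ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    "$tool" "$file" | awk '{ print $1 }'
}

# verify_digest FILE ALGO EXPECTED -> 0 on match, 1 on mismatch, 2 on usage error.
# The expected value is normalised (lower case, whitespace stripped) because
# digests copied from web pages are inconsistent, and its length is checked so
# that pasting an MD5 where a SHA-256 was meant is reported as an error rather
# than as a "corrupt" download.
verify_digest() {
    local file="$1" algo="$2" expected actual
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    case "$algo:${#expected}" in
        md5:32|sha256:64) ;;
        *) echo "expected digest has the wrong length for $algo" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(digest_of "$file" "$algo") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($algo)"
        return 0
    fi
    echo "FAIL $file ($algo): expected $expected, got $actual" >&2
    return 1
}

# Typical use after the wget above, with the digest copied from the download
# page (no real digest is reproduced here):
#   verify_digest rkhunter-1.3.8.tar.gz md5 <digest from the SourceForge page> \
#       && tar xvfz rkhunter-1.3.8.tar.gz
```

The `&&` in the usage comment is the point of the exercise: extraction only happens when the check passes, so a mismatch cannot be skipped by accident.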

Extract

Once you're happy, extract the source code:

tar xvfz rkhunter-1.3.8.tar.gz

Then move it into the newly created directory:

cd rkhunter-1.3.8/

Install

To install the code issue the following command:

sudo ./installer.sh --install

Docs

At the beginning of the install you'll see a message like:

 Directory /usr/local/share/doc/rkhunter-1.3.8: creating: OK

That's the location of the documentation for rkhunter. Take a look at the main readme file (it is plain text, so there is no need to open it as root in an editor):

less /usr/local/share/doc/rkhunter-1.3.8/README

Take some time to at least skim that document and see what configurations are available.

Update

The first thing we want to do after installation is to update the signatures and files rkhunter uses to detect anomalies:

sudo /usr/local/bin/rkhunter --update

You might want to run that command more than once, until you get output like this:

[ Rootkit Hunter version 1.3.8 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

Scanning

Let's run it:

sudo /usr/local/bin/rkhunter -c

That command starts rkhunter in an interactive mode. When it gets to the end of a particular scan, you need to press 'enter' to continue.

My scan results were as follows:

---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 79 seconds

-----------------------------------------------------------------------

Which is nice.

If you want to skip the interactive prompts, add the -sk (--skip-keypress) option at the end:

sudo /usr/local/bin/rkhunter -c -sk

To see other options available run rkhunter without any arguments:

sudo /usr/local/bin/rkhunter

Configuration

You may have configured your Slice in a way that triggers warnings from rkhunter.

Read any warnings and carefully consider whether you really need something rkhunter considers a security risk. If you do decide you are comfortable with a risk, there are ways of configuring rkhunter so it ignores certain issues.

Hey?

Here's an example. Let's say I ran rkhunter and got this message:

Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
    Hint: See logfile for more information about this issue

That's fairly straightforward: I left the "PermitRootLogin" set to "yes" in my sshd_config file.

Now we know that's a silly thing to do and it's a nice reminder to tighten up our SSH configuration.

But let's say we do want to enable root logins via SSH but don't want a warning every time we run rkhunter.

Enter /etc/rkhunter.conf. Open it up:

sudo nano /etc/rkhunter.conf

Scan down until you reach this line:

#ALLOW_SSH_ROOT_USER=0

Uncomment the line and change the 0 to a 1. (Newer rkhunter releases spell this value as yes/no rather than 0/1, so follow whatever form the commented default in your own rkhunter.conf uses.)

ALLOW_SSH_ROOT_USER=1

Now when we run rkhunter there are no highlighted warnings and this message:

Checking for allowed root login...  [ OK (Remote root login permitted by explicit option) ]

Now it's says root logins are OK, but specifies why it's OK: You explicitly allowed it.

However, please don't allow root logins. Thanks.
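The root-login check above is easy to reproduce outside rkhunter, which is useful when you want to know exactly which line of sshd_config is tripping it. The following is an added example, not rkhunter's own code and not part of the original article: a bash script that reads an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, comments and conditional Match blocks ignored for the global value) and gives the same warn/ok split rkhunter does. The function names are constructed, as are the sample configurations used to exercise it.

```bash
#!/bin/bash
# Added example, not from the original article: reproduce rkhunter's root-login
# check as standalone functions. Semantics modelled from sshd_config(5):
# keywords are case-insensitive, the FIRST occurrence of a keyword wins, '#'
# starts a comment, and directives after the first "Match" line are
# conditional, so they do not change the global value. The "keyword=value"
# and quoted-value forms are not handled.

# permit_root_login CONFIG_FILE -> prints the effective global value in lower
# case, or "unset" when the file never sets it (the compiled-in default then
# applies, and that default differs between OpenSSH versions).
permit_root_login() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }                  # comment or blank
        tolower($1) == "match"               { exit }                  # conditional block begins
        tolower($1) == "permitrootlogin"     { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# assess_root_login CONFIG_FILE -> one-line verdict on stdout; returns 1 when
# root can log in with a password or the outcome depends on the sshd build,
# 0 when root logins are off or restricted to keys/forced commands.
assess_root_login() {
    local value
    value=$(permit_root_login "$1")
    case "$value" in
        yes)
            echo "WARNING: PermitRootLogin yes (root may log in with a password)"; return 1 ;;
        no)
            echo "OK: PermitRootLogin no"; return 0 ;;
        prohibit-password|without-password|forced-commands-only)
            echo "OK: PermitRootLogin $value (key-based or forced commands only)"; return 0 ;;
        unset)
            echo "UNSET: relying on the compiled-in default; set PermitRootLogin explicitly"; return 1 ;;
        *)
            echo "UNKNOWN: PermitRootLogin $value"; return 1 ;;
    esac
}

# Run against the live configuration:
#   assess_root_login /etc/ssh/sshd_config
```

The lasting fix for the warning is a `PermitRootLogin no` line near the top of sshd_config (remember to reload sshd afterwards), not the ALLOW_SSH_ROOT_USER whitelist; the whitelist only stops rkhunter telling you about it.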

Automation

Lastly, we know that automation and email notification make an administrator's life a lot easier, so now we can add rkhunter to a cronjob.

This is straight from the rkhunter website: You need to create a short shell script as follows:

#!/bin/sh

( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /usr/bin/mail -s "rkhunter output" admin@yourdomain.com

Save the file and call it something like 'rkhunterscript'. Because root will run it unattended every night, keep it out of reach of unprivileged users: put it in a root-owned directory such as /usr/local/sbin rather than a user's home directory, make root its owner, and make it executable only for root and its group:

chmod 750 rkhunterscript

If an ordinary user could edit this file, whoever compromised that user's account would have a daily root shell for the asking. Now set a root cronjob as follows:

sudo crontab -e

My cronjob looks like this (the script takes no arguments, so none are passed):

10 3 * * * /usr/local/sbin/rkhunterscript

This will run the script at 3.10am each day. Why 3.10am? Well, I have chkrootkit running at 3.00am, and I'd like that to finish before starting this one.
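The script from the rkhunter website mails you every night whether or not anything was found, so the one mail that matters is easy to miss. The following is an added example, not from the original article or from the rkhunter project: a bash wrapper that logs every run and mails only when the scan exits non-zero or prints a Warning line. It assumes rkhunter's exit status convention (0 for a clean scan, non-zero for warnings or errors), that /usr/bin/mail is installed, and a placeholder recipient of admin@yourdomain.com; the paths, log directory and function names are constructed and can be changed through the variables at the top.

```bash
#!/bin/bash
# Added example, not part of the original article: a cron wrapper for rkhunter
# that mails the administrator only when the scan produces warnings or fails,
# and keeps a dated log of every run. Assumptions (change them to suit):
#   - rkhunter exits 0 for a clean scan and non-zero for warnings or errors
#   - /usr/bin/mail is available and admin@yourdomain.com is the recipient
#   - the script is installed root-owned, e.g. /usr/local/sbin/rkhunter-cron

RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
MAILER="${MAILER:-/usr/bin/mail}"
MAILTO="${MAILTO:-admin@yourdomain.com}"
LOGDIR="${LOGDIR:-/var/log/rkhunter-cron}"

# run_scan RKHUNTER_PATH
# Refresh the data files, then scan. Output of both steps goes to stdout; the
# return value is the scan's exit status, so an update failure is recorded in
# the log but cannot mask (or fake) a scan result.
run_scan() {
    local rk="$1" status=0
    "$rk" --update --nocolors || echo "NOTE: rkhunter --update exited $?"
    "$rk" --cronjob --report-warnings-only || status=$?
    return "$status"
}

# should_notify STATUS OUTPUT_FILE
# Mail is warranted for any non-zero scan status, and, belt and braces, for
# any "Warning:" line in the output even if the status came back zero.
should_notify() {
    local status="$1" out="$2"
    [ "$status" -ne 0 ] && return 0
    grep -q '^Warning:' "$out" && return 0
    return 1
}

main() {
    local ts out status=0
    ts=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$LOGDIR" && chmod 700 "$LOGDIR"
    out="$LOGDIR/rkhunter-$ts.log"
    run_scan "$RKHUNTER" >"$out" 2>&1 || status=$?
    if should_notify "$status" "$out"; then
        "$MAILER" -s "rkhunter: warnings on $(hostname) (exit $status)" "$MAILTO" <"$out"
    fi
    return "$status"
}

# Invoke as "rkhunter-cron run" from root's crontab, e.g.
#   10 3 * * * /usr/local/sbin/rkhunter-cron run
# Running the file without the argument only defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keeping the per-run log means a quiet night still leaves evidence that the scan actually ran, which is worth checking occasionally: a cron job that silently stopped firing looks exactly like a clean system.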

PickledOnion. (Updated by Ismail)

Article Comments:

Brian Adkins commented Sat Aug 14 14:46:44 UTC 2010:

I get the following, which seems to be a false positive (the string is in a comment):

Warning: Checking for possible rootkit strings [ Warning ] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit

Jered commented Sun Aug 15 05:58:30 UTC 2010:

Poking around the web it looks like it is a false positive, yes. If you take a look at this message from the rkhunter mailing list, it describes a similar issue along with instructions for working around it.

Michael Grech commented Sat Oct 09 15:11:21 UTC 2010:

I had to modify the location of the wget command to remove the download part.

andy brookes commented Thu May 12 18:56:58 UTC 2011:

Nice and concise article, I got what I was looking for, the command --update; it's not always obvious what the commands are for various apps.

E.g. clamav, which has an update command of freshclam.
