Sunday, December 25, 2005

The Rootkit hunter

Finding Rootkits, Infections and files :

Rootkit Hunter, available from, is a scanning tool that consists of one shell script, a few text-based databases, and optional Perl modules. Written by Michael Boelen, it’s licensed under the GPL. Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. It runs a variety of tests that look for default files used by rootkits (using an MD5 hash comparison), incorrect file permissions for binaries, and suspected strings in Linux loadable kernel modules.
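The two file checks described above (comparison against known-good digests, and permission checks on binaries) can be sketched in a few lines of shell. This is an added example, not Rootkit Hunter's own code: the function names, the baseline file format, and the use of SHA-256 in place of the MD5 digests mentioned above are assumptions, and the sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added illustration, not Rootkit Hunter code. Baseline format (assumed):
# sha256sum output, one "<digest>  <path>" line per file.

# build_baseline DIR DB: record a known-good digest for every file under DIR.
build_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# check_hashes DB: report files whose digest changed or that have vanished.
check_hashes() {
    hash_status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; hash_status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$want" ]; then
            echo "CHANGED $path"; hash_status=1
        fi
    done < "$1"
    return "$hash_status"
}

# check_perms DIR: report files writable by group or others; a binary that
# non-root users can overwrite is trivial to replace.
check_perms() {
    loose=$(find "$1" -type f \( -perm -020 -o -perm -002 \) | sort)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/WRITABLE /'
        return 1
    fi
    return 0
}

# Constructed sample: a scratch "bin" directory standing in for /bin.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf '#!/bin/sh\necho listing\n' > "$work/bin/ls"
    printf '#!/bin/sh\necho procs\n'   > "$work/bin/ps"
    chmod 755 "$work/bin/ls" "$work/bin/ps"
    build_baseline "$work/bin" "$work/baseline.db"
    printf 'echo tampered\n' >> "$work/bin/ps"   # simulate a replaced binary
    chmod 777 "$work/bin/ls"                      # simulate loose permissions
    check_hashes "$work/baseline.db" || true     # reports CHANGED .../bin/ps
    check_perms "$work/bin" || true              # reports WRITABLE .../bin/ls
    rm -rf "$work"
}

demo
```

A baseline is only trustworthy if it is built on a known-clean system and stored where a compromised host cannot rewrite it.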

Download Rootkit Hunter from :

Step 2 :
Untar it in /usr/local/src/

tar -zxvf rkhunter-1.2.7.tar.gz

cd rkhunter

Step 3 :

Now run

[root@mybox rkhunter]# ./

Rootkit Hunter installer 1.2.4 (Copyright 2003-2005, Michael Boelen)

Starting installation/update

Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... OK
Installing RK Hunter binary... OK
Configuration updated with installation path (/usr/local/rkhunter)

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)

Step 4 :
Configuration Files

The installer places a shell script in /usr/local/bin/, the configuration file in /usr/local/etc/, and the rest of the files in /usr/local/rkhunter/.

You can override /usr/local/ with the --installdir parameter.

With everything installed, you’re ready to run the program. One nice thing about Rootkit Hunter is that it keeps a variety of information such as known good program versions, blacklisted tools and binaries, and MD5 hashes in continually updated databases, much like a virus scanner. The first thing to do is make sure all of the databases are current.
# /usr/local/bin/rkhunter --update

If anything is out of date, it’s automatically updated. There’s also a quick and easy way to verify that you’re running the latest version of Rootkit Hunter itself:
# /usr/local/bin/rkhunter --versioncheck
This version: 1.2.7
Latest version: 1.2.7
To run all of the Rootkit Hunter security checks and see a verbose, colorized status report, run:
# /usr/local/bin/rkhunter --checkall

While the Rootkit Hunter script has extremely sane defaults, you can edit its configuration file if you’d like to whitelist hidden files or directories, change the install directory, or ignore the fact that remote root SSH logins are allowed. As with any software you install, take the time to thoroughly look through the configuration file to learn what the software is capable of and what each option does.
Once you’re confident that everything is installed and working correctly, add Rootkit Hunter to your list of regular system chores in the system cron file. To do that, first create a script with the following:
#!/bin/sh
# Group the three runs in a subshell so their combined output goes into one mail.
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter output' root
This script performs a version check, updates your databases, runs Rootkit Hunter in a mode conducive to cron (--cronjob disables colored output and --report-warnings-only sets a severity level), and then mails the results to root. You should run this script as root, via cron, at least once a day.

Rootkit Hunter performs a function similar to that of chkrootkit. However, it works in a different manner and offers some additional features, such as storing information in live databases. Which one should you use? Since both are open source and are free to download and use, install both, see how each one works behind the scenes, and choose the one that best suits your needs and your environment.

Example to check :

[root@mybox rkhunter]# rkhunter --checkall

Rootkit Hunter 1.2.7 is running

Determining OS... Ready

Checking binaries

This will list the complete details of binaries, rootkits, trojans, suspicious files, malware, etc.
