Rootkit Hunter

From LQWiki

FAQ

Moved to its own page: FAQ.

CVS and Beta edition

The CVS edition is covered on its own page: CVS-rkh.

The beta is now here:

http://sourceforge.net/project/showfiles.php?group_id=155034

DOWNLOAD

Download from here: http://sourceforge.net/project/showfiles.php?group_id=155034

The same page carries hashupd, which you may need later (see HASHUPD below). If the download page publishes a checksum for the tarball, compare it before you unpack and run anything from the archive as root; a rootkit scanner is only as trustworthy as the copy you install. But let's start here.


INSTALLING

Assuming you have downloaded the file to a folder where you have write permission, e.g. /home/yourname/Download,

you will have a file called rkhunter-(version number).tar.gz (currently 1.2.9).

Open a terminal and issue the following commands, substituting the real path and version number. Only the installer itself needs root; unpack the archive as your normal user first.

cd /path/to/download/folder/

tar zxvf rkhunter-(version number).tar.gz

cd rkhunter-(version number)

su (enter the root password)

./installer.sh

http://www.filehigh.com/viewimg.php?f=28132&i=289205

If successful you get the message "Installation ready": http://www.filehigh.com/viewimg.php?f=28132&i=289207

You can delete the tar.gz file afterwards, as the installer has placed the program under /usr/local/ (the configuration file ends up at /usr/local/etc/rkhunter.conf and the database under /usr/local/rkhunter/lib/rkhunter/db; both are referred to below).

If you have errors, read Installing_Software and correct them.

UPDATING DATABASE

Getting "unknown" version numbers for your distro.

If you do not update your database first you may also get this: http://www.filehigh.com/viewimg.php?f=28132&i=279590

So update the database files in /usr/local/rkhunter/lib/rkhunter/db with this command (as root):

rkhunter --update

Run the command again until all six database files report "Up to date": http://www.filehigh.com/viewimg.php?f=28132&i=281993

I recommend you do not alter the file /usr/local/etc/rkhunter.conf until it has checked your system for the first time.

Currently, --update overwrites your md5sums if you had to generate them with hashupd, so each time you update, re-run hashupd afterwards (see HASHUPD below). This is going to be fixed soonish.

CVS edition users may instead get "The file of stored file properties (rkhunter.dat) is empty", so run

rkhunter --propupd

The CVS FAQ says: "When using the '--propupd' option it is the user's responsibility to ensure that the files on their system are genuine. Rootkit Hunter can only inform the user of a change to the files, not whether they are the original files or not. Although Rootkit Hunter can use a package manager for some systems, it must be remembered that the package manager itself uses files stored on the system. Those files may have been tampered with."

In other words, --propupd (and hashupd) record whatever is on the disk right now as the known-good baseline. Take that baseline only on a system you trust, ideally before it is first connected to the network, and keep a copy of the resulting file somewhere the running system cannot quietly rewrite it.

YOUR FIRST SCAN

The available options are listed by rkhunter --help

I suggest the following command, which runs all checks (-c, --checkall) and skips the "press ENTER to continue" keyboard prompts (-sk, --skip-keypress):

rkhunter -c -sk

http://www.filehigh.com/viewimg.php?f=28132&i=289849

Here is the result.

http://www.filehigh.com/viewimg.php?f=28132&i=289857

If your distro is not in the current database you will get a warning like this.

http://www.filehigh.com/viewimg.php?f=28132&i=279575

See HASHUPD below to fix this issue.

CHECK FOR WARNINGS

Scrolling up in Konsole (the default terminal for KDE users) I can see this warning.

Note that you may have more than one set of warnings: http://www.filehigh.com/viewimg.php?f=28132&i=279588

So I need to inspect the hidden .java directory (folder) under /etc

http://www.filehigh.com/viewimg.php?f=28132&i=289868

and the hidden udevdb folder.

Note, as per the readme files and the configuration file already mentioned, that your distro may use different hidden directories and files; I am on Mandriva. http://www.filehigh.com/viewimg.php?f=28132&i=279577

Let's drill down one layer: http://www.filehigh.com/viewimg.php?f=28132&i=279579

Let's peek at the other hidden files in /etc as well. They are at the top of the list in the file manager once hidden files are shown (from a terminal, ls -la /etc lists them).

http://www.filehigh.com/viewimg.php?f=28132&i=289875

A warning is also shown for the check of my ssh config here (rkhunter looks at the sshd settings, e.g. whether root login over ssh is permitted):

http://www.filehigh.com/viewimg.php?f=28132&i=343668

Getting a BAD result

You may get a scan result that shows a BAD (a file whose hash no longer matches the one in the database):

http://www.filehigh.com/viewimg.php?f=28132&i=331541

In the example, you would read the FAQ, research your software installer and remember (if possible) what updates you did, and whether they came from a trusted source.

I scrolled through my Mandriva /var/log/syslog and saw the date of when this file was updated.

I could research this further as per the FAQ, but I remember the download.

Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3.1mdv2007.0 installed
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3mdk removed

So while the update engine failed to update my wget hash, I just run hashupd.sh to update the hashes locally and then rescan.

This can happen with any update or new software, so do not panic. Please read the FAQ and see HASHUPD for further information. A BAD that you cannot match to a package update you performed yourself is a different matter: treat it as a possible compromise, and verify the file against the package manager (on an RPM system, rpm -V wget reports whether the installed files still match the package) before regenerating any hashes. Remember the CVS FAQ caveat above: the package manager's own files can have been tampered with too.
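To match a BAD hash to an update you performed, the syslog lines above are what you look for. The following is an added example for this page, not code from rkhunter or from Mandriva: it filters syslog-style package-manager lines for the install/remove events of one package. The sample log it builds is constructed for the demo (the first two lines are the real ones quoted above; the rest are made up), and the function name pkg_events is my own.

```shell
#!/bin/sh
# Added example for this page (not from rkhunter or Mandriva): given
# syslog-style package-manager lines like the MandrivaUpdate entries quoted
# above, print the install/remove events for one package, so a BAD hash on
# its binary can be matched to an update you actually performed. If no such
# event exists for the file that went BAD, do not just regenerate the hashes.

# pkg_events LOGFILE NAME
#   Prints "MON DAY TIME ACTION PACKAGE-VERSION" for every "[RPM] NAME-<ver>
#   installed|removed" line. Returns 1 if the package never appears.
pkg_events() {
    log=$1
    name=$2
    # NAME must be followed by "-" and a digit, so "wget" does not also match
    # "wget-tools" or "libwget"; the action is the last field on the line.
    awk -v n="$name" '
        $0 ~ ("\\[RPM\\] " n "-[0-9]") && ($NF == "installed" || $NF == "removed") {
            print $1, $2, $3, $NF, $(NF-1)
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$log"
}

# write_demo_log FILE: constructed sample log. The first two lines are the real
# ones quoted above; the others are made up to show what gets filtered out.
write_demo_log() {
    cat > "$1" <<'EOF'
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3.1mdv2007.0 installed
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3mdk removed
Jan 20 17:15:40 g MandrivaUpdate[4161]: [RPM] curl-7.16.0-1mdv2007.0 installed
Jan 20 17:15:41 g MandrivaUpdate[4161]: [RPM] libwget-dummy-0.1 installed
Jan 20 17:16:02 g sshd[4210]: Accepted publickey for user from 192.0.2.10 port 40122 ssh2
EOF
}

# Demo: which package events touched wget?
demo=$(mktemp)
write_demo_log "$demo"
pkg_events "$demo" wget || echo "no package events for wget"
rm -f "$demo"
```

Run it against the real log with something like pkg_events /var/log/syslog wget (as root, since the log is not world-readable on most systems). If the BAD file belongs to a package that has no install event anywhere near the scan, that is the case to escalate rather than whitelist.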

OPTIONAL: you can modify the CONFIG FILE

/usr/local/etc/rkhunter.conf

Now that I am confident all is ok with the hidden stuff, you can choose to modify the config file to uncomment the relevant hidden files or directories and/or add your own, so that known-good entries stop producing warnings. Only whitelist an entry you have actually inspected; every line you add here is a place where a later change will go unreported.
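The hidden-file warnings in CHECK FOR WARNINGS and the whitelisting described here are two halves of one check. The following is an added example for this page, not rkhunter's own code: it lists the hidden entries at the top level of a directory and reports those not on an allowlist of inspected paths, which is the shape of the check rkhunter runs against /etc and of the entries you uncomment in rkhunter.conf. The function names report_hidden and demo_hidden and the sample tree are my own; the demo uses a temporary directory standing in for /etc.

```shell
#!/bin/sh
# Added example for this page (not rkhunter's own code): list the hidden
# entries directly under a directory and report any that are not on an
# allowlist. This is the same idea as rkhunter's hidden file/directory
# warning and the whitelist entries in rkhunter.conf: entries you have
# looked at and trust go on the allowlist; everything else gets reported.

# report_hidden DIR ALLOWFILE
#   ALLOWFILE holds one absolute path per line. Prints each unexpected hidden
#   entry on its own line and returns 1 if any was found, otherwise 0.
report_hidden() {
    dir=$1
    allow=$2
    found=0
    # Top level only, like "ls -la /etc"; the two globs cover ".name" and
    # "..name" while skipping "." and ".." themselves.
    for entry in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # glob matched nothing
        if grep -qxF -- "$entry" "$allow"; then
            continue                                      # inspected and whitelisted
        fi
        if [ -d "$entry" ]; then
            echo "hidden dir:  $entry"
        else
            echo "hidden file: $entry"
        fi
        found=1
    done
    return $found
}

# Demo on a constructed tree (a temp dir standing in for /etc): .java is
# whitelisted, as it was after inspection above; .evil is not, so only .evil
# is reported and the function returns 1.
demo_hidden() {
    t=$(mktemp -d)
    mkdir "$t/.java"
    touch "$t/.evil" "$t/hosts"
    printf '%s\n' "$t/.java" > "$t/allow.txt"
    report_hidden "$t" "$t/allow.txt"
    rc=$?
    rm -rf "$t"
    return $rc
}

if demo_hidden; then
    echo "no unexpected hidden entries"
else
    echo "unexpected hidden entries found (expected in this demo)"
fi
```

Against a real system you would run report_hidden /etc /root/etc-hidden-allow.txt after writing the inspected paths (here /etc/.java and the udevdb directory) into that allowlist. Keeping the allowlist short and explicit is the point: a new hidden entry in /etc is exactly the thing you want to hear about.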

LAST SCAN

After I decided to modify the config file I re-scanned.

http://www.filehigh.com/viewimg.php?f=28132&i=289940

HASHUPD

hashupd is a way of updating your hash data (md5sums) file if your distro is not in the current data file.

It is also used when you have updated your software and the sourceforge site is currently a little behind with its hashes.

Naturally, read the FAQ on security checks before you rush in and run the hashupd.sh file.

Download it from the same link at the top of the page.

It is recommended you run this command on a clean install with no potential corruption from the network. Running it after you have already been connected to the net may record a "good" hash for a file that is already corrupted, and the scanner will then report that file as fine from then on.

However, each time you run the update command you then need to run hashupd again, until your operating system is in the OS data file. This is because each update command overwrites your locally produced data file, unless you run rkhunter with a different path to the data.

Note that I run hashupd as an sh command, in this order:

rkhunter --update (the data file is overwritten)

cd /path/to/hashupd

sh hashupd.sh (the local hash file overwrites it again)

rkhunter -c -sk

The picture shows the end of the update and the full hashupd output.

http://www.filehigh.com/viewimg.php?f=28132&i=289924
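Both --propupd (in UPDATING DATABASE) and hashupd come down to the same thing: record a hash for each file now, compare later. The following is an added example for this page, not rkhunter's or hashupd's code, showing that baseline-and-verify cycle on constructed files, including the failure mode the two sections warn about: the baseline is only as good as the disk was when it was taken, and it must live where a later refresh cannot overwrite it. The function names take_baseline, verify_baseline and demo_baseline are my own, and sha256 is used instead of the md5 rkhunter 1.2.x used.

```shell
#!/bin/sh
# Added example for this page (not rkhunter's or hashupd's code): take a
# baseline of file hashes for a list of paths, and later check the live files
# against it. This is what rkhunter's stored file properties (--propupd) and
# the locally generated hash file from hashupd amount to. The baseline records
# whatever is on disk when it is taken, so take it on a system you trust and
# keep it somewhere a later "rkhunter --update" cannot overwrite it.
# sha256sum is used here; rkhunter 1.2.x used md5 (the principle is the same).

# take_baseline LISTFILE OUTFILE
#   LISTFILE has one absolute path per line. Writes "hash  path" lines to OUTFILE.
take_baseline() {
    list=$1
    out=$2
    : > "$out"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        sha256sum "$path" >> "$out"
    done < "$list"
}

# verify_baseline BASELINEFILE
#   Re-hashes every path recorded in the baseline. Prints "CHANGED path" or
#   "MISSING path" for each problem and returns 1 if any, otherwise 0.
#   (Paths containing whitespace are not handled by this simple reader.)
verify_baseline() {
    base=$1
    bad=0
    while read -r hash path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED $path"
            bad=1
        fi
    done < "$base"
    return $bad
}

# Demo on constructed files in a temp dir (stand-ins for system binaries):
# two files are baselined, the baseline is made read-only, then one file is
# replaced as a package update would do. The check reports exactly that file.
demo_baseline() {
    t=$(mktemp -d)
    printf 'wget build 3\n'   > "$t/wget"
    printf 'ls build 1\n'     > "$t/ls"
    printf '%s\n' "$t/wget" "$t/ls" > "$t/list"
    take_baseline "$t/list" "$t/baseline.dat"
    chmod 0400 "$t/baseline.dat"      # in practice: copy it off the machine too
    printf 'wget build 3.1\n' > "$t/wget"
    verify_baseline "$t/baseline.dat"
    rc=$?
    rm -rf "$t"
    return $rc
}

if demo_baseline; then
    echo "all files match the baseline"
else
    echo "baseline mismatch (expected in this demo: wget was replaced)"
fi
```

The two lessons from the page map directly onto the code: a CHANGED line after a package update you know about is the wget case above, and the fix is to re-baseline after checking the package; a CHANGED line you cannot explain is a possible compromise. And if the baseline file were taken after the file had already been swapped, the check would pass, which is why the sections above insist on a clean system and an off-box copy.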

ROOTKIT DETECTED

unSpawn must be acknowledged as providing all the assistance in my attempt to get a kit installed.

http://www.filehigh.com/viewimg.php?f=28132&i=316850

The result screen is misleading, as what it found was not a true rootkit: it is a tool used for honeypots and was deliberately installed to illustrate the scan process. Even the rootkit section of the output does not call it a rootkit. However, if you did not install it, then treat it as a kit.

To find that something strange had been installed, I needed to scroll up to the rootkit section of the output.

http://www.filehigh.com/viewimg.php?f=28132&i=314760

Join the mailing list, post the abbreviated result that is troubling you and let the team help you. Then you can help by adding to the database if it is a kit.

I suggest you stop using the affected system and get onto another computer, or boot a live CD, to research the named kit; a compromised system cannot be trusted to report on itself. The team on the mailing list will of course give better advice than I.

Hopefully you have partimage images to restore; otherwise, as per unSpawn's articles on security, you need to do a clean install.

There are so many live CDs nowadays; download one from http://www.distromania.com or http://www.distrowatch.org

Lots of security links and advice are here (unSpawn's sticky post): http://www.linuxquestions.org/questions/showthread.php?t=45261

Good advice and history here: http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html Note that author David O'Brien recommends that you not restore backups UNLESS they are verified. That means you have to do a clean install, run multiple testers, then store the image off the computer for it to be trusted.

For simple users like me, partimage stored on DVD or CD-R is good enough. Sysadmins probably won't be reading this. However, restore each image and rescan it with updated tools such as rkhunter to be sure.

And some more useful information: http://www.fish2.com/tct/help-when-broken-into

UNHIDE SCANNER (OPTIONAL)

You may wish to run other scanners, including unhide (which looks for processes hidden from ps by comparing several views of the process table).

OTHER QUERIES NOT IN READMES ETC

I suggest you search the archived emails for rkhunter here:

http://sourceforge.net/mailarchive/forum.php?forum=rkhunter-users

If no luck, please subscribe to the mailing list.

Be aware that it is only a small number of volunteers, so speedy replies may not occur if there is a large number of emails.


ADVOCACY: other site mentions

For this list, if others contribute, please consider only sites that link to the sourceforge site. The exception to my own rule is this link, as it is a major site likely to be visited by newbies.

http://www.linux.org/lessons/advanced/x507.html

Better sites include:

http://www.foogazi.com/2007/01/03/the-best-linux-security-tools/ (a probable google hit with those keywords)

Mandriva does not yet have it in main, only as a contrib package; the docs on their wiki are here:

http://wiki.mandriva.com/en/Docs/SysAdmin/Security/rkhunter

Ubuntu mentions the logfile here:

https://help.ubuntu.com/community/LinuxLogFiles#head-3f1d6beea5180048c68c2f0fb4848eb236061e04

and it is on their list of security tools here:

https://help.ubuntu.com/community/InstallingSecurityTools?highlight=%28rootkit%29%7C%28hunter%29

