[EN] Rootkit Hunter - Checking Linux for Rootkits

in linux •  7 years ago 

In this article I would like to introduce the tool rkhunter(Rootkit Hunter). This software makes it easy to scan your system for known / conspicuous rootkits.
Rkhunter is by no means the only tool. Another well-known is chrootkit



Image Source

What are rootkits

A rootkit is simply expressed software that disguises logins, processes or files on a compromised system. Often these are combined with back doors to allow easier access to the target system as an attacker. I do not want to go into the different types and characteristics any further at this point - but I would be happy to write a separate contribution on request.

Installation and setup

Debian based distributions can install rkhunter as usual with
apt-get install rkhunter or download from Sourceforge.

The following update with the command rkhunter --update caused an error for me:
VirtualBox_Kali-Linux-2017.2-vbox-amd64_11_03_2018_00_11_22.png

This can be fixed by making the following changes in /etc/rkhunter.conf:

 UPDATE_MIRRORS=0       -> UPDATE_MIRRORS=1
 MIRRORS_MODE=1         -> MIRRORS_MODE=0
 WEB_CMD="/bin/false"   -> WEB_CMD=""

Use

The system is scanned as follows: rkhunter -c --skip-keypress

The system is searched for incorrect file permissions, suspicious strings in kernel modules, created folders, etc. In addition, hash values of existing files are checked.

VirtualBox_Kali-Linux-2017.2-vbox-amd64_11_03_2018_00_57_26.png

In order to get more detailed information about the possible finds you should have a look at the warnings in the logs:

grep Warning /var/log/rkhunter.log

There is also the possibility of certain whitelist warnings (etc/rkhunter.conf).

Conclusion

rkhunter alone does not guarantee that there is no rootkit on the system, yet it provides a good overview and is easy to use. If many systems are to be monitored, it makes sense to run the scan regularly via cron-jobs and to send a mail if warnings occur.


Thank you for reading !

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Herzlichen Glückwunsch zur TOP 100 - Platzierung im aktuellen Ranking der effektivsten #deutsch -Kuratoren!

Es ist nicht entscheidend, welcher Algorithmus diesem Ranking letztendlich zu Grunde liegt, entscheidend ist, dass jeder Deiner Votes eine Rolle gespielt hat! Für jeden Einzelnen und damit für die #deutsch -Community insgesamt.

Dafür vielen Dank und mein Upvote, entsprechend meiner Ankündigung hier.

Shaka

Dies ist ein generischer comment an die TOP 100-Platzierten und damit ohne Bezug zum gevoteten Beitrag.

Loading...