    How to Install RkHunter for Rootkit/Trojan Scanning on CentOS/RHEL

    Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files against known-good values in an online database, and it also performs the following checks:

    • MD5 hash comparison
    • Look for default files used by rootkits
    • Look for wrong file permissions on binaries
    • Look for suspicious strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files


    1. Installation

    1.1 Download Rootkit Hunter
    Begin by downloading the latest stable version of Rkhunter by using the Wget command. The /usr/local/src folder is where you should put any programs (source or binary) you’ve downloaded before installing them.

    cd /usr/local/src
    wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.0.tar.gz
    wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.0.tar.gz.sha1.txt
    sha1sum -c rkhunter-1.4.0.tar.gz.sha1.txt

    Make sure to check for the latest available version on the project's SourceForge download page and adjust the commands above accordingly.

    1.2 Install Rootkit Hunter

    Once you have downloaded the latest version of Rootkit Hunter, issue the following commands as root to start the installation routine.

    tar -zxvf rkhunter-1.4.0.tar.gz
    cd rkhunter-1.4.0
    ./installer.sh --layout default --install 
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd
    rm -Rf /usr/local/src/rkhunter*


    2. Set Up a Cronjob

    A cron job runs the scan on a schedule and e-mails the results to the address you specify.
    2.1: Create the run file in the following location (RHEL-based distributions only):

    nano -w /etc/cron.daily/rkhunter.sh

    2.2: Insert the following short shell script into the rkhunter.sh file we have just created.

    #!/bin/sh
    # Run the version check, database update and scan, then mail the combined output.
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' [email protected]

    Important: Replace (PutYourServerNameHere) and [email protected] with your server name and a valid e-mail address.
    2.3: Set execute permission on the file you have just created:

    chmod 755 /etc/cron.daily/rkhunter.sh
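    The script above mails a report every day whether or not anything was found. The following wrapper, added here as an example and not part of the original post, only sends mail when rkhunter exits non-zero or prints a warning, and appends every run to a local log; it assumes rkhunter at /usr/local/bin/rkhunter as installed above, /bin/mail being present, and uses RKHUNTER_MAILTO and LOGFILE as placeholders you adjust.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper that only mails
# when rkhunter has something to report, and keeps a local log of every run.
# Assumptions: rkhunter at /usr/local/bin/rkhunter and /bin/mail present;
# RKHUNTER_MAILTO and LOGFILE are placeholders to adjust for your system.

RKHUNTER=/usr/local/bin/rkhunter
MAILTO="${RKHUNTER_MAILTO:-root}"
LOGFILE=/var/log/rkhunter-daily.log

# rkhunter exits non-zero when any test produced a warning, and with
# --report-warnings-only it prints nothing at all on a clean run.
# Returns 0 (send mail) or 1 (stay quiet).
should_notify() {
    status="$1"
    output="$2"
    [ "$status" -ne 0 ] && return 0
    [ -n "$output" ] && return 0
    return 1
}

# Subject line carrying the real host name and exit status instead of the
# hard-coded placeholder used in the script above.
mail_subject() {
    status="$1"
    host="$(uname -n)"
    if [ "$status" -ne 0 ]; then
        printf 'rkhunter Daily Run (%s): WARNINGS (exit %s)\n' "$host" "$status"
    else
        printf 'rkhunter Daily Run (%s): output to review\n' "$host"
    fi
}

run_daily() {
    "$RKHUNTER" --update >/dev/null 2>&1
    output="$("$RKHUNTER" --cronjob --report-warnings-only 2>&1)"
    status=$?
    printf '%s exit=%s\n%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$status" "$output" >>"$LOGFILE"
    if should_notify "$status" "$output"; then
        printf '%s\n' "$output" | /bin/mail -s "$(mail_subject "$status")" "$MAILTO"
    fi
}

# Only scan when rkhunter is actually installed, so the helper functions can
# be sourced on a machine without it.
if [ -x "$RKHUNTER" ]; then
    run_daily
fi
```

    Save it as /etc/cron.daily/rkhunter.sh in place of the script above and set the same 755 permissions; the log file makes it possible to review quiet days as well as noisy ones.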


    3. Update rkhunter

    Run the updater by issuing the following command.

    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd


    4. Manual Scan

    You can initiate a manual scan by issuing the following command:

    /usr/local/bin/rkhunter -c

    This runs rkhunter in interactive mode: at the end of each group of tests you need to press Enter to continue. To skip these key presses, add the -sk option at the end:

    /usr/local/bin/rkhunter -c -sk

    To scan the entire file system enter:

    rkhunter --check

    Your scan results should look as follows:

    ---------------------------- Scan results ----------------------------
    MD5 scan
    Scanned files: 0
    Incorrect MD5 checksums: 0
    File scan
    Scanned files: 412
    Possible infected files: 0
    Application scan
    Vulnerable applications: 0
    Scanning took 39 seconds
    -----------------------------------------------------------------------

    Congratulations, you have now finished installing and configuring Rootkit Hunter.
    Source: ROServices Blog, www.ro-services.com

    Enjoy..
