{"id":145,"date":"2014-06-21T06:28:58","date_gmt":"2014-06-21T06:28:58","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=145"},"modified":"2014-06-21T06:28:58","modified_gmt":"2014-06-21T06:28:58","slug":"install-rkhunter-rootkittrojan-scanning-centosrhel","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=145","title":{"rendered":"How to Install RkHunter for Rootkit\/Trojan Scanning on CentOS\/RHEL"},"content":{"rendered":"<p>Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with\u00a0<em>known good<\/em>\u00a0ones in an online database, and it also performs the following checks:<\/p>\n<ul>\n<li>MD5 hash comparison<\/li>\n<li>Look for default files used by rootkits<\/li>\n<li>Wrong file permissions for binaries<\/li>\n<li>Look for suspected strings in LKM and KLD modules<\/li>\n<li>Look for hidden files<\/li>\n<li>Optional scan within plaintext and binary files<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><strong>1. Installation<\/strong><\/h3>\n<p><strong>1.1 Download Rootkit Hunter<\/strong><br \/>\nBegin by downloading the latest stable version of rkhunter using the wget command. 
The \/usr\/local\/src folder is where you should put any programs (source or binary) you&#8217;ve downloaded before installing them.<\/p>\n<pre>cd \/usr\/local\/src\nwget http:\/\/dfn.dl.sourceforge.net\/sourceforge\/rkhunter\/rkhunter-1.4.0.tar.gz\nwget http:\/\/dfn.dl.sourceforge.net\/sourceforge\/rkhunter\/rkhunter-1.4.0.tar.gz.sha1.txt\nsha1sum -c rkhunter-1.4.0.tar.gz.sha1.txt<\/pre>\n<p>Make sure to check for the latest available version\u00a0<a href=\"http:\/\/www.rootkit.nl\/projects\/rootkit_hunter.html\"><strong>here<\/strong><\/a><strong>,\u00a0<\/strong>and adjust the version number in the commands above accordingly.<br \/>\n<strong><br \/>\n1.2 Install Rootkit Hunter<\/strong><br \/>\nOnce you have downloaded the latest version of Rootkit Hunter, issue the following commands as root to start the installation routine.<\/p>\n<pre>tar -zxvf rkhunter-1.4.0.tar.gz\ncd rkhunter-1.4.0\n.\/installer.sh --layout default --install\n\/usr\/local\/bin\/rkhunter --update\n\/usr\/local\/bin\/rkhunter --propupd\nrm -Rf \/usr\/local\/src\/rkhunter*<\/pre>\n<p>&nbsp;<\/p>\n<h3><strong>2. Set up a Cron Job<\/strong><\/h3>\n<p>Cron jobs enable scheduled scanning of your file system and send email notifications to the address you specify.<br \/>\n<strong>2.1:<\/strong>\u00a0Create the run file in the following location (RHEL-based distributions only):<\/p>\n<pre>nano -w \/etc\/cron.daily\/rkhunter.sh<\/pre>\n<p>&nbsp;<br \/>\n<strong>2.2:<\/strong>\u00a0Insert the following short shell script into the rkhunter.sh file you have just created.<\/p>\n<pre>#!\/bin\/sh\n(\n\/usr\/local\/bin\/rkhunter --versioncheck\n\/usr\/local\/bin\/rkhunter --update\n\/usr\/local\/bin\/rkhunter --cronjob --report-warnings-only\n) | \/bin\/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here<\/pre>\n<p><strong>Important<\/strong>: Remember to change (PutYourServerNameHere) and your@email.here to a valid server name and e-mail address.<br \/>\n&nbsp;<br \/>\n<strong>2.3:<\/strong>\u00a0Set execute 
permission on the file you have just created:<\/p>\n<pre>chmod 755 \/etc\/cron.daily\/rkhunter.sh<\/pre>\n<p>&nbsp;<\/p>\n<h3><strong>3. Update rkhunter<\/strong><\/h3>\n<p>Run the updater by issuing the following commands.<\/p>\n<pre># \/usr\/local\/bin\/rkhunter --update\n# \/usr\/local\/bin\/rkhunter --propupd<\/pre>\n<p>&nbsp;<\/p>\n<h3><strong>4. Manual Scan<\/strong><\/h3>\n<p>You can initiate a manual scan by issuing the following command:<\/p>\n<pre>\/usr\/local\/bin\/rkhunter -c<\/pre>\n<p>This runs rkhunter in interactive mode. In other words, when it gets to the end of a particular scan, you need to press &#8216;Enter&#8217; to continue. If you want to skip the interactive prompts, add the -sk option at the end:<\/p>\n<pre>\/usr\/local\/bin\/rkhunter -c -sk<\/pre>\n<p>To scan the entire file system enter:<\/p>\n<pre>rkhunter --check<\/pre>\n<p>&nbsp;<br \/>\nYour scan results should look as follows:<\/p>\n<pre>---------------------------- Scan results ----------------------------\nMD5 scan\nScanned files: 0\nIncorrect MD5 checksums: 0\nFile scan\nScanned files: 412\nPossible infected files: 0\nApplication scan\nVulnerable applications: 0\nScanning took 39 seconds\n-----------------------------------------------------------------------<\/pre>\n<p>&nbsp;<br \/>\nCongratulations, you have now completed installing and configuring Rootkit Hunter.<br \/>\nSource: ROServices Blog, www.ro-services.com<br \/>\n&nbsp;<br \/>\nEnjoy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. 
It does this by comparing SHA-1 hashes of important files with\u00a0known good\u00a0ones in online database as well as: MD5 hash compare Look for default files used by rootkits Wrong file permissions for binaries Look for suspected strings in LKM<\/p>\n","protected":false},"author":1,"featured_media":146,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47,9],"tags":[148,149,142],"class_list":["post-145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos","category-how-tos","category-network-security","tag-rkhunter","tag-rootkit","tag-trojan"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=145"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/145\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}