Thursday, September 15, 2011

Kit that hunts Kits - RKHunter

Rootkit Hunter (rkhunter) is a Unix tool that scans for rootkits, trojans, backdoors and similar exploits. It is released under the GPL and is therefore free. It is actually a shell script that performs various checks on the system and detects the presence of known rootkits and malware: it checks whether system binaries have been modified, whether the system startup files have been tampered with, and whether active processes are malicious in nature. The reports of the checks are usually brief, yet helpful in validating the sanity of a local machine/server.

Scanning techniques

–> MD5 hash comparison, to validate the authenticity of packages and binaries
–> Search for hidden files and default files used by rootkits
–> Check for wrong file permissions on binaries
–> Search for suspicious strings in kernel modules
–> Optional scan for malicious code within plain-text and binary files

Install RKHunter

The installation is quite simple. The latest files can be fetched from
The following command(s) would leave you with a working rkhunter installation:
cd /usr/local/src/; wget; tar -zxvf rkhunter-*; cd rkhunter-*; sh --layout /usr/local --install
The very first step is to populate the file-properties database, which the following command does:

rkhunter --propupd

You may wish to glance through the configuration file at /usr/local/etc/rkhunter.conf. It helps you understand the tool better and documents the configuration options, including those for avoiding false positives.
You might see a few warnings when you run the test; a warning does not always indicate a security breach. The chances of false positives are high, and once you get to know the tool you can avoid them with various configuration options. The tool is designed to work on various platforms, yet remain flexible enough to be tuned for each of your systems.
The test can be performed with the following command:

/usr/local/bin/rkhunter --check --skip-keypress
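The properties database and check described above, as an added example that is not part of rkhunter or this post: a minimal sh implementation of the same baseline-and-compare idea (hash, mode and owner per file), with the hypothetical `prop_update` standing in for `--propupd` and `prop_check` for `--check`. It assumes GNU coreutils on Linux (sha256sum and `stat -c`) and uses SHA-256 rather than MD5.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal file-properties
# database in the spirit of `rkhunter --propupd` (baseline) and
# `rkhunter --check` (compare). Assumes GNU coreutils on Linux.

# Print "hash mode owner group" for one file. The path is left out so
# that callers can split the four fields safely with `set --`.
file_props() {
    h=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$h" "$(stat -c '%a %U %G' "$1")"
}

# prop_update DIR DB: record every regular file under DIR into DB.
# The path goes last so that `read` tolerates spaces inside it.
prop_update() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(file_props "$f")" "$f"
    done > "$2"
}

# prop_check DB: compare the live files with the stored properties.
# Prints one WARNING per deviation; returns 1 if any, 0 otherwise.
prop_check() {
    db=$1; status=0
    while read -r ohash omode oowner ogroup f; do
        if [ ! -f "$f" ]; then
            echo "WARNING: $f is missing"; status=1; continue
        fi
        set -- $(file_props "$f")   # $1=hash $2=mode $3=owner $4=group
        [ "$1" = "$ohash" ] || { echo "WARNING: $f hash changed"; status=1; }
        [ "$2" = "$omode" ] || { echo "WARNING: $f mode $omode -> $2"; status=1; }
        [ "$3 $4" = "$oowner $ogroup" ] || \
            { echo "WARNING: $f owner $oowner:$ogroup -> $3:$4"; status=1; }
    done < "$db"
    return $status
}
```

Run `prop_update /usr/local/bin /var/lib/props.db` once on a known-clean system, then `prop_check /var/lib/props.db` from cron; as with rkhunter, a package upgrade will change hashes, so refresh the baseline after legitimate updates.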

In case you want to uninstall the tool, the following command removes the installation. It has to be run from the same location from which it was installed (say /usr/local/src/rkhunter-1.3.6).

./ --remove

Setting cron for RKHunter

Scheduling the check ensures periodic server sanity checks and reports. It is simple, and the following cron entry with a one-liner script takes care of the schedule.
The script goes in the /etc/cron.daily folder. The tool itself has a switch, "--cronjob", designed for use from cron.
Create the file /etc/cron.daily/
Add the following, replacing your email address in place of
/usr/local/bin/rkhunter --cronjob 2>&1 | mail -s "$HOSTNAME daily RK-Hunter Scan Report"
Follow it up by making the script executable:
chmod +x /etc/cron.daily/
That’s it! You now have a kit that detects rootkits at your service.