

Rootkit scanners are checking tools that give you about 99.9% confidence that your system is clean of nasty tools. They scan for rootkits, backdoors and local exploits by running tests like:
  • MD5 hash compare
  • Look for default files used by rootkits
  • Wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files
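The first three checks in the list above are easy to reproduce by hand. The script below is an added example (not part of this page or of rkhunter itself): it records an MD5 baseline of the files in a directory, reports any file whose hash no longer matches, and flags binaries that are writable by group or others. The directory contents, the baseline file name and the demo run are all constructed for the demonstration; point it at a real binary directory and store the baseline off-box to get a usable check.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: MD5 baseline compare and
# file-permission check over a directory of binaries.

# Record one "md5  path" line per file in DIR into BASELINE (constructed path).
take_baseline() {
    dir="$1"; baseline="$2"
    find "$dir" -type f | sort | xargs md5sum > "$baseline"
}

# Print each file whose current MD5 differs from the baseline, or that has
# disappeared. Returns 1 if anything changed, 0 if everything matches.
compare_baseline() {
    baseline="$1"
    changed=0
    while read -r sum path; do
        now=$(md5sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "CHANGED $path"
            changed=1
        fi
    done < "$baseline"
    return $changed
}

# Print binaries under DIR that are writable by group or others, a classic
# sign of a replaced or badly packaged binary. Returns 1 if any were found.
check_permissions() {
    dir="$1"
    bad=$(find "$dir" -type f -perm /022)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/GROUP-OR-WORLD-WRITABLE /'
        return 1
    fi
    return 0
}

# Stand-alone demonstration on a constructed directory of fake binaries.
demo() {
    work=$(mktemp -d)
    printf 'fake ls\n' > "$work/ls"; printf 'fake ps\n' > "$work/ps"
    chmod 755 "$work/ls" "$work/ps"
    take_baseline "$work" "$work.md5"
    printf 'trojaned ls\n' > "$work/ls"      # simulate a replaced binary
    chmod 777 "$work/ps"                     # simulate loosened permissions
    compare_baseline "$work.md5" || echo "hash check: FAILED"
    check_permissions "$work" || echo "permission check: FAILED"
    rm -rf "$work" "$work.md5"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh hashcheck.sh demo` to see both checks fire on the constructed tree. The baseline is only as trustworthy as the place it is kept: a baseline stored on the same box can be rewritten by whoever replaced the binary, which is exactly why rkhunter ships its own hash database and why the e-mail setup further down sends reports off-site.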

rkhunter installation

#urpmi rkhunter
installation de rkhunter-1.2.0-1mdk.noarch.rpm depuis 
Préparation …                        1/1: rkhunter

First use

First of all, we need to update the rootkit definitions:
# rkhunter --update
Running updater...Mirrorfile //lib/rkhunter/db/mirrors.dat rotated
Using mirror http://www.rootkit.nl/rkhunter
[DB] Mirror file                      : Up to date
[DB] MD5 hashes system binaries       : Update available
  Action: Database updated (current version: 2005051900, new version 2005080200)
[DB] Operating System information     : Update available
  Action: Database updated (current version: 2005052200, new version 2005082200)
[DB] MD5 blacklisted tools/binaries   : Up to date
[DB] Known good program versions      : Update available
  Action: Database updated (current version: 2005041700, new version 2005071500)
[DB] Known bad program versions       : Update available
  Action: Database updated (current version: 2005041700, new version 2005071500)
Ready.
or, if everything is already current, you may see:
# rkhunter --update
Running updater...Mirrorfile //lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror01.mirror.rkhunter.org
[DB] Mirror file                      : Up to date
[DB] MD5 hashes system binaries       : Up to date
[DB] Operating System information     : Up to date
[DB] MD5 blacklisted tools/binaries   : Up to date
[DB] Known good program versions      : Up to date
[DB] Known bad program versions       : Up to date
Ready.

Then we can run our first check:

# rkhunter -c --skip-keypress
Rootkit Hunter 1.2.0 is running

Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!


Checking binaries
* Selftests
     Strings (command)
[...]

Let's set up rkhunter to e-mail you daily scan reports.

Add The Following to /etc/cron.daily/rkhunter.sh

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)
Replace the e-mail address above with your own! It is best to send the report to an off-site mailbox, so that if the box IS compromised the attacker can't erase the scan report unless he breaks into another server too. Then make the script executable:
chmod +x /etc/cron.daily/rkhunter.sh
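The one-liner above mails every report with the same subject. The wrapper below is an added example (not the wiki's script and not part of rkhunter): it keeps a dated local copy of the report, and puts the host name, the date and a WARNING marker in the subject when the report contains findings, so that reports from several servers arriving in one off-site mailbox can be triaged at a glance. The rkhunter path, the destination address and the report directory are assumptions taken from or modelled on the page; the `Warning|INFECTED` pattern matched in the report is an assumption based on the output shown above.

```shell
#!/bin/sh
# Added example, not the page's own cron script: run the daily rkhunter
# scan, keep a local copy, and mail it off-site with a descriptive subject.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}               # path used on this page
REPORT_TO=${REPORT_TO:-replace-this@with-your-email.com}    # off-site mailbox (placeholder)
REPORT_DIR=${REPORT_DIR:-/var/log/rkhunter}                 # assumed report directory

# Return 0 when the report text contains something a human should look at.
# The pattern is an assumption based on the "Warning:" lines rkhunter prints.
report_has_findings() {
    grep -q -E 'Warning|INFECTED' "$1"
}

# Build a subject line from host name, date and finding status.
report_subject() {
    if report_has_findings "$1"; then
        echo "RKhunter WARNING on $(uname -n) $(date +%F)"
    else
        echo "RKhunter clean scan on $(uname -n) $(date +%F)"
    fi
}

# Run the scan in cron mode, store the report, and mail it.
run_and_mail() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/rkhunter-$(date +%F).log"
    "$RKHUNTER" -c --cronjob > "$report" 2>&1
    mail -s "$(report_subject "$report")" "$REPORT_TO" < "$report"
}

# Only run the scan when invoked with "run" (e.g. from /etc/cron.daily),
# so the functions can be sourced and inspected without scanning.
if [ "${1:-}" = run ]; then run_and_mail; fi
```

Keeping the local copy does not replace the off-site mail: as the page says, a compromised box cannot be trusted to keep its own evidence, and the local file is only there so the mailed report can be compared with what the machine still shows.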

rkhunter told me something is wrong with my dedicated server. What do I do?

  • If your system is infected with a rootkit, it is almost impossible to clean it up. Never trust a machine that has been infected with a rootkit! Hiding is the rootkit's main purpose.
(So a fresh installation of the operating system is REQUIRED.)
  • If only one check fails, it is possible that you have a "false positive".
This sometimes occurs because of custom configurations or changed binaries. If this happens you can validate the 'false positive' by checking for untrusted paths, by checking whether you recently updated the binary and rkhunter's database is simply out of date, and by comparing your binaries with other trusted binaries to make sure they really are 'safe' from a rootkit.

The rkhunter FAQ can be found at http://www.rootkit.nl

Main.Security > rkhunter installation (fr)
Creator: Diwann  Date: 2005/09/09 13:04
Last Author: Diwann  Date: 2006/10/19 03:04
(c) Mandriva