
Check your rootkits at the door with rkhunter

Jack Wallen highlights an application that he uses to inspect systems for rootkits called rkhunter.

This column is usually op-ed, but I ran across a story the other day about a new proof-of-concept rootkit (Hackers Find a New Place to Hide Rootkits) and thought I would highlight an application I generally use to inspect systems for rootkits: rkhunter. Its developers claim it will keep you 99.9% free of rootkits by running tests such as:

  • MD5 hash comparison of important system binaries
  • Search for the default files used by known rootkits
  • Wrong (inconsistent) file permissions on binaries
  • Search for suspect strings in LKM and KLD kernel modules
  • Hidden file search
  • Optional scan within plaintext and binary files

Even allowing for the 0.1% the developers themselves concede, installing this application on any machine that lives online, especially a production machine, is a smart move.

Installing

Installation is simple. On an Ubuntu distribution, issue the command sudo apt-get install rkhunter, enter your sudo password, and you're good to go. On a Fedora-based distribution, issue the command yum install rkhunter as root.

Running rkhunter

rkhunter needs root privileges, so run rkhunter -c as root or sudo rkhunter -c to do an initial check for rootkits (-c is short for --check).

As rkhunter completes each section of checks you will have to press Enter to continue. Don't worry, it won't time out: you can walk away and come back to press Enter, although the checks are fairly quick.

Don't assume that once you have run rkhunter you are safe and need never run it again. I suggest doing two things. First, create a cron job that runs rkhunter --update daily so that rkhunter has the latest data files (its rootkit "definition files"); this requires that wget be installed on the machine. Second, schedule the scan itself as a cron job with the --cronjob flag, which runs the check non-interactively so no Enter prompts are needed. One caveat: rkhunter's file-properties check compares binaries against a stored baseline, so after you upgrade packages run rkhunter --propupd to refresh that baseline; otherwise legitimate changes are reported as warnings and real ones get lost in the noise.

Configuration and log files

The configuration file for rkhunter is /etc/rkhunter.conf. I suggest you sift through it and make any changes your system needs. In particular (and especially if you are setting this up as a cron job), set up an e-mail address (the MAIL-ON-WARNING setting) so that warnings are sent to you.

By default the log file is /var/log/rkhunter.log; you can change this in the configuration file. The log contains a lot of valuable information about each scan, and it also records when new updates have been applied.
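Putting the steps above together (install, an initial rkhunter -c, a daily --update, a --cronjob scan, and reading the log), here is a cron wrapper as an added example. It is not code from the article or from the rkhunter project. It assumes rkhunter is on PATH, the default log path /var/log/rkhunter.log, and a working mail(1) when MAILTO is set; the sample log it parses is constructed for illustration and is not real rkhunter output.

```sh
#!/bin/sh
# Added example, not code from the article or from the rkhunter project: a
# wrapper for the daily cron job the article recommends. It refreshes the
# rkhunter data files, runs the scan non-interactively, and mails the warning
# lines from the log only when there are some.
#
# Assumptions (not stated on the page): rkhunter is on PATH, the log is at
# /var/log/rkhunter.log, and mail(1) is available when MAILTO is set.

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"
MAILTO="${MAILTO:-}"

# Print the warning lines from an rkhunter log. rkhunter timestamps each log
# line as [HH:MM:SS]; warnings carry the literal text "Warning:".
extract_warnings() {
    [ -r "$1" ] || return 0
    grep 'Warning:' "$1" || true
}

# Number of warning lines (prints 0 for an empty or unreadable log).
count_warnings() {
    if [ -r "$1" ]; then
        grep -c 'Warning:' "$1" || true
    else
        echo 0
    fi
}

# Refresh the rootkit data files. rkhunter --update exits 0 when nothing
# changed, 2 when files were fetched, and 1 on error (for example, no wget).
update_datafiles() {
    rc=0
    rkhunter --update --nocolors >/dev/null 2>&1 || rc=$?
    case $rc in
        0|2) return 0 ;;
        *)   echo "rkhunter --update failed (rc=$rc); is wget installed?" >&2
             return 1 ;;
    esac
}

# Non-interactive scan. --cronjob implies --check, --nocolors and
# --skip-keypress, so there are no Enter prompts; --report-warnings-only keeps
# the output to the lines worth reading. Exit status is 1 when warnings were
# found. (Run "rkhunter --propupd" by hand after package upgrades, not here.)
run_scan() {
    rkhunter --cronjob --report-warnings-only
}

# Mail the logged warning lines when there are any; prints the count.
notify() {
    n="$(count_warnings "$RKH_LOG")"
    if [ "$n" -gt 0 ] && [ -n "$MAILTO" ]; then
        extract_warnings "$RKH_LOG" \
            | mail -s "rkhunter: $n warning(s) on $(hostname)" "$MAILTO"
    fi
    echo "$n"
}

# Constructed sample log (not real rkhunter output) so the parsing functions
# can be exercised without running a scan; writes it to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
[03:00:01] Info: Starting the rootkit check
[03:00:02] Warning: The file properties have changed: File: /usr/bin/ssh
[03:00:03] Warning: Hidden file found: /dev/.initramfs
[03:00:04] Info: Checking for hidden processes
EOF
}

# Run only when invoked for real, for example from a crontab line such as:
#   0 3 * * * RKH_RUN=1 MAILTO=root /usr/local/sbin/rkhunter-daily.sh
if [ "${RKH_RUN:-0}" = "1" ]; then
    update_datafiles || true
    run_scan || true
    notify >/dev/null
fi
```

rkhunter can send the mail on its own through MAIL-ON-WARNING in /etc/rkhunter.conf; the notify step here shows how to pull the same warning lines out of the log when you want the report to come from your own scheduler. Note that --update exits with status 2 when it actually fetched new files, so a wrapper must not treat every non-zero status as a failure.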

Final thoughts

Just because you're using Linux as your server or your desktop, don't assume you are bulletproof. You may be closer to computing nirvana than you were before, but you are still not immune to everything. Making sure your Linux machines have not fallen victim to a rootkit can mean the difference between secure data and total data loss.

Take the time to install rkhunter on every Linux machine you have, and set up the cron job so rkhunter runs regularly. The peace of mind this simple application brings is worth every second you put into the installation.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

18 comments
mikifinaz1

So I can save info. like this for later reference.

Jaqui

Any rootkit detection tool is best installed prior to the system ever going online. Then you can run it and get a base comparison before going online. This improves the effectiveness of the detection systems that use activity on the filesystem(s).

seanferd

I'm getting around to installing some new Linux. Thanks for the info, I believe I'll be adding that right in. The name does sound strangely familiar... Edit: "Francois Marier Says: February 6th, 2008 at 9:43 pm You may also want to install 'unhide' since rkhunter can make use of it. It's a small utility which attempts to detect hidden processes by looking at discrepancies between the lists returned by different system calls. To enable it, just remove 'hidden_procs' from the DISABLE_TESTS variable in /etc/rkhunter.conf"

jlwallen

But having it at any point is better than not having it. Ideally one would do a fresh install, then install rkhunter (and any other protection you need), and then open the machine up for production.

jlwallen

Why are you linking to a file called VIRUS.png? Are you trying to get busted for something?

husserl

Perhaps this is an eloquent argument for imaging the drive when fresh.

zclayton2

Second or third identical post of that from Balthor in different talkbacks that I have seen. I think he has been corrupted.

seanferd

Same thing was posted to zdnet. For all I know, it's just a picture of a biological virus, but in no way am I tempted to find out.

scott_jordan

The guy who posted that link should explain what it is.

husserl

Security and other updates. Oh, and those reliable MS service packs.

Jaqui

Once everything is ready for production use, make the image, then open it up for network access. Saves you what, 2 hours to rebuild the OS if needed. Edit to add: 2 hours per system; it does add up to a significant amount of time on large networks.

seanferd

Qu'est-ce que c'est? Really odd, I remember that icon from a program I used long ago. Now I want to know what it was. Edit: I should have checked out the PNG last night while I was running a Debian Live ISO in VMWare player. Didn't think of it.

jlwallen

It has something related to the HijackThis virus highlighted.

techrepublic@

It's a screenshot of a Windows XP desktop! No kidding, from me at least. :D