Until fairly recently, the tool to use for detecting malware on Linux systems was chkrootkit. However, a newer tool with several more available tests and a friendlier interface is now available: Rootkit Hunter (rkhunter). This tool is available for download from the rootkit Web site. Installation is extremely straightforward; rkhunter consists only of Perl and shell scripts. After you've downloaded and unpacked the latest version, simply run the installer.sh script to install the program.
In its most basic form, rkhunter scans your system for any signs of malware. In addition, it performs other scans on your system, such as checking for differences between a cached copy of the passwd and group files and the current ones, checking the sshd_config file to see if root logins are permissible, and so forth.

Every version adds checks for new malware, so keeping up with rkhunter releases is important. Be sure to regularly check the rootkit Web site.
To perform an interactive report, run rkhunter as shown below:
# rkhunter -c
This displays each test that rkhunter performs, pausing occasionally for you to press [Enter]. This ensures that you can see the entire report without scrolling back too far.
You can also produce a simple summary report that lets you view the results of rkhunter's work. Here's an example:
# rkhunter -c --report-mode
If you're only interested in the summary, you can place this command in a cron job. If you prefer to have a full report, execute the following:
# rkhunter -c --cronjob
This prevents the display of colors, which may cause the e-mails sent via cron to look a little off. All in all, rkhunter is easy to use and a definite must for anyone running Linux.
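As an added example that is not part of the article or the rkhunter project, the following wrapper puts the cron-mode run described above into a script that keeps each report on disk and exits non-zero only when the report contains warnings, so the cron mail is worth reading. It assumes rkhunter is on PATH and marks problems with lines containing "Warning"; the log directory and the sample report are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: a cron wrapper for rkhunter.
# Assumptions (not stated in the article): rkhunter is on PATH, writes its
# report to stdout, and flags problems with lines containing "Warning".

LOGDIR="${LOGDIR:-/var/log/rkhunter}"

# Return 0 when the report file holds no warning lines, 1 otherwise,
# printing only the offending lines so the cron mail stays short.
check_report() {
    report="$1"
    if grep -i 'warning' "$report" >/dev/null 2>&1; then
        echo "rkhunter reported warnings on $(uname -n):"
        grep -i 'warning' "$report"
        return 1
    fi
    return 0
}

# Run the scan in cron mode (no colours, no [Enter] pauses), keep the
# dated report, and let the exit status decide whether cron sends mail.
run_scan() {
    mkdir -p "$LOGDIR"
    report="$LOGDIR/report.$(date +%Y%m%d).txt"
    rkhunter -c --cronjob > "$report" 2>&1
    check_report "$report"
}

# Constructed sample report, used only to exercise check_report offline;
# the exact layout of real rkhunter output may differ.
sample_report() {
    cat <<'EOF'
/bin/ls                                 [ OK ]
/bin/ps                                 [ OK ]
Checking for allowed root login         [ Warning! ]
EOF
}

case "${1:-}" in
    run)  run_scan ;;
    demo) sample_report > /tmp/rkhunter.sample
          check_report /tmp/rkhunter.sample ;;
esac
```

Install it as the cron command (for example, `0 3 * * * /usr/local/sbin/rkhunter-cron run`) and cron will only deliver mail on the days the script prints something, which is exactly the days the report holds a warning.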