Rootkit Hunter for Linux

Rootkit Hunter is a security monitoring and analyzing tool for POSIX compliant systems. Well, at least that is the official definition for this utility. From the man pages, rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. rkhunter has been written to be as generic as possible, and so should run on most Linux and UNIX systems. It is provided with some support scripts should certain commands be missing from the system, and some of these are perl scripts. rkhunter does require certain commands to be present for it to be able to execute. Additionally, some tests require specific commands, but if these are not present then the test will be skipped. rkhunter needs to be run under a Bourne-type shell, typically bash or ksh. rkhunter can be run as a cron job or from the command-line.

Download rkhunter from sourceforge.net and install. This is an example; the download links on sourceforge.net change over time.

# Bring the system up to date, then fetch and unpack the tarball
yum update -y
cd /usr/local/src
# The URL contains '&', so it must be quoted or the shell backgrounds the command;
# -O saves it under a fixed name instead of one carrying the query string
wget -O rkhunter-1.4.2.tar.gz 'http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2F&ts=1436462452&use_mirror=iweb'
tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
# Install with the default layout (binary in /usr/local/bin, config in /etc/rkhunter.conf)
./installer.sh --layout default --install
# Clean up the source tree
rm -Rf /usr/local/src/rkhunter*

Update rkhunter.

/usr/local/bin/rkhunter --update

Sample output.

[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]

Running prelink before rkhunter --propupd greatly reduces the number of WARNING messages, which are in part the result of missing hashes. prelink rewrites binaries on disk, so taking the file-property baseline after a full prelink run keeps the stored hashes in step with the files that later checks will see.

/usr/sbin/prelink -av -mR
/usr/local/bin/rkhunter --propupd

Sample output.

[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 171 files, found 143, missing hashes 2

rkhunter automatically creates a /etc/cron.daily/rkhunter.sh job. If you don’t want it, move it or delete it.

A simple manual use case example.

# Run all checks and report only warnings to the screen
rkhunter -c --enable all --disable none --rwo

An example output, truncated.

Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: No hash value found for file '/usr/bin/elinks' in the 'rkhunter.dat' file.
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

The configuration file is /etc/rkhunter.conf. Among other things, this is where exceptions (whitelists) are defined. Once the edits are made, check the configuration for errors with the config-check option. The "C" is capitalized here.

rkhunter -C
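As an added example (not from the original post or the rkhunter project), the POSIX sh script below turns a --rwo report into triage output: it lists the commands reported as replaced by scripts, the files with no stored hash, candidate SCRIPTWHITELIST lines for /etc/rkhunter.conf, and a count per warning type. The report lines it reads are a constructed sample modelled on the warnings above; the function names are hypothetical, and each whitelist line is meant to be reviewed against the package manager before it goes into the config.

```shell
#!/bin/sh
# Added example: triage helpers for 'rkhunter -c --rwo' output (hypothetical, not rkhunter's own code).
# Every function below is a filter that reads the report on stdin.

# Constructed sample report, modelled on the warning formats shown on the page.
sample_rwo() {
  cat <<'EOF'
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: No hash value found for file '/usr/bin/elinks' in the 'rkhunter.dat' file.
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
EOF
}

# Paths of commands rkhunter reports as replaced by a script, one per line.
script_replaced_paths() {
  sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p"
}

# Paths with no entry in rkhunter.dat (cleared by --propupd once the file has been verified).
missing_hash_paths() {
  sed -n "s/^Warning: No hash value found for file '\([^']*\)'.*/\1/p"
}

# Candidate SCRIPTWHITELIST lines for /etc/rkhunter.conf. Review each one first:
# confirm the script belongs to an installed package (rpm -Vf / dpkg -S) before adding it.
scriptwhitelist_lines() {
  script_replaced_paths | sed 's/^/SCRIPTWHITELIST=/'
}

# One-line count per warning type, e.g. "script-replaced=3 missing-hash=1 other=0".
summarize_warnings() {
  awk '
    /^Warning: The command .* has been replaced by a script/ { s++; next }
    /^Warning: No hash value found for file/                 { h++; next }
    /^Warning:/                                              { o++ }
    END { printf "script-replaced=%d missing-hash=%d other=%d\n", s, h, o }'
}

# Stand-alone run against the constructed sample. On a live system pipe in the real
# report instead:  rkhunter -c --enable all --disable none --rwo | scriptwhitelist_lines
sample_rwo | summarize_warnings
sample_rwo | scriptwhitelist_lines
```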

For more help use the man pages with man rkhunter or the built-in help with rkhunter --help.

Source(s)
http://comments.gmane.org/gmane.comp.security.rkhunter.user/2791
https://www.digitalocean.com/community/tutorials/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps
http://www.woktron.com/secure/knowledgebase/79/Installation-Rootkit-Hunter-rkhunter-on-CentOS-5-and-6.html
https://stelfox.net/blog/2014/08/dependency-prelink-issues/