Monday, November 29, 2004
[Security]Search for rootkits with Rootkit Hunter
Search for rootkits with Rootkit Hunter
Until fairly recently, the tool to use for detecting malware on Linux systems was the chkrootkit tool. However, a newer tool with several more available tests and a friendlier interface is now available: Rootkit Hunter (rkhunter).
This tool is available for download from the rootkit Web site. Installation is extremely straight-forward; rkhunter only consists of Perl and shell scripts. After you've downloaded and unpacked the latest version, simply run the installer.sh script to install the program.
In its most basic form, rkhunter scans your system for any signs of malware. In addition, it performs other scans on your system, such as checking for differences between a cached copy of the passwd and group files, checking the sshd_config file to see if root logins are permissible, and so forth.
Every version adds checks for new malware, so keeping up with rkhunter releases is important. Be sure to regularly check the rootkit Web site.
To perform an interactive report, run rkhunter as shown below:
# rkhunter -c
This displays each test that rkhunter performs, pausing occasionally for you to press [Enter]. This ensures that you can see the entire report without scrolling back too far.
You can also perform a simple summary report that allows for viewing the results of rkhunter's work. Here's an example:
# rkhunter -c --report-mode
If you're only interested in the summary, you can place this code in a cron job. If you prefer to have a full report, execute the following:
# rkhunter -c --cronjob
This prevents the display of colors, which may cause the e-mails sent via cron to look a little off. All in all, rkhunter is easy to use and a definite must for anyone running Linux.
Until fairly recently, the tool to use for detecting malware on Linux systems was the chkrootkit tool. However, a newer tool with several more available tests and a friendlier interface is now available: Rootkit Hunter (rkhunter).
This tool is available for download from the rootkit Web site. Installation is extremely straight-forward; rkhunter only consists of Perl and shell scripts. After you've downloaded and unpacked the latest version, simply run the installer.sh script to install the program.
In its most basic form, rkhunter scans your system for any signs of malware. In addition, it performs other scans on your system, such as checking for differences between a cached copy of the passwd and group files, checking the sshd_config file to see if root logins are permissible, and so forth.
Every version adds checks for new malware, so keeping up with rkhunter releases is important. Be sure to regularly check the rootkit Web site.
To perform an interactive report, run rkhunter as shown below:
# rkhunter -c
This displays each test that rkhunter performs, pausing occasionally for you to press [Enter]. This ensures that you can see the entire report without scrolling back too far.
You can also perform a simple summary report that allows for viewing the results of rkhunter's work. Here's an example:
# rkhunter -c --report-mode
If you're only interested in the summary, you can place this code in a cron job. If you prefer to have a full report, execute the following:
# rkhunter -c --cronjob
This prevents the display of colors, which may cause the e-mails sent via cron to look a little off. All in all, rkhunter is easy to use and a definite must for anyone running Linux.