Friday 31 May 2013

Protecting Against Rootkits with RKhunter (Rootkit Hunter)

When operating a Linux server, one of your primary objectives is to run a secure and healthy server. A hacker has several ways to compromise a server. One of these methods is installing a rootkit to gain easy, persistent access to your Linux server. A rootkit is designed to hide malicious processes and files on your server, which allows hackers to connect and use your server for illicit activities such as phishing, botnet control, launching DDoS attacks, etc. Scanning regularly for rootkits is recommended to limit further detrimental activity on the server. There are several rootkit scanners available for download, but today we will focus on rkhunter, short for The Rootkit Hunter project.

Rkhunter is a Unix-based tool designed to scan machines and/or servers for rootkits, backdoors, etc. It does this by running multiple tests which compare the local data (file hashes, file properties, loaded modules, open ports, and so on) with several signature databases. This tool has been designed to be fairly easy to use and can run tests in bulk or separately. The Rootkit Hunter project was initially created by Michael Boelen in 2006 but has since been taken over by a three-person development team.

Rkhunter is a fast, complete and easy to use solution to mitigate rootkit and malware threats. Keep in mind that rkhunter is a passive rootkit scanner (it needs to be scheduled or run manually), which means that it won't detect rootkits on the fly, and it should not be treated as a preventive counter-measure in your security strategy. The Rootkit Hunter project should only be used as a post-incident tool to detect a breach of security that has already occurred. It is recommended to run it often as part of a comprehensive and exhaustive security strategy. Rkhunter needs to be run from a bash shell with root privileges. After each scan, scheduled or not, you will receive a comprehensive and detailed log result.

Rkhunter can be installed within minutes. In the following section, you will be provided with a simple step-by-step tutorial to install rkhunter and then run your first scan. The test has been run from a GloboTech dedicated server located in Canada. Afterward, you will learn how to run custom rootkit scans using this tool.

Download and Install RKHunter

cd /usr/src
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0/
./installer.sh --layout default --install

Update RKHunter's Definition Database

Type "rkhunter --update" to make sure your rkhunter database is up to date.

Run RKHunter for the first time

Type "rkhunter -c --sk" to run rkhunter for the first time. This will launch a manual scan, and adding "--sk" skips the keypress requirement after each section has finished scanning. The "-c" flag (short for --check) runs the actual system checks.

This operation will result in a long log file with a summary of the scan at the end. Here is a sample of this output:

System checks summary
=====================

File properties checks...
Files checked: 137
Suspect files: 0

Rootkit checks...
Rootkits checked: 312
Possible rootkits: 0

Applications checks...
Applications checked: 7
Suspect applications: 0

The system checks took: 33 seconds

All results have been written to the log file (/var/log/rkhunter.log)

This is pretty straightforward to understand. For example, it is reporting that it has scanned your system against 312 known rootkits and has found no existing threat.

Available test options

Rkhunter offers several test options when launching a scan. Here is a list of the most popular test groups and the individual tests each one contains:

additional_rkts => possible_rkt_files possible_rkt_strings
group_accounts => group_changes passwd_changes
local_host => filesystem group_changes passwd_changes startup_malware system_configs
malware => deleted_files hidden_procs other_malware running_procs suspscan
network => hidden_ports packet_cap_apps ports promisc
os_specific => avail_modules loaded_modules
possible_rkts => possible_rkt_files possible_rkt_strings
properties => attributes hashes immutable scripts
rootkits => avail_modules deleted_files hidden_procs known_rkts loaded_modules other_malware possible_rkt_files possible_rkt_strings running_procs suspscan trojans
shared_libs => shared_libs_path
startup_files => startup_malware
system_commands => attributes hashes immutable scripts shared_libs_path strings

You can run a chosen set of tests in a single scan with the --enable option, followed by a comma-separated list of test or group names: rkhunter -c --enable <test>,<test>,...

For example, if you would like to run a scan with the tests "malware, rootkits, additional_rkts, startup_files, other_malware", you would type this command (the -c flag is still required to start the scan): rkhunter -c --enable malware,rootkits,additional_rkts,startup_files,other_malware --sk


Even if you are taking preventive measures to keep your server from being hacked, scanning your server with rkhunter is a good way to know quickly if your server has been compromised. By adding a cron job to automate the scan on a daily basis with the results emailed to you, you can take action immediately when you are notified of a threat.
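The following script is an added example, not code from the original post or from the rkhunter project. It ties together the summary output shown under "Run RKHunter for the first time" and the daily cron job described here: it runs rkhunter non-interactively, parses the summary for non-zero suspect counts or warning lines, and only sends mail when something needs attention. The recipient address, the mail(1) command and the --run argument convention are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the rkhunter project.
# Cron-friendly wrapper: runs rkhunter non-interactively, parses the
# "System checks summary" and mails the output only when a suspect
# count is non-zero, a "[ Warning ]" line appears, or rkhunter exits
# non-zero. Assumptions: rkhunter and mail(1) are on PATH; the
# recipient address is a placeholder; cron invokes this with --run.

ADMIN_MAIL="${ADMIN_MAIL:-root@localhost}"   # assumed recipient, adjust

# summary_needs_attention TEXT
# Returns 0 when TEXT contains a non-zero "Suspect files", "Possible
# rootkits" or "Suspect applications" count or any "[ Warning ]" line;
# returns 1 when the run looks clean.
summary_needs_attention() {
    printf '%s\n' "$1" | awk '
        /^(Suspect files|Possible rootkits|Suspect applications):/ {
            if ($NF + 0 > 0) found = 1
        }
        /\[ Warning \]/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# run_scan: the daily job. --cronjob implies --check, --nocolors and
# --skip-keypress. The signature database is refreshed first. --propupd
# is deliberately NOT run unattended: it would bless whatever is on disk.
run_scan() {
    rkhunter --update --nocolors >/dev/null 2>&1
    out=$(rkhunter --cronjob 2>&1); rc=$?
    if [ "$rc" -ne 0 ] || summary_needs_attention "$out"; then
        printf '%s\n' "$out" | mail -s "rkhunter: check $(uname -n)" "$ADMIN_MAIL"
        return 1
    fi
    return 0
}

# Constructed samples: the clean summary from the post, and one with a hit.
CLEAN_SAMPLE='Files checked: 137
Suspect files: 0
Rootkits checked: 312
Possible rootkits: 0
Suspect applications: 0'
DIRTY_SAMPLE='Suspect files: 0
Possible rootkits: 1
Suspect applications: 0'

# Assumed cron entry: 0 3 * * * /usr/local/sbin/rkhunter-daily.sh --run
if [ "${1:-}" = "--run" ]; then run_scan; fi
```

Because rkhunter's own exit status is also checked, a warning that never reaches the summary counts (for example a changed file property) still triggers the mail.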

For further information, please refer to the homepage of The Rootkit Hunter project at the following address: http://sourceforge.net/apps/trac/rkhunter/wiki/MPRKH#Contents
