TechRepublic : A ZDNet Tech Community

Linux and Open Source

Host: Jack Wallen

It’s usually op-ed here, but I ran across a story the other day about a new proof-of-concept rootkit (Hackers Find a New Place to Hide Rootkits) and thought I’d highlight an application I generally use to inspect systems for rootkits: rkhunter. This tool claims to keep you 99.9% free from rootkits by running tests such as:

  • MD5 hash compare
  • Rootkit default file search
  • Inconsistent binary file permissions
  • LKM and KLD suspected string search
  • Hidden file search
  • Optional scan within plaintext and binary files

And even though it’s 0.1% inaccurate (as the developers claim), it’s still a smart move to install this application on any machine that lives online, especially production-level machines.

Installing

Installation is simple. On an Ubuntu distribution, issue the command sudo apt-get install rkhunter, enter your sudo password, and you’re good to go. On a Fedora-based distribution, issue the command yum install rkhunter (as root) and you’re good to go.

Running rkhunter
rkhunter needs root privileges, so run it either as root or through sudo: rkhunter -c as root, or sudo rkhunter -c, to do an initial check for rootkits.

As rkhunter completes each section of checks you will have to hit Enter to continue. But don’t worry, it won’t time out: you can walk away and come back to hit Enter, although the checks are pretty speedy.

Now don’t assume that once you have run rkhunter you are safe and do not need to run it again. In fact, I would suggest doing two things. First, create a cron job that runs a daily rkhunter --update to ensure that rkhunter has the latest “definition files” for rootkits; this requires that wget be installed on the machine. Second, schedule the scan itself as a cron job using the --cronjob flag, which removes the need for interaction (no more hitting Enter between sections).


Configuration and log files
The configuration file for rkhunter is /etc/rkhunter.conf. I would suggest you sift through it and make any changes your system needs. In particular (and especially if you are running it as a cron job), you’ll want to set an e-mail address so that scan results are sent to you.

By default the log file is /var/log/rkhunter.log; you can change this in the rkhunter configuration file. The log contains a lot of valuable information about the scans, and it will also tell you when new updates have been applied.
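To tie the cron-job advice and the log-file section together, here is a small wrapper script I am adding as an example; it is not from the original post or from the rkhunter project. It runs the daily --update, then the non-interactive --cronjob scan, and finally counts the Warning: lines in the log so a non-zero exit (and cron’s mail) tells you something needs a look. The path /usr/bin/rkhunter, the script name rkhunter-cron.sh, the flags --nocolors and --report-warnings-only, and the sample log lines are my assumptions, not taken from the post.

```shell
#!/bin/sh
# rkhunter-cron.sh: added example, not from the original post or the rkhunter
# project. Wraps the daily --update and the --cronjob scan, then summarises
# the log.
# Assumptions (not from the post): rkhunter lives at /usr/bin/rkhunter, the
# flags --nocolors and --report-warnings-only exist in your rkhunter build,
# and the mail address is already set in /etc/rkhunter.conf.
#
# Constructed /etc/cron.d entry that calls this script at 03:00 every day:
#   0 3 * * * root /usr/local/sbin/rkhunter-cron.sh run

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
LOGFILE="${LOGFILE:-/var/log/rkhunter.log}"

# Print the command instead of running it when DRY_RUN=1, so the wrapper can
# be exercised without touching the system.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refresh the rootkit definition files. --update downloads them, which is
# why wget has to be installed.
update_cmd() {
    run "$RKHUNTER" --update --nocolors
}

# Run the scan non-interactively. --cronjob drops the "press Enter" prompts;
# --report-warnings-only keeps the mailed report short.
scan_cmd() {
    run "$RKHUNTER" --cronjob --report-warnings-only
}

# Verify the prerequisites for an unattended run. Returns non-zero with a
# message on stderr so cron mails you the reason instead of failing silently.
check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "rkhunter needs root" >&2; return 1; }
    command -v wget >/dev/null 2>&1 || { echo "wget missing; --update would fail" >&2; return 2; }
    [ -x "$RKHUNTER" ] || { echo "rkhunter not found at $RKHUNTER" >&2; return 3; }
}

# Count "Warning:" lines in an rkhunter log; prints 0 if the log is unreadable.
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
warning_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Warning:' "$1" || true
}

main() {
    check_prereqs || exit $?
    update_cmd
    scan_cmd
    n=$(warning_count "$LOGFILE")
    echo "rkhunter finished; $n warning line(s) in $LOGFILE"
    # Exit non-zero when warnings were logged so cron treats the job as failed.
    [ "$n" -eq 0 ]
}

# Only run the full job when invoked as "rkhunter-cron.sh run"; sourcing the
# file merely defines the functions.
case "${1:-}" in run) main ;; esac
```

Install it as root, mark it executable, and add the cron.d line shown in the header comment. Because check_prereqs runs first, a box where wget was never installed produces a clear mail from cron rather than a silently stale definition set.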

Final thoughts
Just because you’re using Linux as either your server or your desktop, don’t assume you are bombproof. Even though you are closer to computing nirvana than you may have been before, you are still not immune to everything. Making sure your Linux machines have not fallen victim to a rootkit can mean the difference between having secure data and having total data loss.

Take the time to install rkhunter on every Linux machine you have. Set up the cron job so rkhunter is issued regularly. The peace of mind this simple application brings is worth every second you put into the installation.

Jack Wallen was a key player in the introduction of Linux to the original Techrepublic. Beginning with Red Hat 4.2 and a mighty soap box, Jack had found his escape from Windows. It was around Red Hat 6.0 that Jack landed in the hallowed halls of Techrepublic. Read his full bio and profile.
