Sunday, October 2, 2022

How to Install and Configure Rootkit hunter in Linux

In this article, we show you how to install and configure Rootkit hunter (rkhunter) in Linux.

Rootkit hunter (rkhunter) is an open-source scanner for Linux and Unix-like systems, released under the GPL, that checks the system for rootkits, backdoors, and local exploits.

It looks for hidden files, wrong permissions on system binaries, suspicious strings in the kernel, and similar signs of compromise.


Here you can start installing Rootkit hunter on your Linux system.

This part covers the installation on RPM-based distributions (CentOS, RHEL, AlmaLinux, etc.) and on DEB-based distributions (Debian, Ubuntu, etc.).

The commands below are run as root; if you are a non-root user, make sure you have sudo privileges.

Install and Configure Rootkit hunter on AlmaLinux / CentOS / RHEL

First, you need the latest version of the Rootkit hunter tarball from the Rootkit hunter project page on SourceForge.

Copy the link address of the tarball and use it in the following command:

cd /tmp
wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz/download -O rkhunter-1.4.6.tar.gz

Note: If you don't have the wget tool, install it first on your server with one of the following commands:

dnf install wget
or
yum install wget

After this, execute the wget command above to download the latest version of Rootkit hunter.

When the download is finished, run the following commands to extract the archive and install Rootkit hunter:

tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --layout default --install

In your output, you should see:

Output
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr/local": it exists and is writable.
Checking installation directories:
Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
Directory /usr/local/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
...
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete

After the installation, you need to update the rkhunter data files.

Update Rootkit hunter

Use the rkhunter updater to fetch the latest data files (mirror list, known-bad programs, backdoor ports, and so on).

Run the command below:

/usr/local/bin/rkhunter --update
Output
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ Updated ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]

Then create the file properties database, which records the hashes and attributes of the system binaries that later scans are compared against:

/usr/local/bin/rkhunter --propupd
Output
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 129, missing hashes 1

At this point, you can set up a cron job and email alerts for Rootkit hunter.

Create a file named rkhunter.sh under the /etc/cron.daily/ directory.

It will scan your file system every day and send an email notification to your address. You can use your favorite text editor to create the file; here we use vi:

vi /etc/cron.daily/rkhunter.sh

Then add the following lines to the file. Remember to replace the server name and email address with yours.

#!/bin/sh
# Daily rkhunter run: check for a newer release, refresh the data files,
# then scan and mail the warnings to the address below.
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (your-server-name)' olivia@orcacore.com

Now set execute permissions on the file with the following command:

chmod 755 /etc/cron.daily/rkhunter.sh

Install and Configure Rootkit hunter on Debian/Ubuntu

To install Rootkit hunter on Debian/Ubuntu distributions, follow these instructions.

First, update the APT package index with the following command:

apt update

Then install Rootkit hunter with the following command:

apt install rkhunter

Now edit the Rootkit hunter configuration file. Run the command below to open it (you can use your favorite editor):

vi /etc/rkhunter.conf

Make sure the following lines are set as shown:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
ALLOW_SSH_PROT_V1=0

Next, enable the cron jobs. Run the following command to open the Rootkit hunter defaults file:

vi /etc/default/rkhunter

Set the following lines to these:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

You can check your configuration with:

rkhunter -C
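rkhunter -C only validates the configuration file; it does not tell you whether the specific values the article asks for are in place. The following script is an added example (mine, not from the article or the rkhunter project) that compares a configuration file against those expected settings and returns a non-zero status on any mismatch, so it can be dropped into a configuration-management check. The option names are the ones quoted above; the sample file in demo_bad_conf is constructed, not a real rkhunter.conf.

```shell
#!/bin/sh
# Added example (not part of the original article or of the rkhunter project):
# check that a configuration file actually carries the settings the article
# asks for. "rkhunter -C" validates the file; this compares specific values.

# Settings quoted in the article, one KEY=VALUE per line. Values are compared
# as literal text, so the quotes in /etc/default/rkhunter must match too.
EXPECTED_CONF='UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
ALLOW_SSH_PROT_V1=0'

EXPECTED_DEFAULT='CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"'

# check_settings FILE EXPECTED
# Prints one line per expected key that is not set (or only commented out)
# or that carries another value; returns 0 only when every key matches.
# The last uncommented assignment of a key is the one compared.
check_settings() {
    file=$1
    expected=$2
    status=0
    old_ifs=$IFS
    IFS='
'
    for entry in $expected; do
        key=${entry%%=*}
        want=${entry#*=}
        if ! grep -qE "^[[:space:]]*${key}=" "$file"; then
            printf '%s: not set (want %s)\n' "$key" "$want"
            status=1
            continue
        fi
        # Strip leading blanks, the "KEY=" part and trailing blanks.
        have=$(grep -E "^[[:space:]]*${key}=" "$file" | tail -n 1 \
               | sed -e 's/^[[:space:]]*//' -e "s/^${key}=//" \
                     -e 's/[[:space:]]*$//')
        if [ "$have" != "$want" ]; then
            printf '%s: is %s, want %s\n' "$key" "$have" "$want"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# Demo on a constructed sample (not a real rkhunter.conf): one key is only
# commented out and one has the wrong value, so two findings are printed.
demo_bad_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
UPDATE_MIRRORS=1
#MIRRORS_MODE=0
WEB_CMD=""
ALLOW_SSH_PROT_V1=1
EOF
    if check_settings "$tmp" "$EXPECTED_CONF"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

demo_bad_conf
```

On a real system, call check_settings /etc/rkhunter.conf "$EXPECTED_CONF" and check_settings /etc/default/rkhunter "$EXPECTED_DEFAULT" and act on the exit status. Note that rkhunter.conf allows some options to be given more than once; this check only looks at the last assignment of each key, which is enough for the single-valued options listed here.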

To fetch the latest Rootkit hunter data files, run the following command:

rkhunter --update

Then check that your version is up to date with:

rkhunter --versioncheck
Output
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter version...
This version : 1.4.6
Latest version: 1.4.6

Now run the command below to update the rkhunter database of stored file properties with the current values of your system binaries:

rkhunter --propupd

The next section shows how Rootkit hunter works in Linux.

How to Use Rootkit hunter

Run the following command to scan the entire file system:

rkhunter --check

When you run the command, you will see output similar to this:

...
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ OK ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/ed [ OK ]
/usr/bin/egrep [ Warning ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ Warning ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
...
[Press <ENTER> to continue]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
[Press <ENTER> to continue]
Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
....
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
...
Checking kernel module names [ OK ]
[Press <ENTER> to continue]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
...
Checking for an SSH configuration file [ Found ]
[Press <ENTER> to continue]

System checks summary
=====================
File properties checks...
Files checked: 129
Suspect files: 6

Rootkit checks...
Rootkits checked : 380
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 2 minutes and 21 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The above command writes the check results to a log file at /var/log/rkhunter.log.

To view it, run the following command:

cat /var/log/rkhunter.log
Output
....
[05:41:44] System checks summary
[05:41:44] =====================
[05:41:44]
[05:41:44] File properties checks...
[05:41:44] Files checked: 129
[05:41:44] Suspect files: 6
[05:41:44]
[05:41:44] Rootkit checks...
[05:41:44] Rootkits checked : 380
[05:41:44] Possible rootkits: 0
[05:41:44]
[05:41:44] Applications checks...
[05:41:44] All checks skipped
[05:41:44]
[05:41:44] The system checks took: 2 minutes and 21 seconds
[05:41:44]
[05:41:44] Info: End date is Wed Sep 8 05:41:44 EDT 2021
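The cron script shown earlier mails a report every day, whether or not the scan found anything. The following script is an added example (mine, not from the article or the rkhunter project) that parses the "System checks summary" block of the log shown above and decides whether a run needs attention; the daily_run wrapper then mails only in that case. It assumes the log path /var/log/rkhunter.log and the binary location /usr/local/bin/rkhunter from the article, plus a MAILTO recipient of your choosing; the log excerpt in demo_log is constructed from the values in the article's output.

```shell
#!/bin/sh
# Added example, not from the original article or the rkhunter project:
# read the "System checks summary" of an rkhunter log and decide whether
# the daily cron run should send mail. The sample log below is constructed.

LOG=${RKHUNTER_LOG:-/var/log/rkhunter.log}    # log path quoted in the article
MAILTO=${RKHUNTER_MAILTO:-root}               # assumed recipient; adjust

# summary_value LOGFILE LABEL
# Prints the number after "LABEL:" from the summary (the last occurrence
# wins, so a log holding several runs yields the latest one), or "unknown"
# when the label is absent. Works on both the console layout
# ("Suspect files: 6") and the log file layout ("[05:41:44] Suspect files: 6").
summary_value() {
    awk -v label="$2" '
        {
            line = $0
            sub(/^\[[0-9:]+\] */, "", line)     # drop the [HH:MM:SS] prefix
            if (index(line, label) != 1) next
            rest = substr(line, length(label) + 1)
            if (rest !~ /^ *: *[0-9]+/) next
            sub(/^ *: */, "", rest)
            match(rest, /^[0-9]+/)
            val = substr(rest, 1, RLENGTH)
            found = 1
        }
        END { print (found ? val : "unknown") }
    ' "$1"
}

# needs_attention LOGFILE
# Returns 0 (true) and prints the reason when the run reported possible
# rootkits or suspect files, or when the summary is missing (a scan that
# was killed half-way is itself worth a look). Returns 1 when clean.
needs_attention() {
    file=$1
    suspect=$(summary_value "$file" "Suspect files")
    rootkits=$(summary_value "$file" "Possible rootkits")
    warnings=$(grep -cE 'Warning:|\[ Warning \]' "$file" || :)
    if [ "$suspect" = unknown ] || [ "$rootkits" = unknown ]; then
        echo "summary incomplete: the scan may not have finished"
        return 0
    fi
    if [ "$rootkits" -gt 0 ] || [ "$suspect" -gt 0 ]; then
        echo "possible rootkits: $rootkits, suspect files: $suspect, warning lines: $warnings"
        return 0
    fi
    echo "clean: no suspect files or possible rootkits"
    return 1
}

# daily_run: the article's cron script, but mailing only when rkhunter
# exits non-zero or the log needs attention. Not called here; use from cron.
daily_run() {
    report=$(
        /usr/local/bin/rkhunter --versioncheck
        /usr/local/bin/rkhunter --update
        /usr/local/bin/rkhunter --cronjob --report-warnings-only
    )
    rc=$?
    if [ "$rc" -ne 0 ] || needs_attention "$LOG"; then
        printf '%s\n' "$report" | /bin/mail -s "rkhunter daily run ($(hostname))" "$MAILTO"
    fi
}

# demo_log: writes a constructed log excerpt (values taken from the article's
# output above) to a temp file and prints its path.
demo_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[05:41:40] Warning: The file properties have changed:
[05:41:40]          File: /usr/bin/egrep
[05:41:44] System checks summary
[05:41:44] =====================
[05:41:44] Files checked: 129
[05:41:44] Suspect files: 6
[05:41:44] Rootkits checked : 380
[05:41:44] Possible rootkits: 0
EOF
    printf '%s\n' "$tmp"
}

sample=$(demo_log)
if needs_attention "$sample"; then echo "-> mail the report"; else echo "-> nothing to send"; fi
rm -f "$sample"
```

Mailing only on findings keeps the inbox quiet, but it also means a cron job that silently stops running is never noticed; if you prefer the daily mail as a heartbeat, keep the article's script and use needs_attention only to change the subject line.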

For more information about the Rootkit hunter options, use the following command:

rkhunter --help

Conclusion

At this point, you have learned what rkhunter is and how to install and configure Rootkit hunter in Linux.

As you can see, you can use Rootkit hunter on all major Linux distributions such as AlmaLinux, CentOS 7, Ubuntu 18.04, Debian 10, and others.

Hope you enjoy it.

May this article about how to install and configure Rootkit hunter in Linux be useful for you.
