Easy Rootkit hunter installation in RHEL/CentOS and Fedora linux

Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in an online database, as well as:

  • MD5 hash compare
  • Look for default files used by rootkits
  • Wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files
In this article we will show you how to install Rootkit Hunter (rkhunter) on RHEL/CentOS 5.9/6.0/6.1/6.2/6.3/6.4/6.5 and Fedora 16/17/18/19/20 Linux, with example usage.

Install Rootkit Hunter on RHEL/CentOS and Fedora

To install rkhunter on Fedora 16/17/18/19/20, enter the following command:

# yum install rkhunter -y

To install rkhunter on RHEL/CentOS 6.1/6.2/6.3/6.4/6.5, first install the RpmForge repository on your system and then use the yum command:

# yum install rkhunter -y

Rootkit Hunter update

Run the rkhunter updater, then refresh the file properties database, by issuing the following commands.

# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd

Rootkit Hunter manual scan

You can initiate a manual scan by issuing the following command:

# sudo rkhunter -c

Once started, rkhunter runs a series of tests:

  • Compare SHA-1 hashes of system binaries against known good values maintained in the database.
  • Check for known rootkit files and directories, as well as rootkit strings.
  • Perform malware detection, including checking for login backdoors, sniffer log files, and other suspicious directories.
  • Perform trojan specific checks such as examining enabled xinetd services.
  • Perform checks on network ports and interfaces.
  • Perform system boot checks.
  • Perform group and account checks.
  • Perform system configuration file checks.
  • Perform filesystem checks.

Once scanning is completed, rkhunter stores the result in /var/log/rkhunter.log. You can check for any warnings as follows.

# sudo grep Warning /var/log/rkhunter.log

For more information and options, run the following command.

# rkhunter --help
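The update, scan and log-check steps above wrapped in a script, as an added example that is not from the original article: it runs the scan non-interactively, treats --propupd as an explicit re-baseline step, and parses the "Warning:" lines rkhunter writes to /var/log/rkhunter.log. Function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: a cron-friendly wrapper for
# the update/scan/grep steps above and a parser for the "Warning:" lines that
# rkhunter writes to its log. Function names and the sample log are constructed.

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"

# Print each distinct warning message from an rkhunter log with the
# "[HH:MM:SS] " timestamp stripped, so a repeated finding is reported once.
rkhunter_warnings() {
    sed -n 's/^\[[0-9:]*] *Warning: //p' "$1" | sort -u
}

# Number of distinct warnings (printed, so scripts and tests can read it).
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Run the article's update and scan steps non-interactively and exit non-zero
# when the log contains warnings. --propupd records the CURRENT file
# properties as the trusted baseline, so it only runs when explicitly asked:
# re-baselining a host you have not verified would silently accept any
# already-modified binaries as good.
rkhunter_scan() {
    bin=$(command -v rkhunter) || { echo "rkhunter is not installed" >&2; return 2; }
    "$bin" --update
    [ "$1" = "--rebaseline" ] && "$bin" --propupd
    "$bin" --check --skip-keypress --report-warnings-only
    n=$(rkhunter_warning_count "$RKHUNTER_LOG")
    echo "$n distinct warning(s) recorded in $RKHUNTER_LOG"
    [ "$n" -eq 0 ]
}

# Constructed sample log (shape modelled on rkhunter output) for offline use.
write_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
[10:15:01] Info: Start date is Mon Mar  3 10:15:01 2014
[10:15:02] Checking for prerequisites                       [ Warning ]
[10:15:02] Warning: The file properties have changed: File: /usr/bin/ls
[10:15:02]          Current hash: 0000000000000000000000000000000000000000
[10:15:03] Warning: Hidden file found: /etc/.constructed_example: ASCII text
[10:15:04] Warning: Hidden file found: /etc/.constructed_example: ASCII text
[10:15:05] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
EOF
    echo "$f"
}
```

Call rkhunter_scan from cron (add --rebaseline only after a deliberate package update on a host you trust) and alert on a non-zero exit.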
