Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files against known good values in an online database, as well as by:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
In this article we will show you how to install Rootkit Hunter (rkhunter) on RHEL/CentOS 5.9/6.0/6.1/6.2/6.3/6.4/6.5 and Fedora 16/17/18/19/20 Linux, with example usage.
Install Rootkit Hunter on RHEL/CentOS and Fedora
To install rkhunter on Fedora 16/17/18/19/20, enter the following command:
# yum install rkhunter -y
To install rkhunter on RHEL/CentOS 6.1/6.2/6.3/6.4/6.5, first install the RPMforge repository on your system and then use the yum command:
# yum install rkhunter -y
Rootkit Hunter update
Run the rkhunter updater by issuing the following commands:
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
Rootkit Hunter manual scan
You can initiate a manual scan by issuing the following command:
# sudo rkhunter -c
Once started, rkhunter runs a series of tests:
- Compare SHA-1 hashes of system binaries against known good values maintained in the database.
- Check for known rootkit files and directories, as well as rootkit strings.
- Perform malware detection, including checking for login backdoors, sniffer log files, and other suspicious directories.
- Perform trojan specific checks such as examining enabled xinetd services.
- Perform checks on network ports and interfaces.
- Perform system boot checks.
- Perform group and account checks.
- Perform system configuration file checks.
- Perform filesystem checks.
Once the scan completes, rkhunter writes its results to /var/log/rkhunter.log. You can check for any warnings as follows:
# sudo grep Warning /var/log/rkhunter.log
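Building on the grep above, here is an added example (not from the original article) that summarises the "Warning:" lines in rkhunter.log with the timestamps stripped and returns a non-zero exit status when any are present, so the check can gate a cron job or alert. The log lines are constructed to resemble rkhunter's output, not captured from a real scan; the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise rkhunter warnings and fail when any are found.

# Count only: print the number of "Warning:" lines in the given log.
rkhunter_warning_count() {
    grep -c 'Warning:' "$1" || true
}

# Print each "Warning:" line without its "[HH:MM:SS] " prefix, then a total.
# Returns 0 when there are no warnings, 1 when there are, 2 if unreadable.
rkhunter_warnings() {
    log="${1:-/var/log/rkhunter.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # Check-result lines end in "[ Warning ]"; the explanatory lines start
    # with "Warning:" after the timestamp, and those are the ones we report.
    sed -n 's/^\[[0-9:]*\] *//; /^Warning:/p' "$log"
    n=$(rkhunter_warning_count "$log")
    echo "total warnings: $n"
    [ "$n" -eq 0 ]
}

# Constructed sample log (not from a real system) so the script runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:01] Info: Starting test name 'filesystem'
[10:15:01]   Checking /dev for suspicious file types         [ Warning ]
[10:15:01] Warning: Suspicious file types found in /dev:
[10:15:01]          /dev/shm/example.so: ELF 64-bit LSB shared object
[10:15:02]   Checking for hidden files and directories       [ Warning ]
[10:15:02] Warning: Hidden directory found: /etc/.hidden
[10:15:03] Info: Starting test name 'system_configs'
[10:15:03]   Checking if SSH root access is allowed          [ OK ]
EOF

# Exit status 1 here because the sample log carries two warnings.
rkhunter_warnings "$SAMPLE_LOG" || echo "warnings present (exit $?)"
```

Warnings for binaries that a legitimate yum update just replaced are expected; only then, and only on a system you trust, rerun rkhunter --propupd, because it records the current file properties as the new baseline.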
For more information and options, run the following command:
# rkhunter --help