What is a Rootkit?
Rootkits are a particularly dangerous class of malware. Once installed they can listen for commands from their operators, steal sensitive data and send it out, or provide a persistent backdoor for easy re-entry. They are designed to be stealthy, hiding themselves from ordinary inspection.
Sometimes they replace utilities such as ps with Trojaned versions that show every file or process on the system except the ones associated with the rootkit. Rootkits can infect any operating system, including our beloved Linux.
Planting a rootkit requires that the attacker has already gained administrative (root) privileges on the system: a rootkit is a way of keeping and hiding that access, not a way of obtaining it.
Rootkits can be divided into two basic types:
- Traditionally, rootkits replaced binaries such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof or ps with Trojaned versions. These Trojaned versions are written to hide certain processes, files or network connections from the administrator, and they can be caught by comparing the installed binaries against a trusted baseline.
- The second type of rootkit is the loadable kernel module (LKM) rootkit. A kernel rootkit is loaded as a driver or kernel extension and alters the kernel itself, so every user-space tool, modified or not, is shown a filtered view of the system.
Both types can be a real problem. If you suspect that a computer has been infected with a rootkit, run a rootkit checker on it to scan for known rootkits and to verify that the system binaries have not been altered. Keep in mind that a kernel rootkit can lie to the scanner as well, so a clean result is evidence rather than proof; for a definitive answer, compare against a scan made from trusted boot media or against hashes from a known-good host.
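As an added example (not part of the original article and not rkhunter code), the following shell script cross-checks the "Trojaned ps" case described above: a user-space rootkit that patches ps can drop a process from ps output, but that process still has a /proc/<pid> directory, so any PID present in /proc but missing from ps deserves a closer look. The list-comparison logic is separated from the live data gathering so it can be exercised on constructed input; the file name hidden-pids.sh used in the final line is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article or from rkhunter.
# A quick cross-check for a Trojaned ps: PIDs visible in /proc but absent
# from ps output. A kernel rootkit can filter /proc as well, so an empty
# result is not proof that the system is clean.

# hidden_pids PROC_LIST PS_LIST
# Both arguments are newline-separated PID lists. Prints the PIDs that are
# in the first list but missing from the second, sorted numerically.
hidden_pids() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } |
    awk '$0 == "--"             { second = 1; next }
         !second && /^[0-9]+$/ { seen[$0] = 1; next }
         second  && /^[0-9]+$/ { delete seen[$0] }
         END { for (p in seen) print p }' | sort -n
}

# Gather both views from the live system. ls and ps themselves show up
# briefly, and a process that exits between the two snapshots also looks
# "hidden", so treat a hit as a candidate and re-run before concluding.
live_hidden_pids() {
    proc_pids="$(ls /proc | grep -E '^[0-9]+$')"
    ps_pids="$(ps -eo pid= | tr -d ' ')"
    hidden_pids "$proc_pids" "$ps_pids"
}

# Report on the live system only when run directly as hidden-pids.sh
# (assumed file name), so the functions can be sourced without side effects.
case "${0##*/}" in hidden-pids.sh) live_hidden_pids ;; esac
```

A PID that shows up repeatedly across several runs is the interesting one; inspect /proc/<pid>/exe, /proc/<pid>/cmdline and /proc/<pid>/status from a shell you trust, ideally using binaries copied from clean media.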
What Is Rkhunter?
Rkhunter (Rootkit Hunter) is an open source scanner for Unix-like systems, released under the GPL, that checks a host for backdoors, rootkits and local exploits.
It looks for hidden files and directories, wrong permissions on system binaries, suspicious strings in the kernel, file names used by known rootkits, and changes to the properties (hashes, sizes, permissions) of the system files it keeps a baseline for.
Install Rootkit Hunter in Linux Systems
- First download the latest stable version of the Rkhunter tarball from the project's download page and verify its checksum against the one the project publishes before unpacking it.
- Once you have downloaded it, run the following commands as root to install it. The default layout places the binary in /usr/local/bin and the configuration file at /etc/rkhunter.conf.
# tar -xvf rkhunter-1.4.6.tar.gz
# cd rkhunter-1.4.6
# ./installer.sh --layout default --install
- Run the updater to fetch the current data files (known rootkit signatures and the like), then fill the file properties database. The --propupd command records the current hashes, sizes and permissions of the monitored system files as the trusted baseline, so run it only on a system you trust, ideally right after a clean install and again after legitimate package updates; running it on a compromised machine bakes the attacker's modified binaries into the baseline.
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
Setting Cronjob and Email Alerts
- Create a file called rkhunter.sh under /etc/cron.daily/ so that the scan runs every day and the report is sent to your email address. Create the file with your favourite editor.
# vi /etc/cron.daily/rkhunter.sh
- Add the following lines to it, replacing "YourServerNameHere" with your server's name and "email@example.com" with your email address. This relies on /bin/mail existing (on most distributions it comes from the mailx or bsd-mailx package) and on local mail delivery being configured.
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (YourServerNameHere)' email@example.com
- Set execute permission on the file.
# chmod 755 /etc/cron.daily/rkhunter.sh
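The script above mails a report every day whether or not anything was found, which trains people to ignore it. As an added example (not from the original article or the rkhunter project), the following wrapper mails only when rkhunter exits non-zero or its warnings-only report contains at least one Warning line, and writes a one-line summary to syslog so a quiet day still leaves a trace. It assumes the default install layout, a working local mail(1) and logger(1), and that the file is saved as /etc/cron.daily/rkhunter.sh; MAILTO and RKHUNTER can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original article or from rkhunter.
# Daily wrapper: mail only on warnings or failure, always log a summary.
RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
MAILTO="${MAILTO:-root}"   # assumption: local delivery to root is set up
HOST="$(hostname -f 2>/dev/null || hostname)"

# Refresh the data files, then run the check in cron mode so that only
# warnings reach stdout. --update exits 2 when files were updated, which
# is not an error; --cronjob exits 1 when any warning was found.
run_check() {
    "$RKHUNTER" --update >/dev/null 2>&1 || :
    "$RKHUNTER" --cronjob --report-warnings-only
}

# Count "Warning:" lines in the report file $1; prints 0 for an empty file.
count_warnings() {
    grep -c '^Warning:' "$1" 2>/dev/null || :
}

# should_notify EXIT_STATUS WARNING_COUNT: true when a mail is warranted.
should_notify() {
    [ "${1:-1}" -ne 0 ] || [ "${2:-0}" -gt 0 ]
}

main() {
    report="$(mktemp)" || exit 1
    trap 'rm -f "$report"' EXIT
    run_check >"$report" 2>&1
    status=$?
    n="$(count_warnings "$report")"
    n="${n:-0}"
    if should_notify "$status" "$n"; then
        mail -s "rkhunter: $n warning(s), exit $status on $HOST" "$MAILTO" <"$report"
    fi
    logger -t rkhunter "daily check exit=$status warnings=$n"
}

# Run only when executed as the cron script itself (assumed file name), so
# the functions can be sourced elsewhere without starting a scan.
case "${0##*/}" in rkhunter.sh) main ;; esac
```

Because cron.daily scripts run from run-parts, the file must be executable and its name must not contain a dot on some distributions (Debian's run-parts skips names such as rkhunter.sh unless invoked with --regex); check with "run-parts --test /etc/cron.daily" that the script is actually listed.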
Manual Scan and Usage
To scan the entire system, run Rkhunter as root. By default it pauses for a keypress after each group of checks; add --sk (skip keypress) to run straight through. The full log is written to /var/log/rkhunter.log, and the exit status is 0 when no warnings were found and 1 otherwise, which makes the check easy to script.
# rkhunter --check
Whitelist Known Script Files
Open /etc/rkhunter.conf in your favourite editor and add a SCRIPTWHITELIST entry for each command that is legitimately a script rather than a compiled binary; rkhunter warns when a command it expects to be a binary turns out to be a script, which is how some rootkits replace tools. Only whitelist a path after you have confirmed the file is genuine (for example that it belongs to an installed package), because the entry silences that alert permanently:
SCRIPTWHITELIST=/path/to/the/script
Whitelist Known Files and Directories
Open /etc/rkhunter.conf in your favourite editor and add the following parameters, using absolute paths. Each option may be given more than once, one path per line. After editing, run rkhunter -C to check the configuration for errors and then rkhunter --check to confirm the warning is gone:
ALLOWDEVFILE=/path/to/the/file
ALLOWHIDDENFILE=/path/to/the/file
ALLOWHIDDENDIR=/path/to/the/directory
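As an added example covering both whitelist sections above (not from the original article or the rkhunter project), this script appends whitelist entries to rkhunter.conf without duplicating lines and rejects unknown option names and relative paths, the two mistakes that most often leave a warning in place. It also does a best-effort check of whether a package owns the path, via dpkg or rpm when one is present, so that an alert is not silenced for a file nobody can vouch for. The conf path can be overridden with RKHUNTER_CONF (an assumed environment variable, not an rkhunter setting).

```shell
#!/bin/sh
# Added example, not from the original article or from rkhunter.
# Idempotent, validated whitelist additions for rkhunter.conf.
CONF="${RKHUNTER_CONF:-/etc/rkhunter.conf}"   # assumed override variable

# The four whitelist options covered in the text.
valid_kind() {
    case "$1" in
        SCRIPTWHITELIST|ALLOWDEVFILE|ALLOWHIDDENFILE|ALLOWHIDDENDIR) return 0 ;;
        *) return 1 ;;
    esac
}

# Best-effort: does an installed package own this path? Returns 1 when no
# package manager is available or nothing claims the file.
owned_by_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1
    else
        return 1
    fi
}

# add_whitelist CONF KIND PATH
# Appends "KIND=PATH" unless that exact line is already present.
# Prints "added" or "present"; returns 2 and changes nothing on bad input.
add_whitelist() {
    conf="$1" kind="$2" path="$3"
    valid_kind "$kind" || { echo "unknown option: $kind" >&2; return 2; }
    case "$path" in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 2 ;;
    esac
    if grep -qxF -- "$kind=$path" "$conf" 2>/dev/null; then
        echo present
    else
        printf '%s=%s\n' "$kind" "$path" >>"$conf"
        echo added
    fi
}

# Command-line use: ./rkh-whitelist.sh ALLOWHIDDENDIR /etc/.java
# (nothing runs when the file is sourced without arguments).
if [ $# -eq 2 ]; then
    owned_by_package "$2" || echo "note: $2 is not owned by any package; verify it by hand first" >&2
    add_whitelist "$CONF" "$1" "$2"
    echo "next: rkhunter -C (config check), then rkhunter --check"
fi
```

A path that no package owns is not necessarily malicious (a hidden directory created by a legitimately installed application is the usual case), but it is the case where you should look at the contents and the owning process before adding the line rather than after.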