Rootkit Hunter is a must if you run a server, or if you're just a security freak like me. If you've never heard of it, you can find it here, but in a few words, this little thing can offer you protection against an army of Linux rootkits and also make some critical suggestions about the overall security of your Linux machine. Installation and configuration may prove slightly tiresome if you're used to just installing something from a package manager and leaving it there to run on its own, but it comes with excellent documentation, a thorough wiki (from which I accidentally stole most of the things I wrote here…) and a reliable mailing list, so fear not.
For starters, I tested this guide on a Fedora 17 machine, and it only intends to show how to install rkhunter there, but with the slight changes I'll be mentioning along the way, you can install rkhunter quite easily and painlessly on any Linux machine. This guide does not intend to make you familiar with rkhunter's secret ninja configuration, plainly because I don't know it :)
So let's download the source code with this:
wget --trust-server-names http://sourceforge.net/projects/rkhunter/files/latest/download -O- | tar zxf -
and you'll have a folder named "rkhunter-1.4.0", inside which you'll find a files folder containing the source and the precious documentation, plus the installer. Unlike other tarballs, there is no configuring and making. You just run the installer with some options and there you go. Before you install it, try:
sh installer.sh --layout default --show
just to see which files go where, and if everything seems fine to you, then with root privileges, either via su or sudo, run:
sh installer.sh --layout default --install
Fingers crossed, everything will go smoothly and the installer won't detect any missing dependencies, which is extremely unlikely on a distribution like Fedora or Ubuntu, since rkhunter's dependencies are mostly standard Unix tools: sed, awk, etc. Even if you don't have sha1sum installed, as we'll see in a jiffy, rkhunter comes along with its own Perl scripts to supplement it.
If everything went well, you are coming to a crossroads. Either you'll walk with me down the schizo road, where I installed some additional programs that rkhunter can use, or you can just skip the rest of the guide until the configuration part.
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits/LKMs or by another hiding technique, as we are informed at its website. Unhide can also work very well with rkhunter, and it seemed the right thing to do to install it along with rkhunter. Unhide though needs some compiling, and even if you have gcc installed on your system, some glibc static libraries are also needed in Fedora to build it. This dependency didn't come up in Ubuntu though. In Fedora you simply install it with yum:
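Piping a download straight into tar means you extract whatever the server hands you. As an added example (not from the original post or the rkhunter project), here is the same download done the careful way: save the tarball, compare its SHA-1 against a value you got out of band (the release announcement on the mailing list, say), and unpack only on a match. The expected hash is a placeholder you must fill in yourself.

```shell
#!/bin/sh
# Added example, not the post's own command: download, verify, then extract.
# The expected digest is a PLACEHOLDER; take the real value from the release
# announcement, never from the same download location as the tarball.

# verify_sha1 FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise.
verify_sha1() {
    file=$1
    expected=$2
    actual=$(sha1sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# fetch_and_unpack URL EXPECTED_HEX DESTDIR -> downloads to a temp file,
# extracts into DESTDIR only if verify_sha1 succeeds, removes the temp file.
fetch_and_unpack() {
    url=$1
    expected=$2
    destdir=$3
    tarball=$(mktemp /tmp/rkhunter.XXXXXX) || return 1
    if ! wget -q "$url" -O "$tarball"; then
        rm -f "$tarball"
        return 1
    fi
    if verify_sha1 "$tarball" "$expected"; then
        mkdir -p "$destdir" && tar zxf "$tarball" -C "$destdir"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tarball"
    return $rc
}

# Usage (placeholder hash, replace before running):
# fetch_and_unpack 'http://sourceforge.net/projects/rkhunter/files/latest/download' \
#     'PLACEHOLDER_SHA1_FROM_RELEASE_ANNOUNCEMENT' ./src
```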
yum -y install glibc-static
I also had to create a folder for unhide, since untarring it makes it just spill its guts all over my working folder… Download and untar the Unhide source with:
mkdir -p unhide && wget --trust-server-names http://sourceforge.net/projects/unhide/files/latest/download -O- | tar zxf - -C unhide
and then go into the unhide folder. Inside resides its source, waiting to be compiled. I assume that you are running on kernel >= 2.6. If you don't, RTFM. And in case you do actually RTFM, you'll find out it suggests doing the following:
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
Don't be shy, do it, but stop there. Now you'll have to put these executables into a "BINDIR" as rkhunter suggests. Since I've installed rkhunter with the default layout, its executable went to /usr/local/bin, so I thought it would be kewl to move these executables to the same folder. And it was. :) You'll just have to make a link to unhide-linux with the name unhide, for compatibility reasons, with this:
ln -s /usr/local/bin/unhide-linux /usr/local/bin/unhide
and you're done with unhide. You can run it independently or not, but rkhunter will be using it if it manages to find it. We'll be covering this in the configuration part.
Skdet is a rootkit detector by Slider, and that's about everything we know about it. Its origins are unknown, its creator has been lost along with his email address, and no one would ever have heard about it unless a kind Mr Dick Gevers had found it and posted its source for everyone to use. This mystical thingy can cooperate with rkhunter, and to install it you just do this:
wget http://dvgevers.home.xs4all.nl/skdet/skdet-1.0.tar.bz2 -O- | tar jxf -
sudo cp -rf skdet*/skdet /usr/local/bin
and that's all. If you wanna know why you should install it, then just don't. Or just RTFM. I did and I am not complaining. :)
Now's the tricky part. Well.. not really, but whatever. Rkhunter runs using the /etc/rkhunter.conf file as its guideline. There are a few options you can alter in order to maximize rkhunter's efficiency and make your CPU suffer. For example you can set your system's package manager in order to… I don't really know, but the manual made it sound important.. So alter this line:
with this one:
If you're using Ubuntu, change it to PKGMGR=DPKG, or don't change it at all. The wiki told me it won't make any real difference for you guys… We should also help rkhunter make scans using locally supplied hashes, so you should also change this line:
with this one:
I could just say "uncomment it", but studies show that extended guides tend to be a lot more respected by readers, and I can also brag about it to my friends… You should also uncomment these lines:
and you're done with configuration. If you want to follow me on my psychotic delirium, you'll have to make two more changes in the rkhunter.conf file (and by this I mean that these changes are optional). Change this line:
DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
with this line:
and now rkhunter will be running all the available tests on your machine. See the "hidden_ports hidden_procs" above? That's why we installed unhide. Probably… You should also uncomment this line:
Run the damn thing
OK, so now, in my opinion, anything preliminary is done. We just have to run rkhunter for the first time. And just because it is the first time, we can't just start scanning. We have to build its database, check for updates, and then finally scan. But all this is three commands away:
rkhunter -c -sk
and your scan should begin. Be aware that you may encounter false positive warnings, where a warning is issued but in fact everything's just fine. Rootkit Hunter will not delete suspicious files, it will not erase them, it will not disinfect them, it will not even suggest a way out in most cases. You'll have to do that on your own. But at the very least, it will make you aware of some security hole in your precious server, or in your PC that no cracker cares about.
If you think it's worth it:
In case you want rkhunter to run on a daily basis, just add it to cron like this:
sudo vi /etc/cron.daily/rkhunter.sh
and add these lines to it:
#!/bin/sh
(/usr/local/bin/rkhunter -c --cronjob 2>&1) | mail -s "RKhunter Scan Details" root@localhost
make it executable, and check /var/log/rkhunter.log every day:
chmod +x /etc/cron.daily/rkhunter.sh
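The cron job above mails you the whole report every day whether or not anything was found, which is how warnings end up ignored. As an added example (not the post's own script), here is a wrapper that mails root only when the run produced warnings, using rkhunter's --cronjob and --rwo (report warnings only) options; the sample log lines are constructed in the shape rkhunter writes to /var/log/rkhunter.log, and the paths and the default APPEND_LOG=0 (log holds only the latest run) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the default layout used
# in the post (binary in /usr/local/bin, log in /var/log) and APPEND_LOG=0,
# so /var/log/rkhunter.log contains only the most recent run.
RKHUNTER=/usr/local/bin/rkhunter
LOGFILE=/var/log/rkhunter.log

# count_warnings LOGFILE -> prints the number of "Warning:" lines (0 if no log).
count_warnings() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Warning:' "$1" || true
}

# warning_lines LOGFILE -> prints only the warning lines, timestamps stripped,
# so the mail body stays short enough to actually be read.
warning_lines() {
    sed -n 's/^\[[0-9:]*\] *Warning: */Warning: /p' "$1"
}

# Constructed sample in the "[HH:MM:SS] Warning: ..." shape of a real log,
# so the helpers above can be exercised without running a scan.
write_sample_log() {
    printf '%s\n' \
        '[15:21:35]   Checking for prerequisites                      [ OK ]' \
        "[15:21:37] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl script text executable" \
        '[15:21:38]   Checking for Adore Rootkit                      [ Not found ]' \
        '[15:21:40] Warning: Hidden file found: /etc/.java: directory' > "$1"
}

# run_scan: quiet scan, then mail root only if rkhunter exited non-zero
# (it does so when a warning was issued) or the log contains warnings.
run_scan() {
    "$RKHUNTER" -c --cronjob --rwo >/dev/null 2>&1
    status=$?
    n=$(count_warnings "$LOGFILE")
    if [ "$status" -ne 0 ] || [ "$n" -gt 0 ]; then
        {
            printf 'rkhunter exited with status %s, %s warning(s)\n\n' "$status" "$n"
            warning_lines "$LOGFILE"
        } | mail -s "rkhunter: $n warning(s) on $(hostname)" root@localhost
    fi
    return "$status"
}

# From /etc/cron.daily/rkhunter.sh, call this file with --run.
[ "${1:-}" = "--run" ] && run_scan
```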
That's all. That is what you have to do on a Linux system to get a working Rootkit Hunter. At least that's what I did. If anything is wrong or not working, please let me know, don't be shy.