What rkhunter also does nicely: it stores a hash plus the inode, size, modification time and permissions of a defined set of important system binaries and configuration files (the list it prints under "file properties checks" below, not every file on the system). If one of those files changes, the next run reports a warning in the log and, if configured, by mail.

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.

Source: https://en.wikipedia.org/wiki/Rkhunter
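The file-properties check described above, as an added shell example (not rkhunter's own code): one function stores the properties the way --propupd does, the other compares them the way -c does. The function names are hypothetical and GNU stat, sha256sum and mktemp are assumed (Linux); the files in the demo are constructed in a temporary directory.

```shell
#!/bin/bash
# Added example, not rkhunter's own code: the file-properties check that
# rkhunter performs with --propupd (store) and -c (compare), reduced to two
# shell functions. Function names are hypothetical; GNU stat, sha256sum and
# mktemp are assumed (Linux). Like rkhunter, it covers a fixed list of
# files, not every file on the system.

# Store hash, inode, size, mtime and mode for each path read from stdin.
props_create() {            # usage: printf '%s\n' /bin/ls /bin/ps | props_create DBFILE
    local db="$1" f
    : > "$db"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%i %s %Y %a' "$f")" "$f" >> "$db"
    done
}

# Compare live properties with the stored ones. Prints one warning per
# changed or missing file; returns 1 if anything differs, else 0.
props_check() {             # usage: props_check DBFILE
    local db="$1" rc=0 hash inode size mtime mode f cur
    while read -r hash inode size mtime mode f; do
        if [ ! -f "$f" ]; then
            echo "Warning: file missing: $f"; rc=1; continue
        fi
        set -- $(stat -c '%i %s %Y %a' "$f")
        cur="$(sha256sum "$f" | cut -d' ' -f1) $1 $2 $3 $4"
        if [ "$cur" != "$hash $inode $size $mtime $mode" ]; then
            echo "Warning: The file properties have changed:"
            echo "         File: $f"
            echo "         Current hash: ${cur%% *}"
            echo "         Stored hash : $hash"
            rc=1
        fi
    done < "$db"
    return "$rc"
}

# Demo on constructed files: baseline, clean check, simulated replacement
# of one "binary", re-check, then re-baseline (the equivalent of --propupd).
props_demo() {
    local d; d=$(mktemp -d)
    printf 'binary one\n' > "$d/ls"
    printf 'binary two\n' > "$d/ps"
    printf '%s\n' "$d/ls" "$d/ps" | props_create "$d/rkhunter.dat"
    props_check "$d/rkhunter.dat" || return 10      # clean host: no warning
    printf 'replaced\n' > "$d/ls"                   # attacker swaps a binary
    props_check "$d/rkhunter.dat" && return 11      # must warn now
    printf '%s\n' "$d/ls" "$d/ps" | props_create "$d/rkhunter.dat"
    props_check "$d/rkhunter.dat" || return 12      # new baseline accepted
    rm -rf "$d"
    echo "demo ok"
}

props_demo
```

The last two steps of the demo are the important ones for daily use: a warning means "inspect the file", and only after you have confirmed the change is legitimate (a package upgrade, your own edit) do you re-run the baseline. A baseline taken on a host that is already compromised just records the attacker's files as the known-good state, which is why the conclusion of the tutorial below says to install rkhunter right after the system is set up.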

How to set up and install:

tested on: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u2 (2016-06-25) x86_64 GNU/Linux

#!/bin/bash
# install rkhunter 1.4.2 from source; run this script as root (sudo ./script.sh).
# note: a bare "su" inside a script does NOT elevate the lines after it, it only
# opens an interactive root shell, and the rest of the script runs as the calling
# user once that shell is closed.
set -e
if [ "$(id -u)" -ne 0 ]; then
    echo "====== install root kit hunter script"
    echo "=== please run as root, e.g. sudo $0"
    exit 1
fi
mkdir -p /usr/local/src/rkhunter
cd /usr/local/src/rkhunter
wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
# compare this checksum with the one published on the project's download page
# before unpacking; a download mirror is not trusted on its own
sha256sum rkhunter-1.4.2.tar.gz
tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install   # default layout installs under /usr/local

/usr/local/bin/rkhunter --update    # fetch the current data files
/usr/local/bin/rkhunter --propupd   # store the file-properties baseline (only meaningful on a host you trust to be clean)
rm -Rf /usr/local/src/rkhunter*     # tidy up, remove sources

/usr/local/bin/rkhunter -c          # run search for rootkits

run:

rkhunter -c # run search for rootkits

this is an example output:
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/usr/local/bin/rkhunter [ OK ]
/usr/sbin/adduser [ Warning ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/mawk [ OK ]
/usr/bin/bsd-mailx [ OK ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/fsck [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/route [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/egrep [ Warning ]
/bin/fgrep [ Warning ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/less [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ping [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ Warning ]
/bin/kmod [ OK ]
/bin/systemd [ OK ]
/bin/systemctl [ OK ]
/bin/dash [ OK ]
/lib/systemd/systemd [ OK ]
/etc/rkhunter.conf [ OK ]

[Press <ENTER> to continue]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]

[Press <ENTER> to continue]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Suspicious Shared Memory segments [ None found ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks

Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

[Press <ENTER> to continue]

Checking the network...

Performing checks on the network ports
Checking for backdoor ports [ None found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not allowed ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ None found ]

[Press <ENTER> to continue]

Checking application versions...

Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ OK ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of PHP [ OK ]
Checking version of OpenSSH [ OK ]

System checks summary
=====================

File properties checks...
Files checked: 136
Suspect files: 5

Rootkit checks...
Rootkits checked : 377
Possible rootkits: 0

Applications checks...
Applications checked: 6
Suspect applications: 0

The system checks took: 8 minutes and 31 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

How to set it up – to run and mail you every week

The following is quoted from a tutorial by Justin Ellingwood, written for Ubuntu 12.04 and rkhunter 1.4.0. It installs with --layout /usr, so its commands use /usr/bin/rkhunter; with the --layout default install from the script above the binary is /usr/local/bin/rkhunter instead.

"Exposing any computer to the internet is in some ways risky. There are many ways that your server can be compromised or attacked by remote systems and malicious software, and it is an ongoing and proactive process to defend yourself against potential threats.

One potential concern is rootkits. Rootkits are software secretly installed by a malicious intruder to allow that user continued access to the server once security is breached. This is an extremely dangerous problem, because even after the entry vector that the user originally used to gain access is fixed, they can continue to enter the server using the rootkit they installed.

One tool that can help you protect your system from these kinds of problems is rkhunter. This software checks your system against a database of known rootkits. Additionally, it can check other system files to make sure they are in line with expected properties and values.

In this guide, we will install and configure rkhunter to protect our Ubuntu 12.04 VPS.

Install RKHunter from Source

Because the Ubuntu repositories have an outdated version of rkhunter which contains an unpatched bug, we will be installing from source so that our program will behave properly.

Change to your home directory and download the files. As of this writing, 1.4.0 is the latest version, but you can go to the project’s home page to see if a newer version is available:

cd
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

Once it has finished downloaded, extract the files and enter the resulting directory:

tar xzvf rkhunter*
cd rkhunter*

Inside, we should see a "files" directory, and an installer script. We will use this to install our program. Specify the layout to install it in the /usr directory so that it will be in our default path:

sudo ./installer.sh --layout /usr --install

This will install the software and the configuration files.

Now, we have rkhunter installed, but we still need some utilities to use all of its functionality. We can get these from the Ubuntu repositories:

sudo apt-get update
sudo apt-get install binutils libreadline5 libruby1.8 ruby ruby1.8 ssl-cert unhide.rb mailutils

You will be asked some questions about the mail server setup. You can configure this if you'd like, but for the sake of brevity, we will not be configuring a web-facing mail server. Select "Local only" to follow our example.

If you are installing locally, you can name the system mail anything. Otherwise, make sure to use a fully qualified domain name.

Now, our software is installed and ready for testing and configuration.

Initial Test Runs

Before we begin configuration, we will do a few test runs with the default settings to get an idea of how the software operates and set a baseline against which to guide our modifications.

The first thing we should do is ensure that our rkhunter version is up-to-date. If you did get the latest tarball from the site, it shouldn’t need to do anything, but it’s best to check anyways:

sudo rkhunter --versioncheck

[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version...
This version : 1.4.0
Latest version: 1.4.0

Next, we need to perform a similar option to update our data files. These files contain information that rkhunter checks against to determine if a file or behavior is suspicious or not. Keeping these files current is essential for accurately assessing your system:

sudo rkhunter --update

With our database files refreshed, we can set our baseline file properties so that rkhunter can alert us if any of the essential configuration files it tracks are altered. We need to tell rkhunter to check the current values and store them as known-good values:

sudo rkhunter --propupd

File created: searched for 167 files, found 136

Finally, we are ready to perform our initial run. This will produce some warnings. This is expected behavior, because rkhunter is configured to be generic and Ubuntu diverges from the expected defaults in some places. We will tell rkhunter about these afterwards:

sudo rkhunter -c --enable all --disable none

It will run one section of tests and then ask you to press enter to continue. You can review the warnings that were produced as you go, but there will be more detailed information in the log afterwards. Press enter until all of the tests are run.

Now, we should go through the logs and check out all of the warnings that were produced:

sudo nano /var/log/rkhunter.log

Search the file for the word „Warning“. You will see a number of different warnings that are caused by different aspects of our filesystem. We will configure rkhunter to ignore the ones we know are harmless in the next section.

Some of the changes, like changes to the passwd file, are only showing up because they have been changed by the helper utilities we downloaded with apt. The timestamps on these files are more recent than the rkhunter database files. They will disappear on the next run.

Another alternative to checking the log is to have rkhunter print out only warnings to the screen, instead of all checks:

sudo rkhunter -c --enable all --disable none --rwo

You can then copy and paste this information somewhere so we can implement the changes in our configuration file.

Configure RKHunter Based on Known-Good Values

Now that we have some info on how rkhunter is viewing our system, we can tell it which files and applications to ignore or handle differently in order to avoid false-positives.

Begin by opening the rkhunter configuration file with root privileges:

sudo nano /etc/rkhunter.conf

Set Up Mail Notifications

The first thing you can do is set up email notifications if you want to receive those when rkhunter hits a warning. You can do this here:

MAIL-ON-WARNING="your_user@domain.com"

If you set up local mail, you can put this to receive mail when you log in as root:

MAIL-ON-WARNING="root@localhost"

Note, that the mail programs were configured when you installed them, so whether this functions correctly depends on what your choices were.

A related configuration option specifies the program and options for sending the mail:

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

Whitelist Known Script Files

Next, we will fix the warnings that told us that some of the binary packages on the system have been replaced by scripts. Some distributions (Ubuntu included) use scripted versions of files instead of their binary counterparts.

The four warnings I received were all examples of this. We can set a SCRIPTWHITELIST parameter to tell rkhunter that these are expected to be script files:

SCRIPTWHITELIST="/usr/sbin/adduser"
SCRIPTWHITELIST="/usr/bin/ldd"
SCRIPTWHITELIST="/usr/bin/unhide.rb"
SCRIPTWHITELIST="/bin/which"

This will prevent these files from triggering false positives on all subsequent checks. Note that these whitelists are specific for certain tests, so we are only flagging that we know these files are not supposed to be binary. Other changes can still trigger warnings, which is what we want.

Whitelist Files in the /dev Directory

Certain files in the /dev directory trigger a warning for rkhunter. These are all implementation details that do not actually point to anything wrong. They are supposed to be there and are supported by the distribution.

There are three warning types that we need to deal with. The first one was a warning that there was a "suspicious file" in the directory. We will specifically allow this file by placing this line in the configuration:

ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"

The next warning we must deal with is that there is a hidden directory in /dev. This is also expected. It is the directory that contained the previous file:

ALLOWHIDDENDIR="/dev/.udev"

The last warning is for hidden files. These are basic configuration files that are kept in this directory so that the utilities can access them regardless of the partitioning scheme and mount status.

Add these lines to allow these files to exist:

ALLOWHIDDENFILE="/dev/.blkid.tab"
ALLOWHIDDENFILE="/dev/.blkid.tab.old"
ALLOWHIDDENFILE="/dev/.initramfs"

Allow Root SSH Login

The next step is simply an assertion check. When you run rkhunter, it checks a parameter in its configuration file and compares it to the value in the SSHD configuration file.

This option specifies whether the root user can log in using SSH. Many security practices recommend disabling root login. If you have disabled root login, you should leave this parameter as "no".

If you need root login over SSH, you should change this parameter to "yes" so that rkhunter can check this and will mark this setting as valid:

ALLOW_SSH_ROOT_USER=yes

Save and close the file when you are finished.

Check the Configuration

Now that we have configured rkhunter, you need to validate the configuration and check to see that everything is now working as expected.

The first step in this is checking that the configuration file itself is valid. You can run a test on it to see if rkhunter will accept all of the values that you’ve assigned:

sudo rkhunter -C

If this gives you any output back, you need to revisit the configuration again to adjust your parameters.

After you’ve gotten the configuration file in good working order, you can run the test again to see if there are any warnings.

sudo rkhunter -c --enable all --disable none --rwo

This should produce one warning, because our rkhunter configuration itself has been modified:

Warning: The file properties have changed:
File: /etc/rkhunter.conf
Current hash: fa8ad80a18100e669be507e69d0cbb88348fc07d
Stored hash : f9015108a2f6d8044126351cf16235c55993ff7a
Current inode: 2098189 Stored inode: 2100424
Current size: 37607 Stored size: 37359
Current file modification time: 1388443781 (30-Dec-2013 17:49:41)
Stored file modification time : 1388442019 (30-Dec-2013 17:20:19)

We should have updated the file properties again after modifying this file. Do that now by typing:

sudo rkhunter --propupd

After it is finished, you can run the check command again and see that no errors are produced.

Forgetting to update the file properties gives you an option to check the mail notifications if you configured that. Since we configured local mail, we can access the messages by checking the root mailbox:

sudo mail

You should see a message that you can access by the number in the second column.

You can exit the mail screen by typing:

quit

If you set up remote email, you can check that too. It may be in your spam folder, so look there if you have not received it in your regular inbox.

Set Up a Cron Job to Automate Checks

Now that you have configured rkhunter and verified that it is operating correctly, it is probably a good idea to automate the system. We can set up rkhunter to run checks every day so that we have up-to-date information about intrusions.

This is most useful if you can have it email your regular email address, so that you are more likely to check it. Change the MAIL-ON-WARNING parameter in the /etc/rkhunter.conf file to your regular email if you haven’t done so already.

We want to run rkhunter with root privileges, as we have been doing, so we should add it to the root user’s crontab. It is important to remember not to add it to the system crontab, because this could be replaced in an upgrade and wipe out your changes.

First, we can see if the root user already has a crontab by typing:

sudo crontab -l

If this returns a crontab, then it is best to back up the file in case we make a mistake. You can do that by typing:

sudo crontab -l > crontab.bak

Afterwards, we can edit the root user’s crontab by issuing this command:

sudo crontab -e

If this is the first time you are running this command, it will ask you to choose the editor you would like to use. A safe choice is nano, if you do not have a preference for any of the other editors.

Afterwards, you will be taken into your editor and your file will be pre-populated with some comments explaining how to write the crontab.

There are a lot of complex ways to write cron specifications that can run commands at many intervals. For our purposes, we are just going to have to decide what time each day to run the command. As with most services, running it at night is usually optimal:

The format we will use is minutes hours * * * command. The hours should be written in 24 hour format (for example, 15 for 3pm). The command we want to use is /usr/bin/rkhunter --cronjob --update --quiet.

So if we want to run this command at 4:15am, we can type at the bottom of the file:

5 8 * * 0 /usr/bin/rkhunter --cronjob --update --quiet # run rkhunter every week on sunday at 08:05 (day-of-week field: 0 = sunday, 6 = saturday)

The --cronjob option tells rkhunter to not output in a colored format and to not require interactive key presses. The --update option ensures that our definitions are up-to-date. The --quiet option suppresses all output.

The cron utility will run this command at 4:15am, and if there is any output, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.

Conclusion

Now that you have rkhunter installed, configured, and automated, it should do the work for you for the most part. Make sure that if you are relying on email alerts, that you check them regularly and respond to any warnings that are produced.

It is also helpful to remember that when you make software changes on your computer, rkhunter may report differences in its next run. It is recommended that after you make changes, at least run sudo rkhunter --propupd to update rkhunter to the new file properties.

Because this software references known-good values and system states that you have allowed, it is best to install and configure this directly after you have configured most of the software for your installation. Doing so before configuring your software will result in a lot of false positives, while waiting too long can result in intrusion and not knowing if you are whitelisting bad files.

By Justin Ellingwood
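As an added example (not part of the quoted tutorial and not rkhunter's own code), the whitelisting steps above are less error-prone when the warnings are read out of /var/log/rkhunter.log rather than copied by hand. The shell function below prints the matching rkhunter.conf lines for the warning types the tutorial handles (SCRIPTWHITELIST, ALLOWHIDDENDIR, ALLOWHIDDENFILE, ALLOWDEVFILE) and, for changed file properties, only a reminder, because those must be inspected and never whitelisted. The function names are hypothetical; the sample log lines are constructed to approximate rkhunter's log format (the hashes are the ones shown in the tutorial).

```shell
#!/bin/bash
# Added example, not from the tutorial above and not rkhunter's own code.
# rkh_suggest reads an rkhunter log and turns the warning types the tutorial
# whitelists by hand into the matching rkhunter.conf lines. The option names
# are rkhunter's; the function names are hypothetical and the sample log
# below is constructed to approximate rkhunter's log format.

rkh_suggest() {   # usage: rkh_suggest /var/log/rkhunter.log
    awk -v q="'" '
    /Warning:/ { indev = 0 }    # any new warning ends a list of /dev files
    /Warning: The command .* has been replaced by a script:/ {
        split($0, a, q)         # the path sits between the first pair of quotes
        print "SCRIPTWHITELIST=\"" a[2] "\""; next }
    /Warning: Hidden directory found: / {
        sub(/.*Hidden directory found: /, ""); sub(/: .*/, "")
        print "ALLOWHIDDENDIR=\"" $0 "\""; next }
    /Warning: Hidden file found: / {
        sub(/.*Hidden file found: /, ""); sub(/: .*/, "")
        print "ALLOWHIDDENFILE=\"" $0 "\""; next }
    /Warning: Suspicious file types found in \/dev:/ { indev = 1; next }
    indev && $2 ~ /^\// { p = $2; sub(/:$/, "", p)
        print "ALLOWDEVFILE=\"" p "\""; next }
    /Warning: The file properties have changed:/ { props = 1; next }
    props && $2 == "File:" {
        # never whitelist these: inspect the file, then re-baseline
        print "# properties changed: " $3 " (inspect, then rkhunter --propupd)"
        props = 0 }
    ' "$1"
}

# Constructed sample log (not captured from a real host).
rkh_sample_log() {   # usage: rkh_sample_log > file
    cat <<'EOF'
[17:49:40] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl -w script, ASCII text executable
[17:49:40] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[17:49:41] Warning: The file properties have changed:
[17:49:41]          File: /etc/rkhunter.conf
[17:49:41]          Current hash: fa8ad80a18100e669be507e69d0cbb88348fc07d
[17:49:41]          Stored hash : f9015108a2f6d8044126351cf16235c55993ff7a
[17:49:42] Warning: Suspicious file types found in /dev:
[17:49:42]          /dev/.udev/rules.d/root.rules: ASCII text
[17:49:42] Warning: Hidden directory found: /dev/.udev
[17:49:42] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
EOF
}

rkh_demo() {   # runs rkh_suggest over the constructed sample
    local f; f=$(mktemp)
    rkh_sample_log > "$f"
    rkh_suggest "$f"
    rm -f "$f"
}

rkh_demo
```

Run it as rkh_suggest /var/log/rkhunter.log after a scan and review the output before pasting anything into /etc/rkhunter.conf. A SCRIPTWHITELIST line is only correct once you have confirmed that the script belongs to an installed package and is unmodified (on Debian 8: dpkg -S /usr/bin/ldd to find the package, then dpkg -V on that package, or debsums); a rootkit that replaces a binary with a wrapper script produces exactly the same warning, and whitelisting it would silence the one check that caught it.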

admin