we are here to introduce a security tool called Rkhunter (Rootkit Hunter). This article will guide you a way to install and configure RKH (RootKit Hunter) in Linux systems using source code.

Rkhunter (Rootkit Hunter) is an open source Unix/Linux based scanner tool for Linux systems released under GPL that scans backdoors, rootkits and local exploits on your systems.

It scans hidden files, wrong permissions set on binaries, suspicious strings in kernel etc. To know more about Rkhunter and its features visit http://www.rootkit.nl

Install Rootkit Hunter Scanner in Linux Systems

Step 1: Downloading Rkhunter

First download the latest stable version of Rkhunter tool by going to http://www.rootkit.nl/projects/rootkit_hunter.html or use below Wget command to download it on your systems.

# cd /tmp
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

Step 2: Installing Rkhunter

Once you have downloaded the latest version, run the following commands as a root user to install it.

# tar -xvf rkhunter-1.4.2.tar.gz  
# cd rkhunter-1.4.2
# ./installer.sh --layout default --install
Sample Output
 Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
 Starting installation:
 Checking installation directory "/usr/local": it exists and is 
 writable.
 Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/local/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/local/bin: exists and is writable.
  Directory /usr/local/lib64: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/local/lib64/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete

Read More: How To Crack WPA/WPA2 Wi-Fi Passwords Using Aircrack-Ng In Kali

Step 3: Updating Rkhunter

Run the RKH updater to fill the database properties by running the following command.

# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
Sample Output
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

[ Rootkit Hunter version 1.4.2 ]
File created: searched for 174 files, found 137

Step 4: Setting Cronjob and Email Alerts

Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email id. Create following file with the help of your favourite editor.

# vi /etc/cron.daily/rkhunter.sh

Add the following lines of code to it and replace “YourServerNameHere” with your “Server Name” and “your@email.com” with your “Email Id“.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

Set execute permission on the file.

# chmod 755 /etc/cron.daily/rkhunter.sh

Step 5: Manual Scan and Usage

To scan the entire file system, run the Rkhunter as a root user.

# rkhunter --check
Sample Output
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/fuser                                          [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/lsof                                           [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sestatus                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
....
[Press  to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
.....

[Press  to continue]


  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

....
[Press  to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
....
  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking if SSH protocol v1 is allowed                   [ Warning ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]
...
System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 6

Rootkit checks...
    Rootkits checked : 383
    Possible rootkits: 0

Applications checks...
    Applications checked: 5
    Suspect applications: 2

The system checks took: 5 minutes and 38 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The above command generates log file under /var/log/rkhunter.log with the checks results made by Rkhunter.

# cat /var/log/rkhunter.log

Read More: How to get someone’s IP address and trace Location

Sample Output
03:33:40] Running Rootkit Hunter version 1.4.2 on server
[03:33:40]
[03:33:40] Info: Start date is Tue May 31 03:33:40 EDT 2016
[03:33:40]
[03:33:40] Checking configuration file and command-line options...
[03:33:40] Info: Detected operating system is 'Linux'
[03:33:40] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core) 
[03:33:40] Info: Command line is /usr/local/bin/rkhunter --check
[03:33:40] Info: Environment shell is /bin/bash; rkhunter is using bash
[03:33:40] Info: Using configuration file '/etc/rkhunter.conf'
[03:33:40] Info: Installation directory is '/usr/local'
[03:33:40] Info: Using language 'en'
[03:33:40] Info: Using '/var/lib/rkhunter/db' as the database directory
[03:33:40] Info: Using '/usr/local/lib64/rkhunter/scripts' as the support script directory
[03:33:40] Info: Using '/usr/lib64/qt-3.3/bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /bin /sbin /usr/libexec /usr/local/libexec' as the command directories
[03:33:40] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[03:33:40] Info: No mail-on-warning address configured
[03:33:40] Info: X will be automatically detected
[03:33:40] Info: Found the 'basename' command: /usr/bin/basename
[03:33:40] Info: Found the 'diff' command: /usr/bin/diff
[03:33:40] Info: Found the 'dirname' command: /usr/bin/dirname
[03:33:40] Info: Found the 'file' command: /usr/bin/file
[03:33:40] Info: Found the 'find' command: /usr/bin/find
[03:33:40] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
[03:33:40] Info: Found the 'ip' command: /usr/sbin/ip
...

For more information and options please run the following command.

# rkhunter --help

If you liked this article, then sharing is the right way to say thanks.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.