Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Rootkits are self-hiding toolkits secretly installed by a malicious intruder to allow that user to gain access to the server. Rootkit Hunter offers protection by comparing SHA-1 hashes of important files with known good ones in a online database as well as:<\/p>\n
MD5 hash compare # yum install http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm<\/p>\n RHEL\/CentOS 6 64 bit:<\/strong><\/p>\n # wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm RHEL\/CentOS 6 32 bit:<\/strong><\/p>\n # wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.3-1.el6.rf.i686.rpm yum install rkhunter<\/p>\n # \/usr\/local\/bin\/rkhunter \u2013update grep Warning \/var\/log\/rkhunter\/rkhunter.log<\/p>\n Check the version<\/p>\n # rkhunter –versioncheck<\/p>\n Rootkit Hunter version 1.4.2<\/p>\n Checking rkhunter version… # rkhunter -c #nano -w \/etc\/cron.daily\/rkhunter.sh #!\/bin\/sh Set Execute Permissions<\/p>\n Set execute permission on the file you have just created:<\/p>\n # chmod 755 \/etc\/cron.daily\/rkhunter.sh Rootkit Hunter configuration<\/p>\n The configuration file for rkhunter can be found at:<\/p>\n # \/etc\/rkhunter.conf The parameter ALLOW_SSH_ROOT_USER tells rkhunter whether or not the root user is allowed to ssh into the system. This is unset by default in the rkhunter.conf file. Rkhunter will complain about this on every run. If you have disabled root login, you should set this parameter to \u201cno\u201d.<\/p>\n ALLOW_SSH_ROOT_USER=no ALLOW_SSH_ROOT_USER=yes Update rkhunter<\/p>\n To check the currently installed version enter the following:<\/p>\n # rkhunter –versioncheck # rkhunter –update # rkhunter –propupd<\/p>\n","protected":false},"excerpt":{"rendered":" Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Rootkits are self-hiding toolkits secretly installed by a malicious intruder to allow that user to gain access to the server. Rootkit Hunter offers protection by comparing SHA-1 hashes of important files with known good ones in a online database […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,73,4,17],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5079"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5079"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5079\/revisions"}],"predecessor-version":[{"id":5081,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5079\/revisions\/5081"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nLook for default files used by rootkits
\nWrong file permissions for binaries
\nLook for suspected strings in LKM and KLD modules
\nLook for hidden files
\nOptional scan within plaintext and binary files
\nIf this is the first installation of RHEL and CentOS RPMForge Repository:
\nRHEL\/CentOS 7:<\/strong><\/p>\n
\n# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<\/p>\n
\n# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.i686.rpm<\/p>\n
\n# \/usr\/local\/bin\/rkhunter \u2013propupd
\n# rkhunter -c<\/p>\n
\nThis version : 1.4.2
\nLatest version: 1.4.2
\nManual Scan<\/p>\n
\nrkhunter -c -l \/var\/log\/rkhunter.log
\nCreate the run-file in the following location (RHEL based distributions only):<\/p>\n
\nInstall into shell script<\/p>\n
\n(
\n\/usr\/bin\/rkhunter –versioncheck
\n\/usr\/bin\/rkhunter –update
\n\/usr\/bin\/rkhunter –cronjob –report-warnings-only
\n) | \/bin\/mail -s ‘rkhunter Daily Scan Report (ServerNameHere)’ your@email.here<\/p>\n
\nhe cron utility will run once daily, and if a threat is detected, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.<\/p>\n
\nSSHD Root Logon<\/p>\n
\nIf you need root login over SSH, you should change this parameter to \u201cyes\u201d so that rkhunter can check this and will mark this setting as valid:<\/p>\n
\nSecurity practices recommend disabling root login.<\/p>\n
\nRun the updater by issuing the following command:<\/p>\n
\nWith our database files refreshed, we need to tell rkhunter to check the current values and store them as known-good values:<\/p>\n