
Detecting Rootkits in Ubuntu system using Chkrootkit and Rkhunter

A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit will usually either manipulate the data set the operating system relies on, or alter the execution flow of the operating system.

It is important you realize that rootkits are designed to be very stealthy, meaning they are difficult to find or detect by normal means. Many rootkits have been so well written that their presence can go undetected for years. They are written by experienced individuals with a level of programming knowledge far above that of the average virus or malware writer. A rootkit is not an exploit: it is what an attacker installs after an initial exploit to allow future undetected access to a compromised computer.

Chkrootkit:
chkrootkit is a tool to locally check for signs of a rootkit. Its core is the chkrootkit shell script, which checks system binaries for rootkit modification.

Installation:
Open up the terminal and type the following command to install chkrootkit:
$ sudo apt-get install chkrootkit

Using chkrootkit:
Open up the terminal and type the command: $ sudo chkrootkit
This will perform all tests.

Other Configurations:
If you want an automatic daily run of chkrootkit:
Open /etc/chkrootkit.conf and replace RUN_DAILY="false" with RUN_DAILY="true".

If you also want a daily mailed report:
Open /etc/cron.daily/chkrootkit and replace the line '$CHKROOTKIT $RUN_DAILY_OPTS' with
'$CHKROOTKIT $RUN_DAILY_OPTS | mail -s "Daily chkrootkit run from $HOSTNAME" $YOUR_EMAIL_ADDRESS'
where $YOUR_EMAIL_ADDRESS is replaced by the address the report should go to. (Cron runs this script with /bin/sh, which may not set $HOSTNAME; $(hostname) works in either shell.)

Rkhunter:
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like 'skdet' and 'unhide'. It should run on almost every Unix clone.

Installation:
Open up the terminal and type the following command to install Rkhunter:
$ sudo apt-get install rkhunter

Using Rkhunter:
Open up the terminal and type the command: $ sudo rkhunter --check
This will perform all tests.

By default, the log file '/var/log/rkhunter.log' will be created. It will contain the results of the checks made by Rkhunter.

The following command causes rkhunter to check for and download the latest version of any of its text data files: $ sudo rkhunter --update

To see what other options can be used with rkhunter, enter: $ sudo rkhunter --help
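As an added example (not code from this post or from either tool) of what the daily cron job above can do with the two tools' output, the script below pulls out the lines from a chkrootkit run and from /var/log/rkhunter.log that indicate a finding, so that a report is only mailed when there is something to review. The chkrootkit and rkhunter lines it reads are constructed samples in the format each tool produces, and the mail address is a placeholder.

```sh
#!/bin/sh
# Summarise one chkrootkit run and the rkhunter log for a cron job
# (added example, not part of chkrootkit or rkhunter).

# chkrootkit: clean checks print "not infected" / "nothing found"; a finding
# prints "INFECTED", "Possible ..." or "Warning". The match is case-sensitive,
# so the lowercase "not infected" is not picked up.
chkrootkit_findings() {      # $1 = file holding chkrootkit's output
    grep -E 'INFECTED|Possible|Warning' "$1"
}

# rkhunter: findings are logged as "Warning:" lines in /var/log/rkhunter.log.
rkhunter_findings() {        # $1 = rkhunter log file
    grep 'Warning' "$1"
}

# Print "clean" and return 0 when nothing was found; otherwise print the
# findings and return 1 so the caller knows a report is worth sending.
rootkit_report() {           # $1 = chkrootkit output, $2 = rkhunter log
    report=$( { chkrootkit_findings "$1"; rkhunter_findings "$2"; } 2>/dev/null || true )
    if [ -z "$report" ]; then
        echo clean
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample inputs mirroring each tool's output format.
tmp=$(mktemp -d)
cat >"$tmp/chkrootkit.out" <<'EOF'
Checking `chfn'... not infected
Checking `ifconfig'... INFECTED
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Searching for sniffer's logs, it may take a while... nothing found
EOF
cat >"$tmp/rkhunter.log" <<'EOF'
[10:02:12]   /usr/bin/ls                                     [ OK ]
[10:02:13] Warning: The command '/usr/bin/ps' has been replaced by a script
EOF

if rootkit_report "$tmp/chkrootkit.out" "$tmp/rkhunter.log" >"$tmp/report"; then
    :   # clean day: nothing to mail
else
    # In the cron job this would be:
    #   mail -s "Rootkit findings on $(hostname)" admin@example.invalid <"$tmp/report"
    cat "$tmp/report"
fi
rm -rf "$tmp"
```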


4 comments:

Barista Uno said...

Are these tools a MUST-HAVE? Or are they just GOOD-TO-HAVE? Please give an honest answer. I am trying to keep my Peppermint OS as lean and mean as possible and hate to add apps that are not ABSOLUTELY necessary.

DevOps said...

If you are not running or storing any critical information on your system then rkhunter or Chkrootkit are GOOD-TO-HAVE tools.

Anonymous said...

The above post should read - If you are running or storing any critical information on your system you should have.

If you're not running your Linux distro as a server then the chance of getting any rootkit is very minimal. Servers by default have more doors open to the outside than a desktop distro. I personally run these every so often on my desktop to give me peace of mind, which is far better than with other OS systems. Linux by default is securer than others.

Ch said...

What if rkhunter finds 1 suspected file? How do you delete it or block it? By the way this should be sudo apt-get install rkhunter, not Rkhunter.
