RKHunter [Rootkit Hunter]
RootKit is a feature rich scanning tool that scans for rootkits, backdoors, and local exploits. It scans hidden files, wrong permissions set on binaries, suspicious strings in kernel etc.
As rootkits are installed into system files they cannot be removed easily however, RKHunter will still notify you of any rootkits that may exist in your system so that you can take the necessary steps to reload on server.
Rootkit Hunter is not a reactive tool: it only enumerates encountered threats.
It is up to you to read the log file and investigate suspicious activity.
To know more about Rkhunter and its features visit http://www.rootkit.nl/.
Installing Rkhunter (Rootkit Hunter) in RHEL, CentOS and Fedora
Step 1: Downloading Rkhunter:
[root@server ~]# mkdir /download
[root@server ~]# cd /download
[root@server download]# wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
Step 2: Installing Rkhunter:
Once you have downloaded the latest version, run the following commands as a root user to install it.
[root@server download]# tar -xvzf rkhunter-1.4.0.tar.gz
[root@server download]# cd rkhunter-1.4.0
[root@server rkhunter-1.4.0]# ./installer.sh --install
[root@server rkhunter-1.4.0]# cd
Step 3: Updating Rkhunter:
Run the RKH updater to fill the database properties by running the following command.
[root@server ~]# /usr/local/bin/rkhunter --update
[root@server ~]# /usr/local/bin/rkhunter --propupd
Step 4: Setting Cronjob and Email Alerts:
Create one file "rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email id.
[root@server ~]# vi /etc/cron.daily/rkhunter.sh
#Add the following lines of code to it and replace your “Server Name” and your “Email Id“.
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (server.anup.co.in)' firstname.lastname@example.org
Set execute permission on the file.
[root@server ~]# chmod +x /etc/cron.daily/rkhunter.sh
Step 5: Manual Scan and Usage:
To scan the entire file system, run the Rkhunter as a root user.
[root@server ~]# rkhunter --check
The above command generates log file under /var/log/rkhunter.log with the checks results made by Rkhunter.
For more information and options please run the following command.
[root@server ~]# rkhunter --help