April 19, 2006

Rootkit Hunter Installation and Configuration Linux Unix

Mini guide to setup RootKit Hunter. Nothing bulletproof, as nothing is bulletproof, but a good start.

1) Download rootkit hunter
2) $ wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
3) $ md5sum rkhunter-1.2.8.tar.gz (check file integrity; the md5sum should be 41122193b5006b617e03c637a17ae982)
4) Extract the files: $ tar -zxvf rkhunter-1.2.8.tar.gz
5) $ cd rkhunter
6) Become root with su -, or run sudo ./installer.sh (set up the privileges with visudo)
7) # ./installer.sh (install script, run as user root)

[salt@mimir rkhunter]$ ls
files installer.sh
[salt@mimir rkhunter]$ sudo sh ./installer.sh
Password:

Rootkit Hunter installer 1.2.4 (Copyright 2003-2005, Michael Boelen)
---------------
Starting installation/update

Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... OK
Installing RK Hunter binary... OK
Configuration updated with installation path (/usr/local/rkhunter)

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)


8) Edit rkhunter.conf: # vi rkhunter.conf
9) Set up rkhunter.sh as a daily cron job.
10) # vi /etc/cron.daily/rkhunter.sh
Add the following to rkhunter.sh:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)

11) Add execute permission to rkhunter.sh:
# chmod +x /etc/cron.daily/rkhunter.sh
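Steps 2 to 4 above compare the md5sum by eye and then extract the tarball. As an added example that is not part of the original guide, the shell functions below make that check mechanical and refuse to extract an archive whose hash does not match the published value. The names verify_md5 and install_verified are chosen here; the demonstration runs on a constructed file rather than the real tarball (whose published hash is the one given in step 3). Since the published checksum comes from the same download site as the archive, a match rules out a corrupted or truncated download, not a tampered mirror.

```shell
#!/bin/sh
# Added example, not code from the original guide or from the rkhunter project.
# Checks a downloaded file against a published MD5 before anything is extracted.
# The rkhunter-1.2.8.tar.gz hash from the guide is 41122193b5006b617e03c637a17ae982;
# every other hash and file used below is constructed for the demonstration.

# verify_md5 FILE EXPECTED_HASH
# Returns 0 when FILE's MD5 equals EXPECTED_HASH (case-insensitive), 1 otherwise.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_md5: $file not found" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK  $file $actual"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# install_verified TARBALL EXPECTED_HASH
# Extracts the tarball only after its hash checks out; otherwise leaves it untouched.
install_verified() {
    verify_md5 "$1" "$2" || { echo "refusing to extract $1" >&2; return 1; }
    tar -zxvf "$1"
}

# Stand-alone demonstration on a constructed file: one matching and one bogus hash.
demo() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"    # md5("hello") = 5d41402abc4b2a76b9719d911017c592
    verify_md5 "$tmp" 5d41402abc4b2a76b9719d911017c592 && good=0 || good=$?
    verify_md5 "$tmp" 00000000000000000000000000000000 2>/dev/null && bad=0 || bad=$?
    rm -f "$tmp"
    echo "match exit=$good, mismatch exit=$bad"
}

demo
```

In practice you would call install_verified rkhunter-1.2.8.tar.gz 41122193b5006b617e03c637a17ae982 right after the wget in step 2, so step 4 never runs on an archive that failed the check.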

Good to go. Rkhunter should report any changes made to user accounts, system and rc files, and suspicious file properties in binaries like /bin/ps, /bin/ls, /usr/bin/w, /usr/bin/who, /bin/netstat, /bin/login, etc. And if you've got 0wn3d, a rootkit report.

Don't forget to check the Rkhunter author's website: http://www.rootkit.nl
