The Rootkit Hunter (rkhunter) project provides an open source tool to scan Unix installations for rootkits, backdoors and possible local exploits. To archieve this, the tool compares SHA-1 hashes of important files with known good ones in online databases, looking for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and by running special tests on the computer.
1 . Connect yourself to your server via SSH.
2 . Update the apt-sources and the already installed software on the server:
apt update && apt upgrade -y
3 . Install rkhunter:
apt install rkhunter -y
4 . Open the configuration file /etc/rkhunter.conf in a text editor. Ubuntu modified some of the default configuration options. Edit the file and make sure the following settings are in place:
UPDATE_MIRRORS=1 MIRRORS_MODE=0 WEB_CMD=""
5 . Open the file /etc/default/rkhunter and edit it as following to enable scanning and updating by cron:
CRON_DAILY_RUN="true" CRON_DB_UPDATE=true" APT_AUTOGEN="true"
6 . Check that the latest version of rkhunter is installed on your system:
7 . Download the latest rootkit definations and file signatures:
8 . To run checks against sensitive binaries or programs, update the file properties. These are retrieved from the repositories to minimize the risk of comprimizing the reference check.
9 . Rkhunter is now ready to check your system. Start it with the following command:
You will see an output similar to the following:
[ Rootkit Hunter version 1.4.6 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/cron [ OK ] [...] [Press <ENTER> to continue]
After each group of checks the tool shows a summary of the task performed. To run the test without these breaks, use the option
-sk when launching the tool.
You can see a detailed log of the actions performed by rkhunter in the log file of the tool: /var/log/rkhunter.log.