Jump toUpdate content
Detecting Rootkits and Security Holes with rkhunter on Ubuntu Bionic
The Rootkit Hunter (rkhunter) project provides an open source tool to scan Unix installations for rootkits, backdoors and possible local exploits. To archieve this, the tool compares SHA-1 hashes of important files with known good ones in online databases, looking for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and by running special tests on the computer.
Connect to your instance via SSH.
Update the apt-sources and the already installed software on the Instance.
apt update && apt upgrade -y
apt install rkhunter -y
Open the configuration file
/etc/rkhunter.confin a text editor. Ubuntu modified some of the default configuration options. Edit the file and make sure the following settings are in place:
Open the file
/etc/default/rkhunterand edit it as following to enable scanning and updating by cron.
Check that the latest version of rkhunter is installed on your system.
Download the latest rootkit definations and file signatures.
To run checks against sensitive binaries or programs, update the file properties. These are retrieved from the repositories to minimize the risk of comprimizing the reference check.
Start Rkhunter with the following command:
You will see an output similar to the following:
[ Rootkit Hunter version 1.4.6 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/cron [ OK ] [...] [Press <ENTER> to continue]
After each group of checks the tool shows a summary of the task performed. To run the test without these breaks, use the
-sk option when launching the tool.
You can see a detailed log of the actions performed by rkhunter in the tool’s log file: