rkhunter (or Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and local exploits. It does this by comparing MD5 hashes of important files against known-good ones in an online database, and by searching for the default directories used by rootkits, wrong permissions, hidden files and suspicious strings in kernel modules. It should run on almost every Unix clone.
Installation notes:

Download the gzipped tarball, extract it and run the installation script:

# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
# tar -xvzf rkhunter-<version>.tar.gz
# cd rkhunter
# ./installer.sh

Or you can create an RPM file with the integrated rkhunter.spec file and install your own package:

# rpmbuild -ta rkhunter-<version>.tar.gz
If you are lazy you can install the prebuilt 1.2.8-1 rpm version via:

# rpm -Uvh http://linuxweblog.com/downloads/packages/rkhunter/rkhunter-1.2.8-1.noarch.rpm

Test the installation with:

# rkhunter -c

Update the daily cron in the "/etc/cron.daily/01-rkhunter" file to check for version and database updates:

#!/bin/sh
(
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob
) | /bin/mail -s 'rkhunter Daily Run' root

You can customize the default configuration by editing "/etc/rkhunter.conf".
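A hardened variant of the cron wrapper above, added here as an example and not taken from the original post: it appends each step to a dated log and mails root only when the scan itself reports a problem, instead of sending the full output every day. It assumes, as rkhunter 1.3.x documents, that "rkhunter --cronjob" exits non-zero when warnings were found; the log directory /var/log/rkhunter is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original post: a replacement for the
# /etc/cron.daily/01-rkhunter wrapper above. Every step is appended to a
# dated log, and root is mailed only when the scan itself reports a problem,
# so a daily "all clear" mail does not train people to ignore the alert.
#
# Assumption (check your version's man page): "rkhunter --cronjob" exits 0
# when no warnings were found and non-zero otherwise, as rkhunter 1.3.x
# documents. The exit codes of --versioncheck and --update are deliberately
# not treated as an alarm, since they also signal "an update was installed".

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
LOGDIR="${LOGDIR:-/var/log/rkhunter}"
MAILTO="${MAILTO:-root}"

# Print the path of today's log file.
today_log() {
    printf '%s/rkhunter-%s.log\n' "$LOGDIR" "$(date +%Y%m%d)"
}

# run_step NAME CMD [ARGS...]: append the command's output to today's log
# under a header and return the command's own exit status.
run_step() {
    name=$1; shift
    log=$(today_log); mkdir -p "$LOGDIR"
    printf '=== %s %s ===\n' "$(date '+%F %T')" "$name" >> "$log"
    rc=0
    "$@" >> "$log" 2>&1 || rc=$?
    printf '=== %s exited %d ===\n' "$name" "$rc" >> "$log"
    return "$rc"
}

# daily_run: version check, database update, then the scan. Returns 0 when
# the scan was clean, 1 when it reported warnings or could not be run.
daily_run() {
    run_step versioncheck "$RKHUNTER" --versioncheck || true
    run_step update "$RKHUNTER" --update || true
    run_step scan "$RKHUNTER" --cronjob || return 1
}

# main: cron entry point; mail the whole day's log when the scan was bad.
main() {
    daily_run && exit 0
    /bin/mail -s "rkhunter: warnings on $(hostname)" "$MAILTO" < "$(today_log)"
    exit 1
}

# Run only when installed under the cron filename used in the post; when
# the file is sourced for testing, nothing executes.
if [ "$(basename -- "$0")" = "01-rkhunter" ]; then main; fi
```

Install it as /etc/cron.daily/01-rkhunter and make it executable; the day's log stays under the log directory whether or not mail was sent.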
Better Way
Use the EPEL package repository for pulling the RPMs of rkhunter.
http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
Then just set your email address in /etc/sysconfig/rkhunter.
Package managers were invented for a reason! Kind of ironic how this is a security thread too ;)
rkhunter on plesk servers
rkhunter can be installed via the plesk watchdog module and can be run via command line:
/opt/psa/admin/sbin/modules/watchdog/rkhunter --configfile /opt/psa/etc/modules/watchdog/rkhunter.conf -c
For the others who don't use
For the others who don't use a Linux system that uses these packages, how to install from source -> http://www.vinno.net/linux/server/how-to-install-root-kit-hunter
FedoraCore6 rkhunter rpm
If you are lazy, you can get the rpm via:
# wget http://www.linuxweblog.com/downloads/packages/fc6/rkhunter-1.2.9-1.noarch.rpm
md5sum: ad9da1cd575f52619ee537c16d34d463
rkhunter in fedora core
rkhunter is now available in the yum extras repository.
# yum install rkhunter
easy rkhunter in CentOS 4.4
# cd /etc/yum.repos.d/
# wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
# yum --enablerepo=kbs-CentOS-Extras install rkhunter