How to Scan for Rootkits, Backdoors and Exploits Using ‘Rootkit Hunter’ in Linux
What Is Rkhunter?
Rkhunter (Rootkit Hunter) is an open source scanner for Unix/Linux systems, released under the GPL, that checks your system for backdoors, rootkits and local exploits.
It looks for hidden files, incorrect permissions on binaries, suspicious strings (for example in kernel backdoors) and possible local exploits. It does this by comparing the SHA-1 hashes of important files with known-good values in online databases.
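To make the hash-comparison idea concrete, here is an added example (not code from the original article or from the rkhunter project) of a minimal file-property check: it records a baseline of SHA-1 hashes for every regular file under a directory, and a later verification reports files whose hash changed, files that disappeared and files that appeared. It assumes the coreutils `sha1sum`, `find`, `sort`, `comm`, `awk` and `mktemp` are available and that paths contain no whitespace.

```shell
# Added example, not part of the original article or of rkhunter itself.
# Demonstrates the file-property comparison rkhunter performs: record a
# baseline of SHA-1 hashes, then re-check and report any discrepancy.
# Assumes coreutils (sha1sum, find, sort, comm, awk, mktemp) and paths
# without whitespace.

# baseline_create DIR BASELINE_FILE
# Writes "hash  path" lines, one per regular file under DIR.
baseline_create() {
    find "$1" -type f -exec sha1sum {} + | sort -k2 > "$2"
}

# baseline_verify DIR BASELINE_FILE
# Prints one CHANGED, MISSING or NEW line per discrepancy.
# Returns 0 when the directory matches the baseline, 1 otherwise.
baseline_verify() {
    dir=$1
    base=$2
    status=0

    # Recompute the hash of every file listed in the baseline.
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$(sha1sum "$path" | awk '{print $1}')" != "$hash" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$base"

    # Files present now but absent from the baseline (e.g. a dropped binary).
    now=$(mktemp)
    known=$(mktemp)
    find "$dir" -type f | sort > "$now"
    awk '{print $2}' "$base" | sort > "$known"
    new_files=$(comm -23 "$now" "$known")
    rm -f "$now" "$known"
    if [ -n "$new_files" ]; then
        printf '%s\n' "$new_files" | sed 's/^/NEW /'
        status=1
    fi
    return $status
}

# Demonstration on a throwaway directory: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    b=$(mktemp)
    printf 'original ps\n' > "$d/ps"      # constructed stand-ins for binaries
    printf 'original ls\n' > "$d/ls"
    baseline_create "$d" "$b"
    printf 'replaced ps\n' > "$d/ps"      # simulate a tampered binary
    printf 'new file\n' > "$d/new-tool"   # simulate an unexpected new file
    baseline_verify "$d" "$b"             # prints CHANGED .../ps and NEW .../new-tool
    rm -rf "$d" "$b"
fi
```

The important design point, which rkhunter shares, is that the baseline must be taken from a system you trust: if the hashes are recorded after a binary has already been replaced, the replacement becomes the "known good" value and the check is silent.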
A rootkit is malicious software designed to obtain root-level access to a computer while hiding its presence from antivirus software. Common ways for rootkits to get onto your system are trojan horses in drive-by downloads, known system vulnerabilities, suspicious email attachments, web surfing, or simply password cracking.
There are several rootkit scanners for Linux; one of them is Rootkit Hunter (rkhunter).
Install Rootkit Hunter Scanner in Linux
If you are running Kali Linux, install it with the following terminal command:
apt-get install rkhunter
To install rkhunter on Fedora, execute the following command:
sudo dnf install rkhunter-1.4.2-11.fc24.noarch
On other distributions, download the rkhunter source tarball with the following terminal command:
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Once you have downloaded rkhunter, run the following commands as root (the installer must be started from inside the extracted directory):
tar -xvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
To update the rkhunter data files (the rootkit signatures and file lists it checks against):
rkhunter --update
To scan your system with rkhunter, run the following:
sudo rkhunter -c
Once rkhunter is initiated, it will run a series of tests as follows.
- Compare SHA-1 hashes of system binaries against known good values maintained in the database.
- Check for known rootkit files and directories, as well as rootkit strings.
- Perform malware detection, including checking for login backdoors, sniffer log files, and other suspicious directories.
- Perform trojan-specific checks, such as examining enabled xinetd services.
- Perform checks on network ports and interfaces.
- Perform system boot checks.
- Perform group and account checks.
- Perform system configuration file checks.
- Perform filesystem checks.
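The scan above is interactive and pauses between test groups. As an added example (not from the original article or the rkhunter project), the following wrapper runs the update and the full check unattended and then summarises the warnings rkhunter writes to its log. It assumes rkhunter 1.4.x is installed, that it runs as root, that the log is at /var/log/rkhunter.log (rkhunter's default; override with the `RKH_LOG` environment variable), and that `--update` returns 2 after applying updates, as rkhunter documents; the log excerpt embedded in `write_sample_log` is constructed for the demonstration.

```shell
# Added example, not part of the original article or of rkhunter itself.
# Unattended wrapper around "rkhunter --update" and "rkhunter --check",
# plus a summary of the warnings in rkhunter's log.
# Assumes rkhunter 1.4.x, root privileges and the default log path.

RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}

# rkhunter_scan: refresh the data files, then run every test without
# pausing for a keypress (--sk) and print only warnings (--rwo).
# --propupd is deliberately not run here: it rewrites the stored file
# properties, so it belongs only right after installation or after a
# package update you have verified yourself; otherwise a replaced binary
# would simply become the new "known good" value.
rkhunter_scan() {
    rkhunter --update
    case $? in
        0|2) ;;   # 0 = already current, 2 = updates applied (rkhunter's documented codes)
        *) echo "rkhunter: data file update failed, scanning with existing data" >&2 ;;
    esac
    rkhunter --check --sk --rwo
}

# count_warnings LOGFILE: number of explanatory "Warning:" lines in the log.
count_warnings() {
    grep -c 'Warning:' "$1" || true   # grep -c exits 1 on zero matches but still prints 0
}

# list_warnings LOGFILE: the warning lines with the [HH:MM:SS] prefix removed.
list_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[^]]*\] *//'
}

# write_sample_log FILE: constructed log excerpt in the style of
# /var/log/rkhunter.log, used only for demonstration and testing.
write_sample_log() {
    cat > "$1" <<'EOF'
[10:15:02] Info: Starting test name 'properties'
[10:15:03] Warning: The file properties have changed:
[10:15:03]          File: /usr/bin/ps
[10:15:04] Info: End of test name 'properties'
[10:15:05] Info: Starting test name 'filesystem'
[10:15:06] Warning: Hidden directory found: /dev/.constructed-example
[10:15:07] Info: End of test name 'filesystem'
EOF
}

# scan_and_report: run the scan, then exit non-zero when the log holds
# warnings so that cron mail or a monitoring job picks it up.
scan_and_report() {
    rkhunter_scan
    n=$(count_warnings "$RKH_LOG")
    if [ "$n" -gt 0 ]; then
        echo "rkhunter reported $n warning(s); review these lines in $RKH_LOG:" >&2
        list_warnings "$RKH_LOG" >&2
        return 1
    fi
    echo "rkhunter: no warnings"
}

# Demonstration of the summary on the constructed excerpt: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_log "$f"
    echo "warnings: $(count_warnings "$f")"   # prints 2 for the constructed excerpt
    list_warnings "$f"
    rm -f "$f"
fi
```

Run `scan_and_report` from a root cron job and it fails, with the warning lines on stderr, whenever rkhunter has something to say; a clean run prints a single line. Every warning still needs a human to read the surrounding log context, because a changed file hash after a legitimate package upgrade looks the same as a replaced binary until you check which package owns the file.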