The Rootkit Hunter
Learn how to install and set up Rootkit Hunter, a utility to stalk rootkits.
Thursday, September 15th, 2005
In an ideal world, all of your machines would be patched instantly with the latest, up-to-the-minute versions of all installed software, providing the best protection against exploits and vulnerabilities. Unfortunately, that’s rarely the case. And with experienced crackers and 0-day exploits prevalent and on the prowl, there is a constant threat of a compromise.
Of course, you should still do everything possible at every layer in your infrastructure to mitigate your risks. Be paranoid and assume the worst.
Rootkit Hunter, available from http://www.rootkit.nl/, is a scanning tool that consists of one shell script, a few text-based databases, and optional Perl modules. Written by Michael Boelen, it’s licensed under the GPL. Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. It runs a variety of tests: it looks for the default files used by rootkits (using an MD5 hash comparison), incorrect file permissions on binaries, suspicious strings in Linux loadable kernel modules (and in FreeBSD’s equivalent, KLD modules), and hidden files.
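To make three of those checks concrete, here is an added example that is not rkhunter's own code: a small POSIX shell script that records a hash baseline of the binaries in a directory, re-checks it later, flags world-writable binaries, and flags hidden files in a directory where none belong. It runs entirely inside a temporary directory tree that the script constructs itself, so every path, file name and file content below is made up for the demonstration; rkhunter uses its own databases and file lists.

```shell
#!/bin/sh
# Added example, not part of rkhunter: a toy version of three checks the article lists,
# run over a constructed temporary directory tree so it can be tried safely offline.
#   1. known-good hash baseline of binaries, re-checked later (the MD5 compare idea)
#   2. binaries that are world-writable (incorrect file permissions)
#   3. hidden files in a directory that should contain none
# File names and contents are constructed; real scanners ship a vendor hash database.

# Print "<hash> <path>" for one file, preferring a cryptographic hash when available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else cksum "$1"   # weak fallback: CRC only, not collision-resistant
    fi
}

# Create the constructed sample tree (a "bin" and a "dev" directory) and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/dev"
    printf 'clean ls binary\n' > "$d/bin/ls"
    printf 'clean ps binary\n' > "$d/bin/ps"
    chmod 755 "$d/bin/ls" "$d/bin/ps"
    printf '%s\n' "$d"
}

# Hash every regular file under $1/bin, one line per file, in a stable order.
hash_tree() {
    find "$1/bin" -type f | sort | while IFS= read -r f; do hash_file "$f"; done
}

# Record the baseline for tree $1 into file $2. Do this on a known-clean system.
record_baseline() {
    hash_tree "$1" > "$2"
}

# Compare current hashes of tree $1 against baseline $2.
# Prints changed, added or removed paths; returns 1 if there are any, 0 if clean.
check_hashes() {
    tmp=$(mktemp) || return 1
    hash_tree "$1" > "$tmp"
    changed=$(diff "$2" "$tmp" | awk '/^[<>]/ {print $NF}' | sort -u)
    rm -f "$tmp"
    [ -z "$changed" ] && return 0
    printf 'hash mismatch: %s\n' "$changed"
    return 1
}

# World-writable regular files under $1/bin; returns 1 if any exist.
check_perms() {
    bad=$(find "$1/bin" -type f -perm -0002)
    [ -z "$bad" ] && return 0
    printf 'world-writable binary: %s\n' "$bad"
    return 1
}

# Hidden (dot-prefixed) regular files under $1/dev, where none belong; returns 1 if any.
check_hidden() {
    hidden=$(find "$1/dev" -name '.*' -type f)
    [ -z "$hidden" ] && return 0
    printf 'hidden file: %s\n' "$hidden"
    return 1
}

# Run all three checks on tree $1 with baseline $2.
# Returns the number of checks that reported findings (0 means clean).
scan() {
    findings=0
    check_hashes "$1" "$2" || findings=$((findings + 1))
    check_perms "$1"       || findings=$((findings + 1))
    check_hidden "$1"      || findings=$((findings + 1))
    return "$findings"
}

# Demo: a clean tree passes; then simulate tampering and watch every check report.
demo() {
    d=$(make_sample_tree)
    b="$d/baseline.txt"
    record_baseline "$d" "$b"
    if scan "$d" "$b"; then echo "clean tree: no findings"; fi
    printf 'modified ls\n' > "$d/bin/ls"   # binary no longer matches its baseline hash
    chmod 777 "$d/bin/ps"                  # permissions loosened to world-writable
    : > "$d/dev/.hidden"                   # a hidden file where none should exist
    if scan "$d" "$b"; then echo "unexpected: no findings"
    else echo "tampered tree: $? of 3 checks reported findings"; fi
    rm -rf "$d"
}
demo
```

The baseline must be taken from a system you trust, and the baseline file itself must be stored where an intruder cannot rewrite it (read-only media or a separate host); otherwise the hash comparison only proves that the files match whatever the attacker left behind.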
Installation of Rootkit Hunter deviates from the standard ./configure && make && make install. After you download, verify, and unpack the source tarball, cd into the resulting directory and run:
$ sudo ./installer.sh