In an ideal world, all of your machines would be patched instantly with the latest, up-to-the-minute versions of all installed software, providing the best protection against exploits and vulnerabilities. Unfortunately, that’s rarely the case. And with experienced crackers and 0-day exploits prevalent and on the prowl, there is a constant threat of a compromise.
Of course, you should still do everything possible at every layer in your infrastructure to mitigate your risks. Be paranoid and assume the worst.
Rootkit Hunter, available from http://www.rootkit.nl/
, is a scanning tool that consists of one shell script, a few text-based databases, and optional Perl
modules. Written by Michael Boelen, it’s licensed under the GPL.
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. It runs a variety of tests to look for default files used by rootkits (using an MD5
hash compare that), incorrect file permissions for binaries, suspected strings in Linux
loadable kernel modules (and in FreeBSD’s
equivalent called KLD modules
), and hidden files.
Installation of Rootkit Hunter deviates from the standard ./configure&&make&&make install. After you download, verify, and unpack the source tarball, cd into the resulting directory and run:
$ sudo ./installer.sh
The installer places a shell script in /usr/local/bin/, the configuration file in /usr/local/etc/, and the rest of the files in /usr/local/rkhunter/. (You can override /usr/local/ with the ––installdir parameter.)
With everything installed, you’re ready to run the program. One nice thing about Rootkit Hunter is that it keeps a variety of information such as known good program versions, blacklisted tools and binaries, and MD5 hashes in continually updated databases, much like a virus scanner. The first thing to do is make sure all of the databases are current.
# /usr/local/bin/rkhunter ––update
If anything is out of date, it’s automatically updated. There’s also a quick and easy way to verify that you’re running the latest version of Rootkit Hunter itself:
# /usr/local/bin/rkhunter ––versioncheck
This version: 1.2.7
Latest version: 1.2.7
To run all of the Rootkit Hunter security checks and see a verbose, colorized status report, run:
# /usr/local/bin/rkhunter ––checkall
While the Rootkit Hunter script has extremely sane defaults, you can edit its configuration file if you’d like to whitelist hidden files or directories, change the install directory, or ignore the fact that remote root SSH logins are allowed. As with any software you install, take the time to thoroughly look through the configuration file to learn what the software is capable of and what each option does.
Once you’re confident that everything is installed and working correctly, add Rootkit Hunter to your list of regular system chores in the system cron file. To do that, first create a script with the following:
/usr/local/bin/rkhunter ––cronjob \
) | /bin/mail –s ’rkhunter output’ root
This script performs a version check, updates your databases, runs Rootkit Hunter in a mode conducive to cron (––cronjob disables colored output and ––report-warnings-only sets a severity level), and then mails the results to root. You should run this script as root, via cron, at least once a day.
Rootkit Hunter performs a similar function as chkrootkit. However, it works in a different manner and offers some additional features, such as storing information in live databases. Which one should you use? Since both are open source and are free to download and use, install both, see how each one works behind the scenes, and choose the one that best suits your needs and your environment.
Jeremy Garcia is the founder and administrator of LinuxQuestions.org, a free, friendly, and active Linux community. Please send questions and feedback to