[EN] Rootkit Hunter - Checking Linux for Rootkits

In this article I would like to introduce the tool rkhunter(Rootkit Hunter). This software makes it easy to scan your system for known / conspicuous rootkits.
Rkhunter is by no means the only tool. Another well-known is chrootkit

Image Source

What are rootkits

A rootkit is simply expressed software that disguises logins, processes or files on a compromised system. Often these are combined with back doors to allow easier access to the target system as an attacker. I do not want to go into the different types and characteristics any further at this point - but I would be happy to write a separate contribution on request.

Installation and setup

Debian based distributions can install rkhunter as usual with
apt-get install rkhunter or download from Sourceforge.

The following update with the command rkhunter --update caused an error for me:

This can be fixed by making the following changes in /etc/rkhunter.conf:

 UPDATE_MIRRORS=0       -> UPDATE_MIRRORS=1
 MIRRORS_MODE=1         -> MIRRORS_MODE=0
 WEB_CMD="/bin/false"   -> WEB_CMD=""

Use

The system is scanned as follows: rkhunter -c --skip-keypress

The system is searched for incorrect file permissions, suspicious strings in kernel modules, created folders, etc. In addition, hash values of existing files are checked.

In order to get more detailed information about the possible finds you should have a look at the warnings in the logs:

grep Warning /var/log/rkhunter.log

There is also the possibility of certain whitelist warnings (etc/rkhunter.conf).

Conclusion

rkhunter alone does not guarantee that there is no rootkit on the system, yet it provides a good overview and is easy to use. If many systems are to be monitored, it makes sense to run the scan regularly via cron-jobs and to send a mail if warnings occur.

Thank you for reading !