This article details how to install and use rkhunter, the Rootkit Hunter anti-rootkit utility, on Ubuntu Server 16.04.
Install and Update rkhunter
root@ubuntu:/# apt-cache madison rkhunter
  rkhunter | 1.4.2-5 | http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
  rkhunter | 1.4.2-5 | http://us.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
root@ubuntu:/# apt-get install rkhunter
root@ubuntu:/# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter version...
  This version  : 1.4.2
  Latest version: 1.4.2
root@dhcp-146-6-110-124:/# rkhunter --update
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
root@dhcp-146-6-110-124:/# rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 176 files, found 141
Run a Scan
root@dhcp-146-6-110-124:/# rkhunter -c --enable all --disable none
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    [etc.]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    [etc.]

  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for deleted files             [ Warning ]
    Checking running processes for suspicious files          [ None found ]
    Checking for hidden processes                            [ None found ]
    Checking for files with suspicious contents              [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]
    Suspicious Shared Memory segments                        [ None found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    Checking for hidden ports                                [ None found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]
    Checking for packet capturing applications               [ Warning ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Not allowed ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

Checking application versions...

  Checking version of GnuPG                                  [ OK ]
  Checking version of OpenSSL                                [ OK ]
  Checking version of PHP                                    [ OK ]
  Checking version of OpenSSH                                [ OK ]

System checks summary
=====================

File properties checks...
  Files checked: 141
  Suspect files: 0

Rootkit checks...
  Rootkits checked : 376
  Possible rootkits: 1
  Rootkit names    : RH-Sharpe's Rootkit

Applications checks...
  Applications checked: 4
  Suspect applications: 0

The system checks took: 1 minute and 23 seconds

All results have been written to the log file: /var/log/rkhunter.log
If you don’t want to see all the checks, you can print only the warnings and positives instead:
root@ubuntu:/# rkhunter -c --enable all --disable none --rwo
Warning: RH-Sharpe's Rootkit                                 [ Warning ]
         File '/usr/bin/wp' found
Warning: The following processes are using deleted files:
         Process: /usr/sbin/php-fpm7.0    PID: 1202    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/php-fpm7.0    PID: 1226    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/php-fpm7.0    PID: 1227    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/mysqld    PID: 1385    File: /tmp/ibTO4TLs
Warning: Process '/sbin/dhclient' (PID 1027) is listening on the network.
Interpreting the Results
In this case, /usr/bin/wp is an installation of WP-CLI. PHP-FPM’s ZendSem files are lock files created by the Zend OPcache, and MySQL’s ib files are InnoDB temporary files (actually Percona XtraDB, since I’m using MariaDB). dhclient is the Ubuntu DHCP client and it’ll be listening on any system using DHCP.
If you want to whitelist these entries, you can edit the rkhunter configuration file:
root@ubuntu:/# vi /etc/rkhunter.conf
And add entries like these:
ALLOWPROCDELFILE=/usr/sbin/php-fpm7.0
ALLOWPROCDELFILE=/usr/sbin/mysqld
ALLOWPROCLISTEN=/sbin/dhclient
Personally, I like to see all the warnings, even those that I’m reasonably certain are false positives.
You can probably see by now that rkhunter is really only useful as part of a wider strategy: correct hardening of your system, access control, and monitoring of your filesystem using checksum tracking systems like OSSEC or Samhain. And obviously the results of all checks should be stored elsewhere, since a hacker can certainly change what is being reported in your logfiles.
Running rkhunter Automatically
root@ubuntu:/# crontab -e
Add a cron job that runs at midnight every day:
00 00 * * * /usr/bin/rkhunter --cronjob --update --quiet
The --cronjob option tells rkhunter to run without interaction, the --update option ensures that definitions are updated, and the --quiet option suppresses all output. If MAIL-ON-WARNING="your_email@your_domain.com" is set in rkhunter.conf, and MAIL_CMD is valid, rkhunter will then mail you the results of its nightly check.
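As an alternative to whitelisting in rkhunter.conf, the following added example (not code from the article) keeps every warning in the --rwo report but compares it against a baseline of warnings already triaged, so a cron job can alert only on lines that have not been seen before. The --rwo sample, the baseline patterns and the "deploy" user line are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): review wrapper around `rkhunter --rwo` that keeps every
# warning in the report but only treats lines absent from a triaged baseline as "new", so cron
# can alert on those alone. The --rwo sample and the baseline below are constructed.

# Constructed stand-in for `rkhunter -c --enable all --disable none --rwo` output.
sample_rwo() {
  cat <<'EOF'
Warning: RH-Sharpe's Rootkit [ Warning ]
         File '/usr/bin/wp' found
Warning: The following processes are using deleted files:
         Process: /usr/sbin/php-fpm7.0    PID: 1202    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/mysqld    PID: 1385    File: /tmp/ibTO4TLs
Warning: Process '/sbin/dhclient' (PID 1027) is listening on the network.
Warning: User 'deploy' has been added to the passwd file.
EOF
}

# Baseline: one extended regex per triaged warning. PIDs and temp-file suffixes
# change from run to run, so they are wildcarded rather than matched literally.
baseline_patterns() {
  cat <<'EOF'
^Warning: RH-Sharpe's Rootkit
^ *File '/usr/bin/wp' found$
^Warning: The following processes are using deleted files:
^ *Process: /usr/sbin/php-fpm7\.0 .*File: /tmp/\.ZendSem\.
^ *Process: /usr/sbin/mysqld .*File: /tmp/ib
^Warning: Process '/sbin/dhclient' \(PID [0-9]+\) is listening on the network\.$
EOF
}

# Read --rwo output on stdin and print only lines matching no pattern in file $1.
# grep exits 1 when nothing is left, which is the good outcome, hence `|| true`.
filter_new() { grep -Ev -f "$1" || true; }

# Count top-level "Warning:" lines not covered by the baseline. A real deployment
# would pipe `rkhunter -c --rwo` here instead of sample_rwo.
count_new_warnings() {
  pat=$(mktemp)
  baseline_patterns > "$pat"
  n=$(sample_rwo | filter_new "$pat" | grep -c '^Warning:' || true)
  rm -f "$pat"
  echo "$n"
}

# Exit 0 when nothing new turned up, 1 otherwise (suitable as a cron job body).
scan_clean() { [ "$(count_new_warnings)" -eq 0 ]; }
```

Run from cron, a non-zero exit from scan_clean (or the filtered lines themselves) is what gets mailed, while the full --rwo output can still be shipped off-box for the record.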