Rootkit Hunter
Vendor: Rootkit Hunter project team
Developer: Rootkit Hunter project team
License: opensource
Web: http://rkhunter.sourceforge.net
About Rootkit Hunter (rkhunter)
Rootkit Hunter is a shell script called rkhunter that scans your Linux operating system for rootkits, backdoors and other related security issues. It can also be used to test applications.
What are Rootkits?
Rootkits are a type of computer malware that actively hides its existence on a computer, typically by intercepting system calls (but not limited to that means). A rootkit may open what is known as a backdoor into the compromised computer and allow a remote hacker to install software, create user accounts (with root access), change system-wide settings, steal user information (such as, but not limited to, passwords and banking details), log user activities, delete files and/or folders, and carry out other activities. Some rootkits have also been installed by legitimate companies; see http://en.wikipedia.org/wiki/Rootkit#Sony_BMG_copy_protection_rootkit_scandal for more information.
Features
- Comparing MD5 hashes
- Looking for default files used by rootkits
- Checking for wrong file permissions for binaries
- Looking for suspicious strings in LKM and KLD modules
- Looking for hidden files/folders
Installing rkhunter
The package is called rkhunter and can be installed through YaST or your Web browser. To install Rootkit Hunter, follow one of the two ways below:
Using YaST
1) Open YaST (as root, see SDB:Login_as_root for help)
2) Click on Software > Software Management
3) Then click on the "Search" tab (on the top left hand corner of the "Software Management" screen)
4) Then type rkhunter and press Enter, making sure you tick the box next to rkhunter
5) Click on the "Accept" button (bottom right hand corner of the "Software Management" screen)
Using your Web browser
1) Open http://software.opensuse.org/package/rkhunter?search_term=rkhunter
2) Then click the Direct Install option (at the bottom of your screen)
Setting up rkhunter
Open the command-line (the kdesu program in KDE) as root and type the following commands:
This will create a database of file properties, taken from the RPM database, for all installed software on the system.
This will update Rootkit Hunter's definitions of the rootkits out there.
Using rkhunter
Open the command-line (the kdesu program in KDE) as root and type any of the following:
This option will check for rootkits and other security issues present on your system.
This option will list some of the supported capabilities of the program. The tests option lists the currently available test names (see the README file for more details). The languages option lists the currently available languages for rkhunter. The rootkits option lists the rootkits that are searched for by rkhunter. The perl option lists the installation status of the perl command and the perl modules that may be used by some of the tests.
This option will check whether a higher version is available for your system.
This option will display the current version of rkhunter installed on your system.
As the option name suggests, this option displays help for rkhunter.
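As an added example (not from this page), a small POSIX sh wrapper for the set-up and scan steps described above, plus a helper that pulls the warnings out of an rkhunter-style log for triage. It assumes the rkhunter options --propupd, --update, --check, --sk and --rwo, and an exit status of 0 for a clean scan and 1 when warnings were found; the log lines it parses are constructed, not real output.

```sh
#!/bin/sh
# Added example, not from the wiki page: a wrapper for the rkhunter workflow
# described above (baseline, definition update, scan, warning triage).
# Assumed options: --propupd, --update, --check, --sk (skip keypress), --rwo
# (report warnings only); assumed exit status of --check: 0 clean, 1 warnings.

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "rkhunter must be run as root" >&2; return 2; }
}

# Record the file properties of installed packages as the known-good baseline.
# Only do this on a freshly installed or freshly updated, trusted system:
# --propupd accepts whatever is on disk right now, including a rootkit.
rk_baseline() { need_root && rkhunter --propupd; }

# Refresh the rootkit definitions.
rk_update_defs() { need_root && rkhunter --update; }

# Non-interactive scan printing only warnings; returns rkhunter's exit status.
rk_scan() { need_root && rkhunter --check --sk --rwo; }

# Count "Warning:" lines in an rkhunter-style log file.
count_warnings() { grep -c 'Warning:' "$1"; }

# Print only the warning lines (timestamp and message) for triage.
list_warnings() { grep 'Warning:' "$1"; }

# Scan and, if rkhunter reported warnings, show them from the log.
rk_scan_and_triage() {
    rc=0
    rk_scan || rc=$?
    [ "$rc" -eq 1 ] && list_warnings "$RKHUNTER_LOG"
    return "$rc"
}

# Constructed sample log (not real rkhunter output) to exercise the helpers.
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
[10:02:01] Info: Start date is Mon Jan  1 10:02:01 2024
[10:02:03]   /usr/bin/ls                                   [ OK ]
[10:02:04] Warning: The file properties have changed:
[10:02:04]          File: /usr/bin/ps
[10:02:05] Warning: Hidden directory found: /dev/.example
[10:02:09] Info: End date is Mon Jan  1 10:02:09 2024
EOF

echo "warnings in sample log: $(count_warnings "$SAMPLE_LOG")"
list_warnings "$SAMPLE_LOG"
```

Run rk_baseline once after installation, rk_update_defs before each scan, and rk_scan_and_triage from cron so a non-zero exit can raise an alert.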
Further options are described in rkhunter's online man page at http://linux.die.net/man/8/rkhunter.
External links
See also
- Malware information on Wikipedia
- Rootkit information on Wikipedia
- rkhunter's online man page
- http://www.pctools.com/security-news/what-is-a-rootkit-virus/
- http://www.webopedia.com/TERM/R/rootkit.html
- http://www.techrepublic.com/blog/10-things/10-plus-things-you-should-know-about-rootkits/
- root user information on Wikipedia
- system call information on Wikipedia