Linux Rootkit and rkhunter

What is a Rootkit?

A rootkit is malicious software that an attacker installs after obtaining the privileged root account on a Unix-like system, in order to keep that access and to hide it. A classic user-space rootkit replaces standard commands (ls, ps, netstat, chmod, etc.) with trojaned versions that conceal the attacker's processes, files and network connections; a kernel-level rootkit achieves the same by hooking the kernel itself, so that even unmodified commands return false information.

Protection against Rootkits - keep the operating system up to date

Internet-facing servers are naturally the most exposed and therefore the most at risk.
It is important to upgrade the operating system on a regular basis so that newly discovered security vulnerabilities are closed quickly. On Debian or Ubuntu the following commands load these updates; apt verifies the signatures of the package lists itself against the keys installed on the system, so no separate signature check needs to be run:
  sudo apt-get update
  sudo apt-get dist-upgrade

Backdoor and Rootkit Scanner

Another way to increase the security of a Linux installation is a backdoor and rootkit scanner.
Such a scanner takes a cryptographic fingerprint (a hash) of each important system file, together with the file's metadata, and stores these in a database. On every later run it recomputes the fingerprint of each file and compares it with the stored entry; a mismatch exposes a modified file and thereby an intruder. Two entries of the database look like this:
 File:/usr/sbin/adduser:c13b9da612696de6984f7d95349f4ergerrecdc002b0b:1126344004:0755:0:0:34472:1337114921::
 File:/usr/sbin/chroot:dc876ef4e82b3220bd756a2423423453f70590350f9:1126334542:0755:0:0:34396:1359234657::

Furthermore, the scanner searches for other clues of a compromised system.

Rkhunter Tutorial

rkhunter is such a backdoor and rootkit scanner and is packaged for Debian and Ubuntu.

Installation

On Debian or Ubuntu the following command installs the scanner:
  sudo apt-get install rkhunter

Configuration of whitelist of suspicious files

/usr/bin/unhide.rb is an example of a file that is legitimate but gets reported as suspicious.
The configuration file of rkhunter is /etc/rkhunter.conf; rkhunter also reads /etc/rkhunter.conf.local, which is the right place for local overrides that should survive package upgrades.

Here various aspects can be set, including where the database, the log files etc. are located.
Debian's rkhunter flags '/usr/bin/unhide.rb' because a command it expects to be a binary turns out to be a script. To suppress this false warning, add the following line to rkhunter.conf (the option may be repeated, one path per line):
 SCRIPTWHITELIST=/usr/bin/unhide.rb


The signature algorithm

The hash algorithm that is preset is sha1sum. SHA-1 (Secure Hash Algorithm 1) was developed by the American National Security Agency and published in 1995. It is no longer considered secure: a practical collision attack (SHAttered) was published in February 2017. For a file-integrity database the property that matters is second-preimage resistance, which has not been broken, but a stronger algorithm costs nothing here; the HASH_CMD option in rkhunter.conf selects it, for example HASH_CMD=SHA256. Keep in mind as well that a rootkit which has already replaced the hashing tool, the shell or the kernel can feed the scanner false data, so the scan is only as trustworthy as the system it runs on.

The rkhunter database

The database is located by default in /var/lib/rkhunter/db/.
The file rkhunter.dat holds the stored hashes and file properties, and the file rkhunter_prop_list.dat the list of files to check.
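To make the mechanism behind rkhunter.dat concrete, here is an added Python example (not rkhunter's own code) that builds a file-property database in the colon-separated layout of the records shown in the "Backdoor and Rootkit Scanner" section, then verifies the files against it. The meaning given to the numeric fields after the hash (mtime, permission mode, uid, gid, size, inode) is an assumption made for this example; the three files it records are created in a temporary directory, and one of them is overwritten with a same-length payload and one deleted to show what the comparison reports.

```python
"""File-property database in the style of rkhunter.dat.

Added illustration, not rkhunter's own code.  Records use the colon-separated
layout shown on the page; the meaning given to the numeric fields after the
hash (mtime, mode, uid, gid, size, inode) is an assumption for this example.
"""
import hashlib
import os
import stat
import tempfile

HASH_ALGO = "sha1"   # the page's default; pass algo="sha256" for a modern choice
FIELDS = ("hash", "mtime", "mode", "uid", "gid", "size", "inode")


def file_hash(path, algo=HASH_ALGO):
    """Hex digest of the file contents, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path, algo=HASH_ALGO):
    """One 'File:...' record for path, in the layout of the page's examples."""
    st = os.stat(path)
    fields = ["File", path, file_hash(path, algo),
              str(int(st.st_mtime)),
              "%04o" % stat.S_IMODE(st.st_mode),
              str(st.st_uid), str(st.st_gid), str(st.st_size), str(st.st_ino),
              ""]                      # unused trailing field, as in the page's records
    return ":".join(fields) + ":"


def parse_record(line):
    """Parse a 'File:' record back into a dict of typed fields."""
    parts = line.rstrip("\n").split(":")
    if parts[0] != "File" or len(parts) < 9:
        raise ValueError("not a File record: %r" % line)
    return {"path": parts[1], "hash": parts[2], "mtime": int(parts[3]),
            "mode": parts[4], "uid": int(parts[5]), "gid": int(parts[6]),
            "size": int(parts[7]), "inode": int(parts[8])}


def build_db(paths, algo=HASH_ALGO):
    """Record every given path, as 'rkhunter --propupd' does for its file list."""
    return "".join(fingerprint(p, algo) + "\n" for p in sorted(paths))


def verify_db(db_text, algo=HASH_ALGO):
    """Compare stored records with the files as they are now.

    Returns {path: [changed field names]}; [] means unchanged and
    ['missing'] means the file no longer exists.
    """
    findings = {}
    for line in db_text.splitlines():
        if not line.startswith("File:"):
            continue
        stored = parse_record(line)
        path = stored["path"]
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = parse_record(fingerprint(path, algo))
        findings[path] = [k for k in FIELDS if stored[k] != current[k]]
    return findings


def demo():
    """Create three files, record them, then tamper with one and delete one."""
    d = tempfile.mkdtemp(prefix="rkdemo-")
    unchanged = os.path.join(d, "adduser")
    trojaned = os.path.join(d, "chroot")
    deleted = os.path.join(d, "unhide.rb")
    for p in (unchanged, trojaned, deleted):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho original %s\n" % os.path.basename(p))
        os.chmod(p, 0o755)
    db = build_db([unchanged, trojaned, deleted])

    # Same-length replacement: size, mode and inode stay identical, so only
    # the hash (and possibly the mtime) gives the tampering away.
    with open(trojaned, "w") as f:
        f.write("#!/bin/sh\necho trojaned %s\n" % os.path.basename(trojaned))
    os.remove(deleted)

    return verify_db(db), unchanged, trojaned, deleted


if __name__ == "__main__":
    findings, *_ = demo()
    for path, changed in findings.items():
        print("%-40s %s" % (path, "OK" if not changed else "WARNING: " + ", ".join(changed)))
```

The point of the same-length overwrite is that a size or mtime check alone would miss it; only the content hash is reliable, which is why rkhunter stores one for every file on its list.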

Verify your system - rkhunter --check


In order to check your system, run
   rkhunter --check

The system is then examined and any warnings and signs of an attack are displayed. For unattended runs, for example from cron, the options --sk (skip the keypress prompts) and --rwo (report warnings only) are useful.
A log file with detailed messages is written to
  /var/log/rkhunter.log
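To see what a check leaves behind in the log and how a whitelist entry takes a known-good script out of the picture, here is an added Python example (not rkhunter's own code) covering both the whitelist section above and rkhunter --check. It parses the Warning lines from a constructed rkhunter.log excerpt and matches the "replaced by a script" warning against SCRIPTWHITELIST entries from a constructed rkhunter.conf fragment. The line layout ('[HH:MM:SS] text', continuation lines indented under a Warning line) and the file and hash values in the excerpt are assumptions modelled on rkhunter's log; on a real system rkhunter applies the whitelist itself, so this only mirrors that effect for the reader.

```python
"""Triage of rkhunter --check output from /var/log/rkhunter.log.

Added example, not part of rkhunter.  The log excerpt and the config
fragment below are constructed for this example; the line layout
('[HH:MM:SS] text', continuation lines indented under a 'Warning:' line)
is an assumption modelled on rkhunter's log.
"""
import re

SAMPLE_LOG = """\
[16:44:07] Info: Starting test name 'properties'
[16:44:07] Checking file properties
[16:44:07]   /usr/sbin/adduser                             [ OK ]
[16:44:07]   /usr/bin/ps                                   [ Warning ]
[16:44:07] Warning: The file properties have changed:
[16:44:07]          File: /usr/bin/ps
[16:44:07]          Current hash: 3f786850e387550fdab836ed7e6dc881de23001b
[16:44:07]          Stored hash : e242ed3bffccdf271b7fbaf34ed72d089537b42f
[16:44:07]   /usr/bin/unhide.rb                            [ Warning ]
[16:44:07] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text executable
[16:44:08] Info: End of test name 'properties'
[16:44:09] Info: Starting test name 'filesystem'
[16:44:09] Warning: Hidden directory found: /dev/.udev
[16:44:10] Info: End of test name 'filesystem'
"""

SAMPLE_CONF = """\
# constructed rkhunter.conf fragment: whitelist the one script we know about
SCRIPTWHITELIST=/usr/bin/unhide.rb
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (.*)$")
SCRIPT_REPLACED_RE = re.compile(r"^The command '([^']+)' has been replaced by a script:")


def parse_warnings(log_text):
    """Return one dict per 'Warning:' line: {time, message, details}.

    Indented lines directly following a warning (the 'File:' /
    'Current hash:' block) are collected as that warning's details.
    """
    found, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            current = None
            continue
        time, body = m.groups()
        if body.startswith("Warning: "):
            current = {"time": time, "message": body[len("Warning: "):], "details": []}
            found.append(current)
        elif current is not None and body.startswith("    "):
            current["details"].append(body.strip())
        else:
            current = None
    return found


def script_whitelist(config_text):
    """Paths listed in SCRIPTWHITELIST= lines (the option may be repeated)."""
    paths = set()
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "SCRIPTWHITELIST":
            paths.add(value.strip().strip('"'))
    return paths


def triage(log_text, config_text):
    """Split warnings into those explained by the whitelist and open ones.

    Only the 'replaced by a script' warning is matched against
    SCRIPTWHITELIST; everything else stays open and needs a human look.
    """
    allowed = script_whitelist(config_text)
    explained, open_warnings = [], []
    for w in parse_warnings(log_text):
        m = SCRIPT_REPLACED_RE.match(w["message"])
        (explained if m and m.group(1) in allowed else open_warnings).append(w)
    return explained, open_warnings


if __name__ == "__main__":
    explained, pending = triage(SAMPLE_LOG, SAMPLE_CONF)
    print("%d warning(s) covered by SCRIPTWHITELIST, %d still open" % (len(explained), len(pending)))
    for w in pending:
        print("[%s] %s" % (w["time"], w["message"]))
        for d in w["details"]:
            print("           " + d)
```

The changed-hash warning for /usr/bin/ps is the one that deserves attention: either the file was legitimately updated by a package upgrade and the database needs refreshing, or it was replaced by something else, and the log alone cannot tell the two apart.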

Update the fingerprints

After a legitimate change to a monitored file, for example after an apt-get dist-upgrade, the stored fingerprints must be refreshed with the command rkhunter --propupd, otherwise every updated binary is reported on the next check. Run it only on a system you have reason to trust: refreshing the database on a compromised machine records the rootkit's files as the new baseline.


Status: Published Date: 2017/06/05 14:13:03 Revision: 1.1

Copyright by Andreas Haack (C) 2014. This page is provided as is, without any warranty of fitness for a particular purpose. The links placed on this page lie outside the editorial responsibility of Andreas Haack, and no liability or guarantee is assumed for them. The pages are Copyright (c) 2014 by Andreas Haack. No part may be published without the written consent of Andreas Haack.
The page is provided 'as is', without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and non-infringement. In no event shall Andreas Haack be liable for any claim, damages or other liability. This page is copyrighted property of Andreas Haack. Copyright by Andreas Haack (c) 2014. No part of this page may be published without written permission from Andreas Haack. A hyperlink may be created to this page but NOT to the embedded elements of this page. It may be freely downloaded for private purposes only as long as it is unaltered.