Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors, and possible exploits. It works by comparing SHA-1 hashes of important files against the known-good values in an online database. It also searches for hidden files, suspicious strings in kernel modules, default rootkit directories, and, optionally, within plain-text and binary files.
Install rkhunter
# cd /tmp
# wget http://ncu.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
# tar -xvf rkhunter-1.4.0.tar.gz
# cd rkhunter-1.4.0
# ./installer.sh --layout default --install
Update rkhunter
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
Cron Job
# nano /etc/cron.daily/rkhunter.sh
Add the following lines to it, replacing “servername” with your server's name and “[email protected]” with the e-mail address that should receive the report.
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (servername)' [email protected]
Change the permission
Set execute permission on the file.
# chmod 755 /etc/cron.daily/rkhunter.sh
Manual Scan
To scan the entire file system, run rkhunter as the root user.
# rkhunter --check
The above command writes the results of the check to the log file /var/log/rkhunter.log. For more information and options, run the following command.
# rkhunter --help
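The daily cron job above mails a report every day, even when rkhunter found nothing. The following wrapper, an added example that is not part of the original page, runs the same three commands, counts the "Warning:" lines in the captured output and only sends mail when there is something to act on. The install path, the recipient and the sample report are assumptions; the report parsing can be tried offline without rkhunter installed.

```shell
#!/bin/sh
# Added example: a quieter replacement for /etc/cron.daily/rkhunter.sh that
# mails only when warnings were reported. Paths and recipient are assumptions.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}   # default layout install path
MAIL_TO=${MAIL_TO:-root}                        # assumption: local root mailbox
HOST=$(hostname 2>/dev/null || echo unknown-host)

# Count the "Warning:" lines in an rkhunter report stored in file $1.
# grep -c exits 1 when nothing matches, so "|| true" keeps the "0" it prints.
count_warnings() {
    grep -c 'Warning:' "$1" 2>/dev/null || true
}

# List the files rkhunter flagged ("File: /path" lines under a warning).
changed_files() {
    sed -n 's/^.*File: //p' "$1"
}

# Exit status 0 when a report should be mailed, 1 when it can stay silent.
should_alert() {
    n=$(count_warnings "$1")
    [ "${n:-0}" -gt 0 ]
}

# Run the same steps as the cron job, capturing everything into a temp file.
run_scan() {
    out=$(mktemp) || return 1
    "$RKHUNTER" --versioncheck >"$out" 2>&1
    "$RKHUNTER" --update >>"$out" 2>&1
    "$RKHUNTER" --cronjob --report-warnings-only >>"$out" 2>&1
    echo "$out"
}

# Write a constructed, rkhunter-style report to $1 for testing the parsing.
write_sample_report() {
    cat >"$1" <<'EOF'
[09:00:01] Warning: The file properties have changed:
[09:00:01]          File: /usr/bin/ssh
[09:00:02] Warning: Hidden file found: /dev/.example
[09:00:03] System checks summary
EOF
}

main() {
    report=$(run_scan) || exit 1
    if should_alert "$report"; then
        /bin/mail -s "rkhunter: $(count_warnings "$report") warning(s) on $HOST" "$MAIL_TO" <"$report"
    fi
    rm -f "$report"
}

# Only scan when invoked as "rkhunter.sh --run" with the binary present.
if [ "${1:-}" = "--run" ] && [ -x "$RKHUNTER" ]; then main; fi
```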