rkhunter on Ubuntu

This article details how to install and use rkhunter, the Rootkit Hunter anti-rootkit utility, on Ubuntu Server 16.04.

Install and Update rkhunter

root@ubuntu:/# apt-cache madison rkhunter
  rkhunter |    1.4.2-5 | http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
  rkhunter |    1.4.2-5 | http://us.archive.ubuntu.com/ubuntu xenial/universe i386 Packages

root@ubuntu:/# apt-get install rkhunter

root@ubuntu:/# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter version...
  This version  : 1.4.2
  Latest version: 1.4.2

root@dhcp-146-6-110-124:/# rkhunter --update
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

root@dhcp-146-6-110-124:/# rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 176 files, found 141

Run a Scan

root@dhcp-146-6-110-124:/# rkhunter -c --enable all --disable none
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
[etc.]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
[etc.]

Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for deleted files             [ Warning ]
    Checking running processes for suspicious files          [ None found ]
    Checking for hidden processes                            [ None found ]
    Checking for files with suspicious contents              [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]
    Suspicious Shared Memory segments                        [ None found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    Checking for hidden ports                                [ None found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]
    Checking for packet capturing applications               [ Warning ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Not allowed ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

Checking application versions...

    Checking version of GnuPG                                [ OK ]
    Checking version of OpenSSL                              [ OK ]
    Checking version of PHP                                  [ OK ]
    Checking version of OpenSSH                              [ OK ]


System checks summary
=====================

File properties checks...
    Files checked: 141
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 376
    Possible rootkits: 1
    Rootkit names    : RH-Sharpe's Rootkit

Applications checks...
    Applications checked: 4
    Suspect applications: 0

The system checks took: 1 minute and 23 seconds

All results have been written to the log file: /var/log/rkhunter.log

If you don’t want to see all the checks, you can print only the warnings and positives instead:

root@ubuntu:/# rkhunter -c --enable all --disable none --rwo
    
Warning: RH-Sharpe's Rootkit                      [ Warning ]
         File '/usr/bin/wp' found
Warning: The following processes are using deleted files:
         Process: /usr/sbin/php-fpm7.0    PID: 1202    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/php-fpm7.0    PID: 1226    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/php-fpm7.0    PID: 1227    File: /tmp/.ZendSem.EpAi8h
         Process: /usr/sbin/mysqld    PID: 1385    File: /tmp/ibTO4TLs
Warning: Process '/sbin/dhclient' (PID 1027) is listening on the network.

Interpreting the Results

In this case, /usr/bin/wp is an installation of WP-CLI. PHP-FPM’s ZendSem files are lock files created by the Zend OPcache, and MySQL’s ib files are InnoDB temporary files (actually Percona XtraDB, since I’m using MariaDB). dhclient is the Ubuntu DHCP client and it’ll be listening on any system using DHCP.

If you want to whitelist these entries, you can edit the rkhunter configuration file:

root@ubuntu:/# vi /etc/rkhunter.conf

And add some stuff like this:

ALLOWPROCDELFILE=/usr/sbin/php-fpm7.0
ALLOWPROCDELFILE=/usr/sbin/mysqld
ALLOWPROCLISTEN=/sbin/dhclient

Personally, I like to see all the warnings, even those that I’m reasonably certain are false positives.

You can probably see by now that rkhunter is really only useful as part of a wider strategy: correct hardening of your system, access control, and monitoring of your filesystem using checksum tracking systems like OSSEC or Samhain. And obviously the results of all checks should be stored elsewhere, since a hacker can certainly change what is being reported in your logfiles.

Running rkhunter Automatically

root@ubuntu:/# crontab -e

Add a cron job that runs at midnight every day:

00 00 * * * /usr/bin/rkhunter --cronjob --update --quiet

The –cronjob option tells rkhunter to run without interaction, the –update option ensures that definitions are updated, and the –quiet option suppresses all output. If MAIL-ON-WARNING=”your_email@your_domain.com” is set in rkhunter.conf, and MAIL_CMD is valid, rkhunter will then mail you the results of its nightly check.

Loading

Leave a Reply

Your email address will not be published. Required fields are marked *