Rkhunter installation

March 28th, 2010 by vicky

Rkhunter is an intrusion detection program for Linux which is widely used by server administrators. It sometimes raises a false alarm, but most of the time you do need to check the problematic areas Rkhunter points out.

NEW: November 30th 2009 – Rkhunter v1.3.6 is available and this how-to has been updated.

Use these commands to install it:

wget 'http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz?use_mirror=freefr'

tar xvfz rkhunter*
cd rkhunter-1.3.6
./installer.sh --layout oldschool --install

Note the installation difference: my command uses the old layout for installing rkhunter. If you do not have rkhunter installed, or want it installed elsewhere, follow the install script's instructions; using "--layout default" may be a good option.

Also, you will need to update the config file, because it is different from the previous version's. Do so by using this command:

cp /etc/rkhunter.conf /usr/local/etc/rkhunter.conf

It worked for me. Inspect the config file before usage.

After successful installation you can remove this rkhunter-1.3.6 directory.

At this point it is a good idea to create a cron job that runs Rkhunter regularly and emails the results to the root mailbox. Run

crontab -e

and insert these lines in there:

10 0 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1 # updates Rkhunter's database
25 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet # runs it in cronjob mode

That’s it! Enjoy this fine piece of software :-)
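The second cron line above writes a log file and mails whatever it prints to root. As an added example (not code from the original post or from the rkhunter project), here is a small POSIX shell triage of that log which counts the OK / Warning / Whitelisted results and prints only the "Warning:" detail lines; the log lines it uses are constructed for the demo and only mimic the "[HH:MM:SS] ... [ Warning ]" layout of an rkhunter 1.3.x log.

```shell
#!/bin/sh
# Added example, not code from the original post or from the rkhunter project:
# triage the log written by the nightly cron run above and surface only what
# needs investigating. The log lines below are constructed for the demo and
# mimic the "[HH:MM:SS] ... [ Warning ]" layout rkhunter 1.3.x writes.

# Write a constructed sample log to the path given in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
[00:25:01] Info: Start date is Sun Mar 28 00:25:01 CET 2010
[00:25:02] Checking file /usr/bin/ssh                           [ OK ]
[00:25:02] Checking file /usr/bin/passwd                        [ Warning ]
[00:25:02] Warning: The file properties have changed:
[00:25:02]          File: /usr/bin/passwd
[00:25:03] Checking for passwordless accounts                   [ Whitelisted ]
[00:25:03] Checking if SSH root access is allowed               [ Warning ]
[00:25:03] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[00:25:04] Info: End date is Sun Mar 28 00:25:04 CET 2010
EOF
}

# Count test results carrying a given tag ("OK", "Warning", "Whitelisted").
# $1 = log file, $2 = tag. Prints 0 (not an error) when the tag never appears.
rkh_count() {
    grep -c "\[ $2 \]" "$1" || true
}

# Print the "Warning:" detail lines with the timestamp stripped: these are the
# lines an administrator actually has to look at in the morning.
rkh_warnings() {
    grep 'Warning: ' "$1" | sed 's/^\[[0-9:]*\] //'
}

# Return 0 when the run was clean and 1 when any warning was recorded, so the
# function can gate a mail to root: rkh_check_log /var/log/rkhunter.log || mail ...
rkh_check_log() {
    n=$(rkh_count "$1" Warning)
    [ "$n" -eq 0 ] && ! grep -q 'Warning: ' "$1"
}

# Stand-alone demo on the constructed log.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "OK: $(rkh_count "$LOG" OK)  Warning: $(rkh_count "$LOG" Warning)  Whitelisted: $(rkh_count "$LOG" Whitelisted)"
rkh_warnings "$LOG"
if rkh_check_log "$LOG"; then echo "clean run"; else echo "warnings found, mail root"; fi
rm -f "$LOG"
```

Point the functions at the real log (/var/log/rkhunter.log by default) to use them from a cron wrapper; the "Whitelisted" tag is the one introduced in the 1.3.6 changelog below, so whitelisted passes stay visible in the counts.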

Here is the changelog for version 1.3.6: (date is in European format)

* 1.3.6 (30/11/2009)

New:
- Added ZK rootkit check.
- German translation provided.
- Added the IGNORE_PRELINK_DEP_ERR option to the configuration file. This
option can be used when a persistent prelink dependency error occurs.
Further details of its use are in the configuration file.
- Added CX rootkit check.
- Added the USER_FILEPROP_FILES_DIRS configuration option. This allows
users to add further files and directories to the file properties
check. Details are in the configuration file. The installer program
will automatically add the configuration file pathname to this option.
- Added the EPOCH_DATE_CMD configuration option. In the file properties
test any modification date/times will now be displayed in human-readable
format as well as the number of epoch seconds. This option can be used
to specify the command to use if the ‘date’ or ‘perl’ commands cannot
convert epoch seconds.
- Added the COPY_LOG_ON_ERROR configuration option. When set this will
take a copy of the log file if any errors or warnings have occurred.
- Added the WEBCMD configuration option. This allows users to specify
the command used to download data file updates from the Internet.
- It is now possible to put configuration changes into a local config
file. This file, called ‘rkhunter.conf.local’, must be in the same
directory as the main configuration file. Rkhunter will look for
configuration options in the main config file, and then in the local
config file if it exists. As before, for options allowed only once,
the last one seen is used. For options allowed more than once, all
options from both files will be used.
- Added the SHARED_LIB_WHITELIST configuration option to allow the
whitelisting of preloaded shared libraries.
- Made some minor changes to enable support for SliTaz Linux.
- Added the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE configuration
options. During the file properties check there are some O/S tests
performed to see if the O/S has changed since the last run of
‘rkhunter --propupd’. By default if something has changed, then a
warning is shown. If the WARN_ON_OS_CHANGE option is unset, then no
warnings will be shown. If the UPDT_ON_OS_CHANGE option is set, and
the O/S has changed, then rkhunter will automatically update the file
properties file (in effect, it will run ‘rkhunter --propupd’).
- The installer now has a ‘--overwrite/-o’ option. When used this will
overwrite the existing configuration file. This allows a site to check
the new config file (at least once) for changes, and then modify their
own ‘rkhunter.conf.local’ file as required. This option can then be
used to have the installer overwrite the default config file. It saves
having to move the new default config file into place on each computer.
- Locking is now possible when rkhunter runs. This prevents RKH running
more than once and corrupting any modified files such as the log file,
or the file properties file. New configuration options have been added
to handle the locking, and the configuration file contains details of
how the locking works. The default is not to use locking.
- Added support for hash functions SHA224, SHA256, SHA384 and SHA512 using
perl modules Digest-SHA-PurePerl or SHA256, both available at CPAN.
- Added the UPDATE_LANG configuration option. This can be set to those
language files the user wants to be updated when the ‘--update’ option is
used. Since most sites may only use one language, this can reduce the
network bandwidth used. The default is to update all the languages. The
configured default language, and English (en), are always updated.
- Added the ALLOWPROMISCIF configuration option. This can be used to
specify network interfaces which are allowed to be in promiscuous mode.
- Added the SCANROOTKITMODE configuration option. If set to “THOROUGH” then
the scanrootkit function will search for filenames in all directories.
While still not optimal this is one step away from the rigidity of
searching only in known locations. Enabling this feature implies you have
the knowledge to interpret results properly.
- Added OSX rootkit check.
- Added weaponX rootkit check.
- Added the PKGMGR_NO_VRFY configuration option. This allows specified
files to be exempt from the package manager verification process. Now
that users can include their own files into the file properties check,
it is possible that changed packaged files will cause a warning to be
issued. This option allows those files to skip the package manager
verification, and be treated as non-packaged files.
- Added cb rootkit check.
- Added Fu rootkit check.
- Added ld-linuxv.so.1 LD_PRELOAD check.
- Added Adore Rootkit aka strings.o rootkit aka Dextenea check.
- Added iLLogiC rootkit check.
- Added ‘Spanish’ rootkit check.
- Added Xzibit rootkit check.
- Added trNkit rootkit check.

Changes:
- Removed the ‘os_specific’ test for OpenBSD. The *BSD test is currently
only applicable to NetBSD and FreeBSD.
- Updated the ENYE LKM check.
- The ‘--debug’ option no longer needs to be the first option on the
command line.
- Improved support for Macs, which now use the bash shell by default. Includes
logging of whether 64-bit is available.
- When uninstalling rkhunter, old versions of the document directory
(usually /usr/local/share/doc/rkhunter-*) will now be removed.
- The warnings from the passwd and group file changes tests are now
more specific about what has changed.
- Small change to the detection of Source Mage Linux.
- Renamed part of the ‘shared_libs’ test to display that it is checking
for preloaded libraries, rather than just the preload file. The pathname
of the preload file is now logged, and any found shared library files are
now logged as a warning.
- The SYSLOG_CONFIG_FILE configuration option can now take the value of
‘NONE’ to indicate that there is no syslog configuration file, despite
the fact that syslogd may be running.
- Some tests will now show their result as ‘Whitelisted’. If a test uses a
configuration option, and this has been set, and the test passes – giving
a green result – then it will now be shown as ‘Whitelisted’. The user can
now see that a test has either passed correctly – an ‘OK’ or ‘Not found’
type result – or has passed because the test requirements have been
whitelisted. It is for the user to investigate if this is correct or not.
(This change does not currently apply to all relevant tests.)
Additionally, the configuration option WHITELISTED_IS_WHITE can be set
if the ‘Whitelisted’ result is to be shown in white rather than green.
For color set two users this will be shown in black.
- Improved the O/S name detection slightly for those systems which only
provide a version number.
- Rkhunter now ensures that the output from the ‘lsattr’ command, or
‘ls -lno’ on *BSD systems, and the ‘file’ command is valid. That is, it
produces something on stdout. If it doesn’t, then the ‘immutable’ and/or
‘scripts’ test is skipped.
- Changed the RPM spec file so as not to verify the checksum, size and mtime
of the database files and the i18n files. These files may be changed by
rkhunter itself.
- The installer now uses the ‘default’ layout by default. It is no longer
necessary to specify the layout at all if the default is to be used.
The ‘--layout’ option no longer needs to be the first option specified
if it is used.
- Improved Fleakit Linux Rootkit checks.
- Improved SHV4 Rootkit checks.
- Improved beX2 Rootkit check.
- Improved Phalanx2 Rootkit check to include Phalanx version 2.3d as reported
in ticket 2839813, including a PHALANX2_DIRTEST configuration option which
enables scanning for directory names and accepts the value ‘0’ for default
directory names to search for and ‘1’ for scanning the /etc and /usr
directories for directory names ending in ‘.p2’ at the expense of a slightly
longer running time. Absence of the configuration option selects value ‘0’.
- Improved Ambient (ark) Rootkit check.
- Improved BOBkit Rootkit check.
- Improved Dica-Kit Rootkit check.
- Improved Evil strings test.
- Improved Possible rootkit files and directories test.
- Improved Suspicious startup file strings test.
- Improved Suspicious open files test.
- Improved Known bad Linux kernel modules test.
- Improved Dreams Rootkit check.
- Improved Universal Rootkit (URK) check.
- Improved FreeBSD Rootkit (FBRK) check and removed standalone ImperialS version.

Bugfixes:
- When using the Korn shell the application check could give a spurious
error printing out ‘-1’.
- The debug code only partially worked when using the Korn shell.
- Fixed the option parsing in the configuration file such that leading
and trailing whitespace are now correctly removed.
- When displaying the list of checked rootkit names, the list was supposed
to be sorted.
- If the ‘--list’ option was used more than once with the same argument
(e.g. ‘--list tests --list tests’), it displayed the wrong information.
- The rootkit strings check wasn’t logging a warning for the particular
string found. It was, however, displaying an overall test failure
warning on the screen though.
- The rootkit file whitelisting wasn’t applied to the startup script
malware check. Also the summary wasn’t showing if any possible rootkits
had been found or not.
- If the ‘--propupd’ option was used with either of the ‘--enable/--disable’
command-line options, then the file properties would not be stored.
However, if, for example, the ‘hashes’ test was enabled, then only these
would be stored. In all cases the relevant test was not run after the
file properties were obtained, unless the ‘--check’ option was also used.
- The installer now uses a basic ‘echo’ command. Hopefully it should work
on all UNIX/Linux systems, and avoid any further ‘-e’s being displayed.
- Changed how rkhunter detects the Korn shell, and added a test to see if
the ‘echo -e’ command works or not. As with the installer, this should
allow rkhunter to work on all UNIX/Linux systems, and avoid any further
‘-e’s being displayed.
- When converting the case of characters, unpredictable results could
occur when other languages were specified (via LANG). We now use character
classes rather than the ‘a-z’ and ‘A-Z’ ranges.
- For the ‘ports’ test ensure that only local ports are checked. Also if a
port is whitelisted, the result will say so.
- Using ‘--hash MD5 --propupd’ on a prelinked system caused an error.
- If a non-existent syslog config file was put into the RKH configuration
file, then rkhunter incorrectly said that it was found.
- If the use of prelinking changed, and the ‘hashes’ test was disabled, then
rkhunter correctly logged a warning (of an O/S change) but did not display
it unless the ‘--rwo’ option was used. It now displays the warning whether
‘--rwo’ is used or not.
- The ‘group_accounts’ test now checks /etc/passwd, as well as the shadow
file, for passwordless accounts.
- If the passwd file did not exist, then a warning of this was logged three
times. It is now logged once as a warning, and as an info message for the
other times.
- It was possible for the network ports test to incorrectly display a warning
due to an uninitialised variable.
- The SSH configuration file tests now allow for leading spaces/tabs.
- When using the ‘--debug’ option, and running the ‘suspscan’ test, the debug
file itself could be logged as suspicious. It is now skipped from the test.
- Ensure the /proc/ksyms or /proc/kallsyms file is readable before using it.
- If the mirrors.dat file has been locally modified to provide a mirror, then
the installer will no longer overwrite the file.
