I've been using Rootkit Hunter on my servers for a while now and am
aware that perhaps I don't use it to its full extent. So I took the trouble to investigate. It's a path-based rootkit
detector, so it's mostly looking for file/directory names and strings that it deems as evil but it also does a bunch of
other stuff. Its purpose is not to protect my servers against attack but to ring alarm bells when the attacker has got in.
The alarm arrives as an e-mail and it does take a bit of tweaking to weed out the false positives.
I suppose I shouldn't be surprised but certainly Ubuntu's rkhunter
package lags behind someway version-wise, I would
have thought "anti-virus"-type apps get the full update treatment, especially as newly-detected rootkits are introduced in
new versions, but hey ho, installation from upstream is a cinch.
You can get the latest version from the rkhunter official site and installation is as
easy as running a script. It adds such things as a man page, a logrotate script and cron-jobs which saves you a lot of work.
Make sure you have binutils
and unhide
packages installed (we're talking debian-based); roll on the
project to match package names across distributions
You also may want skdet which you can build from source or easier (for me!)
convert the provided rpm using alien
into a deb file and just install that.
The config file is found at /etc/rkhunter.conf although as suggested in the docs I create a local config file
rkhunter.conf.local this makes it easier to copy the config elsewhere and be aware of you changes. Here's a few choice
morsels :
PKGMGR=DPKG
ENABLE_TESTS="all"
DISABLE_TESTS="os_specific apps trojans"
STARTUP_PATHS="/etc/init.d /etc/rc.local"
SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
SCAN_MODE_DEV=THOROUGH
UNHIDE_TESTS="sys proc procfs reverse"
PKGMGR Despite warnings in the Ubuntu-package rkhunter.conf the DPKG option doesn't seem to extend the test immeasurably
so I change it from NONE because the most annoying false positives are those related to packages that you've updated
the day before. However the built-in file properties check is far more thorough in its search for file changes than the
dpkg version so this is a trade-off you might not like to make.
DISABLE_TESTS "os_specifics" is out for me because it's looking for kernel modules and none of my servers use them.
The "apps" test is out because I already use cron-apt to make sure that
the machine pesters me 'til I update it. The "trojans" test looks for an Apache backdoor (I use nginx)
and also looks for inetd/xinetd which are not installed by default and I wouldn't dream of installing (less services
provided the better!)
STARTUP_PATHS You need to add in /etc/init.d on an Ubuntu system.
SYSLOG_CONFIG_FILE This is rsyslog again on an Ubuntu system, not syslog.
UNHIDE_TESTS This adds tests other than the default sys. NB. I get false positives with the brute option. Note also
I don't have unhide.rb on my system beacuse I don't want to install Ruby (KISS). The
Ruby version is a rewrite of the original and is allegedly quicker and more descriptive once it finds something.
OK, that's all for now, here's hoping for only false positives!