Detect Rootkits with rkhunter

This topic provides steps for installing and using Rootkit Hunter (rkhunter).

About this task

Rootkit Hunter (rkhunter) is a standard tool for the detection of rootkits on Linux. The Ubuntu Linux distribution maintains a package for rkhunter. The complete set of checks that rkhunter performs provides a good security baseline for finding some of the most malicious elements of the offensive security landscape. It is recommended you regularly run the rkhunter --check command and review the contents of the /var/log/rkhunter.log file.

Procedure

  1. Install rkhunter by running: 
    # apt-get install rkhunter
  2. Run a scan for rootkits: 
    # rkhunter --check
    T0rn Rootkit                                        [ Not found ]
    trNkit Rootkit                                      [ Not found ]
    Trojanit Kit                                        [ Not found ]
    Tuxtendo Rootkit                                    [ Not found ]
    URK Rootkit                                         [ Not found ]
    Vampire Rootkit                                     [ Not found ]
    VcKit Rootkit                                       [ Not found ]
    Volc Rootkit                                        [ Not found ]
    Xzibit Rootkit                                      [ Not found ]
    zaRwT.KiT Rootkit                                   [ Not found ]
    ZK Rootkit                                          [ Not found ]
  3. To dive in to additional details of what is actually being checked on the system, refer to the /var/log/rkhunter.log file. For example, in the following example, the scan looked for evidence of the T0rn rootkit and specifically, the existence of the following files were checked (output abbreviated): 
    [21:28:18] Checking for T0rn Rootkit...
[21:28:18]   Checking for file '/dev/.lib/lib/lib/t0rns'     [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/du'        [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/ls'        [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/t0rnsb'    [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/ps'        [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/t0rnp'     [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/find'      [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/ifconfig'  [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/pg'        [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/ssh.tgz'   [ Not found ]
[21:28:18]   Checking for file '/dev/.lib/lib/lib/top'       [ Not found ]
[21:28:19]   Checking for file '/dev/.lib/lib/lib/sz'        [ Not found ]
[21:28:19]   Checking for file '/dev/.lib/lib/lib/login'     [ Not found ]
[21:28:19]   Checking for file '/dev/.lib/lib/lib/in.fingerd' [ Not found ]
[21:28:19]   Checking for file '/dev/.lib/lib/lib/1i0n.sh'   [ Not found ]
9037509-00 Rev AA