A rootkit is a collection of programs that gives an attacker administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. Once the rootkit is installed, it helps the hacker with further intrusion: gaining root or privileged access to the computer and possibly to other machines on the same network.
The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are a real threat to a number of operating systems, including Windows, and are increasingly difficult to detect on a network.
Rootkit developers are considered to be among the world's best programmers. A number of vendors, including Microsoft and F-Secure, offer applications that can detect the presence of rootkits. If a rootkit is detected, however, the only sure way to get rid of it is to completely erase the computer's hard drive and reinstall the operating system. In every way, then, a rootkit is a real harm and threat to production servers.
There are a number of tools these days to scan for rootkits; however, RKHunter is one of the most commonly used ones for Linux servers.
Now, let's see the installation and configuration of RKHunter on a Linux box.
1. SSH to the Linux box, log in with root credentials and go to the source directory:
cd /usr/local/src/
2. Download the latest RKHunter version *.*.*. Try the source below (this URL fetches 1.3.0):
wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
3. Extract the files:
tar -xzvf rkhunter-1.3.0.tar.gz
4. Change into the extracted directory (the tarball unpacks to rkhunter-1.3.0, not to a directory named after the archive):
cd rkhunter-1.3.0
5. Execute the installer script:
./installer.sh --layout default --install
6. Set up daily RKHunter scans with a cron job. Open /etc/cron.daily/rkhunter.sh (for example with vim) and add the following line:
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" [email protected])
The sample e-mail address should be replaced with your own. It is best to use an offsite e-mail address, so that if the box is compromised the hacker can't erase the scan report.
Set execution permission on the script:
chmod +x /etc/cron.daily/rkhunter.sh
Useful option:
--checkall (or -c): check the system, performing all tests.
For example, to check for rootkits: rkhunter --check
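As an added example (not code from the original post or from the RKHunter project), the cron job from step 6 written as a small POSIX shell script: one function generates the daily job file and makes it executable, and two helpers read a scan report and count its "Warning:" lines so the mail subject says whether the scan was clean. It assumes rkhunter was installed to /usr/local/bin/rkhunter by the default layout, that mail(1) is on the PATH, and that REPORT_TO is your offsite mailbox; the SAMPLE_REPORT text is constructed for the example and is not real output from any host.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the daily cron script
# from step 6 and adds a report filter that counts "Warning:" lines.
# Assumptions (hypothetical, not from the page): rkhunter lives at
# /usr/local/bin/rkhunter, mail(1) is on the PATH, REPORT_TO is offsite.

RKHUNTER_BIN=/usr/local/bin/rkhunter
REPORT_TO="you@example.com"   # placeholder: replace with your own offsite address

# write_cron_script PATH
# Writes the daily job to PATH (normally /etc/cron.daily/rkhunter.sh) and makes
# it executable for root only. --cronjob turns off colours and interactive
# prompts so the output is suitable for e-mail; 2>&1 keeps stderr in the report.
write_cron_script() {
    path=$1
    cat > "$path" <<EOF
#!/bin/sh
# daily RKHunter scan, generated by write_cron_script
$RKHUNTER_BIN -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" $REPORT_TO
EOF
    chmod 700 "$path"
}

# count_warnings < REPORT
# Reads an rkhunter cron report on stdin and prints how many lines start with
# "Warning:". grep -c exits 1 when there are no matches, hence the "|| true".
count_warnings() {
    n=$(grep -c '^Warning:' || true)
    echo "${n:-0}"
}

# subject_for_report < REPORT
# Prints a mail subject carrying the warning count and host name, so the
# offsite mailbox can be sorted by severity without opening each report.
subject_for_report() {
    n=$(count_warnings)
    if [ "$n" -gt 0 ]; then
        echo "RKhunter Scan Details: $n warning(s) on $(uname -n)"
    else
        echo "RKhunter Scan Details: clean on $(uname -n)"
    fi
}

# Constructed sample of what a --cronjob run can print (not real output from
# any host); used to exercise count_warnings offline.
SAMPLE_REPORT='Warning: The file properties have changed:
         File: /usr/bin/ssh
         Current hash: <placeholder>
         Stored hash : <placeholder>
Warning: Hidden directory found: /dev/.udev
Checking for rootkits...
    Rootkits checked : 110
    Possible rootkits: 0'

# Usage from a shell:
#   . ./rkhunter-cron.sh
#   write_cron_script /etc/cron.daily/rkhunter.sh
#   printf '%s\n' "$SAMPLE_REPORT" | subject_for_report
```

The generated job keeps the page's behaviour of mailing the full report every day; subject_for_report is only a reading aid, and a mailbox rule on the subject line is a simple way to make a day with warnings stand out among the routine clean reports.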