Archive for the tag 'Rkhunter'

SBDavid

How to add rkhunter to a cronjob

We know that automation and email notification make an administrator's life a lot easier, so the next step is to run rkhunter from a cronjob.

This is taken straight from the rkhunter website. You need to create a short shell script as follows:

#!/bin/sh
# Check for a newer release, refresh the data files, then run the
# non-interactive check and mail everything the three commands print.
( /usr/bin/rkhunter --versioncheck
  /usr/bin/rkhunter --update
  /usr/bin/rkhunter --cronjob --report-warnings-only
) | /usr/bin/mail -s "rkhunter output" admin@yourdomain.com

Save the file and call it something like 'rkhunterscript'. Make the file executable:

chmod 750 rkhunterscript

and place it in your local bin folder or in a public bin folder. Whichever you choose, the directory and the script should be writable only by root: if root's cron runs a script that an unprivileged user can edit, that user can run anything as root. Now set a root cronjob as follows:

sudo crontab -e

The cronjob looks like this (adjust the path to wherever you saved the script):

10 3 * * * /home/demo/bin/rkhunterscript

This will run the script at 3:10 am each day. Note that --versioncheck and --update print output on every run, so this script mails you every day even when the check itself finds nothing.
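The stock script above mails on every run and mixes update chatter with findings. The wrapper below is an added example, not the script from the original post or from the rkhunter project: it sends the update output to a log file and mails only when the warnings-only check prints something, using the fact that rkhunter reports each finding on a line beginning "Warning:". The rkhunter path, the mail command, the recipient address and the log location are assumptions; adjust them for your system.

```shell
#!/bin/sh
# rkhunter-cron: added example wrapper, not the script from the original post.
# It keeps the chatter from --versioncheck/--update in a log file and only
# sends mail when the check itself reports something. The rkhunter path, mail
# command, recipient and log location below are assumptions; adjust them.

RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}
MAILX=${MAILX:-/usr/bin/mail}
MAILTO=${MAILTO:-admin@yourdomain.com}
LOG=${LOG:-/var/log/rkhunter-cron.log}

# Succeed if the file holds anything other than whitespace, i.e. if the
# warnings-only run produced at least one line worth a human's attention.
has_content() {
    grep -q '[^[:space:]]' "$1"
}

# Count findings: rkhunter reports each one on a line beginning "Warning:".
# grep -c exits 1 when the count is 0, so swallow that status but keep the "0".
count_warnings() {
    grep -c '^Warning:' "$1" || true
}

# Build the mail subject from the count and the host, so a mailbox with
# several machines reporting in can be triaged from the subject line alone.
mail_subject() {
    printf 'rkhunter: %s warning(s) on %s' "$1" "$2"
}

# The daily job itself.
run_daily() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT

    # Update output is only useful after the fact, so it goes to the log.
    {
        echo "=== $(date) versioncheck/update ==="
        "$RKHUNTER" --versioncheck --nocolors
        "$RKHUNTER" --update --nocolors
    } >>"$LOG" 2>&1

    # --cronjob implies --check, --skip-keypress and --nocolors;
    # --report-warnings-only leaves only the findings in the output.
    # The exit status is non-zero when warnings were found, so do not let
    # that stop the script before the mail is sent.
    echo "=== $(date) check ===" >>"$LOG"
    "$RKHUNTER" --cronjob --report-warnings-only >"$tmp" 2>&1 || true
    cat "$tmp" >>"$LOG"

    if has_content "$tmp"; then
        subject=$(mail_subject "$(count_warnings "$tmp")" "$(hostname)")
        "$MAILX" -s "$subject" "$MAILTO" <"$tmp"
    fi
}

# Only act when invoked as "rkhunter-cron run", so the functions above can be
# sourced or exercised without touching rkhunter or the mail system.
if [ "${1:-}" = run ]; then
    run_daily
fi
```

Install it as root with mode 750 in a root-owned directory (for example /usr/local/sbin/rkhunter-cron) and call it from root's crontab as `10 3 * * * /usr/local/sbin/rkhunter-cron run`. A quiet day produces a log entry and no mail; a day with findings produces one mail whose subject carries the host and the number of warnings.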

SBDavid

Scanning for rootkits with rkhunter

The first thing we want to do after installation is to update the signatures and files rkhunter uses to detect anomalies:

sudo /usr/local/bin/rkhunter --update

Interactive mode

sudo /usr/local/bin/rkhunter -c

That command starts rkhunter in interactive mode.

When it gets to the end of a particular group of checks, you need to press Enter to continue.

If you want to skip the interactive prompts, add the -sk (skip keypress) option at the end:

sudo /usr/local/bin/rkhunter -c -sk

SBDavid

Rkhunter Installation

Download from

http://kent.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.4/rkhunter-1.3.4.tar.gz

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.

What are rootkits? Most of the time they are self-hiding toolkits used by blackhats, crackers and script kiddies to avoid the eye of the sysadmin.

Unpacking the tar file should produce a single directory called 'rkhunter-<version>', where <version> is the version number of rkhunter being installed. For example, the rkhunter-1.3.0.tar.gz tar file will produce the 'rkhunter-1.3.0' directory when unpacked. Within this directory is the installation script called 'installer.sh'.

To perform a default installation of RKH simply unpack the tarball and, as root, run the installation script:

tar zxf rkhunter-<version>.tar.gz
cd rkhunter-<version>
./installer.sh --layout default --install

RKH installation supports custom layouts. To show some examples run:

./installer.sh --examples

As another example, to install all files beneath /opt, run:

./installer.sh --layout custom /opt --install

The default installation process will install a configuration file, called ‘rkhunter.conf’, into the ‘/etc’ directory.

To run RKH, as root, simply enter the following command:

rkhunter --check

By default, the log file ‘/var/log/rkhunter.log’ will be created. It will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

rkhunter --help