
A rootkit is a software system consisting of one or more programs designed to obscure the fact that a system has been compromised. An attacker may use a rootkit to replace vital system executables, which can then be used to hide the processes and files the attacker has installed, along with the presence of the rootkit itself. Typically, rootkits hide their presence by subverting or evading the standard operating system security scanning and monitoring mechanisms, such as anti-virus or anti-spyware scans. Often they are Trojans as well, fooling users into believing they are safe to run on their systems.


More about rootkits on Wikipedia.

To check the system for rootkits, you can use Rootkit Hunter, a tool which scans for rootkits, backdoors and local exploits by running tests such as:

- MD5 hash comparison of system binaries
- Looking for default files used by rootkits
- Checking for wrong file permissions on binaries
- Looking for suspicious strings in LKM and KLD modules
- Looking for hidden files
- An optional scan within plaintext and binary files

Install Rootkit Hunter


In Ubuntu, simply run this command:
sudo apt-get install rkhunter


If you use another Linux distribution, first search for it in your package manager; if it's not available there, you can download it from HERE.

Configure Rootkit Hunter


After installing Rootkit Hunter, the first thing you need to do is update it:
sudo rkhunter --update


Before running RKH you need to fill the file properties database by running the following command (which depends on your Linux distribution):

For Debian based Linux distributions (Debian, Ubuntu, etc.):
sudo rkhunter --propupd --pkgmgr dpkg


For Red Hat based Linux distributions (RPM):
rkhunter --propupd --pkgmgr rpm


Checking your system for rootkits


Now you can begin the scan with this command:
sudo rkhunter --check --pkgmgr dpkg

or, on RPM based distributions:
rkhunter --check --pkgmgr rpm


To see all the available options, run rkhunter with no flags:
rkhunter


False alarms


There are some known false alarms that you don't need to worry about if Rootkit Hunter warns you about them, such as:

/dev/.static/, /dev/.udev & /dev/.udevdb/ – used by udev
/etc/.pwd.lock
/etc/.java/ – it is common for Java installations to use this hidden directory
/dev/.initramfs, /dev/.initramfs-tools – created by initramfs-tools generated ramfs filesystems during boot

Rootkit Hunter will also report false positives after your packages have been updated, because the updated files no longer match its properties database, so check which files the update changed and compare them against the warnings.
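As an added example (not part of the original post or of Rootkit Hunter itself), the script below shows how the scan and the false-alarm list above can be combined: it takes the "Warning:" lines from an rkhunter run and drops those that mention one of the known-benign hidden paths listed above, leaving only the warnings a human still needs to look at. The log format it parses is assumed, and the sample log lines are constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original post: post-process rkhunter warnings,
# dropping the known-benign hidden files/directories listed in the post.
# The sample log below is constructed; the "[hh:mm:ss] Warning: ..." line
# shape is an assumption about rkhunter's log format.

# Known false alarms from the post: udev, the glibc passwd lock, Java, initramfs.
KNOWN_BENIGN='/dev/.static /dev/.udev /dev/.udevdb /etc/.pwd.lock /etc/.java /dev/.initramfs /dev/.initramfs-tools'

# Constructed sample in the assumed shape of rkhunter's log output.
sample_log() {
    cat <<'EOF'
[12:00:01] Checking for hidden files and directories
[12:00:01] Warning: Hidden directory found: /dev/.udev
[12:00:01] Warning: Hidden file found: /etc/.pwd.lock
[12:00:02] Warning: Hidden directory found: /etc/.java
[12:00:02] Warning: Hidden file found: /usr/lib/.bad_hidden: data
[12:00:03] Checking for passwd file changes
[12:00:03] Warning: The command '/bin/ls' has been replaced by a script: /bin/ls: POSIX shell script
[12:00:04] System checks summary
EOF
}

# Print only the Warning lines that do not mention a known-benign path.
# The match is a plain substring match, so it is deliberately loose:
# anything under one of the listed paths is treated as benign.
filter_warnings() {
    grep 'Warning:' | while IFS= read -r line; do
        benign=0
        for p in $KNOWN_BENIGN; do
            case "$line" in
                *"$p"*) benign=1; break ;;
            esac
        done
        if [ "$benign" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Number of warnings left after filtering (0 means nothing left to inspect).
count_real_warnings() {
    filter_warnings | grep -c 'Warning:' || true
}

# With rkhunter installed and root privileges, feed a real run through the
# filter (--sk skips the keypress prompts, --rwo reports warnings only);
# otherwise run the constructed sample so the script demonstrates itself offline.
if command -v rkhunter >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    rkhunter --check --sk --rwo | filter_warnings
else
    sample_log | filter_warnings
fi
```

On the constructed sample, the three udev/Java/passwd-lock warnings are dropped and two remain: the unexpected hidden file under /usr/lib and the replaced /bin/ls, which are exactly the kind of finding that deserves a closer look rather than being waved through as a known false alarm.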


One final note: some rootkits may modify the rkhunter files themselves so that it no longer detects the malware. The best thing to do is to run rkhunter from a read-only USB stick!