
RKHunter – RootKit Hunter
Rootkit Hunter is a scanning tool to assure you, for about 99.9%*, that you're clean of nasty tools. It scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
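The hash-compare and file-permission tests listed above both work by recording a known-good state and reporting deviations from it. The script below is an added example of that mechanism, not rkhunter's own code: the function names are hypothetical, SHA-256 stands in for MD5, and the demo tree is constructed.

```shell
#!/bin/sh
# Added illustration (not rkhunter's code): baseline-and-compare integrity check.
# Function names are hypothetical; SHA-256 is used in place of MD5.

# make_baseline DIR OUT: record "hash  path" for every regular file under DIR.
# OUT must live outside DIR so the baseline does not hash itself.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# changed_files BASELINE: print recorded paths that are modified or missing.
changed_files() {
    # sha256sum -c exits non-zero on any mismatch; only its report is wanted.
    { sha256sum -c "$1" 2>/dev/null || true; } | sed -n 's/: FAILED.*$//p'
}

# new_files DIR BASELINE: print files under DIR that the baseline never saw.
new_files() {
    known=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$2" | LC_ALL=C sort > "$known"
    find "$1" -type f | LC_ALL=C sort | LC_ALL=C comm -13 "$known" -
    rm -f "$known"
}

# world_writable DIR: print files that any local user could overwrite.
world_writable() {
    find "$1" -type f -perm -0002
}

# Constructed demo: "sh integrity.sh demo" builds a throwaway tree and alters it.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); b=$(mktemp)
    printf 'original\n' > "$d/ls"; printf 'original\n' > "$d/ps"
    chmod 755 "$d/ls" "$d/ps"
    make_baseline "$d" "$b"
    printf 'tampered\n' > "$d/ls"      # content change
    printf 'extra\n' > "$d/.hidden"    # file added after the baseline
    chmod 777 "$d/ps"                  # permissions loosened
    echo "changed:";        changed_files "$b"
    echo "new:";            new_files "$d" "$b"
    echo "world-writable:"; world_writable "$d"
    rm -rf "$d" "$b"
fi
```

A baseline is only trustworthy if it was taken from a clean system and is stored where a compromised host cannot rewrite it.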
Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.
# wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
# tar -xzvf rkhunter-1.1.4.tar.gz
# cd rkhunter
# ./installer.sh
Receive an e-mail every day with the Rootkit Hunter results
For the root user:
# crontab -e
For any other user:
# crontab -e -u username
and add the following line:
0 3 * * * (/usr/local/bin/rkhunter --checkall 2>&1 | mail -s "rkhunter output" -c mailadr[email protected],[email protected] [email protected])
The correct path to rkhunter can be found with: which rkhunter
This will run Rootkit Hunter at 3:00 am every day and e-mail the output to [email protected], with copies to [email protected] and [email protected]
Note
If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server once the rootkit is revealed...).
Links
http://www.rootkit.nl/projects/rootkit_hunter.html