Rootkit Hunter (rkhunter) is a scanning tool that checks whether your system is, to about 99.9%*, clean of nasty tools. It scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.
* No, not really 99.9%. It is just another security layer.
If you want to install Rootkit Hunter on Debian, you need to add the unstable source list to your /etc/apt/sources.list file. Once you have added it, run the following command:
#apt-get install rkhunter
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 325 not upgraded.
Need to get 115kB of archives.
After unpacking 500kB of additional disk space will be used.
Get:1 http://mirror.ox.ac.uk unstable/main rkhunter 1.2.8-4 [115kB]
Fetched 115kB in 0s (445kB/s)
Preconfiguring packages ...
Selecting previously deselected package rkhunter.
(Reading database ... 37928 files and directories currently installed.)
Unpacking rkhunter (from .../rkhunter_1.2.8-4_all.deb) ...
Setting up rkhunter (1.2.8-4) ...
During installation it will ask the following two questions, which you need to answer:
Choose this option if you want rkhunter to be run automatically via cron.daily.
Activate daily run?
Choose this option if you want rkhunter databases to be updated automatically via cron.weekly.
Activate weekly database update?
After this it will complete the installation.
If you want to run rkhunter, you have the following options:
--checkall (-c) : Check system
--createlogfile* : Create logfile
--cronjob : Run as cronjob (removes colored layout)
--display-logfile : Show logfile at end of the output
--help (-h) : Show this help
--nocolors* : Don't use colors for output
--report-mode* : Don't show uninteresting information for reports
--report-warnings-only* : Show only warnings (lesser output than --report-mode, more than --quiet)
--skip-application-check* : Don't run application version checks
--skip-keypress (-sk)* : Don't wait after every test (non-interactive)
--quick* : Perform quick scan (instead of full scan)
--quiet* : Be quiet (only show warnings)
--update : Run update tool and check for database updates
--version : Show version and quit
--versioncheck : Check for latest version
--bindir <bindir>* : Use <bindir> instead of using default binaries
--configfile <file>* : Use different configuration file
--dbdir <dir>* : Use <dbdir> as database directory
--rootdir <rootdir>* : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>* : Use <tempdir> as temporary directory
Explicit scan options:
--allow-ssh-root-user* : Allow usage of SSH root user login
--disable-md5-check* : Disable MD5 checks
--disable-passwd-check* : Disable passwd/group checks
--scan-knownbad-files* : Perform besides 'known good' check a 'known bad' check
Multiple parameters are allowed
*) Parameter can only be used with other parameters
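The daily cron run offered during installation and the non-interactive options listed above fit together naturally: run rkhunter from cron with --cronjob, --skip-keypress and --report-warnings-only, then act only when the report contains warnings. The wrapper below is an added example written for this page, not a script from the rkhunter project; it assumes rkhunter is installed as described above, that the interesting report lines end in a "[ Warning ]" marker (the page only shows "[ OK ]" lines, so the warning format is an assumption), and the sample report it parses is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the rkhunter project): a cron-friendly wrapper that
# runs rkhunter non-interactively and reports only the items it flagged.

# The non-interactive command line built from the options listed above:
# --cronjob removes the coloured layout, --skip-keypress avoids waiting after
# every test, --report-warnings-only keeps the output down to warnings.
rkh_cmd() {
    printf '%s\n' "rkhunter --checkall --cronjob --skip-keypress --report-warnings-only"
}

# Count result lines on stdin that carry a "[ Warning ]" marker
# (case-insensitive; the marker format is assumed, see the lead-in).
count_warnings() {
    grep -ci '\[ *warning *\]' || true
}

# Print the first field (usually the checked path) of every flagged line.
list_warnings() {
    grep -i '\[ *warning *\]' | awk '{ print $1 }'
}

# Constructed sample report in the same layout as the "known bad" check
# output shown on this page; used to demonstrate the parsing offline.
sample_report() {
    cat <<'EOF'
/bin/cat                                                    [ OK ]
/bin/ls                                                     [ Warning ]
/usr/bin/ssh                                                [ OK ]
/etc/rkhunter.conf                                          [ Warning ]
EOF
}

# Run the real scan, keep the log only when something was flagged, and
# exit non-zero so cron mails the administrator. rkhunter's own exit code
# is ignored here because it differs between versions (assumption).
run_scan() {
    log=$(mktemp) || return 1
    $(rkh_cmd) > "$log" 2>&1 || true
    n=$(count_warnings < "$log")
    if [ "$n" -gt 0 ]; then
        echo "rkhunter flagged $n item(s):"
        list_warnings < "$log"
        echo "full report kept in $log"
        return 1
    fi
    rm -f "$log"
    return 0
}

# Only start a real scan when invoked with --run, so the functions above can
# be sourced or tested without rkhunter being present.
case "${1:-}" in
    --run) run_scan ;;
    --demo) sample_report | list_warnings ;;
esac
```

Install it as, for example, /etc/cron.daily/rkhunter-wrapper with the --run argument (a hypothetical path), and cron will only mail you when the report contains warnings; run it with --demo to see the parsing on the constructed sample. Because rkhunter compares binaries against a stored database, remember to keep that database current with --update (the weekly cron job offered during installation does this), otherwise legitimate package upgrades show up as warnings.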
Here is an example run we tried, with sample output:
Rootkit Hunter 1.2.8 is running
Determining OS... Ready
Strings (command) [ OK ]
* System tools
Performing 'known bad' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]....