Part of my daily security routine is to check machine logs for signs of suspicious activity. Recently I found a few shell commands showing up in the Apache error log of one of the machines. It took a long time to track down the problem. In the end I found it was due to a poorly written and insecure script. This script was on the server when I inherited it from the previous administrator (figuring out which script was causing the problems is a story in itself).
After securing the script I couldn’t help but worry that something might have been dropped onto the server. In fact, after looking around I found a few files in /tmp and a couple in some places where apache had write access. I decided to look around for a tool to help me figure out if anything important had been tampered with. A quick look through the ports turned up rkhunter under /usr/ports/security/rkhunter.
The package description reads:
Rootkit Hunter is a scanning tool to ensure you for about 99.9% you’re clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5/SHA1 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
WWW: http://www.rootkit.nl/
Installing from ports is easy:
cd /usr/ports/security/rkhunter
followed by
make install && make clean
and rkhunter is installed (you may also wish to install portaudit[1]).
The post-install blurb suggests typing rkhunter as a first step. This prints rkhunter’s command line options.
The --update option updates rkhunter’s databases and is a good first step.
rkhunter --update
root@t2# rkhunter --update
Running updater...
Mirrorfile /usr/local/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://www.rootkit.nl/rkhunter
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Update available
Action: Database updated (current version: 2005051900, new version 2005121400)
[DB] Operating System information : Update available
Action: Database updated (current version: 2005052200, new version 2005102800)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Update available
Action: Database updated (current version: 2005041700, new version 2005111500)
[DB] Known bad program versions : Update available
Action: Database updated (current version: 2005041700, new version 2005111500)
Ready.
Now that the database is up to date it is time to run rkhunter in check mode (--checkall or -c):
rkhunter -c
Here is a sample of the output:
root@t2# rkhunter -c
Rootkit Hunter 1.2.7 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/kill [ OK ]
/bin/ls [ OK ]
...
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
...
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
...
It does seem to do a fairly thorough job of checking for a lot of things. It can be run as a cron job (the --cronjob switch turns off the colorized output).
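As an added example (not from this post and not part of rkhunter itself), a small sh script showing the two ideas above at a smaller scale: a "known good" hash compare over a list of binaries, and a filter for rkhunter --cronjob output that returns non-zero when any check did not come back [ OK ], which is what a cron wrapper needs in order to decide whether to mail root. The function names and the set of status words treated as findings are my assumptions, based on the sample output above.

```shell
#!/bin/sh
# Added example, not code from the post or from rkhunter. hash_baseline/hash_verify
# is a small "known good" hash compare like rkhunter's binary check; rkhunter_findings
# filters rkhunter-style result lines so a cron wrapper can decide whether to alert.
# Which status words mean trouble is an assumption taken from the post's sample output.

# SHA1 of one file: sha1sum on Linux, sha1 from the FreeBSD base system otherwise.
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else sha1 -q "$1"; fi
}

# Emit "hash path" per file, e.g. hash_baseline /bin/cat /bin/ls > /root/baseline.txt
hash_baseline() {
    for f in "$@"; do printf '%s %s\n' "$(hash_file "$f")" "$f"; done
}

# Recheck every path in a baseline file; return 1 if any file changed or vanished.
hash_verify() {
    rc=0
    while read -r want path; do
        have=$(hash_file "$path" 2>/dev/null || echo missing)
        if [ "$have" = "$want" ]; then printf '%s [ OK ]\n' "$path"
        else printf '%s [ Warning ]\n' "$path"; rc=1; fi
    done < "$1"
    return $rc
}

# Read rkhunter -c --cronjob output on stdin, print each result line that is not
# "[ OK ]" or "[ Not found ]", and return 1 if there were any (0 means a clean run).
rkhunter_findings() {
    awk '/\[ *[A-Za-z! ]+ *\]/ && !/\[ *(OK|Not found) *\]/ { print; n++ }
         END { exit (n > 0 ? 1 : 0) }'
}

# Constructed sample in the format of the post's output, with two bad results.
SAMPLE_OUTPUT=$(cat <<'EOF'
/bin/cat [ OK ]
/bin/ls [ BAD ]
Rootkit 'Apache Worm'... [ OK ]
Scanning for known rootkit strings [ OK ]
Scanning for hidden files [ Warning! ]
EOF
)

# Demo: prints the two findings; in a cron job the "||" branch would mail root instead.
printf '%s\n' "$SAMPLE_OUTPUT" | rkhunter_findings || echo "findings present"
```

In a crontab the last line becomes something like rkhunter -c --cronjob | rkhunter_findings || mail root, so a clean run stays silent.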
Note: RK Hunter copies /etc/group and /etc/passwd to root’s home directory. So don’t have a coronary if you spot them in there (I nearly did).
[1] Portaudit is used by rkhunter to check for vulnerable applications; it is useful but not actually necessary to have it installed. It can be found under /usr/ports/security/portaudit.
