Hunting Out Rootkits
By Ian Scott
For a long time, I have been using a tool called
Recently I was made aware of another similar tool that I like even better, called Rootkit Hunter. According to the description on the Rootkit Hunter website,
“Rootkit scanner is a scanning tool to ensure you for about 99.9% you’re clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files”
There are a few things I like better about Rootkit Hunter than Chkrootkit. While both are free tools released under the GPL, and both do similar things, Rootkit Hunter offers a few more options that make it easier to use.
One of the problems I had when running Chkrootkit manually was that it output a lot of information to the console, and in order to read it, you have to scroll back after it has finished running.
Rootkit Hunter on the other hand, runs tests in such a way that you may view the results of the tests it just ran, and then hit the Enter key to have it continue on to the next tests. It also provides a brief summary of what it found, and anything that you might want to pay special attention to.
As well, the results are color coded. An “OK” or “Clean” result prints in green, warnings print in yellow, and tests that returned what could be a major problem are in red.
It goes further than Chkrootkit in other ways as well. Naturally, both tools look for the existence of possible rootkits that may have been installed on the system. When a rootkit is installed, modified versions of a variety of binaries are installed as well, in order to prevent you from discovering the rootkit. But known rootkits leave signatures that these tools will look for.
This would be a good time to point out that any rootkit tool you use will be useless in discovering brand new rootkits that the tool does not know about. I make it a habit of regularly checking the tools’ websites for updates, and installing them immediately.
Although I have not played with all the options available in Rootkit Hunter, there is one thing I found that Chkrootkit does better: reporting on possible hidden files. Chkrootkit prints out a much longer list of possible files that a sysadmin might want to take a look at, although it appears on the console in a very hard-to-read manner.
More Reports
That being said, Rootkit Hunter does a number of other things that Chkrootkit does not do, and here’s where I really think it exceeds Chkrootkit.
As well as displaying color, Rootkit Hunter also runs a number of other tests that are invaluable. These include checking the system for outdated applications that could contain vulnerabilities (and warning you about them), and system checks that look for passwordless user accounts, for differences in user accounts, and for differences in user groups.
When I ran Rootkit Hunter on my Linux PC, it told me that my SSH configuration allowed for remote root login. Thanks, Rootkit Hunter! I had just recently reinstalled Fedora Core 2 because of another Maxtor hard drive crash, and forgot to change the default configuration file for sshd_config. I’ll get to that right away!
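As an added example (not rkhunter’s own code), here are three of the checks described above, the MD5 compare of binaries, the passwordless-account check and the sshd root-login check, written in plain POSIX sh and run against constructed sample files; the file contents, account names and the temporary working directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: three of the checks the article
# describes (MD5 compare of binaries, passwordless accounts, SSH root login)
# re-implemented in plain POSIX sh against constructed sample files.

# Constructed workspace: a "trusted" baseline, then one binary gets replaced.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin"
printf 'original ls\n' > "$WORK/bin/ls"
printf 'original ps\n' > "$WORK/bin/ps"
( cd "$WORK/bin" && md5sum ls ps > "$WORK/baseline.md5" )   # taken while clean
printf 'trojaned ps\n' > "$WORK/bin/ps"                     # simulated replacement
cat > "$WORK/shadow" <<'EOF'
root:$6$abc:19000:0:99999:7:::
backup::19000:0:99999:7:::
ian:$6$def:19000:0:99999:7:::
EOF
cat > "$WORK/sshd_config" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
EOF

# Print each file whose current MD5 differs from the baseline, one per line.
hash_mismatches() {   # $1 = baseline (md5sum format, absolute path), $2 = binaries dir
    ( cd "$2" && md5sum -c "$1" 2>/dev/null ) | sed -n 's/: FAILED.*$//p'
}

# Print accounts whose password field in a shadow-format file is empty.
passwordless_accounts() {   # $1 = shadow file
    awk -F: '$2 == "" {print $1}' "$1"
}

# Succeed only if PermitRootLogin is explicitly set to something other than
# "yes". sshd honours the first non-comment occurrence of a keyword; an absent
# keyword is treated here as "yes" (the permissive default of that era).
root_login_disabled() {   # $1 = sshd_config
    setting=$(awk 'tolower($1) == "permitrootlogin" {print $2; exit}' "$1")
    [ -n "$setting" ] && [ "$setting" != "yes" ]
}

# Demo run over the constructed files.
echo "Binaries whose MD5 changed:"; hash_mismatches "$WORK/baseline.md5" "$WORK/bin"
echo "Passwordless accounts:";      passwordless_accounts "$WORK/shadow"
if root_login_disabled "$WORK/sshd_config"; then echo "sshd: root login disabled"
else echo "WARNING: sshd permits remote root login"; fi
```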
Installation is a breeze! Just grab the package from http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz (the most recent version at the time of this writing) and then:
# tar -zxvf rkhunter-1.1.8.tar.gz
# cd rkhunter-1.1.8
# ./installer.sh
That’s it! Then run:
# /usr/local/bin/rkhunter
At first, you’ll be given a list of options as to how you want to run it. I simply run it like this:
# /usr/local/bin/rkhunter -c
which will have it check everything. But if you want, you can turn off color, run it so it will only show “interesting” information, turn off the passwd/group and MD5 checks, or run it from a cronjob in quiet mode so that it will only report anything that is not OK or not Clean.
There’s more information in the FAQ at the Rootkit Hunter website.
All in all, a great tool! Use it daily, and add it as a cronjob like this:
30 5 * * * root /usr/local/bin/rkhunter -c --quiet --cronjob
Obviously, you don’t want to use Rootkit Hunter as your main defence against rootkits!!! As Bruce Schneier says, “Security is a process, not a product.”
Happy Rootkit Hunting!