rkhunter is another nifty program, similar to blockhosts, whose purpose is to scan for rootkits or other malware on your system such as trojans, backdoors, and local exploits. rkhunter differs from blockhosts in that it is a passive program that only reports (potential) problems. It does not provide any active prevention or protection. But what it does do, it does very well. With a typical installation of rkhunter, the following checks are performed:
1. MD5 hash comparisons.
2. Default files commonly used by rootkits.
3. Incorrect file placement (moved binaries).
4. Search for suspect strings in LKM and KLD modules.
5. Hidden files.
6. Optional scan within plain text and binary files.
7. Search for old versions of software packages.
rkhunter used to be a part of Fedora Extras, but was taken out of FC6 due to the fact that "in the second quarter of 2006, the founder of Rootkit Hunter found out the hard way that maintaining FOSS can be difficult when real-life commitments overrule. Management of the project was taken over by unSpawn, and a project group comprising developers and testers was formed..." LOL.
This means that we will have to install it from source. Head over to the new RKhunter website:
Click on the SF project page link, followed by the Download Rootkit Hunter link. Download the latest version, which at the time of this writing is rkhunter-1.3.0.tar.gz. Next, create an appropriate directory to install RKhunter under /usr/local/src:
~> sudo mkdir /usr/local/src/rkhunter
Copy the source tarball to the directory:
~> sudo cp ~/Download/rkhunter-1.3.0.tar.gz /usr/local/src/rkhunter/.
Change into the rkhunter directory:
~> cd /usr/local/src/rkhunter
and decompress the source:
~> sudo tar vfzx rkhunter-1.3.0.tar.gz
Once the package has been decompressed, delete the source file, and change the ownership of the rkhunter-1.3.0 directory to root:
~> sudo rm rkhunter-1.3.0.tar.gz
~> sudo chown root.root -R rkhunter-1.3.0
Next, login as root and change into the rkhunter-1.3.0 directory:
~> su
# cd rkhunter-1.3.0
Next, run the installer script to install rkhunter:
# ./installer.sh --layout /usr/local --install
Logout of root, and change into the /usr/local/etc directory to configure rkhunter:
# exit
~> cd /usr/local/etc
We are now ready to edit the /usr/local/etc/rkhunter.conf file using sudo.
The first thing we need to do is specify the logfile location, whitelist a few scripts that are part of a typical Fedora 8 installation, and add options allowing a few hidden directories and a temporary PulseAudio file in /dev/shm. For example, the following lines should be added or uncommented:
LOGFILE=/var/log/rkhunter/rkhunter.log
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
ALLOWDEVFILE=/dev/shm/pulse-shm-*
XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync
SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
Save and exit. The logfile is to be placed in /var/log/rkhunter, so create the directory:
~> sudo mkdir /var/log/rkhunter
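Before trusting the SCRIPTWHITELIST entries above it is worth confirming that each whitelisted path exists and really is an interpreter script, because every entry silences rkhunter's "command replaced by a script" warning for that path, and an entry for a missing file or a compiled binary silences it for nothing. The following shell function is an added example, not part of the original post or of rkhunter itself; the function name and output format are my own, and the paths are assumed to contain no whitespace.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check the
# SCRIPTWHITELIST entries in an rkhunter.conf before trusting them.
# Each entry tells rkhunter not to warn that the named command "has been
# replaced by a script", so every entry should really be an existing
# interpreter script. A missing path, or a compiled binary, is flagged:
# it silences a check for no reason (or for the wrong reason).
#
# Usage: check_script_whitelist /usr/local/etc/rkhunter.conf
# Prints one line per entry and returns the number of suspect entries.

is_script() {
    # A genuine script begins with the "#!" interpreter line.
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

check_script_whitelist() {
    conf="$1"
    suspect=0
    # Only active (uncommented) SCRIPTWHITELIST lines count; the shipped
    # rkhunter.conf carries many commented-out examples. Paths are assumed
    # not to contain whitespace, as on a stock Fedora system.
    for path in $(sed -n 's/^[[:space:]]*SCRIPTWHITELIST=//p' "$conf" |
                  sed 's/[[:space:]]*$//'); do
        if [ ! -e "$path" ]; then
            echo "MISSING $path (whitelisting a path that does not exist)"
            suspect=$((suspect + 1))
        elif is_script "$path"; then
            echo "OK      $path (script; whitelist entry justified)"
        else
            echo "BINARY  $path (not a script; entry is unnecessary or wrong)"
            suspect=$((suspect + 1))
        fi
    done
    return "$suspect"
}
```

Run it against /usr/local/etc/rkhunter.conf after editing; a non-zero exit status means at least one whitelist entry deserves a second look.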
Next, run rkhunter using sudo to check for any updates and to update the stored file properties of the system commands it monitors:
~> sudo /usr/local/bin/rkhunter --update
~> sudo /usr/local/bin/rkhunter --propupd
Then you can run an initial test scan:
~> sudo /usr/local/bin/rkhunter -c
Running rkhunter manually on a regular basis is tedious, so let's set up a daily scan report. Create an /etc/cron.daily/rkhunter file with the following information in it:
#!/bin/sh
(/usr/local/bin/rkhunter --versioncheck --nocolors; /usr/local/bin/rkhunter --update --nocolors; /usr/local/bin/rkhunter --cronjob --summary) | /bin/mail -s 'rkhunter Daily Run' root
Make sure that the whole pipeline fits on a single line. Save and exit. Then make the file executable:
~> sudo chmod ugo+x /etc/cron.daily/rkhunter
Next, create an /etc/logrotate.d/rkhunter file for log rotation with the following information:
/var/log/rkhunter/rkhunter.log
{
weekly
notifempty
create 640 root root
}
Save and exit. Now, whenever rkhunter is run on a daily basis through cron.daily, a report will be generated and sent to root's e-mail. A log of the results will also be stored in /var/log/rkhunter/rkhunter.log.
I rarely, if ever, log in as root, so I find it useful to put a .forward in root's home directory to forward any e-mails sent to root to your user account instead. First, login as root:
~> su -
Type in root's password, and change your directory into root's home directory:
# cd ~
# pwd
/root
#
Then put a .forward file in root's home directory so that it forwards any e-mail sent to root to your account. This is done by placing an appropriate e-mail address (where you want it forwarded to) in the /root/.forward file:
[username]@[domain].[name]
Save and exit, and log out of root:
# exit
~>
rkhunter is now set up, and will send you an e-mail report every morning with the results of the scan. If a problem shows up in the report, it gives you a starting point to determine whether your system has been broken into. It is by no means failsafe, as logs can be edited and deleted, but it does provide another layer of defense against a potential hacker.