For those who haven't used rkhunter yet

I made an animated gif showing what happens when rkhunter is run. **
**Unfortunately the gif is too large to post and hotlinking to 'my files' on Opera website is,
as far as I know, forbidden.

Info taken from rkh wiki:-
http://rkhunter.wiki.sourceforge.net/MPRKH?token=c27c108089f0ad3a69632511cffb61e0

These are the commands used:-

sudo rkhunter -- propupd (Means update your system file properties.
This is a necessary step to establish a foundation database file to compare scans.)
Must be run before scan.

sudo rkhunter --update (The update command requires net access.
It is highly recommended that no net access is allowed until you have
completed the PROPUPD command. So the correct order is propupd and then update commmands.
Updates are very infrequent))

Then the scan:-

sudo rkhunter -c -sk

If you get Warnings re. hidden directories/files found, and you are sure
they are false positives, then uncomment them in etc/rkhunter.conf (as root)

eg. Warning: Hidden directory found: /dev/.udev
ALLOWHIDDENDIR=/dev/.udev (remove the hash # before ALLOWHIDDENDIR)

I had to allow this one - it is a known 'false positve'
ALLOWDEVFILE=/dev/shm/pulse-shm-*

I have just tried this for the second time, fortunately all is OK, but I think it would be 'tickets' if
a rootkit was found i.e. - reinstall.

 

Not to knock the wind out of your sails, but I think rootkit scanners are next to worthless. First of all, in order for the rootkit to even be installed, your machine already has to have been compromised by someone who already has root access to it. If you have been cracked, finding the rootkit is the least of your worries. Moreover, the attacker can simply alter the rootkit scanner so that it wont find his rootkit. If he has root, he can do anything to the machine and the chances of discovering everything he has done is impossible. It's best to format reinstall.

If we are talking about desktop boxes here, then Linux security is quite simple:

1) Run a firewall that blocks all incoming
2) Turn off all listening services that aren't needed (or use the firewall in rule 1)
3) Never run as root
4) Install all packages from the distro repository.
5) For super paranoia, run SELinux, AppArmor or another MAC.

If you do steps 1-4, the chances of having a desktop box cracked are about .0001%.

If you add step 5 into the equation, the chances of being cracked are .000000000000001%.

 

To add some wind to your sail, I think the effort is commendable. Trying to write info for ordinary people in a simple, clear, coherent way, plus creating those gifs takes time and dedication. Well done.

The choice of topics is debatable. Rootkit searches are geek stuff and most average users will never bother with them, not even know what they are.

As to how you present the data, since you have quite a bit of spirit, why not turn it 100% productive:

1) Setup your own website.
2) Work with individual screenshots as people have problems following videos and animations, especially if they miss something. Explain each step is slow, rich detail, nothing missed. Videos and animations are great in addition to other forms of data rather than standalone thingies. I think it works best if you present the topic statically then wrap it up with a cool 1-2min demo that builds on data already learned.
3) Send a few suggestions to me and then you'll have a guest appearance on Dedoimedo

Cheers,
Mrk

 

Thanks Ocky, I found your first gif very useful. If you do decide to set up a web-site, be sure to post the url here so as we can bookmark it.

 

Talking about wind, I can do without for a while. We've had near gale force winds here for 4 days - a section of the neighbours roof landing on our patio - plus rain and cold.
Anyway, thanks for the encouragement, sorely needed by Linux newcomers.
A web site ? I think you are vastly overestimating my capabilities. Maybe one day when more experienced and time permitting.
I am really having fun with the Linux programs like Gimp, which I use together with byzanz to make animated gifs.

Regards.

 

There's no such thing as overestimate ... there are only excuses
If you want, you get it. No guts no glory ...
Mrk

 

It didn't stop you turning the Lions over, mores the pity.

 

It was too close for comfort - last minute kicking effort.
More astounding is that USA football (soccer) team beat Spain, (Eurocup champs) 2-0
in the Confederations Cup being hosted here.
They are through to the finals, against Brazil. Well done USA !

 

I can't believe what I'm seeing here, 2-0 against Brazil. The States are getting 11 men behind the ball, defending really well and hitting them on the break. Sensational game so far.

 

Ronen O'Gara !! last minute brain implosion !!
He could of just gone for touch and that would have been enough.

 

propupd rkhunter **after** initial use

Having used rkhunter yesterday for the first time - without
initially running --propupd - i ran it today and this is what
rkhunter had to say:

usr1@njac:~$ sudo rkhunter --update
[ Rootkit Hunter version 1.3.2 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
usr1@njac:~$

Is this order of things acceptable ?
What is this '[ No update ]' statement saying ?

Arye

 

Re: propupd rkhunter **after** initial use

it probably means you got the updates yesterday. i haven't used rkhunter much, but try running these -
sudo rkhunter -- propupd
then
sudo rkhunter --update
then
sudo rkhunter -c -sk

 

Re: propupd rkhunter **after** initial use

"The update command looks for various data updates. These are not going to modify your properties database. They relate to other data files in a default layout under /var/lib/rkhunter/db/ and are maintained by the RKH team. These updates tend to be infrequent. But on a clean installation, you can expect some updates."

 

Re: propupd rkhunter **after** initial use

Just checking to see if I'm understanding things. If you just did a clean install, you can feel assured there are no rootkits on your machine. So then you run the first two commands to "record" your "starting condition." After that, you periodically run the third command to see if there have been any unauthorized changes to your root system. Have I got it right?

But Chronomatic's objection that if anyone succeeds in installing a rootkit on your system, the first thing they are going to do is compromise rkhunter, seems valid. So, in this case, adding suspenders when you are already wearing a belt, seems pointless.

 

Re: propupd rkhunter **after** initial use

'On a clean install, the first run of propupd, creates a new database file. On later scans, running the propupd command, updates the database file. So, to update the database file, you are satisfied you have only trusted source system file changes.'
I always go through the sequence mentioned before doing a scan, in case there
were any system file properties changes that require updating in the database
file, or when new 'executables' were perhaps installed. RKH will still find rootkits if you don't run propupd.

 

If you're into this type of thing, then I would just use an IDS like AIDE instead of rootkit scanners. You install AIDE on a fresh install, then allow it to compile a database and checksum of all system files. Then you save that database to an EXTERNAL drive/CD so that if someone does break in, they can't compromise your "clean" database. To check for intrusions, you can run a check (say weekly) against your clean database to see if any root owned files have changed.

Really, though, unless you are running a webserver, the IDS's are a waste of time. On a desktop box, all you really need is an ingress firewall or, if you're paranoid, use a MAC like SELinux or AppArmor.

 

so you always run those 3 commands?

you can make a script to do it all for you!

Code:

#!/bin/bash -
#
# RKHunter script. updates and scan

echo "updating database"
sudo rkhunter --propupd

echo "checking for updates"
sudo rkhunter --update

echo "Scanning"
sudo rkhunter -c -sk

sleep 5
exit 0

save it as rkhunter_scan.sh
then make it executable -
chmod +x rkhunter_scan.sh
and run it like this -
./rkhunter_scan.sh

i think it works lol.

i remebered i posted about aide and rkhunter once here -
https://www.wilderssecurity.com/showpost.php?p=934817&postcount=62

EDIT. i think with aide you should really move the database onto a removable drive, somewhere off the HDD just be be sure it hasn't been changed to hide stuff, not that i think it's very likely to be editted by a hacker lol. and also it should be run on a system that doesn't change much - one that's already setup so there aren't too many changes to go through.

 

Thanks, your script does the job a liitle faster ..

PS. I agree with chronomatic's point of view, being a mere desktop home
user - just interested in trying out stuff.

 

i was thinking you can make an alias for that script if you want like this -

put the script somewhere safe i.e. ~/scripts/rkhunter_scan.sh
~/ that bit in the path means your home directory, it's the same as this - /home/USERNAME/scripts/rkhunter_scan.sh

then you make the alias. you should be able to add it to this file ~/.bashrc
gedit ~/.bashrc

and add this to the end of the file (name it whatever you think you'll find easiest to remember! i used rootkit_scan) -
alias rootkit_scan='~/scripts/rkhunter_scan.sh'

then open a new terminal window and run rootkit_scan