For those who haven't used rkhunter yet

Discussion in 'all things UNIX' started by Ocky, Jun 27, 2009.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I made an animated gif showing what happens when rkhunter is run.
    Unfortunately the gif is too large to post and hotlinking to 'my files' on the Opera website is,
    as far as I know, forbidden.

    Info taken from rkh wiki:-
    http://rkhunter.wiki.sourceforge.net/MPRKH?token=c27c108089f0ad3a69632511cffb61e0

    These are the commands used:-

    sudo rkhunter --propupd (Means update your system file properties.
    This is a necessary step to establish a foundation database file to compare scans.)
    Must be run before scan.

    sudo rkhunter --update (The update command requires net access.
    It is highly recommended that no net access is allowed until you have
    completed the PROPUPD command. So the correct order is propupd and then update commands.
    Updates are very infrequent.)

    Then the scan:-

    sudo rkhunter -c -sk

    If you get Warnings re. hidden directories/files found, and you are sure
    they are false positives, then uncomment them in /etc/rkhunter.conf (as root)

    eg. Warning: Hidden directory found: /dev/.udev
    ALLOWHIDDENDIR=/dev/.udev (remove the hash # before ALLOWHIDDENDIR)

    I had to allow this one - it is a known 'false positive'
    ALLOWDEVFILE=/dev/shm/pulse-shm-*

    I have just tried this for the second time, fortunately all is OK, but I think it would be 'tickets' if
    a rootkit was found i.e. - reinstall. :argh:
     
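The warning handling Ocky describes above (explain a hidden-directory or hidden-file warning, then whitelist it in rkhunter.conf) is easy to get wrong by whitelisting too eagerly. The script below is an added example, not code from the thread or from the rkhunter project: it reads warning lines in the format rkhunter logs them, proposes the matching ALLOWHIDDENDIR / ALLOWHIDDENFILE lines for review, and counts the warnings that no path whitelist can explain. The sample warning lines are constructed; the config keys are rkhunter's own.

```shell
#!/bin/sh
# Added example (not from the thread or the rkhunter project): turn the
# "Hidden directory/file found" warnings that rkhunter writes to its log into
# the matching rkhunter.conf whitelist lines, for a human to review. It never
# edits /etc/rkhunter.conf itself, because a whitelisted path is exactly where
# a real rootkit would go unnoticed; each path must be explained first.

# Constructed sample of warning lines in the format rkhunter logs them.
SAMPLE_WARNINGS='Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden directory found: /dev/.static
Warning: The command /bin/ls has been replaced by a script: /bin/ls: POSIX shell script'

# Map one warning line to a config directive; print nothing for warning
# types that cannot be explained away with a path whitelist.
whitelist_line() {
    case "$1" in
        "Warning: Hidden directory found: "*)
            path=${1#"Warning: Hidden directory found: "}
            printf 'ALLOWHIDDENDIR=%s\n' "$path" ;;
        "Warning: Hidden file found: "*)
            path=${1#"Warning: Hidden file found: "}
            path=${path%%:*}    # drop the ": <file type>" suffix rkhunter appends
            printf 'ALLOWHIDDENFILE=%s\n' "$path" ;;
        *) ;;                   # replaced commands etc. need investigation, not whitelisting
    esac
}

# Read warnings on stdin and print the proposed directives, one per line.
whitelist_from_warnings() {
    while IFS= read -r line; do
        whitelist_line "$line"
    done
}

# Count the warnings on stdin that no path whitelist can explain; anything
# above zero means the host needs a closer look before rkhunter.conf is touched.
unexplained_count() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            Warning:*) [ -n "$(whitelist_line "$line")" ] || n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Example run on the constructed sample (no rkhunter installation needed):
printf '%s\n' "$SAMPLE_WARNINGS" | whitelist_from_warnings
echo "unexplained: $(printf '%s\n' "$SAMPLE_WARNINGS" | unexplained_count)"
```

On a real host the input would be `grep '^Warning:' /var/log/rkhunter.log`; the proposed lines still go into /etc/rkhunter.conf by hand, one at a time, after the path has been accounted for (for example, the pulseaudio and udev entries mentioned in the post).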
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Not to knock the wind out of your sails, but I think rootkit scanners are next to worthless. First of all, in order for the rootkit to even be installed, your machine already has to have been compromised by someone who already has root access to it. If you have been cracked, finding the rootkit is the least of your worries. Moreover, the attacker can simply alter the rootkit scanner so that it won't find his rootkit. If he has root, he can do anything to the machine and the chances of discovering everything he has done is impossible. It's best to format and reinstall.

    If we are talking about desktop boxes here, then Linux security is quite simple:

    1) Run a firewall that blocks all incoming
    2) Turn off all listening services that aren't needed (or use the firewall in rule 1)
    3) Never run as root
    4) Install all packages from the distro repository.
    5) For super paranoia, run SELinux, AppArmor or another MAC.

    If you do steps 1-4, the chances of having a desktop box cracked are about .0001%.

    If you add step 5 into the equation, the chances of being cracked are .000000000000001%.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    To add some wind to your sail, I think the effort is commendable. Trying to write info for ordinary people in a simple, clear, coherent way, plus creating those gifs takes time and dedication. Well done.

    The choice of topics is debatable. Rootkit searches are geek stuff and most average users will never bother with them, not even know what they are.

    As to how you present the data, since you have quite a bit of spirit, why not turn it 100% productive:

    1) Set up your own website.
    2) Work with individual screenshots as people have problems following videos and animations, especially if they miss something. Explain each step in slow, rich detail, nothing missed. Videos and animations are great in addition to other forms of data rather than standalone thingies. I think it works best if you present the topic statically then wrap it up with a cool 1-2min demo that builds on data already learned.
    3) Send a few suggestions to me and then you'll have a guest appearance on Dedoimedo :)

    Cheers,
    Mrk
     
  4. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Thanks Ocky, I found your first gif very useful. If you do decide to set up a web-site, be sure to post the url here so as we can bookmark it.
     
  5. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Talking about wind, I can do without for a while. We've had near gale force winds here for 4 days - a section of the neighbour's roof landing on our patio - plus rain and cold.
    Anyway, thanks for the encouragement, sorely needed by Linux newcomers. :D
    A web site ? I think you are vastly overestimating my capabilities. Maybe one day when more experienced and time permitting.
    I am really having fun with the Linux programs like Gimp, which I use together with byzanz to make animated gifs.

    Regards.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    There's no such thing as overestimate ... there are only excuses :)
    If you want, you get it. No guts no glory ...
    Mrk
     
  7. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    It didn't stop you turning the Lions over, more's the pity. ;)
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    It was too close for comfort - last minute kicking effort.;)
    More astounding is that USA football (soccer) team beat Spain, (Eurocup champs) 2-0
    in the Confederations Cup being hosted here.
    They are through to the finals, against Brazil. Well done USA !
     
  9. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    I can't believe what I'm seeing here, 2-0 against Brazil. The States are getting 11 men behind the ball, defending really well and hitting them on the break. Sensational game so far.
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Ronan O'Gara!! Last minute brain implosion!!
    He could have just gone for touch and that would have been enough.
     
  11. ahartman

    ahartman Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    1
    propupd rkhunter **after** initial use

    Having used rkhunter yesterday for the first time - without
    initially running --propupd - I ran it today and this is what
    rkhunter had to say:

    usr1@njac:~$ sudo rkhunter --update
    [ Rootkit Hunter version 1.3.2 ]

    Checking rkhunter data files...
    Checking file mirrors.dat [ No update ]
    Checking file programs_bad.dat [ No update ]
    Checking file backdoorports.dat [ No update ]
    Checking file suspscan.dat [ No update ]
    Checking file i18n/cn [ No update ]
    Checking file i18n/en [ No update ]
    Checking file i18n/zh [ No update ]
    Checking file i18n/zh.utf8 [ No update ]
    usr1@njac:~$

    Is this order of things acceptable ?
    What is this '[ No update ]' statement saying ?

    Arye
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Re: propupd rkhunter **after** initial use

    It probably means you got the updates yesterday. I haven't used rkhunter much, but try running these -
    sudo rkhunter --propupd
    then
    sudo rkhunter --update
    then
    sudo rkhunter -c -sk
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Re: propupd rkhunter **after** initial use

    "The update command looks for various data updates. These are not going to modify your properties database. They relate to other data files in a default layout under /var/lib/rkhunter/db/ and are maintained by the RKH team. These updates tend to be infrequent. But on a clean installation, you can expect some updates."
     
  14. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    Re: propupd rkhunter **after** initial use

    Just checking to see if I'm understanding things. If you just did a clean install, you can feel assured there are no rootkits on your machine. So then you run the first two commands to "record" your "starting condition." After that, you periodically run the third command to see if there have been any unauthorized changes to your root system. Have I got it right?

    But Chronomatic's objection that if anyone succeeds in installing a rootkit on your system, the first thing they are going to do is compromise rkhunter, seems valid. So, in this case, adding suspenders when you are already wearing a belt, seems pointless.
     
    Last edited: Jul 6, 2009
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Re: propupd rkhunter **after** initial use

    'On a clean install, the first run of propupd, creates a new database file. On later scans, running the propupd command, updates the database file. So, to update the database file, you are satisfied you have only trusted source system file changes.'
    I always go through the sequence mentioned before doing a scan, in case there
    were any system file properties changes that require updating in the database
    file, or when new 'executables' were perhaps installed. RKH will still find rootkits if you don't run propupd.
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    If you're into this type of thing, then I would just use an IDS like AIDE instead of rootkit scanners. You install AIDE on a fresh install, then allow it to compile a database and checksum of all system files. Then you save that database to an EXTERNAL drive/CD so that if someone does break in, they can't compromise your "clean" database. To check for intrusions, you can run a check (say weekly) against your clean database to see if any root owned files have changed.

    Really, though, unless you are running a webserver, IDSs are a waste of time. On a desktop box, all you really need is an ingress firewall or, if you're paranoid, use a MAC like SELinux or AppArmor.
     
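The AIDE workflow chronomatic describes (baseline a clean install, keep the database off the host, diff the live system against it later) is worth seeing in the smallest form that still works. The script below is an added example and not AIDE's own code: it builds a sha256 baseline of a directory tree, stores it in a separate location standing in for removable media, then reports added, changed and removed files. It assumes GNU coreutils sha256sum and paths without whitespace, and unlike AIDE it checks file content only, not ownership or permissions. The demo tree and its tampering are constructed.

```shell
#!/bin/sh
# Added example, not AIDE's own code: the smallest version of what the post
# describes. A checksum baseline is taken once from a known-clean tree and kept
# off the host (here a separate directory stands in for removable media); later
# the live tree is hashed again and diffed against that baseline. Paths with
# whitespace are not handled, and unlike AIDE only content is checked, not
# ownership or permissions. Needs sha256sum (GNU coreutils).

# Write "hash  ./relative/path" for every regular file under $1 into $2.
# Relative paths keep the baseline independent of where the tree is mounted.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Compare the live tree $1 against baseline file $2. Prints one line per
# difference (ADDED/CHANGED/REMOVED path) and returns 1 if any were found.
check_baseline() {
    live=$(mktemp)
    make_baseline "$1" "$live"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline: path -> hash
        {
            seen[$2] = 1
            if (!($2 in base))        print "ADDED   " $2
            else if (base[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$live" | LC_ALL=C sort)
    rm -f "$live"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed tree: baseline it, tamper with it, run the check.
demo() {
    root=$(mktemp -d)     # stands in for /
    store=$(mktemp -d)    # stands in for the external drive / CD
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'PermitRootLogin no\n' > "$root/etc/sshd_config"
    printf 'welcome\n' > "$root/etc/motd"
    make_baseline "$root" "$store/baseline.sha256"

    printf 'trojaned ls\n' > "$root/bin/ls"     # replaced binary
    printf 'x\n' > "$root/bin/.hidden"          # new hidden file
    rm -f "$root/etc/motd"                      # deleted file

    if check_baseline "$root" "$store/baseline.sha256"; then rc=0; else rc=1; fi
    rm -rf "$root" "$store"
    return $rc
}

demo || echo "differences found, as expected for the tampered demo tree"
```

The point the post makes is in where the baseline lives: if `baseline.sha256` sits on the same disk, whoever has root can regenerate it after tampering and the check proves nothing. Keeping it on media that is mounted read-only only for the check is what gives the comparison any weight, and the same goes for the `sha256sum` and `awk` binaries the check relies on.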
  17. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    so you always run those 3 commands?

    you can make a script to do it all for you!
    Code:
    #!/bin/bash -
    #
    # RKHunter script. updates and scan
    
    echo "updating database"
    sudo rkhunter --propupd
    
    echo "checking for updates"
    sudo rkhunter --update
    
    echo "Scanning"
    sudo rkhunter -c -sk
    
    sleep 5
    exit 0
    save it as rkhunter_scan.sh
    then make it executable -
    chmod +x rkhunter_scan.sh
    and run it like this -
    ./rkhunter_scan.sh

    I think it works lol.

    I remembered I posted about aide and rkhunter once here -
    https://www.wilderssecurity.com/showpost.php?p=934817&postcount=62

    EDIT. I think with aide you should really move the database onto a removable drive, somewhere off the HDD just to be sure it hasn't been changed to hide stuff, not that I think it's very likely to be edited by a hacker lol. And also it should be run on a system that doesn't change much - one that's already set up so there aren't too many changes to go through.
     
    Last edited: Jul 6, 2009
  18. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thanks, your script does the job a little faster .. :)

    PS. I agree with chronomatic's point of view, being a mere desktop home
    user - just interested in trying out stuff.
     
  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I was thinking you can make an alias for that script if you want like this -

    put the script somewhere safe i.e. ~/scripts/rkhunter_scan.sh
    ~/ that bit in the path means your home directory, it's the same as this - /home/USERNAME/scripts/rkhunter_scan.sh

    then you make the alias. you should be able to add it to this file ~/.bashrc
    gedit ~/.bashrc

    and add this to the end of the file (name it whatever you think you'll find easiest to remember! I used rootkit_scan) -
    alias rootkit_scan='~/scripts/rkhunter_scan.sh'

    then open a new terminal window and run rootkit_scan :cool:
     