Qadry
unixcop Admin

How to Install Rootkit Hunter in Linux

Introduction

rkhunter (Rootkit Hunter) is is an open-source Unix/Linux based security monitoring and analyzing tool. It is a shell script which carries out various checks on the local system to try and detect known rootkits and malware.

rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular OS (Fedora, Debian, etc.)

The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.

This article will help you with the installation and config. rkhunter.

Just follow the steps below:

Download Rkhunter

  • Download Rkhunter with running commands below:
cd /mnt
wget https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
[root@unixcop mnt]# wget https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
--2021-10-03 10:36:20--  https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
Resolving netix.dl.sourceforge.net (netix.dl.sourceforge.net)... 87.121.121.2
Connecting to netix.dl.sourceforge.net (netix.dl.sourceforge.net)|87.121.121.2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 302137 (295K) [application/x-gzip]
Saving to: 'rkhunter-1.4.6.tar.gz'

rkhunter-1.4.6.tar.gz                 100%[=======================================================================>] 295.06K  90.0KB/s    in 3.3s    

2021-10-03 10:36:24 (90.0 KB/s) - 'rkhunter-1.4.6.tar.gz' saved [302137/302137]

[root@unixcop mnt]#

For the latest version Click the button below

Install Rkhunter

  • Extract RkHunter tarball and run the installation script as shown:
tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --install
[root@unixcop rkhunter-1.4.6]# ./installer.sh --install

Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr/local": it exists and is writable.
 Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
  Directory /usr/local/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/local/bin: exists and is writable.
  Directory /usr/local/lib64: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/local/lib64/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete
[root@unixcop rkhunter-1.4.6]#
  • The installer with help option can be displayed with command:
./installer.sh --help

Notes:

  • After installation, the configuration file rkhunter.conf will be added into /etc .
  • This file that called rkhunter.conf.local must reside in the same directory as the main configuration file.

Update Rkhunter

  • To update the rkhunter, run this command below:
rkhunter --update
  • Fill the file properties database as shown below:
rkhunter --propupd
[root@unixcop rkhunter-1.4.6]#  rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 132, missing hashes 1
[root@unixcop rkhunter-1.4.6]#

Run Rkhunter

  • Scan the file system
rkhunter -c

Note:

This command generates a log file under /var/log/rkhunter.log

  • To check these logs , run:
cat /var/log/rkhunter.log
  • Check only warnings using grep command:
grep Warning /var/log/rkhunter.log
  • Check man page for RkHunter.
man rkhunter

Conclusion

Here we go, we’ve seen how to install Rootkit Hunter rkhunter in Linux and also explained some rkhunter config settings.

That’s all, Thank you !!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

x