rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits. It does this by comparing the SHA-1 hashes of important files against known-good values from online databases, searching for default (or rootkit) directories, checking for incorrect file permissions and hidden files, looking for suspicious strings in kernel modules, and running tests specific to Linux and FreeBSD. The tool is written in Bourne shell for portability and can run on almost all UNIX-derived systems.
How the tool works
As noted above, the tool works by computing the hash of each binary and matching it against an online database. In addition, it scans for rootkits that are commonly installed. Rootkit Hunter can recognize the rootkits in the following list:
- 55808 Trojan - Variant A
- ADM Worm
- AjaKit Rootkit
- Adore Rootkit
- aPa Kit
- Apache Worm
- Ambient (ark) Rootkit
- Balaur Rootkit
- BeastKit Rootkit
- beX2 Rootkit
- BOBKit Rootkit
- cb Rootkit
- CiNIK Worm (Slapper.B variant)
- Danny-Boy's Abuse Kit
- Devil RootKit
- Diamorphine LKM
- Dica-Kit Rootkit
- Dreams Rootkit
- Duarawkz Rootkit
- Ebury backdoor
- Enye LKM
- Flea Linux Rootkit
- Fu Rootkit
- Fuck`it Rootkit
- GasKit Rootkit
- Heroin LKM
- HjC Kit
- ignoKit Rootkit
- IntoXonia-NG Rootkit
- Irix Rootkit
- Jynx Rootkit
- Jynx2 Rootkit
- KBeast Rootkit
- Kitko Rootkit
- Knark Rootkit
- ld-linuxv.so Rootkit
- Li0n Worm
- Lockit / LJK2 Rootkit
- Mokes backdoor
- Mood-NT Rootkit
- MRK Rootkit
- Ni0 Rootkit
- Ohhara Rootkit
- Optic Kit (Tux) Worm
- Oz Rootkit
- Phalanx Rootkit
- Phalanx2 Rootkit
- Phalanx2 Rootkit (extended tests)
- Portacelo Rootkit
- R3dstorm Toolkit
- RH-Sharpe's Rootkit
- RSHA's Rootkit
- Scalper Worm
- Sebek LKM
- Shutdown Rootkit
- SHV4 Rootkit
- SHV5 Rootkit
- Sin Rootkit
- Slapper Worm
- Sneakin Rootkit
- 'Spanish' Rootkit
- Suckit Rootkit
- Superkit Rootkit
- TBD (Telnet BackDoor)
- TeLeKiT Rootkit
- T0rn Rootkit
- trNkit Rootkit
- Trojanit Kit
- Tuxtendo Rootkit
- URK Rootkit
- Vampire Rootkit
- VcKit Rootkit
- Volc Rootkit
- Xzibit Rootkit
- zaRwT.KiT Rootkit
- ZK Rootkit
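To make the hash-and-permissions comparison described above concrete, here is a small POSIX shell script that does the same kind of file-properties check on a chosen set of binaries: it records a baseline of SHA-1 hashes and permission modes, then verifies the live files against it and flags anything that changed or went missing. This is an added example, not rkhunter's own code; it assumes GNU coreutils (sha1sum, stat -c) and paths without whitespace.

```shell
#!/bin/sh
# Added illustration of a file-properties check in the style of rkhunter.
# Assumes GNU coreutils (sha1sum, stat -c) and paths without whitespace.

# make_baseline BASELINE_FILE PATH...
# Writes one line per existing regular file: "<path> <sha1> <octal mode>".
make_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -f "$f" ] || continue
        sum=$(sha1sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")
        printf '%s %s %s\n' "$f" "$sum" "$mode" >> "$baseline"
    done
}

# verify_baseline BASELINE_FILE
# Re-hashes every recorded file and compares hash and mode with the baseline.
# Prints one status line per file; returns 0 if all match, 1 otherwise.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r f sum mode; do
        if [ ! -f "$f" ]; then
            echo "$f [ Missing ]"; status=1; continue
        fi
        cur_sum=$(sha1sum "$f" | cut -d' ' -f1)
        cur_mode=$(stat -c '%a' "$f")
        if [ "$cur_sum" != "$sum" ]; then
            echo "$f [ Warning: hash changed ]"; status=1
        elif [ "$cur_mode" != "$mode" ]; then
            echo "$f [ Warning: permissions changed ]"; status=1
        else
            echo "$f [ OK ]"
        fi
    done < "$baseline"
    return $status
}
```

The baseline must be taken on a system you trust (ideally right after installation) and stored somewhere an intruder cannot rewrite it, otherwise a tampered file simply becomes the new "known good" value.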
How to install
sudo apt-get update && sudo apt-get install rkhunter
If you want to install from source:
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --layout default --install
For other installation options, run:
./installer.sh --help
How to use Rootkit Hunter
Using rkhunter is easy: run the command
rkhunter --check
Example output:
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide [ OK ]
/usr/sbin/unhide-linux [ OK ]
/usr/sbin/unhide-posix [ OK ]
/usr/sbin/unhide-tcp [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ipcs [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/lynx [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
For a list of all available options, run:
rkhunter --help