Following on from my previous articles, there are several good malware detection tools out there. These scanners notify you of malware, hopefully before your clients do. Some of the common ones include:
chkrootkit
Linux Malware Detect (maldet)
rkhunter
Each has its own strong points, and they complement each other nicely when used together, depending on the solution's security strategy.
rkhunter is similar in nature to chkrootkit, and the two work well side by side. Taken from Wikipedia's page:
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.
Procedure
On CentOS and RHEL systems, rkhunter can be installed from the EPEL repositories. If you do not have EPEL installed, the first command in each block below sets it up. The exact epel-release package version in these URLs changes over time (on CentOS 7, `yum install epel-release` from the stock extras repository avoids the problem entirely), and since the download is over plain HTTP you should import the EPEL GPG key and let rpm verify the package signature rather than trusting the download itself. The mailx package (mailutils on Debian/Ubuntu) provides the mail command that rkhunter's default MAIL_CMD uses to send reports. Installing rkhunter is straightforward, as shown below:
# CentOS 5 / RedHat 5
[root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
[root@web01 ~]# yum install rkhunter mailx

# CentOS 6 / RedHat 6
[root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@web01 ~]# yum install rkhunter mailx

# CentOS 7 / RedHat 7
[root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
[root@web01 ~]# yum install rkhunter mailx

# Ubuntu / Debian
[root@web01 ~]# apt-get update
[root@web01 ~]# apt-get install rkhunter mailutils
Now that the installation is out of the way, let's configure rkhunter to send an email if a warning is found during a scan:
[root@web01 ~]# vim /etc/rkhunter.conf
# Change
MAIL-ON-WARNING=""
# To
MAIL-ON-WARNING="[email protected]"
Now fetch the latest data files, create a baseline, and run an on-demand scan (`-c` is `--check`, `-sk` is `--skip-keypress`). Note that `--propupd` records the current properties of every monitored file as the trusted baseline, so only run it on a system you have good reason to believe is clean, ideally right after installation. Run it again only after a package update you have verified (for example with `rpm -V` or `dpkg --verify`); re-baselining blindly after a warning would turn a replaced binary into part of the baseline and silence the very alert you want.
[root@web01 ~]# rkhunter --update
[root@web01 ~]# rkhunter --propupd
[root@web01 ~]# rkhunter -sk -c
On CentOS and RHEL, the package ships a daily cron job so the scan runs automatically. First, confirm the cron job exists:
[root@web01 ~]# cat /etc/cron.daily/rkhunter
Now, update the rkhunter cron configuration with your email address so you can receive the nightly reports:
[root@web01 ~]# vi /etc/sysconfig/rkhunter
# Change
MAILTO=root@localhost
# To
MAILTO=[email protected]
On Ubuntu and Debian based systems, confirm the cron job exists:
[root@web01 ~]# cat /etc/cron.daily/rkhunter
Now, update the rkhunter cron configuration with your email address so you can receive the nightly reports:
[root@web01 ~]# vi /etc/default/rkhunter
# Change
APT_AUTOGEN="false"
REPORT_EMAIL="root"
# To
APT_AUTOGEN="true"
REPORT_EMAIL="[email protected]"
NOTE: See https://help.ubuntu.com/community/RKhunter for more information about APT_AUTOGEN. With APT_AUTOGEN="true", the Debian package's APT hook runs `rkhunter --propupd` after every apt run, so the baseline silently follows whatever apt installs. That removes post-upgrade false positives, but it also means a malicious package, or anything else changed while apt runs, is accepted into the baseline without review; leave it "false" if you prefer to verify each upgrade and re-baseline by hand. In the same file, also confirm CRON_DAILY_RUN (the daily scan) and CRON_DB_UPDATE (the weekly data-file update) are set to "true", otherwise the cron job exists but does nothing.
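The caveat running through the steps above is that `rkhunter --propupd` trusts whatever is on disk. The script below, which is an added example and not code from the original article or from the rkhunter project, gates the re-baseline behind a policy: file-property warnings are accepted only if the package manager (`rpm -V` or `dpkg --verify`) still vouches for each changed file, and any other kind of warning blocks the re-baseline until someone looks. The function names, the RKH_APPLY variable and the sample rkhunter output are this example's own; the samples are constructed to approximate the `--rwo` (report warnings only) format and were not captured from a real host.

```shell
#!/bin/sh
# Added example: gate `rkhunter --propupd` behind a policy instead of running
# it blindly, because --propupd records whatever is on disk as the trusted
# baseline and would whitelist a rootkit's replacement binaries.
# Function names and RKH_APPLY are this example's own choices.
set -u

# Constructed sample of `rkhunter --check --sk --rwo --nocolors` output that
# approximates the real format; it was not captured from a real host.
sample_output() {
cat <<'EOF'
Warning: The file properties have changed:
         File: /usr/bin/ls
         Current hash: 1111111111111111111111111111111111111111
         Stored hash : 2222222222222222222222222222222222222222
Warning: The file properties have changed:
         File: /usr/bin/find
         Current hash: 3333333333333333333333333333333333333333
         Stored hash : 4444444444444444444444444444444444444444
Warning: Hidden directory found: /dev/.udev
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl script text executable
EOF
}

# Constructed sample of the same output right after a package upgrade:
# only file-property warnings, nothing else.
sample_after_update() {
cat <<'EOF'
Warning: The file properties have changed:
         File: /usr/bin/ls
         Current hash: 1111111111111111111111111111111111111111
         Stored hash : 2222222222222222222222222222222222222222
EOF
}

# Number of warnings in warnings-only output on stdin.
count_warnings() { grep -c '^Warning:' || true; }

# Paths named under "file properties have changed" warnings (stdin).
changed_files() {
    awk '/^Warning: The file properties have changed/ { inprop = 1; next }
         /^Warning:/                                   { inprop = 0 }
         inprop && $1 == "File:"                       { print $2 }'
}

# Every warning that is not a plain file-property change (stdin).
other_warnings() {
    grep '^Warning:' | grep -v '^Warning: The file properties have changed' || true
}

# stdin: `rpm -V` or `dpkg --verify` output. Exit 0 if $1 is listed as
# modified (the path is the last field of a verify line).
listed_as_modified() {
    awk -v f="$1" '$NF == f { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 only if the package database vouches for file $1.
verify_with_pkg_db() {
    f=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 || return 1          # unowned file: untrusted
        rpm -Vf "$f" 2>/dev/null | listed_as_modified "$f" && return 1
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] || return 1                         # unowned file: untrusted
        dpkg --verify "$pkg" 2>/dev/null | listed_as_modified "$f" && return 1
    else
        return 1                                          # no package database: cannot vouch
    fi
    return 0
}

# Read warnings-only output on stdin; exit 0 if a re-baseline is acceptable,
# 1 if someone must investigate first. $1 overrides the per-file verifier
# (used by the tests). Paths containing whitespace are not handled.
propupd_decision() {
    verify=${1:-verify_with_pkg_db}
    out=$(cat)
    others=$(printf '%s\n' "$out" | other_warnings)
    if [ -n "$others" ]; then
        printf 'BLOCK: warnings other than file-property changes:\n%s\n' "$others" >&2
        return 1
    fi
    for f in $(printf '%s\n' "$out" | changed_files); do
        "$verify" "$f" && continue
        printf 'BLOCK: %s is not vouched for by the package database\n' "$f" >&2
        return 1
    done
    return 0
}

# Real run, only when rkhunter is installed and RKH_APPLY=1 is set.
if [ "${RKH_APPLY:-0}" = 1 ] && command -v rkhunter >/dev/null 2>&1; then
    if rkhunter --check --sk --rwo --nocolors | propupd_decision; then
        rkhunter --propupd
    fi
fi
```

Run it as `RKH_APPLY=1 sh rkhunter-rebaseline.sh` from the daily cron job after the packaged scan, or by hand after an upgrade; without RKH_APPLY it only defines the functions, so it can be sourced and exercised against the constructed samples. The package-database check is deliberately the only thing that can approve a changed file: a binary the package manager does not own, or does not recognise, never gets into the baseline automatically.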