Today's article has you checking your computer for rootkits.

KGIII

The tool we'll use is rkhunter. It's fairly easy and straightforward.


Feedback is always welcome.

Edit: It's worth scrolling through to page #2 where there's a link to an article that's written better than my own. It's much more thorough and I'm okay with admitting that. I tend to do lighter articles and shorter articles.
 


captain-sensible

One thing you can run is:
Code:
[[email protected]:~][130]$ sudo rkhunter --update                                              (07-12 16:59)
[sudo] password for andrew:
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update
...................
Also, chkrootkit is an alternative.

If your "8 maybe false +ve" is an actual output, then it would be interesting for us: if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve, maybe we could all discuss and learn.


Also, if you look at my post on clamav, I have included an ignore flag for, say, /proc/, because my understanding is that files can be infected, but that a virtual representation of a file cannot?

Also, that if clamav is used to run through a virtual representation of a file system, then that can sometimes flag up false +ve's.


Is that, do you think, also the case with rkhunter?
 

f33dm3bits

Is rkhunter still of any use? The last update was in 2018 according to the changelog, or are all the rkhunter data files still getting updated on a regular basis? I just ran it once and mine shows this. I ran it once and I get a few warnings, but that's because you should actually run rkhunter with the --propupd option when you first install your system. As well as some warnings about a configuration option for sshd, but nothing to worry about, since most distributions set a default when a setting hasn't been specifically set.
 

captain-sensible

That might explain why, on running rkhunter --update, I never saw an update. With AUR they flag pkgs as outdated. I haven't got around to finding a pacman way to check if pkgs don't get updated, except by looking in /var/cache/pacman/pkg and noticing when I run pacman -Syu.

I use paccache to clean out the cache but retain at least two versions.
 

f33dm3bits

I didn't get any updates with the update flag either. I removed it again since I never had it installed before, I had just installed it to try it again after having read @KGIII's article.
 

captain-sensible

I've had a go installing chkrootkit from the AUR but got an error with a key missing. I guess I will have to look at alternatives for rkhunter; it can't find today's rootkits if it's not updated to know about them. At least with clamav you can see newly created viruses are added to virus sigs when you run freshclam.
 

KGIII

if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve, maybe we could all discuss and learn
LOL, that'd be an article far longer than I normally write. I try to keep 'em all under a 5-minute read, 'cause people don't read much more than that. They're things like a /.java directory, Thunderbird, Filezilla, Chrome all eating more memory than it likes, that sort of stuff.

the last update was in 2018
Now that I didn't notice. It was 'next' in my list of notes, so it got written. I did not check that. Good catch!
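As an added example (not from the thread, and not part of rkhunter itself): a small POSIX shell helper that pulls the Warning lines out of /var/log/rkhunter.log, drops the ones matching a fixed-string allowlist you maintain for hits you have already judged benign (the /.java directory and the sshd option warning mentioned above), and prints the rest for a human look. The log lines and the allowlist below are constructed samples so it runs without a real scan.

```shell
#!/bin/sh
# Added example, not from the thread or the rkhunter project.
# Triage rkhunter warnings: everything rkhunter flags lands in its log as
# "[HH:MM:SS] Warning: ..." lines; known-benign hits go in an allowlist file
# (one fixed string per line) and only the rest are printed for review.

RKLOG="${RKLOG:-/var/log/rkhunter.log}"   # rkhunter's default log path

# Print each Warning line from log $1 with its timestamp stripped.
rk_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: //p' "$1"
}

# Print warnings from log $1 that match no fixed-string pattern in allowlist $2.
# grep -v exits 1 when nothing is left over, which is the good case, hence || true.
rk_unreviewed() {
    rk_warnings "$1" | grep -vF -f "$2" || true
}

# Number of warnings from log $1 still needing review against allowlist $2.
rk_unreviewed_count() {
    rk_unreviewed "$1" "$2" | grep -c . || true
}

# Constructed sample log, shaped like rkhunter's own lines, so this runs offline.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[16:59:10] Info: Starting test name 'filesystem'
[16:59:11] Warning: Hidden directory found: /etc/.java
[16:59:11] Warning: Hidden directory found: /dev/.udev
[16:59:12] Info: Starting test name 'apps'
[16:59:13] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
EOF

# Constructed allowlist: the hits the thread treats as expected on a desktop.
# Keep each pattern as specific as possible; "Hidden directory found" alone
# would also hide a directory that something malicious dropped.
ALLOWLIST="$(mktemp)"
cat > "$ALLOWLIST" <<'EOF'
Hidden directory found: /etc/.java
The SSH configuration option 'PermitRootLogin'
EOF

# Use the real log when it is readable, otherwise the sample.
LOG="$SAMPLE_LOG"
if [ -r "$RKLOG" ]; then LOG="$RKLOG"; fi
echo "Warnings still to review in $LOG: $(rk_unreviewed_count "$LOG" "$ALLOWLIST")"
rk_unreviewed "$LOG" "$ALLOWLIST"
```

Anything the script prints is a warning nobody has looked at yet; once you have checked one and found it benign, add its exact text to the allowlist rather than a broad substring.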
 

captain-sensible

Maybe you could distill it down to concepts: guidelines to help identify, say, the main differences between a false +ve and a possible genuine rootkit.

Maybe do it as a part 2 on rootkits. I think you would find that your hits would be significantly up. On the article length, if they are all under 5 minutes you are only catering for those with short attention spans.
 

craigevil

chkrootkit at least is still being developed: http://www.chkrootkit.org/
Release Date: Jun 11 2021

I would suggest tools like lynis, samhain, tiger, aide, etc as well.
On a Debian based distro you can also use debsecan, and debsums.
 

KGIII

chkrootkit
I may need to do an article on that.

On the article length if they are all under 5 minute you are only catering for those with short attention spans.
The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...
 

captain-sensible

I've only just started understanding PKGBUILD: https://linux.org/threads/exploring-the-pkgbuild-arch-script.35313/

The AUR for chkrootkit doesn't work; something to do with a key. Also, their PKGBUILD looks like it's dragging in "tiger", which I don't want.


However, I got chkrootkit working. I simply downloaded the tar from http://www.chkrootkit.org/

I manually unpacked it, ran make sense, then found it ran as ./chkrootkit:
Code:
gunzip chkrootkit.tar.gz
tar xvf chkrootkit.tar

cd chkrootkit-0.55

make sense
./chkrootkit
So I think I will get rid of rkhunter.

I think if I add "make sense" to the build function in PKGBUILD, and with a bit of tweaking, I should be able to produce a pkg. For any help getting that to work, please see my basic PKGBUILD at the link at the top of this post.
 

KGIII

The AUR for chkrootkit doesn't work; something to do with a key. Also, their PKGBUILD looks like it's dragging in "tiger", which I don't want.
For Debian/derivatives users, it's available in the default repos. So, there's that.
 

captain-sensible

A temporary hack is that I took the ASCII text executable file chkrootkit, moved it to /usr/local/bin, and ran it as "sudo chkrootkit". The output is:
Code:
[[email protected]:~][1]$ chkrootkit -V                             (07-13 18:18)
chkrootkit version 0.55
[[email protected]:~][1]$  sudo chkrootkit -r /                     (07-13 18:18)
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
 

captain-sensible

I may need to do an article on that.

The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...
We are waiting with anticipation.
 

KGIII

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
 

f33dm3bits

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
Have you tried turning it off and on again?
 

stan

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
Sometimes changing the DNS server in your router can help you to find a path around the outage.

Cloudflare
Primary 1.1.1.1
Secondary 1.0.0.1

Google
Primary 8.8.8.8
Secondary 8.8.4.4

OpenDNS
Primary 208.67.222.222
Secondary 208.67.220.220
 