Today's article has you checking your computer for rootkits.

KGIII

The tool we'll use is rkhunter. It's fairly easy and straightforward.


Feedback is always welcome.

Edit: It's worth scrolling through to page #2 where there's a link to an article that's written better than my own. It's much more thorough and I'm okay with admitting that. I tend to do lighter articles and shorter articles.
 


One thing you can run is:
Code:
[andrew@darkstar:~][130]$ sudo rkhunter --update                                              (07-12 16:59)
[sudo] password for andrew:
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update
...................

Also chkrootkit is an alternative

If your "8 maybe false +ve" is actual output, it would be interesting for us; if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve, maybe we could all discuss and learn.


Also, if you look at my post on clamav, I have included an ignore flag for, say, /proc/, because my understanding is that files can be infected but that a virtual representation of a file cannot?

Also, if clamav is used to run through a virtual representation of a file system, that can sometimes flag up false +ve's.


Is that, do you think, also the case with rkhunter?
 
Is rkhunter still of any use? The last update was in 2018 according to the changelog; or are all the rkhunter data files still getting updated on a regular basis? I just ran it once and mine shows this. I ran it once and I get a few warnings, but that's because you should actually run rkhunter with the --propupd option when you first install your system, as well as some warnings about a configuration option for sshd, but nothing to worry about since most distributions set a default when the setting hasn't been specifically set.
 
That might explain why, on running rkhunter --update, I never saw an update. With the AUR they flag pkgs as outdated. I haven't got around to finding a pacman way to check if pkgs don't get updated, except by looking in /var/cache/pacman/pkg and noticing when I run pacman -Syu.

I use paccache to clean out the cache but retain at least two versions.
 
I didn't get any updates with the update flag either. I removed it again since I never had it installed before, I had just installed it to try it again after having read @KGIII's article.
 
I've had a go installing chkrootkit from the AUR but got an error with a key missing. I guess I will have to look at alternatives for rkhunter; it can't find today's rootkits if it's not updated to know about them. At least with clamav you can see newly created viruses being added to the virus sigs when you run freshclam.
 
if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve and maybe we could all discuss and learn

LOL That'd be an article far longer than I normally write. I try to keep 'em all under a 5 minute read, 'cause people don't read much more than that. They're things like a /.java directory, Thunderbird, Filezilla, Chrome all eating more memory than it likes, that sort of stuff.

the last update was in 2018

Now that I didn't notice. It was 'next' in my list of notes, so it got written. I did not check that. Good catch!
 
Maybe you could distill it down to concepts; guidelines to help identify, say, the main differences between a false +ve and a possible genuine rootkit.

Maybe do it as a part 2 on rootkits. I think you would find that your hits would be significantly up. On the article length, if they are all under 5 minutes you are only catering for those with short attention spans.
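As an added example (not from this thread or from the rkhunter project) of the "false +ve versus genuine rootkit" triage asked for above: the script below reads rkhunter's log, groups each "Warning:" entry with its indented continuation lines, and separates warnings an admin has already investigated and allowlisted from those that still need a look. The log sample is constructed (modelled on the /var/log/rkhunter.log line layout, with the /.java directory and sshd option mentioned in the thread), the hashes are dummy values, and the KNOWN_BENIGN allowlist is a hypothetical one you would maintain per host.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample of /var/log/rkhunter.log content (not taken from any real host).
# rkhunter stamps every line with a time; multi-line warnings continue on indented
# lines that carry the same stamp.
SAMPLE_LOG = """\
[16:59:01] Info: Starting test name 'filesystem'
[16:59:02] Warning: Hidden directory found: /etc/.java
[16:59:02] Warning: Hidden file found: /dev/shm/pulse-shm-1234: data
[16:59:03]   Checking for passwordless user accounts             [ None found ]
[16:59:04] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[16:59:04]          The default value may be 'yes', to allow root access.
[16:59:05] Warning: The file properties have changed:
[16:59:05]          File: /usr/bin/ls
[16:59:05]          Current hash: 1111111111111111111111111111111111111111111111111111111111111111
[16:59:05]          Stored hash : 2222222222222222222222222222222222222222222222222222222222222222
[16:59:06] Info: End of test name 'filesystem'
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (.*)$")

# Hypothetical allowlist: warnings this admin has already investigated on this host
# and judged benign (the /.java directory and the sshd option discussed in the thread).
KNOWN_BENIGN: List[Pattern[str]] = [
    re.compile(r"^Hidden directory found: /etc/\.java$"),
    re.compile(r"^The SSH configuration option 'PermitRootLogin' has not been set\.$"),
]


def parse_warnings(log_text: str) -> List[Dict[str, object]]:
    """Collect every 'Warning:' entry together with its indented continuation lines."""
    warnings: List[Dict[str, object]] = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, body = m.groups()
        if body.startswith("Warning: "):
            current = {"time": stamp, "message": body[len("Warning: "):], "details": []}
            warnings.append(current)
        elif current is not None and body.startswith("    "):
            # Deeply indented line under the same stamp: part of the previous warning.
            current["details"].append(body.strip())
        else:
            current = None  # any other line ends the warning block
    return warnings


def triage(warnings, allowlist=KNOWN_BENIGN) -> Tuple[List[dict], List[dict]]:
    """Split warnings into ones matching the allowlist and ones that still need a look."""
    benign, review = [], []
    for w in warnings:
        (benign if any(p.search(str(w["message"])) for p in allowlist) else review).append(w)
    return benign, review


def report(log_text: str) -> str:
    """Human-readable summary: counts first, then the warnings left to investigate."""
    benign, review = triage(parse_warnings(log_text))
    lines = [f"{len(benign)} known-benign warning(s), {len(review)} to review"]
    for w in review:
        lines.append(f"[{w['time']}] {w['message']}")
        lines.extend(f"    {d}" for d in w["details"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The point of the allowlist is that it matches exact messages, not categories: a second hidden directory is still reported. "The file properties have changed" is the warning that `--propupd` silences, so before refreshing the property database it is worth confirming the changed file came from a package update (on Debian, debsums as mentioned later in the thread does that comparison) rather than accepting the new baseline blindly.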
 
chkrootkit at least is still being developed: http://www.chkrootkit.org/
Release Date: Jun 11 2021

I would suggest tools like lynis, samhain, tiger, aide, etc as well.
On a Debian based distro you can also use debsecan, and debsums.
 
chkrootkit

I may need to do an article on that.

On the article length, if they are all under 5 minutes you are only catering for those with short attention spans.

The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...
 
I've only just started understanding PKGBUILD: https://linux.org/threads/exploring-the-pkgbuild-arch-script.35313/

The AUR for chkrootkit doesn't work; something to do with a key. Also their PKGBUILD looks like it's dragging in "tiger", which I don't want.


However, I got chkrootkit working. I simply downloaded the tar from http://www.chkrootkit.org/

I manually unpacked it, ran make sense, then found it ran with ./chkrootkit:
Code:
gunzip chkrootkit.tar.gz
tar xvf chkrootkit.tar

cd chkrootkit-0.55

make sense
./chkrootkit

So I think I will get rid of rkhunter.

I think if I add "make sense" to the build function in the PKGBUILD, with a bit of tweaking, I should be able to produce a pkg. For any help getting that to work, please see my basic PKGBUILD at the link at the top of this post.
 
The AUR for chkrootkit doesn't work; something to do with a key. Also their PKGBUILD looks like it's dragging in "tiger", which I don't want.

For Debian/derivatives users, it's available in the default repos. So, there's that.
 
A temporary hack is that I took the ASCII text executable file chkrootkit and moved it to /usr/local/bin,
and run it as "sudo chkrootkit"; the output is:
Code:
[andrew@darkstar:~][1]$ chkrootkit -V                             (07-13 18:18)
chkrootkit version 0.55
[andrew@darkstar:~][1]$  sudo chkrootkit -r /                     (07-13 18:18)
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
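Added example, not from this thread or from the chkrootkit project: a small summariser for the per-test output shown above, so that a long `chkrootkit -r /` run collapses to counts plus the lines that actually need attention. The sample output is constructed (the INFECTED and PACKET SNIFFER lines are put in on purpose to exercise the triage), and the category names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of `sudo chkrootkit -r /` output (not captured from a real host);
# the INFECTED and PACKET SNIFFER lines are deliberately included to exercise the triage.
SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `login'... INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhclient[842])
Checking `lkm'... chkproc: nothing detected
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/debug/.build-id
"""

CHECK_RE = re.compile(r"^Checking `(?P<test>[^']+)'\.\.\.\s*(?P<result>.*)$")
ALARM_WORDS = ("INFECTED", "PACKET SNIFFER", "Possible")


def classify(result: str) -> str:
    """Map a chkrootkit per-test result string onto a triage category."""
    r = result.strip()
    if r == "not infected":
        return "clean"
    if r == "not found":
        return "absent"      # binary is not present on this system, so nothing was tested
    if any(word in r for word in ALARM_WORDS):
        return "suspect"
    return "info"            # free-form result (sniffer, lkm, ...) that should be read


def summarize(output: str) -> Dict[str, object]:
    """Bucket every test line; keep suspect/info lines and any non-test output verbatim."""
    counts: Counter = Counter()
    suspect: List[Tuple[str, str]] = []
    info: List[Tuple[str, str]] = []
    extra: List[str] = []
    last_test = "?"
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.startswith("ROOTDIR is"):
            continue
        m = CHECK_RE.match(line)
        if m:
            last_test = m["test"]
            cat = classify(m["result"])
            counts[cat] += 1
            if cat == "suspect":
                suspect.append((last_test, m["result"].strip()))
            elif cat == "info":
                info.append((last_test, m["result"].strip()))
        elif any(word in line for word in ALARM_WORDS):
            # Continuation line (e.g. per-interface sniffer output) that raises an alarm
            suspect.append((last_test, line))
        else:
            extra.append(line)   # "Searching for ..." listings: review by hand
    return {"counts": dict(counts), "suspect": suspect, "info": info, "extra": extra}


if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUT)
    print("counts:", s["counts"])
    for test, detail in s["suspect"]:
        print(f"SUSPECT  {test}: {detail}")
    for test, detail in s["info"]:
        print(f"info     {test}: {detail}")
    for line in s["extra"]:
        print(f"extra    {line}")
```

A "suspect" hit is a prompt to look, not a verdict: the constructed sniffer line names the process holding the packet socket (a DHCP client here), and checking what that process is and which package owns it is the first step before treating it as a rootkit. chkrootkit's own `-q` option gives a quieter run that prints only the noteworthy lines, which is handy once you are used to the full output.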
 
I managed to get a PKGBUILD working and installed chkrootkit version "Brazilian valentine 0.55" properly via pacman.
 

Attachments: pkgbuild.zip (498 bytes)
I may need to do an article on that.



The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...
We are waiting with anticipation.
 
LOL It'll be a bit before there are multi-part articles, but we'll try it and see where it goes.
 
My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
 
My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
Have you tried turning it off and on again?
 
My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.
Sometimes changing the DNS server in your router can help you to find a path around the outage.

Cloudflare
Primary 1.1.1.1
Secondary 1.0.0.1

Google
Primary 8.8.8.8
Secondary 8.8.4.4

OpenDNS
Primary 208.67.222.222
Secondary 208.67.220.220
 

