Today's article has you checking your computer for rootkits.

[KGIII]

The tool we'll use is rkhunter. It's fairly easy and straightforward.

Let's Use rkhunter To Look For Rootkits • Linux Tips

In this article, we'll go hunting for rootkits with a tool known as 'rkhunter'. It's relatively easy to use rkhunter and this article will show you how.

linux-tips.us

Feedback is always welcome.

Edit: It's worth scrolling through to page #2 where there's a link to an article that's written better than my own. It's much more thorough and I'm okay with admitting that. I tend to do lighter articles and shorter articles.

 

[captain-sensible]

one thing you can run is:

[[email protected]:~][130]$ sudo rkhunter --update                                              (07-12 16:59)
[sudo] password for andrew:
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update
...................

Also chkrootkit is an alternative

If your 8 maybe false +ve is an actual output then it would be interesting for us; if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve and maybe we could all discuss and learn


Also if you look at my post on clamav - have included an ignore flag for say /proc/ because my understanding is that files can be infected, but that a virtual representation of a file can not ?

Also that if clamav is used to run through a virtual representation of a file system then that can sometimes flag up false +ve's


Is that , do you think also the case with rkhunter ?

 

[f33dm3bits]

Is rkhunter still of any use, the last update was in 2018 from the changelog or all the rkhunter data files still getting update on a regular basis? I just ran it once and mine shows this. I ran it once and I get a few warnings but that's because you should actually run rkhunter with the --propupd option when you first install your system. As well as some warnings about a configuration option for sshd, but nothing to worry about since most distributions set a default what the a setting hasn't been specifically set.

 

[captain-sensible]

that might explain that on running rkhunter --update , i never saw an update. With AUR they flag pkgs as outdated. I haven't got around to finding a pacman man way to check if pkgs don't get updated except by looking in /var/cache/pacman/pkg and noticing when i run pacman -Syu .

I use paccache to clean out the cache but retain at least two versions .

 

[f33dm3bits]

I didn't get any updates with the update flag either. I removed it again since I never had it installed before, I had just installed it to try it again after having read @KGIII's article.

 

[captain-sensible]

i've had a go installing chkrootkit from the AUR but got an error with key missing. I guess i will have to look at alternatives for rkhunter it can't find todays rookits if its not updated to know about them; at least with clamav you can see newly created viruses are added to virus sigs, when you run freshclam

 

[KGIII]

if you quote the lines in /var/log/rkhunter.log that prompted rkhunter to give a false +ve and maybe we could all discuss and learn

LOL That'd be an article far longer than I normally write. I try to keep 'em all under a 5 minute read, 'cause people don't read much more than that. They're things like a /.java directory, Thunderbird, Filezilla, Chrome all eating more memory than it likes, that sort of stuff.

the last update was in 2018

Now that I didn't notice. It was 'next' in my list of notes, so it got written. I did not check that. Good catch!

 

[captain-sensible]

Maybe you could distill it down to concepts ; guidelines to help identify say the main differences beween a false +ve and a possible genuine rootkit

Maybe do it as a part 2 on rootkits .i think you would find that your hits would be significantly up . On the article length if they are all under 5 minute you are only catering for those with short attention spans.

 

[craigevil]

chkrootkit at least is still being developed> http://www.chkrootkit.org/
Release Date: Jun 11 2021

I would suggest tools like lynis, samhain, tiger, aide, etc as well.
On a Debian based distro you can also use debsecan, and debsums.

 

[KGIII]

chkrootkit

I may need to do an article on that.

On the article length if they are all under 5 minute you are only catering for those with short attention spans.

The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...

 

[captain-sensible]

i've only just started understanding pkgbuild : https://linux.org/threads/exploring-the-pkgbuild-arch-script.35313/

The AUR for chkrootkit doesn't work; something to do with key. Also their pkgbuild looks like its dragging in "tiger" which i don't want


However i got chkrootkit working . I simple downloaded the tar from http://www.chkrootkit.org/

i manually unpacked , ran make sense then found it ran ./chkrootkit :

gunzip chkrootkit.tar.gz
tar xvf chkrootkit.tar

cd chkrootkit-0.55

make sense
./chkrootkit

So i think i will get rid of rkhunter.

I think if i add "make sense" to the build function in PKGBUILD and a bit of tweaking i should be able to produce a pkg. Any help getting that to work please see my basic PKGBUILD at link top of this post

 

[KGIII]

The AUR for chkrootkit doesn't work; something to do with key. Also their pkgbuild looks like its dragging in "tiger" which i don't want

For Debian/derivatives users, it's available in the default repos. So, there's that.

 

[captain-sensible]

a temporary hack is that i got the ASCII text executable file chkrootkit moved it to /usr/local/bin
and run as "sudo chkrootkit" output is:

[[email protected]:~][1]$ chkrootkit -V                             (07-13 18:18)
chkrootkit version 0.55
[[email protected]:~][1]$  sudo chkrootkit -r /                     (07-13 18:18)
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected

 

[captain-sensible]

I managed to get a pkgbuild working and installed version "Brazilian valentine 0.55 " chkrootkit properly via pacman

 

[captain-sensible]

I may need to do an article on that.



The majority of people (according to the research I read) tend to not read anything longer than six minutes. It's also why I give a time estimate.

I do like the idea of doing multi-part articles. Hmm...

we are waiting with anticipation

 

[KGIII]

LOL It'll be a bit before there are multi-part articles, but we'll try it and see where it goes.

 

[captain-sensible]

i will throw this one in : https://www.ossec.net/about/

 

[KGIII]

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.

 

[f33dm3bits]

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.

Have you tried turning it off and on again?

 

[stan]

My network is messed up. I can reach some sites, but not others. Some of the 'net works fine, the rest won't even load.

Among those that won't load is linux-tips.us. Hopefully it works in time for me to write tomorrow's article.

Sometimes changing the DNS server in your router can help you to find a path around the outage.

Cloudflare
Primary 1.1.1.1
Secondary 1.0.0.1

Google
Primary 8.8.8.8
Secondary 8.8.4.4

OpenDNS
Primary 208.67.222.222
Secondary 208.67.220.220