Una vez presentadas las características de los rootkits y la herramienta que tenemos en Linux para combatirlos, vamos a pasar a instalar Rkhunter 1.3.6 en una máquina CentOS 5.4 de 64 bits.
Rkhunter puede instalarse de forma permanente en el sistema:
[root@centos ~]# tar zxf rkhunter-1.3.6.tar.gz
[root@centos ~]# cd rkhunter-1.3.6
[root@centos rkhunter-1.3.6]# ./installer.sh --install
O de forma temporal:
[root@centos ~]# mkdir /tmp/rkh
[root@centos ~]# cd /tmp/rkh
[root@centos rkh]# tar zxf rkhunter-1.3.6.tar.gz
[root@centos rkh/rkhunter-]# cd rkhunter-1.3.6
[root@centos rkhunter-1.3.6]# ./installer.sh --layout custom . --install
[root@centos rkhunter-1.3.6]# cd files
Para el caso del presente artículo emplearemos la forma temporal. Lo primero que haremos será actualizar las bases de datos con la información del malware actualizada por los desarrolladores de Rkhunter, y a continuación, crearemos una base de datos inicial (rkhunter.dat) con la información (MD5, permisos, etc.) de los principales binarios del sistema.
[root@centos files]# ./rkhunter --update
[ Rootkit Hunter version 1.3.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
...
[root@centos files]# ./rkhunter --propupd
[ Rootkit Hunter version 1.3.6 ]
File created: searched for 159 files, found 134, missing hashes 35
Si en algún momento alguno de los binarios sufre algún tipo de modificación, tendremos que volver a ejecutar la opción propupd.
Para realizar un escaneo ejecutaremos el siguiente comando (se ha obviado parte de la salida del comando):
[root@centos files]# ./rkhunter --check --sk
[ Rootkit Hunter version 1.3.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
...
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
...
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
...
Performing malware checks
Checking running processes for suspicious files [ None found ]
...
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
...
Checking the network...
Performing check for backdoor ports
Checking for TCP port 1524 [ Not found ]
Checking for TCP port 1984 [ Not found ]
...
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
...
Performing group and account checks
Checking for passwd file [ Found ]
...
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
...
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions...
Checking version of GnuPG [ OK ]
...
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 134
Suspect files: 5
Rootkit checks...
Rootkits checked : 253
Possible rootkits: 0
Applications checks...
Applications checked: 4
Suspect applications: 2
Dentro del log (rkhunter.log) podremos encontrar información más detallada sobre los warnings y errores encontrados.
Rkhunter dispone de un fichero de configuración donde podremos definir distintas opciones del escaneo (por ejemplo si está permitido el acceso por SSH para root).
[root@centos files]# cat rkhunter.conf
...
ALLOW_SSH_ROOT_USER=yes