
Feature: Security

Is there a rootkit hunter in your arsenal?

By Joe Barr on April 07, 2004 (8:00:00 AM)


It's been about three years since I woke up one morning and discovered my Web/mail server was rooted. Thinking back, I must have assumed that just running Linux was enough to keep me out of harm's way. These days I am not so cocky. I try to keep current with security patches for the apps I run. I don't run services I don't need or use. And there is a firewall between me and the wild. One thing I haven't made a part of my regular routine -- not yet, at least -- is checking for rootkits on a regular basis. That may be about to change, since I found a nifty little project called rootkit hunter.

Michael Boelen was motivated to create the rootkit hunter one day after he and a friend accidentally scanned a machine with a brand new installation of FreeBSD 5.0. The machine had no Internet connection, and yet the tool they used, chkrootkit, reported "backdoored" binaries. Since chkrootkit is open source, they looked at the code and found that a reserved keyword for a new option in FreeBSD was causing the false positive. As a result, he decided to write his own script from scratch. Not because he disliked chkrootkit -- he says he still uses it -- but simply to create a tool for a "second opinion" when chkrootkit indicated a problem.

Boelen's "second opinion" script is now more than 3,000 lines long. It will run on virtually any flavor of Unix. It calls other shell or Perl scripts to do things like check whether a module is loaded, see what ports are open, generate MD5 checksums, and scan critical directories for tell-tale "evil" strings that give away the presence of certain kits.

According to the website, rkhunter scans for "rootkits, backdoors, and local exploits" by running:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
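As an added example (not code from rkhunter or Michael Boelen), here is a minimal POSIX shell script in the spirit of the MD5 hash compare, file permission and hidden-file checks listed above: it records a baseline of hashes and modes for a set of binaries, later reports any file that changed, lost its recorded mode or became world-writable, and lists dot-files in a directory. It assumes GNU coreutils (md5sum, stat -c) as found on Linux, and the file names in the demonstration are constructed in a temporary directory.

```shell
# Added example, not rkhunter's own code. Assumes GNU coreutils (md5sum, stat -c).

# create_baseline BASELINE FILE... : record "md5 mode path" for each existing file
create_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        [ -f "$f" ] || continue
        sum=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(stat -c '%a' "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE : print one line per finding; exit 0 if clean, 1 otherwise
verify_baseline() {
    bad=0
    while read -r sum mode f; do
        if [ ! -f "$f" ]; then echo "MISSING $f"; bad=$((bad + 1)); continue; fi
        cur=$(md5sum "$f" | cut -d' ' -f1)
        [ "$cur" = "$sum" ] || { echo "CHANGED $f"; bad=$((bad + 1)); }
        curmode=$(stat -c '%a' "$f")
        [ "$curmode" = "$mode" ] || { echo "MODE $f $mode->$curmode"; bad=$((bad + 1)); }
        # the others-write bit on a system binary is suspicious whatever the baseline says
        case "$curmode" in *[2367]) echo "WORLDWRITABLE $f"; bad=$((bad + 1)) ;; esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# find_hidden DIR : list dot-files below DIR (rkhunter flags these in places like /dev)
find_hidden() {
    find "$1" -name '.*' ! -name '.' ! -name '..' 2>/dev/null
}

# Stand-alone demonstration on constructed files in a temporary directory
demo() {
    d=$(mktemp -d)
    printf 'original\n' > "$d/ls"; chmod 755 "$d/ls"
    printf 'original\n' > "$d/ps"; chmod 755 "$d/ps"
    create_baseline "$d/baseline.md5" "$d/ls" "$d/ps"
    printf 'replaced\n' > "$d/ps"      # simulate a replaced binary
    chmod 777 "$d/ls"                  # simulate a permission change
    touch "$d/.hidden"                 # simulate a hidden file
    verify_baseline "$d/baseline.md5" || echo "baseline check failed, as expected"
    find_hidden "$d"
    rm -rf "$d"
}
demo
```

The baseline file must itself be kept somewhere an intruder with root cannot rewrite (read-only media or another host), otherwise the comparison proves nothing.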

Installation is as easy as downloading and decompressing the tarball (using tar's p option to ensure the file permissions are preserved), then, as root, executing the script found in the rkhunter directory. Root permissions are required to run the script.

Once installed, entering the command rkhunter without any arguments simply prints the help page. The first time I ran it for real (with the -c (for "check all") and --createlogfile arguments) rkhunter ran for 31 seconds. After familiarizing itself with the landscape of my machine and running some selftests, it ran more than 300 tests to scan for nearly 50 different rootkits. The log reports it searched unsuccessfully for: 55808 Trojan - Variant A, aPa Kit, Apache Worm, Ambient (ark) Rootkit, BeastKit, BOBKit, CiNIK Worm (Slapper.B variant), Danny-Boy's Abuse Kit, Devil RootKit, Dica, Dreams Rootkit, Duarawkz, Flea Linux Rootkit, FreeBSD Rootkit, Fuck`it Rootkit, GasKit, Heroin LKM, HjC Kit, ImperalsS-FBRK, Kitko, Knark, Li0n Worm, Lockit / LJK2, MRK, RootKit for SunOS / NSDAP, Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm Toolkit, Scalper Worm, Shutdown, SHV4, Sin Rootkit, Slapper, Sneakin Rootkit, Suckit Rootkit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn Rootkit, Trojanit Kit, VcKit, Volc Rootkit, X-Org SunOS Rootkit, and zaRwT.KiT Rootkit.

After finishing its check for rootkits, rkhunter continued checking my system for malware, promiscuous Ethernet adapters, hidden files, and configuration errors. For example, it found the Debian default for SSH ("RootLoginPermitted = Y") to be a security risk worth mentioning, and left a tip in the logfile recommending a normal user signon and the use of su when root permissions are needed.

Running rkhunter with just the two arguments I used leaves it in interactive mode, which requires you to hit Enter between sections of the run. I've got it set up now as a cron job, so that's no longer necessary. You can also run it manually with the --skip-keypress argument to avoid its interactive nature. Not counting the first time I ran it, when it had some extra housekeeping to do, it now takes only 7 seconds or so to run.

Future enhancements

Author Boelen explained his roadmap for the future of rkhunter. He said it includes:

- integrating the optional string scanner into the base checker
- adding more undetected rootkits
- improving the currently used whitelist of system binaries (MD5 hashes)
- adding a blacklist of "bad" binaries (backdoors, bad CGI scripts, misused IRC tools, and so forth)
- adding an application version check to check for "bad" versions with possible vulnerabilities
- improving the installer and making the application somewhat more dynamic through the use of file paths
- setting up mirrors for the databases mentioned above and for the application and its Web site
- creating a server-client relation between the checker and a RootkitHunter management server

Boelen has been working on the project for only about 9 months. The final 1.0.0 release was downloaded almost 2,000 times in the first few days of availability, and that was prior to it being announced on mailing lists and on Freshmeat.

Boelen says he gets a pretty fair amount of feedback and suggestions for his efforts, but what he really needs are "new undetected rootkits, especially ones found on different honeypots." The more his users contribute to the project, the better it's going to get.

Note: This review is based on version 1.0.3. A new version (1.0.5) was released April 5, 2004.



Comments on: Is there a rootkit hunter in your arsenal?


RPM available

Posted by: Joe Klemmer on April 08, 2004 12:23 AM
I have been keeping an rpm of rkhunter available for ftp (along with some other things I use that don't normally have rpm versions). It's a noarch.rpm file so it should install on any system.


Re:RPM available

Posted by: Anonymous Coward on April 08, 2004 01:36 AM
I also noticed that you fail to provide source rpms for any of the packages you provide.

How do I know your rootkit detector rpm is not a root kit itself? ]:>


Re:RPM available

Posted by: Joe Klemmer on April 08, 2004 03:27 AM
The rpms in that dir are normally built from the tarball source using the CheckInstall utility. There is absolutely no guarantee that these rpms are even real rpms. They could be porn (I wish!). I have these files up there for the purpose of making them available to me whether I'm home or at work or wandering the world. I used to only have them accessible to myself through scp but some people asked me to make them available. So I did.


Rootkit hunter and FreeBSD

Posted by: Anonymous Coward on April 08, 2004 06:56 AM
Very nice to read about this. A few weeks ago I tried rkhunter on a FreeBSD 4.9 system and although it ran fine, it did say "Unsupported system" and it was unable to do any md5sum checks. Is only FreeBSD 5.x supported? Thanks for sharing this application with us Michael. And keep up the good work!



Posted by: vainjane on April 08, 2004 07:57 AM
I didn't know there were so many rootkits for Linux until I read this article. Glad I read it! rkhunter is a nice program.


Re:Great ! I'm off to

Posted by: Anonymous Coward on April 08, 2004 04:04 PM
... adapt my rootkit to this hunter thing. I think I can hide it from this hunter by early this afternoon at first sight.

Maybe if I should look into polymorphic code generation also.

Btw having a rootkit running on your servers is a good thing in case you really do get rooted.

greetings ;-p


Re:Great ! I'm off to

Posted by: vainjane on April 09, 2004 02:49 AM
>Maybe if I should look into polymorphic code generation also.

True, there is only so much you can do with signature detection. At least it guards against the lazy crackers!

>Btw having a rootkit running on your servers is a good thing in case you really do get rooted.

What do you mean?


Not a Silver Bullet

Posted by: Anonymous Coward on April 09, 2004 07:59 PM
Rootkit detectors are certainly useful, but no matter what you have they cannot replace good sense.

If you're connected to the internet, a firewall is a given. If your server is not listening on anything, then you are at a very low risk. If you are listening, see if you can use your firewall to lock down your ports to a particular IP address or range and drop everything else. If you have a web server open, then look at partitioning this potential risk off and research chroot jails. Patching sometimes becomes important, because you are relying on that bit of software.

Research intrusion detection, and use rootkit detectors, but beware - they are not foolproof and can give false alarms or not raise the alarm when something is there. Browse your tmp, var and other filesystems every so often and look at the processes your server is running. Is there anything unusual there?

Software like rootkit finders and intrusion detectors are not a solution to anything.

