
Hunting Rootkits

Rootkits are in season all year long, and hackers love to deploy them on the computers of unsuspecting users. The problem with rootkits begins with their very purpose, which is evading detection. A rootkit can be used to allow covert, unauthorized access to your systems at a low level that is extremely difficult to detect. Once a hacker rootkits your system, all kinds of nasty evasion tactics can be put in place that make them almost invisible to the system owner. Commands can be modified to hide running processes while still providing the expected functionality to the system administrator. Combine this with various other techniques and the hacker becomes extremely difficult to notice. Without being noticed they can command your server at will, and catching some of these breaches requires the skills of a computer forensics expert. There are a few tools that attempt to help system administrators hunt down rootkits and become aware of their existence.

There are various tools available to help system administrators hunt down rootkits on their systems. Binary analysis of the /proc filesystem, behavioral analysis of loadable kernel modules, and analysis of compiler and system linker hooking anomalies are a few of the methods a computer forensics expert might use to hunt down rootkits. Luckily for the average system administrator, you won't need to know how to verify system call sequences or validate the integrity of programs loaded into memory. There is a free tool that accomplishes rootkit detection with minimal effort: Rootkit Hunter (rkhunter), which can be downloaded from the project page on SourceForge. Rootkit Hunter is very easy to download and use, and it provides system admins with a scripted forensic analysis of their systems. The program is distributed as source code in the form of a gzipped tarball. The following commands show how to download, install, update, run, and remove rkhunter on a Linux system. First, grab the source code.

mr-oss@rkhunter > pwd
/usr/local/src
mr-oss@rkhunter > wget http://superb-east.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz
--13:54:59--  http://superb-east.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz
           => `rkhunter-1.3.4.tar.gz'
Resolving superb-east.dl.sourceforge.net... 209.160.66.130
Connecting to superb-east.dl.sourceforge.net|209.160.66.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 275,653 (269K) [application/x-gzip]

100%[======================================>] 275,653       47.36K/s    ETA 00:00

13:55:07 (47.23 KB/s) - `rkhunter-1.3.4.tar.gz' saved [275653/275653]
Now unpack the files and change into the newly created rkhunter directory.

mr-oss@rkhunter > tar -xvzf rkhunter-1.3.4.tar.gz
rkhunter-1.3.4/
rkhunter-1.3.4/files/
rkhunter-1.3.4/files/WISHLIST
rkhunter-1.3.4/files/programs_bad.dat
rkhunter-1.3.4/files/rkhunter
rkhunter-1.3.4/files/defaulthashes.dat
rkhunter-1.3.4/files/i18n/
rkhunter-1.3.4/files/i18n/cn
rkhunter-1.3.4/files/i18n/zh.utf8
rkhunter-1.3.4/files/i18n/zh
rkhunter-1.3.4/files/i18n/en
rkhunter-1.3.4/files/tools/
rkhunter-1.3.4/files/tools/README
rkhunter-1.3.4/files/tools/update_client.sh
rkhunter-1.3.4/files/tools/update_server.sh
rkhunter-1.3.4/files/README
rkhunter-1.3.4/files/filehashmd5.pl
rkhunter-1.3.4/files/programs_good.dat
rkhunter-1.3.4/files/contrib/
rkhunter-1.3.4/files/contrib/run_rkhunter.sh
rkhunter-1.3.4/files/contrib/README.txt
rkhunter-1.3.4/files/contrib/rkhunter_remote_howto.txt
rkhunter-1.3.4/files/testing/
rkhunter-1.3.4/files/testing/stringscanner.sh
rkhunter-1.3.4/files/testing/rootkitinfo.txt
rkhunter-1.3.4/files/testing/rkhunter.conf
rkhunter-1.3.4/files/filehashsha1.pl
rkhunter-1.3.4/files/mirrors.dat
rkhunter-1.3.4/files/backdoorports.dat
rkhunter-1.3.4/files/check_modules.pl
rkhunter-1.3.4/files/md5blacklist.dat
rkhunter-1.3.4/files/rkhunter.conf
rkhunter-1.3.4/files/check_port.pl
rkhunter-1.3.4/files/CHANGELOG
rkhunter-1.3.4/files/os.dat
rkhunter-1.3.4/files/check_update.sh
rkhunter-1.3.4/files/FAQ
rkhunter-1.3.4/files/ACKNOWLEDGMENTS
rkhunter-1.3.4/files/stat.pl
rkhunter-1.3.4/files/LICENSE
rkhunter-1.3.4/files/readlink.sh
rkhunter-1.3.4/files/development/
rkhunter-1.3.4/files/development/createfilehashes.pl
rkhunter-1.3.4/files/development/osinformation.sh
rkhunter-1.3.4/files/development/search_dead_sysmlinks.sh
rkhunter-1.3.4/files/development/i18nchk
rkhunter-1.3.4/files/development/createhashes.sh
rkhunter-1.3.4/files/development/rpmprelinkhashes.sh
rkhunter-1.3.4/files/development/createhashesall.sh
rkhunter-1.3.4/files/development/rpmhashes.sh
rkhunter-1.3.4/files/suspscan.dat
rkhunter-1.3.4/files/rkhunter.8
rkhunter-1.3.4/files/showfiles.pl
rkhunter-1.3.4/files/rkhunter.spec
rkhunter-1.3.4/installer.sh
mr-oss@rkhunter > cd rkhunter-1.3.4
Now look at what's inside the new rkhunter directory.

mr-oss@rkhunter > ls
files/  installer.sh*

As you can see, there are only two entries under the rkhunter directory: a files subdirectory and the installer.sh installation script. Unlike most source installations, rkhunter does not use ./configure, make, make install. Instead, the program is installed with the installer.sh script. The installer script can be a little cumbersome the first time you are exposed to it: it expects certain command line arguments to be passed in a certain order for everything to function correctly. Calling installer.sh with no arguments displays the help and lists the options available to you.

mr-oss@rkhunter > ./installer.sh
Rootkit Hunter installer 1.2.8
Usage: ./installer.sh <parameters>

Ordered valid parameters:
--help (-h)       : Show this help.
--examples        : Show layout examples.
--layout <value>  : Choose installation template (mandatory switch).
                    The templates are:
                    - default: (FHS compliant),
                    - /usr,
                    - /usr/local,
                    - oldschool: previous version file locations,
                    - custom: supply your own prefix,
                    - RPM: for building RPM's. Requires $RPM_BUILD_ROOT.
                    - DEB: for building DEB's. Requires $DEB_BUILD_ROOT.
--striproot       : Strip path from custom layout (for package maintainers).
--install         : Install according to chosen layout.
--show            : Show chosen layout.
--remove          : Uninstall according to chosen layout.
--version         : Show the installer version.
The options you will find required or useful are --layout followed by an action such as --install, --show, or --remove. The --layout option must be passed first, followed by the action you want to perform. The layout value is essentially the installation prefix for rkhunter. If you want to install rkhunter into /usr/local/bin, specify --layout /usr/local; if you want it in /usr/bin, use --layout /usr. The layout will need to be remembered for future uses of the installer, such as upgrading. When upgrading I typically remove the old version first, and to remove the old version you have to specify the layout that was used when it was installed. Here are the commands and output for installing rkhunter under /usr/local/bin.

mr-oss@rkhunter > ./installer.sh --layout /usr/local --install

Checking system for:
 Rootkit Hunter installer files: found. OK
 Available file retrieval tools:
    wget: found. OK

Starting installation/update

Checking PREFIX /usr/local: exists, and is writable. OK
Checking installation directories:
 Directory /usr/local/share/doc/rkhunter-1.3.4: creating: OK.
 Directory /usr/local/share/man/man8: exists, and is writable. OK
 Directory /usr/local/etc: exists, and is writable. OK
 Directory /usr/local/bin: exists, and is writable. OK
 Directory /usr/local/lib: exists, and is writable. OK
 Directory /var/lib: exists, and is writable. OK
 Directory /usr/local/lib/rkhunter/scripts: creating: OK.
 Directory /var/lib/rkhunter/db: creating: OK.
 Directory /var/lib/rkhunter/tmp: creating: OK.
 Directory /var/lib/rkhunter/db/i18n: creating: OK.
Installing check_modules.pl: OK.
Installing check_update.sh: OK.
Installing check_port.pl: OK.
Installing filehashmd5.pl: OK.
Installing filehashsha1.pl: OK.
Installing showfiles.pl: OK.
Installing stat.pl: OK.
Installing readlink.sh: OK.
Installing backdoorports.dat: OK.
Installing mirrors.dat: OK.
Installing os.dat: OK.
Installing programs_bad.dat: OK.
Installing programs_good.dat: OK.
Installing defaulthashes.dat: OK.
Installing md5blacklist.dat: OK.
Installing suspscan.dat: OK.
Installing rkhunter.8: OK.
Installing ACKNOWLEDGMENTS: OK.
Installing CHANGELOG: OK.
Installing FAQ: OK.
Installing LICENSE: OK.
Installing README: OK.
Installing WISHLIST: OK.
Installing language support files: OK.
Installing rkhunter: OK.
Installing rkhunter.conf: OK.
Installation finished.
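Because installer.sh needs the same --layout for --remove as was used for --install, it helps to record the layout at install time and replay it later. The script below is an added example written for this post; it is not code from the post or from the rkhunter project. It assumes installer.sh behaves as shown above (`./installer.sh --layout <value> --install|--remove`), and the state-file path /etc/rkhunter.layout is an assumption you can override with the RKH_STATE variable.

```shell
#!/bin/sh
# rkhunter-layout.sh: added example, not from the post or the rkhunter project.
# Records the --layout passed to installer.sh so that a later --remove or an
# upgrade reuses the same prefix. RKH_STATE is an assumed location.

RKH_STATE="${RKH_STATE:-/etc/rkhunter.layout}"

# Map the directory the rkhunter binary lives in back to the layout value:
# /usr/local/bin -> /usr/local, /usr/bin -> /usr (the prefix layouts used in the
# post; the "default", "oldschool" and "custom" templates are not covered).
layout_from_bindir() {
    case "$1" in
        */bin) printf '%s\n' "${1%/bin}" ;;
        *)     return 1 ;;
    esac
}

record_layout() { printf '%s\n' "$1" > "$RKH_STATE"; }

# Print the recorded layout; if nothing was recorded, derive it from the
# location of the installed binary (what the post checks with `which rkhunter`).
read_layout() {
    if [ -r "$RKH_STATE" ]; then
        cat "$RKH_STATE"
    else
        bin=$(command -v rkhunter) || return 1
        layout_from_bindir "$(dirname "$bin")"
    fi
}

# Run installer.sh from an unpacked source tree, layout first, then the action,
# in the order the installer requires.
run_installer() {  # srcdir layout action
    ( cd "$1" && ./installer.sh --layout "$2" "$3" )
}

install_rkhunter() {  # srcdir layout
    run_installer "$1" "$2" --install && record_layout "$2"
}

# Remove with the layout that was recorded at install time.
remove_rkhunter() {  # old_srcdir
    layout=$(read_layout) || { echo "no recorded layout; pass --layout by hand" >&2; return 1; }
    run_installer "$1" "$layout" --remove
}

# Upgrade the way the post describes: remove the old version first (with the old
# layout), then install the new tarball's tree and record its layout.
upgrade_rkhunter() {  # old_srcdir new_srcdir layout
    remove_rkhunter "$1" && install_rkhunter "$2" "$3"
}
```

Source the file as root and call, for example, `install_rkhunter /usr/local/src/rkhunter-1.3.4 /usr/local`; a later `upgrade_rkhunter /usr/local/src/rkhunter-1.3.4 /usr/local/src/rkhunter-NEW /usr/local` (NEW being a placeholder for whatever version you unpack) performs the remove-then-install sequence without you having to remember the prefix.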
All finished! The main program binary is called rkhunter and it has been installed to /usr/local/bin. Just for good measure, let's validate that statement.

mr-oss@rkhunter > which rkhunter
/usr/local/bin/rkhunter

Great! The program is there and ready for use. The first thing I would suggest you do is update the various data files and signatures for rkhunter. This is handled by the rkhunter program itself with the command rkhunter --update, and your system will need Internet access to fetch the updates.

mr-oss@rkhunter > rkhunter --update
You must be the root user to run this program.

Did I mention that you will need to run rkhunter as the root user? If not, then please be aware that you need root level access to run this application. I would also recommend running the installer script as root, or you will most likely encounter write permission errors when installing rkhunter into the typical system bin directories. Now that the root disclaimer is out of the way, let's update this thing.

root@rkhunter > rkhunter --update
[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
The program only needed one update this time. Typically you will want to run rkhunter --update before scanning your system, so the scan can use any newly developed signatures and indicators of rootkits. Now that rkhunter is installed and up to date, let's actually scan our host.

root@rkhunter > rkhunter --check
[ Rootkit Hunter version 1.3.4 ]

Checking system commands...

  Performing 'strings' command checks
*** OUTPUT TRUNCATED ***

Invoking rkhunter --check sets off an elaborate series of system tests and echoes the results to the screen. You will see various OK and Warning messages, and you will need to hit the Enter key every so often for the tests to continue: the --check flag requires end user interaction for the run to complete. I would suggest using --check for your first scan. Take a look at all the different things that are being analyzed for you. Pretty cool... computer forensics is easy, right? Here is what you will see at the end of your scan.

The system checks took: 4 minutes and 48 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
I would suggest taking a look at the log file created by rkhunter, which can be found at /var/log/rkhunter.log. The log shows in greater detail exactly what rkhunter was looking for and what it happened to find. The --check flag is nice, but it gets annoying hitting the Enter key over and over, and the fact that rkhunter waits for a keypress before continuing basically rules out running this process automatically from cron. An automatic rkhunter scan from a cron job would be extremely handy, so we need to look at the other scanning flags available besides --check. Simply call rkhunter without any arguments and the command help will be displayed.

root@rkhunter > rkhunter
Usage: rkhunter {--check | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits},...] |
                 --version | --help} [options]

Current options are:
        --append-log                  Append to the logfile, do not overwrite
        --bindir <directory>...       Use the specified command directories
    -c, --check                       Check the local system
        --cs2, --color-set2           Use the second color set for output
        --configfile <file>           Use the specified configuration file
        --cronjob                     Run as a cron job
                                      (implies -c, --sk and --nocolors options)
        --dbdir <directory>           Use the specified database directory
        --debug                       Debug mode
                                      (Do not use unless asked to do so)
        --disable <test>[,<test>...]  Disable specific tests
                                      (Default is to disable no tests)
        --display-logfile             Display the logfile at the end
        --enable <test>[,<test>...]   Enable specific tests
                                      (Default is to enable all tests)
        --hash {MD5 | SHA1 | NONE |   Use the specified file hash function
                <command>}            (Default is SHA1)
    -h, --help                        Display this help menu, then exit
        --lang, --language <language> Specify the language to use
                                      (Default is English)
        --list [tests | languages |   List the available test names, languages,
                rootkits]             or checked for rootkits, then exit
    -l, --logfile [file]              Write to a logfile
                                      (Default is /var/log/rkhunter.log)
        --noappend-log                Do not append to the logfile, overwrite it
        --nocolors                    Use black and white output
        --nolog                       Do not write to a logfile
        --nomow, --no-mail-on-warning Do not send a message if warnings occur
        --ns, --nosummary             Do not show the summary of check results
        --novl, --no-verbose-logging  No verbose logging
        --pkgmgr {RPM | DPKG | BSD |  Use the specified package manager to obtain or
                  NONE}               verify file hash values. (Default is NONE)
        --propupd [file | directory | Update the entire file properties database,
                   package]...        or just for the specified entries
    -q, --quiet                       Quiet mode (no output at all)
        --rwo, --report-warnings-only Show only warning messages
    -r, --rootdir <directory>         Use the specified root directory
        --sk, --skip-keypress         Don't wait for a keypress after each test
        --summary                     Show the summary of system check results
                                      (This is the default)
        --syslog [facility.priority]  Log the check start and finish times to syslog
                                      (Default level is authpriv.notice)
        --tmpdir <directory>          Use the specified temporary directory
        --update                      Check for updates to database files
        --vl, --verbose-logging       Use verbose logging (on by default)
    -V, --version                     Display the version number, then exit
        --versioncheck                Check for latest version of program
    -x, --autox                       Automatically detect if X is in use
    -X, --no-autox                    Do not automatically detect if X is in use
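The options that matter for an unattended run are all in the help above: --cronjob (which implies -c, --sk and --nocolors, so nothing waits for a keypress), --rwo to print only warnings, and --logfile to say where the log goes. The wrapper below is an added example written for this post, not code from the post or from the rkhunter project. It runs the update and the scan, then pulls the warning lines out of the log so cron can mail them. The binary and log paths are assumptions matching the /usr/local layout used in the post, and the sample log it ships with is constructed to resemble rkhunter's "[HH:MM:SS] Warning: ..." lines, not captured output.

```shell
#!/bin/sh
# rkhunter-cron.sh: added example for this post, not code from the post or the
# rkhunter project. Runs an unattended scan with --cronjob and --rwo, then
# extracts the warning lines from the log for review or mail.
# RKH_BIN and RKH_LOG defaults are assumptions; adjust them to your --layout.

RKH_BIN="${RKH_BIN:-/usr/local/bin/rkhunter}"
RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Print the "Warning:" lines from an rkhunter log file. A clean log yields no
# lines; the trailing "|| true" keeps grep's exit status from failing callers.
extract_warnings() {
    grep 'Warning:' "$1" 2>/dev/null || true
}

# Number of warning lines in a log file (0 for a clean scan).
warning_count() {
    extract_warnings "$1" | wc -l | tr -d ' '
}

# Succeeds (exit 0) when the log holds no warnings, fails otherwise, so a cron
# wrapper can decide whether there is anything worth reporting.
log_is_clean() {
    [ "$(warning_count "$1")" -eq 0 ]
}

# Write a constructed sample log (not real rkhunter output) so the parsing
# functions can be exercised without running a scan. The two Warning lines are
# shaped like rkhunter's own messages but are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
[03:00:01] Info: Start date is Mon Jan  1 03:00:01 2024
[03:00:02] Info: Checking system commands...
[03:00:45] Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script text executable
[03:01:10] Info: Checking for hidden files and directories...
[03:01:11] Warning: Hidden directory found: /tmp/.example-hidden
[03:02:00] Info: End date is Mon Jan  1 03:02:00 2024
EOF
}

# Unattended run: refresh the data files first (as the post recommends), scan
# with no keypress prompts or colours, let the log be overwritten so it reflects
# only this run, then print the warnings. Returns 1 when warnings exist so cron
# or a mail wrapper can tell a clean run from a noisy one.
main() {
    "$RKH_BIN" --update >/dev/null 2>&1 || echo "rkhunter --update failed (no network?)" >&2
    "$RKH_BIN" --cronjob --rwo --logfile "$RKH_LOG" >/dev/null 2>&1 || true
    if log_is_clean "$RKH_LOG"; then
        echo "rkhunter: no warnings on $(hostname)"
        return 0
    fi
    echo "rkhunter: $(warning_count "$RKH_LOG") warning(s) on $(hostname):"
    extract_warnings "$RKH_LOG"
    return 1
}

# Run the real scan only when rkhunter is installed and we are root, as the
# post notes rkhunter requires.
if [ -x "$RKH_BIN" ] && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

A crontab entry such as `0 3 * * * /usr/local/sbin/rkhunter-cron.sh 2>&1 | mail -s "rkhunter $(hostname)" root` (script path and the use of `mail` are assumptions) delivers the warning lines each night; because the log is overwritten on every run, what arrives is the result of that night's scan rather than an accumulating history.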
As you can see, rkhunter has an extensive list of command line options that make it extremely flexible. Using the various flags you can tailor rkhunter's behavior to fit your needs exactly; the possibilities are almost endless. So if we want to run rkhunter from cron we could use the -c --cronjob flags, or perhaps the -c --sk combination. It's up to you where to go from here. If for some reason you decide you're better off without rkhunter, or you have just grabbed the latest version and want to upgrade, the current installation should be removed. To uninstall rkhunter from your system you need to know the --layout path that was used when it was installed. Since I used /usr/local I will once again use --layout /usr/local, only this time the action will be --remove instead of --install. To remove rkhunter we will need the installer.sh script again. On this system I unpacked rkhunter's tarball under /usr/local/src, so to uninstall I need to cd to /usr/local/src/rkhunter-x.x.x.

root@rkhunter > cd /usr/local/src/rkhunter-1.3.4
root@rkhunter > ./installer.sh --layout /usr/local --remove

Starting uninstallation

Checking PREFIX /usr/local: exists, and is writable. OK
Removing installation files:
 Removing rkhunter.8: OK.
 Removing /usr/local/bin/rkhunter: OK.
 Removing /usr/local/etc/rkhunter.conf: OK.

 Please remove any /usr/local/etc/rkhunter.conf.* files manually.

Removing installation directories:
 Removing /usr/local/lib/rkhunter: OK.
 Removing /usr/local/share/doc/rkhunter-1.3.4: OK.
 Removing /var/lib/rkhunter: OK.

Done removing files. Please double-check.

root@rkhunter > which rkhunter
which: no rkhunter in ......

There you have it: hunting rootkits with the help of rkhunter, a very helpful tool for any UNIX/Linux admin. If you found this helpful please click our ads. Thanks for visiting, and watch for future advanced rkhunter techniques. - MrOss