What is rootkit malware, what is rkhunter, and how do you run a rootkit malware scan with rkhunter to detect rootkit malware on RHEL or CentOS Linux?
In this article I will give you a step-by-step guide to detecting malware with a rootkit malware scanner on Linux.
This article was written while using CentOS 7, so it is safe to say that it also fully covers RHEL 7, Fedora, Oracle Enterprise Linux and generally the whole Red Hat family of operating systems and possibly Novell’s SLES and OpenSUSE.
What is a rootkit? Why should I be worried?
Rootkits are nasty pieces of malware. They can listen for commands from their masters, steal sensitive data, and send it to their masters or provide an easy access backdoor for their masters. They're designed to be stealthy with the ability to hide themselves from plain view.
Sometimes they'll replace utilities such as ls or ps with their own Trojan versions that show all files or processes on the system except for the ones associated with the rootkit. Rootkits can infect any operating system, even our beloved Linux.
In order to plant a rootkit, an attacker has to have already gained administrative privileges on the system.
Rootkits can be divided into two basic types.
- Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, or ps with Trojaned versions. These Trojaned versions have been written to hide certain processes or information from the administrator.
- The second type of rootkit is the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension.
Both types can be a real problem. If you suspect that a computer has been infected with a rootkit, you will need to run a rootkit checker on the system to scan for rootkit malware and make sure that the filesystem has not been compromised.
Install rkhunter (rootkit malware scanner)
rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.
rkhunter is available from the EPEL repository. On RHEL/CentOS 7 you can install the EPEL repo using the command below:
[root@rhel-7 ~]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.tmX9As: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-11                ################################# [100%]
Next, install the rkhunter rpm:
[root@rhel-7 ~]# yum -y install rkhunter
Update Rootkit Signatures
Before we start, it is a good idea to update the rootkit signatures so that the scan can detect the latest identified malware on your Linux host.
[root@rhel-7 ~]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Updated ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]
  Checking file i18n/ja                                      [ Updated ]
Different Types of Rootkits
Rootkit Hunter can search for many different types of rootkits. Here is a partial list:
5808 Trojan (Variant A), Ambient (ark) Rootkit, Apache Worm, Balaur Rootkit, Beastkit, beX2, BOBKit, CiNIK Worm (Slapper.B variant), Devil Rootkit, Dica, Dreams Rootkit, Duarawkz Rootkit, Flea Linux Rootkit, FreeBSD Rootkit, GasKit, Heroin LKM, HjC Rootkit, ignoKit, ImperalsS-FBRK, Irix Rootkit, Kitko, Knark, Li0n Worm, Lockit/LJK2, mod_rootme (Apache backdoor), MRK, Ni0 Rootkit, NSDAP (Rootkit for SunOS), Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm Toolkit, RH-Sharpe's Rootkit, RSHA's Rootkit, Scalper Worm, Shutdown, SHV4 Rootkit, SHV5 Rootkit, Sin Rootkit, Slapper, Sneakin Rootkit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn Rootkit, Trojanit Kit, URK (Universal Rootkit), VcKit, Volc Rootkit, X-Org SunOS Rootkit, zaRwT.KiT Rootkit
Rootkit Malware Scanner with Rkhunter
Now that our signatures are up to date, the next task is to scan the system for rootkits and affected files, so we run the rootkit malware scanner with rkhunter:
[root@rhel-7 ~]# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]
    {output trimmed}
    /usr/bin/mailx                                           [ OK ]
    /usr/lib/systemd/systemd                                 [ OK ]

Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Not set ]
    Checking if SSH protocol v1 is allowed                   [ Not set ]
    Checking for other suspicious configuration settings     [ None found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

[Press to continue]

System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 123
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 485
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 118 minutes and 33 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
Analyse the Rootkit logs
Now we can check the log file to understand the cause of the warnings.
[root@rhel-7 ~]# grep -i warning /var/log/rkhunter/rkhunter.log
[11:33:04] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
[11:33:44] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[11:34:25] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
[11:35:05] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
[11:35:45] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[11:35:47] Info: Command line is /usr/bin/rkhunter --cronjob --nocolors --report-warnings-only
[11:35:47] Info: No mail-on-warning address configured
[11:35:51] Warning: Checking for prerequisites [ Warning ]
[11:35:51] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[11:35:51] /usr/sbin/ifdown [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[11:35:51] /usr/sbin/ifup [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[11:35:53] /usr/bin/egrep [ Warning ]
[11:35:53] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[11:35:53] /usr/bin/fgrep [ Warning ]
[11:35:53] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: Checking for prerequisites [ Warning ]
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Next, you can decide whether this was a false alarm or whether anything requires a fix or immediate attention.
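The scan above stops for a key press after every section, and the warnings it leaves in rkhunter.log still have to be triaged by hand. The bash script below is an added example, not code from this article or from the rkhunter project. It runs the scan non-interactively (rkhunter's --skip-keypress and --report-warnings-only options), classifies the Warning lines in the log, pulls out every command rkhunter reports as "replaced by a script", checks each one against the RPM database with rpm -V, and prints the SCRIPTWHITELIST lines for /etc/rkhunter.conf that tell rkhunter a verified script is expected. It assumes rkhunter 1.4.x from EPEL on CentOS/RHEL 7, the log path shown above, and an rpm-based system; the log excerpt embedded in it is constructed from the warnings quoted in this article. On a stock CentOS 7 install ifup and ifdown are shell scripts shipped by the initscripts package and egrep and fgrep are shell scripts shipped by the grep package, so a clean rpm -V on those packages is what turns this particular warning into a confirmed false alarm rather than a sign of tampering.

```shell
#!/usr/bin/env bash
# Added example, not part of the article or of rkhunter itself: run rkhunter
# non-interactively and triage the warnings it writes to its log. Assumes
# rkhunter 1.4.x from EPEL on CentOS/RHEL 7, the log path the article shows,
# and an rpm-based system for the package verification step.
set -u

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter/rkhunter.log}"

# Constructed excerpt of an rkhunter.log, modelled on the warnings quoted in the
# article; used whenever no real log is readable, so the script runs anywhere.
SAMPLE_LOG=$(cat <<'EOF'
[11:33:04] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
[11:33:44] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[11:35:51] Warning: Checking for prerequisites [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[11:35:51] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[11:35:53] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[11:35:53] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
EOF
)

# Scan without the "press ENTER" pauses, reporting warnings only. rkhunter
# exits 0 when nothing was found and 1 when it logged warnings.
run_scan() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 2; }
    rkhunter --check --skip-keypress --report-warnings-only --nocolors
}

# Paths rkhunter flagged as "replaced by a script", sorted and deduplicated.
# Reads log text from stdin.
replaced_by_script_paths() {
    sed -n "s/.*The command '\([^']*\)' has been replaced by a script.*/\1/p" | LC_ALL=C sort -u
}

# Count Warning lines of one class read from stdin: download (signature
# update failed), script (command replaced by a script) or other.
count_warnings() {
    case "$1" in
        download) grep -c 'Warning: Download of .* failed' || true ;;
        script)   grep -c 'has been replaced by a script' || true ;;
        other)    grep 'Warning:' | grep -v 'Download of .* failed' \
                      | grep -vc 'has been replaced by a script' || true ;;
        *)        echo "unknown warning class: $1" >&2; return 1 ;;
    esac
}

# Check a flagged script against the RPM database. rpm -V prints nothing for a
# file that still matches its package; a line such as "S.5....T.  /path" means
# size, digest or mtime changed and the file needs a closer look.
verify_with_rpm() {
    local path="$1" pkg
    command -v rpm >/dev/null 2>&1 || { echo "$path: rpm unavailable, verify by other means"; return 3; }
    pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "$path: not owned by any package"; return 1; }
    if rpm -V "$pkg" | grep -q " $path\$"; then
        echo "$path: differs from package $pkg"; return 1
    fi
    echo "$path: matches package $pkg"
}

# Lines for /etc/rkhunter.conf that declare verified scripts as expected.
whitelist_lines() { sed 's|^|SCRIPTWHITELIST=|'; }

triage() {
    local log
    if [ -r "$RKHUNTER_LOG" ]; then
        log=$(cat "$RKHUNTER_LOG"); echo "Triage of $RKHUNTER_LOG"
    else
        log="$SAMPLE_LOG"; echo "Triage of the constructed sample (no readable $RKHUNTER_LOG)"
    fi
    for class in download script other; do
        echo "$class warnings: $(printf '%s\n' "$log" | count_warnings "$class")"
    done
    printf '%s\n' "$log" | replaced_by_script_paths | while read -r path; do
        verify_with_rpm "$path" || true
    done
    echo "Add to /etc/rkhunter.conf once the paths above are verified:"
    printf '%s\n' "$log" | replaced_by_script_paths | whitelist_lines
}

if [ "${1:-}" = scan ]; then run_scan; else triage; fi
```

Run it as root with the argument scan to perform the scan, then without arguments to triage the log; on a machine without the log it triages the embedded sample instead. rkhunter's --cronjob option (which the article's log shows in use) already implies --check, --skip-keypress and --nocolors, and the exit status of 1 on warnings is what a cron wrapper should alert on. rpm -V compares the file with what the RPM database recorded at install time, so it is only as trustworthy as that database; the file-properties baseline that rkhunter stores with --propupd, refreshed after every legitimate package update on a known-clean system, is the complementary check, and a digest comparison against a freshly downloaded copy of the package is the stronger one when a file really is in doubt.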
Lastly, I hope the steps in this article for using a rootkit malware scanner on Linux (CentOS/RHEL 7) were helpful. Let me know your suggestions and feedback in the comment section.
Am I the only one who sees that “RKHUNTER” has been abandoned since 2014? There are no new signatures/definitions or updates 😀
Also, when I execute rkhunter --update I get the following output:
Invalid WEB_CMD configuration option: Relative pathname: “/bin/false”
Why doesn’t it specify the location of files it deems suspicious? With suspicious processes, no drama, it gives me a PID, and so I can automate a kill command via a crontab entry. But it tells me one file on my machine is suspicious, and doesn’t specify where it is or what it’s called in the log, even when I add the option of verbose.
How do you DELETE/REMOVE a virus infected file??
That depends on the type of the file: is it part of some software (an rpm), or just an individual file which can be easily deleted?
My log also reflects similar output as shown above, i.e. ifup, ifdown (the same 4 files) replaced by scripts. It will be really helpful if you could explain whether these are default detections for any CentOS system and how to understand if it’s a false alarm. Thanks in advance.
The log explains this warning: “The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable”