Step-By-Step Tutorial: Use rootkit malware scanner (rkhunter) to detect malware

What are rootkit malware? How to perform rootkit malware scanner. How to detect rootkit malware in RHEL or CentOS Linux. What is rkhunter? How to perform rootkit malware scanner in centos using rkhunter. How to detect malware in CentOS.

Step-By-Step Tutorial: Use rootkit malware scanner (rkhunter) to detect malware

In this article I will give you a steps by step guide to detect malware by using rootkit malware scanner in Linux.
This article was written while using CentOS 7, so it is safe to say that it also fully covers RHEL 7, Fedora, Oracle Enterprise Linux and generally the whole Red Hat family of operating systems and possibly Novell’s SLES and OpenSUSE.

 

What is Rootkit? Why I should be worried?

Rootkits are nasty pieces of malware. They can listen for commands from their masters, steal sensitive data, and send it to their masters or provide an easy access backdoor for their masters. They're designed to be stealthy with the ability to hide themselves from plain view.

Sometimes they'll replace utilities such as ls or ps with their own Trojan versions that will show all files or processes on the system except for the ones that are associated with the rootkit. Rootkits can infect any operating system even our beloved Linux.

In order to plant a rootkit an attacker has to have already gained administrative privileges on a system. It can affect any operating system

Rootkits can be divided into two basic types.

  • Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, or ps with Trojaned versions. These Trojaned versions have been written to hide certain processes or information from the administrator.
  • The second type of rootkit is the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension.

Both types can be a real problem. If you suspect that a computer has been infected with a rootkit, you will need to run a rootkit checker on the system to perform rootkit malware scanner and ensure that the filesystem has not been compromised.

 

Install rkhunter (rootkit malware scanner)

rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.

rkhunter is available as part of EPEL repository. On RHEL/CentOS 7 you can install EPEL repo using the below command

[root@rhel-7 ~]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.tmX9As: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-11                ################################# [100%]

Next install the rkhunter rpm

[root@rhel-7 ~]# yum -y install rkhunter

 

Update Rootkit Signatures

Before we start it is a good idea to update the rootkit signatures to detect the latest identified malware from your Linux host.

[root@rhel-7 ~]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Updated ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]
  Checking file i18n/ja                                      [ Updated ]

 

Different Types of Rootkits

Rootkit Hunter can search for many different types of rootkits. Here is a partial list:

5808 Trojan—Variant A
Ambient (ark) Rootkit
Apache Worm
Balaur Rootkit
Beastkit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Devil Rootkit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit/LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (Rootkit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe’s Rootkit
RSHA’s Rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal Rootkit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit

 

Rootkit Malware Scanner with Rkhunter

Now since our signatures are up to date the next task would be to scan all the rootkit malware and affected files so we will perform rootkit malware scanner using rkhunter:

[root@rhel-7 ~]# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]

	{output trimmed}
	
    /usr/bin/mailx                                           [ OK ]
    /usr/lib/systemd/systemd                                 [ OK ]
	
  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Not set ]
    Checking if SSH protocol v1 is allowed                   [ Not set ]
    Checking for other suspicious configuration settings     [ None found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]

[Press  to continue]



System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 123
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 485
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 118 minutes and 33 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

 

Analyse the Rootkit logs

Next now we can check the log file to understand the cause of all the Warnings.

[root@rhel-7 ~]# grep -i warning /var/log/rkhunter/rkhunter.log
[11:33:04] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
[11:33:44] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[11:34:25] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
[11:35:05] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
[11:35:45] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[11:35:47] Info: Command line is /usr/bin/rkhunter --cronjob --nocolors --report-warnings-only
[11:35:47] Info: No mail-on-warning address configured
[11:35:51] Warning: Checking for prerequisites               [ Warning ]
[11:35:51] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[11:35:51]   /usr/sbin/ifdown                                [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[11:35:51]   /usr/sbin/ifup                                  [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[11:35:53]   /usr/bin/egrep                                  [ Warning ]
[11:35:53] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[11:35:53]   /usr/bin/fgrep                                  [ Warning ]
[11:35:53] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: Checking for prerequisites               [ Warning ]
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Next you can go ahead and decide if this was a false alarm or if anything requires a fix or immediate attention.

 

Lastly I hope the steps from the article to use rootkit malware scanner on Linux (CentOS/RHEL 7) was helpful. So, let me know your suggestions and feedback using the comment section.

 

Leave a Comment

Please use shortcodes <pre class=comments>your code</pre> for syntax highlighting when adding code.