RKHUNTER
WHAT ARE ROOTKITS?
- Rootkits are a combination of several programs designed to take root access on a system.
QUESTION
- Most rootkits use the power of the kernel to hide themselves; they are only visible from within the kernel. Then how do I detect rootkits under a Debian Linux server?
ANSWER
- To find rootkits in your kernel, use rkhunter. This tool comes preinstalled in Backtrack 5 r3 and helps you find rootkits.
INTRODUCTION
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known-good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files and suspicious strings in kernel modules, and running special tests for Linux and FreeBSD.
This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.
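The hash and permission comparison described above, reduced to its core as an added example (this is not rkhunter's code and not part of the original post): build a baseline of file hashes and modes on a known-good system, then compare the live system against it later. It assumes GNU coreutils on Linux (sha256sum, stat -c); the function names build_baseline and compare_baseline and the tab-separated baseline format are this example's own choices.

```shell
#!/bin/sh
# Added example (not rkhunter's code): the file-integrity idea behind
# rkhunter's hash and permission checks, reduced to a baseline you build on a
# known-good system and compare against later. Assumes GNU coreutils (Linux).
set -u

# Record "<sha256>\t<octal mode>\t<path>" for every regular file under $1
# into $2. Recording the mode makes permission changes show up beside
# content changes (the "wrong file permissions" test in the post).
build_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")   # GNU stat; file names containing tabs are not supported
        printf '%s\t%s\t%s\n' "$hash" "$mode" "$f"
    done > "$out"
}

# Rebuild the baseline for $1 and compare it with the saved baseline $2.
# Prints one "MISSING|ADDED|CHANGED <path>" line per difference and returns
# 1 if there is any; silent with status 0 when everything matches.
# A kernel rootkit that lies about file contents to find/sha256sum defeats
# this check, as the question in the post notes: keep the baseline off the
# host and verify from trusted boot media when in doubt.
compare_baseline() {
    dir=$1; base=$2
    cur=$(mktemp)
    build_baseline "$dir" "$cur"
    diffs=$(awk -F '\t' -v basefile="$base" '
        FILENAME == basefile { want[$3] = $1 " " $2; next }   # saved baseline
        { have[$3] = $1 " " $2 }                              # current state
        END {
            for (p in want) if (!(p in have)) print "MISSING " p
            for (p in have) {
                if (!(p in want)) print "ADDED " p
                else if (have[p] != want[p]) print "CHANGED " p
            }
        }' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

Typical use: `build_baseline /usr/bin /root/usr-bin.baseline` right after installation, copy the baseline to read-only storage, and run `compare_baseline /usr/bin /root/usr-bin.baseline` from cron; a non-zero exit status is the signal to investigate. rkhunter does the same thing at larger scale, with its own database of known-good hashes instead of a locally built one.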
System requirements:
- Compatible operating system (see 'Supported operating systems')
- Bourne Again Shell (BASH)
Supported operating systems
Supported:
- Most Linux distributions
- Most *BSD distributions
Currently unsupported:
- NetBSD
Tested on:
- AIX 4.1.5 / 4.3.3
- ALT Linux
- Aurora Linux
- CentOS 3.1 / 4.0
- Conectiva Linux 6.0
- Debian 3.x
- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 / 4.10
- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3
- Fedora Core 1 / Core 2 / Core 3
- Gentoo 1.4, 2004.0, 2004.1
- Macintosh OS 10.3.4-10.3.8
- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 / 10.1
- OpenBSD 3.4 / 3.5
- Red Hat Linux 7.0-7.3 / 8 / 9
- Red Hat Enterprise Linux 2.1 / 3.0
- Slackware 9.0 / 9.1 / 10.0 / 10.1
- SME 6.0
- Solaris (SunOS)
- SuSE 7.3 / 8.0-8.2 / 9.0-9.2
- Ubuntu
- Yellow Dog Linux 3.0 / 3.01
Confirmed to work also on:
- CLFS
- DaNix (Debian clone)
- PCLinuxOS
- VectorLinux SOHO 3.2 / 4.0
- CPUBuilders Linux
- Virtuozzo (VPS)
HOW TO OPEN RKHUNTER
- To open rkhunter on Backtrack 5 r3, follow these steps:
- Backtrack > Forensics > Anti-Virus Forensic Tools > rkhunter
- See the image below for more details.
[Image: RKHUNTER MENU ON BACKTRACK 5]
RKHUNTER OPENED
[Image: RKHUNTER OPENED]
UPDATE YOUR RKHUNTER
- To update rkhunter, use the following command.
- Command : rkhunter --update
- See the image below for more help.
CHECKING SYSTEM COMMANDS
- To start checking for rootkits, give the following command:
- Command : rkhunter --check
- See the image below for more details.
CHECKING FOR THE ROOTKITS
- It asks you to press Enter to start the next checking process.
- See the image below for more details.
[Image: CHECKING FOR ROOTKITS]
CHECKING FOR NETWORKS
[Image: RKHUNTER : CHECKING FOR NETWORKS]
CHECKING FOR APPLICATIONS
[Image: RKHUNTER SUMMARY]
- This is how you can use rkhunter on your Backtrack 5 r3 machine.
- Keep following www.abiadonis.blogspot.com, because more tutorials are in the queue.
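The update and check steps above, combined into one unattended run, as an added example that is not from the post or the rkhunter project. It uses rkhunter's --update, --check, --sk (skip the "press Enter" prompts the post describes), --rwo (report warnings only) and --logfile options; the function names, the default log path /var/log/rkhunter-scan.log and the sample log lines are constructed for this example and are not findings from a real host.

```shell
#!/bin/sh
# Added example (not from the post or the rkhunter project): run rkhunter
# unattended and turn its log into a pass/fail signal for cron or monitoring.
set -u

# Refresh the data files, then scan without keypress prompts (--sk) and
# report only warnings (--rwo) into the log file $1.
# rkhunter itself must be installed and the caller must be root.
rkhunter_scan() {
    log=$1
    command -v rkhunter >/dev/null 2>&1 || {
        echo 'rkhunter is not installed or not in PATH' >&2
        return 127
    }
    # The exit status of --update is not a scan result (it also changes when
    # data files were refreshed), so do not abort on it; continue to the check.
    rkhunter --update || true
    # --check exits 1 when warnings were logged, 0 when the scan was clean.
    rkhunter --check --sk --rwo --logfile "$log"
}

# Number of "Warning:" lines in an rkhunter log (0 when there are none).
warning_count() {
    n=$(grep -c 'Warning:' "$1") || true
    printf '%s\n' "${n:-0}"
}

# Print the count and the warning texts (timestamps stripped); return 1
# when anything was flagged so the exit status can drive an alert.
summarize_warnings() {
    log=$1
    n=$(warning_count "$log")
    printf 'rkhunter warnings: %s\n' "$n"
    [ "$n" -eq 0 ] && return 0
    sed -n 's/^\[[0-9:]*\] *Warning: //p' "$log"
    return 1
}

# Constructed sample in the style of an rkhunter log, used for offline testing;
# the paths and messages are made up, not findings from a real host.
SAMPLE_LOG='[12:00:00] Info: Start date is Mon Jan  1 12:00:00 UTC 2024
[12:00:01] Checking system commands...
[12:00:02]   /usr/bin/ls                                      [ OK ]
[12:00:03] Warning: The command /usr/bin/ps has been replaced by a script
[12:00:04] Checking for hidden files and directories          [ Warning ]
[12:00:05] Warning: Hidden file found: /etc/.example_hidden'

# Write the sample to a temporary file and print its path, so the summary
# can be demonstrated without root and without rkhunter installed.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Real run (as root): ./rkhunter-scan.sh --scan [/path/to/logfile]
# The default log path below is an assumption, not an rkhunter default.
if [ "${1:-}" = "--scan" ]; then
    log=${2:-/var/log/rkhunter-scan.log}
    if rkhunter_scan "$log" || [ -f "$log" ]; then
        summarize_warnings "$log"
    fi
fi
```

Running `summarize_warnings "$(sample_log_file)"` prints a count of 2 followed by the two warning texts and exits with status 1; on a clean log it prints a count of 0 and exits 0. For a scheduled job, `rkhunter --cronjob` gives the same non-interactive behaviour with plain-text output, and the summary function works on its log unchanged.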
- Redefine your security with www.abiadonis.blogspot.com