Install and use rootkit Hunter under Linux (rootkit Detection Scan Tool)

Source: Internet
Author: User
Tags: hash, sha1, system log

According to the official site, Rootkit Hunter (rkhunter) can detect rootkits and backdoors and check the local system for problems such as modified or suspicious files.

Official downloads:

Project: http://www.rootkit.nl/projects/rootkit_hunter.html
Download: http://downloads.sourceforge.net/rkhunter/rkhunter-1.4.2.tar.gz?use_mirror=jaist

Extract and install:

Extract
# tar -zxvf rkhunter-1.3.4.tar.gz
Install
# cd rkhunter-1.3.4
# ./installer.sh -h
Usage: ./installer.sh <parameters>
Ordered valid parameters:
--help (-h): Show this help
--examples: Show installation examples
--layout <value>: Select an installation template (mandatory switch).
  Template choices:
   default: (FHS compliant),
   /usr,
   /usr/local,
   oldschool: previous version installation paths,
   custom: custom installation path (supply your own $PREFIX),
   RPM: for building RPMs. Requires $RPM_BUILD_ROOT.
   DEB: for building DEBs. Requires $DEB_BUILD_ROOT.
--striproot: strip path from custom layout (for package maintainers).
--install: Install according to the chosen layout
--show: Show the installation paths for the chosen layout
--remove: Uninstall rkhunter
--version: Show the installed version

The installation command I used:

# ./installer.sh --layout default --install

Running rkhunter:

# /usr/local/bin/rkhunter --propupd
# /usr/local/bin/rkhunter -c --sk --rwo
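The four steps above (extract, install, take the file-properties baseline, scan) as one script. This is an added example, not code from the original post or from the rkhunter project: it assumes the tarball name and the /usr/local install paths used in the post, checks the tarball against a checksum placeholder (EXPECTED_SHA256 must be replaced with the value the project publishes for the release you downloaded), and adds two small helpers that count and list the "[ Warning ]" verdicts rkhunter writes to its log, demonstrated on a constructed sample log rather than a real /var/log/rkhunter.log.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the extract/install,
# baseline and scan steps above and summarises the warnings rkhunter writes
# to its log. Assumptions: the tarball name and install paths used in the
# post; EXPECTED_SHA256 is a placeholder, replace it with the checksum the
# project publishes for the release you downloaded.
set -eu

TARBALL="rkhunter-1.3.4.tar.gz"
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_CHECKSUM"   # placeholder, not a real value
RKH="/usr/local/bin/rkhunter"
RKH_LOG="/var/log/rkhunter.log"

# 1. Refuse to unpack a tarball whose checksum differs from the published one.
verify_tarball() {
    actual=$(sha256sum "$TARBALL" | cut -d' ' -f1)
    [ "$actual" = "$EXPECTED_SHA256" ] || { echo "checksum mismatch: $TARBALL" >&2; return 1; }
}

# 2. Extract and install with the default (FHS) layout, as in the post.
install_rkhunter() {
    verify_tarball
    tar -zxvf "$TARBALL"
    (cd rkhunter-1.3.4 && ./installer.sh --layout default --install)
}

# 3. Record the file-properties baseline (do this on a host you still trust,
#    right after installing), then scan without keypresses, warnings only.
baseline_and_scan() {
    "$RKH" --propupd
    "$RKH" --check --sk --rwo
}

# Number of "[ Warning ]" verdicts in an rkhunter log file.
rkh_warning_count() {
    grep -c '\[ Warning \]' "$1" || true    # grep -c exits 1 when the count is 0
}

# The warning lines themselves, e.g. for a ticket or a mail body.
rkh_warning_lines() {
    grep '\[ Warning \]' "$1" || true
}

# Constructed sample in the shape of rkhunter's log (not output from a real host).
write_sample_log() {
    cat > "$1" <<'EOF'
[12:00:01]   /usr/bin/ls                                  [ OK ]
[12:00:01]   /usr/bin/ps                                  [ Warning ]
[12:00:01] Warning: The file properties have changed:
[12:00:01]          File: /usr/bin/ps
[12:00:02]   /usr/bin/netstat                             [ Warning ]
[12:00:03]   Checking for hidden files and directories    [ OK ]
EOF
}

# Demo on the constructed log; on a real host point the helpers at $RKH_LOG.
sample=$(mktemp)
write_sample_log "$sample"
echo "warnings: $(rkh_warning_count "$sample")"    # prints 2
rkh_warning_lines "$sample"
rm -f "$sample"
```

To use it on a real host, run `install_rkhunter && baseline_and_scan` as root after filling in the checksum, then `rkh_warning_count "$RKH_LOG"` from cron to turn the scan into a number you can alert on. The baseline step matters: `--propupd` records whatever is on disk at that moment, so a baseline taken after a compromise will happily report the replaced files as fine.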

The result: the host had been compromised, which in practice means reinstalling the system. Still, the check results let you determine the type of rootkit and which system files were replaced, and the version checks of some programs provide further information.

Description of the command parameters:

/usr/local/bin/rkhunter
Usage: rkhunter {--check | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits},...] |
                 --version | --help} [options]

Current options are:
    --append-log                   Append to the log file instead of overwriting it
    --bindir <directory>           Use the specified command directories
-c, --check                        Check the current system
    --cs2, --color-set2            Use the second color set for output
    --configfile <file>            Use the specified configuration file
    --cronjob                      Run as a cron job
                                   (implies -c, --sk and --nocolors)
    --dbdir <directory>            Use the specified database directory
    --debug                        Debug mode (do not use unless required)
    --disable <test>[,<test>...]   Skip the specified tests (default: none skipped)
    --display-logfile              Display the log file contents at the end
    --enable <test>[,<test>...]    Run only the specified tests
                                   (default: all tests are run)
    --hash {MD5 | SHA1 | NONE |    Use the specified file hash function
            <command>}             (default is SHA1)
-h, --help                         Display the help menu
    --lang, --language <language>  Specify the language to use
                                   (default is English)
    --list [tests | languages |    List the available test names, languages
            rootkits]              and detectable rootkits
-l, --logfile [file]               Write to the specified log file
                                   (default is /var/log/rkhunter.log)
    --noappend-log                 Overwrite the log file instead of appending to it
    --nocolors                     Black and white output only
    --nolog                        Do not write to a log file
    --nomow, --no-mail-on-warning  Do not send mail if warnings occur
    --ns, --nosummary              Do not show the summary of check results
    --novl, --no-verbose-logging   No verbose logging
    --pkgmgr {RPM | DPKG | BSD |   Use the specified package manager to verify
              NONE}                file hash values (default is NONE)
    --propupd [file | directory |  Update the entire file properties database,
               package]...         or only the specified entries
-q, --quiet                        Quiet mode (no output at all)
    --rwo, --report-warnings-only  Show only warning messages
-r, --rootdir <directory>          Use the specified root directory
    --sk, --skip-keypress          Run all tests without waiting for a keypress
    --summary                      Show the summary of check results
                                   (this is the default)
    --syslog [facility.priority]   Log the check start and finish times to syslog
                                   (default level is authpriv.notice)
    --tmpdir <directory>           Use the specified temporary directory
    --update                       Check for updates to the database files
    --vl, --verbose-logging        Use verbose logging (on by default)
-V, --version                      Display version information
    --versioncheck                 Check for the latest version of the program
-x, --autox                        Automatically detect whether X is in use
-X, --no-autox                     Do not automatically detect whether X is in use
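The --propupd, --hash and --pkgmgr options describe the file-properties check: --propupd stores a hash (SHA1 by default) of each monitored file, and --check recomputes the hashes and raises a warning for anything that changed. The following is an added example, not rkhunter's own code, that reimplements that mechanism in a few lines of shell with sha1sum, so you can see exactly what a "[ Warning ]" on a system file means; it runs against a constructed scratch directory. Real rkhunter also records size, mode, owner, inode and mtime and can verify against the package manager, which this toy version does not.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal version of what --propupd
# (store file properties) and --check (compare them) do, using SHA1 because it
# is rkhunter's default (--hash SHA1). Real rkhunter also records size, mode,
# owner, inode and mtime and can verify against the package manager (--pkgmgr).
set -eu

# Write one "sha1 size path" line per regular file under $1 into database $2.
build_baseline() {
    dir=$1; db=$2
    : > "$db"
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        sum=$(sha1sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$f" >> "$db"
    done
}

# Compare the current state of $1 with baseline $2. Prints one line per file
# that changed, disappeared, or appeared since the baseline (the three cases
# rkhunter reports as [ Warning ]). Returns 0 if clean, 1 otherwise.
check_baseline() {
    dir=$1; db=$2; rc=0
    while read -r sum size path; do
        if [ ! -f "$path" ]; then
            echo "$path [ Warning ] file missing"; rc=1; continue
        fi
        cur=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "$path [ Warning ] hash changed (stored $sum, current $cur)"; rc=1
        fi
    done < "$db"
    # Files present now but absent from the baseline. The pipeline runs in a
    # subshell, so collect its output instead of setting rc inside the loop.
    extra=$(find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        cut -d' ' -f3- "$db" | grep -qxF -- "$f" || echo "$f [ Warning ] not in baseline"
    done)
    if [ -n "$extra" ]; then echo "$extra"; rc=1; fi
    return $rc
}

# Constructed demo: baseline a scratch "bin" directory, replace one file,
# drop a hidden file, and re-check.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ls\n' > "$work/bin/ls"
    printf 'original ps\n' > "$work/bin/ps"
    build_baseline "$work/bin" "$work/rkhunter.dat"
    printf 'replaced ps\n' > "$work/bin/ps"        # simulate a replaced binary
    printf 'dropped file\n' > "$work/bin/.hidden"  # simulate a new hidden file
    check_baseline "$work/bin" "$work/rkhunter.dat" || echo "check found changes"
    rm -rf "$work"
}
demo
```

The weak point is the same as rkhunter's: the database is only as trustworthy as the host was when it was written, and an attacker with root can rewrite it. That is why rkhunter's --pkgmgr option exists (verify against the package manager's own records instead) and why the baseline file is worth keeping on read-only or off-host storage.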

With Rootkit Hunter, detecting rootkits, detecting backdoors, and checking the local system for tampered files becomes easy; rkhunter automates these tedious tasks for us.
