Rkhunter official website is: http://www.rootkit.nl/projects/rootkit_hunter.html
Rkhunter is a tool for professional detection systems to infect rootkits, using scripts to confirm that the system is infected with the functionality that Rootkit,rootkit can achieve:
"1" MD5 verification test, check whether the file has been changed
"2" detects binary and System tool files used by rootkiit
"3" detects the signature of a Trojan horse program
"4" detection system commonly used file program is normal
"5" Testing system related tests
"6" Detects hidden system files
"7" detects the suspected core module KVM
"8" detection system started listening port
This time use rootkit-1.4.2 version, the specific process:
[Email protected] ~]# CD/USR/LOCAL/SRC
[Email protected] ~]# wget http://skylineservers.dl.sourcef ... hunter-1.4.2.tar.gz
[Email protected] ~]# tar zxf rkhunter-1.4.2.tar.gz-c.
[Email protected] ~]# CD rkhunter-1.4.2
[Email protected] ~]#/installer.sh--layout default--install
The default installation method is used here. Rkhunter installed to the/usr/local/sbin/directory by default
Rkhunter tool parameters are many, the use is relatively simple, run directly rkhunter will display the command usage, the following part of the common parameters
-C,--Check detects the current system
--configfile <file> Specify a specific configuration file
--cronjob running as a scheduled task
--sk,--skip-keypress automatically completes all detections and skips cross-validation
--summary Display test Results statistics
--update Detection Update content
-V,--version displays release information
--versioncheck Detecting a new version
Using/USR/LOCAL/BIN/RKHUNTER-C to detect the system
Here is the first part of the content, the first system command detection. Mainly the binary files of the detection system, these files are most susceptible to rootkit infection attacks. The display OK typeface is normal, the display werning represents the exception, the display not found does not need too big attention
[Rootkit Hunter version 1.4.2]
Checking system Commands ...
Performing ' Strings ' command checks
Checking ' Strings ' command [OK]
Performing ' Shared libraries ' checks
Checking for preloading variables [None found]
Checking for preloaded libraries [None found]
Checking ld_library_path variable [not found]
Performing file properties Checks
Checking for prerequisites [Warning]
/usr/local/bin/rkhunter [OK]
/sbin/chkconfig [OK]
/sbin/depmod [OK]
/sbin/fsck [OK]
/sbin/fuser [OK]
>>>>>>>>>>>>>> slightly <<<<<<<<<<<<< <<<<<<<<<<<<<
The following is the second part of the main detection of common rootkit procedures. Display not found indicates that the system is not infected with this rootkit
Checking for rootkits ...
Performing check of known rootkit files and directories
55808 trojan-variant A [not found]
ADM Worm [not found]
Ajakit Rootkit [not found]
Adore Rootkit [not found]
APa Kit [not found]
Apache Worm [not found]
Ambient (Ark) Rootkit [not found]
>>>>>>>>>>>>>> slightly <<<<<<<<<<<<< <<<<<<<<<<<<<<
The third part, mainly some special or attachment detection, such as for rootkit file and directory detection, malware detection and the specified kernel module detection display
Performing additional rootkit checks
Suckit Rookit Additional checks [OK]
Checking for possible rootkit files and directories [None found]
Checking for possible rootkit strings [None found]
Performing malware Checks
Checking running processes for suspicious files [None found]
Checking for login backdoors [None found]
Checking for suspicious directories [None found]
>>>>>>>>>>>>>> slightly <<<<<<<<<<<<< <<<<<<<<<<<<<<
Part IV. Network, System port, System boot file, System user and group configuration, SSH configuration, file system detection, etc.
Checking the network ...
Performing checks on the network ports
Checking for backdoor ports [None found]
Performing checks on the network interfaces
Checking for promiscuous interfaces [None found]
>>>>>>>>>>>>>> slightly <<<<<<<<<<<<< <<<<<<<<<<<<<<
Part V: Primarily for application version detection
Checking The Local host ...
Performing system boot Checks
Checking for local host name [Found]
Checking for system startup files [Found]
Checking system startup files for malware [None found]
>>>>>>>>>>>>>> slightly <<<<<<<<<<<<< <<<<<<<<<<<<<<
Part VI: This part of the output is a summary of all the above detection, from this can probably understand the server directory security status
Checking Application Versions ...
Checking version of GnuPG [OK]
Checking version of OpenSSL [OK]
Checking version of PHP [OK]
Checking version of Procmail MTA [OK]
Checking version of OpenSSH [OK]
System Checks Summary
=====================
File Properties Checks ...
Required commands check failed
Files checked:142
Suspect Files:5
>>>>>>>>>>>>>> slightly <<<<<<<<<<<<< <<<<<<<<<<<<<<
Use Rkhunter detection on Linux endpoints to display the problem directly. Green means normal, red indicates a problem, then it needs attention. The above Rphunter detection requires ENTER to confirm continued detection. To implement automatic detection, you need to execute the following command:
[Email protected] ~]#/usr/local/bin/rkhunter--check--skip-keypress
If you want to use the Rkhunter scheduled task to run, you can join the/etc/crontab scheduled task:
XX * * * */usr/local/bin/rhkunter--check--cronjob # #RHKunter会在每天0点0分运行一次
This article from "Linux Nest" blog, declined reprint!
Rkhunterr System Detection