Is my server hacked? Lets check it with rootkit hunter

RookHit Hunter is a command-line utility that will search your machine for malicious binaries - also known as 'rootkits' - which will let the bad guys (or gals) get 'root' on your machine. As you now now, with root privileges, your machine is theirs. You have been '0wn3d' as they say in cracker land. RootKit Hunter is available at:http://www.rootkit.nl/projects/rootkit_hunter.html

Installation is easy. Just unpack the tarball and run the install script provided. To run the utility, just do the following:

Code:
rkhunter -c --createlogfile
This will check everything and create a log file in /var/log/ called rkhunter.log
Essentially, the utility has two main functions. One is to look for rootkits (logically) on the system. The other is to check binaries and other files for evidence of tampering and vulnerabilities. It will even inform you about bad practices. For example, if it finds that your SSH configuration file allows root logins, it will warn you. It will also track down suspicious looking dot files and tell you about those.

The tool is interactive, meaning that by default, you need to push enter after the phases of checking are completed. However, you can run it from a cron job and disable this interactive mode.

The best way to approach using this is to install it and use it directly after a clean install of the entire operating system. Then use it periodically. It's a good idea to run it right before you update your system after security alerts. When you run it subsequently, you should be on the alert for false positive, as rootkit hunter makes hash checks of your binaries. A systems update could theoretically set off an alert as the checksums on the binaries should change.

Was this answer helpful?

 Print this Article

Also Read

Installing Rkhunter (Rootkit Hunter) in RHEL, CentOS and Fedora

Rkhunter (Rootkit Hunter) is an open source Unix/Linux based scanner tool for Linux systems...

How to Block Traffic by Country in the CSF Firewall?

One of the most-requested features on cPanel servers is the ability to manage and filter traffic...

How to Secure PHP from php.ini

PHP's default configuration file, php.ini (usually found in /etc/php.ini on most Linux systems)...

Installing and configuring Spamassassin on CentOS

If you run your own mail server you'll want it to run spam filtering software to reduce the...

Disable shell access for unknown users

Suspect there are other users in your system that have shell access to your system? Please follow...