Rootkit Hunter

Stewart -

PROBLEM

Is my server compromised?

ENVIRONMENT

  • On-Premise Server + WebMail Installations: Version 6.0 > Current Version
  • Webmail Only Installations: Version 6.0 > Current Version

CAUSE

Rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Rkhunter checks the file system by comparing SHA-1 hashes of important files against confirmed-safe hashes held in online databases. It also looks for the default directories used by known rootkits, hidden files, incorrect permissions and suspicious strings in kernel modules, and runs a set of tests specific to Linux.

RESOLUTION

  1. Downloading Rkhunter

The first thing you need to do is download the latest version of Rkhunter. You can do this by either going to http://www.rootkit.nl/projects/rootkit_hunter.html or by using the Wget command listed below:
    cd /tmp

    wget "http://internode.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz"
  2. Installing Rkhunter

After you have downloaded the latest version of Rkhunter, you will need to run the following commands as the root user in order to install Rkhunter:
    tar -xvf rkhunter-1.4.0.tar.gz

    cd rkhunter-1.4.0

    ./installer.sh --layout default --install
  3. Updating Rkhunter

Once you have installed Rkhunter, you will need to update it and populate its file-properties database, using the following commands:
    /usr/local/bin/rkhunter --update

    /usr/local/bin/rkhunter --propupd
  4. Setting Cronjob and Email Alerts

You will now need to create a file called rkhunter.sh in /etc/cron.daily/ using your preferred editor. This file will scan your system daily and send the results by email to your email address.

    vi /etc/cron.daily/rkhunter.sh

  5. Now you need to add the following lines into the file, replacing "YourServerNameHere" and "your@email.com" with the appropriate details.

    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run (YourServerNameHere)' your@email.com
  6. Now, set execute permissions on the file by entering the following command:

    chmod 755 /etc/cron.daily/rkhunter.sh
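The cron script above mails whatever rkhunter prints, so a clean run and a run with findings arrive with the same subject line. The following is an added example, not part of the atmail article or of the rkhunter project, showing how the daily wrapper could post-process /var/log/rkhunter.log so the subject carries a warning count and the body lists only the "Warning:" lines. The sample log is constructed to approximate the log's layout (timestamp prefix, one "Warning:" line per finding) and is not output from a real server; the function names and the mktemp path are assumptions.

```shell
#!/bin/sh
# Added example, not from the atmail article: summarise a rkhunter log for
# the daily alert mail. Function names and paths below are assumptions.
set -eu

# Constructed sample log approximating /var/log/rkhunter.log; not a real run.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:02:11] Info: Starting the system checks
[10:02:12]   Checking for prerequisites                 [ OK ]
[10:02:13]   /usr/bin/ssh                               [ Warning ]
[10:02:13] Warning: The file properties have changed:
[10:02:13]          File: /usr/bin/ssh
[10:02:13]          Current hash: 0000000000000000000000000000000000000000
[10:02:14]   Checking for hidden files and directories  [ Warning ]
[10:02:14] Warning: Hidden file found: /dev/.example
[10:02:15] Info: System checks summary
EOF

# Print the "Warning:" finding lines with the timestamp prefix stripped.
# The "[ Warning ]" status column is deliberately not matched; only the
# lines that name the finding are.
rkhunter_warnings() {
    awk '/\] Warning:/ { sub(/^\[[0-9:]*\] */, ""); print }' "$1"
}

# Count the findings. awk exits 0 even when nothing matches, so this is
# safe under set -e (grep -c would exit 1 on zero matches).
rkhunter_warning_count() {
    awk '/\] Warning:/ { n++ } END { print n + 0 }' "$1"
}

# Subject line for the mail: host name plus warning count or "clean".
rkhunter_subject() {
    host=$1
    count=$2
    if [ "$count" -gt 0 ]; then
        printf 'rkhunter Daily Run (%s): %s warning(s)\n' "$host" "$count"
    else
        printf 'rkhunter Daily Run (%s): clean\n' "$host"
    fi
}

# Mail body: the count and the finding lines, or a one-line all-clear.
rkhunter_report() {
    count=$(rkhunter_warning_count "$1")
    if [ "$count" -gt 0 ]; then
        printf '%s warning(s) found in %s:\n' "$count" "$1"
        rkhunter_warnings "$1"
    else
        printf 'No warnings in %s\n' "$1"
    fi
}

# Demonstration on the constructed log.
rkhunter_report "$SAMPLE_LOG"
```

In the real /etc/cron.daily/rkhunter.sh the scan (`rkhunter --cronjob --report-warnings-only`) would run first, then `rkhunter_report /var/log/rkhunter.log | /bin/mail -s "$(rkhunter_subject "$(hostname)" "$(rkhunter_warning_count /var/log/rkhunter.log)")" your@email.com` replaces the plain pipe, so a mailbox filter can separate clean runs from runs that need a look.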

  7. Manual Scan and Usage

You can now scan the entire file system by running the following command. Be sure to run rkhunter as the root user.

    rkhunter --check

  8. The command you just entered writes its results to the log file /var/log/rkhunter.log, which lists each check Rkhunter performed and any warnings it raised.

If you would like more information regarding Rkhunter run the following command:

    rkhunter --help
 