Confirmation that rkhunter can be installed

About this document

This is a record of installing and trying out rkhunter, a well-known rootkit countermeasure.

- Installation and operation were confirmed on Ubuntu 20.04 LTS. Other distributions should be much the same.
- Since it installed and ran properly, I wrote this up as a note rather than a bare memo. It should be more useful than just "I installed it."

Executive summary

- rkhunter can also check for suspicious things other than rootkits.
- The installation cost is minimal, and the operating cost should also be low because the mechanism is simple.
- The target is "modification after intrusion", such as a rootkit. The aim is an environment in which you can notice an intrusion, while still making every effort to prevent one.

Installation

The rkhunter project page has an installation tutorial, so proceed with reference to it.

Package installation

As expected, there is a package.

# apt-get install rkhunter

Unfortunately, the default settings are (intentionally?) incorrect and do not work.

- It seems a check can be run without updating the database, but there is not much point in that.

# rkhunter --update
Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
# 

Adjustment

Adjust /etc/rkhunter.conf. Since the purpose here is to visually confirm that it works, the display language is switched to Japanese.

- Language settings
- Settings for the commands used by --update
- Inspection settings

The default config does not work properly. Note that few articles mention this.

- Looking at UPDATE_MIRRORS, MIRRORS_MODE and WEB_CMD, the intent seems to be either not to expose the Ubuntu mirror or to have you set up your own mirror (if it were usable as-is, a lot of access would occur).
- The language was set to ja to show that it can be set, but en is better for operation. I do not want to have to grep /var/log/rkhunter.log for "warning" in Japanese.
- PKGMGR also seems to need setting.
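To catch the broken package defaults before running --update, here is an added shell example (mine, not code from the post or the rkhunter project) that lints an rkhunter.conf for the keys discussed above and prints the correction for each. The recommended values (WEB_CMD="", UPDATE_MIRRORS=1, MIRRORS_MODE=0, PKGMGR=DPKG, LANGUAGE=en) are my assumptions based on the option comments in rkhunter.conf, and both sample config files are constructed.

```shell
#!/bin/sh
# Added example: lint an rkhunter.conf for the Ubuntu package defaults that make
# "rkhunter --update" fail, and print the corrected value for each key.
# Recommended values are assumptions from the rkhunter.conf option comments,
# not settings taken from the post. Sample config files are constructed below.

# Print the effective value of KEY ($2) in FILE ($1): the last uncommented
# assignment wins, surrounding double quotes are stripped, a missing key
# prints nothing.
rkh_conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e "s/^[[:space:]]*$2=//" -e 's/^"//' -e 's/"$//'
}

# Compare KEY ($2) against WANTED ($3); on mismatch print
# "KEY: current -> wanted" and return 1.
rkh_conf_expect() {
    _cur=$(rkh_conf_get "$1" "$2")
    _want=$3
    [ -n "$_want" ] || _want='""'
    [ "$_cur" = "$3" ] && return 0
    printf '%s: %s -> %s\n' "$2" "${_cur:-<unset>}" "$_want"
    return 1
}

# Return 0 when FILE ($1) is usable for --update and scanning, 1 when any key
# still carries a broken default. All findings are printed, not only the first.
rkh_conf_lint() {
    _rc=0
    # WEB_CMD="/bin/false" produces the error quoted in the post:
    #   Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
    # An empty WEB_CMD lets rkhunter choose wget/curl itself.
    rkh_conf_expect "$1" WEB_CMD ""       || _rc=1
    # The package ships UPDATE_MIRRORS=0 / MIRRORS_MODE=1 (local mirrors only),
    # so no mirror is ever usable; allow any mirror and keep the list updated.
    rkh_conf_expect "$1" UPDATE_MIRRORS 1 || _rc=1
    rkh_conf_expect "$1" MIRRORS_MODE 0   || _rc=1
    # PKGMGR=DPKG lets file property checks consult dpkg's hashes, so a
    # package upgrade is not reported as a modified file.
    rkh_conf_expect "$1" PKGMGR DPKG      || _rc=1
    # English output keeps /var/log/rkhunter.log greppable for "Warning";
    # an unset LANGUAGE already means en, so only another value is flagged.
    _lang=$(rkh_conf_get "$1" LANGUAGE)
    case "$_lang" in
        ""|en) ;;
        *) printf 'LANGUAGE: %s -> en\n' "$_lang"; _rc=1 ;;
    esac
    return $_rc
}

# Constructed sample: package defaults plus the LANGUAGE=ja the post tried.
rkh_conf_write_before() {
    cat > "$1" <<'EOF'
UPDATE_MIRRORS=0
MIRRORS_MODE=1
WEB_CMD="/bin/false"
#PKGMGR=NONE
LANGUAGE=ja
EOF
}

# Constructed sample: the same keys after adjustment.
rkh_conf_write_fixed() {
    cat > "$1" <<'EOF'
UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
PKGMGR=DPKG
LANGUAGE=en
EOF
}

# Stand-alone demo on the constructed samples (point rkh_conf_lint at
# /etc/rkhunter.conf on a real host instead).
_tmp=$(mktemp -d)
rkh_conf_write_before "$_tmp/before.conf"
rkh_conf_write_fixed "$_tmp/fixed.conf"
echo "== before =="; rkh_conf_lint "$_tmp/before.conf" || echo "-> adjustment needed"
echo "== fixed  =="; rkh_conf_lint "$_tmp/fixed.conf" && echo "-> ok"
rm -rf "$_tmp"
```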

Confirmation and update

After changing the file, verify it with --config-check (short form: -C), then update the database with --update.

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [No update]
  Checking file programs_bad.dat                             [No update]
  Checking file backdoorports.dat                            [No update]
  Checking file suspscan.dat                                 [No update]
  Checking file i18n/cn                                      [No update]
  Checking file i18n/de                                      [No update]
  Checking file i18n/en                                      [No update]
  Checking file i18n/tr                                      [No update]
  Checking file i18n/tr.utf8                                 [No update]
  Checking file i18n/zh                                      [No update]
  Checking file i18n/zh.utf8                                 [No update]
  Checking file i18n/ja                                      [No update]
root@tooltest:~# 

- "Updated" or "No update" is shown for each file (the above has already been updated many times, so nothing is updated).
- If "Skipped" is shown for files such as i18n/de, a specific language has been set in UPDATE_LANG.

Scan and check results

For the scan itself, see the "first scan" page of the wiki.

The scan results are long, so I put them in the appendix at the end. Only the summary is covered here.

- --check can be shortened to -c, but it is easy to confuse with -C of --config-check.
- --skip-keypress can be shortened to -sk.
- The usual way seems to be to scan with -c -sk.

# rkhunter --check --skip-keypress
(snip)
System check overview
=====================

File property check...
File check: 143
Suspicious file: 0

Rootkit check...
Rootkit checked: 477
Potential rootkit: 0

Application check...
All checks have been skipped.

System checks took: 1 minute and 38 seconds

All results have been written to the log file: /var/log/rkhunter.log

No warnings were found during the system check.

# vi /etc/rkhunter.conf 

Confirmation of inspection contents

The details are written to /var/log/rkhunter.log.

- By default the log is overwritten on each run, so change this to suit your operation. It can serve as a record of when something changed.
- Besides backdoors and rootkits, a variety of other things are checked. An overview:
  - files with suspicious contents
  - presence of sniffer log files
  - tripwire
  - suspicious shared memory segments
  - loaded kernel modules and kernel module names
  - backdoor ports and hidden ports
  - promiscuous interfaces
  - packet capture applications
  - passwordless accounts
  - SSH and syslog settings
  - application versions (exim, gpg, httpd, named, openssl, php, procmail, proftpd, sshd)
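As an added example (mine, not from the post or the rkhunter project), here is a wrapper for the scan above that addresses the operational points in this section and in the summary that follows: it keeps a dated copy of the log instead of letting it be overwritten, and pulls the Warning lines out for a ticket or SIEM forwarder. The "Warning:" line layout is assumed from rkhunter's English log output, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: wrapper for the scan in the post that keeps a dated copy of
# /var/log/rkhunter.log (overwritten on every run by default) and extracts the
# Warning lines for a ticket or SIEM forwarder. The "Warning:" line layout is
# assumed from rkhunter's English log output; the sample log is constructed.

RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}
RKH_ARCHIVE=${RKH_ARCHIVE:-/var/log/rkhunter}

# Copy LOG ($1) into DIR ($2) as rkhunter-YYYYmmdd-HHMMSS.log and print the
# archived path, so each run leaves a record of when something changed.
rkh_archive_log() {
    mkdir -p "$2" || return 1
    _dst="$2/rkhunter-$(date +%Y%m%d-%H%M%S).log"
    cp "$1" "$_dst" && echo "$_dst"
}

# Print every "Warning:" line from LOG ($1) together with the indented detail
# lines rkhunter writes after it (File:, Current hash:, ...). Return 0 when at
# least one warning was found, 1 for a clean log.
rkh_warnings() {
    awk '
        /^\[[0-9:]+\] Warning:/     { inwarn = 1; n++; print; next }
        inwarn && /^\[[0-9:]+\]  +/ { print; next }
                                    { inwarn = 0 }
        END { if (n > 0) exit 0; exit 1 }
    ' "$1"
}

# Run the scan as in the post (-c -sk), with --rwo so only warnings reach
# stdout (and cron mail), then archive the log. Exit status follows rkhunter:
# 0 clean, non-zero when warnings were found.
rkh_run_scan() {
    # --update exits non-zero both on error and when it fetched updates,
    # so it must not abort the scan.
    rkhunter --update >/dev/null 2>&1 || true
    rkhunter --check --skip-keypress --rwo
    _rc=$?
    _saved=$(rkh_archive_log "$RKH_LOG" "$RKH_ARCHIVE") || return 1
    if [ "$_rc" -ne 0 ]; then
        echo "rkhunter reported warnings; archived log: $_saved"
        rkh_warnings "$_saved"
    fi
    return "$_rc"
}

# Constructed sample log: the lwp-request warning from the appendix as it
# would appear in rkhunter.log (hash values are placeholders).
rkh_write_sample_log() {
    cat > "$1" <<'EOF'
[10:00:00] Info: Starting the file properties checks...
[10:00:01]   /usr/bin/lwp-request                          [ Warning ]
[10:00:01] Warning: The file properties have changed:
[10:00:01]          File: /usr/bin/lwp-request
[10:00:01]          Current hash: <constructed>
[10:00:01]          Stored hash : <constructed>
[10:00:02] Info: Checking for known rootkit files
[10:00:03] Info: End date is Mon Jan  1 10:00:03 JST 2020
EOF
}

# "run" performs the real scan (needs root and rkhunter); with no argument the
# warning extraction is demonstrated on the constructed sample instead.
if [ "${1:-}" = run ]; then
    rkh_run_scan
    exit $?
fi
_tmp=$(mktemp)
rkh_write_sample_log "$_tmp"
rkh_warnings "$_tmp" || echo "no warnings"
rm -f "$_tmp"
```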

Summary

The recent thinking is that, since preventing every intrusion is impossible, it is important to be able to notice an intrusion quickly. Safer operation can be achieved by combining rkhunter with other tools while keeping its scope of application in mind.

- Installation is easy, but the settings must be adjusted to the operation.
- When updating the OS, consider when to run --propupd to create the reference values.
- Decide in advance what the response flow will be.
- Do not mistake the scope of the measures:
  - Preventing intrusion: WAF, secure programming, vulnerability management, antivirus software, etc.
  - Noticing even after intrusion: SIEM, SOAR, tamper detection, etc. (rkhunter belongs here)
- Measures against rootkits and the like are also necessary because you may become the perpetrator:
  - As a zombie, your host is used as an attack minion and becomes the first host visible to the victim.

Appendix

scan

Logs on the console

A warning was raised because lwp-request was updated after the last rkhunter --propupd. Once you have confirmed there is no problem, run --propupd again; the current state is then recorded as the reference, and no warning will be issued from the next run.

# rkhunter -c -sk
[ Rootkit Hunter version 1.4.6 ]

Check system commands...

Perform a "strings" command check
Check the "strings" command[ OK ]

Perform a "shared library" check
Check preload variables[No discovery]
Check the preload library[No discovery]
    Check the LD_LIBRARY_PATH variable                       [Undiscovered]

Perform a file property check
Check prerequisites[ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/sbin/unhide                                         [ OK ]
    /usr/sbin/unhide-linux                                   [ OK ]
    /usr/sbin/unhide-posix                                   [ OK ]
    /usr/sbin/unhide-tcp                                     [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/cat                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/chmod                                           [ OK ]
    /usr/bin/chown                                           [ OK ]
    /usr/bin/cp                                              [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/date                                            [ OK ]
    /usr/bin/df                                              [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dmesg                                           [ OK ]
    /usr/bin/dpkg                                            [ OK ]
    /usr/bin/dpkg-query                                      [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/echo                                            [ OK ]
    /usr/bin/ed                                              [ OK ]
    /usr/bin/egrep                                           [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/fgrep                                           [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/fuser                                           [ OK ]
    /usr/bin/GET                                             [ OK ]
    /usr/bin/grep                                            [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/ip                                              [ OK ]
    /usr/bin/ipcs                                            [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/login                                           [ OK ]
    /usr/bin/ls                                              [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsmod                                           [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mktemp                                          [ OK ]
    /usr/bin/more                                            [ OK ]
    /usr/bin/mount                                           [ OK ]
    /usr/bin/mv                                              [ OK ]
    /usr/bin/netstat                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/ping                                            [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/ps                                              [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/pwd                                             [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sed                                             [ OK ]
    /usr/bin/sh                                              [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/ssh                                             [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strace                                          [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/su                                              [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/telnet                                          [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uname                                           [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                               [ OK ]
    /usr/bin/watch                                           [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/numfmt                                          [ OK ]
    /usr/bin/kmod                                            [ OK ]
    /usr/bin/systemd                                         [ OK ]
    /usr/bin/systemctl                                       [ OK ]
    /usr/bin/mawk                                            [ OK ]
    /usr/bin/lwp-request                                     [warning]
    /usr/bin/bsd-mailx                                       [ OK ]
    /usr/bin/dash                                            [ OK ]
    /usr/bin/x86_64-linux-gnu-size                           [ OK ]
    /usr/bin/x86_64-linux-gnu-strings                        [ OK ]
    /usr/bin/telnet.netkit                                   [ OK ]
    /usr/bin/w.procps                                        [ OK ]
    /usr/lib/systemd/systemd                                 [ OK ]

Check rootkits...

Perform a check for known rootkit files and directories
    55808 Trojan - Variant A                                 [Undiscovered]
    ADM Worm                                                 [Undiscovered]
    AjaKit Rootkit                                           [Undiscovered]
    Adore Rootkit                                            [Undiscovered]
    aPa Kit                                                  [Undiscovered]
    Apache Worm                                              [Undiscovered]
    Ambient (ark) Rootkit                                    [Undiscovered]
    Balaur Rootkit                                           [Undiscovered]
    BeastKit Rootkit                                         [Undiscovered]
    beX2 Rootkit                                             [Undiscovered]
    BOBKit Rootkit                                           [Undiscovered]
    cb Rootkit                                               [Undiscovered]
    CiNIK Worm (Slapper.B variant)                           [Undiscovered]
    Danny-Boy's Abuse Kit                                    [Undiscovered]
    Devil RootKit                                            [Undiscovered]
    Diamorphine LKM                                          [Undiscovered]
    Dica-Kit Rootkit                                         [Undiscovered]
    Dreams Rootkit                                           [Undiscovered]
    Duarawkz Rootkit                                         [Undiscovered]
    Ebury backdoor                                           [Undiscovered]
    Enye LKM                                                 [Undiscovered]
    Flea Linux Rootkit                                       [Undiscovered]
    Fu Rootkit                                               [Undiscovered]
    Fuck`it Rootkit                                          [Undiscovered]
    GasKit Rootkit                                           [Undiscovered]
    Heroin LKM                                               [Undiscovered]
    HjC Kit                                                  [Undiscovered]
    ignoKit Rootkit                                          [Undiscovered]
    IntoXonia-NG Rootkit                                     [Undiscovered]
    Irix Rootkit                                             [Undiscovered]
    Jynx Rootkit                                             [Undiscovered]
    Jynx2 Rootkit                                            [Undiscovered]
    KBeast Rootkit                                           [Undiscovered]
    Kitko Rootkit                                            [Undiscovered]
    Knark Rootkit                                            [Undiscovered]
    ld-linuxv.so Rootkit                                     [Undiscovered]
    Li0n Worm                                                [Undiscovered]
    Lockit / LJK2 Rootkit                                    [Undiscovered]
    Mokes backdoor                                           [Undiscovered]
    Mood-NT Rootkit                                          [Undiscovered]
    MRK Rootkit                                              [Undiscovered]
    Ni0 Rootkit                                              [Undiscovered]
    Ohhara Rootkit                                           [Undiscovered]
    Optic Kit (Tux) Worm                                     [Undiscovered]
    Oz Rootkit                                               [Undiscovered]
    Phalanx Rootkit                                          [Undiscovered]
    Phalanx2 Rootkit                                         [Undiscovered]
    Phalanx2 Rootkit (extended tests)                        [Undiscovered]
    Portacelo Rootkit                                        [Undiscovered]
    R3dstorm Toolkit                                         [Undiscovered]
    RH-Sharpe's Rootkit                                      [Undiscovered]
    RSHA's Rootkit                                           [Undiscovered]
    Scalper Worm                                             [Undiscovered]
    Sebek LKM                                                [Undiscovered]
    Shutdown Rootkit                                         [Undiscovered]
    SHV4 Rootkit                                             [Undiscovered]
    SHV5 Rootkit                                             [Undiscovered]
    Sin Rootkit                                              [Undiscovered]
    Slapper Worm                                             [Undiscovered]
    Sneakin Rootkit                                          [Undiscovered]
    'Spanish' Rootkit                                        [Undiscovered]
    Suckit Rootkit                                           [Undiscovered]
    Superkit Rootkit                                         [Undiscovered]
    TBD (Telnet BackDoor)                                    [Undiscovered]
    TeLeKiT Rootkit                                          [Undiscovered]
    T0rn Rootkit                                             [Undiscovered]
    trNkit Rootkit                                           [Undiscovered]
    Trojanit Kit                                             [Undiscovered]
    Tuxtendo Rootkit                                         [Undiscovered]
    URK Rootkit                                              [Undiscovered]
    Vampire Rootkit                                          [Undiscovered]
    VcKit Rootkit                                            [Undiscovered]
    Volc Rootkit                                             [Undiscovered]
    Xzibit Rootkit                                           [Undiscovered]
    zaRwT.KiT Rootkit                                        [Undiscovered]
    ZK Rootkit                                               [Undiscovered]

Perform additional rootkit checks
Suckit Rootkit additional check[ OK ]
Check for possible rootkit files and directories[No discovery]
Check for possible rootkit strings[No discovery]

Perform malware check
Check process execution for suspicious files[No discovery]
Check login backdoor[No discovery]
Check the sniffer log file[No discovery]
Check for suspicious directories[No discovery]
Suspicious shared memory segment[No discovery]
Check Apache backdoor[Undiscovered]

Perform Linux-specific checks
Check for loaded kernel modules[ OK ]
Check kernel module name[ OK ]

Network check...

Perform a network port check
Check the backdoor port[No discovery]

Perform a network interface check
Check the promiscuous interface[No discovery]

Check localhost...

Perform a system boot check
Check the local host name[Discovery]
Check system startup files[Discovery]
Check for malware system startup files[No discovery]

Perform group and account checks
Check password file[Discovery]
Check for root-equivalent (UID 0) accounts[No discovery]
Check for passwordless accounts[No discovery]
Check for password file changes[No discovery]
Group file change check[No discovery]
Check the shell history file for the root account[ OK ]

Perform a system configuration file check
Check the SSH config file[Undiscovered]
Check the running system logging daemon[Discovery]
Check the system logging configuration file[Discovery]
Check whether syslog allows remote logging[Disallowed]

Perform a file system check
    Check for suspicious file types in /dev[No discovery]
Check hidden files and directories[No discovery]


System check overview
=====================

File property check...
File check: 143
Suspicious file: 1

Rootkit check...
Rootkit checked: 477
Potential rootkit: 0

Application check...
All checks have been skipped.

System checks took: 1 minute and 25 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings were found during the system check.
Please check the log file (/var/log/rkhunter.log).

# 
