Rootkit Hunter--check if your system has been compromised

Download Rootkit Hunter Here

Untar and cd into the directory

./installer.sh –layout default –isntall

rkhunter –update

Now, you have to edit the Root Kit Hunter config file -on the newer Rootkit Hunter versions, it is the /etc/rkhunter.conf file, the older ones, /usr/local/etc/rkhunter.conf- in order to use the Package Manager of your Linux distro, for Redhatish distros, use:

PKGMGR=RPM

And now, you must create the rkhunter.dat file, it is very important to create and only create this file if you know for a fact that the box you are installing Root Kit Hunter has not been compromised.

[root@webs10 rkhunter-1.3.2]# rkhunter --propupd

You can now test it, like this:

[root@webs10 rkhunter-1.3.2]# rkhunter -c

And then, when you are thru playing with it, create a shell script like the one below, so you can invoke it from a cronjob, it will send an email to the root account on the server, if problems arise when executed (root’s emails are forwarded, right?):

!/bin/sh /usr/local/bin/rkhunter --update /bin/nice -n +19 /usr/local/bin/rkhunter --cronjob --report-warnings-only --createlogfile | /bin/mail -s "RKH daily run /bin/hostname" root # EoF

Then, make it executable:

chmod 0700 /path/to/script/script.sh

If you get an email with a message like this:

Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)

You can actually add that file to the Root Kit Hunter config file, so you won’t get that same notification via email every day (of course, make sure it is a valone data and that it is not reportin
g you that your server got 0wned :p )

ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz