Saturday, January 26, 2013

Backtrack Forensics: rootkit scanning with rkhunter

Menu: Forensics -> Anti-Virus Forensic Tools
Directory: /bin/

rkhunter (Rootkit Hunter) is a similar tool to chkrootkit: it also scans the system for rootkits, but it can do a bit more. Let's see what we can do with it. According to its own description it will do scans like:

"- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files"


First we can check the installed version, and also check whether a newer one has been released:

rkhunter -V - display the installed version (same as --version)
rkhunter --versioncheck - contact the project server and check if there is an update


then update the rootkit signature/data files to the current ones (this needs network access):

rkhunter --update


Starting the scan is very simple:

rkhunter -c

(-c is short for --check). It will run for about 20-30 minutes, and a couple of times we need to press Enter to move on to the next test group. If you want it to run unattended (for example from a script or a cron job), add --sk (--skip-keypress) so it never waits for a key, and --rwo (--report-warnings-only) so only the warnings are printed on the screen.


The scan log (what it printed on the screen, and much more, including the details behind every warning) will be at /var/log/rkhunter.log. By default the log is overwritten on every run (the APPEND_LOG option in rkhunter.conf controls this), so copy it somewhere if you want to keep the result of an earlier scan.

There is one more useful task: we can make rkhunter store a baseline of the properties of common system files (a hash of the file, plus its size, permissions, owner and modification time), and when it runs the scan it will compare the actual properties with the stored ones. If there is a change, it will drop a warning. The hash function it uses is configurable (HASH_FUNC in rkhunter.conf; SHA1 is the usual default where it is available, falling back to MD5). The baseline is created with:

rkhunter --propupd

Two caveats: only run --propupd on a system you trust to be clean, because whatever is on disk at that moment becomes the "known good" state (if a binary was already replaced, you have just whitelisted it). And rerun it after legitimate package updates, otherwise every updated binary will show up as a warning on the next scan.

The stored properties are in /var/lib/rkhunter/db/rkhunter.dat
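The steps above (update, unattended scan, then reading the log) can be tied together in a small shell script. The script below is an added example, not code from the original post or from the rkhunter project. It assumes the rkhunter option names used above (--update, --check, --sk, --rwo, --propupd), the default log path, and the "[HH:MM:SS] Warning: ..." / "File: ..." log-line layout; the sample log it parses is constructed here so the parsing part runs even on a machine without rkhunter.

```shell
#!/bin/sh
# Added example (not from the original post or the rkhunter project):
# run rkhunter non-interactively and pull the warnings out of its log.
# Assumptions: rkhunter option names as used in the post (--update,
# --check, --sk, --rwo, --propupd), the default log path, and log lines
# shaped like "[HH:MM:SS] Warning: ..." with a "File: ..." detail line.

RKLOG=${RKLOG:-/var/log/rkhunter.log}

# Number of "Warning:" lines in the given log file.
count_warnings() {
    grep -c '^\[[0-9:]*\] *Warning:' "$1" || true
}

# The warning messages themselves, one per line, timestamp stripped.
list_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: *//p' "$1"
}

# Files rkhunter reported as having changed properties (baseline mismatch).
changed_files() {
    sed -n 's/^\[[0-9:]*\] *File: *//p' "$1"
}

# Unattended scan: refresh the data files, then check without keypress
# prompts and with only warnings on the terminal. Returns rkhunter's status.
run_scan() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 127; }
    rkhunter --update
    rkhunter --check --sk --rwo
}

# Rebuild the file-properties baseline. Only call this on a system you
# trust to be clean, or after a legitimate package update.
update_baseline() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 127; }
    rkhunter --propupd
}

# Constructed sample log (hypothetical content, mirroring the assumed
# rkhunter.log layout) so the parsing functions can be tried offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:12:01] Info: Starting system check
[10:12:02]   Checking file properties [ Warning ]
[10:12:02] Warning: The file properties have changed:
[10:12:02]          File: /usr/bin/ls
[10:12:02]          Current hash: 0123456789abcdef
[10:12:02]          Stored hash : fedcba9876543210
[10:12:03]   Checking for hidden files and directories [ Warning ]
[10:12:03] Warning: Hidden directory found: /dev/.udev
[10:12:04] Info: End date is Sat Jan 26 10:12:04 2013
EOF

echo "warnings in sample log: $(count_warnings "$SAMPLE_LOG")"
list_warnings "$SAMPLE_LOG"
echo "files with changed properties:"
changed_files "$SAMPLE_LOG"
```

On a real Backtrack box you would call run_scan and then point count_warnings / list_warnings / changed_files at "$RKLOG" instead of the sample file; a non-zero warning count is the signal to open the full log and look at each entry, and changed_files gives you the list of binaries whose baseline no longer matches.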


Official website: http://www.rootkit.nl/projects/rootkit_hunter.html
