Rootkit Hunter
Nov 14, 2008how i can install rootkit hunter on centOs?
and is it different with CHKROOTKIT?
how i can install rootkit hunter on centOs?
and is it different with CHKROOTKIT?
how to correct it?
Code:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
I was thinking of getting one of our server admins to install the Rootkit Hunter.
Would this have any effect on our server resources and stability.
Im trying to be more security minded after afew weeks ago when our server was hijacked, and I dont want to go through this again.
How can I get rootkit hunter to email me the results?
I tried
MAILTO=me@mydomain
0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
and
MAILTO=me@mydomain 0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
But it is not sending the email, nothing even show up in my exim_mainlog.
How can I stop the rootkit hunter false positives?
It is alerting on these, on a fresh OS install:
Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_files file: './db/rootkit_files.txt'
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_trojans file: './db/rootkit_trojans.txt'
How can i 'fix' this?
other options over chkrootkit and rkhunter since they are pretty outdated, and so far have found:
Curuncula:
[url]
Unhide:
[url]
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. the -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
I was following this guide: url]
It's very nice but, 4 years old. So now I am wondering what is best rookit detector, and what is best firewall for centOS 5.
My Windows VPS has come under heavy attack by hackers trying to get through MSFTPSVC for the past month and they finally managed to somehow get in 2 days ago. Somehow, the "Allow anonymous login" setting was selected in my FTP settings and they got in.
They even managed to turn off my firewall. I guessing they used a buffer overflow or some other Windows Server 2003 weakness that was fixed in SP2 (too bad SP2 is'nt supported by SWSoft yet).
The attacks began less than 1 week after I had signed up with Virpus. I did'nt even have my domain name pointing to the server or a site up when the first set of dictionary attacks began. How common is that 0_0 ?
Anyway, since I now know they've gotten in I've run a virus check and everything looks clean but I really want to run some kind of root kit detection software. I've tried everything suggested on the antirootkit website but none of them seem to work on a VPS.
trying to secure my new server that will be opening for shared hosting.
So far I've found:
CHKRootKit, RKHunter, and ClamAV
As for Firewall, I've setup CSF but my question is, what is a good setting for blocking SYN Floods without blocking clients who might be browsing their site and, using DA, and FTP.
In the past I've used:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 3/s --limit-burst 5 -j DROP
and took down some pretty big attacks, but it was very touchy.
For securities purposes whats best to install?
Feel free to suggest any others.
Server is running cpanel
Possible root kit, what can I do?
Sorry for the long post, but I need some feedback.
One of the main reasons that I went from a windows dedicated server to a VPS was because I had several attacks on my server that cost lots of time and money. The only reason to these attacks was that it has to be a root kit in one of the programs I used on my server.
I have used SolarVPS for over 6 months now, and have used most of the same software I used on my dedicated server. I have not had any attacks or somebody gaining access to my VPS.
Last week I got a new Windows VPS from JaguarPC. I installed the same software as always (I will list the software later) and day two of my new VPS somebody had full access, had created a new admin user, installed Utorrent, downloaded and uploaded over 10 GB of movies and music before I discovered the security issue.
Beside my normal software I had downloaded a free downloadmanager, so I could download my plesk backup files faster than on a single download connection. That was the only other software beside my normal software.
But I never used that download manager on my dedicated server, but the same thing happened there also. A user got full access, created a new admin user for remote desktop, etc. I also use different password for the different VPS/DS/hosting plans, but some parts of the main level password is the same.
Last time the user was names support, this time the user was named Dave
I change password often, this year I have changed my password 4-5 times. I have different password for different levels on my VPS/servers. On password for Admin, one for Plesk, one for FTP access to my sites, one for e-mail, one for MySQL etc etc.
I have changed OS at home from XP to Vista, and have only installed 100% secure programs at my home computer. I have not installed one free program or any cracks, warez etc. I also use different antivirus and anti spyware software at home. So the problem can most likely not be at my home computers.
My current software I use on my VPS’s are: (I have some more, but that was the software I used on new VPS)
WinRar 3.61 from [url]
Bandwidth monitor Pro from [url]
Weblog Expert 4.1 from [url]
And the only software I don’t use on my VPS at SolarVPS:
Free Download Manager from [url]
The strange thing is that last time, over 6-7 months ago when I had all the problems with my dedicated server, I traced the IP the hackers had used to login to my DS to Germany.
This time on my new VPS the person has to be from Germany or on country they speak German. The mp3s and the movies where almost all in German.
My plan for the future:
I think I will buy a new VPS plan to test my software. Install one and one software, and see when somebody get access to my VPS. I have to use a provider that offer free OS reloads, so I can reload the OS after I have tested one and one of my programs.
Do anybody know about any companies that allow me to get free OS reloads and provide a Windows 2003 server?
Or will the backup function in VZPP work as OS reload if I take a backup of my new clean VPS and then install software. If it is a rootkit, and I restore, will the rootkit go away? If yes, I can use all providers with VZPP.
And do I have to tell the company what I have planned to do? A rootkit on my VPS will not affect other VPS, so they can get the same rootkit, or the main server?