A rootkit is a collection of software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. It is software used by a hacker to gain constant administrator-level access to a computer or network. Today rootkits are generally associated with malware such as trojans, worms, viruses that conceal their existence and actions from users and other system processes.

Rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems.

All files required for installation of rkhunter are contained in the Extra Packages for Enterprise Linux repository. The EPEL repository provides easy to install packages for commonly used CentOS enterprise software. Install the EPEL repository:

yum install epel-release

Once the EPEL repository has been installed, issue the following command as root to start the installation routine.

yum -y install rkhunter

Update the rkhunter database to get the latest definitions:

rkhunter --update

Next, you need to update system file properties. This is a necessary step to establish a foundation database file to compare scans. On a clean install, the first run of propupd creates a new database file. On later scans, running the propupd command updates the database file. So, to update the database file if you are satisfied you have only trusted source system file changes, use the following command:

rkhunter --propupd

Open the configuration file for rkhunter for editing and set up e-mail notifications, which can be enabled by editing the MAIL-ON-WARNING value as below. You will then receive a message when rkhunter hits a warning. Please note that local mail has to be set up correctly for mail notifications to function.

vi /etc/rkhunter.conf MAIL-ON-WARNING=username@domainname.com

The parameter ALLOW_SSH_ROOT_USER tells rkhunter whether or not the root user is allowed to ssh into the system. This is unset by default in the file. Rkhunter will complain about this on every run. If you have disabled root login, you should set this parameter to "no".

ALLOW_SSH_ROOT_USER=no

For a system not using modules, you should disable OS-specific checks in the disable checks list as otherwise, you may experience false positives during scans. The Linux specific tests relate to modules, so none of them is relevant for a system not using modules:

DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps os_specific

Current versions of rkhunter have a cronjob preinstalled under /etc/cron.daily . If you want daily reports being sent somewhere other than to the local root mail account at /var/spool/mail/root by default (warnings, if found, are already sent to the address specified above), you can edit the configuration file for the cronjob:

vi /etc/sysconfig/rkhunter MAILTO=username@domainname.com

You can initiate a manual scan with auto-skip, i.e. you don’t have to press enter at the end of each scan to test the set up by issuing the following command:

rkhunter -c -sk

If any warnings are found you should receive the following mail:

Please inspect this machine, because it may be infected.

To check the log for more detail use the following command: