IT security is an important topic nowadays. Since every aspect of our daily life is affected by IT, system security and data security have become essential. Hackers penetrate companies and their IT systems all around the world every day.
Linux can be compromised by hackers too. Although Windows is still dominant on desktops and laptops and was therefore the main target for hackers in the past, Linux has a high market share in the server sector as well as in the mobile device market.
Windows systems were mainly affected by classical viruses in the past, while Linux desktops and Linux servers were more exposed to rootkits. A rootkit is malicious software which grants a hacker full access, known as root access, to a compromised system while hiding its own presence.
Rootkits are difficult to detect, but there is software available which can give a system maintainer a first hint of a compromise.
Among the few open source tools available to scan Linux systems is Rootkit Hunter (rkhunter). On Ubuntu, however, its default configuration is broken in a few places, and some fixes need to be applied before it works:
The Problems and their Fixes
First of all, Rootkit Hunter needs to be installed. I show the installation and the fixes here on an Ubuntu Desktop. The command for the installation is:
sudo apt-get install rkhunter
As a next step we want to update the rootkit definitions, similar to anti-virus definitions:
sudo rkhunter --update
And then we get this error message:
Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
Here is a screenshot of the problem:
…and in the last line of the screenshot we also see the fix for the problem. Here is the command for you to copy (it clears the WEB_CMD option in /etc/rkhunter.conf, so rkhunter falls back to its own download command):
sudo sed -i 's/WEB_CMD=\"\/bin\/false\"/WEB_CMD=\"\"/g' /etc/rkhunter.conf
But that's not all! If we run "sudo rkhunter --update" again, another error appears. The output is "Update failed". But there is also a fix, as you see next:
The fix for the problem as bash commands (they enable the mirror list and set the mirror mode so that the update can reach a mirror):
sudo sed -i 's/UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/g' /etc/rkhunter.conf
sudo sed -i 's/MIRRORS_MODE=1/MIRRORS_MODE=0/g' /etc/rkhunter.conf
Next we see that the command finally works:
But then another error appears if we want to run a scan. The command for the scan is:
sudo rkhunter -c
Here is the error message:
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/egrep
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/fgrep
Here is the screenshot of the problem:
And here is the fix as code (on Ubuntu, egrep and fgrep live in /bin, so the whitelist entries must point there):
sudo sed -i 's/\/usr\/bin\/egrep/\/bin\/egrep/g' /etc/rkhunter.conf
sudo sed -i 's/\/usr\/bin\/fgrep/\/bin\/fgrep/g' /etc/rkhunter.conf
After these modifications our rootkit check finally worked as you see here:
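To avoid typing the four edits above by hand every time, here is an added example script (not part of the original post and not part of rkhunter) that applies all of them to a config file passed as an argument and then verifies that none of the problematic values remain. The function names fix_rkhunter_conf, check_rkhunter_conf and run_rkhunter_scan are this example's own; it defaults to /etc/rkhunter.conf and is written for POSIX sh.

```shell
#!/bin/sh
# Added example: apply the rkhunter.conf fixes from this post in one go.

# Rewrite one config line pattern in place, portably (no sed -i).
replace_line() {
    # $1 = sed expression, $2 = config file
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

fix_rkhunter_conf() {
    conf="${1:-/etc/rkhunter.conf}"
    # 1. WEB_CMD="/bin/false" is rejected as a relative pathname; clear it.
    replace_line 's#^WEB_CMD="/bin/false"#WEB_CMD=""#' "$conf"
    # 2. Enable the mirror list and set the mirror mode used in the post,
    #    otherwise "rkhunter --update" ends with "Update failed".
    replace_line 's#^UPDATE_MIRRORS=0#UPDATE_MIRRORS=1#' "$conf"
    replace_line 's#^MIRRORS_MODE=1#MIRRORS_MODE=0#' "$conf"
    # 3. Ubuntu ships egrep/fgrep in /bin, so point SCRIPTWHITELIST there.
    replace_line 's#^SCRIPTWHITELIST=/usr/bin/egrep$#SCRIPTWHITELIST=/bin/egrep#' "$conf"
    replace_line 's#^SCRIPTWHITELIST=/usr/bin/fgrep$#SCRIPTWHITELIST=/bin/fgrep#' "$conf"
}

# Return 0 only if none of the four offending settings is still present.
check_rkhunter_conf() {
    conf="${1:-/etc/rkhunter.conf}"
    if grep -q '^WEB_CMD="/bin/false"' "$conf"; then return 1; fi
    if grep -q '^UPDATE_MIRRORS=0' "$conf"; then return 1; fi
    if grep -q '^MIRRORS_MODE=1' "$conf"; then return 1; fi
    if grep -q '^SCRIPTWHITELIST=/usr/bin/[ef]grep$' "$conf"; then return 1; fi
    return 0
}

# Fix the real config, update the definitions, then run the check.
# Call this as root, e.g. "sudo sh fix-rkhunter.sh" with the line below uncommented.
run_rkhunter_scan() {
    fix_rkhunter_conf /etc/rkhunter.conf
    check_rkhunter_conf /etc/rkhunter.conf || { echo "config still broken" >&2; return 1; }
    rkhunter --update && rkhunter -c
}
# run_rkhunter_scan
```

Run it against a copy of /etc/rkhunter.conf first if you want to review the diff before touching the real file.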
Rootkit Hunter is a good piece of software, but on some Ubuntu versions it fails when it is executed right after the installation. The procedures shown here make Rootkit Hunter function properly. I also showed how to fix the problem with updating Rootkit Hunter.
Feel free to comment on my blog post!