A way to detect the rootkits and exploits in CentOS/RHEL

Narendiran D
Logistimo Engineering Blog
Oct 29, 2018

There are many ways that your server can be compromised by remote systems and malicious software. It’s important that once you discover an attack, you try to find out how it happened. Knowing how the attacker got in can help you reduce the risk of future compromises. A few such threats are rootkits, backdoors and exploits.

Rootkits are software that gives an attacker administrative access to a server. This malware can be planted on the targeted system by an attacker through the following means:

  1. An exposed network port
  2. An un-patched system
  3. A system with a weak administrator password, etc.

Rootkits replace normal programs and system libraries that are part of the operating system on victim machines with versions that superficially appear to be normal, but that in reality subvert the security of the machine and cause malicious functions to be executed. This kind of attack does not usually trigger automated network security controls like intrusion detection systems. It can be discovered only by digging deep on the affected system for behavioural change.

A backdoor is a means to access a computer system or encrypted data that bypasses the system’s security mechanisms. Attackers often use backdoors that they discover or install themselves as part of an exploit. In some cases, a worm or virus is designed to take advantage of a backdoor created by an earlier attack. In simple words, default passwords can function as backdoors if they are not changed by the user. Another example would be debugging features that can also act as backdoors if they are not removed in the release version.

An exploit is a piece of software, data or a sequence of commands that takes advantage of a bug or vulnerability to cause unanticipated behaviour. In simple words, “to use something for one’s own advantage”.

rkhunter is a popular tool to detect such vulnerabilities and malware. It can scan the entire system for rootkits and help us defend ourselves against potential threats.

rkhunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It checks the system against a database of known rootkits as well as performing the following security checks:

  • Compare MD5 hash
  • Look for default files used by rootkits
  • Check wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files

Install rkhunter on CentOS and RHEL

All files required for installation of rkhunter are contained in the EPEL repository.

$ sudo yum install epel-release

Once the EPEL repository is installed, issue the following commands as root to start the installation routine and for updating the database.

$ sudo yum install rkhunter
$ sudo rkhunter --update

Update system file properties

This is a necessary step to establish a foundation database file to compare scans. On a clean install, the first run of propupd creates a new database file. On later scans, running the propupd command updates the database file. Update the database file when you are satisfied you have only trusted source system file changes.

$ sudo rkhunter --propupd
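To make the baseline idea concrete, here is an added example (not part of the original post and not rkhunter’s own code) that mirrors in a few shell functions what `--propupd` and the file properties check do: record a hash, mode and owner for every file under a directory, then compare a later snapshot against that record. The function names and the database path are assumptions; GNU coreutils as shipped with CentOS/RHEL are assumed.

```shell
#!/bin/sh
# Added example, not part of the original post or of rkhunter itself: a minimal
# file-properties baseline that mirrors what `rkhunter --propupd` and the
# "File properties checks" do. Each regular file under a directory is recorded
# as "sha256 mode owner:group path"; a later snapshot is compared against it.
# Assumes GNU coreutils (sha256sum, stat -c, comm) as found on CentOS/RHEL.
# Usage: prop_baseline /usr/bin ./props.db   then later:  prop_check /usr/bin ./props.db
export LC_ALL=C   # stable sort order so comm(1) agrees with sort(1)

# One line per regular file, sorted by path.
prop_snapshot() {
    find "$1" -type f | sort | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d ' ' -f 1)
        meta=$(stat -c '%a %U:%G' "$f")
        printf '%s %s %s\n' "$hash" "$meta" "$f"
    done
}

# Equivalent of --propupd: (re)create the baseline. Run it only when every
# change on the system is trusted, e.g. right after a package update.
prop_baseline() {
    prop_snapshot "$1" > "$2"
}

# Equivalent of the check run: flag files whose hash, mode or owner differ from
# the baseline, and files added or removed since it was taken.
# Returns 0 when everything matches, 1 when any difference was found.
prop_check() {
    snap=$(mktemp)
    prop_snapshot "$1" | sort > "$snap"
    stale=$(sort "$2" | comm -23 - "$snap")   # only in baseline: changed/removed
    fresh=$(sort "$2" | comm -13 - "$snap")   # only in snapshot: changed/added
    rm -f "$snap"
    rc=0
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale" | cut -d ' ' -f 4- |
            sed 's/^/Warning: baseline entry changed or removed: /'
        rc=1
    fi
    if [ -n "$fresh" ]; then
        printf '%s\n' "$fresh" | cut -d ' ' -f 4- |
            sed 's/^/Warning: file not matching baseline: /'
        rc=1
    fi
    return $rc
}
```

A modified binary shows up twice (its old baseline entry and its new snapshot entry), a pure permission change such as a newly set setuid bit shows up the same way, which is exactly why the real database must only be refreshed after trusted changes.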

Automate Rootkit Hunter using CRON

rkhunter can be set up to run checks every day so that we always have up-to-date information about intrusions. This can be accomplished by creating a cron job.

Create a cron file in the following location /etc/cron.daily/rkhunter.sh and place the following script in the file.

#!/bin/sh
# Daily rkhunter run: check the rkhunter version, refresh the signature
# database, then scan non-interactively and mail only the warnings.
# The EPEL package installs the binary as /usr/bin/rkhunter.
(
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Scan Report (PutYourServerNameHere)' your@email.here

Update the script with the email address to which the report should be sent.

  • The --versioncheck option checks if our threat definitions are up to date.
  • The --update option updates our threat definitions, if required.
  • The --cronjob option bypasses interactive key presses.

Set execute permission on the file you have just created:

$ sudo chmod 755 /etc/cron.daily/rkhunter.sh

The cron utility will run once daily and a report will be sent via email. Emails will be sent only if issues/problems surface. Otherwise, no emails will be sent.

Manual Scan

You can initiate a manual scan by issuing the following command:

rkhunter -c

which runs rkhunter in interactive mode. In other words, when it gets to the end of a particular scan, you need to press ‘enter’ to continue. If you want to “auto-skip” interactive mode, add the -sk option:

rkhunter -c -sk

Your scan results will look as follows:

System checks summary
=====================

File properties checks...
    Files checked: 130
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 498
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 14 minutes and 34 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

No warnings were found while checking the system.

Conclusion

If a rootkit has been installed on a compromised system, rebuilding the system is the best course of action, because rootkits are so proficient at hiding themselves. Extremely strong monitoring and intrusion-detection/intrusion-prevention efforts need to be implemented. This article serves as an introductory tutorial on the detection of rootkits.
