Cómo buscar rootkits, puertas traseras y exploits usando Rootkit Hunter en Linux


Chicos, si son lectores habituales de tecmint.com, notarán que este es nuestro tercer artículo sobre herramientas de seguridad. En nuestros dos artículos anteriores, le brindamos toda la orientación sobre cómo proteger los sistemas Apache y Linux de ataques de malware, DOS y DDOS mediante LMD (Linux Malware Detect).

Nuevamente estamos aquí para presentar una nueva herramienta de seguridad llamada Rkhunter (Rootkit Hunter). Este artículo lo guiará sobre la forma de instalar y configurar RKH (RootKit Hunter) en sistemas Linux usando código fuente.

¿Qué es Rkhunter?

Rkhunter (Rootkit Hunter) es una herramienta de escaneo basada en Unix/Linux de código abierto para sistemas Linux lanzada bajo GPL que escanea puertas traseras, rootkits y exploits locales en sus sistemas.

Analiza archivos ocultos, permisos incorrectos establecidos en binarios, cadenas sospechosas en el kernel, etc. Para saber más sobre Rkhunter y sus características, visite http://rkhunter.sourceforge.net/.

Instale Rootkit Hunter Scanner en sistemas Linux

Primero, descargue la última versión estable de la herramienta Rkhunter en http://rkhunter.sourceforge.net/ o use el siguiente comando Wget para descargarlo en sus sistemas.

# cd /tmp
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz

Una vez que haya descargado la última versión, ejecute los siguientes comandos como usuario root para instalarla.

# tar -xvf rkhunter-1.4.6.tar.gz 
# cd rkhunter-1.4.6
# ./installer.sh --layout default --install
Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr/local": it exists and is writable.
 Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/local/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/local/bin: exists and is writable.
  Directory /usr/local/lib64: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/local/lib64/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete

Ejecute el actualizador RKH para completar las propiedades de la base de datos ejecutando el siguiente comando.

# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Updated ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
  Checking file i18n/ja                                      [ No update ]
File created: searched for 177 files, found 131, missing hashes 1

Cree un archivo llamado rkhunter.sh en /etc/cron.daily/, que luego escanea su sistema de archivos todos los días y envía notificaciones por correo electrónico a su identificación de correo electrónico. Cree el siguiente archivo con la ayuda de su editor favorito.

# vi /etc/cron.daily/rkhunter.sh

Agregue las siguientes líneas de código y reemplace "YourServerNameHere" con su "Nombre de servidor" y "[email protected]" con su "Email Id".

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' [email protected]

Establezca el permiso de ejecución en el archivo.

# chmod 755 /etc/cron.daily/rkhunter.sh

Para escanear todo el sistema de archivos, ejecute Rkhunter como usuario root.

# rkhunter --check
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/fuser                                          [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/lsof                                           [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sestatus                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
....
[Press  to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
.....

[Press  to continue]


  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

....
[Press  to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
....
  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking if SSH protocol v1 is allowed                   [ Warning ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]
...
System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 6

Rootkit checks...
    Rootkits checked : 383
    Possible rootkits: 0

Applications checks...
    Applications checked: 5
    Suspect applications: 2

The system checks took: 5 minutes and 38 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

El comando anterior genera un archivo de registro en /var/log/rkhunter.log con los resultados de verificación realizados por Rkhunter.

# cat /var/log/rkhunter.log
[11:21:04] Running Rootkit Hunter version 1.4.6 on tecmint
[11:21:04]
[11:21:04] Info: Start date is Mon Dec 21 11:21:04 AM IST 2020
[11:21:04]
[11:21:04] Checking configuration file and command-line options...
[11:21:04] Info: Detected operating system is 'Linux'
[11:21:04] Info: Found O/S name: Fedora release 33 (Thirty Three)
[11:21:04] Info: Command line is /usr/local/bin/rkhunter --check
[11:21:04] Info: Environment shell is /bin/bash; rkhunter is using bash
[11:21:04] Info: Using configuration file '/etc/rkhunter.conf'
[11:21:04] Info: Installation directory is '/usr/local'
[11:21:04] Info: Using language 'en'
[11:21:04] Info: Using '/var/lib/rkhunter/db' as the database directory
[11:21:04] Info: Using '/usr/local/lib64/rkhunter/scripts' as the support script directory
[11:21:04] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /bin /sbin /usr/libexec /usr/local/libexec' as the command directories
[11:21:04] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[11:21:04] Info: No mail-on-warning address configured
[11:21:04] Info: X will be automatically detected
[11:21:04] Info: Found the 'basename' command: /usr/bin/basename
[11:21:04] Info: Found the 'diff' command: /usr/bin/diff
[11:21:04] Info: Found the 'dirname' command: /usr/bin/dirname
[11:21:04] Info: Found the 'file' command: /usr/bin/file
[11:21:04] Info: Found the 'find' command: /usr/bin/find
[11:21:04] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
[11:21:04] Info: Found the 'ip' command: /usr/sbin/ip
[11:21:04] Info: Found the 'ipcs' command: /usr/bin/ipcs
[11:21:04] Info: Found the 'ldd' command: /usr/bin/ldd
[11:21:04] Info: Found the 'lsattr' command: /usr/bin/lsattr
...

Para obtener más información y opciones, ejecute el siguiente comando.

# rkhunter --help

Si te gustó este artículo, compartir es la forma correcta de agradecer.