Rkhunter Installation

Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems. This tutorial will touch on installing and setting up a daily report for rkhunter.
Installing:

wget -c http://downloads.rootkit.nl/rkhunter-1.1.1.tar.gz
tar -zxvf rkhunter-1.1.1.tar.gz
cd rkhunter-1.1.1
./installer.sh

Now you can run a test scan with the following command:

/usr/local/bin/rkhunter -c
How to setup a daily scan report?

pico /etc/cron.daily/rkhunter.sh

add the following replacing your email address:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)

chmod +x /etc/cron.daily/rkhunter.sh
I just got a false positive!! What do i do?

False positives are warnings which indicates there is a problem, but aren't really a problem. Example: some Linux distro updated a few common used binaries like `ls` and `ps`. You (as a good sysadmin) update the new packages and run (ofcourse) daily Rootkit Hunter. Rootkit Hunter isn't yet aware of these new files and while scanning it resports some "bad" files. In this case we have a false positive. You could always have your datacenter or a system administrator check out the server to verify that it is not compromised.

More information on rkhunter can be found here: http://www.rootkit.nl

Similar Articles : Compile 2.6.7, 2.6.8, 2.6.8.1, 2.6.9, 2.6.10, 2.6.11.6 Kernel w/module-init-tools, Rkhunter Installation, Detect and Clean a hacked server T0rnkit Tutorial, How to install KISS Firewall, How to Disable Telnet, How to install mod_security for Apache, How to install BFD (Brute Force Detection), How to install APF (Advanced Policy Firewall), E-mail Alert on Root SSH Login, Mask Your Web Server for Enhanced Security, Guide to Chkrootkit - checking for intruders, Creating a Welcome message for SSH logins, Disable Direct Root Login, RootCheck - Root Check, Changing APF log for TDP/UDP drop's