Subscribe to the feed

Even if you use Tripwire, you should realize that malicious attackers can still plant bad software on your system without your knowledge. In this article, you'll learn how to install and run three different antimalware applications that can help you keep your system free of malicious irritants that make users call you at the least convenient times: chkrootkit, rkhunter, and ClamAV.

Before attempting to repair a malware infection, switch to single user mode so that the malicious attacker won't be alerted to your activities or be able to cover their tracks.

chkrootkit

I've used good ol' chkrootkit for years. Simply put, it scans important files in your system for rootkits. Rootkits are collections of malicious programs designed to compromise the root user account and keep access for an extended period of time. Rootkits are hard to detect and difficult to remove from a system. I've heard many sysadmins say that if your system is the victim of a rootkit, you should reimage (format and reinstall from media) it and restore all data from a clean backup.

[ More about chkrootkit ]

Yes, that's one solution, but have you ever reimaged a system and been able to bring it back to a state where it was prior to the infection? I never have. There's always something left off from the new system and it's always something "critical." I've spent countless hours chasing down legacy software, searching for old documentation, and begging the local software hoarder for media to reinstall some essential program that no one supports anymore and that we possibly never had a legitimate license for. I digress.

You can scan for many types of rootkits and detect certain log deletions using chkrootkit. While it doesn't remove any infected files, it does specifically tell you which ones are infected, so that you can remove/reinstall/repair the file or package.

Follow the simple procedure below to download, install, and scan your system using chkrootkit. Use sudo or su to root.

# yum update
# yum install wget gcc-c++ glibc-static
# wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar –zxvf chkrootkit.tar.gz
# mkdir /usr/local/chkrootkit
# mv chkrootkit-0.xx/* /usr/local/chkrootkit
# cd /usr/local/chkrootkit
# make sense

<< compile output >>

# /usr/local/chkrootkit/chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
<< more output >>

The chkrootkit script reports on infected files. I've never had a false positive, but your experience might be different than mine. I install chkrootkit on every Linux system that I manage. I also set up a cron job that performs all the above steps, except installing the dependencies, so that I always have an updated collection. I also redirect the output to a file in my user account's home directory. You could optionally have the text report emailed to you at the end of the script.

The chkrootkit script only takes a few seconds to scan and report, so using it is not time or effort-consuming.

rkhunter

The RootKit Hunter (rkhunter)is a rootkit detection script that automates scanning for a lot of different rootkits and other local exploits. I love rkhunter. I've used it for years, too. Unlike chkrootkit, rkhunter provides a full log of its findings at /var/log/rkhunter/rkhunter.log. If you install and run only one malware scanning application, rkhunter should probably be it. I'm too paranoid to run just one.

[ Learn more about rkhunter ]

Here's how to install and run rkhunter on your system. Use sudo or su to root.

# yum -y install epel-release
# yum -y install rkhunter

# rkhunter -c

[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

<< lots of output >>


System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 129
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 494
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 38 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

The rkhunter sometimes flags files that you've changed manually. Two of my four "suspect" files are passwd and group, both of which I changed manually. It also flags files that you deliberately or accidentally modify with touch, vi, or some other program that changes an original access or modified date. The other two files it identified as suspicious on my system were ifup and ifdown. I haven't figured out why yet, but I suspect that neither is a problem.

Check all flagged files even if you believe that you know what has happened.

ClamAV

From the ClamAV about page: ClamAV is an open source (GPL) anti-virus engine used in a variety of situations, including email scanning, web scanning, and endpoint security. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command-line scanner, and an advanced tool for automatic database updates.

[ Check out the ClamAV homepage ]

To install ClamAV, become root or sudo the following commands:

# yum -y install clamav

# freshclam

ClamAV update process started at Fri Apr  3 17:21:48 2020
daily database available for download (remote version: 25772)
Time: 27.3s, ETA: 0.0s [=============================>] 57.90MiB/57.90MiB        
Testing database: '/var/lib/clamav/tmp.63140/clamav-5feeeb4cb75d1c44dd7c48b836fe457c.tmp-daily.cvd' ...

<< output >>

# clamscan -r -i /

LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0

<< Lots of output >>

----------- SCAN SUMMARY -----------
Known viruses: 6801836
Engine version: 0.102.2
Scanned directories: 13294
Scanned files: 64849
Infected files: 0
Total errors: 11295
Data scanned: 2668.46 MB
Data read: 2094.11 MB (ratio 1.27:1)
Time: 509.652 sec (8 m 29 s)
# 

As you can see, scanning an entire system can take a few minutes, so it's easier to scan and redirect the output via cron.

Wrapping up

My best suggestion is to schedule automatic updates and scans via cron. You should also perform a preliminary scan as soon as you bring up a new system because this gives you a baseline. Scan after each update and software install. There's specific malware for all operating systems, so don't allow your personal prejudices to preclude you from doing what's right for your systems and your users. Be paranoid. Assume that no system is completely clean. And, while we're all at home for a while, wash your hands.

[ Want to test your sysadmin skills? Take a skills assessment today. ]


About the author

Ken has used Red Hat Linux since 1996 and has written ebooks, whitepapers, actual books, thousands of exam review questions, and hundreds of articles on open source and other topics. Ken also has 20+ years of experience as an enterprise sysadmin with Unix, Linux, Windows, and Virtualization.

Follow him on Twitter: @kenhess for a continuous feed of Sysadmin topics, film, and random rants.

In the evening after Ken replaces his red hat with his foil hat, he writes and makes films with varying degrees of success and acceptance. He is an award-winning filmmaker who constantly tries to convince everyone of his Renaissance Man status, also with varying degrees of success and acceptance.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech