Even if you use Tripwire, you should realize that malicious attackers can still plant bad software on your system without your knowledge. In this article, you'll learn how to install and run three different antimalware applications that can help you keep your system free of malicious irritants that make users call you at the least convenient times: chkrootkit, rkhunter, and ClamAV.
Before attempting to repair a malware infection, switch to single user mode so that the malicious attacker won't be alerted to your activities or be able to cover their tracks.
chkrootkit
I've used good ol' chkrootkit
for years. Simply put, it scans important files in your system for rootkits. Rootkits are collections of malicious programs designed to compromise the root user account and keep access for an extended period of time. Rootkits are hard to detect and difficult to remove from a system. I've heard many sysadmins say that if your system is the victim of a rootkit, you should reimage (format and reinstall from media) it and restore all data from a clean backup.
[ More about chkrootkit ]
Yes, that's one solution, but have you ever reimaged a system and been able to bring it back to a state where it was prior to the infection? I never have. There's always something left off from the new system and it's always something "critical." I've spent countless hours chasing down legacy software, searching for old documentation, and begging the local software hoarder for media to reinstall some essential program that no one supports anymore and that we possibly never had a legitimate license for. I digress.
You can scan for many types of rootkits and detect certain log deletions using chkrootkit
. While it doesn't remove any infected files, it does specifically tell you which ones are infected, so that you can remove/reinstall/repair the file or package.
Follow the simple procedure below to download, install, and scan your system using chkrootkit
. Use sudo
or su
to root.
# yum update
# yum install wget gcc-c++ glibc-static
# wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar –zxvf chkrootkit.tar.gz
# mkdir /usr/local/chkrootkit
# mv chkrootkit-0.xx/* /usr/local/chkrootkit
# cd /usr/local/chkrootkit
# make sense
<< compile output >>
# /usr/local/chkrootkit/chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
<< more output >>
The chkrootkit
script reports on infected files. I've never had a false positive, but your experience might be different than mine. I install chkrootkit
on every Linux system that I manage. I also set up a cron
job that performs all the above steps, except installing the dependencies, so that I always have an updated collection. I also redirect the output to a file in my user account's home directory. You could optionally have the text report emailed to you at the end of the script.
The chkrootkit
script only takes a few seconds to scan and report, so using it is not time or effort-consuming.
rkhunter
The RootKit Hunter (rkhunter
)is a rootkit detection script that automates scanning for a lot of different rootkits and other local exploits. I love rkhunter
. I've used it for years, too. Unlike chkrootkit
, rkhunter
provides a full log of its findings at /var/log/rkhunter/rkhunter.log
. If you install and run only one malware scanning application, rkhunter
should probably be it. I'm too paranoid to run just one.
[ Learn more about rkhunter ]
Here's how to install and run rkhunter
on your system. Use sudo
or su
to root.
# yum -y install epel-release
# yum -y install rkhunter
# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
<< lots of output >>
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 129
Suspect files: 4
Rootkit checks...
Rootkits checked : 494
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 38 seconds
All results have been written to the log file: /var/log/rkhunter/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
The rkhunter
sometimes flags files that you've changed manually. Two of my four "suspect" files are passwd
and group
, both of which I changed manually. It also flags files that you deliberately or accidentally modify with touch
, vi
, or some other program that changes an original access or modified date. The other two files it identified as suspicious on my system were ifup
and ifdown
. I haven't figured out why yet, but I suspect that neither is a problem.
Check all flagged files even if you believe that you know what has happened.
ClamAV
From the ClamAV about page: ClamAV is an open source (GPL) anti-virus engine used in a variety of situations, including email scanning, web scanning, and endpoint security. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command-line scanner, and an advanced tool for automatic database updates.
[ Check out the ClamAV homepage ]
To install ClamAV, become root or sudo
the following commands:
# yum -y install clamav
# freshclam
ClamAV update process started at Fri Apr 3 17:21:48 2020
daily database available for download (remote version: 25772)
Time: 27.3s, ETA: 0.0s [=============================>] 57.90MiB/57.90MiB
Testing database: '/var/lib/clamav/tmp.63140/clamav-5feeeb4cb75d1c44dd7c48b836fe457c.tmp-daily.cvd' ...
<< output >>
# clamscan -r -i /
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0
<< Lots of output >>
----------- SCAN SUMMARY -----------
Known viruses: 6801836
Engine version: 0.102.2
Scanned directories: 13294
Scanned files: 64849
Infected files: 0
Total errors: 11295
Data scanned: 2668.46 MB
Data read: 2094.11 MB (ratio 1.27:1)
Time: 509.652 sec (8 m 29 s)
#
As you can see, scanning an entire system can take a few minutes, so it's easier to scan and redirect the output via cron
.
Wrapping up
My best suggestion is to schedule automatic updates and scans via cron
. You should also perform a preliminary scan as soon as you bring up a new system because this gives you a baseline. Scan after each update and software install. There's specific malware for all operating systems, so don't allow your personal prejudices to preclude you from doing what's right for your systems and your users. Be paranoid. Assume that no system is completely clean. And, while we're all at home for a while, wash your hands.
[ Want to test your sysadmin skills? Take a skills assessment today. ]
About the author
Ken has used Red Hat Linux since 1996 and has written ebooks, whitepapers, actual books, thousands of exam review questions, and hundreds of articles on open source and other topics. Ken also has 20+ years of experience as an enterprise sysadmin with Unix, Linux, Windows, and Virtualization.
Follow him on Twitter: @kenhess for a continuous feed of Sysadmin topics, film, and random rants.
In the evening after Ken replaces his red hat with his foil hat, he writes and makes films with varying degrees of success and acceptance. He is an award-winning filmmaker who constantly tries to convince everyone of his Renaissance Man status, also with varying degrees of success and acceptance.
More like this
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit