Internet-connected servers are subject to constant attacks every day. If a firewall and an upgraded system are the first rules for a secure system, it shouldn’t also be avoided checking regularly against a possible intrusion. The tools described in this short guide are designed to check for malware, rootkits, and viruses on the server. It is recommended to run them regularly (every night at a certain time) and send the result by email.
Chkrootkit and Lynis (formerly Rkhunter) can be used to scan the system when we detect activity that does not seem right, such as overloading the server, suspicious processes, or when the server has started to send spam out of the blue.
All of these tools require connection as a root user. Before proceeding, log in as root; if you are connected through SSH with a regular user, run the sudo su command to become root.
chkrootkit – Linux scanner for rootkit
Chkrootkit is a classic scanner for rootkits detection. It checks your server to detect rootkit-triggered suspicious processes and also search for known rootkit files.
On Ubuntu or Debian servers, you can install from the software repository by running the command:
apt-get install chkrootkit
To begin checking the server with chkrootkit, run the command:
A false-positive report is:
Checking ‘bindshell’… INFECTED (PORTS: 465)
You do not have to worry, because this message appears on email servers, 465 being the SMTPS (Secure SMTP) port for sending emails. As I said, it is a known positive false report.
Another false-positive report is:
Searching for Suckit rootkit … Warning: /sbin/init INFECTED
To add chkrootkit to the cron, we need to check the place where it is installed first. Run command:
root@s1:/home/user# which chkrootkit
Note that Chkrootkit is installed in /usr/sbin/chkrootkit.
To create the cron task:
0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s “running chkrootkit result” firstname.lastname@example.org
This task will run every night at 3:00. Change the chkrootkit address with the one that resulted from the command which chkrootkit and enter your email address to get the result.
Lynis – Universal security audit tool and rootkit scanner
Lynis (formerly rkhunter) is a security audit tool for Linux and BSD. It performs detailed verification of many aspects of security and various system configurations. We will download the latest versions from https://cisofy.com/download/lynis/:
tar xvfz lynis-2.1.1.tar.gz
mv lynis /usr/local/
ln -s /usr/local/lynis/lynis /usr/local/bin/lynis
With the above commands we will install Lynis into /usr/local/lynis and create a symbolic link for easier access. Now we run the following order to see if we have the latest version:
lynis update info
Now we will scan the rootkit detection system by running the command:
lynis audit system
Lynis will do a few checks and then stop to let you read the results. Press [ENTER] to continue scanning or [CTRL] + C to stop:
At the end we’ll get a scan summary.
To run Lynis as an automatic task by night, we will add a cron job:
0 3 * * * /usr/local/bin/lynis --quick 2>&1 | mail -s "running lynis result" email@example.com
It will run every night at 03:00 and send the report by email.