RootKit Hunter (rkhunter) tips

Missing Kernel modules warning

For those of you getting the following warning on Debian systems:

Warning: The kernel modules directory '/lib/modules' is missing or empty.

This is because your kernel supports loadable modules but there are none actually installed on the system, so rkhunter thinks there MAY be a problem. To get rid of the warning, simply edit /etc/rkhunter.conf and change:

DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"

to include “avail_modules”:

DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps avail_modules"

all done. enjoy one less warning. ;)
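The edit above is easy to do by hand, but on a fleet it tends to be scripted, and a naive `sed` appends the test name again on every run. The following shell functions are an added example (not from this wiki page or from the rkhunter project) that add a test name to `DISABLE_TESTS` only if it is not already listed, and also handle an empty `DISABLE_TESTS=""` line or a file with no such line at all. The function names are this example's own, and the config path is passed in rather than assumed. Before silencing `avail_modules` it is worth confirming with `ls -la /lib/modules` that the directory really is empty, since the test exists to catch a directory that went missing unexpectedly.

```shell
# Added example, not rkhunter's own code: idempotently add a test name to the
# DISABLE_TESTS="..." line of an rkhunter.conf-style file.
#   add_disabled_test /etc/rkhunter.conf avail_modules
add_disabled_test() {
    conf="$1"
    test_name="$2"

    # Already listed (as a whole word inside the quotes): nothing to do, so
    # re-running a provisioning script never duplicates the name.
    if grep -Eq "^DISABLE_TESTS=\"([^\"]* )?${test_name}( [^\"]*)?\"" "$conf"; then
        return 0
    fi

    # No DISABLE_TESTS line at all: add one.
    if ! grep -q '^DISABLE_TESTS="' "$conf"; then
        printf 'DISABLE_TESTS="%s"\n' "$test_name" >> "$conf"
        return 0
    fi

    # Append the name inside the existing quotes; the empty-list case gets no
    # leading space. Written via a temp file so it also works without GNU sed -i.
    tmp="${conf}.tmp.$$"
    awk -v t="$test_name" '
        /^DISABLE_TESTS="/ && !done {
            sub(/"[ \t]*$/, "")                  # drop the closing quote
            if ($0 == "DISABLE_TESTS=\"") print $0 t "\""
            else                          print $0 " " t "\""
            done = 1
            next
        }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the contents of the DISABLE_TESTS quotes (handy for checking the result).
disabled_tests() {
    sed -n 's/^DISABLE_TESTS="\([^"]*\)".*/\1/p' "$1"
}
```

After changing the file, `rkhunter -C` (the built-in config check) will tell you if the edited line is something rkhunter still accepts.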

What to do about hidden processes

If the processes are truly hidden, then yes it's probably something you should worry about. But it's possible that you've got a false positive situation.

When rkhunter runs an audit and tells you that there are hidden processes, try to cd to the /proc/<pid> directory for the process (where <pid> is one of the process ID numbers output by rkhunter). If you can't cd into the directory, then the process isn't really hidden: it was just in the middle of exiting when the rkhunter check ran, rkhunter got confused, and you probably have nothing to worry about.

If you do manage to cd into the /proc/<pid> directory, then it's likely you have a problem. Interesting things to do once you're in the /proc/<pid> directory include:

  • cat cmdline: gives you the command line the process is running under (the arguments are NUL-separated, so they run together on screen)

  • sudo cat environ | perl -pe 's/\000/\n/g': gets you the environment variable settings for the process, one per line

  • sudo ls -l fd: shows you what files the process currently has open

  • sudo ls -l cwd: shows you the current working directory of the process (which could be interesting if the process was started by the attacker from their rootkit installation directory)

There's plenty of other cool stuff you can do with the various bits of information under /proc, but the above should be enough to help you figure out what the process(es) are doing and how much trouble you're in.
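The checks above can be wrapped into a small triage script so that the "is /proc/<pid> still there?" question and the four lookups are answered in one go, with the NUL separators in cmdline and environ already converted. This is an added example, not code from this page or from rkhunter; the function names are its own, and `PROC_ROOT` is a parameter only so the functions can be exercised against a constructed /proc-like directory tree (it defaults to the real /proc). Run it as root, or via sudo, for processes you do not own, since environ and fd are only readable by the owner.

```shell
# Added example, not part of the original page: triage a PID that rkhunter
# reported as hidden. PROC_ROOT defaults to /proc; override it only for testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# 0 if /proc/<pid> exists, 1 if it is gone (process exited during the scan)
proc_present() {
    [ -d "$PROC_ROOT/$1" ]
}

# Command line with NUL separators turned into spaces (kernel threads are empty)
proc_cmdline() {
    tr '\000' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'
}

# Environment, one VAR=value per line (same idea as the perl one-liner above)
proc_environ() {
    tr '\000' '\n' < "$PROC_ROOT/$1/environ"
}

# Target of the cwd symlink
proc_cwd() {
    readlink "$PROC_ROOT/$1/cwd"
}

# Open file descriptors as "fd -> target", one per line
proc_fds() {
    for fd in "$PROC_ROOT/$1"/fd/*; do
        [ -e "$fd" ] || [ -L "$fd" ] || continue     # no fds at all: glob unexpanded
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# Full triage report; returns 1 when the pid is already gone (likely false positive)
triage_pid() {
    pid="$1"
    if ! proc_present "$pid"; then
        echo "pid $pid: no $PROC_ROOT/$pid entry; most likely exited mid-scan (false positive)"
        return 1
    fi
    echo "pid $pid: $PROC_ROOT/$pid exists; inspect further"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "cwd:     $(proc_cwd "$pid")"
    echo "environ:"
    proc_environ "$pid" | sed 's/^/  /'
    echo "open fds:"
    proc_fds "$pid" | sed 's/^/  /'
    # A cwd under a temp directory or a dot directory is worth a closer look,
    # as the page notes for processes started from a rootkit's install directory.
    case "$(proc_cwd "$pid")" in
        /tmp/*|/var/tmp/*|/dev/shm/*|*/.*) echo "note: cwd is in a temp or dot directory" ;;
    esac
    return 0
}

# Usage: triage_pid 1234
```

The exit status of `triage_pid` mirrors the page's rule of thumb: 1 means the /proc entry is gone and the report was probably a race with an exiting process, 0 means the entry is real and the printed details deserve a look.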

/var/customers/webs/cw01/wiki/data/pages/security/rkhunter.txt · Last modified: 2011/06/28 08:26 by wadmin
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported