Rootkit Hunter (rkhunter) is a tool for Unix-like systems that scans for rootkits, backdoors and local exploits. This post shows how to install and use rkhunter on RHEL, CentOS and Fedora.
On RHEL and CentOS, the RPMForge repository must be installed first:
RHEL / CentOS 7:
# yum install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
RHEL / CentOS 6 64 bit:
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
RHEL / CentOS 6 32 bit:
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.i686.rpm
Install Rootkit Hunter:
# yum install rkhunter
Once Rootkit Hunter is installed, update its databases first, just as you would with antivirus software. --update refreshes the data files, and --propupd records the current properties of system files as the baseline that later scans are compared against:
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
After the databases are updated, you can scan with Rootkit Hunter. Here is how to run a scan manually:
# rkhunter -c
When the scan completes, Rootkit Hunter writes the results to /var/log/rkhunter.log; check it for lines containing the string "Warning":
# grep Warning /var/log/rkhunter.log
Each "Warning" line marks a file that Rootkit Hunter considers suspicious.
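The scan-then-grep step above can be wrapped so that it runs unattended and fails loudly when warnings appear. The script below is an added example, not code from the original post or from the rkhunter project: the rk_* function names and the sample log are my own, and the log lines are constructed to resemble rkhunter output (only the "Warning" token is relied upon, matching the grep command above). The --check, --sk (skip keypress), --rwo (report warnings only) and --logfile options are real rkhunter flags; the scan is only attempted when rkhunter is actually installed, so the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example: non-interactive rkhunter scan plus a warning summary of its log.

# Constructed sample log excerpt (assumption: real rkhunter log lines vary by
# version; this script depends only on the literal word "Warning").
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
[12:00:01] Checking for prerequisites                   [ OK ]
[12:00:02] /usr/bin/ssh                                 [ OK ]
[12:00:03] Warning: The file '/usr/bin/ssh' has changed since the last --propupd
[12:00:04] Checking for hidden files and directories    [ Warning ]
[12:00:05] Warning: Hidden directory found: /dev/.udev
[12:00:06] System checks summary
EOF

# rk_warnings LOGFILE: print every line containing "Warning", the same filter
# as `grep Warning /var/log/rkhunter.log` in the post.
rk_warnings() {
    grep 'Warning' "$1"
}

# rk_warning_count LOGFILE: number of warning lines on stdout. grep -c exits 1
# when nothing matches but still prints 0, so the exit status is masked.
rk_warning_count() {
    grep -c 'Warning' "$1" || true
}

# rk_scan LOGFILE: run an unattended scan when rkhunter is present.
# --check runs the tests, --sk skips the "press enter" prompts, --rwo prints
# only warnings on the console, --logfile chooses where the full log goes.
rk_scan() {
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --sk --rwo --logfile "$1"
    else
        echo "rkhunter not installed; skipping scan" >&2
        return 0
    fi
}

# rk_report LOGFILE: list the warnings and return 1 if there are any, so a
# cron job or CI step can treat a non-clean scan as a failure.
rk_report() {
    count=$(rk_warning_count "$1")
    if [ "$count" -gt 0 ]; then
        echo "$count warning line(s) in $1:"
        rk_warnings "$1"
        return 1
    fi
    echo "no warnings in $1"
    return 0
}

# Stand-alone run: scan into the sample path if possible, then report on it.
# On a machine without rkhunter the constructed sample is what gets reported.
rk_scan "$SAMPLE_LOG"
rk_report "$SAMPLE_LOG" || true
```

On a real host, point rk_report at /var/log/rkhunter.log after a root-run scan; the grep also matches the "[ Warning ]" status column, which is why the sample yields three lines rather than two, and a stricter filter such as `grep '^.*Warning:'` would count only the explanatory lines.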