Most people think that there are no viruses on Linux, and they are right about some things. After all, malicious programs that spread through a system on their own and then infect other computers on the network do exist for Linux, but those known to the general public can be counted on the fingers of one hand. There is, however, another type of threat that is more typical for Linux: rootkits, programs that are installed by hand and hide their activity on the system.
Such programs can give the person who installed them full access to your system, its computing resources and your data. This danger should not be underestimated. If your computer is connected to the Internet directly, without a local network (router) and without NAT, anyone on your ISP's network can reach it. They do not even need to know your IP address: an attacker can simply walk through all the addresses in his subnet, and if your computer or server has the weakness he is looking for, such as a weak ssh password, a vulnerability in a system service, or a misconfiguration, it will be compromised.
Check Linux for viruses
To see whether anyone has connected to your computer, look at the contents of /var/log/audit.log or /var/log/secure:
tail -f /var/log/secure
All system events are logged here, including unsuccessful ssh login attempts. I was surprised to see that my password had been tried. You can also view the log of the sshd service with journalctl:
sudo journalctl _SYSTEMD_UNIT=sshd.service
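To make the log check concrete, here is an added shell example that is not from the original article: it summarises failed SSH login attempts per source address from a syslog-style auth log (the format of /var/log/secure on CentOS and /var/log/auth.log on Debian/Ubuntu), lists the non-existent usernames that were tried, and prints the accepted logins so a successful login from an address that was also guessing passwords stands out. The log lines are constructed for the demo, and the function names failed_logins_by_ip, failed_count, invalid_users and accepted_logins are my own.

```sh
#!/bin/sh
# Added example: summarise failed SSH logins from a syslog-style auth log.
# The lines below are constructed for the demo; they are not real log data.
# To use a real log, pass /var/log/secure (or /var/log/auth.log) instead of $SAMPLE_LOG.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:05:44 host sshd[2122]: Failed password for invalid user oracle from 203.0.113.9 port 60001 ssh2
Mar  3 10:05:50 host sshd[2122]: Failed password for alice from 203.0.113.9 port 60001 ssh2
EOF

# Print "count ip" for every source address with failed password attempts,
# most active first.  Usage: failed_logins_by_ip LOGFILE
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Number of failed attempts from one address (0 if none).  Usage: failed_count LOGFILE IP
failed_count() {
    failed_logins_by_ip "$1" \
        | awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Usernames that do not exist on the system but were tried anyway
# ("invalid user" in the log): a typical sign of a password-guessing sweep.
invalid_users() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from.*/\1/p' "$1" | sort -u
}

# Successful logins as "user ip method", to compare against the guessing addresses.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) .*/\2 \3 \1/p'
}

echo "== failed attempts per address =="
failed_logins_by_ip "$SAMPLE_LOG"
echo "== invalid users tried =="
invalid_users "$SAMPLE_LOG"
echo "== accepted logins =="
accepted_logins "$SAMPLE_LOG"
```

The same functions work on a real log file; a count in the hundreds from one address is the password-guessing sweep described above, and an accepted login from such an address is the case worth investigating first.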
And if a hacker gains access to your system, he already has many options: all the vulnerabilities in the system libraries and kernel come into play and can be used to bypass Linux security mechanisms and escalate privileges. It is therefore not superfluous to keep your software up to date, since new releases have most likely already closed known vulnerabilities, and to check your computer for rootkits from time to time with a dedicated program. In this article we will see how to check your computer for viruses in Linux.
To find rootkits we will use the rkhunter (Rootkit Hunter) utility as well as chkrootkit. We will see how to install them and configure them to check correctly. In general I am more inclined to the first one, it is newer and has more features.
Virus Search with RkHunter
RkHunter (Rootkit Hunter) is an open-source Linux/Unix scanning tool released under the GPL license. It scans Linux for rootkits, backdoors, local exploits and vulnerabilities. At the moment, 349 rootkits are known to it, and all of them can be found if they were installed on your system. The program is just a script that checks local files and detects known rootkits. It also checks for changes in system commands and startup files, and inspects network interfaces to see whether certain ports are being listened on.
You can install the program in Ubuntu by command:
sudo apt install rkhunter
In CentOS, execute this command:
sudo yum install rkhunter
If you have a different distribution, you can always download the installation script from SourceForge:
cd /tmp
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar -xvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
Before scanning Linux for viruses, the utility's database must be updated. To do so, run the update procedure:
Now the program needs to collect information about the files on the system, so that on the next check it can tell whether anyone has tried to modify system files. To do this, run:
It is desirable to update regularly, so let's create a special script and run it with cron every day. To do this, create a script file in /etc/cron.daily:
vi /etc/cron.daily/rkhunter.sh

#!/bin/sh
# rkhunter lives in /usr/local/bin when installed with the SourceForge
# installer shown above; a distribution package installs it as /usr/bin/rkhunter
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (your server)' firstname.lastname@example.org
Here we perform a version check and a database update, and the last line runs the check and sends the notification to you by email. For this to work, replace the example address (firstname.lastname@example.org) with your own email address.
Now all that remains is to give the script execution rights:
chmod 755 /etc/cron.daily/rkhunter.sh
That takes care of the installation. Now let's look at the main options of the program, those we have already used or that you might need:
- --verbose-logging – maximum detailed output
- --quiet – minimum information in the output
- -l, --logfile – write the program log to a file of your choice
- --cronjob – non-interactive checking mode, used to run from cron, hence the name
- --list – shows what the program holds; it takes one of several arguments: tests (the tests), langs (languages), rootkits (the rootkits)
- --unlock – removes the database lock file, useful if the previous run of the program was terminated incorrectly
- --check – system check
- --update – update the rootkit databases
- --versioncheck – check for a new program version
- --propupd – create the file properties database
For example, to see all the rootkits that a program can find, run:
sudo rkhunter --list rootkits
To check the whole Linux system for viruses, run the check as the superuser:
In addition to displaying the information on the screen, the program writes a check log. Do not pay much attention to the information displayed during the check, it is abbreviated; things become clearer when you read the log.
Unfortunately, the program works only in English, so to understand the state of your system you will have to understand a little English.
To help you understand what the program does and how to analyze its results, let’s take a look at the scan log.
First the program initializes and loads its configuration files; there is nothing interesting here. Note that we are looking at the system check log; the update and database creation logs are higher up in the same file, and we are not interested in them. The system check starts with these lines:
The program scans system utilities and tries to identify suspicious features in them, including comparing each utility's hash with the hash stored in the database to see whether it has been modified. Usually, if everything is fine with the utilities, the log is filled with lines like these:
File properties are also checked; for example, if a file should be a binary but is actually a script, that is not okay:
When a suspicious file is detected, the program immediately explains the problem. This may be a false positive, but you should check these files, or you can reinstall the packages they belong to.
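As an added illustration of what the file-properties check does, the following shell script is my own and not rkhunter's code: it builds a small baseline of hash, permission bits, owner and size for every file in a directory (what --propupd does for the whole system) and later reports files that changed, appeared or disappeared (the --check side), which is exactly how a replaced system utility is caught. It assumes GNU coreutils (sha256sum, stat -c) and paths without spaces; the demo directory with its fake ls, ps and netstat binaries is constructed on the fly, and prop_baseline and prop_check are assumed names.

```sh
#!/bin/sh
# Added example (not rkhunter's code): a minimal file-properties database.
# Each baseline line is "sha256 mode owner size path".
# Assumes GNU coreutils (sha256sum, stat -c) and paths without spaces.

# Record the properties of every regular file under DIR into DBFILE.
# Usage: prop_baseline DIR DBFILE
prop_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a %U %s' "$f")" "$f"
    done > "$2"
}

# Compare the current state of DIR against DBFILE.  Prints one line per difference:
#   CHANGED path   hash, mode, owner or size differs from the baseline
#   NEW path       file not in the baseline
#   MISSING path   file in the baseline but no longer on disk
# Returns 0 when nothing differs, 1 otherwise.  Usage: prop_check DIR DBFILE
prop_check() {
    current=$(mktemp)
    prop_baseline "$1" "$current"
    diffs=$(awk '
        # first file: the baseline, keyed by path
        FILENAME == ARGV[1] { base[$5] = $1 " " $2 " " $3 " " $4; next }
        # second file: the current state
        {
            now = $1 " " $2 " " $3 " " $4
            if (!($5 in base)) print "NEW " $5
            else if (base[$5] != now) print "CHANGED " $5
            seen[$5] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed demo: a fake bin directory standing in for /bin.
DEMO=$(mktemp -d)
DB="$DEMO.db"
mkdir -p "$DEMO/bin"
printf 'echo ok\n' > "$DEMO/bin/ls"
printf 'echo ok\n' > "$DEMO/bin/ps"
chmod 755 "$DEMO/bin/ls" "$DEMO/bin/ps"
prop_baseline "$DEMO/bin" "$DB"      # the equivalent of rkhunter --propupd

# Simulate what a rootkit install leaves behind: a replaced ps, a permission
# change on ls, and a new file that was never in the baseline.
printf 'echo tampered\n' > "$DEMO/bin/ps"
chmod 700 "$DEMO/bin/ls"
printf '' > "$DEMO/bin/netstat"
prop_check "$DEMO/bin" "$DB" || echo "integrity check failed"   # the --check side
```

After a legitimate package update the same files will also show up as CHANGED, which is why the text above tells you to re-run --propupd once you have confirmed that the changes are expected; the demo's prop_baseline call does the same job here.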
Next, the Linux virus check continues with a search for known rootkits:
Usually, if something is found in this section, it means there is a rootkit on the system and something must be done about it, but normally we just see the lines Not found:
Next, the search for unwanted software will start:
Checking for dangerous ports:
At the stage of checking the configuration files, we also get a warning:
But here you can see that the problem is not a virus but the fact that the program simply has nothing to compare against.
Next, the system settings are checked, and here too the program is not happy with everything:
Namely, two things: root login over ssh is permitted, and version 1 of the ssh protocol may be used to connect. And it is right, this is very insecure.
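To check those two sshd settings outside of rkhunter, here is an added shell example of my own (not from the article): it reads the effective value of a keyword from an sshd_config the way sshd does (the first occurrence wins, keywords are case-insensitive, # lines are comments; Match blocks are not handled) and flags PermitRootLogin and Protocol, showing the weak configuration the program complained about beside the corrected one. The two config files are constructed samples, and sshd_value and audit_sshd are assumed names.

```sh
#!/bin/sh
# Added example (not part of rkhunter): audit sshd_config for root login over
# ssh and for SSH protocol version 1.  Sample configs are constructed below.

# Effective value of KEYWORD in CONFIG: sshd uses the first occurrence, keywords
# are case-insensitive, and '#' lines are comments.  Prints nothing when unset.
# Usage: sshd_value CONFIG KEYWORD
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one WARNING line per finding; return 1 if there were any.
# Usage: audit_sshd CONFIG
audit_sshd() {
    findings=0
    root=$(sshd_value "$1" PermitRootLogin)
    case "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password) ;;
        "") echo "WARNING: PermitRootLogin not set explicitly; OpenSSH before 7.0 defaults to yes"
            findings=$((findings + 1)) ;;
        *)  echo "WARNING: PermitRootLogin is '$root'; set it to no"
            findings=$((findings + 1)) ;;
    esac
    proto=$(sshd_value "$1" Protocol)
    case "$proto" in
        *1*) echo "WARNING: Protocol '$proto' allows SSH-1; use 'Protocol 2' or drop the line"
             findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed samples: the settings rkhunter warned about, and the corrected file.
WEAK=$(mktemp)
SAFE=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed sample: weak settings
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$SAFE" <<'EOF'
# constructed sample: corrected settings
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak sshd_config =="
audit_sshd "$WEAK" || echo "(fix /etc/ssh/sshd_config and reload sshd)"
echo "== corrected sshd_config =="
audit_sshd "$SAFE" && echo "no findings"
```

Run it against /etc/ssh/sshd_config to reproduce the two warnings from the log on your own machine; the non-zero exit status makes the check usable from the daily cron script shown above.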
Next, we will scan the file system:
Some hidden files were found, but they all appear legitimate. You can find out which program works with a particular file using the lsof command:
sudo lsof | grep /path/to/file
It remains to check the applications:
[12:16:25] Info: Starting test name 'apps'.
[12:16:25] Checking application versions.
And a small report on the problems found:
To make the log easier to read, you need not look through all of it; instead select only the warnings:
sudo grep -A5 "\[ Warning \]" /var/log/rkhunter.log
The -A5 parameter means show five more lines after each matching line, so we won't miss anything.
Now let's have a look at another program that can be used to check Linux for rootkits: chkrootkit. It has fewer features, but it also does a good job.