Install rkhunter

Overview

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

Instructions

1. Log into your Dedicated/VPS Server via SSH.

2. Type the follow commands:

wget http://sourceforge.net/projects/rkhunter/files/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz/download

3. Now unzip the archive:

tar -zxvf rkhunter-1.3.8.tar.gz

4. Then, change directory:

cd rkhunter-1.3.8

5. Run the installer:

./installer.sh

6. You can test the installation by typing this command. Note: If successful, this scan will take about 2 minutes to complete.

/usr/local/bin/rkhunter -c

Optional settings

After this, you may want to create a cron job to run on a daily basis. Use this shell script below:

#!/bin/bash
(/usr/local/bin/rkhunter -c --sk --nocolors --check | mail -s "Daily Rkhunter Scan Report" youremail [at] email [dot] com)

Simply replace the email address with your email. You can then create a cron job in the root tasks in Plesk or via ssh.

If you would like to get only warnings inside your email simply replace

--sk --nocolors --check

--cronjob --report-warnings-only

You can also check for software updates by adding

--update

You may want to run the update on a different cronjob maybe a weekly basis.…

Fixing time drift in the servers (syncing with time servers)

Sometime the clock in the system may shows some drift ( lagging or leading) in time.  We can fix this by adjusting the tick rate in the server.

1. Compare the system time with that of any timeserver. You can use any of  the following command for this.

root@localhost ~> rdate -p rdate.cpanel.net ;date

OR

root@localhost ~> rdate -p rdate.darkorb.net ;date

Here rdate prints the time in remote timeserver( rdate.cpanel.net or rdate.darkorb.net) and date will print the current system time.

2. To synchronize the time with remote server issue the following commands.

root@localhost ~> rdate -s rdate.cpanel.net ;date

OR

root@localhost ~> rdate -s rdate.darkorb.net ;date

3. Now set the hardware clock in the server. Execute the following command for this.

root@localhost ~> hwclock –systohc

4. Now execute the same command (step1) after one or two minutes and see the drift in time. Check whether it increases or decreases.

5. Find the current tick rate using the following command. By default this will be 10000. You can interpret this as  10000 ticks causes one second in the server.

root@localhost ~> tickadj
tick = 10000

6. If the the time drift increases positively you need to reduce the tick rate. You can adjust the tick rate using the following command.

root@localhost ~> tickadj 9995
tick = 9995

7. Continue the above steps until the issue resolved.

===============

Aliter

To fix the time drift issue, you can put a cronjob to sync the time with the time server.

Add the following entry in cronjob ( type crontab -e to edit cron jobs)

*/5 * * * * rdate -s rdate.cpanel.net;/sbin/hwclock -w >/dev/null 2>&1

OR

*/5 * * * * rdate -s rdate rdate.darkorb.net;/sbin/hwclock -w >/dev/null 2>&1…