Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script

Googling confirmed that this error was normal on Ubuntu systems, but I found no solution. Fortunately the solution was simple, simply editing /etc/rkhunter.conf and adding the following line at the appropriate place:

SCRIPTWHITELIST=/usr/bin/unhide.rb

1. Check for existing infection
2. Protect against future infection

If you are unsure what a Rootkit is, then please read the Rootkit Wikipedia page before continuing.

Warning

This is how I checked and protected against rootkits and is not how I would recommend that anyone else should do so.

Step 1: rkhunter

I suggest you visit the rkhunter website at: http://rkhunter.sourceforge.net/

$ sudo apt-get install rkhunter
$ sudo rkhunter --upgrade
$ sudo rkhunter --checkall --createlogfile

Read the output and take corrective action as required.

Step 2: chkrootkit

I suggest you visit the chkrootkit website at:

• http://www.chkrootkit.org

In particular, the FAQS would suggest that you shouldn’t trust the chkrootkit to use the commands on your system, bearing in mind that you suspect that they might be compromised; I chose not to take this additional precaution - you should make your decision based on the exposure of your server to the Internet and your assessment of the likelihood of your having a rootkit.

$ sudo apt-get install chkrootkit
$ sudo chkrootkit

Step 4: tripwire

• http://sourceforge.net/projects/tripwire/

Tripwire creates a database of your system files and then tracks any changes to them.

$ sudo apt-get install tripwire

Follow all the prompts, which will require you to create a Site Key Pass-phrase and a Local key Pass-phrase. Next we need to create the database:

$ sudo tripwire --init
Wrote database file: /var/lib/tripwire/hostname.domain.com.twd
The database was successfully generated.

Next we run a first check:

$ sudo tripwire --check

This will doubtless come back with far more information than you really want. For example I received loads of lines about “/proc/PIDNO/”.

References

• Implementing Tripwire
• Howto Linux - Tripwire

A better way

• Combining AIDE and Tripwire

• Why Linux?.

If you are determined to run Windows, then read on!

Secure your network

A recent study found that an unpatched Windows PC connected to the Internet without a firewall, lasted just four minutes.

Use a hardware firewall

Various studies concluded that so called Personal Firewall software is flawed in concept. Read more about it on Wikipedia, including some of the criticisms:

• Personal Firewall

The good news is that combined modem, router, network switch and Wireless access point can be purchased for less than £50. Linksys and Draytek have a great reputation, and I personally have had no problems with Netgear. Just try and get a personal recommendation, and ensure that it does have a built-in firewall.

Encrypt your Wireless

Often people don’t bother encrypting their wireless network. I believe this is often based on the incorrect assumption that the worst that will happen is that someone will be able to use your broadband for free. The real reason to encrypt your wireless, is because anyone on your wireless network is inside your network, and can thus browse the file-shares on your computer and potentially exploit your machines. The fact that they have bypassed your firewall is a big advantage to them.

Avoid WEP encryption, which can be cracked, and instead opt for WPA encryption.

Secure your PC

Don’t run as administrator

Most Windows users run either as “administrator” or with an account that has administrator rights. This gives any virus that you run full rights to do whatever they want on your PC. Instead you should run as a limited-user account and only login as administrator when you need to, or use the Run as administrator option.

Read more about this subject:

• http://windows.about.com/od/security/a/why_limited.htm

If you have teenage children, it is a good idea to create user accounts for them and restrict them to limited-user rights.

Keep your PC updated

You must use the Windows updater to keep your PC updated with critical updates. If you are running anything older than Windows XP SP2, then consider upgrading, or better still consider changing to Linux.

• Why Linux?

Install anti-virus software

I would avoid all the free trials that come with a new PC, and I would avoid Norton - which will have devastating effect on your PC. Instead I would have a look at the following:

• AVG Free Edition
• Avast Home Edition
• AntiVir Personal Edition

I have only personally tried AVG, but understand that the others are also good.

Install anti-spyware software

Microsoft Defender is now included in Microsoft Vista, and is available for install for Windows XP and this is a logical choice.

• Microsoft Defender
• Spybot - Search & Destroy
• Ad-Aware

I have personally used all of these programs without issue.

If you have already installed some anti-spyware program, make sure it’s not a rogue:

• Spyware Warrior: Rogue Anti-Spyware

Avoid Internet Explorer

Use Mozilla Firefox instead of Internet Explorer. Only use Internet Explorer for those sites that you trust implicitly.

Be cautious

• Do not open email attachments unless you know the sender and are expecting the attachment
• Do not click on hyperlinks in emails (they’re as dangerous as attachments)
• Do not visit dubious websites
• Never follow links in pop-ups
• Delete any chain e-mails or unwanted messages without forwarding
• Don’t reply to junk emails, nor follow links to remove yourself from their database, often all you are doing is confirming that your email address is valid
• When installing software, read every step thoroughly to ensure that you do not install additional software without realising it

Further Reading

• Why Linux?
• Windows XP - Surviving the first day