Commit c459dfa4 authored by Francois Marier's avatar Francois Marier

Imported Upstream version 1.4.2

parent 1831d457
......@@ -27,9 +27,11 @@ baddcarma ProFTPd 1.3.0 on SuSE 10.0
linux_fqh Chinese translations
Ryan Beckett For IRIX support
Marc Becker German translation
Mark Dominik Bürkle German translation (updated)
Julien Valroff Bug reports, ideas and fixes
Dick Gevers For packaging and hosting skdet
Jan Iven Bug reports, ideas and fixes
CaPaCuL Turkish translations
And thanks to all others who contributed to Rootkit Hunter:
This diff is collapsed.
......@@ -198,18 +198,18 @@ A. Prior to any incident it is recommended that you have read
If you have a warning from another part of the checks, then
please subscribe first and then email the rkhunter-users mailing list
and tell us about your system configuration:
the purpose of the server (for example, web server, intranet
fileserver, shell server);
the (aproximate) date of the incident and when you found out;
the running distribution name, release and kernel version;
whether any passwd/shadow file data has changed;
any anomalies you find from reading the system, daemon, IDS
and firewall logs;
if all the installed software was recently updated;
what services are or were running at the time;
if you found setuid root files in directories for temporary
any anomalies you find from reading user shell histories.
The purpose of the server
(for example: web server, intranet fileserver, shell server);
The (approximate) date of the incident and when you found out;
The running distribution name, release and kernel version;
Whether any passwd or shadow file data has changed;
Any anomalies you find from reading the system, daemon, IDS
and firewall logs;
If all the installed software was recently updated;
What services are or were running at the time;
If you found setuid root files in directories for temporary
Any anomalies you find from reading user shell histories.
If your system is infected with a rootkit, cleaning it up is
not an option. Restoring is also not an option unless you are
......@@ -363,10 +363,8 @@ A. See the README file for information about the test names.
3.5) Can rkhunter handle filenames with spaces in them?
A. Generally no. Within the tests the space character is typically
used to delimit command output fields. Some tests will work, but
others will not. Additionally some tests will not like filenames
with the colon (:) character in them either.
A. Generally yes. Some tests still may not like filenames
with the colon (:) character in them though.
3.6) What does the following warning mean:
......@@ -522,9 +520,10 @@ A. You have a choice:
PHP Warning: Function registration failed - duplicate name
- pg_update in Unknown on line 0. What does this mean?
A. This is usually because you have updated the Apache version
of PHP, but forgot to update/recompile the CLI (console
version) of PHP. So recompile/update it and try again.
A. This may occur during the 'apps' test. It is usually because
you have updated the Apache version of PHP, but forgot to
update or recompile the CLI (console version) of PHP. So
update or recompile it, and then try again.
4.4) After performing some updates, all, or some, binaries in the
......@@ -578,8 +577,8 @@ A. The first thing would be to verify that the update is the cause
A. Usually you install a tool and upgrade it later. Sometimes
if you use a 'non-official' updater or package manager
(for example, from an external party, or a build from source
using an installer like RPM/DEB/TGZ), the binaries may be
(for example, from an external party, or build from source
using an installer like RPM/DEB/TGZ/TXZ), the binaries may be
installed into a different location from the original. So there
are then two binaries with the same name, but in different
locations. You will have to check which are the old binaries,
......@@ -2,7 +2,7 @@
Copyright (c) 2003-2012, Michael Boelen
Copyright (c) 2003-2014, Michael Boelen
See the LICENSE file for conditions of use and distribution.
It is recommended that all users of RootKit Hunter (RKH) join the
......@@ -62,8 +62,8 @@ ROOTKIT HUNTER INSTALLATION
Unpacking the tar file should produce a single directory called
'rkhunter-<version>'. Where '<version>' is the version number of rkhunter
being installed. For example, the rkhunter-1.3.6.tar.gz tar file will produce
the 'rkhunter-1.3.6' directory when unpacked. Within this directory is the
being installed. For example, the rkhunter-1.4.0.tar.gz tar file will produce
the 'rkhunter-1.4.0' directory when unpacked. Within this directory is the
installation script called ''.
To perform a default installation of RKH simply unpack the tarball and,
......@@ -91,13 +91,19 @@ you chose using the '--layout' switch. You can either edit the main
configuration file itself, or create a 'local' configuration file
for your own settings. This file, which must be called
'rkhunter.conf.local', must reside in the same directory as the main
configuration file. You should edit either, or both, of these files
according to your own system requirements. If the installer
encounters an existing 'rkhunter.conf' file, it will not be overwritten.
Instead the installer creates a new configuration file, but with a
unique number as its suffix. Please inspect the new configuration file
and copy over any changes to the existing main configuration file, or
to your local configuration file.
configuration file. Alternatively you can create a directory, named
'rkhunter.d', in the same directory as the main configuration file.
Within 'rkhunter.d' you can then create further configuration files.
The only restriction is that the file names end in '.conf'.
You should edit the configuration file(s) according to your own
system requirements.
If the installer encounters an existing 'rkhunter.conf' file, it will
not be overwritten. Instead the installer creates a new configuration
file, but with a unique number as its suffix. Please inspect the new
configuration file, and copy over any changes to the existing main
configuration file or to your local configuration file(s).
The main RKH script will be installed into the '/usr/local/bin'
directory or where you chose using the '--layout' switch. Man pages will
......@@ -133,6 +139,8 @@ To see what other options can be used with rkhunter, enter:
rkhunter --help
or see the 'rkhunter' man page.
NOTE: The first run of 'rkhunter' after installation may give some
warning messages. Please see the FAQ file and the rkhunter mailing
......@@ -156,7 +164,7 @@ It is then necessary to change to the 'files' directory:
Within the directory will be a copy of the 'rkhunter.conf' configuration
file. You can modify this file according to your requirements if you
wish, but note the installer has already set the necessary variables.
To run RKH, as root simply enter the following command:
......@@ -193,7 +201,7 @@ way is to use the 'tar' command, such as:
Obviously, for official releases, you will need to use the correct tarball
name. For example:
tar xzf rkhunter-1.3.6.tar.gz
tar xzf rkhunter-1.4.0.tar.gz
For users of systems with alternative implementations of 'tar', for example
Solaris users, you may need to break the extraction process into two steps
......@@ -212,7 +220,7 @@ rkhunter files. The sub-directory name will contain the rkhunter version
number, or, for CVS tarballs, it will simply be called 'rkhunter'.
Change into this directory:
cd rkhunter-1.3.6 (for an official release tarball)
cd rkhunter-1.4.0 (for an official release tarball)
or cd rkhunter (for CVS and CVS tarballs)
Now, we can run the installer program as described in the section above
......@@ -286,7 +294,7 @@ sub-directory).
During uninstallation, the installer will remove the initial configuration
file (usually '/etc/rkhunter.conf'). However, any other files beginning with
'rkhunter.conf' are not removed. These may be removed manually.
'rkhunter.conf' are not removed. These may be removed manually if wished.
When installing RKH, some directories may have been created. However,
RKH is unaware of this when being uninstalled. As such, and especially
......@@ -344,7 +352,7 @@ ultimately to the program default value of 'none'. The command-line options
The supplied RKH configuration file will have some tests already disabled.
These are generally CPU and/or I/O intensive tests, or ones which may be prone
to giving false-positive results. They can, of course, be enabled by editing
the DISABLE_TESTS list. To run the tests from the command line, either user
the DISABLE_TESTS list. To run the tests from the command line, either use
the '--enable' command-line option with the specified test name, or use
either '--enable all' or '--disable none'.
......@@ -427,7 +435,7 @@ systems, 'DPKG' for Debian-based systems, 'BSD' for *BSD systems, and
indicate not to use a package manager. The program default is 'NONE'.
Any file which is not part of a package is treated as before, that is,
the HASH_FUNC configuration file option, or the '--hash' command-line
the HASH_CMD configuration file option, or the '--hash' command-line
option, will be used.
It should be noted that all the package managers, except 'SOLARIS', provide
......@@ -478,7 +486,7 @@ installation this would have been in '/var/lib/rkhunter/db'.
Additionally, the mirror directory must have an 'i18n' sub-directory which
contains all the current language translation files for the various versions
of rkhunter. Each version is put into its own sub-directory. So, for example,
there would be a '1.3.5' sub-directory, a '1.3.6' sub-directory and so on,
there would be a '1.4.0' sub-directory, a '1.4.2' sub-directory and so on,
all within the 'i18n' directory. Again, the database directory will already
have had the 'i18n' sub-directory installed in to it, but it will only
contain the language files for the current version of rkhunter. There are
......@@ -508,7 +516,7 @@ to this:
mirrors.dat rkhunter_latest.dat i18n suspscan.dat
1.3.5 ============ 1.3.6 ============ 1.3.7
1.3.8 ============ 1.4.0 ============ 1.4.2
/ | \ / | \ / | \
/ | \ / | \ / | \
cn en i18n.ver cn en i18n.ver cn en i18n.ver
......@@ -517,7 +525,7 @@ to this:
Finally, if the '--versioncheck' option is to be supported with the local
mirror, then the directory, 'rkhunter_data' in the above example, must
contain a file called 'rkhunter_latest.dat'. This file must contain the
current rkhunter version number (for example, '1.3.6') and no other text.
current rkhunter version number (for example, '1.4.0') and no other text.
It is possible to similarly define 'remote' mirrors, which begin with the
text 'remote='. At present though there is no real difference between a
#! /usr/bin/perl -w
# A simple util to check the lines in the i18n/en file
# exist in the rkhunter program.
# Author: John Horne (17-2-07)
my $keyword = my $arg = my $found = '';
my $search_string = my $ignore_case = '';
my $dir = '/var/lib/rkhunter/db/i18n';
my $rkh = '/usr/local/bin';
while (@ARGV) {
$arg = shift;
if ($arg =~ /^--?d$/io) {
$dir = shift;
elsif ($arg =~ /^--?p$/io) {
$rkh = shift;
elsif ($arg =~ /^--?s$/io) {
$search_string = shift;
if (! defined($search_string) || ! $search_string) {
print "No search string given.\n";
exit 1;
$ignore_case = '-i' if ($arg =~ /s$/o);
elsif ($arg =~ /^--?h$/io) {
print "\nUsage: i18nchk [-d i18n_dir] [-p rkhunter_dir] [-{sS} search_string]\n\n";
else {
print "Unknown option: $arg\n";
exit 1;
if (! $dir || ! -d $dir) {
print "Unable to find the i18n directory.\n";
exit 1;
elsif (! $rkh || ! -d $rkh) {
print "Unable to find the rkhunter program.\n";
exit 1;
if ($search_string) {
$found = `grep $ignore_case "$search_string" $dir/en`;
if ($found) {
print $found;
else {
print "Search string not found.\n";
unless (open(I18N, "$dir/en")) {
print "Unable to open i18n file: $!\n";
exit 1;
while (defined($keyword = <I18N>)) {
next if ($keyword =~ /^\s*(#|$)/o);
next if ($keyword =~ /^version:/io);
next if ($keyword eq "MSG_TYPE_PLAIN:\n");
if ($keyword =~ /^([^:]+):\s*\S/o) {
$keyword = $1;
else {
print "Keyword $keyword has no value.\n";
$keyword = $1 if ($keyword =~ /^MSG_TYPE_(.*)/o);
$keyword = $1 if ($keyword =~ /^MSG_RESULT_(.*)/o);
if ($keyword =~ /[a-z]/o) {
print "Keyword $keyword contains lowercase characters.\n";
$found = `egrep -e " $keyword( |\$)" $rkh/rkhunter`;
unless ($found) {
print "Keyword $keyword not found in rkhunter.\n";
# print "$keyword\n";
Some of the tests within RKH use commands which do not have standard options.
An example is the 'ps' command: for GNU linux we would use 'ps aux', but for
SunOS or IRIX we would use 'ps -ef'. As such the test can run for all these
operating systems, but RKH must be coded to handle each of them differently.
In cases were an O/S is not supported by a test, then RKH will usually mark the
test as 'skipped'. The user should look in the log file to see why the test was
skipped. It may be that we can then include code to enable the test for that
O/S, or the user can include it as a disabled test in the configuration file.
The problem is that when we are asked to support a new O/S, we need to find out
which command options are avaiable. We can then see if the test will run on the
new O/S, or if we need to modify RKH to support it.
This file lists those instances in RKH where whichever operating system is
used, RKH will use different commands and/or command options.
RKH makes the assumtion that certain commands are standard among all UNIX,
Linux and *BSD operating systems. If one or more of these commands are not
present on the system, then RKH will not run.
The current list of required commands is:
awk cat chmod chown cp cut date egrep grep head
ls mv sed sort tail touch tr uname uniq wc
1) What is the output of the 'uname' command?
This is a very basic command, but it is possible it may not work or may not
provide the information we want.
2) Is the '/bin' directory a link to '/usr/bin'?
In order to cut down on the time repeatedly looking for files in '/bin' and
'/usr/bin', RKH can exclude '/bin' if it is a link to '/usr/bin'. This occurs
on the AIX, IRIX and SunOS operating systems.
3) What is the output of the 'uname -m' command?
Typically 'uname -m' can be used to determine if the system is 32 or 64-bit.
For other operating systems, we have to use other commands. For example,
'sysctl' on FreeBSD and OSX, 'uname -p' on SunOS and AIX.
4) Does 'ls -ld /etc/*release* /etc/*version* /etc/issue' show some sort of 'release' or
version file being present?
In order to find out some information about the O/S, such as its version
number, RKH will look in '/etc' for any one of various files. Typically this
information will come from '/etc/lsb-release', or specific O/S versions such as
'/etc/debian_version' or '/etc/gentoo_release'.
The RKH configuration file contains an option to set the specific file name, if
RKH cannot correctly detect a 'release' file.
5) Does the O/S support setting an 'immutable-bit' on files? If so, then is the
'lsattr' command present?
This is one of the file properties checks. However, at present only Linux and
*BSD support the immutable-bit on files. If the system supports the
immutable-bit, but 'lsattr' is not present, then does 'ls -lno' show the file
6) What is the output of the 'netstat -an' command?
RKH may use this output in determining if certain ports are being used.
However, the output from 'netstat' varies wildly amongst different operating
systems. So we need to see the output in order to ensure that RKH handles it
7) Does the 'ifconfig' or 'ifconfig -a' command show the available network interfaces?
RKH looks at the network interfaces to see if they are in promiscuous mode.
8) Is the 'ip' command present? If so, then can it show the interfaces present,
and if so how? (Perhaps using 'ip -s link'?)
As above, this is a second check for promiscuous interfaces.
9) Does the file '/proc/net/packet' exist? (It may be zero-sized.) If it does
exist, then is the 'lsof' command present on the system as well?
This is used by RKH to see if there are any applications watching the network
interfaces. The 'lsof' command is used by several tests in RKH.
10) Does the 'ps ax' command display the processes running on the system? If
not, then does 'ps -ef' work instead? If not, what options to the 'ps' command
cause it to show all the current running processes on the system (the output
must include the PID and the process (command) being run by that PID).
RKH uses the 'ps' command for a few tests. However, the output varies a lot
amongst different operating systems, so we have to code RKH according to each
11) Does the 'date +%s' command show the number of seconds since the epoch?
Does it also understand "date --date '5 seconds ago'"? If not then perl
will be needed.
This is used by RKH in order to add to filenames to make them random.
12) Is the 'stat' command present on the system, and if so, does the
'stat -c '%i 0%a %u %g %s %Y:' /etc/motd' command work?
If not try using 'stat -f ...'.
This should display some numbers relating to the ('/etc/motd') file attributes.
If it doesn't work, then we may need to see the man page for the 'stat'
13) Does the grep command need the '-a' option, or some other option, in
order to treat binary (language) files as text files. See GREP_OPT in RKH.
14) Does the 'readlink' command exist, and if so does it support the '-f'
option to get the full pathname. If not, then the builtin command may be
# We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each
......@@ -240,7 +240,7 @@ FILE_PROP_SKIP_HASH_PRELINK:'prelink'-Kommando wurde nicht gefunden.
FILE_PROP_SKIP_HASH_SHA1:Dieses System benutzt prelinking, aber die das Kommando für die Hash-Funktion sieht nicht nach SHA1 oder MD5 aus.
FILE_PROP_SKIP_HASH_LIBSAFE:Libsafe wurde gefunden, dies kann Fehler verursachen. Deaktivieren Sie, sofern möglich, libsafe und starten das prelink-Kommando erneut. Abschließend die Hash-Werte erneuern mittels 'rkhunter --propupd'.
FILE_PROP_SKIP_IMMUT:'lsattr'-Kommando wurde nicht gefunden - alle immutable-bit Überprüfungen werden übersprungen.
FILE_PROP_SKIP_SCRIPT:'file'-Kommando wurde nicht gefunden - Alle Skript-Ersetzungs-Überprüfungen werden übersprungen..
FILE_PROP_SKIP_SCRIPT:'file'-Kommando wurde nicht gefunden - Alle Skript-Ersetzungs-Überprüfungen werden übersprungen.
FILE_PROP_OS_CHANGED:Die lokale Host-Konfiguration oder das Betriebssystem hat sich geändert.
FILE_PROP_DAT_MISSING:Die Datei mit den gespeicherten Dateieigenschaften (rkhunter.dat) existiert nicht und muss erstellt werden. Um dies zu veranlassen führen Sie 'rkhunter --propupd' aus.
FILE_PROP_DAT_EMPTY:Die Datei mit den gespeicherten Dateieigenschaften (rkhunter.dat) ist leer und muss erstellt werden. Um dies zu veranlassen führen Sie 'rkhunter --propupd' aus.
......@@ -544,3 +544,95 @@ LIST_TESTS:Verfügbare Überprüfungen lauten:
LIST_GROUPED_TESTS:Gruppierte Überprüfungen lauten:
LIST_LANGS:Verfügbare Sprachen:
LIST_RTKTS:Rootkits überprüft für:
APPS_DAT_NOTAFILE:Die Datei der unsicheren Anwendungsversionen ist keine Datei: $1
CONFIG_LOCALCONFIGFILE:Verwende lokale Konfigurationsdatei '$1'
FILE_PROP_BROKEN_LINK_WL_TGT:Gebrochene Verknüpfung gefunden, aber die Existenz des Ziels ist mittels Whitelist freigegeben: '$1'
FILE_PROP_DAT_MISSING_INFO:Die Dateieigenschaften-Prüfung wird ausgeführt da Prüfungen auch ohne die rkhunter.dat Datei ausgeführt werden können.
FILE_PROP_EPOCH_DATE_CMD:Benutze '$1' um Epochen-Zeitstempel umzurechnen.
FILE_PROP_IGNORE_PRELINK_DEP_ERR:Ignoriere Prelink-Abhängigkeit für Datei '$1'
FILE_PROP_IMMUT_NOT_SET:Datei '$1' hat das immutable-bit nicht gesetzt.
FILE_PROP_IMMUT_SET:Die immutable-bit Prüfung wird invertiert.
FILE_PROP_NO_OS_WARNING:Warnungen über Betriebssystem-Änderungen wurden deaktiviert nach Anwenderwunsch.
FILE_PROP_NO_SYSHASH_BL:Die Datei ist eine gebrochene Verknüpfung: $1
FILE_PROP_SKIP_FILE_CMD:Keine Ausgabe vom 'file' Kommando - alle Skript-Ersetzungs-Überprüfungen werden übersprungen.
FILE_PROP_SKIP_IMMUT_CMD:Keine Ausgabe vom '$1' Kommando - alle immutable-bit Überprüfungen werden übersprungen.
FILE_PROP_SYSHASH_UNAVAIL_BL:derzeitiger Hash-Wert: nicht verfügbar (mögliche gebrochene Verknüpfung)
FILE_PROP_WL_STR:Datei '$1' und Zeichenkette '$2' gefunden: sie sind mittels Whitelist freigegeben für '$3' Überprüfung.
GROUP_CHANGES_FOUND:Änderungen gefunden in ger group-Datei für Gruppe '$1':
GROUP_CHANGES_GID:Die Gruppen-Nummer wurde geändert von '$1' nach '$2'
GROUP_CHANGES_GRPADD:Benutzer '$1' wurde der Gruppe hinzugefügt
GROUP_CHANGES_GRPREM:Benutzer '$1' wurde aus der Gruppe entfernt
GROUP_CHANGES_IDADD:Gruppe '$1' wurde der group-Datei hinzugefügt.
GROUP_CHANGES_IDREM:Gruppe '$1' wurde aus der group-Datei entfernt.
GROUP_CHANGES_PWD:Der Gruppen-Name wurde geändert von '$1' nach '$2'
HASH_FUNC_PERL_SHA:Benutze das perl-Modul $1 (mit $2) für die Datei-Hash Prüfungen
HASH_PKGMGR_SUM:Benutze die gespeicherten 16-bit Prüfsummen für die Paketverifikation
KSYMS_UNAVAIL:Alle ksyms und kallsyms Prüfungen werden übersprüngen - die Datei ist nicht lesbar.
LIST_PERL:Perl Modul Installations Status:
LOCK_FAIL:Unfähig die Sperrdatei zu sperren: rkhunter ist nicht gelaufen!
LOCK_UNUSED:Sperrungen werden nicht verwendet
LOCK_USED:Sperren wird verwendet: timeout beträgt $1 Sekunden
LOCK_WAIT:Warte auf Sperrdatei
MSG_RESULT_WHITELISTED:durch Whitelisting erlaubt
NETWORK_HIDDEN_PORTS_CHK_NAME:Tor Nummer: $1:$2 wird benutzt von $3
NETWORK_HIDDEN_PORTS_FOUND:Versteckte Tore gefunden:
NETWORK_HIDDEN_PORTS_PATH_WHITELIST:Verstecktes $1 port $2 wird benutzt von $3: der Pfadname ist mittels Whitelist erlaubt.
NETWORK_HIDDEN_PORTS_PORT_WHITELIST:Verstecktes $1 port $2 gefunden: das Tor ist mittels Whitelist erlaubt.
NETWORK_HIDDEN_PORTS:Prüfe auf versteckte ports
NETWORK_HIDDEN_PORTS_TRUSTED_WHITELIST:Verstecktes $1 Tor $2 wird benutzt von $3: der Pfadname ist vertrauenswürdig.
NETWORK_PORTS_BACKDOOR_LOG:Führe Prüfung auf Hintertüren-ports aus
NETWORK_PORTS_BACKDOOR:Prüfe auf Hintertüren-ports
NETWORK_PORTS_BKDOOR_FOUND:Netzwerk $1 Tor $2 wird benutzt${3}. Mögliches Rootkit: $4
NETWORK_PORTS_BKDOOR_FOUND:Nutzen Sie das 'lsof -i' oder 'netstat -an' Kommando um dies zu prüfen.
NETWORK_PORTS_FILE_NOTAFILE:Die Datei der bekannten Hintertüren-ports ist keine Datei: $1
NETWORK_PROMISC_WLIST:Netzwerk-Schnittstellen, die im promiscuous-Modus betrieben werden dürfen: $1
OSINFO_DO_UPDT:Die Dateieigenschaften-Datei wird automatisch auf den neuesten Stand gebracht.
PWD_CHANGES_COMM:Der Konto-Kommentar wurde von '$1' nach '$2' geändert.
PWD_CHANGES_FOUND:Änderungen gefunden in der passwd Datei für Benutzer '$1':
PWD_CHANGES_GID:Die GID wurde geändert von '$1' nach '$2'
PWD_CHANGES_HOME:Das Heimatverzeichnis wurde geändert von '$1' nach '$2'
PWD_CHANGES_IDADD:Benutzer '$1' wurde der passwd-Datei hinzugefügt.
PWD_CHANGES_IDREM:Benutzer '$1' wurde aus der passwd-Datei entfernt.
PWD_CHANGES_PWD:Das Passwort wurde geändert von '$1' nach '$2'
PWD_CHANGES_SHL:Die login shell wurde geändert von '$1' nach '$2'
PWD_CHANGES_UID:Die UID wurde geändert von '$1' nach '$2'
PWDGRP_CHANGES_UNK:Unbekanntes Feld gefunden in der $1 Datei: altes Feld: '$2', neues Feld: '$3'
RKHDAT_ADD_NEW_ENTRY:Füge neuen Dateieintrag zur 'rkhunter.dat' Datei hinzu: $1
RKHDAT_DEL_OLD_ENTRY:Lösche nicht existierenden Dateieintrag aus der 'rkhunter.dat' Datei: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:Die Nutzung von '$1' wurde unterdrückt auf Benutzerwunsch.
ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:Das 'unhide.rb' Kommand ergab einen Fehler:
ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' nicht ausgeführt: ungültiger konfigurierter Testname: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:Gefundene 'unhide' Kommando-Version: $1
ROOTKIT_OS_DFLY_PKGDB_NOTOK:Die Paketdatenbank scheint inkonsistent zu sein.
ROOTKIT_OS_DFLY_PKGDB_NOTOK:Dies mag kein Sicherheitsproblem sein, aber 'pkg_admin check' auszuführen könnte helfen, das Problem zu diagnostizieren.
ROOTKIT_PHALANX2_PROC_FOUND:Laufenden Prozess 'ata/0' gefunden
ROOTKIT_PHALANX2_PROC_PPID:Erwarte 'kthread' Eltern-PID '$1', fand Eltern-PID '$2'
ROOTKIT_PHALANX2_PROC:Prüfe Prozessliste auf Prozess 'ata/0'
ROOTKIT_PHALANX2_PROC_PS_ERR:Ausführung von 'ps' ergab unerwartete Ergebnisse: möglicherweise nicht unterstützte Kommandozeilen-Argumente.
SET_FILE_PROP_FILE_COUNT_BL:Datei $1: suchte nach $2 Dateien, fand $3, gebrochene Verknüpfungen $4
SET_FILE_PROP_FILE_COUNT_NOHASH_BL:Datei $1: suchte nach $2 Dateien, fand $3, fehlende Hashwerte $4, gebrochene Verknüpfungen $5
SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT_BL:Datei $1: suchte nach $2 Dateien, fand $3 von $4, fehlende Hashwerte $5, gebrochene Verknüpfungen $6
SET_FILE_PROP_FILE_COUNT_PROPOPT_BL:Datei $1: suchte nach $2 Dateien, fand $3 von $4, gebrochene Verknüpfungen $5
SHARED_LIBS_PRELOAD_LIB_FOUND:Fand vorabgeladene geteilte Bibliothek: $1
SHARED_LIBS_PRELOAD_LIB_WLIST:Fand vorabgeladene geteilte Bibliothek '$1': sie ist mittels Whitelist erlaubt.
SUMMARY_LOGFILE_COPIED:Logdatei kopiert nach $1
SUSPSCAN_DAT_MISSING:Die Datendatei der verdächtigen Inhalte fehlt oder ist leer: $1
SUSPSCAN_DAT_MISSING:Führen Sie 'rkhunter --update' aus, um die Vorgabe-Datei wieder herzustellen.
SUSPSCAN_DAT_NOTAFILE:Die Datendatei der verdächtigen Inhalte ist keine Datei: $1
SYSTEM_CONFIGS_SSH_PROTO_DIFF1:SSH Konfigurations-Option 'Protocol': $1
SYSTEM_CONFIGS_SSH_PROTO_DIFF2:Rkhunter Konfigurations-Option 'ALLOW_SSH_PROT_V1': $1
SYSTEM_CONFIGS_SYSLOG_REMOTE_LOG:Konfigurationsdatei erlaubt Logging über das Netzwerk: $1
UPDATE_SKIPPED:Sprachdateien-Update übersprungen auf Benutzerwunsch.
USER_CMD_LIST:Schliesse Benutzer-Kommandos für Dateieigenschaften-Prüfung ein:
USER_DIR_LIST:Schliesse Benutzer-Verzeichnisse für Dateieigenschaften-Prüfung ein:
USER_EXCLUDE_PROP:Schliesse von Dateieigenschaften-Prüfung aus:
USER_FILE_LIST:Schliesse Benutzer-Dateien für Dateieigenschaften-Prüfung ein:
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
.\" rkhunter - RootKit Hunter
.TH rkhunter 8 "November 2011"
.TH rkhunter 8 "January 2014"
rkhunter \- RootKit Hunter
......@@ -220,22 +220,20 @@ stdout. Regular logging will continue as per default or as specified by the
filename which starts with \fI/tmp/rkhunter\-debug\fP.
.IP "\fB\-\-disable <test>[,<test>...]\fP"
This option tells \fBrkhunter\fP not to run the specified tests. If this
option is used, and \fB\-\-propupd\fP is not specified, then the
\fB\-\-check\fP command option is assumed. Read the README file for more
information about test names. By default no tests are disabled.
This option tells \fBrkhunter\fP not to run the specified tests. Read the
README file for more information about test names. By default no tests are
.IP \fB\-\-display\-logfile\fP
This option will cause the logfile to be displayed on the screen once
\fBrkhunter\fP has finished.
.IP "\fB\-\-enable <test>[,<test>...]\fP"
This option tells \fBrkhunter\fP to only run the specified tests. If this
option is used, and \fB\-\-propupd\fP is not specified, then the
\fB\-\-check\fP command option is assumed. If only one test name, other than
\fIall\fP, is given, then the \fB\-\-skip\-keypress\fP option is also assumed.
Read the README file for more information about test names. By default all
tests are enabled. All the test names are listed below under TESTS.
This option tells \fBrkhunter\fP to only run the specified tests. If only one
test name, other than \fIall\fP, is given, then the \fB\-\-skip\-keypress\fP
option is assumed. Read the README file for more information about test
names. By default all tests are enabled. All the test names are listed below
under TESTS.
.IP "\fB\-\-hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |\fP"
\fB NONE | <command>}\fP
......@@ -405,7 +403,6 @@ THREE=three,three. Simple globbing (/dev/shm/file-*) works.
.IP \fBpasswd_changes\fP
.IP \fBports\fP
.IP \fBpossible_rkt_files\fP
.IP \fBpossible_rkts\fP
.IP \fBpossible_rkt_strings\fP
.IP \fBpromisc\fP
.IP \fBproperties\fP
This diff is collapsed.
......@@ -6,7 +6,7 @@
%define name rkhunter
%define ver 1.4.0
%define ver 1.4.1
%define rel 1
%define epoch 0
......@@ -11,8 +11,8 @@
INSTALLER_NAME="Rootkit Hunter installer"
INSTALLER_COPYRIGHT="Copyright 2003-2012, Michael Boelen"
INSTALLER_COPYRIGHT="Copyright 2003-2014, Michael Boelen"
Under active development by the Rootkit Hunter project team. For reporting
......@@ -24,7 +24,7 @@ of the GNU General Public License. See LICENSE for details.
......@@ -415,12 +415,14 @@ selectTemplate() { # Take input from the "--install parameter"
RKHINST_DB_FILES="backdoorports.dat mirrors.dat programs_bad.dat suspscan.dat"
RKHINST_SIG_FILES="RKH_dso.ldb RKH_Glubteba.ldb RKH_jynx.ldb RKH_kbeast.ldb RKH_libkeyutils1.ldb RKH_libkeyutils.ldb RKH_libncom.ldb RKH_pamunixtrojan.ldb RKH_shv.ldb RKH_sniffer.ldb RKH_sshd.ldb RKH_turtle.ldb RKH_xsyslog.ldb"
if [ "${RKHINST_LAYOUT}" = "DEB" ]; then
......@@ -498,6 +500,10 @@ showTemplate() { # Take input from the "--install parameter"
echo "Databases: ${RKHTMPVAR}"
echo "Signatures: ${RKHTMPVAR}"
echo "Temporary files: ${RKHTMPVAR}"
......@@ -615,7 +621,7 @@ doInstall() {
# Perl will be found in rkhunter itself.
if [ -f "${RKHINST_ETC_DIR}/rkhunter.conf" ]; then
echo "Starting update:"
......@@ -670,6 +676,7 @@ doInstall() {
echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter" >>rkhunter.conf
echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter.conf" >>rkhunter.conf
test -f "$PREFIX/rkhunter.conf.local" && echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter.conf.local" >>rkhunter.conf
test -d "$PREFIX/rkhunter.d" && echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter.d/*.conf" >>rkhunter.conf
sed -e "s|-f /etc/rkhunter.conf|-f $PREFIX/rkhunter.conf|g" -e "s|CONFIGFILE=\"/etc|CONFIGFILE=\"$PREFIX|g" rkhunter >rkhunter.
mv -f rkhunter. rkhunter
......@@ -843,6 +850,23 @@ doInstall() {
# ClamAV signatures
for FILE in `find ./files/signatures -type f`; do
cp "${FILE}" "${RKHINST_SIG_DIR}" >/dev/null 2>&1
test $ERRCODE -ne 0 && break
if [ $ERRCODE -eq 0 ];then
echo " Installing ClamAV signatures: OK"
echo " Installing ClamAV signatures: FAILED: Code $ERRCODE"
exit 1
# Application
case "${RKHINST_LAYOUT}" in
......@@ -1021,7 +1045,7 @@ doInstall() {
doRemove() {
echo "Starting uninstallation"