Commit cecc7464 authored by Julien Valroff

Imported Upstream version 1.3.6

parent ef43551f
......@@ -2,9 +2,9 @@
Michael Boelen For providing and opening up RKH for
active development
John Horne For opening up a true cornucopia of enhancements
Michael Boelen Initial Rootkit Hunter developer
John Horne Current Rootkit Hunter developer
Aus9 For Wiki and documentation support
Gary Bak For enhancing AIX support and testing
Andrej Ricnik For patching and testing
konsolebox For loads of suggestions and testing
......@@ -13,7 +13,7 @@ Constantin Stefan For ideas
Iain Roberts AIX and OpenBSD support
Doncho N. Gunchev
Steph For testing
unSpawn Current Rootkit Hunter developer
......@@ -26,8 +26,14 @@ jabel FreeBSD 6.1 cli vs cron
baddcarma ProFTPd 1.3.0 on SuSE 10.0
linux_fqh Chinese translations
Ryan Beckett For IRIX support
Marc Becker German translation
Julien Valroff Bug reports, ideas and fixes
Dick Gevers For packaging and hosting skdet
Jan Iven Bug reports, ideas and fixes
Finally, thanks go to all the maintainers and end-users that have
volunteered to support RKH.
And thanks to all others who contributed to Rootkit Hunter:
the regulars on the Rootkit Hunter users mailing list, bug
reporters, package maintainers, end-users and those promoting
Rootkit Hunter usage.
......@@ -9,7 +9,8 @@
- Dates in this file are formatted as DD/MM/YYYY (European format)
- The rkhunter configuration file (default /etc/rkhunter.conf) will
not be overwritten when using the rkhunter installer.
not be overwritten when using the rkhunter installer, unless
specifically requested to do so (using the '--overwrite' option).
Be sure you compare your existing configuration file against the
one delivered in this package, in order to optimize the file for
your machine.
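Review bot: the new wording still leaves the reader to merge the delivered configuration file into their own by hand; since this same release introduces 'rkhunter.conf.local' (see the 1.3.6 entries below), suggest pointing to it here, so that site-specific settings live in the local file and survive a later run of the installer with '--overwrite'.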
......@@ -17,6 +18,207 @@
* 1.3.6 (30/11/2009)
- Added ZK rootkit check.
- German translation provided.
- Added the IGNORE_PRELINK_DEP_ERR option to the configuration file. This
option can be used when a persistent prelink dependency error occurs.
Further details of its use are in the configuration file.
- Added CX rootkit check.
- Added the USER_FILEPROP_FILES_DIRS configuration option. This allows
users to add further files and directories to the file properties
check. Details are in the configuration file. The installer program
will automatically add the configuration file pathname to this option.
- Added the EPOCH_DATE_CMD configuration option. In the file properties
test any modification date/times will now be displayed in human-readable
format as well as the number of epoch seconds. This option can be used
to specify the command to use if the 'date' or 'perl' commands cannot
convert epoch seconds.
- Added the COPY_LOG_ON_ERROR configuration option. When set this will
take a copy of the log file if any errors or warnings have occurred.
- Added the WEBCMD configuration option. This allows users to specify
the command used to download data file updates from the Internet.
- It is now possible to put configuration changes into a local config
file. This file, called 'rkhunter.conf.local', must be in the same
directory as the main configuration file. Rkhunter will look for
configuration options in the main config file, and then in the local
config file if it exists. As before, for options allowed only once,
the last one seen is used. For options allowed more than once, all
options from both files will be used.
- Added the SHARED_LIB_WHITELIST configuration option to allow the
whitelisting of preloaded shared libraries.
- Made some minor changes to enable support for SliTaz Linux.
- Added the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE configuration
options. During the file properties check there are some O/S tests
performed to see if the O/S has changed since the last run of
'rkhunter --propupd'. By default if something has changed, then a
warning is shown. If the WARN_ON_OS_CHANGE option is unset, then no
warnings will be shown. If the UPDT_ON_OS_CHANGE option is set, and
the O/S has changed, then rkhunter will automatically update the file
properties file (in effect, it will run 'rkhunter --propupd').
- The installer now has a '--overwrite/-o' option. When used this will
overwrite the existing configuration file. This allows a site to check
the new config file (at least once) for changes, and then modify their
own 'rkhunter.conf.local' file as required. This option can then be
used to have the installer overwrite the default config file. It saves
having to move the new default config file into place on each computer.
- Locking is now possible when rkhunter runs. This prevents RKH running
more than once and corrupting any modified files such as the log file,
or the file properties file. New configuration options have been added
to handle the locking, and the configuration file contains details of
how the locking works. The default is not to use locking.
- Added support for hash functions SHA224, SHA256, SHA384 and SHA512 using
perl modules Digest-SHA-PurePerl or SHA256, both available at CPAN.
- Added the UPDATE_LANG configuration option. This can be set to those
language files the user wants to be updated when the '--update' option is
used. Since most sites may only use one language, this can reduce the
network bandwidth used. The default is to update all the languages. The
configured default language, and English (en), are always updated.
- Added the ALLOWPROMISCIF configuration option. This can be used to
specify network interfaces which are allowed to be in promiscuous mode.
- Added the SCANROOTKITMODE configuration option. If set to "THOROUGH" then
the scanrootkit function will search for filenames in all directories.
While still not optimal this is one step away from the rigidity of
searching only in known locations. Enabling this feature implies you have
the knowledge to interprete results properly.
- Added OSX rootkit check.
- Added weaponX rootkit check.
- Added the PKGMGR_NO_VRFY configuration option. This allows specified
files to be exempt from the package manager verification process. Now
that users can include their own files into the file properties check,
it is possible that changed packaged files will cause a warning to be
issued. This option allows those files to skip the package manager
verification, and be treated as non-packaged files.
- Added cb rootkit check.
- Added Fu rootkit check.
- Added LD_PRELOAD check.
- Added Adore Rootkit aka strings.o rootkit aka Dextenea check.
- Added iLLogiC rootkit check.
- Added 'Spanish' rootkit check.
- Added Xzibit rootkit check.
- Added trNkit rootkit check.
- Removed the 'os_specific' test for OpenBSD. The *BSD test is currently
only applicable to NetBSD and FreeBSD.
- Updated the ENYE LKM check.
- The '--debug' option no longer needs to be the first option on the
command line.
- Improved support for MAC's now using the bash shell by default. Include
logging of whether 64-bit is available.
- When uninstalling rkhunter, old versions of the document directory
(usually /usr/local/share/doc/rkhunter-*) will now be removed.
- The warnings from the passwd and group file changes tests are now
more specific about what has changed.
- Small change to the detection of Source Mage Linux.
- Renamed part of the 'shared_libs' test to display that it is checking
for preloaded libraries, rather than just the preload file. The pathname
of the preload file is now logged, and any found shared library files are
now logged as a warning.
- The SYSLOG_CONFIG_FILE configuration option can now take the value of
'NONE' to indicate that there is no syslog configuration file, despite
the fact that syslogd may be running.
- Some tests will now show their result as 'Whitelisted'. If a test uses a
configuration option, and this has been set, and the test passes - giving
a green result - then it will now be shown as 'Whitelisted'. The user can
now see that a test has either passed correctly - an 'OK' or 'Not found'
type result - or has passed because the test requirements have been
whitelisted. It is for the user to investigate if this is correct or not.
(This change does not currently apply to all relevant tests.)
Additionally, the configuration option WHITELISTED_IS_WHITE can be set
if the 'Whitelisted' result is to be shown in white rather than green.
For color set two users this will be shown in black.
- Improved the O/S name detection slightly for those systems which only
provide a version number.
- Rkhunter now ensures that the output from the 'lsattr' command, or
'ls -lno' on *BSD systems, and the 'file' command is valid. That is, it
produces something on stdout. If it doesn't, then the 'immutable' and/or
'scripts' test is skipped.
- Changed the RPM spec file so as not to verify the checksum, size and mtime
of the database files and the i18n files. These files may be changed by
rkhunter itself.
- The installer now uses the 'default' layout by default. It is no longer
necessary to specify the layout at all if the default is to be used.
The '--layout' option no longer needs to be the first option specified
if it is used.
- Improved Fleakit Linux Rootkit checks.
- Improved SHV4 Rootkit checks.
- Improved beX2 Rootkit check.
- Improved Phalanx2 Rootkit check to include Phalanx version 2.3d as reported
in ticket 2839813, including a PHALANX2_DIRTEST configuration option which
enables scanning for directory names and accepts the value '0' for default
directory names to search for and '1' for scanning the /etc and /usr
directories for directory names ending in '.p2' at the expense of a slightly
longer running time. Absence of the configuration option selects value '0'.
- Improved Ambient (ark) Rootkit check.
- Improved BOBkit Rootkit check.
- Improved Dica-Kit Rootkit check.
- Improved Evil strings test.
- Improved Possible rootkit files and directories test.
- Improved Suspicious startup file strings test.
- Improved Suspicious open files test.
- Improved Known bad Linux kernel modules test.
- Improved Dreams Rootkit check.
- Improved Universal Rootkit (URK) check.
- Improved FreeBSD Rootkit (FBRK) check and removed standalone ImperialS version.
- When using the Korn shell the application check could give a spurious
error printing out '-1'.
- The debug code only partially worked when using the Korn shell.
- Fixed the option parsing in the configuration file such that leading
and trailing whitespace are now correctly removed.
- When displaying the list of checked rootkit names, the list was supposed
to be sorted.
- If the '--list' option was used more than once with the same argument
(e.g. '--list tests --list tests'), it displayed the wrong information.
- The rootkit strings check wasn't logging a warning for the particular
string found. It was, however, displaying an overall test failure
warning on the screen though.
- The rootkit file whitelisting wasn't applied to the startup script
malware check. Also the summary wasn't showing if any possible rootkits
had been found or not.
- If the '--propupd' option was used with either of the '--enable/--disable'
command-line options, then the file properties would not be stored.
However, if, for example, the 'hashes' test was enabled, then only these
would be stored. In all cases the relevant test was not run after the
file properties were obtained, unless the '--check' option was also used.
- The installer now uses a basic 'echo' command. Hopefully it should work
on all UNIX/Linux systems, and avoid any further "-e"'s being displayed.
- Changed how rkhunter detects the Korn shell, and added a test to see if
the 'echo -e' command works or not. As with the installer, this should
allow rkhunter to work on all UNIX/Linux systems, and avoid any further
"-e"'s being displayed.
- When converting the case of characters, unpredictable results could
occur when other languages were specified (via LANG). We now use character
classes rather than the 'a-z' and 'A-Z' ranges.
- For the 'ports' test ensure that only local ports are checked. Also if a
port is whitelisted, the result will say so.
- Using '--hash MD5 --propupd' on a prelinked system caused an error.
- If a non-existent syslog config file was put into the RKH configuration
file, then rkhunter incorrectly said that it was found.
- If the use of prelinking changed, and the 'hashes' test was disabled, then
rkhunter correctly logged a warning (of an O/S change) but did not display
it unless the '--rwo' option was used. It now displays the warning whether
'--rwo' is used or not.
- The 'group_accounts' test now checks /etc/passwd, as well as the shadow
file, for passwordless accounts.
- If the passwd file did not exist, then a warning of this was logged three
times. It is now logged once as a warning, and as an info message for the
other times.
- It was possible for the network ports test to incorrectly display a warning
due to an uninitialised variable.
- The SSH configuration file tests now allow for leading spaces/tabs.
- When using the '--debug' option, and running the 'suspscan' test, the debug
file itself could be logged as suspicious. It is now skipped from the test.
- Ensure the /proc/ksyms or /proc/kallsyms file is readable before using it.
- If the mirrors.dat file has been locally modified to provide a mirror, then
the installer will no longer overwrite the file.
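Review bot: the WEBCMD and EPOCH_DATE_CMD entries add options whose value is a command that rkhunter will execute, and PKGMGR_NO_VRFY lets listed files bypass package-manager verification, so the changelog should state that 'rkhunter.conf' and the new 'rkhunter.conf.local' must be owned by root and not writable by anyone else; a config file that others can write becomes a way to choose what the scan runs or skips. The UPDT_ON_OS_CHANGE entry needs a similar caveat: when it is set, a detected O/S change rewrites the file properties baseline with nobody reviewing the differences, which is exactly the moment a careful reader would want to look. Minor wording in the same hunk: 'interprete' should read 'interpret', and 'MAC's' should read 'Macs'.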
* 1.3.4 (31/12/2008)
......@@ -290,7 +492,7 @@
values using the '--propupd' option.
- The '--checkall' option has been changed to '--check'. The old option is
still recognised, but will be deprecated at some time.
- If a logfile is to be written, but not appended to, then the old log file
- If a log file is to be written, but not appended to, then the old log file
is moved to '<logfile name>.old' now. The same happens to the rkhunter.dat
file if the --propupd option is used.
- The previous 'known good' hash check now also checks the files inode, uid,
......@@ -50,7 +50,7 @@ The latest version of this FAQ can be found at the RKH web site.
4.1) What does the following warning mean:
The file of stored file properties (rkhunter.dat) is empty,
and so must be created. To do this type in
and should be created. To do this type in
'rkhunter --propupd'.
4.2) Rootkit Hunter skips some checks, and the logfile indicates
that certain commands are missing. What can I do?
......@@ -68,6 +68,9 @@ The latest version of this FAQ can be found at the RKH web site.
installed. How it this possible?
5.2) Can I be notified when a new release will be available?
6.1) Common whitelisting examples
......@@ -153,7 +156,8 @@ A. The RKH source contains an rkhunter.spec file which will
A. Prior to any incident it is recommended that you have read
"Intruder Detection Checklist". This is available from or
This document will tell you what to check, and makes it easier
for you to find out and answer any questions.
......@@ -169,7 +173,7 @@ A. Prior to any incident it is recommended that you have read
binaries. If so, then please check further:
1. If you run a file integrity checker, for example Aide,
Samhain, or tripwire, consult the results from running those
Samhain, or Tripwire, consult the results from running those
tools. Note they must be installed directly after the O/S
installation in order to be useful, and you must keep a copy
of the binary, configuration files and databases off-site.
......@@ -265,7 +269,7 @@ A. Some distributions, for example Red Hat and OpenBSD, do patch
If you wish you can skip the application version check completely
by adding the 'apps' test name to the DISABLE_TESTS option in your
rkhunter.conf configuration file.
rkhunter configuration file.
3.3) How can I automatically run Rootkit Hunter every day?
......@@ -361,7 +365,8 @@ A. See the README file for information about the test names.
A. Generally no. Within the tests the space character is typically
used to delimit command output fields. Some tests will work, but
others will not.
others will not. Additionally some tests will not like filenames
with the colon (:) character in them either.
3.6) What does the following warning mean:
......@@ -404,7 +409,7 @@ A. The first run of rkhunter after an installation will usually give
message. Once the reason for the warning has been found, and you
believe that rkhunter has given a false-positive result, then
looking in the configuration file may show you that the relevant
item can be whitelisted.
item can be whitelisted. Also see WHITELISTING EXAMPLES below.
3.8) When I used the '--propupd' option, Rootkit Hunter told me
......@@ -474,7 +479,7 @@ A. The output from rkhunter probably shows something like this:
4.1) What does the following warning mean:
The file of stored file properties (rkhunter.dat) is empty,
and so must be created. To do this type in
and should be created. To do this type in
'rkhunter --propupd'.
A. For rkhunter to perform file property checks, it must first
......@@ -592,3 +597,39 @@ A. Yes, you can join the rkhunter-announce mailing list. This is
6.1) After Rootkit Hunter has run you may encounter items in the log file
you would like to whitelist. First verify that the entries are
safe to add. The results of running these commands can be added to
your rkhunter.conf. Please adjust the commands and the location of
your rkhunter.log and verify the results before adding them. Do not
automate adding whitelist entries to your rkhunter.conf.
Allow script replacements ("properties" test):
awk -F"'" '/replaced by a script/ {print "SCRIPTWHITELIST="$2}' rkhunter.log
Allow processes using deleted files ("deleted_files" test):
awk '/Process: / {print "ALLOWPROCDELFILE="$3}' rkhunter.log | sort -u
Allow Xinetd services:
awk '/Found enabled xinetd service/ {print $NF}' rkhunter.log |\
xargs -iX grep -e "server[[:blank:]]" 'X' | awk '{print "XINETD_ALLOWED_SVC="$NF}'
Allow packet capturing applications ("packet_cap_apps" test):
awk -F"'" '/is listening on the network/ {print "ALLOWPROCLISTEN="$2}' rkhunter.log
Allow "suspicious" files ("filesystem" test):
grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' rkhunter.log |\
awk '{print "ALLOWDEVFILE="$2}' | sed -e "s|:$||g"
Allow hidden directories ("filesystem" test):
awk '/Warning: Hidden directory/ {print "ALLOWHIDDENDIR="$6}' rkhunter.log
Allow hidden files ("filesystem" test):
awk '/Warning: Hidden file/ {print "ALLOWHIDDENFILE="$6}' rkhunter.log |\
sed -e "s|:$||g"
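Review bot: in the xinetd example 'xargs -iX' uses the deprecated GNU '-i' form; 'xargs -I X' is the portable spelling and works unchanged with the quoted 'X' placeholder that follows. The hidden-directory example prints $6 without the 'sed -e "s|:$||g"' step that the hidden-file example applies, so check whether those log lines also end in a colon, otherwise the generated ALLOWHIDDENDIR values will not match. The sentence telling users not to automate these commands is the important one: every line they emit whitelists a finding taken from a log produced on the very host under suspicion, so each entry should be justified individually before it goes into rkhunter.conf.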
......@@ -2,7 +2,7 @@
Copyright (c) 2003-2008, Michael Boelen
Copyright (c) 2003-2009, Michael Boelen
See the LICENSE file for conditions of use and distribution.
It is recommended that all users of RootKit Hunter (RKH) join the
......@@ -35,14 +35,18 @@ Please note RKH has some requirements:
system does not allow the possibility to install one of these
applications, but does run perl, you can use 'bget' available from If you use another
generic method of updating RKH then please let us know.
generic method of updating RKH then please let us know. Additionally,
a non-standard command to be used for file downloads can be
configured in the RKH configuration file.
4) Some tests require single-purpose tools. RKH does not depend on
these, but it will use them if it finds them - they can enhance
RKH's detection capabilities. The tools are:
these, but it will use them, after you have run '--propupd', if it
finds them - they can enhance RKH's detection capabilities.
The tools are:
- Skdet
Tests for SucKIT, Adore, Adore-NG, UNFshit, UNFkmem and
- Unhide
Finds hidden processes.
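Review bot: 'a non-standard command to be used for file downloads can be configured' should name the option, WEBCMD, which the 1.3.6 CHANGELOG entry in this commit introduces, so readers can find it in the configuration file. The clause inserted into item 4 reads awkwardly ('it will use them, after you have run '--propupd', if it finds them'); suggest 'if it finds them, it will use them once you have run '--propupd''.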
......@@ -54,8 +58,8 @@ ROOTKIT HUNTER INSTALLATION
Unpacking the tar file should produce a single directory called
'rkhunter-<version>'. Where '<version>' is the version number of rkhunter
being installed. For example, the rkhunter-1.3.0.tar.gz tar file will produce
the 'rkhunter-1.3.0' directory when unpacked. Within this directory is the
being installed. For example, the rkhunter-1.3.6.tar.gz tar file will produce
the 'rkhunter-1.3.6' directory when unpacked. Within this directory is the
installation script called ''.
To perform a default installation of RKH simply unpack the tarball and,
......@@ -63,37 +67,36 @@ as root, run the installation script:
tar zxf rkhunter-<version>.tar.gz
cd rkhunter-<version>
./ --layout default --install
./ --install
Note: If some form of file permission error is shown, then check that the
'' script is executable.
RKH installation supports custom layouts. To show some examples
./ --examples
As an another example, to install all files beneath /opt, run:
./ --layout custom /opt --install
To show where files are installed using the 'oldschool' layout
./ --layout oldschool --show
The layout named 'RPM' may not be chosen since it is used solely
for installing RKH using RPM.
The installer also has a help option:
./ --help
The default installation process will install a configuration file,
called 'rkhunter.conf', into the '/etc' directory or where
you chose using the --layout switch. Please edit the configuration
file according to your own system requirements. If the installer
encounters an existing rkhunter.conf, it will not be overwritten.
Instead the installer creates a new configuration file, but with
a unique number as its suffix. Please inspect the new configuration
file and copy over any changes to the existing configuration file.
you chose using the '--layout' switch. You can either edit the main
configuration file itself, or create a 'local' configuration file
for your own settings. This file, which must be called
'rkhunter.conf.local', must reside in the same directory as the main
configuration file. You should edit either, or both, of these files
according to your own system requirements. If the installer
encounters an existing 'rkhunter.conf' file, it will not be overwritten.
Instead the installer creates a new configuration file, but with a
unique number as its suffix. Please inspect the new configuration file
and copy over any changes to the existing main configuration file, or
to your local configuration file.
The main RKH script will be installed into the '/usr/local/bin'
directory or where you chose using the --layout switch. Man pages will
directory or where you chose using the '--layout' switch. Man pages will
be installed into '/usr/local/share/man', and other documentation will
be installed into the '/usr/local/share/doc' directory. RKH data files,
language support, and a directory for temporary files will be
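Review bot: the new configuration paragraph says either or both files may be edited but not how they combine; the 1.3.6 CHANGELOG entry in this commit gives the rule (the main file is read first, then the local file; options allowed once take the last value seen, options allowed more than once accumulate from both files), and one sentence of that here would save the reader a trip to the changelog. Unchanged context a few lines up still reads 'As an another example'; drop one article while the file is open.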
......@@ -128,8 +131,8 @@ To see what other options can be used with rkhunter, enter:
NOTE: The first run of 'rkhunter' after installation may give some
warning messages. Please see the FAQ file for more details
about this.
warning messages. Please see the FAQ file and the rkhunter mailing
list archive posts for more details about this.
......@@ -186,7 +189,7 @@ way is to use the 'tar' command, such as:
Obviously, for official releases, you will need to use the correct tarball
name. For example:
tar xzf rkhunter-1.3.2.tar.gz
tar xzf rkhunter-1.3.6.tar.gz
For users of systems with alternative implementations of 'tar', for example
Solaris users, you may need to break the extraction process into two steps
......@@ -195,13 +198,18 @@ Solaris users, you may need to break the extraction process into two steps
gunzip rkhunter-CVS.tar.gz
tar xf rkhunter-CVS.tar
Additionally it is possible to download from CVS directly using the command:
cvs co -P rkhunter
The extraction process will create a sub-directory containing all the
rkhunter files. The sub-directory name will contain the rkhunter version
number, or, for CVS tarballs, it will simply be called 'rkhunter'.
Change into this directory:
cd rkhunter-1.3.2 (for an official release tarball)
or cd rkhunter (for CVS tarballs)
cd rkhunter-1.3.6 (for an official release tarball)
or cd rkhunter (for CVS and CVS tarballs)
Now, we can run the installer program as described in the section above
about standalone installations:
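Review bot: 'for CVS and CVS tarballs' in the changed 'cd rkhunter' line presumably means 'for CVS checkouts and CVS tarballs', matching the 'cvs co -P rkhunter' step added just above.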
......@@ -240,10 +248,10 @@ INSTALLATION INFORMATION FOR x86_64 SYSTEMS
The installation of RKH is largely independent of the system architecture.
However, RKH does have some support scripts and these need to be installed
into the appropriate library directory. When using the 'default' layout
option, or one of the known layout options (for example, '/usr' or
'/usr/local'), then the relevant 'lib64' directory will be used only if it
already exists. For a 'custom' layout, the 'lib64' directory will be used
into the appropriate library directory. When performing a default
installation, or using one of the known layout options (for example, '/usr'
or '/usr/local'), then the relevant 'lib64' directory will be used only if
it already exists. For a 'custom' layout, the 'lib64' directory will be used
and created if necessary. Standalone installations do not use any special
library directory at all. RPM installations will use the relevant 'lib64'
directory only if the system architecture is detected as being 'x86_64'.
......@@ -258,7 +266,7 @@ was installed using a default installation, then run:
tar zxf rkhunter-<version>.tar.gz
cd rkhunter-<version>
./ --layout default --remove
./ --remove
If you chose a different layout, for example '/usr', then run the
installer using:
......@@ -273,8 +281,8 @@ the installer will remove the whole installation directory (the 'files'
During uninstallation, the installer will remove the initial configuration
file. However, if RKH was installed more than once, then any additional
configuration files are not removed. These may be removed manually.
file (usually '/etc/rkhunter.conf'). However, any other files beginning with
'rkhunter.conf' are not removed. These may be removed manually.
When installing RKH, some directories may have been created. However,
RKH is unaware of this when being uninstalled. As such, and especially
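Review bot: worth stating explicitly that 'rkhunter.conf.local' is among the files left in place, since this release tells users to keep their own settings there; 'any other files beginning with rkhunter.conf' covers it, but only if the reader makes the connection.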
......@@ -457,7 +465,7 @@ installation this would have been in '/var/lib/rkhunter/db'.
Additionally, the mirror directory must have an 'i18n' sub-directory which
contains all the current language translation files for the various versions
of rkhunter. Each version is put into its own sub-directory. So, for example,
there would be a '1.3.1' sub-directory, a '1.3.2' sub-directory and so on,
there would be a '1.3.5' sub-directory, a '1.3.6' sub-directory and so on,
all within the 'i18n' directory. Again, the database directory will already
have had the 'i18n' sub-directory installed in to it, but it will only
contain the language files for the current version of rkhunter. There are
......@@ -473,8 +481,8 @@ Within each rkhunter version sub-directory of the 'i18n' directory, it is
necessary to have a file called 'i18n.ver'. This file simply contains a list
of the available language files, and their version numbers. For example:
So, as an example, the mirror file structure will need to look similar
to this:
......@@ -487,7 +495,7 @@ to this:
mirrors.dat rkhunter_latest.dat i18n suspscan.dat
1.3.4 ============ 1.3.5 ============ 1.3.6
1.3.5 ============ 1.3.6 ============ 1.3.7
/ | \ / | \ / | \
/ | \ / | \ / | \
cn en i18n.ver cn en i18n.ver cn en i18n.ver
......@@ -496,7 +504,7 @@ to this:
Finally, if the '--versioncheck' option is to be supported with the local
mirror, then the directory, 'rkhunter_data' in the above example, must
contain a file called 'rkhunter_latest.dat'. This file must contain the
current rkhunter version number (for example, '1.3.0') and no other text.
current rkhunter version number (for example, '1.3.6') and no other text.
It is possible to similarly define 'remote' mirrors, which begin with the
text 'remote='. At present though there is no real difference between a
......@@ -572,8 +580,8 @@ part of rkhunter, and as such is continuously changing. You should endeavour
to keep your translation up to date with the current version of rkhunter.
If a problem is found with RKH, it is recommended that users initially
try and resolve the problem themselves. This can be done by first
......@@ -610,7 +618,80 @@ information as possible about the problem, but do not make the
message excessively long! Information such as your operating system
and version of RKH should always be included.
Please be advised that while you are free to ask for advice in your
favourite IRC channel, all-purpose forum or distribution mailing list,
the demonstrated level of general and security knowledge and exprience,
and therefore the quality of responses, may vary (very much).
If you are sure the problem is a bug, or want it considered as a
support request, then please submit it directly into the tracker
When you think you have a (potential) security problem it is advised to
think and inform yourself thoroughly before you act. Please consider
checking the FAQ, the rkhunter-users mailing list archives, your
distribution documentation about security and security issues and the
CERT Intruder Detection Checklist, formerly located at, and
archived at\
If you do not have the required knowledge and experience to deal with
security issues then please ensure yourself that the people who respond
do and have.
- Logging in, killing processes, deleting files, powering down, rebooting
the machine, removing or installing software may signal the intruder and
may destroy vital information. If you need to communicate with people or
compile software then do use a different machine to work on.
- If usage of the machine is governed by rules and regulations consider
alerting the designated security officer or team, systems or network
administrators or IT department before doing anything else.
- In your initial email or post include as much information and make it
as detailed as possible. The more details you provide the more efficient
the troubleshooting or incident response process will be.
- Do not be easily satisfied or mistake "don't worry" type of replies for
qualitatively good answers: read the FAQ, ask for specific steps to take
and commands to run so you can verify things yourself.
- Please act timely and responsibly. (Potential) security problems should be
prioritized and acted on at the time of reporting, not days or weeks later.
Rootkit Hunter is a host-based, passive, post-incident, path-based tool.
- Host-based means it only diagnoses the host you run it on.
- Passive means it has to be scheduled or run manually.
- Post-incident means it can only be effective when a breach of security
is suspected, is in progress or has already occurred. Due to the nature of
software that hides processes and files it may be beneficial to run Rootkit
Hunter from a bootable medium if a breach of security is suspected and the
machine can be booted from a bootable medium.
- Path-based means RKH will check for filenames. It does not include or use
heuristics or signatures like for instance an antivirus product could. Do
understand that the SCANROOTKITMODE configuration option and "suspscan"
functionality are just crude attempts to try and bridge that gap.
Rootkit Hunter is best deployed as part of your security strategy.
- Most breaches of security are preceded by reconnaissance. Regular system
and log file auditing provides the necessary "early warning" capabilities.
- RKH does not replace, or absolve you from performing, proper host hardening.
Common administration errors that may result in a breach of security includes
failing to apply updates when they are released, misconfiguration, lack of
access restrictions and lack of auditing.
Please see your distribution documentation and search the 'net.
- Do not rely on one tool or one class of tools. Consider installing same-
class tools like Chkrootkit or OSSEC-HIDS and consider overlap as a Good
Thing. Additionally it is suggested you install and use a separate filesystem
integrity scanner like Samhain, Aide, Integrit, Osiris (or even tripwire) to
provide you with a second opinion.
- Like with all data used for verifying integrity it is recommended to
regularly save a copy of your RKH data files off-site.
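Review bot: 'exprience' should read 'experience' (support paragraph), 'errors that may result in a breach of security includes' should read 'include' (host hardening item), and the 'archived at' line ends in a stray backslash that will show up in the rendered README. On substance, the 'Post-incident' item would be stronger with the converse stated as well: a clean run is not evidence of a clean host, which follows directly from the 'Path-based' item that RKH checks filenames and uses no heuristics or signatures.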
# WISHLIST : Personal and public 'wishes' for Rootkit Hunter
# Notes:
# - All things below CAN be integrated in future, but there are no planned
# dates available. *Your* support can change help that!
# Request:
# - Do you have a copy of an undetected rootkit? Please send it to us, so
# it can be added and help others.
# - Are you a package maintainer? Please submit your changes through
# so *everyone* can benefit from it.
# - Are you an enduser? If you want to submit a patch or discuss enhancements,
# file a bug report, have comments, gripes or questions please
# visit on how you can best reach the project team and
# fellow Rootkit Hunter users.
- more dedicated medior developers
- more dedicated testers
- Add MD5 check for unknown OSes
- Add/improve Tuxkit
- Missing hashes for any releases of supported
- Promiscuous mode detection. In kernel-2.6 the ifconfig + ip (iproute2)
method is no longer working.
- Comparing LKM/KLD startups from rc-scripts (differences)
- Checking for kldload (*BSD) and loading of LKMs in rc-scripts
- Black/whitelisting of LKM/KLD
- Check for multiple instances of tools (like file, ls, ps, find)
- Set lo interface into promisc mode to test ifconfig
- Improve support for Sebek LKM
- Option to use Perl modules on a different place than the usual
(requested by Henk Wevers)
- Debian package (.deb)
- Scanning of multiple machines by using a central server
- Add support for SSH version of
- Adding comparision between Rootkit Hunter and other projects (pros/cons).
*** Maybe someone would like to help us with this? I would like an objective comparison.
- Remove whereis parameter '-b' (doesn't exist)
- Use /usr/pkg/bin/perl instead of /usr/bin/perl
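Review bot: 'comparision' should read 'comparison', and '*Your* support can change help that!' has one verb too many. Two items appear cut off in this diff ('Missing hashes for any releases of supported' and 'Add support for SSH version of'); check that the committed file carries the full lines.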
# Syntax: <port>:<description>:protocol
......@@ -7,9 +7,24 @@ Version:2007080301
# The protocol must be UDP or TCP.
1524:Possible FreeBSD (FBRK) Rootkit backdoor:TCP:
1984:Fuckit Rootkit:TCP:
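Review bot: the 'Version:2007080301' stamp shown as hunk context is unchanged while the file grows from 9 to 24 lines; if '--update' uses that stamp to decide whether a data file has changed, installations will not pick up the new entries, so bump it together with the additions. Also the 'Syntax: <port>:<description>:protocol' comment documents three fields, but every entry carries a trailing colon ('1984:Fuckit Rootkit:TCP:'); either document the fourth, empty field or drop the colons so the file matches its own header.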