

CONTENTS

Introduction
Flowchart
FAQ, Readme and new configuration files - Preview and Download
Download Tarball
Clean Install
Install Rootkit Hunter executable
Modify the configuration file called rkhunter.conf
Commands --propupd and --update
First Scan
Check Log and modify CONF
Abnormal Activity
Regular System Activity
Software Modified
Scan - Manual or Automatic
Check Log
Investigate
Intrusion Procedure
Validate
Second Opinion
Run --propupd and/or modify CONF
Examples of commands with no changed CONF
Mail Deletion
Remove an installed RKH
Run Manual Tests
Licensing
Credits and Contact


Introduction

Rootkit Hunter (commonly abbreviated as "RKH") is a security monitoring and analysis tool for POSIX compliant systems. It helps you detect known rootkits and malware and flags generally poor security practices. Rootkits have a certain structure and place files in certain areas known to the Rootkit Hunter team; this is similar to virus signatures. RKH offers additional scans that may assist you.

One of the features RKH offers is a scan for changed file properties, using criteria similar to those of file integrity checkers. This scan is completely dependent on having a correct database to compare against. In general this can be achieved by installing Rootkit Hunter right after a clean Operating System installation: a database built after a file has already been altered will silently accept that file.
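The following is an added illustration (not rkhunter's own code) of why the file properties database must come from a clean system: a baseline records mode, owner, size and a hash per file, a check reports whatever differs, and a baseline taken after tampering reports nothing. The scenario, file contents and paths are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def file_properties(path):
    """Record the properties a file-properties check compares: mode, owner, size and SHA-256."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "size": st.st_size, "sha256": digest}

def build_database(paths):
    """Baseline, conceptually what a --propupd run stores: path -> recorded properties."""
    return {p: file_properties(p) for p in paths}

def check_against(database):
    """Return {path: [names of properties that differ from the baseline]}."""
    findings = {}
    for path, expected in database.items():
        current = file_properties(path)
        changed = [k for k in expected if current[k] != expected[k]]
        if changed:
            findings[path] = changed
    return findings

def demo():
    """Constructed scenario: baseline a clean file, replace it, then compare both baselines."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "ls")          # stand-in for a system binary
        with open(binary, "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        os.chmod(binary, 0o755)
        clean_db = build_database([binary])     # taken while the file is still clean
        with open(binary, "wb") as fh:          # simulated tampering: contents and mode change
            fh.write(b"#!/bin/sh\necho tampered\n")
        os.chmod(binary, 0o700)
        late_db = build_database([binary])      # baseline taken too late: tampering is baked in
        return {"clean_baseline_flags": check_against(clean_db),
                "late_baseline_flags": check_against(late_db)}
```

Run `demo()`: the clean baseline flags mode, size and hash changes on the file, while the late baseline reports an empty result.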

Rootkit Hunter is not a reactive tool: it only enumerates encountered threats. It is up to you to read the log file and investigate suspicious activity.

The RKH team includes documentation with each release (which you can also find online). In addition this Wiki offers limited suggestions. Another source of information is the rkhunter-users mailing list archive. If you cannot find a solution to your problem in those sources, would like to suggest improvements, or would like to discuss a breach of security, you are invited to join the rkhunter-users mailing list. If you would like to submit a patch you can also use our Sourceforge bug tracker.


The RKH configuration file has a number of options. The most important ones are discussed below. You can also run

man rkhunter

for other options.

Remarks
CONF (the RKH configuration file) refers to /etc/rkhunter.conf, /usr/local/etc/rkhunter.conf or where you installed it if you chose a non-standard location.

Commands can be copied and pasted into your shell. Please be aware that you need to change the path and your login name as appropriate. Konsole users can use the pull-down menu and select Paste. My home folder is /home/gordy; change my commands to suit. RKH uses US spelling in commands while I use Australian spelling elsewhere.

Disclaimer
I am not a part of the RKH development team but the prime RKH Wiki editor and an RKH home user. My documentation and suggestions have been verified by the Rkhunter team. I accept no blame for any of this Wiki text I wrote. Please use independent advice if you have any concerns or refer to the intrusion procedures.


If you wish to go to the single-page version at some stage within these multi-pages, click on the Wiki tab and then click on Home.

