
CONTENTS

Introduction

Flowchart

Download Tarball

Clean Install the Rootkit Hunter executable

Modify the configuration file called rkhunter.conf

Commands --propupd and --update

First Scan

Check Log and modify CONF

Activity -- Abnormal or Normal and results of Software Modified

Scan - Manual or Automatic

Check Log

Some common log entries

Investigate

Intrusion Procedure

Validate or obtain a second opinion

Run --propupd and or modify CONF

End of flowchart. Non-essential but maybe relevant information below

Examples of some commands that can be run manually

Mail Deletion

Remove an installed RKH

Online FAQ, README and new configuration files - Preview or Download

Licensing

Credits and Contact

Link to cvs wiki


Introduction

Rootkit Hunter (commonly abbreviated as "RKH") is a security monitoring and analysis tool for POSIX-compliant systems. It helps you detect known rootkits and malware, and flags general bad security practices. Rootkits have a certain structure and place files in certain areas, which are known to the Rootkit Hunter team; this is similar to virus signatures. RKH also offers additional scans that may assist you.

One of the features RKH offers is a scan for changed file properties, similar to some of the criteria that file integrity checkers use. This scan is completely dependent on having a correct database to compare against. In general this can be achieved by installing Rootkit Hunter right after a clean operating system installation.

Rootkit Hunter is not a reactive tool: it only enumerates encountered threats. It is up to you to read the log file and investigate suspicious activity.

The RKH team includes documentation with each release (which you can also find online). In addition, this Wiki offers limited suggestions. Another source of information is the rkhunter-users mailing list archive. If you cannot find a solution to your problem in those sources, would like to suggest improvements, or would like to discuss a breach of security, you are invited to join the rkhunter-users mailing list. If you would like to submit a patch, you can also use our Sourceforge bug tracker.


RKH needs root privileges, whether you run a manual scan or create a cron job for it. You will therefore also need root privileges to view the log, which is under /var/log/.

The RKH configuration file has a number of options. The most important ones are discussed below. You can also run

man rkhunter

for other options.

Remarks
CONF (the RKH configuration file) refers to /etc/rkhunter.conf, /usr/local/etc/rkhunter.conf or where you installed it if you chose a non-standard location.

Commands can be copied and pasted into your shell. Please be aware you need to change the path and your login name as appropriate. Konsole users can use the pull-down menu and select Paste. My home folder is /home/gordy; change my commands to suit. RKH uses US spelling in commands while I use Australian spelling elsewhere.

Disclaimer
I am not a part of the RKH development team but the prime RKH Wiki editor and an RKH home user. My documentation and suggestions have been verified by the Rkhunter team. I accept no blame for any of this Wiki text I wrote. Please use independent advice if you have any concerns or refer to the intrusion procedures.

New Operating System FAQ

Please read the unpacked file under rkhunter-1.3.8/files/development/new-os-support.

It includes references to:
awk cat chmod chown cp cut date egrep grep head ls mv sed sort tail touch tr uname uniq wc

ROOTKIT HUNTER REQUIREMENTS

Please note that RKH has some requirements:
Before RKH starts it will check that certain required commands
are present on the system. These are typical commands such as
'cat', 'sed', 'head', 'tail', etc. If a command is missing then RKH will not run.

Some tests require commands such as stat, readlink, md5/md5sum or
sha1/sha1sum. If these are not present, then RKH has perl
scripts which will automatically be used instead. However, this
requires perl, and certain modules, being present. If they are
not, then the tests will be skipped. Readlink is provided as a
script itself, and does not use perl. Other tests will use other
commands. If the relevant command is not found on the system,
then the test will be skipped.

A tool should be present with which to download file updates.
Currently wget, curl, (e)links, lynx and GET are supported. If your
system does not allow the possibility to install one of these
applications, but does run perl, you can use 'bget' available from
http://www.cpan.org/authors/id/E/EL/ELIJAH/. If you use another
generic method of updating RKH then please let us know. Additionally,
a non-standard command to be used for file downloads can be
configured in the RKH configuration file.

Some tests require single-purpose tools. RKH does not depend on
these, but it will use them if it finds them. They can enhance
RKH's detection capabilities.
The tools are:
-- Skdet
Tests for SucKIT, Adore, Adore-NG, UNFshit, UNFkmem and frontkey.
http://dvgevers.home.xs4all.nl/

-- Unhide and unhide-tcp (C versions)
Finds hidden processes.
http://unhide.sourceforge.net

-- Unhide (Ruby version)
Finds hidden processes.
https://launchpad.net/unhide.rb

If the relevant tool is not found, then the test is skipped.
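
The requirement rules above can be checked on a host before installing. The following preflight script is an added example, not part of rkhunter or of this wiki's original text; it treats the command list quoted from new-os-support as the required set and assumes the optional tools install under the binary names skdet, unhide, unhide-tcp and unhide.rb.

```shell
#!/bin/sh
# Added example, not rkhunter code: report how the requirements above
# would be met on this host. Optional-tool binary names are assumptions.
REQUIRED="awk cat chmod chown cp cut date egrep grep head ls mv sed sort tail touch tr uname uniq wc"
DOWNLOADERS="wget curl links elinks lynx GET bget"   # any one is enough
OPTIONAL="skdet unhide unhide-tcp unhide.rb"         # absent => test skipped

have() { command -v "$1" >/dev/null 2>&1; }

# first_found CMD...: print the first command present on PATH, else fail.
first_found() {
    for c in "$@"; do
        if have "$c"; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# missing_from CMD...: print, space-separated, the commands not on PATH.
missing_from() {
    m=""
    for c in "$@"; do have "$c" || m="$m $c"; done
    printf '%s\n' "${m# }"
}

# helper_for NAME CMD...: native tool, perl fallback, or skipped test.
# readlink is the exception: the page says RKH ships a non-perl script.
helper_for() {
    name=$1; shift
    if first_found "$@" >/dev/null; then echo "$name: native"
    elif [ "$name" = readlink ]; then echo "$name: bundled script"
    elif have perl; then echo "$name: perl fallback"
    else echo "$name: tests skipped"
    fi
}

# preflight: print a status line per group; return 1 only when a required
# command is missing, the one case where the page says RKH will not run.
preflight() {
    rc=0
    miss=$(missing_from $REQUIRED)
    if [ -n "$miss" ]; then echo "FATAL missing required: $miss"; rc=1
    else echo "required: ok"; fi
    helper_for stat stat
    helper_for md5 md5 md5sum
    helper_for sha1 sha1 sha1sum
    helper_for readlink readlink
    echo "download: $(first_found $DOWNLOADERS || echo none)"
    echo "optional missing (tests skipped): $(missing_from $OPTIONAL)"
    return $rc
}

preflight || echo "rkhunter would refuse to start on this host"
```

A "perl fallback" line still depends on the perl modules the text mentions being installed, which this script does not check.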
