The Rootkit Hunter project team is pleased to announce the release of version 1.4.0.
New:
Added the '--list propfiles' command-line option. This will dump out the list of filenames that will be searched for when building the file properties database. By default the list is not shown if just '--list' is used.
Added Jynx rootkit check.
Added Turtle/Turtle2 rootkit check.
Added KBeast rootkit check.
The installer now supports the Slackware TXZ package layout option.
Changes:
Allow the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options to use '%' as the space character. (Note: This is a temporary fix).
The ALLOWPROCDELFILE option can now use wildcards in the file names.
The '--list perl' command-line option now shows whether the perl command itself is installed or not.
The 'shared_libs' test now allows whitelisting of the preloading environment variables.
The '-r/--rootdir' command-line options and the ROOTDIR configuration option are now deprecated. If they are used then an error message will be displayed. The options will have no effect, but rkhunter will continue. The options will be completely removed at the next release.
The 'hidden_ports' test will now show if a found port is TCP or UDP.
It is now possible to whitelist ports in the 'hidden_ports' test using the PORT_WHITELIST configuration option.
Bugfixes:
Allow the ALLOWPROCDELFILE option to work again.
Correct the check of the ProFTPD version number.
Fix the FreeBSD 'sockstat' command check to ensure that the correct fields are used.
Fix for newer version of the 'file' command when reporting scripts.
Fix the ALLOWHIDDENFILE option to allow hidden symbolic links.
The 'filesystem' check now handles files and directories with spaces in their names correctly.
The 'startup_files' test was displaying file names with spaces in them incorrectly. Also the test was not checking files which were in hidden directories.
Ensure that the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options re-evaluate their whitelisting lists to ensure that any wildcard entries are the most recent. (A time window previously existed which meant that the list was processed, but new files could be created before the test was run. As such they were reported as false-positive warnings, when they should have been whitelisted.)
Allow the EXISTWHITELIST option to work with symbolic links.
The test of whether prelinking is being used or not was sometimes causing the file properties hash test to be skipped, without the real reason being stated. Now the hash test will proceed but the user will still get a warning (because it detects that prelinking was used and is not now, or vice-versa).
Rkhunter will now check to see if the 'head' and 'tail' commands understand the '-n' option. If they do, then it will be used. If they do not, then the older 'head -1' and 'tail -1' commands will be used.
For more details please see the CHANGELOG.
2012-04-30 16:25:28 PDT by unspawn
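The following is an added illustration, not rkhunter's own code and not taken from the project, of two items in the 1.4.0 notes above: whitelist options such as ALLOWHIDDENFILE accepting '%' as the space character alongside wildcard entries, and the start-up check of whether 'head' and 'tail' understand the '-n' option. The ALLOWHIDDENFILE value, the file names and all function names are constructed for the example; rkhunter's actual parsing and matching may differ.

```sh
#!/bin/sh
# Added example (not rkhunter's code). Assumes a POSIX /bin/sh.
# Part 1: whitelist matching where '%' stands for a space and entries may
#         contain shell wildcards.
# Part 2: choosing 'head -n 1' / 'tail -n 1' or the legacy 'head -1' / 'tail -1'.

# --- 1. Whitelist matching with '%' as the space character --------------
# Constructed value in the style of an rkhunter.conf option. Entries are
# separated by whitespace, so a space inside a name is written as '%'.
ALLOWHIDDENFILE="/etc/.pwd.lock /etc/.java /var/lib/.my%hidden%file /opt/app/.cache-*"

# Usage: is_whitelisted PATHNAME WHITELIST  -> exit 0 if matched, 1 otherwise.
# Runs in a subshell so 'set -f' (no pathname expansion) cannot leak out.
# Without 'set -f' an entry such as /opt/app/.cache-* would be expanded
# against the real filesystem while the list is being split into words.
is_whitelisted() (
    set -f
    path=$1
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr '%' ' ')
        # 'case' still performs pattern matching under 'set -f'; the quoted
        # subject is literal while the unquoted pattern keeps its wildcards.
        case "$path" in
            $entry) return 0 ;;
        esac
    done
    return 1
)

# Usage: hidden_file_warnings FILE...  -> one warning per non-whitelisted file
# on stderr, and the number of warnings on stdout.
hidden_file_warnings() {
    count=0
    for f in "$@"; do
        if ! is_whitelisted "$f" "$ALLOWHIDDENFILE"; then
            echo "Warning: Hidden file found: $f" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# --- 2. Probing whether head/tail accept '-n' ----------------------------
# Usage: supports_n_option head|tail  -> exit 0 if "CMD -n 1" returns the
# expected line of a known two-line input, 1 otherwise.
supports_n_option() {
    case $1 in
        head) want=first ;;
        tail) want=second ;;
        *)    return 1 ;;
    esac
    got=$(printf 'first\nsecond\n' | "$1" -n 1 2>/dev/null) || return 1
    [ "$got" = "$want" ]
}

# Decide once at start-up which syntax works; later code just calls
# first_line / last_line instead of repeating the probe.
detect_head_tail_syntax() {
    if supports_n_option head; then HEAD_ONE="head -n 1"; else HEAD_ONE="head -1"; fi
    if supports_n_option tail; then TAIL_ONE="tail -n 1"; else TAIL_ONE="tail -1"; fi
}
first_line() { $HEAD_ONE; }
last_line()  { $TAIL_ONE; }

# Stand-alone demonstration with constructed file names.
detect_head_tail_syntax
echo "Using: $HEAD_ONE / $TAIL_ONE"
hidden_file_warnings /etc/.pwd.lock "/var/lib/.my hidden file" /etc/.evil
```

Running the script reports one warning (for /etc/.evil) and prints a count of 1; the two whitelisted names, including the one containing spaces, are silently accepted, and the wildcard entry covers any /opt/app/.cache-* file.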
The Rootkit Hunter project team is pleased to announce the release of version 1.3.8.
The change log lists 24 bug fixes, 29 changes and 18 new items. Naming a few:
* Whitelist rootkit strings (RTKT_FILE_WHITELIST).
* Whitelist items not always present (EXISTWHITELIST).
* Whitelist combined pathname and port number (PORT_WHITELIST).
* Added Whirlpool and Ripemd160 hashes to file properties check.
* Support for DragonFly BSD.
* Support for Solaris OS package management.
* The 'suspicious files' check displays each item individually.
* The '--enable' and '--disable' command-line options may now be specified more than once.
* Grsecurity-enabled systems may now run the network 'ports' test.
* Allow test names for the 'unhide' command (UNHIDE_TESTS).
* Rootkit checks added: OS X Togroot and Boonana (Koobface.A) trojan, Solaris Wanuk backdoor and worm and Inqtana worm.
* Better support for *BSD commands and OS X.
For more details please see the CHANGELOG at http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter/files/CHANGELOG.
Rootkit Hunter release 1.3.8 obsoletes all previous releases: please upgrade.
Thanks to John Horne and all contributors who made this release possible by providing code, submitting ideas, bugs, fixes, documentation, helping out on the rkhunter-users mailing list and promoting Rootkit Hunter. For more details please see the ACKNOWLEDGMENTS.
2010-11-16 17:06:27 PST by unspawn
The Rootkit Hunter project team is pleased to announce the release of version 1.3.6 on 2009/11/29.
This release offers more ease of use and improved rootkit and malware checks. The change log lists 29 additions including 9 configuration options and details for 12 rootkits, 29 changes including improvements for 15 rootkit checks and 22 bugfixes. Naming a few:
* New IGNORE_PRELINK_DEP_ERR configuration option in case of persistent prelink dependency errors.
* New USER_FILEPROP_FILES_DIRS configuration option to add files and directories to the file properties check.
* New COPY_LOG_ON_ERROR configuration option to copy the log file if any errors or warnings have occurred.
* New WEBCMD configuration option to specify the command used to download data file updates from the Internet.
* Rkhunter will look for configuration options in the main configuration file, and then in the local configuration file if it exists.
* New SHARED_LIB_WHITELIST configuration option for whitelisting preloaded shared libraries.
* New WARN_ON_OS_CHANGE configuration option. If unset then no warnings will be shown.
* New UPDT_ON_OS_CHANGE configuration option. If set and the O/S has changed then rkhunter will automatically update properties ('rkhunter --propupd').
* Added support for hash functions SHA224, SHA256, SHA384 and SHA512 using CPAN perl modules Digest-SHA-PurePerl or SHA256.
* New UPDATE_LANG configuration option.
* New ALLOWPROMISCIF configuration option.
* New PKGMGR_NO_VRFY configuration option for fine-grained package manager verification process control.
* Rootkit checks added: Adore Rootkit (aka strings.o aka Dextenea), cb, CX, Fu, iLLogiC, ld-linuxv.so.1, 'Spanish', trNkit, Xzibit, ZK.
* Updated rootkit / malware checks: Ambient (ark), beX2, BOBkit, Dica-kit, Dreams, Enye LKM, evil strings test, Fleakit, FreeBSD, Phalanx2, SHV4, Universal (URK).
For more details please see the CHANGELOG at http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter/files/CHANGELOG.
Rootkit Hunter release 1.3.6 obsoletes all previous releases: please upgrade.
Thanks to John Horne and all contributors who made this release possible by providing code, submitting ideas, bugs, fixes, documentation, helping out on the rkhunter-users mailing list and promoting Rootkit Hunter. For more details please see the ACKNOWLEDGMENTS.
2009-11-29 08:09:41 PST by unspawn
The change log lists 4 additions, 8 changes and 9 bugfixes.
Naming a few:
- Added IntoXonia-NG rootkit check.
- Added Phalanx2 rootkit check.
- Added support for TCB shadow files.
- The '--propupd' option can now take an optional file, directory or package name after it.
- Revised file properties inode check.
- Tests against the SSH configuration file now accept the key/value pair.
- Improved the O/S name detection.
- The Linux 'os_specific' test has now been split into two separate tests.
- Improved ALLOWPROCDELFILE configuration option.
- Improved hidden files and directories check.
- The DBDIR directory can now be read-only, after installation.
- Improved debug file option.
- The system startup file and directory tests have now been merged.
Thanks to John Horne and all contributors who made this release possible by providing code, submitting ideas, bugs, fixes, documentation, helping out on the rkhunter-users mailing list and promoting Rootkit Hunter.
2008-12-30 14:55:40 PST by unspawn
The Rootkit Hunter project team announces release 1.3.2.
The changelog lists 3 additions, 6 changes and 14 bugfixes. Naming a few:
- Socklog and rsyslog daemons support.
- IRIX/IRIX64 support.
- Application version check errors mostly ignored.
- Unset ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1.
- Application check whitelisting.
- 'pflog' checked for all *BSD now.
- Correct scanning of /dev in LAZY mode.
- Whitelisted passwordless account names logged.
- Corrected obtaining process names in Solaris.
- Unset MANPATH for .spec (OpenSuSE).
- Correct hidden files/directories test behaviour.
- Cater for those using fdesc/fdescfs.
2008-02-27 09:14:14 PST by unspawn