John Horne aus9

Contents

Introduction (see below)
Flowchart
Download
Clean install
Modify initial config
Update system file properties
First scan
Check log and edit config
Abnormal, normal and system upgrade results
Manual and automatic scans, including mail
Log
Investigate
Intrusion procedure
Validate and second opinion
Update properties if no intrusion
Other manual scans
Mail deletion
Remove/delete old RKH
FAQ
License
Credits
CVS - not for production machines etc

Pages outside flowchart but deemed necessary
skdet
unhide C version

Introduction

Rootkit Hunter (commonly abbreviated as RKH) is a security monitoring and analysing tool for POSIX-compliant systems. It helps you detect known rootkits and malware, and flags general bad security practices. Rootkits have a recognisable structure and place files in particular locations, and the Rootkit Hunter team keeps track of these patterns in much the same way as virus signatures. RKH also offers additional scans that may assist you.

One of the features RKH offers is a scan for changed file properties, using criteria similar to those used by file integrity checkers. This scan is only as good as the database it compares against, so you must ensure that database is correct. In general this is achieved by installing Rootkit Hunter immediately after a clean operating system installation.

Rootkit Hunter is not a reactive tool: it only reports the threats it encounters and takes no action against them. It is up to you to read the log file and investigate suspicious activity.

The RKH team includes documentation with each release (which you can also find on-line). In addition, this wiki offers limited suggestions. Another source of information is the rkhunter-users mailing list archive. If you cannot find a solution to your problem in those sources, would like to suggest improvements, or would like to discuss a breach of security, you are invited to join the rkhunter-users mailing list. If you would like to submit a patch you can also use our Sourceforge bug tracker.

This scanning tool needs root privileges to run a manual scan or to create a cron job. Therefore, you will also need root privileges to view the log, which is under /var/log/.

The RKH configuration file has a number of options. The most important ones are discussed in this wiki. You can also run

" $ man rkhunter
" # rkhunter --help

Remarks
I use CONF to refer to the RKH configuration file /etc/rkhunter.conf, /usr/local/etc/rkhunter.conf or where you installed it if you chose a non-standard location.

Commands can be copied and pasted into your shell. Please be aware you need to change the path and your login name as appropriate. RKH uses US spelling in commands while I use Australian spelling in wiki.

Rootkit Hunter Requirements

Before RKH starts it will check that certain required commands are present on the system. These are typical commands such as 'cat', 'sed', 'head', 'tail', etc. If a command is missing then RKH will not run.

Some tests require commands such as stat, readlink, md5/md5sum or sha1/sha1sum. If these are not present, then RKH has perl scripts which will automatically be used instead. However, this requires perl, and certain modules, being present. If they are not, then the tests will be skipped. Readlink is provided as a script itself, and does not use perl. Other tests will use other commands. If the relevant command is not found on the system, then the test will be skipped.

A tool should be present with which to download file updates. Currently wget, curl, (e)links, lynx and GET are supported. If your system does not allow you to install one of these applications but does run perl, you can use 'bget', available from http://www.cpan.org/authors/id/E/EL/ELIJAH/. If you use another generic method of updating RKH then please let us know. Additionally, a non-standard command to be used for file downloads can be configured in the RKH configuration file.

Some tests require single-purpose tools. RKH does not depend on these, but it will use them if it finds them. They can enhance RKH's detection capabilities.

The tools are:

  • skdet
  • unhide and unhide-tcp (C versions)

If the relevant tool is not found, then the test is skipped.
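As an added example (not part of Rootkit Hunter or its documentation), the following POSIX shell script performs the pre-flight check described above: it verifies the core commands, reports which optional tools would fall back to RKH's perl scripts, looks for a supported downloader, and notes whether skdet and unhide are present. The command names are the ones listed above; the messages and the order in which downloaders are tried are my own assumptions.

```shell
#!/bin/sh
# Added pre-flight check modelled on the RKH requirements above (not RKH's own code).

# Print the first command from the arguments found in PATH; fail if none.
first_available() {
    for c in "$@"; do
        if command -v "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# RKH refuses to run if any core command is missing: returns 0 when all
# are present, otherwise lists the missing ones and returns 1.
check_required() {
    missing=""
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || missing="$missing $c"
    done
    [ -z "$missing" ] && return 0
    printf 'missing required:%s\n' "$missing"
    return 1
}

rkh_preflight() {
    check_required cat sed head tail || return 1
    # Optional tools with a perl-script fallback (which itself needs perl).
    for alts in "stat" "md5sum md5" "sha1sum sha1"; do
        if found=$(first_available $alts); then   # unquoted: split on spaces
            echo "$found: found"
        elif command -v perl >/dev/null 2>&1; then
            echo "$alts: missing, RKH would use its perl script instead"
        else
            echo "$alts: missing and no perl, related tests will be skipped"
        fi
    done
    # A downloader is needed for file updates; bget is the perl option.
    if dl=$(first_available wget curl elinks links lynx GET bget); then
        echo "downloader: $dl"
    else
        echo "downloader: none found, file updates cannot be fetched"
    fi
    # Single-purpose tools: optional, their tests are skipped when absent.
    for tool in skdet unhide unhide-tcp; do
        command -v "$tool" >/dev/null 2>&1 && echo "$tool: found" || echo "$tool: not found, its test is skipped"
    done
}
rkh_preflight
```

Run it as any user; it only reads PATH and never touches the RKH database or log.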

wiki root commands and wiki syntax

I use su and not sudo. So if any wiki page says

" $ su -

try 'sudo -i'. YMMV

Also, I use the " as a quick way to show colour in a home user's web browser. Please don't copy and paste it when it appears to the left of the $ or # sign.

Where I show commands:
$ = non-root user command
# = root user command

CONF is my way of referring to rkhunter.conf, AKA the config file.
A hash (#) in the CONF means the setting is commented out, so "remove the comment" means remove the #.
