Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like 'skdet' and 'unhide'. It should run on almost every Unix clone.
| Field | Value |
|---|---|
| Tags | Systems Administration, Monitoring, Security |
| Licenses | GPL |
| Operating Systems | Unix |
| Implementation | Unix Shell |
Recent releases


Changes: IntoXonia-NG and Phalanx2 rootkit checks were added. Support for TCB shadow files was added. The "--propupd" option can now take an optional file, directory, or package name after it. The file properties inode check was revised. SSH configuration file tests accept key/value pairs. The Linux "os_specific" test has been split into two separate tests. The DBDIR directory can now be read-only. The ALLOWPROCDELFILE configuration option was improved. The check for hidden files and directories was improved.


Changes: This is the final release of version 1.3.0. 30 new features were added. 47 changes and 16 bugfixes were made.


Changes: Given the timeframe between releases, the changelog is packed, listing 34 new features, 47 changes, and 16 bugfixes. A new option '--propupd' replaces 'hashupd.sh'. A new option '--pkgmgr' supports RPM, dpkg, and BSD-style package managers. Support has been added for Ubuntu and for the 'dash' and 'ash' shells. Internationalization (i18n) has been added. New options '--enable' and '--disable' specify which tests are run or ignored. Support for Solaris 10 inetadm has been added. More whitelisting options are available.


Changes: This release added support for RHEL WS/AS/ES 3 Taroon update 8, Fedora Core 5, and SuSE 10. Checks were added for packet capturing applications and processes using deleted files. The netstat check was enabled for AIX and the backdoor check was enabled for SunOS. Logfile specification and checks were added.


Changes: A new alias was added for --skip-keypress. Additional support for Fedora Core 4, FreeBSD 4.11, 5.2, 5.3, 5.4, and 6.0, CentOS 3.3 ('final' and 'Final'), CentOS 3.5, 4.1, and 4.2, Debian 3.1 (AMD64), RHEL WS/AS/ES 3, Taroon update 6, RHEL WS 4, Nahant Update 1 and 2, and Slackware 10.2 was provided. Some small enhancements and hash updates were also included.
Recent comments

Announce: Rootkit Hunter mailing list
I would like to announce that Rootkit Hunter now has a mailing list on SourceForge. If you run RKH, please go to http://lists.sourceforge.net/mailman/listinfo/rkhunter-users to add yourself to the list to be able to ask questions, discuss topics related to RKH, drop requests, or even help out with RKH.
Cheers, unSpawn
MD5 check fails on fedora core 3 file
Hi,
I have a server with Fedora Core 3. Recently I updated the e2fsprogs-1.38-0.FC3.1 rpm package, and now rkhunter returns an MD5 error for the /usr/bin/lsattr file, which is included in that package. Is it a false negative?
Thanks.
Here is the rkhunter 1.2.7 log:
```
Rootkit Hunter 1.2.7 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ BAD ] <---- MD5 fails
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
-------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
-------------------------------------------------
```
Problem with hash tests on SuSE
Hi, rkhunter is not doing the hash tests on my system:
```
Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
.
.
[14:20:02] ---------------------------- System checks ----------------------------
[14:20:02] Info: kernel is 2.6
[14:20:02] Info: Found /etc/SuSE-release
[14:20:02] Info: Full OS name = SuSE Linux 9.2 (i586)
[14:20:02] Info: OS ID = 163
[14:20:02] Info: Using /usr/bin/md5sum to verify MD5 hashes
[14:20:02] Info: /usr/bin/md5sum found
[14:20:02] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[14:20:02] Info: UID is zero (root)
[14:20:02] Info: Perl version 5.8.5 found
[14:20:02] Info: Digest::MD5 installed (version 2.33).
[14:20:02] Info: Using Perl Digest::MD5 module instead of /usr/bin/md5sum
[14:20:02] Info: Digest::SHA1 installed (version 2.10).
[14:20:02] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
[14:20:02] ---------------------------- File checks -----------------------------
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
[14:20:02] ------------------------------ Selftests ------------------------------
[14:20:02] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
[14:20:02] Strings selftest: scanning for string /usr/lib/.../ls... OK
.
.
all OK
.
.
[14:20:03] ---------------------------- MD5 hash tests ---------------------------
[14:20:03] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[14:20:09] ------------------------------ Rootkits ------------------------------
```
That's all it shows.
If I run the .pl manually I get:
```
/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl /bin/ps
f9d313f205a74e710baa3c3702caa145
```
Any ideas what's wrong?
Re: strange update issue.
This is solved in release version 1.2.7.
strange update issue.
Hey,
A very strange issue here: I've tried to update Rootkit Hunter from 1.2.5 to 1.2.6.
Now, after the update, when I try rkhunter --update, I get this:
```
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror11.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Update available
Action: Database updated (current version: 2005050600, new version 2005051900)
[DB] Operating System information : Update available
Action: Database updated (current version: 2005050700, new version 2005052200)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date
```
But if I try rkhunter --update again, I get the same message; it seems like the "MD5 hashes system binaries" db and the "Operating System information" db are not getting updated.
The MD5 hashes db always shows 2005050600 as the current version; although the latest is quite a bit higher, it doesn't seem to be getting updated.
The same goes for the OS information: the current version is 2005050700 and the new version is 2005052200, but it is not getting updated.
Any ideas?
Thanks,
Prashant