#################################################################################
See the website for the latest and complete FAQ

What's up with Rootkit Hunter? I haven't seen any updates in *ages*!
In the second quarter (IIRC) of 2006 the founder of Rootkit Hunter (abbrev.: RKH)
found out the hard way that maintaining FOSS can be difficult when RL commitments overrule.
Management of the project (read: responsibility ;-p) was taken over by unSpawn and
a project group comprising developers and testers was formed. The Rootkit Hunter
project team is committed to making sure development continues. If you're interested
in joining the development team send an email to unspawn at users dot sourceforge dot
net (--verbosity appreciated).

What is Rootkit Hunter?
It is an easy-to-use tool which checks machines running UNIX (clones) for the
presence of rootkits and other unwanted tools.
Most times these are self-hiding toolkits used by blackhats/crackers/scriptkiddies to
avoid the eye of the sysadmin.

How do I install Rootkit Hunter?
Download the gzipped tarball, extract it and run the installation script.
Download Rootkit Hunter from http://rkhunter.sourceforge.net
Note: it doesn't matter where you save the archive.
# tar zxf rkhunter-<version>.tar.gz
Or you can create an RPM file with the integrated rkhunter.spec file and install it:
# rpmbuild -ta rkhunter-<version>.tar.gz
Note: I don't support any 3rd party RPM file, but I will maintain the spec file.
If you have questions/suggestions about the spec file, please let us know.

Rootkit Hunter tells me there is something wrong with my system, what should I do?
* Read "Intruder Detection Checklist" first:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
It tells you what to check. This makes it easier for you to find out and
* Remember that if you are unsure you can get a second opinion almost everywhere,
from the rkhunter-users mailing list to Linux-oriented fora like LinuxQuestions.org

(1) If just one check fails, it is possible you have a so-called false positive.
Sometimes this will happen due to package updates, custom configurations or
changed binaries. If so, please validate:
- If you run a file integrity checker like Aide, Samhain or even Tripwire, consult
the results from running those tools. Note they must be installed directly after
the O.S. installation to be useful and you must keep a copy of the binary, config
and databases off-site. Also note running those and Rootkit Hunter is no substitute
for updating software when updates are released and proper host and network hardening.
- If you don't run a file integrity checker you can possibly use your distribution's
package management system if it (is configured to) deal with verification.
- Run "strings <file>" and check for untrusted file paths (things like /dev/.hiddendir).
- Check recently updated binaries and their original source. If it is due to an update, please send
us a URI to the changed file (like an RPM), so I can add new hashes to the databases.
- Run "file <file>" and compare the output with that of other (especially trusted) binaries. If some binaries
are linked statically and others are all dynamic, then they could have been trojaned.
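To make the "strings <file>" and "file <file>" checks above concrete, here is an added Python example; it is not part of rkhunter or of this FAQ. It extracts printable strings from a binary the way strings(1) does and flags hidden paths under /dev (the FAQ's example) plus, as an assumption added here, hidden entries under temporary directories. It also reads the ELF program headers to tell a dynamically linked binary (one carrying a PT_INTERP entry) from a statically linked one, which is the distinction the file(1) comparison relies on. The fake ELF builder and the sample byte string are constructed for the demonstration.

```python
import re
import struct
import sys

PT_INTERP = 3  # program header type naming the dynamic loader (ld.so)

# Paths a regular system binary has no business referencing. The hidden
# directory under /dev is the FAQ's example; hidden entries under temporary
# directories are an assumption added for this example.
SUSPICIOUS = re.compile(r"/(?:dev|tmp|var/tmp)/\.\S*")


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def suspicious_paths(data):
    """Untrusted paths embedded in a binary, as the 'strings <file>' check looks for."""
    hits = set()
    for s in printable_strings(data):
        hits.update(m.group() for m in SUSPICIOUS.finditer(s))
    return sorted(hits)


def elf_linkage(data):
    """'dynamic' if the ELF has a PT_INTERP program header, 'static' if it has
    none, 'not-elf' for anything else. This is what file(1) reports as
    'dynamically linked' versus 'statically linked'."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return "not-elf"
    is_64bit = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is_64bit:
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break  # truncated or corrupt program header table
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:
            return "dynamic"
    return "static"


def fake_elf64(with_interp):
    """Constructed minimal ELF64 image: a file header plus, optionally, one
    PT_INTERP program header. Only the fields elf_linkage() reads are meaningful."""
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # 64-bit, LE, ELF version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0,      # e_type, e_machine, e_version, e_entry
                                 64, 0, 0,         # e_phoff, e_shoff, e_flags
                                 64, 56, phnum,    # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)         # e_shentsize, e_shnum, e_shstrndx
    if with_interp:
        header += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 0)
    return header


# Constructed sample of what strings(1) might show for a tampered binary.
SAMPLE = b"\x00libc.so.6\x00/dev/.hiddendir/sniff\x00/etc/ld.so.cache\x00"


def inspect_file(path):
    """Run both checks on a real file on disk."""
    with open(path, "rb") as f:
        data = f.read()
    return {"linkage": elf_linkage(data), "suspicious": suspicious_paths(data)}


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, inspect_file(p))
    if not sys.argv[1:]:
        print("sample strings:", suspicious_paths(SAMPLE))
        print("fake dynamic ELF:", elf_linkage(fake_elf64(True)))
```

Run it with one or more binaries as arguments to compare their linkage; a lone statically linked copy of a tool whose siblings are all dynamic is exactly the outlier the answer above describes.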

If you have a warning about another part of the checks, please join the rkhunter-users
mailing list and tell us about your system configuration:
- purpose of the server (for example: webserver, intranet fileserver, shell server),
- the (approximate) date of the incident and when you found out,
- the running distribution name, release and kernel version,
- if any passwd/shadow data has changed,
- any anomalies you find from reading system, daemon, IDS and firewall logs,
- if all installed software was recently updated,
- what services are or were running at the time,
- if you found setuid root files in directories for temporary files,
- any anomalies you find from reading user shell histories.

(2) If your system is infected with a rootkit, cleaning up is not an option. Restoring
is also not an option unless you are skilled and have autonomous and independent means of
verifying the backup is a) clean and b) does not contain misconfigured or stale software.
Never trust a compromised machine. Period.
* Read "Steps for Recovering from a UNIX or NT System Compromise":
http://www.cert.org/tech_tips/root_compromise.html
A clean install of the system is recommended after backing up the full system. So follow
1. Stay calm. Be methodical.
2. From another machine inform users (and the network, facility or host owner) the machine
3. Get the host offline or make sure the firewall is raised to only allow traffic to and from
your management IP or range.
4. Back up your data. If you do not intend to investigate: do not back up binaries or binary data
for which you have no means to verify their integrity.
5. Verify the integrity of your backup by visual inspection (auth data, configs, logs) or using
a file integrity checker or your distribution's package management tools.
6. Install your host with a fresh install and restrict network access to it using the system's
authentication features like accounts, PAM, firewall, tcp wrappers, daemon configs, while
you update and configure software and services. Please make sure you properly harden the machine.
7. Investigate the old log files and the tools that may have been used. Also investigate the services which
were vulnerable at the time of the hack.

What does the warning "Determining OS... Warning: this operating system is not fully
It simply means: not all functions and checks can be performed, because the system is
'unknown' to the script (things like which md5 utility is available, md5 hashes for
this system etc.). If you want support for a new distro, please join the
rkhunter-users mailing list and tell us which distro you are using.

Rootkit Hunter gives me an error that some binary couldn't be found, what to do?
Sometimes a binary can't be found via the PATH variable. Because Rootkit Hunter just tries
to run the binary by executing it without a path, the system will search its PATH. If
the binary can't be found, an error will occur.
Checking loaded kernel modules... /usr/local/bin/rkhunter: lsmod: command not found
[ Warning! (found difference in output) ]
Please enter `echo $PATH` and check your path settings.

Rootkit Hunter tells me a lot of installed software is 'vulnerable', what does it mean?
It means this software possibly contains software bugs which make external (or local)
attacks possible. In the worst case, a person with malicious intentions can get full access

Rootkit Hunter tells me I have vulnerable applications installed, but I have fully patched
my server! How is this possible?
Some distributions like Red Hat and OpenBSD do patch old versions. So Rootkit Hunter thinks
it's an old version, but instead it's a safe patched version. If you have the same situation,
don't use the program version checker (--skip-application-check), to suppress the false positives.

Rootkit Hunter installation fails with Solaris, why?
You have to use the bash shell to install Rootkit Hunter.
# (/path/to)bash installer.sh

How can I run Rootkit Hunter every day?
You can create a cronjob script like this:
=========== /etc/cron.daily/rkhunter ====================
#!/bin/sh
( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' root
=========================================================
Or add a line in your /etc/crontab file directly.

Errors from external software
E1 - I use prelinking, but after performing some updates all binaries are 'BAD' when checking
with Rootkit Hunter, what to do?
Most times the prelinking database has to be rebuilt (prelinking optimizes your binaries
and libraries). This is because after every change in one of the binaries (or libraries), it needs
to optimize all files again. On Red Hat / Fedora, run:
# /etc/cron.daily/prelink

I get warnings from PHP, like:
PHP Warning: Function registration failed - duplicate name - pg_update in Unknown on line 0
Most times this is because you have updated the Apache version of PHP, but forgot to update/recompile
the CLI (console version) of PHP. So recompile/update it and retry.

Update problems/questions
Rootkit Hunter tells me I have multiple versions installed, how is this possible?
Most times you install a tool and upgrade it later. Sometimes if you use a 'non-official' updater
(let's say from an external party, built from source/using an installer like RPM/DEB/TGZ), the
binaries will be installed in another place than the original. So there are two binaries with the
same name, but in another place (/usr/bin and /usr/local/bin for example). You have to check which
binaries are old and can be safely removed/replaced (tip: make a copy / use replace, instead of

Although Rootkit Hunter tells me my binaries do have the correct hashes (=OK), the logfile
shows a lot of incorrect items. How is that possible?
Because the main program is a shell script, a lot of small utilities are used to read the database
(in fact a CSV-like file). The output you see in the logfile is debug information and contains
a lot of extra information. Because every line of the hash database will be read and compared with
the real hash of the binary, it will have some good and bad hashes for one single binary (because of
the multiple versions of a single binary). Every line will be available in the logfile too, so if
a hash DOESN'T match with the binary, it will log this too. If ONE of the multiple hashes matches,
you don't have to worry about the 'failed' lines.
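The two answers above (several copies of one binary on the PATH, and one database line per known version of a binary) can be seen together in this added Python example, which is not rkhunter's own code. It lists every copy of a command found on the PATH (as `type -a` would), parses a constructed hash database in the 'name:md5' layout assumed here, and marks a copy OK as soon as any of its stored hashes matches while still recording every mismatch as the kind of debug line that ends up in the logfile. The directory layout, file contents and database are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample: two releases of the same fictional "ls" binary, since the
# database carries one line per known version of a binary. A tiny script stands
# in for the real ELF binary; only its hash matters here.
KNOWN_VERSIONS = {
    "ls": [b"#!/bin/sh\necho old ls\n", b"#!/bin/sh\necho new ls\n"],
}


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def build_db(known):
    """One 'name:hash' line per known version (the layout is an assumption)."""
    lines = [f"{name}:{md5_bytes(v)}" for name, versions in known.items() for v in versions]
    return "\n".join(lines) + "\n"


def parse_db(text):
    """Read the CSV-like database into {name: [hash, hash, ...]}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, digest = line.split(":", 1)
        db.setdefault(name, []).append(digest)
    return db


def find_in_path(name, path_env):
    """Every executable called `name` on the PATH, in search order (like `type -a`)."""
    hits = []
    for d in path_env.split(os.pathsep):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def check_binary(path, db):
    """Return (status, debug_lines). Every stored hash is compared and every
    mismatch is logged, but the binary is OK as soon as ONE hash matches."""
    name = os.path.basename(path)
    with open(path, "rb") as f:
        actual = md5_bytes(f.read())
    debug, matched = [], False
    for digest in db.get(name, []):
        if digest == actual:
            debug.append(f"{path}: hash {digest} matches")
            matched = True
        else:
            debug.append(f"{path}: hash {digest} does not match (debug only)")
    if name not in db:
        return "UNKNOWN", debug
    return ("OK" if matched else "BAD"), debug


def demo():
    """Constructed layout: the new ls in usr/local/bin, the old one in usr/bin and
    a tampered copy in opt/bin that the database knows nothing about."""
    with tempfile.TemporaryDirectory() as root:
        copies = {
            "usr/local/bin": KNOWN_VERSIONS["ls"][1],
            "usr/bin": KNOWN_VERSIONS["ls"][0],
            "opt/bin": b"#!/bin/sh\necho trojaned ls\n",
        }
        for rel, content in copies.items():
            d = os.path.join(root, rel)
            os.makedirs(d)
            p = os.path.join(d, "ls")
            with open(p, "wb") as f:
                f.write(content)
            os.chmod(p, 0o755)
        db = parse_db(build_db(KNOWN_VERSIONS))
        path_env = os.pathsep.join(os.path.join(root, rel) for rel in copies)
        results = {}
        for p in find_in_path("ls", path_env):
            status, debug = check_binary(p, db)
            results[os.path.relpath(p, root)] = (status, len(debug))
        return results


if __name__ == "__main__":
    for path, (status, lines) in demo().items():
        print(f"{path}: {status} ({lines} hash lines compared)")
```

Both known copies come out OK even though each produces one "does not match" debug line for the other version's hash; only the copy the database has never seen ends up BAD, which is the case that deserves attention.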

How can I run Rootkit Hunter on a daily basis?
Add it as a cronjob to /etc/crontab. Example:
30 5 * * * root </path>/rkhunter -c --cronjob <more options>
Rootkit Hunter will now run at 5:30 (AM).

My operating system isn't supported! Can you add support for it?
A: Yes and no. Please join the rkhunter-users mailing list and tell us which operating system you're using,
including system architecture.

Can I be notified when a new release will be available?
A: Yes you can, please join the rkhunter-announce mailing list (low volume) or subscribe to the Freshmeat
project page: http://freshmeat.net/projects/rkhunter/. If you're a Sourceforge user like us you can also
monitor the project for changes. Luckily Sourceforge is *that* easy to use I don't need to give you

What is the best way to run Rootkit Hunter from the crontab?
A: Add a cronjob with the parameters '-c --quiet --cronjob'. It will run Rootkit Hunter without colors and
without layout characteristics (--cronjob). Rootkit Hunter will only show text when it finds some warnings
or errors. Very nice when you own a lot of machines and don't want to have a huge amount of mail ;-)

Can I help with the development of this project?
Everyone can help, period.
- Help your fellow Rootkit Hunter users on the rkhunter-users mailing list,
- Send a copy of an undetected rootkit so it can be added and help others,
- Are you a package maintainer? Please submit your changes so *everyone* can benefit from them,
- Are you an end user? Ultimately FOSS, and so RKH, depends on *you*. Contributing is *your*
responsibility, not someone else's. Whatever you contribute constructively is very much welcome:
contribute or discuss enhancing Rootkit Hunter with us, submit a patch or discuss enhancements,
file a bug report, test the application by using it on your servers.

I like your software! How can I thank you?
Simple. By contributing.

See http://rkhunter.sourceforge.net for the latest and complete FAQ.
(when the site is updated, OK)