Admin at 07:03, 10 March 2011

2011-03-10T07:03:59Z

← Older revision		Revision as of 07:03, 10 March 2011
Line 207:		Line 207:
	APP_WHITELIST="openssl:0.9.71 gpg"		APP_WHITELIST="openssl:0.9.71 gpg"
	</pre>		</pre>

			[[Category:Computers]]
			[[Category:Programs]]

Admin at 15:04, 9 March 2011

2011-03-09T15:04:19Z

← Older revision		Revision as of 15:04, 9 March 2011
Line 2:		Line 2:

	http://sourceforge.net/projects/rkhunter/		http://sourceforge.net/projects/rkhunter/

			Rootkit Hunter was designed to run on Linux machines, and is therefore straightforward to run on a Linux machine. Running it on a Mac is a little more tricky. See below for details.

	= Installation =		= Installation =

Admin: /* Hidden Files and Directories */

2011-03-09T14:52:28Z

Hidden Files and Directories

← Older revision		Revision as of 14:52, 9 March 2011
Line 176:		Line 176:
	<pre>		<pre>
	EXISTWHITELIST="/usr/share/man/man5/.rhosts.5.gz"		EXISTWHITELIST="/usr/share/man/man5/.rhosts.5.gz"
			EXISTWHITELIST="/usr/._local"
	</pre>		</pre>

Admin: /* Running Rootkit Check */

2011-03-09T14:51:33Z

Running Rootkit Check

← Older revision		Revision as of 14:51, 9 March 2011
Line 84:		Line 84:
	</pre>		</pre>

			You may also want to skip the "Press <Enter> to Continue" prompts:

			<pre>
			sudo rkhunter --skip-keypress
			</pre>

	= Interpreting the Results =		= Interpreting the Results =

Admin: /* Application Out Of Date */

2011-03-09T14:49:03Z

Application Out Of Date

← Older revision		Revision as of 14:49, 9 March 2011
Line 187:		Line 187:
	To check if you are up-to-date, click the Apple in the upper left hand corner, then click "Software Update...", and download and install any software updates.		To check if you are up-to-date, click the Apple in the upper left hand corner, then click "Software Update...", and download and install any software updates.

	'''BEWARE!!!''' If you install your own versions of programs (for example, if you download, compile, and build from source a version of GPG, or Apache, or OpenSSL), you MUST heed these warnings and update your version of the program.		'''BEWARE!!!''' If you install your own versions of programs (for example, if you download, compile, and build from source a version of GPG, or Apache, or OpenSSL), you MUST heed these warnings and update your version of the program. See [[Upgrading Software]] page for info on how to do this.

	To ignore applications that you are confident are safe, add them to the app whitelist in your config file:		To ignore applications that you are confident are safe, add them to the app whitelist in your config file:

Admin: /* Hidden Files and Directories */

2011-03-09T14:47:39Z

Hidden Files and Directories

← Older revision		Revision as of 14:47, 9 March 2011
Line 164:		Line 164:
	[00:00:00] Checking for hidden files and directories [ Warning ]		[00:00:00] Checking for hidden files and directories [ Warning ]
	[00:00:00] Warning: Hidden file found: /usr/._local: AppleDouble encoded Macintosh file		[00:00:00] Warning: Hidden file found: /usr/._local: AppleDouble encoded Macintosh file
	[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: ~~Sat Nov 24 15~~:15:~~22 2007~~		[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz:
			gzip compressed data, was ".rhosts.5", from Unix, last modified: Mon Jan 01 00:00:00 2000
	</pre>		</pre>

Admin: Created page with "Rootkit Hunter is a program that will look for rootkits. It can be downloaded from SourceForge here: http://sourceforge.net/projects/rkhunter/ = Installation = == Installing ..."

2011-03-09T14:46:40Z

Created page with "Rootkit Hunter is a program that will look for rootkits. It can be downloaded from SourceForge here: http://sourceforge.net/projects/rkhunter/ = Installation = == Installing ..."

New page

Rootkit Hunter is a program that will look for rootkits. It can be downloaded from SourceForge here:

http://sourceforge.net/projects/rkhunter/

= Installation =

== Installing to Default Location (/usr/local) ==

By default, Rootkit Hunter (RH) installs to <code>/usr/local</code>.

1. Download the tarball from SourceForge

2. Unpack the tarball,

<pre>
tar xvzf rkhunter-1.x.x
</pre>

3. Go into the directory created

<pre>
cd rkhunter-1.x.x
</pre>

4. Run the installation script (must be run as superuser):

<pre>
sudo ./installer.sh --install
</pre>

== Installing to Custom Location ==

I like to keep all external programs in their own directory, in <code>~/pkg</code>. To install RH to a custom location,

1. Download the tarball from SourceForge

2. Unpack the tarball (see above)

3. Go into the directory created

4. Run the installation script, specifying the installation location (does NOT need to be run as superuser):

<pre>
./installer.sh --layout custom /path/to/pkg/rkhunter-1.x.x --install
</pre>

5. Add <code>/path/to/pkg/rkhunter-1.x.x/bin</code> to your <code>$PATH</code>

= Usage =

== Before You Run ==

Before you use RH, you need to update RH's property database. (Ideally, this should be done immediately after a fresh installation of your operating system, before any outside network connections are made.) You must run this as the superuser.

<pre>
sudo rkhunter --propupd
</pre>

== Configuring Rootkit Hunter ==

Rootkit Hunter can be configured with many different options. These are set in a config file, located at:

<code>/etc/rkhunter.conf</code>

or, if you installed RH to a custom location,

<code>/path/to/pkg/rkhunter-1.x.x/etc/rkhunter.conf</code>

The section [[RootkitHunter#Interpreting the Results|Interpreting the Results]] below will give some examples of how the configuration file can be used.

== Running Rootkit Check ==

To run the rootkit check procedure, you must run it as the superuser.

<pre>
sudo rkhunter --check
</pre>

This will output the result of each check to stdout, and will also record the results in /var/log/rkhunter.log (you have to be the superuser to read this file). To output to a custom log file, run

<pre>
sudo rkhunter --check --logfile /path/to/custom/logfile
</pre>

= Interpreting the Results =

== Mac ==

'''DISCLAIMER:''' Rootkit Hunter was not designed to run on Macs, so you will see several warnings on Macs that are simply due to the differences between Mac and Linux. I'll cover these, so you can recognize them. Google is also useful in investigating whether something is truly a problem or whether it is a harmless error.

=== "Script Text Executable" Warnings ===

You will probably see several warnings that look like this:

<pre>
[00:00:00] /usr/bin/fuser [ Warning ]
[00:00:00] Warning: The command '/usr/bin/fuser' has been replaced by a script: /usr/bin/fuser: perl script text executable

[00:00:00] /usr/bin/whatis [ Warning ]
[00:00:00] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
</pre>

These warnings are harmless, and are basically informing you that programs like /usr/bin/whatever are not binary executable programs, but are actually scripts. If you want to be sure, you can always open the executable script in a text editor.

To ignore these files during future RH checks, add the following to the RH config file:

<pre>
SCRIPTWHITELIST="/sbin/nologin"
SCRIPTWHITELIST="/sw/bin/which"
SCRIPTWHITELIST="/usr/bin/whatis"
SCRIPTWHITELIST="/usr/bin/fuser"
</pre>

etc... You should add the things that are specific to your system (meaning, don't just copy and paste the lines above.) These lines will tell RH to ignore these files during future checks.

=== Dica-Kit Rootkit Warning ===

If you run RH on a Mac you will also see the warning:

<pre>
[00:00:00] Warning: Dica-Kit Rootkit [ Warning ]
[00:00:00] File '/etc/sshd_config' found
[00:00:00] File '/etc/ssh_host_key' found
</pre>

This warning is purely due to a difference between Mac and Linux. Linux stores the files <code>sshd_config</code> and <code>ssh_host_key</code> in the location <code>/etc/ssh/</code>, and Mac stores the files in the location <code>/etc/</code>. Apparently the Dica-Kit Rootkit puts these two files in the same place that Mac puts them, so this will cause a false positive for the Dica-Kit Rootkit on Mac.

To prevent the false positive, you can add the following to your RH config file:

<pre>
RTKT_FILE_WHITELIST=/etc/sshd_config
RTKT_FILE_WHITELIST=/etc/ssh_host_key
</pre>

=== No System Startup Files Found Warning ===

If you run RH on a Mac you will see warnings that look like this:

<pre>
[00:00:00] Warning: Checking for possible rootkit strings [ Warning ]
[00:00:00] No system startup files found.

[00:00:00] Info: Starting test name 'startup_malware'
[00:00:00] Checking for system startup files [ Warning ]
[00:00:00] Warning: No system startup files found.
</pre>

This, again, is due to differences between Mac and Linux. It's looking for Linux startup files, but Mac does not keep any of its system startup files in the locations where RH is looking.

It is possible to skip this test by adding the following to the config file:

<pre>
STARTUP_PATHS="none"
</pre>

=== Hidden Files and Directories ===

You may also see a warning like this:

<pre>
[00:00:00] Checking for hidden files and directories [ Warning ]
[00:00:00] Warning: Hidden file found: /usr/._local: AppleDouble encoded Macintosh file
[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: Sat Nov 24 15:15:22 2007
</pre>

It is not clear what the .rhosts.5.gz file is actually for, but this is another Mac-specific warning: you will get this warning on any Mac system. You can tell RH to ignore this file by adding this file to the whitelist, which can be done by adding this to your config file:

<pre>
EXISTWHITELIST="/usr/share/man/man5/.rhosts.5.gz"
</pre>

=== Application Out Of Date ===

Yet another Mac-specific warning comes from applications that appear to be "out of date", and therefore pose a security risk:

<pre>
[00:00:00] Checking version of OpenSSL [ Warning ]
[00:00:00] Warning: Application 'openssl', version '0.9.7l', is out of date, and possibly a security risk.
</pre>

In fact, the Apple-provided security updates patch these programs, but don't update the version number. So, as long as you are up-to-date with your Apple-provided security updates, you are fine.

To check if you are up-to-date, click the Apple in the upper left hand corner, then click "Software Update...", and download and install any software updates.

'''BEWARE!!!''' If you install your own versions of programs (for example, if you download, compile, and build from source a version of GPG, or Apache, or OpenSSL), you MUST heed these warnings and update your version of the program.

To ignore applications that you are confident are safe, add them to the app whitelist in your config file:

<pre>
APP_WHITELIST="openssl gpg"
</pre>

and to whitelist a specific version (THIS IS SAFER),

<pre>
APP_WHITELIST="openssl:0.9.71 gpg"
</pre>

RootkitHunter - Revision history

Admin at 07:03, 10 March 2011

Admin at 15:04, 9 March 2011

Admin: /* Hidden Files and Directories */

Admin: /* Running Rootkit Check */

Admin: /* Application Out Of Date */

Admin: /* Hidden Files and Directories */

Admin: Created page with "Rootkit Hunter is a program that will look for rootkits. It can be downloaded from SourceForge here: http://sourceforge.net/projects/rkhunter/ = Installation = == Installing ..."