From charlesreid1

Rootkit Hunter is a program that scans a machine for rootkits. It can be downloaded from SourceForge here:

http://sourceforge.net/projects/rkhunter/

Rootkit Hunter was designed to run on Linux machines, and is therefore straightforward to run on a Linux machine. Running it on a Mac is a little trickier. See below for details.

Installation

Installing to Default Location (/usr/local)

By default, Rootkit Hunter (RH) installs to /usr/local.

1. Download the tarball from SourceForge

2. Unpack the tarball,

tar xvzf rkhunter-1.x.x.tar.gz

3. Go into the directory created

cd rkhunter-1.x.x

4. Run the installation script (must be run as superuser):

sudo ./installer.sh --install

Installing to Custom Location

I like to keep all external programs in their own directory, in ~/pkg. To install RH to a custom location,

1. Download the tarball from SourceForge

2. Unpack the tarball (see above)

3. Go into the directory created

4. Run the installation script, specifying the installation location (does NOT need to be run as superuser):

./installer.sh --layout custom /path/to/pkg/rkhunter-1.x.x --install

5. Add /path/to/pkg/rkhunter-1.x.x/bin to your $PATH


Usage

Before You Run

Before you use RH, you need to update RH's file properties database, the baseline of file attributes that later checks are compared against. (Ideally, this should be done immediately after a fresh installation of your operating system, before any outside network connections are made, so that the baseline is taken from a system that is known to be clean.) You must run this as the superuser.

sudo rkhunter --propupd

Configuring Rootkit Hunter

Rootkit Hunter can be configured with many different options. These are set in a config file, located at:

/etc/rkhunter.conf

or, if you installed RH to a custom location,

/path/to/pkg/rkhunter-1.x.x/etc/rkhunter.conf

The section Interpreting the Results below will give some examples of how the configuration file can be used.

Running Rootkit Check

The rootkit check itself must also be run as the superuser:

sudo rkhunter --check

This will output the result of each check to stdout, and will also record the results in /var/log/rkhunter.log (you have to be the superuser to read this file). To output to a custom log file, run

sudo rkhunter --check --logfile /path/to/custom/logfile

You may also want to skip the "Press <Enter> to Continue" prompts:

sudo rkhunter --check --skip-keypress

Interpreting the Results

Mac

DISCLAIMER: Rootkit Hunter was not designed to run on Macs, so you will see several warnings on Macs that are simply due to the differences between Mac and Linux. I'll cover these, so you can recognize them. Google is also useful in investigating whether something is truly a problem or whether it is a harmless error.

"Script Text Executable" Warnings

You will probably see several warnings that look like this:

[00:00:00]   /usr/bin/fuser                                  [ Warning ]
[00:00:00] Warning: The command '/usr/bin/fuser' has been replaced by a script: /usr/bin/fuser: perl script text executable

[00:00:00]   /usr/bin/whatis                                 [ Warning ]
[00:00:00] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

These warnings are harmless on a stock Mac: they are informing you that programs like /usr/bin/whatever are not binary executables, but are actually scripts. If you want to be sure, you can always open the script in a text editor and confirm it is the script it claims to be.

To ignore these files during future RH checks, add the following to the RH config file:

SCRIPTWHITELIST="/sbin/nologin"
SCRIPTWHITELIST="/sw/bin/which"
SCRIPTWHITELIST="/usr/bin/whatis"
SCRIPTWHITELIST="/usr/bin/fuser"

etc. You should add the entries that are specific to your system (meaning, don't just copy and paste the lines above). These lines tell RH to ignore these files during future checks.
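The "open it in a text editor" check above can be done for every flagged command at once. The following is an added example, not code from the original page or from the rkhunter project: it pulls the command paths out of "replaced by a script" warning lines (the log line shape shown above), reads the first bytes of each file, and emits a SCRIPTWHITELIST line only for files that really start with a #! interpreter line. Files that turn out to be compiled binaries, or that cannot be read, are reported for a manual look instead. The demo() directory, its files and the log lines that name them are constructed for this example.

```python
import os
import re
import tempfile

# The "replaced by a script" warning line, in the shape rkhunter writes to its log.
SCRIPT_WARNING = re.compile(
    r"Warning: The command '(?P<path>[^']+)' has been replaced by a script: "
)

# Leading bytes of compiled executables: a file starting with one of these is
# a native binary, not a script, whatever the log line claims.
NATIVE_MAGIC = {
    b"\x7fELF": "ELF",                  # Linux binaries
    b"\xfe\xed\xfa\xce": "Mach-O 32",   # macOS binaries (both byte orders)
    b"\xce\xfa\xed\xfe": "Mach-O 32",
    b"\xfe\xed\xfa\xcf": "Mach-O 64",
    b"\xcf\xfa\xed\xfe": "Mach-O 64",
    b"\xca\xfe\xba\xbe": "Mach-O fat",  # universal (multi-architecture) binaries
}


def flagged_commands(log_text):
    """Return the command paths named in 'replaced by a script' warnings, in order."""
    paths = []
    for line in log_text.splitlines():
        m = SCRIPT_WARNING.search(line)
        if m and m.group("path") not in paths:
            paths.append(m.group("path"))
    return paths


def classify(path):
    """Read the first bytes of a file, as opening it in an editor would show.

    Returns ("script", shebang line) for a file that starts with '#!',
    ("native", kind) for a compiled executable, ("missing", None) if the file
    cannot be read, and ("unknown", None) for anything else.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(256)
    except OSError:
        return ("missing", None)
    if head.startswith(b"#!"):
        shebang = head.split(b"\n", 1)[0][2:].strip()
        return ("script", shebang.decode("ascii", "replace"))
    for magic, kind in NATIVE_MAGIC.items():
        if head.startswith(magic):
            return ("native", kind)
    return ("unknown", None)


def whitelist_lines(log_text):
    """Build SCRIPTWHITELIST lines only for warnings that check out as scripts.

    Returns (config_lines, report): config_lines are ready to paste into
    rkhunter.conf; report lists every flagged path with what was found in it,
    so files that are not plain scripts get a manual look, not a whitelist entry.
    """
    config_lines, report = [], []
    for path in flagged_commands(log_text):
        kind, detail = classify(path)
        report.append((path, kind, detail))
        if kind == "script":
            config_lines.append('SCRIPTWHITELIST="%s"' % path)
    return config_lines, report


def demo():
    """Constructed sample: a throwaway directory holding a real perl script and a
    fake ELF binary, plus a made-up log that flags both and a file that does not exist."""
    workdir = tempfile.mkdtemp(prefix="rkhunter-demo-")
    script = os.path.join(workdir, "fuser")
    with open(script, "w") as fh:
        fh.write('#!/usr/bin/perl\nprint "hello\\n";\n')
    binary = os.path.join(workdir, "whatis")
    with open(binary, "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 60)       # ELF magic followed by padding
    missing = os.path.join(workdir, "nologin")  # deliberately never created
    log = "".join(
        "[00:00:00] Warning: The command '%s' has been replaced by a script: "
        "%s: perl script text executable\n" % (p, p)
        for p in (script, binary, missing)
    )
    return whitelist_lines(log)


if __name__ == "__main__":
    lines, report = demo()
    for path, kind, detail in report:
        print("%-8s %s  %s" % (kind, path, detail or ""))
    print("\n".join(lines))
```

On a real system you would feed it the contents of /var/log/rkhunter.log (read as the superuser) instead of the constructed log; the report column shows the interpreter line for each script, which is what you would otherwise be checking by eye.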

Dica-Kit Rootkit Warning

If you run RH on a Mac you will also see the warning:

[00:00:00] Warning: Dica-Kit Rootkit                         [ Warning ]
[00:00:00]          File '/etc/sshd_config' found
[00:00:00]          File '/etc/ssh_host_key' found

This warning is purely due to a difference between Mac and Linux. Linux stores the files sshd_config and ssh_host_key in the location /etc/ssh/, and Mac stores the files in the location /etc/. Apparently the Dica-Kit Rootkit puts these two files in the same place that Mac puts them, so this will cause a false positive for the Dica-Kit Rootkit on Mac.

To prevent the false positive, you can add the following to your RH config file:

RTKT_FILE_WHITELIST=/etc/sshd_config
RTKT_FILE_WHITELIST=/etc/ssh_host_key

No System Startup Files Found Warning

If you run RH on a Mac you will see warnings that look like this:

[00:00:00] Warning: Checking for possible rootkit strings    [ Warning ]
[00:00:00]          No system startup files found.

[00:00:00] Info: Starting test name 'startup_malware'
[00:00:00]   Checking for system startup files               [ Warning ]
[00:00:00] Warning: No system startup files found.

This, again, is due to differences between Mac and Linux. It's looking for Linux startup files, but Mac does not keep any of its system startup files in the locations where RH is looking.

It is possible to skip this test by adding the following to the config file:

STARTUP_PATHS="none"

Hidden Files and Directories

You may also see a warning like this:

[00:00:00]   Checking for hidden files and directories       [ Warning ]
[00:00:00] Warning: Hidden file found: /usr/._local: AppleDouble encoded Macintosh file
[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: Mon Jan 01 00:00:00 2000

It is not clear what the .rhosts.5.gz file is actually for, but this is another Mac-specific warning: you will get it on any Mac system. You can tell RH to ignore these files by whitelisting them in your config file:

EXISTWHITELIST="/usr/share/man/man5/.rhosts.5.gz"
EXISTWHITELIST="/usr/._local"

Application Out Of Date

Yet another Mac-specific warning comes from applications that appear to be "out of date", and therefore pose a security risk:

[00:00:00]   Checking version of OpenSSL                     [ Warning ]
[00:00:00] Warning: Application 'openssl', version '0.9.7l', is out of date, and possibly a security risk.

In fact, the Apple-provided security updates patch these programs, but don't update the version number. So, as long as you are up-to-date with your Apple-provided security updates, you are fine.

To check if you are up-to-date, click the Apple in the upper left hand corner, then click "Software Update...", and download and install any software updates.

BEWARE!!! If you install your own versions of programs (for example, if you download, compile, and build from source a version of GPG, or Apache, or OpenSSL), you MUST heed these warnings and update your version of the program. See Upgrading Software page for info on how to do this.

To ignore applications that you are confident are safe, add them to the app whitelist in your config file:

APP_WHITELIST="openssl gpg"

and to whitelist a specific version (this is safer, because a later change to the binary will be reported again):

APP_WHITELIST="openssl:0.9.7l gpg"
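The Dica-Kit, startup-files, hidden-files and out-of-date warnings above each map to a different config option, and the point of the page is that only the ones you have personally confirmed as Mac-specific should be whitelisted. The following is an added example, not code from the original page or from the rkhunter project: it parses those warning shapes out of a log, then turns only the items in a confirmed set into config lines (with application versions pinned, the safer form), and hands everything else back for investigation. SAMPLE_LOG is constructed from the warnings shown above plus one invented hidden file, /tmp/.dropped, that nothing on this page explains; the "startup_files" token is this example's own convention for the no-startup-files warning.

```python
import re

# The warning shapes discussed in this section, as rkhunter writes them to its log.
DICA_KIT = re.compile(r"Warning: Dica-Kit Rootkit")
RTKT_FILE = re.compile(r"^\[[^\]]*\]\s+File '(?P<path>[^']+)' found\s*$")
HIDDEN = re.compile(r"Warning: Hidden file found: (?P<path>[^:]+):")
OUT_OF_DATE = re.compile(
    r"Warning: Application '(?P<app>[^']+)', version '(?P<ver>[^']+)', is out of date"
)
NO_STARTUP = re.compile(r"Warning: No system startup files found\.")

# Constructed sample log: the Mac warnings shown above plus one made-up hidden
# file (/tmp/.dropped) that has no explanation and so must not be whitelisted.
SAMPLE_LOG = """\
[00:00:00] Warning: Dica-Kit Rootkit                         [ Warning ]
[00:00:00]          File '/etc/sshd_config' found
[00:00:00]          File '/etc/ssh_host_key' found
[00:00:00] Warning: No system startup files found.
[00:00:00] Warning: Hidden file found: /usr/._local: AppleDouble encoded Macintosh file
[00:00:00] Warning: Hidden file found: /tmp/.dropped: data
[00:00:00] Warning: Application 'openssl', version '0.9.7l', is out of date, and possibly a security risk.
"""

# Items confirmed by hand as the Mac-specific false positives described above.
# The token "startup_files" stands for the "no system startup files" warning.
CONFIRMED_MAC_ITEMS = {
    "/etc/sshd_config", "/etc/ssh_host_key", "/usr/._local", "openssl", "startup_files",
}


def parse_warnings(log_text):
    """Collect the warnings from a log into one dict, keyed by kind."""
    found = {"rootkit_files": [], "hidden_files": [], "apps": [], "no_startup": False}
    in_rootkit_block = False   # the "File '...' found" lines follow the Dica-Kit line
    for line in log_text.splitlines():
        if DICA_KIT.search(line):
            in_rootkit_block = True
            continue
        if in_rootkit_block:
            m = RTKT_FILE.match(line)
            if m:
                found["rootkit_files"].append(m.group("path"))
                continue
            in_rootkit_block = False
        m = HIDDEN.search(line)
        if m:
            found["hidden_files"].append(m.group("path").strip())
            continue
        m = OUT_OF_DATE.search(line)
        if m:
            found["apps"].append((m.group("app"), m.group("ver")))
            continue
        if NO_STARTUP.search(line):
            found["no_startup"] = True
    return found


def propose_config(found, confirmed):
    """Turn parsed warnings into rkhunter.conf lines, but only for the items in
    `confirmed`; everything else comes back in `unresolved` for investigation.
    Applications are pinned to the exact reported version."""
    lines, unresolved = [], []
    for path in found["rootkit_files"]:
        if path in confirmed:
            lines.append("RTKT_FILE_WHITELIST=%s" % path)
        else:
            unresolved.append(("rootkit file", path))
    for path in found["hidden_files"]:
        if path in confirmed:
            lines.append('EXISTWHITELIST="%s"' % path)
        else:
            unresolved.append(("hidden file", path))
    pinned = []
    for app, ver in found["apps"]:
        if app in confirmed:
            pinned.append("%s:%s" % (app, ver))
        else:
            unresolved.append(("out-of-date application", "%s %s" % (app, ver)))
    if pinned:
        lines.append('APP_WHITELIST="%s"' % " ".join(pinned))
    if found["no_startup"]:
        if "startup_files" in confirmed:
            lines.append('STARTUP_PATHS="none"')
        else:
            unresolved.append(("startup files", "no system startup files found"))
    return lines, unresolved


if __name__ == "__main__":
    config, todo = propose_config(parse_warnings(SAMPLE_LOG), CONFIRMED_MAC_ITEMS)
    print("\n".join(config))
    for kind, what in todo:
        print("still to investigate: %s %s" % (kind, what))
```

Run against the sample it prints the five whitelist lines from this section and one "still to investigate" entry for /tmp/.dropped; the same split (confirmed versus unresolved) is what you want each time the log changes after a check.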