
Rootkit Hunter

Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like 'skdet' and 'unhide'. It should run on almost every Unix clone.


Recent releases

  •  01 May 2012 01:35

    Release Notes: This release adds eleven bugfixes, seven changes, and five new items.

  •  29 Nov 2009 16:46

    Release Notes: This release offers more ease of use and improved checks. The changelog lists 29 additions including 9 configuration options and details for 12 rootkits, 29 changes including improvements for 15 rootkit checks, and 22 bugfixes.

  •  31 Dec 2008 09:47

    Release Notes: IntoXonia-NG and Phalanx2 rootkit checks were added. Support for TCB shadow files was added. The "--propupd" option can now take an optional file, directory, or package name after it. The file properties inode check was revised. SSH configuration file tests accept key/value pairs. The Linux "os_specific" test has been split into two separate tests. The DBDIR directory can now be read-only. The ALLOWPROCDELFILE configuration option was improved. The check for hidden files and directories was improved.

  •  23 Sep 2007 00:50

    Release Notes: This is the final release of version 1.3.0. 30 new features were added. 47 changes and 16 bugfixes were made.

    Release Notes: Given the timeframe between releases, the changelog is packed, listing 34 new features, 47 changes, and 16 bugfixes. A new option '--propupd' replaces 'hashupd.sh'. A new option '--pkgmgr' supports RPM, dpkg, and BSD-style package managers. Support has been added for Ubuntu and the 'dash' and 'ash' shells. Internationalization (i18n) has been added. New options '--enable' and '--disable' specify which tests are run or ignored. Support for Solaris 10 inetadm. More whitelisting options.

Recent comments

28 Sep 2009 16:20 solarjdp69 Thumbs up

Great software! Suggestion - Change the output from "not infected" to "clean". Only use the word infected if there is a suspicious or infected file; that way we can grep for the words infected or suspicious.

25 Jan 2006 14:48 unSpawn

Announce: Rootkit Hunter mailing list
I would like to announce that Rootkit Hunter now has a mailing list on SourceForge. If you run RKH, please go to lists.sourceforge.net/... to add yourself to the list to be able to ask questions, discuss topics related to RKH, drop requests, or even help out with RKH.

Cheers, unSpawn

20 Sep 2005 00:58 jmmurillo

MD5 check fails on Fedora Core 3 file
Hi,

I have a server with Fedora Core 3. Recently I updated the e2fsprogs-1.38-0.FC3.1 rpm package, and now Rkhunter returns an MD5 error on the /usr/bin/lsattr file, which is included in that package. Is it a false negative?

Thanks.

Here is the rkhunter 1.27 log:

Rootkit Hunter 1.2.7 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ BAD ] <---- MD5 fails
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
-------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
-------------------------------------------------

07 Jun 2005 06:02 fox_inti

Problem with hash tests on SuSE
Hi, rkhunter is not doing the hash tests on my system:

Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
.
.
[14:20:02] ---------------------------- System checks ----------------------------
[14:20:02] Info: kernel is 2.6
[14:20:02] Info: Found /etc/SuSE-release
[14:20:02] Info: Full OS name = SuSE Linux 9.2 (i586)
[14:20:02] Info: OS ID = 163
[14:20:02] Info: Using /usr/bin/md5sum to verify MD5 hashes
[14:20:02] Info: /usr/bin/md5sum found
[14:20:02] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[14:20:02] Info: UID is zero (root)
[14:20:02] Info: Perl version 5.8.5 found
[14:20:02] Info: Digest::MD5 installed (version 2.33).
[14:20:02] Info: Using Perl Digest::MD5 module instead of /usr/bin/md5sum
[14:20:02] Info: Digest::SHA1 installed (version 2.10).
[14:20:02] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
[14:20:02] ---------------------------- File checks -----------------------------
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
[14:20:02] ------------------------------ Selftests ------------------------------
[14:20:02] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
[14:20:02] Strings selftest: scanning for string /usr/lib/.../ls... OK
.
.
all OK
.
.
[14:20:03] ---------------------------- MD5 hash tests ---------------------------
[14:20:03] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[14:20:09] ------------------------------ Rootkits ------------------------------

That's all it shows.

If I run the .pl manually I get:

/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl /bin/ps
f9d313f205a74e710baa3c3702caa145

Any ideas what's wrong?

24 May 2005 23:37 MBoelen

Re: strange update issue.
This is solved in release version 1.2.7.
