
Rootkit Hunter

Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like 'skdet' and 'unhide'. It should run on almost every Unix clone.


Recent releases

  •  30 Apr 2012 23:37

     Release Notes: This release adds eleven bugfixes, seven changes, and five new items.

  •  29 Nov 2009 16:27

     Release Notes: This release offers more ease of use and improved checks. The changelog lists 29 additions, including 9 configuration options and details for 12 rootkits; 29 changes, including improvements to 15 rootkit checks; and 22 bugfixes.

  •  31 Dec 2008 09:47

     Release Notes: IntoXonia-NG and Phalanx2 rootkit checks were added. Support for TCB shadow files was added. The "--propupd" option can now take an optional file, directory, or package name after it. The file properties inode check was revised. SSH configuration file tests accept key/value pairs. The Linux "os_specific" test has been split into two separate tests. The DBDIR directory can now be read-only. The ALLOWPROCDELFILE configuration option was improved. The check for hidden files and directories was improved.

  •  23 Sep 2007 07:50

     Release Notes: This is the final release of version 1.3.0. 30 new features were added. 47 changes and 16 bugfixes were made.

  •  22 Jul 2007 16:29

     Release Notes: Given the timeframe between releases, the changelog is packed, listing 34 new features, 47 changes, and 16 bugfixes. The new option '--propupd' replaces 'hashupd.sh'. The new option '--pkgmgr' supports RPM, dpkg, and BSD-style package managers. Support has been added for Ubuntu and for the 'dash' and 'ash' shells. Internationalization (i18n) has been added. The new options '--enable' and '--disable' specify which tests are run or skipped. Support for Solaris 10 inetadm. More whitelisting options.
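The file-properties baseline that '--propupd' maintains, and the 'known good' check that compares installed files against it, can be illustrated with the following added example. It is not rkhunter's own code: it assumes bash with GNU coreutils (sha256sum, stat -c, mktemp), and the functions prop_record, propupd and propchk, the baseline format and the file names in the demo are invented for the illustration. It also shows the per-file refresh that '--propupd <file>' provides, which is the right workflow when a hash mismatch is caused by a package update: confirm the file with the package manager first, then refresh only that entry instead of re-trusting the whole baseline.

```bash
#!/bin/bash
# Added example, not rkhunter's own code: a minimal file-properties baseline
# modelled on 'rkhunter --propupd [file]' and its 'known good' check.
# Assumes bash plus GNU coreutils (sha256sum, stat -c, mktemp); file names
# must not contain spaces, as in rkhunter's own whitespace-separated databases.

# Print one baseline line per file: path, content hash, mode:uid:gid:inode:size.
prop_record() {
    local f
    for f in "$@"; do
        printf '%s %s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a:%u:%g:%i:%s' "$f")"
    done
}

# propupd BASELINE FILE...: (re)create the baseline for at least one file.
# If the baseline already exists, only the named files are refreshed, as
# '--propupd <file>' does, so an operator can accept one package update
# without re-trusting every other binary.
propupd() {
    local db=$1; shift
    local tmp lst
    tmp=$(mktemp); lst=$(mktemp)
    if [ -f "$db" ] && [ $# -gt 0 ]; then
        printf '%s\n' "$@" > "$lst"
        # Keep existing entries except those being refreshed (field 1 is the path).
        awk 'NR == FNR { skip[$0] = 1; next } !($1 in skip)' "$lst" "$db" > "$tmp"
    fi
    prop_record "$@" >> "$tmp"
    mv "$tmp" "$db"; rm -f "$lst"
}

# propchk BASELINE: compare every recorded file with its stored properties.
# Prints an rkhunter-style verdict per file; returns 1 if any file is BAD
# (changed content, mode, owner, inode or size) or missing.
propchk() {
    local db=$1 rc=0 f hash props
    while read -r f hash props; do
        if [ -e "$f" ] && [ "$(prop_record "$f")" = "$f $hash $props" ]; then
            printf '%-30s [ OK ]\n' "$f"
        else
            printf '%-30s [ BAD ]\n' "$f"; rc=1
        fi
    done < "$db"
    return "$rc"
}

# Demo on constructed files standing in for system binaries.
demo() {
    local dir db
    dir=$(mktemp -d); db="$dir/rkhunter.dat"
    printf 'ELF-lsattr-v1.37\n' > "$dir/lsattr"
    printf 'ELF-ps\n' > "$dir/ps"
    propupd "$db" "$dir/lsattr" "$dir/ps"        # initial baseline: everything trusted
    propchk "$db"                                 # both [ OK ]
    printf 'ELF-lsattr-v1.38\n' > "$dir/lsattr"   # a package update replaces lsattr
    propchk "$db" || echo "hash mismatch: verify the file with the package manager first"
    propupd "$db" "$dir/lsattr"                   # accept only the reviewed file
    propchk "$db"                                 # back to [ OK ]
    rm -rf "$dir"
}

demo
```

The inode and size are recorded alongside the hash because a replaced binary usually changes them even when an attacker takes care to preserve mode and ownership; a verdict of BAD is therefore a prompt to verify the file against the package manager, not proof of compromise on its own.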

Recent comments

28 Sep 2009 16:20 solarjdp69

Great software! Suggestion: change the output from "not infected" to "clean". Only use the word infected if there is a suspicious or infected file; that way we can grep for the words infected or suspicious.

25 Jan 2006 14:48 unSpawn

Announce: Rootkit Hunter mailing list
I would like to announce that Rootkit Hunter now has a mailing list on SourceForge. If you run RKH, please go to http://lists.sourceforge.net/mailman/listinfo/rkhunter-users to add yourself to the list, to be able to ask questions, discuss topics related to RKH, drop requests, or even help out with RKH.

Cheers, unSpawn

20 Sep 2005 00:58 jmmurillo

MD5 check fails on Fedora Core 3 file
Hi,

I have a server with Fedora Core 3. Recently I updated the e2fsprogs-1.38-0.FC3.1 rpm package, and then Rkhunter returns an MD5 error for the /usr/bin/lsattr file, which is included in that package. Is it a false negative?

Thanks.

Here is the rkhunter 1.2.7 log:

    Rootkit Hunter 1.2.7 is running
    Determining OS... Ready
    Checking binaries
    * Selftests
    Strings (command) [ OK ]
    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /bin/cat [ OK ]
    /bin/chmod [ OK ]
    /bin/chown [ OK ]
    /bin/dmesg [ OK ]
    /bin/egrep [ OK ]
    /bin/env [ OK ]
    /bin/fgrep [ OK ]
    /bin/grep [ OK ]
    /bin/kill [ OK ]
    /bin/login [ OK ]
    /bin/ls [ OK ]
    /bin/mount [ OK ]
    /bin/netstat [ OK ]
    /bin/ps [ OK ]
    /bin/su [ OK ]
    /sbin/chkconfig [ OK ]
    /sbin/depmod [ OK ]
    /sbin/ifconfig [ OK ]
    /sbin/init [ OK ]
    /sbin/insmod [ OK ]
    /sbin/ip [ OK ]
    /sbin/modinfo [ OK ]
    /sbin/runlevel [ OK ]
    /sbin/sysctl [ OK ]
    /sbin/syslogd [ OK ]
    /usr/bin/file [ OK ]
    /usr/bin/find [ OK ]
    /usr/bin/kill [ OK ]
    /usr/bin/killall [ OK ]
    /usr/bin/lsattr [ BAD ] <---- MD5 fails
    /usr/bin/pstree [ OK ]
    /usr/bin/sha1sum [ OK ]
    /usr/bin/stat [ OK ]
    /usr/bin/users [ OK ]
    /usr/bin/w [ OK ]
    /usr/bin/watch [ OK ]
    /usr/bin/who [ OK ]
    /usr/bin/whoami [ OK ]
    -------------------------------------------------
    Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
    binaries or updated packages (which give other hashes). Be sure your hashes are
    fully updated (rkhunter --update). If you're in doubt about these hashes, contact
    the author (fill in the contact form).
    -------------------------------------------------

07 Jun 2005 06:02 fox_inti

Problem with hash tests on SuSE
Hi, rkhunter is not doing the hash tests on my system:

    Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
    .
    .
    [14:20:02] ---------------------------- System checks ----------------------------
    [14:20:02] Info: kernel is 2.6
    [14:20:02] Info: Found /etc/SuSE-release
    [14:20:02] Info: Full OS name = SuSE Linux 9.2 (i586)
    [14:20:02] Info: OS ID = 163
    [14:20:02] Info: Using /usr/bin/md5sum to verify MD5 hashes
    [14:20:02] Info: /usr/bin/md5sum found
    [14:20:02] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
    [14:20:02] Info: UID is zero (root)
    [14:20:02] Info: Perl version 5.8.5 found
    [14:20:02] Info: Digest::MD5 installed (version 2.33).
    [14:20:02] Info: Using Perl Digest::MD5 module instead of /usr/bin/md5sum
    [14:20:02] Info: Digest::SHA1 installed (version 2.10).
    [14:20:02] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
    [14:20:02] ---------------------------- File checks -----------------------------
    [14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
    [14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
    [14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
    [14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
    [14:20:02] ------------------------------ Selftests ------------------------------
    [14:20:02] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
    [14:20:02] Strings selftest: scanning for string /usr/lib/.../ls... OK
    .
    .
    all OK
    .
    .
    [14:20:03] ---------------------------- MD5 hash tests ---------------------------
    [14:20:03] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
    [14:20:09] ------------------------------ Rootkits ------------------------------

That's all it shows.

If I run the .pl manually I get:

    /usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl /bin/ps
    f9d313f205a74e710baa3c3702caa145

Any ideas what's wrong?

24 May 2005 23:37 MBoelen

Re: strange update issue.
This is solved in release version 1.2.7.
