
From LQWiki


ROOTKIT HUNTER FREQUENTLY ASKED QUESTIONS (FAQ)

The sourceforge version of this FAQ can be found in CVS at the RKH web site.

http://rkhunter.cvs.sourceforge.net/rkhunter/rkhunter/files/

The wiki FAQ may differ from it, as others or I make changes under the wiki rules.

If your browser has no back function, the main page is here: http://wiki.linuxquestions.org/wiki/Rootkit_Hunter



GENERAL QUESTIONS

1.1) What is Rootkit Hunter?

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.


1.2) What are rootkits?

Most often they are self-hiding toolkits used by blackhats, crackers and script kiddies to stay out of the sysadmin's sight.


1.3) Can I help with the development of this project?

Yes, everyone can help in some way. For example:

Help your fellow Rootkit Hunter users on the rkhunter-users mailing list;

Send a copy of an undetected rootkit to us so that it can be added and help others;

Are you a package maintainer? If so, then please submit your changes to us so that everyone can benefit from them;

Are you an end-user? FOSS, and hence RKH, ultimately depends upon you. Contributing is your responsibility, not someone else's. Whatever you contribute is very much welcomed.

E.g. contribute to or discuss enhancing Rootkit Hunter with us; submit a patch or discuss enhancements; file a bug report; or test the application by using it on your servers.


1.4) I like your software! How can I thank you?

Simple - by contributing. See question 1.3 above.


1.5) Which CLI application do the maintainers prefer?

bash

INSTALLATION QUESTIONS

2.1) How do I install Rootkit Hunter?

Instructions on installing RKH can be found in the README file.


2.2) How do I create a Rootkit Hunter RPM file?

The RKH source contains an rkhunter.spec file which will allow an RPM to be built. To build the RPM run the following command:

rpmbuild -ta rkhunter-<version>.tar.gz

NOTE: The RKH development team do not support any third-party RPM files. However, the rkhunter.spec file will be maintained.


USAGE QUESTIONS

3.1) Rootkit Hunter tells me there is something wrong with my system. What do I do?

Prior to any incident it is recommended that you have read the "Intruder Detection Checklist". This is available from http://www.cert.org/tech_tips/intruder_detection_checklist.html
This document will tell you what to check, and makes it easier for you to find out what happened and to answer any questions.

If you are unsure as to whether your system is compromised, you can get a second opinion from sources such as the rkhunter-users mailing list, the Linux oriented forum www.linuxQuestions.org, or even IRC.

If just one check fails with RKH, then it is possible you have what is called a 'false positive'. Sometimes this will happen due to package updates, customised configurations or changed binaries. If so, then please validate:

Files:

If you run a file integrity checker, for example AIDE, Samhain or Tripwire, consult the results from running those tools. Note they must be installed directly after the O/S installation in order to be useful, and you must keep a copy of the binary, configuration files and databases off-site.

Also note that running those tools, and Rootkit Hunter, is no substitute for updating software when updates are released, and proper host and network hardening.

If you don't run a file integrity checker you can possibly use your distribution's package management system, if it is configured to deal with verification.

Run 'strings <file>' and check the results for untrusted file paths (for example, /dev/.hiddendir).

Check recently updated binaries and their original source.

Run command

file <file>

and compare the results with other files, especially trusted binaries. If some binaries are statically linked and others are all dynamic, then they could have been trojaned.

Other warnings:

If you have a warning about another part of the checks, then please email the rkhunter-users mailing list and tell us about your system configuration:

--the purpose of the server (for example, web server, intranet fileserver, shell server);

--the (approximate) date of the incident and when you found out;

--the running distribution name, release and kernel version;

--whether any passwd/shadow data has changed;

--any anomalies you find from reading the system, daemon, IDS and firewall logs;

--if all the installed software was recently updated;

--what services are or were running at the time;

--if you found setuid root files in directories for temporary files;

--any anomalies you find from reading user shell histories.

If your system is infected with a rootkit, cleaning up is not an option. Restoring is also not an option unless you are skilled and have autonomous and independent means of verifying that the backup is clean and does not contain misconfigured or stale software. Never trust a compromised machine. Period.

Read "Steps for Recovering from a UNIX or NT System Compromise". This is available from
http://www.cert.org/tech_tips/root_compromise.html

A clean install of the system is recommended after backing up the full system. To do this follow these steps:

1. Stay calm. Be methodical.

2. From another machine inform users, and the network, facility or host owner, that the machine is compromised.

3. Get the host offline or make sure the firewall is raised to only allow network traffic to and from your management IP address or range.

4. Backup your data. If you do not intend to investigate the problem, then do not backup any binaries or binary data which you cannot verify.

5. Verify the integrity of your backup by visual inspection (authentication data, configurations, log files), or by using a file integrity checker or your distribution's package management tools.

6. Install your host with a fresh install. Whilst you are updating and configuring the software and services, restrict network access to the system using authentication features like accounts, PAM, firewall, TCP wrappers, and daemon configurations. Make sure you properly harden the machine.

7. Investigate the old log files, and the tools used if possible. Also investigate the services which were vulnerable at the time of attack.


3.2) Rootkit Hunter tells me a lot of installed software is vulnerable. What does that mean?

It means that the software possibly contains software bugs which make local or remote attacks possible. In the worst case, a person with malicious intentions could gain full access to your server.


3.3) Rootkit Hunter tells me that I have vulnerable applications installed. But I have fully patched my server! How is this possible?

Some distributions, for example Red Hat and OpenBSD, backport security patches to old versions of software without changing the version number. Rootkit Hunter, however, only sees the old version number, and so reports the application as vulnerable.

If you wish, you can skip the application check by using the '--skip-application-check' command-line option.


3.4) How can I run Rootkit Hunter every day?

Save the following script as /etc/cron.daily/rkhunter and make it executable:

#!/bin/sh
(
  /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' root


For Linux systems, if the script is saved in the /etc/cron.daily directory, then the system will automatically run it once per day.

Alternatively, the rkhunter command can be added directly to your root crontab, e.g.:

30 5 * * * /rkhunter -c --cronjob 

Rootkit Hunter will now run at 5:30 (AM).

3.5) Database queries - the good, the bad and the ugly

On a Mandriva distro the database files live in the folder /usr/local/rkhunter/lib/rkhunter/db

The GOOD files refer to project members running a check on a known clean install, with or without updates/upgrades.

The BAD files include scans of a known rootkit, or of a file corrupted by other malicious activity.

Please do not become complacent if your scan reports no BAD files and everything OK.

3.6) Database queries - installed software whose service is disabled

A number of people have software installed whose daemon is turned off or whose service is disabled (mainly via the configuration in the /etc/ folder). The checks RKH does are for running services or enabled daemons.

E.g. John Horne of the rkhunter mailing list replied to a question about /usr/bin/ssh:

The test looks for sshd, not ssh, since that is what will decide if someone can access your system or not.


3.7) I have done a clean install and I have bad hashes, why?

And I have disabled the network, and verified the ISO image md5sum against a reliable mirror.

There are 3 main reasons:

1 Your distro and version are not up to date in the data files from the server, and you forgot to run the update command.

2 You did run the update command but there are still no updated hashes in the database.

In that case you have false positives: with no network available to corrupt the clean install, and the ISO image checks all OK, the BAD results are not a concern. Now run the hashupd command.

3 Your distro was and is corrupt. Refer to (3.1).


3.8) I need to run hashupd, and when I run the RKH update command I get a 'distro unknown' result. Why?

John Horne replies:

These are two separate processes: one is the RKH --update option, the other is the hashupd.sh script. Both run independently of each other and each will overwrite the os.dat script. So, yes, if you used the hashupd.sh script, and then ran RKH --update, it will overwrite os.dat and lose your O/S name. You have to run hashupd.sh again afterwards.

The hashupd.sh script was a quick mechanism to allow users to update their own local os.dat with their particular system details - mainly for those instances where the O/S had not yet been permanently put into os.dat, or prelinking had caused the hashes to become invalid.

ERROR, WARNING & other MESSAGES

4.1) What does the warning "Determining OS... Warning: this operating system is not fully supported!" mean?

It simply means that not all functions and checks can be performed, because the system is 'unknown' to RKH.

If you want support for the O/S, then please open a Support request in the RKH tracker system on the web site.


4.2) Rootkit Hunter gives me an error message that some binary could not be found. What do I do?

Sometimes a binary cannot be found via the PATH variable. Because Rootkit Hunter tries to run the binary by executing it without a full pathname, the system will search its PATH. If the binary cannot be found, then an error will occur.

E.g. when checking loaded kernel modules:

/usr/local/bin/rkhunter

lsmod: command not found

Warning! found difference in output


To resolve this enter the command 'echo $PATH' and check that your PATH settings are correct.


4.3) I get warnings from PHP, like "PHP Warning: Function registration failed - duplicate name - pg_update in Unknown on line 0". What does this mean?

This is usually because you have updated the Apache version of PHP, but forgot to update/recompile the CLI (console version) of PHP. So recompile/update it and try again.


4.4) I use prelinking, but after performing some updates, all, or some, binaries are 'BAD' when running the MD5 hash check. What can I do?

The first thing would be to verify that the update is the cause of the reported 'BAD' files. Checking the system log files should indicate what has been updated.

If the update is the cause, then it is most likely that the prelinking database has become out of step with the rkhunter local MD5 hash values. To correct this will require rebuilding the prelinking database and the rkhunter local hash values.

Prelinking is used by the system to optimize the use of binary files and libraries.

To correct this problem you will need to use a small utility, called 'hashupd.sh', which is downloadable from the sourceforge web site as part of rkhunter http://sourceforge.net/project/showfiles.php?group_id=155034
Download the utility, and make it executable.

On RedHat/Fedora, it is necessary to carry out the following procedure:

1) If you are running SELinux then temporarily disable it by typing command

setenforce 0

Note: If you are unsure whether you are running SELinux or not, then type command

sestatus

A line containing 'Current mode: enforcing' indicates that you are running SELinux. If it says 'permissive', then you are not currently running SELinux, and can ignore the steps about SELinux.

2) Run the daily prelink update script - to do this type in /etc/cron.daily/prelink;

3) Run the hashupd.sh script to update your local hash values;

4) Run rkhunter;

5) If rkhunter still shows 'BAD' hash entries, then type command

rm /etc/prelink.cache

and repeat the procedure from step 2. Note: Step 2 may now take some time to complete.

6) Re-enable SELinux, if you disabled it, by typing in command

setenforce 1

Hopefully rkhunter will now work without any problems with hash values.

For other Linux distributions you will need to determine if, and how, prelinking takes place, and whether SELinux is present or not. It is possible that the above sequence will work for other distributions, but it is for the user to check this.
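The RedHat/Fedora procedure above, steps 1 to 6, written out as one script. This is an added example and not code from the FAQ or from the rkhunter project. It assumes that hashupd.sh has been downloaded to the current directory and made executable (the HASHUPD variable), that rkhunter is on the PATH, and that a failed hash is marked "[ BAD ]" in the rkhunter output as in question 4.8 below. The SELinux mode is read from sestatus so that enforcing mode is only switched off when it was actually on, and the system-changing steps only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not from the FAQ or the rkhunter project: the prelink
# recovery sequence of question 4.4 as one script.
# Assumptions: hashupd.sh is in the current directory and executable,
# rkhunter is on the PATH, and "[ BAD ]" marks a failed hash check.
HASHUPD=${HASHUPD:-./hashupd.sh}
PRELINK_CRON=/etc/cron.daily/prelink
PRELINK_CACHE=/etc/prelink.cache
LOG=${TMPDIR:-/tmp}/rkhunter-prelink.log

# Print the 'Current mode' value (enforcing/permissive) from sestatus output
# read on stdin; prints "none" when SELinux is absent or the line is missing.
selinux_mode() {
  mode=$(sed -n 's/^Current mode:[[:space:]]*//p' | head -n 1)
  if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'none\n'; fi
}

# Succeed when the rkhunter output on stdin still contains a BAD hash entry.
has_bad_hashes() {
  grep -q '\[ BAD \]'
}

# Steps 2 to 4: rebuild the prelink database, refresh the local hash values,
# run rkhunter; succeed only when no BAD hash entries remain.
rebuild_and_check() {
  "$PRELINK_CRON"                                        # step 2
  "$HASHUPD"                                             # step 3
  rkhunter --cronjob --report-warnings-only > "$LOG" 2>&1 || true   # step 4
  ! has_bad_hashes < "$LOG"
}

recover_from_prelink_mismatch() {
  mode=none
  if command -v sestatus >/dev/null 2>&1; then
    mode=$(sestatus | selinux_mode)
  fi
  if [ "$mode" = enforcing ]; then setenforce 0; fi     # step 1
  if ! rebuild_and_check; then                           # steps 2-4
    rm -f "$PRELINK_CACHE"                               # step 5
    rebuild_and_check                                    # repeat from step 2 (slow)
  fi
  if [ "$mode" = enforcing ]; then setenforce 1; fi     # step 6
  echo "rkhunter output saved in $LOG"
}

# The procedure is root-only and changes the system, so run it only on request.
if [ "${1:-}" = "--run" ]; then recover_from_prelink_mismatch; fi
```

Run it as root with `sh prelink-recover.sh --run`; if BAD entries are still listed in the saved log after the second pass, the cause is not the prelink database and question 3.1 applies.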


4.5) RKH detects hidden files or directories. What is the concern here?

Directory and file names starting with one or more dots are historically considered suspect, since they do not show up in the output of

ls -l

Rather than taking "bad" shortcuts such as treating a file or directory name as irrefutable proof of what it is used for, use your distro's package management tools to check which package a file belongs to and to verify whether it has been altered since installation. If it belongs to a package and is unaltered, it is what you call a "false positive", which you can add to the ignore section of rkhunter.conf so it is no longer reported. See the first page of the later scan result.

For the files that don't belong to any package you can use other tools for clues, for instance "stat" to see when they were modified and/or accessed, and "file" / "strings" to check what they contain.
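The checks from question 3.1 (package verification, 'file' and 'strings' on binaries) and from 4.5 (owner lookup, then 'stat', 'file' and 'strings' on files no package owns) as one triage script. This is an added example and not code from the FAQ or from the rkhunter project. The "suspect path" pattern for hidden entries under /dev, /tmp and /var/tmp is this example's own heuristic, built from the /dev/.hiddendir case in 3.1; 'rpm -Vf' is the verification step from question 4.8, with 'dpkg -S' assumed as the owner lookup on Debian-based systems.

```shell
#!/bin/sh
# Added example, not from the FAQ or the rkhunter project: triage helper for
# questions 3.1 and 4.5. Usage: sh triage.sh /path/to/file ...
# Assumption: the suspect-path pattern below is this example's own heuristic.

# Classify a `file -b` description: static, dynamic or unknown linking.
# A lone statically linked binary among dynamic ones deserves a closer look.
linking_kind() {
  case "$1" in
    *"statically linked"*)  echo static ;;
    *"dynamically linked"*) echo dynamic ;;
    *)                      echo unknown ;;
  esac
}

# Print the lines of a `strings` dump (stdin) that name a dot-prefixed entry
# under /dev, /tmp or /var/tmp, e.g. /dev/.hiddendir; "/dev/.." is skipped.
suspect_paths() {
  grep -E '/(dev|tmp|var/tmp)/\.[^./[:space:]][^/[:space:]]*' || true
}

# Number of suspect references in a `strings` dump given on stdin.
suspect_count() {
  suspect_paths | wc -l | tr -d ' '
}

# Name of the package owning a file, or nothing (rpm first, then dpkg).
owner_package() {
  if command -v rpm >/dev/null 2>&1; then
    out=$(rpm -qf "$1" 2>/dev/null) && printf '%s\n' "$out"
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg -S "$1" 2>/dev/null | cut -d: -f1
  fi
  return 0
}

# Full triage of one path; the output is for the reader to judge.
triage() {
  f=$1
  echo "== $f"
  pkg=$(owner_package "$f")
  if [ -n "$pkg" ]; then
    echo "package: $pkg"
    # rpm -Vf (question 4.8): no output means the file matches its package
    command -v rpm >/dev/null 2>&1 && rpm -Vf "$f"
  else
    echo "package: none - inspect by hand (stat/file/strings below)"
  fi
  desc=$(file -b "$f")
  echo "linking: $(linking_kind "$desc") ($desc)"
  stat -c 'modified: %y  accessed: %x' "$f" 2>/dev/null || stat "$f"
  echo "suspect path references: $(strings "$f" | suspect_count)"
  strings "$f" | suspect_paths | sed 's/^/  /'
}

for path in "$@"; do triage "$path"; done
```

Run it over the binaries rkhunter flagged together with a few trusted ones from the same directory, e.g. `sh triage.sh /bin/ls /bin/ps /bin/netstat`, and compare: a file that no package owns, that is linked differently from its neighbours, or that carries references to hidden directories needs the package-manager or integrity-checker verification from 3.1 before it is trusted.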


4.6) What about pre-link errors?

Sujit Nair writes:

prelink -uma ( remove all prelink )

prelink -av ( prelink all libraries )

If you are using libsafe you are bound to see some prelink errors that can be safely ignored


4.7) I get "Testing running processes... [ Skipped ]"?

John Horne replies: The test will be skipped if you do not have the 'lsof' command on your system.


4.8) I get /usr/sbin/prelink: /bin/more: at least one of file's dependencies has changed since prelinking /bin/more [ BAD ]?

John Horne replies: Prelinking is no verification of a file's integrity. As such I would run

rpm -Vf /bin/more

to ensure that the file and its package are correct (no output indicates that it is okay). Although it can, and has been, argued that even that does not *guarantee* that the file is genuine! It is for you to satisfy yourself that the file/package is valid; RKH can only indicate that something has changed.


4.9) The file of stored file properties (rkhunter.dat) is empty?

This applies to the CVS version (the 1.3 series, and the soon to be released stable 1.3 series).

The FAQ advises running

rkhunter --propupd

UPDATING QUESTIONS

5.1) What's up with Rootkit Hunter? I haven't seen any updates in ages.

In the second quarter of 2006, the founder of Rootkit Hunter found out the hard way that maintaining FOSS can be difficult when real-life commitments overrule. Management of the project was taken over by unSpawn, and a project group comprising developers and testers was formed.

The Rootkit Hunter project team is committed to making sure development continues. If you are interested in joining the development team, then send an email message to

unspawn at users dot sourceforge dot net


5.2) Rootkit Hunter tells me that I have multiple versions installed. How is this possible?

Usually you install a tool and upgrade it later. Sometimes, if you use a 'non-official' updater or package manager (e.g. one from an external party, or a build from source using an installer like RPM/DEB/TGZ), the binaries may be installed into a different location from the original. There are then two binaries with the same name, but in different locations. You will have to check which are the old binaries, and remove them.


5.3) Can I be notified when a new release will be available?

Yes, you can join the rkhunter-announce mailing list. This is a low volume list. Details can be found on the RKH web site.


5.4) Any plans for what will change in the next release?

Well, the data file situation is likely to change as RKH moves to a local hash system incorporating hashupd, so that RKH can get rid of the O/S (and default) hashes.

