From LQWiki
This page can be translated to major languages at http://www.online-translator.com/, or search Google for other translators. I am changing to thumbnails; click on the link to see the bigger picture (no pun intended).
FAQ
Moved to this page FAQ.
CVS AND BETA EDITION
The CVS edition is covered on a new page, CVS-rkh.
The beta is now here:
http://sourceforge.net/project/showfiles.php?group_id=155034
DOWNLOAD
Download from here: http://sourceforge.net/project/showfiles.php?group_id=155034
Go to the same link to download hashupd if required. But let's start here.
INSTALLING
Assuming you have downloaded the file to a folder where you have write permission, e.g. /home/your name/Download,
you will have a file called rkhunter-(version number).tar.gz (currently 1.2.9).
Open a terminal and issue the following commands, one per line:
cd /pathway to file folder/
tar zxfv rkhunter-(version number).tar.gz
cd rkhunter-(version number)
su (then enter the root password)
./installer.sh
http://www.filehigh.com/viewimg.php?f=28132&i=289205
If successful you get the message "Installation ready" http://www.filehigh.com/viewimg.php?f=28132&i=289207
You can delete the tar.gz file, as the install placed the executables under /usr/.
If you have errors, read Installing_Software and correct them.
UPDATING DATABASE
Getting unknown version numbers for your distro.
If you do not update your database first you may also get this:
http://www.filehigh.com/viewimg.php?f=28132&i=279590
So update the database files in /usr/local/rkhunter/lib/rkhunter/db with this command: rkhunter --update
Run the command again until you get SIX "Up to date" results. http://www.filehigh.com/viewimg.php?f=28132&i=281993
I recommend you do not alter the file /usr/local/etc/rkhunter.conf until it checks your system for the first time.
There is currently an overwrite of your md5sums if you first had to use hashupd, so each time you update, re-run hashupd. This is going to be fixed soonish.
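An added example (not code from the LQWiki page or the rkhunter project) of the "run it again until you get six up to dates" step as a POSIX sh loop with a retry limit. It assumes that rkhunter --update prints one "Up to date" line per current database file, as the page describes; the stand-in updater below and its output format are constructed so the loop can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the LQWiki page or the rkhunter project.
# Re-run "rkhunter --update" until it reports all SIX database files as
# "Up to date", as the page recommends, but give up after a fixed number
# of tries so a slow or dead mirror cannot hang the script.

# Count how many database files one update run reported as current.
count_up_to_date() {
    grep -c 'Up to date' "$1" || true
}

# Run $1 (the update command) until its output shows $2 current files,
# at most $3 times. Prints the attempts used; returns 1 if never reached.
update_until_current() {
    cmd=$1 wanted=$2 max=$3 n=0
    out=$(mktemp)
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        $cmd >"$out" 2>&1 || true   # non-zero exit just means something was stale
        if [ "$(count_up_to_date "$out")" -ge "$wanted" ]; then
            rm -f "$out"; echo "$n"; return 0
        fi
    done
    rm -f "$out"; echo "$n"; return 1
}

# Constructed stand-in for "rkhunter --update" so the logic can be exercised
# offline: the output format only resembles rkhunter 1.2.x, and each run
# leaves one fewer file stale than the run before it.
FAKE_STALE=2
fake_update() {
    i=1
    for f in 'Mirror file' 'MD5 hashes' 'OS information' \
             'Good program versions' 'Bad program versions' 'Backdoor ports'; do
        if [ "$i" -le "$FAKE_STALE" ]; then
            echo "[DB] $f : Updated"
        else
            echo "[DB] $f : Up to date"
        fi
        i=$((i + 1))
    done
    if [ "$FAKE_STALE" -gt 0 ]; then FAKE_STALE=$((FAKE_STALE - 1)); fi
}

# Offline demonstration: three runs are needed before all six are current.
# For a real system (as root) use: update_until_current 'rkhunter --update' 6 5
attempts=$(update_until_current fake_update 6 5)
echo "All six database files current after $attempts run(s)"
```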
CVS edition users may instead get
The file of stored file properties (rkhunter.dat) is empty
so run
rkhunter --propupd
The CVS FAQ says: When using the '--propupd' option it is the user's responsibility to ensure that the files on their system are genuine. Rootkit Hunter can only inform the user of a change to the files, not whether they are the original files or not. Although Rootkit Hunter can use a package manager for some systems, it must be remembered that the package manager itself uses files stored on the system. Those files may have been tampered with.
YOUR FIRST SCAN
The available options are listed by the command rkhunter --help
I suggest the following command, which runs all checks (-c) and skips the keyboard prompts (-sk):
rkhunter -c -sk
http://www.filehigh.com/viewimg.php?f=28132&i=289849
Here is the result.
http://www.filehigh.com/viewimg.php?f=28132&i=289857
If your distro is not in the current database you will get a warning like this.
http://www.filehigh.com/viewimg.php?f=28132&i=279575
See the hashupd section below to fix this issue.
CHECK FOR WARNINGS
Scrolling up in Konsole (the default terminal for KDE users) I can see this warning.
Note you may have more than one set of warnings. http://www.filehigh.com/viewimg.php?f=28132&i=279588
So I need to inspect the hidden directory (folder) .java.
http://www.filehigh.com/viewimg.php?f=28132&i=289868
And the hidden udevdb folder.
Note that, as per the readme files and the configuration file already mentioned, your distro may use different hidden directories and files; I am on Mandriva. http://www.filehigh.com/viewimg.php?f=28132&i=279577
Let's drill down one layer. http://www.filehigh.com/viewimg.php?f=28132&i=279579
Let's peek at the other etc hidden files as well. They are at the top of the list in the file manager.
http://www.filehigh.com/viewimg.php?f=28132&i=289875
OK, a warning is also seen for the check of my ssh config here:
http://www.filehigh.com/viewimg.php?f=28132&i=343668
GETTING A BAD RESULT
You may get a scan result that shows a BAD:
http://www.filehigh.com/viewimg.php?f=28132&i=331541
In the example, you would read the FAQ, research your software installer and remember (if possible) what updates you did, and that they were from a trusted source, etc.
I scrolled through my Mandriva /var/log/syslog and saw the date etc. of when I updated this file.
I could research this further as per the FAQ, but I remember the download.
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3.1mdv2007.0 installed
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3mdk removed
So while the update engine failed to update my wget hash, I just ran hashupd.sh to update locally and then rescanned.
This can happen with any updates and new software, so do not panic. Please read the FAQ and see the hashupd section for further information.
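An added example (not code from the LQWiki page or the rkhunter project) covering the CHECK FOR WARNINGS and BAD result steps above: save the scan output and list only the flagged lines rather than scrolling back in Konsole, then grep syslog for the package manager's entries for a flagged package, which is the check done by hand for wget above. The scan sample and the third syslog line are constructed; the first two syslog lines are the ones quoted on this page, and run_scan assumes the rkhunter -c -sk command the page suggests.

```shell
#!/bin/sh
# Added example, not code from the LQWiki page or the rkhunter project.
# Keep a copy of the scan output and pull out only the lines flagged
# Warning or BAD instead of scrolling back through Konsole, then look up
# in syslog when the package manager last touched a flagged package
# (the check the page does by hand for wget).

# Print only the flagged scan lines; "|| true" keeps an empty result
# from aborting a script that runs under "set -e".
scan_problems() {
    grep -E 'Warning|\[ *BAD *\]' "$1" || true
}

# Number of flagged lines, for a quick summary.
scan_problem_count() {
    scan_problems "$1" | wc -l | tr -d ' '
}

# Package-manager entries for package $2 in syslog file $1, matching the
# Mandriva "[RPM] name-version installed/removed" lines quoted on the page.
package_history() {
    grep -E "\[RPM\] $2-[0-9][^ ]* (installed|removed)" "$1" || true
}

# Real use, as root: run the scan the page suggests and keep the output.
run_scan() {
    rkhunter -c -sk 2>&1 | tee "$1"
    scan_problems "$1"
}
# Constructed sample files so the functions can be exercised offline; the
# scan layout only resembles what rkhunter 1.2.x prints.
SCAN=$(mktemp); SYSLOG=$(mktemp)
trap 'rm -f "$SCAN" "$SYSLOG"' EXIT
cat >"$SCAN" <<'EOF'
Checking for hidden files and directories...
  /etc/.java                                    [ Warning! ]
  /dev/.udevdb                                  [ Warning! ]
Checking binaries...
  /bin/ls                                       [ OK ]
  /usr/bin/wget                                 [ BAD ]
EOF
cat >"$SYSLOG" <<'EOF'
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3.1mdv2007.0 installed
Jan 20 17:15:39 g MandrivaUpdate[4161]: [RPM] wget-1.10.2-3mdk removed
Jan 20 17:16:02 g kernel: usb 1-1: new full speed USB device using uhci_hcd
EOF
echo "$(scan_problem_count "$SCAN") line(s) need attention:"
scan_problems "$SCAN"
package_history "$SYSLOG" wget
```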
OPTIONAL: YOU CAN MODIFY THE CONFIG FILE
/usr/local/etc/rkhunter.conf
Now that I am confident all is OK with the hidden stuff, you can choose to modify the config file to uncomment the relevant hidden files or directories and/or add such entries to the file.
LAST SCAN
After I decided to modify the config file I re-scanned.
http://www.filehigh.com/viewimg.php?f=28132&i=289940
HASHUPD
hashupd.sh is a way of updating your hash data (md5sums) file if your distro is not in the current data file.
It is also used when you have updated your software and the sourceforge site is currently a little behind in hashes.
Naturally, read the FAQ on security checks before you rush in and run the hashupd.sh file.
Download it from the same link at the top of the page.
It is recommended you run this command on a clean install with no potential corruption from a network. To run this after you have already connected to the net may create a false hash for a corrupted file.
However, each time you run the update command you then need to run the hashupd command, until your operating system is in the OS data file. This is because each update command overwrites your locally produced data file, unless you run rkh with a different path to the data.
Note that I run my hashupd as an sh command like this:
rkhunter --update (data file is overwritten)
cd /pathway to file for hashupd
sh hashupd.sh (local hash file overwrites again)
rkhunter -c -sk
The pic shows the first end part of the update and the full hashupd image.
http://www.filehigh.com/viewimg.php?f=28132&i=289924
ROOTKIT DETECTED
unSpawn must be acknowledged as providing all assistance in my attempt to get a kit installed.
http://www.filehigh.com/viewimg.php?f=28132&i=316850
The result screen is misleading: this was not a true rootkit, as the software is used for honeypots and was deliberately installed to illustrate the scan process. Even the rootkit area does not call it a rootkit. However, if you did not install it, then it is a kit.
To locate what strange thing had been installed, I needed to scroll up to the rootkit area.
http://www.filehigh.com/viewimg.php?f=28132&i=314760
Join the mailing list, post the abbreviated result that is troubling you and let the team help you. Then you can help by adding to the database if it's a kit.
I suggest you stop using the hard drive system and get onto another computer, or use a live CD, to research the named kit. The team at the mailing list will of course give better advice than I.
Hopefully you have partimage images to restore; otherwise, as per unSpawn's kind articles on security, you need to do a clean install.
There are so many live CDs nowadays; download one now from http://www.distromania.com or http://www.distrowatch.org
Lots of security links and advice is here (unSpawn's sticky post) http://www.linuxquestions.org/questions/showthread.php?t=45261
Good advice and history here http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html Note that author David O'Brien recommends that you cannot restore backups UNLESS they are verified. That means you had to do a clean install, run multiple testers, then store off the computer to be trusted.
For simple users like me, partimage stored on DVD or CD-R is good enough. If you are a sysadmin you probably won't be reading this. However, restore each image and rescan with the updated tools such as rkhunter, to be sure to be sure.
And some more nice info http://www.fish2.com/tct/help-when-broken-into
UNHIDE SCANNER (OPTIONAL)
You may wish to run other scanners, including UNHIDE.
OTHER QUERIES NOT IN READMES ETC
I suggest you search the archived emails for rkhunter here:
http://sourceforge.net/mailarchive/forum.php?forum=rkhunter-users
If no luck, please subscribe to the mailing list.
Be aware that it is only a small number of volunteers, so speedy replies may not occur if there is a large number of emails.
ADVOCACY: OTHER SITE MENTIONS
For this list, if others contribute, please consider only sites that link to the sourceforge site. The exception to my own rule is this link, as it is a major site likely to be visited by newbies.
http://www.linux.org/lessons/advanced/x507.html
Better sites include:
http://www.foogazi.com/2007/01/03/the-best-linux-security-tools/ (a probable Google hit with those keywords)
Mandriva does not yet have it in the main repository but as a contrib package; docs on the Mandriva wiki are here:
http://wiki.mandriva.com/en/Docs/SysAdmin/Security/rkhunter
Ubuntu mentions the logfile here:
https://help.ubuntu.com/community/LinuxLogFiles#head-3f1d6beea5180048c68c2f0fb4848eb236061e04
and that it is on their list of security tools here:
https://help.ubuntu.com/community/InstallingSecurityTools?highlight=%28rootkit%29%7C%28hunter%29