Rootkit Hunter v1.4.6: security monitoring and analyzing tool for POSIX compliant systems
Rootkit Hunter (commonly abbreviated as RKH) is a security monitoring and analyzing tool for POSIX compliant systems. It helps you detect known rootkits and malware, and it flags generally bad security practices. Rootkits have a characteristic structure and place files in characteristic locations, which are known to the Rootkit Hunter team; this is similar to virus signatures. RKH offers additional scans that may assist you.
One of the features RKH offers is a scan for changed file properties, similar to some of the criteria that file integrity checkers use. It is completely dependent on having a correct database to compare against. In general, this is achieved by installing Rootkit Hunter right after a clean Operating System installation.
Rootkit Hunter is not a reactive tool: it only enumerates the threats it encounters. It is up to you to read the log file and investigate suspicious activity.
The RKH team includes documentation with each release (which you can also find online). In addition, this Wiki offers limited suggestions. Another source of information is the rkhunter-users mailing list archive. If you cannot find a solution to your problem in those sources, would like to suggest improvements, or would like to discuss a breach of security, you are invited to join the rkhunter-users mailing list. If you would like to submit a patch, you can also use our Sourceforge bug tracker.
This scanning tool needs root privileges, both to run a manual scan and to create a cron job. Therefore, you will also need root privileges to view the log, which is under /var/log/
Changelog
* 1.4.6 (20/02/2018)
New:
- Added support for Alpine Linux (busybox).
- Added the ‘Diamorphine LKM’ test.
- Added the ALLOWIPCPID configuration file option. This will allow specific PIDs to be whitelisted from the shared memory check.
- Added the ALLOWIPCUSER configuration file option. This will allow specific usernames to be whitelisted from the shared memory check.
- Added the IPC_SEG_SIZE configuration file option. This can be used to set the minimum shared memory segment size to check. The default value is 1048576 bytes (1MB).
- Added the SKIP_INODE_CHECK configuration file option. Setting this option will disable the reporting of any changed inode numbers. The default is to report inode changes. (This option may be useful for filesystems such as Btrfs.)
- Added Ebury sshd backdoor test.
- Added a new SSH configuration test to check for various suspicious configuration options. Currently, there is only one check, which relates to the Ebury backdoor.
- Added basic test for Jynx2 rootkit.
- Added Komplex trojan test.
- Added basic test for KeRanger running process.
- Added test for Keydnap backdoor.
- Added basic test for Eleanor backdoor running process.
- Added basic tests for Mokes backdoor.
- Added tests for Proton backdoor.
- Added the SUSPSCAN_WHITELIST configuration file option. This option can be used to whitelist file pathnames from the ‘suspscan’ test.
Changes:
- The ‘ipc_shared_mem’ test will now log the minimum segment size that will be checked. It will also log the size of any segments which appear suspicious (that is, larger than the configured allowed maximum size).
- If verbose logging is disabled, then generally only the test name and the final result for the test will now be logged.
- Kernel symbol checks will now use the ‘System.map’ file if it exists and no other kernel symbol file can be found.
Bugfixes:
- For prelinked systems, ensure that the default hash function is SHA1 and not SHA256.
- The result from the ‘hidden_procs’ test was not being calculated correctly.
- Checking the O/S version number could be missed in some cases.
- Minor improvement to the *BSD immutable files check.
- The ‘OS_VERSION_FILE’ configuration option pathname cannot be a link, but this was not checked.
- Improved checks for the O/S name on Devuan systems.
- Handling of the ‘/etc/issue’ file during O/S detection has now improved. Escape sequences are either replaced or removed.
- More…
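To make the shared memory check described by the ALLOWIPCPID, ALLOWIPCUSER and IPC_SEG_SIZE options concrete, here is an added shell illustration of that logic; it is not rkhunter's own code. The segment records, the whitelist values and the space-separated whitelist format are constructed assumptions for the example, not the real rkhunter.conf syntax.

```shell
#!/bin/sh
# Illustration (not rkhunter's code): report shared memory segments larger than
# IPC_SEG_SIZE unless the creating PID or the owning user is whitelisted.

IPC_SEG_SIZE=1048576        # default named in the changelog: 1048576 bytes (1MB)
ALLOWIPCPID="4242"          # constructed whitelist of creator PIDs (space separated)
ALLOWIPCUSER="postgres"     # constructed whitelist of owning users (space separated)

# Constructed sample records, one segment per line: shmid owner cpid bytes.
# (Real output would come from ipcs; these values are made up for the example.)
SEGMENTS='65536 root 1200 65536
98305 postgres 4100 134217728
131074 www 4242 4194304
163843 jdoe 5001 8388608'

# check_segments: print "shmid owner cpid bytes" for every suspicious segment,
# i.e. larger than IPC_SEG_SIZE and matching neither whitelist.
check_segments() {
    printf '%s\n' "$SEGMENTS" | awk -v min="$IPC_SEG_SIZE" \
        -v pids="$ALLOWIPCPID" -v users="$ALLOWIPCUSER" '
    BEGIN {
        n = split(pids, p, " ");  for (i = 1; i <= n; i++) allow_pid[p[i]] = 1
        n = split(users, u, " "); for (i = 1; i <= n; i++) allow_user[u[i]] = 1
    }
    NF == 4 && ($4 + 0) > min && !($3 in allow_pid) && !($2 in allow_user) {
        print $1, $2, $3, $4
    }'
}

# report_ipc: mirror the changelog's logging behaviour: state the minimum size
# checked, then the size of each suspicious segment.
report_ipc() {
    printf 'Checking shared memory segments larger than %s bytes\n' "$IPC_SEG_SIZE"
    check_segments | while read -r id owner pid bytes; do
        printf 'Warning: segment %s (owner %s, creator PID %s) is %s bytes\n' \
            "$id" "$owner" "$pid" "$bytes"
    done
}

report_ipc
```

With the sample data only the segment owned by jdoe is reported: the root segment is below the size threshold, the postgres segment is excused by ALLOWIPCUSER, and the one created by PID 4242 by ALLOWIPCPID.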
Usage
Copyright (c) 2003-2017, Michael Boelen