What is Rootkit Hunter?
Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.
What are rootkits?
Most of the time they are self-hiding toolkits used by blackhats, crackers and scriptkiddies to avoid the eye of the sysadmin.
ROOTKIT HUNTER AS PART OF YOUR SECURITY STRATEGY
Rootkit Hunter is a host-based, passive, post-incident, path-based tool.
– Host-based means it only diagnoses the host you run it on.
– Passive means it has to be scheduled or run manually.
– Post-incident means it can only be effective when a breach of security is suspected, is in progress or has already occurred. Because rootkits hide processes and files from the running system, it may be beneficial to run Rootkit Hunter from a bootable medium if a breach of security is suspected and the machine can be booted from one.
– Path-based means RKH checks for file names. It does not include or use heuristics or signatures as, for instance, an antivirus product would. Do understand that the SCANROOTKITMODE configuration option and the “suspscan” functionality are only crude attempts to bridge that gap.
Rootkit Hunter is best deployed as part of your security strategy.
– Most breaches of security are preceded by reconnaissance. Regular system and log file auditing provides the necessary “early warning” capabilities.
– RKH does not replace, or absolve you from performing, proper host hardening. Common administration errors that may result in a breach of security include failing to apply updates when they are released, misconfiguration, lack of access restrictions and lack of auditing. Please see your distribution documentation and search the ‘net.
– Do not rely on one tool or one class of tools. Consider installing same-class tools like Chkrootkit or OSSEC-HIDS and consider overlap as a Good Thing. Additionally it is suggested you install and use a separate filesystem integrity scanner like Samhain, Aide, Integrit, Osiris (or even tripwire) to provide you with a second opinion.
– As with all data used for verifying integrity, it is recommended to regularly save a copy of your RKH data files off-site.
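The following added example (not rkhunter's own code) illustrates the difference drawn above between a path-based check, which only reports known file names, and a file-property check of the kind a separate integrity scanner adds; the rootkit paths and the fake root directory are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample of file names a path-based scanner looks for
# (rkhunter ships its own list; these two paths are invented for the demo).
KNOWN_ROOTKIT_PATHS = ["/usr/lib/.lib/libhide.so", "/dev/shm/.x/ld.so"]

def path_check(root, known_paths=KNOWN_ROOTKIT_PATHS):
    """Path-based check: report known file names present under root."""
    return sorted(p for p in known_paths if os.path.exists(root + p))

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root, files):
    """Record hashes of files to watch; this is the copy to keep off-site."""
    return {p: sha256_of(root + p) for p in files}

def property_check(root, baseline):
    """Integrity check: report files missing or differing from the baseline."""
    return sorted(p for p, d in baseline.items()
                  if not os.path.exists(root + p) or sha256_of(root + p) != d)

def _write(root, rel, data):
    full = root + rel
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Stage a fake root in a temp dir, baseline it, then simulate a change."""
    root = tempfile.mkdtemp()
    _write(root, "/bin/ls", b"original ls binary")
    baseline = take_baseline(root, ["/bin/ls"])
    before = (path_check(root), property_check(root, baseline))
    # Simulated compromise: /bin/ls is replaced and the rootkit file is
    # dropped under a name that is not on the known-path list.
    _write(root, "/bin/ls", b"modified ls binary")
    _write(root, "/usr/lib/.lib/libhide2.so", b"not on the list")
    after = (path_check(root), property_check(root, baseline))
    return before, after

if __name__ == "__main__":
    print(demo())
```

The path-based check stays silent after the change because the file name is not on its list, while the baseline comparison reports the modified /bin/ls; that is the "second opinion" the text recommends.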
tar xf rkhunter-dev.tar.gz
./installer.sh --install (run as root)