Changelog RootkitHunter v1.4.6 (20/02/2018)
New:
– Added support for Alpine Linux (busybox).
– Added the ‘Diamorphine LKM’ test.
– Added the ALLOWIPCPID configuration file option. This will allow specific PIDs to be whitelisted from the shared memory check.
– Added the ALLOWIPCUSER configuration file option. This will allow specific usernames to be whitelisted from the shared memory check.
– Added the IPC_SEG_SIZE configuration file option. This can be used to set the minimum shared memory segment size to check. The default value is 1048576 bytes (1MB).
– Added the SKIP_INODE_CHECK configuration file option. Setting this option will disable the reporting of any changed inode numbers. The default is to report inode changes. (This option may be useful for filesystems such as Btrfs.)
– Added Ebury sshd backdoor test.
– Added a new SSH configuration test to check for various suspicious configuration options. Currently there is only one check which relates to the Ebury backdoor.
– Added basic test for Jynx2 rootkit.
– Added Komplex trojan test.
– Added basic test for KeRanger running process.
– Added test for Keydnap backdoor.
– Added basic test for Eleanor backdoor running process.
– Added basic tests for Mokes backdoor.
– Added tests for Proton backdoor.
– Added the SUSPSCAN_WHITELIST configuration file option. This option can be used to whitelist file pathnames from the ‘suspscan’ test.
– The ‘ipc_shared_mem’ test will now log the minimum segment size that will be checked. It will also log the size of any segments which appear suspicious (that is, larger than the configured allowed maximum size).
– If verbose logging is disabled, then generally only the test name and the final result for the test will now be logged.
– Kernel symbol checks will now use the ‘System.map’ file, if it exists, and no other kernel symbol file can be found.
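As an added illustration of how the IPC_SEG_SIZE, ALLOWIPCPID and ALLOWIPCUSER options from the list above combine in the shared memory check, the following shell snippet (not rkhunter's own code) applies the same three rules to a constructed table of segments. The segment table, the creator PID 4242 and the owner postgres are assumed sample values, and both whitelists are taken as space-separated lists.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): flag shared memory segments
# larger than IPC_SEG_SIZE unless the creator PID or owner is whitelisted.
# Input table columns (constructed, simplified from `ipcs -m -p` output):
#   shmid  owner  bytes  cpid

IPC_SEG_SIZE=1048576          # default from the changelog: 1048576 bytes (1MB)
ALLOWIPCPID="4242"            # hypothetical whitelisted creator PID(s)
ALLOWIPCUSER="postgres"       # hypothetical whitelisted owner(s)

# Constructed sample segments: one below the threshold, one owned by a
# whitelisted user, one created by a whitelisted PID, two that should be flagged.
SAMPLE_SEGMENTS='65536 root 4096 1201
98305 postgres 134217728 1350
131074 www-data 8388608 4242
163843 nobody 16777216 2077
196612 root 2097152 3011'

# Reads the segment table on stdin and prints "shmid owner bytes cpid" for
# every segment larger than IPC_SEG_SIZE that is not whitelisted.
flag_shm_segments() {
    awk -v min="$IPC_SEG_SIZE" -v pids="$ALLOWIPCPID" -v users="$ALLOWIPCUSER" '
        BEGIN {
            n = split(pids, p, " ");  for (i = 1; i <= n; i++) allowpid[p[i]] = 1
            n = split(users, u, " "); for (i = 1; i <= n; i++) allowuser[u[i]] = 1
        }
        NF == 4 && ($3 + 0) > (min + 0) && !($4 in allowpid) && !($2 in allowuser) {
            print $1, $2, $3, $4
        }'
}

# Runs the check over the constructed sample table.
check_sample() {
    printf '%s\n' "$SAMPLE_SEGMENTS" | flag_shm_segments
}

# Number of flagged segments in the sample (expected: 2).
flagged_count() {
    check_sample | wc -l | tr -d ' '
}

check_sample
```

On a live system the same function can be fed a table built from `ipcs -m -p`, which lists the creator PID per segment.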
What is Rootkit Hunter?
Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.
What are rootkits?
Most of the time they are self-hiding toolkits used by blackhats, crackers and scriptkiddies to avoid the eye of the sysadmin.
ROOTKIT HUNTER AS PART OF YOUR SECURITY STRATEGY
Rootkit Hunter is a host-based, passive, post-incident, path-based tool.
– Host-based means it only diagnoses the host you run it on.
– Passive means it has to be scheduled or run manually.
– Post-incident means it can only be effective when a breach of security is suspected, is in progress or has already occurred. Due to the nature of software that hides processes and files it may be beneficial to run Rootkit Hunter from a bootable medium if a breach of security is suspected and the machine can be booted from a bootable medium.
– Path-based means RKH will check for filenames. It does not include or use heuristics or signatures as, for instance, an antivirus product would. Do understand that the SCANROOTKITMODE configuration option and “suspscan” functionality are just crude attempts to try and bridge that gap.
Rootkit Hunter is best deployed as part of your security strategy.
– Most breaches of security are preceded by reconnaissance. Regular system and log file auditing provides the necessary “early warning” capabilities.
– RKH does not replace, or absolve you from performing, proper host hardening. Common administration errors that may result in a breach of security include failing to apply updates when they are released, misconfiguration, lack of access restrictions and lack of auditing. Please see your distribution documentation and search the ‘net.
– Do not rely on one tool or one class of tools. Consider installing same-class tools like Chkrootkit or OSSEC-HIDS and consider overlap as a Good Thing. Additionally it is suggested you install and use a separate filesystem integrity scanner like Samhain, Aide, Integrit, Osiris (or even tripwire) to provide you with a second opinion.
– Like with all data used for verifying integrity it is recommended to regularly save a copy of your RKH data files off-site.
tar xf rkhunter-1.4.6.tar.gz
./installer.sh --install    # run as the root user