RKHunter Notes

Installation

Download the tarball,
extract it, and:

./installer.sh --layout default --install

Use --layout RPM instead when packaging rkhunter as an RPM; that layout
installs relative to $RPM_BUILD_ROOT, so the variable must be exported first.
rkhunter installs itself as follows (on a 64-bit machine):

INSTALLDIR=/usr/local  
DBDIR=/var/lib/rkhunter/db  
SCRIPTDIR=/usr/local/lib64/rkhunter/scripts  
TMPDIR=/var/lib/rkhunter/tmp  
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf

Update

[root@support rkhunter-1.3.6]# rkhunter --update  
[ Rootkit Hunter version 1.3.6 ]  
  
Checking rkhunter data files...  
  Checking file mirrors.dat                                  [ No update ]  
  Checking file programs_bad.dat                             [ No update ]  
  Checking file backdoorports.dat                            [ No update ]  
  Checking file suspscan.dat                                 [ No update ]  
  Checking file i18n/cn                                      [ No update ]  
  Checking file i18n/de                                      [ No update ]  
  Checking file i18n/en                                      [ No update ]  
  Checking file i18n/zh                                      [ No update ]  
  Checking file i18n/zh.utf8                                 [ No update ]

Configure

Edit /etc/rkhunter.conf and make sure you have the package manager set
to RPM:

PKGMGR=RPM

Now create the file-properties database. It is vitally important to do this
on a system you are sure has not been compromised: every later scan compares
files against this baseline, so a baseline taken from a compromised host
hides the compromise. Rerun it after every legitimate package update,
otherwise the next scan warns about files that changed for good reasons.

rkhunter --propupd

Now scan your system:

rkhunter -c

Results are written to /var/log/rkhunter.log. An interactive -c run pauses
for a keypress after each group of tests; --sk skips those pauses.
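The update, scan and log-check steps above, wrapped for a cron job. This is an added example, not part of rkhunter; it assumes rkhunter is installed under /usr/local (the layout shown earlier) and logs to /var/log/rkhunter.log, and the "[HH:MM:SS] Warning:" line format it parses is an assumption about the log layout.

```shell
#!/bin/bash
# Added example, not part of rkhunter: a cron-friendly wrapper around the
# update, scan and log-check steps. Assumes the /usr/local layout shown
# earlier and the default log file.
set -u

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOG=${LOG:-/var/log/rkhunter.log}

# Print the Warning lines of an rkhunter log with the "[HH:MM:SS]" prefix
# removed, so the cron mail carries only the findings. The timestamped line
# format is an assumption about how rkhunter writes its log.
extract_warnings() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning:[[:space:]]*/Warning: /p' "$1"
}

# Refresh the rkhunter data files, run a non-interactive scan that prints
# only warnings, and return rkhunter's exit status (0 means no warnings).
# --cronjob implies --check, --skip-keypress and --nocolors.
scan_and_report() {
    "$RKHUNTER" --update
    "$RKHUNTER" --cronjob --report-warnings-only
    local rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "rkhunter exited with status $rc; warnings from $LOG:" >&2
        extract_warnings "$LOG" >&2
    fi
    return "$rc"
}

# Rebuild the file-properties baseline. Run this only after a legitimate
# package update on a host you trust, never to silence an unexplained warning.
refresh_baseline() {
    "$RKHUNTER" --propupd
}
```

Call scan_and_report from the cron entry: with --report-warnings-only nothing is printed on a clean run, so cron only mails when there is a finding, and the non-zero exit status lets a monitoring job pick it up as well.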

Other stuff

  • If you are warned about commands, hidden files or hidden directories
    that you know are legitimate, whitelist them in rkhunter.conf, one
    full path per line: SCRIPTWHITELIST for commands that are legitimately
    shell scripts rather than binaries, ALLOWHIDDENFILE for hidden files,
    and ALLOWHIDDENDIR for hidden directories. Whitelist only entries you
    have actually checked; a whitelist hides exactly the thing the scan
    exists to find.

  • You may get warnings like these in rkhunter.log:

    Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...
    

A match on one of these names alone is not proof of compromise: several of
them (crontab, system, write, httpd.bin) are also names of legitimate files,
so check what is actually open and which package owns it (rpm -qf, rpm -V)
before acting. The script below lists open files whose name exactly matches
an entry in the list; save the list as suspiciousfilelist next to the
script and run it as root so lsof sees every process.

Quick checker script

#!/bin/bash
# List open files whose basename exactly matches a name in suspiciousfilelist
# (one name per line). Exact basename matching avoids hits on unrelated paths
# that merely contain "system", "write" or "crontab". Run as root.
lsof -F n -w -n | sed -n 's/^n\(\/.*\)/\1/p' | sort -u |
  awk 'NR == FNR { if ($0 != "") susp[$0] = 1; next } { n = split($0, p, "/"); if (p[n] in susp) print }' suspiciousfilelist -

Full list of files

backdoor  
adore.o  
mod_rootme.so  
phide_mod.o  
lbk.ko  
vlogger.o  
cleaner.o  
cleaner  
ava  
tzava  
mod_klgr.o  
hydra  
hydra.restore  
ras2xm  
vobiscum  
sshd3  
system  
t0rnsb  
t0rns  
t0rnp  
rx4u  
rx2me  
crontab  
sshdu  
glotzer  
holber  
xhide  
xh  
emech  
psybnc  
mech  
httpd.bin  
mh  
xl  
write  
Phantasmagoria.o  
lkt.o  
nlkt.o

Sources