{
  "created": "2015-12-20T19:56:38Z",
  "hierarchy": [
    {
      "name": "ROOT",
      "type": "folder",
      "uri": "/ROOT"
    },
    {
      "name": "RKHunter Notes",
      "type": "article",
      "uri": "RKHunter_Notes"
    }
  ],
  "html": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <meta charset=\"UTF-8\"/>\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/>\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"/>\n    <meta property=\"og:image\" content=\"/img/logo512.png\"/>\n    <meta property=\"og:site_name\" content=\"Nikhil's Personal Wiki\"/>\n    <link rel=\"og:image\" href=\"/img/logo512.png\"/>\n    <link rel=\"icon\" href=\"/img/favicon.png\"/>\n    <link rel=\"apple-touch-icon\" href=\"/img/logo192.png\"/>\n    <link rel=\"stylesheet\" href=\"/css/styles.css\"/>\n    <link rel=\"stylesheet\" href=\"/css/highlight.css\"/>\n    <title>RKHunter Notes &ndash; Nikhil's Personal Wiki</title>\n    <script type=\"text/javascript\" id=\"MathJax-script\" defer src=\"https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js\"></script>\n    <script defer data-domain=\"wiki.nikhil.io\" src=\"https://plausible.io/js/plausible.js\"></script>\n  </head>\n  <body>\n    <noscript>\n      👉 A few things won&#8217;t work if you have JavaScript disabled.\n    </noscript>\n    <div class=\"container article\">\n      <header>\n        <nav>\n          <ul>\n            <li>\n              <a href=\"/archive\"  title=\"Archive\">\n                <span>Archive</span>\n              </a>\n            </li>\n            <li>\n              <a href=\"/Home\"  title=\"Home\">\n                <span>Home</span>\n              </a>\n            </li>\n            <li>\n              <a href=\"/random\"  title=\"See a random article\">\n                <span>Random</span>\n              </a>\n            </li>\n            \n            \n              \n                <li>\n                  <a href=\"/RKHunter_Notes/raw\"  title=\"View Source\">\n                    <span>Raw</span>\n                  </a>\n                </li>\n              \n              \n            \n            \n            \n            \n              \n                <li>\n         
         <a href=\"/RKHunter_Notes/revisions\" >\n                    <span>Revisions</span>\n                  </a>\n                </li>\n              \n            \n            \n              \n                \n                  <li>\n                    <a href=\"/RKHunter_Notes/index.json\" title=\"View JSON Object\">\n                      <span>JSON</span>\n                    </a>\n                  </li>\n                \n              \n            \n          </ul>\n        </nav>\n      </header>\n      <main>\n        \n  <nav>\n  <ul>\n    \n      <li>\n        <a data-entity-type=\"folder\" href=\"/ROOT\" title=\"ROOT\">Root</a>\n      </li>\n    \n      <li>\n        <a data-entity-type=\"article\" href=\"/RKHunter_Notes\" title=\"RKHunter Notes\">RKHunter Notes</a>\n      </li>\n    \n    \n    \n    \n    \n  </ul>\n</nav>\n\n  <h1>RKHunter Notes\n    \n  </h1>\n  <h2>Installation</h2>\n<p><a href=\"http://sourceforge.net/projects/rkhunter/files/\">Download the tarball</a>,<br />\nextract it, and:</p>\n<pre><code>./installer.sh --layout default --install\n</code></pre>\n<p>You can also specify <code>--layout RPM</code> instead and create an RPM. However,<br />\nyou will need to export a value for the <code>$RPM_BUILD_ROOT</code> variable.<br />\n<code>rkhunter</code> installs itself as follows (on a 64-bit machine):</p>\n<pre><code>INSTALLDIR=/usr/local  \nDBDIR=/var/lib/rkhunter/db  \nSCRIPTDIR=/usr/local/lib64/rkhunter/scripts  \nTMPDIR=/var/lib/rkhunter/tmp  \nUSER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf\n</code></pre>\n<h2>Update</h2>\n<pre><code>[root@support rkhunter-1.3.6]# rkhunter --update  \n[ Rootkit Hunter version 1.3.6 ]  \n  \nChecking rkhunter data files...  
\n  Checking file mirrors.dat                                  [ No update ]  \n  Checking file programs_bad.dat                             [ No update ]  \n  Checking file backdoorports.dat                            [ No update ]  \n  Checking file suspscan.dat                                 [ No update ]  \n  Checking file i18n/cn                                      [ No update ]  \n  Checking file i18n/de                                      [ No update ]  \n  Checking file i18n/en                                      [ No update ]  \n  Checking file i18n/zh                                      [ No update ]  \n  Checking file i18n/zh.utf8                                 [ No update ]\n</code></pre>\n<h2>Configure</h2>\n<p>Edit <code>/etc/rkhunter.conf</code> and make sure you have the package manager set<br />\nto RPM:</p>\n<pre><code>PKGMGR=RPM\n</code></pre>\n<p>Now create the properties file. <em>It is <strong>vitally</strong> important to do this<br />\non a system you&rsquo;re <strong>sure</strong> hasn&rsquo;t been compromised.</em></p>\n<pre><code>rkhunter --propupd\n</code></pre>\n<p>Now scan your system:</p>\n<pre><code>rkhunter -c\n</code></pre>\n<p>The output is sent to <code>/var/log/rkhunter.log</code>.</p>\n<h2>Other stuff</h2>\n<ul>\n<li>\n<p>In case you&rsquo;re warned about scripts, files and directories which you<br />\n<em>know</em> are okay, you can whitelist them with <code>SCRIPTWHITELIST</code>,<br />\n<code>ALLOWHIDDENFILE</code>, and <code>ALLOWHIDDENDIR</code> respectively in<br />\n<code>rkhunter.conf</code>.</p>\n</li>\n<li>\n<p>You may get warnings like these in <code>rkhunter.log</code>:</p>\n<pre><code>Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...\n</code></pre>\n</li>\n</ul>\n<p>This may or may not be innocuous, so it&rsquo;s best to check. 
Use the files<br />\nbelow.</p>\n<h3>Quick checker script</h3>\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"line\"><span class=\"cl\"><span class=\"cp\">#!/bin/bash  \n</span></span></span><span class=\"line\"><span class=\"cl\"><span class=\"cp\"></span>    \n</span></span><span class=\"line\"><span class=\"cl\"><span class=\"nv\">SUSP_FILES</span><span class=\"o\">=</span><span class=\"k\">$(</span>cat suspiciousfilelist<span class=\"k\">)</span>  \n</span></span><span class=\"line\"><span class=\"cl\">lsof -F n -w -n <span class=\"p\">|</span> grep <span class=\"s1\">&#39;^n/&#39;</span> <span class=\"p\">|</span> sed -e <span class=\"s1\">&#39;s/^n//&#39;</span> <span class=\"p\">|</span> sort <span class=\"p\">|</span> uniq <span class=\"p\">|</span> grep <span class=\"s2\">&#34;</span><span class=\"nv\">$SUSP_FILES</span><span class=\"s2\">&#34;</span>\n</span></span></code></pre><h3>Full list of files</h3>\n<pre><code>backdoor  \nadore.o  \nmod_rootme.so  \nphide_mod.o  \nlbk.ko  \nvlogger.o  \ncleaner.o  \ncleaner  \nava  \ntzava  \nmod_klgr.o  \nhydra  \nhydra.restore  \nras2xm  \nvobiscum  \nsshd3  \nsystem  \nt0rnsb  \nt0rns  \nt0rnp  \nrx4u  \nrx2me  \ncrontab  \nsshdu  \nglotzer  \nholber  \nxhide  \nxh  \nemech  \npsybnc  \nmech  \nhttpd.bin  \nmh  \nxl  \nwrite  \nPhantasmagoria.o  \nlkt.o  \nnlkt.o\n</code></pre>\n<h2>Sources</h2>\n<ul>\n<li><a href=\"http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/\">Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software</a></li>\n<li><a href=\"http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html\">rkhunter installation notes</a></li>\n<li><a href=\"http://packages.sw.be/rkhunter/\">rkhunter RPMs on sw.be</a></li>\n<li><a href=\"http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH\">Detailed Installation and Configuration</a></li>\n</ul>\n\n\n      </main>\n      <footer>\n        <p>\n          \n        </p>\n        <ul>\n 
         \n  <li>3,867 bytes</li>\n  \n    <li>Created on Sunday, 20 December 2015 at 19:56 UTC</li>\n    <li>Modified on Tuesday, 13 January 2026 at 18:47 UTC</li>\n    <br/>\n    <li>\n      <a\n        href=\"https://github.com/afreeorange/wiki.nikhil.io.articles/edit/master/RKHunter Notes.md\"\n        title=\"Edit this article\">Edit this article</a>\n    </li>\n  \n\n          <li>\n            <a href=\"https://github.com/afreeorange/bock\" title=\"View the project that generates this wiki on Github\">bock\n            5.2.0-beta</a>\n          </li>\n        </ul>\n      </footer>\n    </div>\n    \n    \n      <script type=\"text/javascript\">\n        /**\n         * Quick shortcut to take me to the search box which is 90% of how I navigate\n         * this wiki anyway.\n         */\n        document.body.addEventListener(\n          \"keypress\", (e) => e.key === \"f\"\n          ? window.location.assign(\"/archive\")\n          : null);\n        window.MathJax = {\n          tex: {\n            inlineMath: [\n              [\n                '$', '$'\n              ],\n              [\n                '\\\\(', '\\\\)'\n              ]\n            ]\n          },\n          svg: {\n            fontCache: 'global'\n          }\n        };\n      </script>\n    \n  </body>\n</html>\n",
  "id": "02413a45-6b5f-533b-81f5-ea8bd9b96c4f",
  "modified": "2026-01-13T18:47:28Z",
  "revisions": [
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2026-01-13T18:47:28Z",
      "id": "2436477560f26e23d00a24add1cbfeafdca4af78",
      "shortId": "24364775",
      "subject": "No compression\n",
      "content": "Installation\n------------\n\n[Download the tarball](http://sourceforge.net/projects/rkhunter/files/),\nextract it, and:\n\n    ./installer.sh --layout default --install\n\nYou can also specify `--layout RPM` instead and create an RPM. However,\nyou will need to export a value for the `$RPM_BUILD_ROOT` variable.\n`rkhunter` installs itself as follows (on a 64-bit machine):\n\n    INSTALLDIR=/usr/local  \n    DBDIR=/var/lib/rkhunter/db  \n    SCRIPTDIR=/usr/local/lib64/rkhunter/scripts  \n    TMPDIR=/var/lib/rkhunter/tmp  \n    USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf\n\nUpdate\n------\n\n    [root@support rkhunter-1.3.6]# rkhunter --update  \n    [ Rootkit Hunter version 1.3.6 ]  \n      \n    Checking rkhunter data files...  \n      Checking file mirrors.dat                                  [ No update ]  \n      Checking file programs_bad.dat                             [ No update ]  \n      Checking file backdoorports.dat                            [ No update ]  \n      Checking file suspscan.dat                                 [ No update ]  \n      Checking file i18n/cn                                      [ No update ]  \n      Checking file i18n/de                                      [ No update ]  \n      Checking file i18n/en                                      [ No update ]  \n      Checking file i18n/zh                                      [ No update ]  \n      Checking file i18n/zh.utf8                                 [ No update ]\n\nConfigure\n---------\n\nEdit `/etc/rkhunter.conf` and make sure you have the package manager set\nto RPM:\n\n    PKGMGR=RPM\n\nNow create the properties file. 
*It is **vitally** important to do this\non a system you're **sure** hasn't been compromised.*\n\n    rkhunter --propupd\n\nNow scan your system:\n\n    rkhunter -c\n\nThe output is sent to `/var/log/rkhunter.log`.\n\nOther stuff\n-----------\n\n*   In case you're warned about scripts, files and directories which you\n    *know* are okay, you can whitelist them with `SCRIPTWHITELIST`,\n    `ALLOWHIDDENFILE`, and `ALLOWHIDDENDIR` respectively in\n    `rkhunter.conf`.\n*   You may get warnings like these in `rkhunter.log`:\n\n        Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...\n\nThis may or may not be innocuous, so it's best to check. Use the files\nbelow.\n\n### Quick checker script\n\n```bash\n#!/bin/bash  \n    \nSUSP_FILES=$(cat suspiciousfilelist)  \nlsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep \"$SUSP_FILES\"\n```\n\n### Full list of files\n\n    backdoor  \n    adore.o  \n    mod_rootme.so  \n    phide_mod.o  \n    lbk.ko  \n    vlogger.o  \n    cleaner.o  \n    cleaner  \n    ava  \n    tzava  \n    mod_klgr.o  \n    hydra  \n    hydra.restore  \n    ras2xm  \n    vobiscum  \n    sshd3  \n    system  \n    t0rnsb  \n    t0rns  \n    t0rnp  \n    rx4u  \n    rx2me  \n    crontab  \n    sshdu  \n    glotzer  \n    holber  \n    xhide  \n    xh  \n    emech  \n    psybnc  \n    mech  \n    httpd.bin  \n    mh  \n    xl  \n    write  \n    Phantasmagoria.o  \n    lkt.o  \n    nlkt.o\n\nSources\n-------\n\n*   [Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software](http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/)\n*   [rkhunter installation notes](http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html)\n*   [rkhunter RPMs on sw.be](http://packages.sw.be/rkhunter/)\n*   [Detailed Installation and Configuration](http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-27T07:27:56Z",
      "id": "1aa29105a45aa67523ffb61e73bcc415f935a47e",
      "shortId": "1aa29105",
      "subject": "Fix Markdown conversion\n\nSaw half a season of The Office\n",
      "content": "Installation\n------------\n\n[Download the tarball](http://sourceforge.net/projects/rkhunter/files/),\nextract it, and:\n\n    ./installer.sh --layout default --install\n\nYou can also specify `--layout RPM` instead and create an RPM. However,\nyou will need to export a value for the `$RPM_BUILD_ROOT` variable.\n`rkhunter` installs itself as follows (on a 64-bit machine):\n\n    INSTALLDIR=/usr/local  \n    DBDIR=/var/lib/rkhunter/db  \n    SCRIPTDIR=/usr/local/lib64/rkhunter/scripts  \n    TMPDIR=/var/lib/rkhunter/tmp  \n    USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf\n\nUpdate\n------\n\n    [root@support rkhunter-1.3.6]# rkhunter --update  \n    [ Rootkit Hunter version 1.3.6 ]  \n      \n    Checking rkhunter data files...  \n      Checking file mirrors.dat                                  [ No update ]  \n      Checking file programs_bad.dat                             [ No update ]  \n      Checking file backdoorports.dat                            [ No update ]  \n      Checking file suspscan.dat                                 [ No update ]  \n      Checking file i18n/cn                                      [ No update ]  \n      Checking file i18n/de                                      [ No update ]  \n      Checking file i18n/en                                      [ No update ]  \n      Checking file i18n/zh                                      [ No update ]  \n      Checking file i18n/zh.utf8                                 [ No update ]\n\nConfigure\n---------\n\nEdit `/etc/rkhunter.conf` and make sure you have the package manager set\nto RPM:\n\n    PKGMGR=RPM\n\nNow create the properties file. 
*It is **vitally** important to do this\non a system you're **sure** hasn't been compromised.*\n\n    rkhunter --propupd\n\nNow scan your system:\n\n    rkhunter -c\n\nThe output is sent to `/var/log/rkhunter.log`.\n\nOther stuff\n-----------\n\n*   In case you're warned about scripts, files and directories which you\n    *know* are okay, you can whitelist them with `SCRIPTWHITELIST`,\n    `ALLOWHIDDENFILE`, and `ALLOWHIDDENDIR` respectively in\n    `rkhunter.conf`.\n*   You may get warnings like these in `rkhunter.log`:\n\n        Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...\n\nThis may or may not be innocuous, so it's best to check. Use the files\nbelow.\n\n### Quick checker script\n\n```bash\n#!/bin/bash  \n    \nSUSP_FILES=$(cat suspiciousfilelist)  \nlsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep \"$SUSP_FILES\"\n```\n\n### Full list of files\n\n    backdoor  \n    adore.o  \n    mod_rootme.so  \n    phide_mod.o  \n    lbk.ko  \n    vlogger.o  \n    cleaner.o  \n    cleaner  \n    ava  \n    tzava  \n    mod_klgr.o  \n    hydra  \n    hydra.restore  \n    ras2xm  \n    vobiscum  \n    sshd3  \n    system  \n    t0rnsb  \n    t0rns  \n    t0rnp  \n    rx4u  \n    rx2me  \n    crontab  \n    sshdu  \n    glotzer  \n    holber  \n    xhide  \n    xh  \n    emech  \n    psybnc  \n    mech  \n    httpd.bin  \n    mh  \n    xl  \n    write  \n    Phantasmagoria.o  \n    lkt.o  \n    nlkt.o\n\nSources\n-------\n\n*   [Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software](http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/)\n*   [rkhunter installation notes](http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html)\n*   [rkhunter RPMs on sw.be](http://packages.sw.be/rkhunter/)\n*   [Detailed Installation and Configuration](http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-21T02:30:47Z",
      "id": "d658e80d1ecb97b196531c7b15a0f9af709c05de",
      "shortId": "d658e80d",
      "subject": "Incremental\n",
      "content": "Installation\n------------\n\n[Download the tarball](http://sourceforge.net/projects/rkhunter/files/),\nextract it, and:\n\n` ./installer.sh --layout default --install`\n\nYou can also specify `--layout RPM` instead and create an RPM. However,\nyou will need to export a value for the `$RPM_BUILD_ROOT` variable.\n`rkhunter` installs itself as follows (on a 64-bit machine):\n\n` INSTALLDIR=/usr/local`  \n` DBDIR=/var/lib/rkhunter/db`  \n` SCRIPTDIR=/usr/local/lib64/rkhunter/scripts`  \n` TMPDIR=/var/lib/rkhunter/tmp`  \n` USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf`\n\nUpdate\n------\n\n` [root@support rkhunter-1.3.6]# rkhunter --update`  \n` [ Rootkit Hunter version 1.3.6 ]`  \n` `  \n` Checking rkhunter data files...`  \n`   Checking file mirrors.dat                                  [ No update ]`  \n`   Checking file programs_bad.dat                             [ No update ]`  \n`   Checking file backdoorports.dat                            [ No update ]`  \n`   Checking file suspscan.dat                                 [ No update ]`  \n`   Checking file i18n/cn                                      [ No update ]`  \n`   Checking file i18n/de                                      [ No update ]`  \n`   Checking file i18n/en                                      [ No update ]`  \n`   Checking file i18n/zh                                      [ No update ]`  \n`   Checking file i18n/zh.utf8                                 [ No update ]`\n\nConfigure\n---------\n\nEdit `/etc/rkhunter.conf` and make sure you have the package manager set\nto RPM:\n\n` PKGMGR=RPM`\n\nNow create the properties file. 
*It is **vitally** important to do this\non a system you're **sure** hasn't been compromised.*\n\n` rkhunter --propupd`\n\nNow scan your system:\n\n` rkhunter -c`\n\nThe output is sent to `/var/log/rkhunter.log`.\n\nOther stuff\n-----------\n\n-   In case you're warned about scripts, files and directories which you\n    *know* are okay, you can whitelist them with `SCRIPTWHITELIST`,\n    `ALLOWHIDDENFILE`, and `ALLOWHIDDENDIR` respectively in\n    `rkhunter.conf`.\n\n<!-- -->\n\n-   You may get warnings like these in `rkhunter.log`:\n\n` Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...`\n\nThis may or may not be innocuous, so it's best to check. Use the files\nbelow.\n\n### Quick checker script\n\n` #!/bin/bash`  \n` `  \n` SUSP_FILES=$(cat suspiciousfilelist)`  \n` lsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep \"$SUSP_FILES\"`\n\n### Full list of files\n\n` backdoor`  \n` adore.o`  \n` mod_rootme.so`  \n` phide_mod.o`  \n` lbk.ko`  \n` vlogger.o`  \n` cleaner.o`  \n` cleaner`  \n` ava`  \n` tzava`  \n` mod_klgr.o`  \n` hydra`  \n` hydra.restore`  \n` ras2xm`  \n` vobiscum`  \n` sshd3`  \n` system`  \n` t0rnsb`  \n` t0rns`  \n` t0rnp`  \n` rx4u`  \n` rx2me`  \n` crontab`  \n` sshdu`  \n` glotzer`  \n` holber`  \n` xhide`  \n` xh`  \n` emech`  \n` psybnc`  \n` mech`  \n` httpd.bin`  \n` mh`  \n` xl`  \n` write`  \n` Phantasmagoria.o`  \n` lkt.o`  \n` nlkt.o`\n\nSources\n-------\n\n-   [Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter\n    Software](http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/)\n-   [rkhunter installation\n    notes](http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html)\n-   [rkhunter RPMs on sw.be](http://packages.sw.be/rkhunter/)\n-   [Detailed Installation and\n    Configuration](http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-20T19:56:38Z",
      "id": "db631b8df01ced0879b91973143be8220121728f",
      "shortId": "db631b8d",
      "subject": "RKHunter Notes : v2\n",
      "content": "Installation\n------------\n\n[Download the tarball](http://sourceforge.net/projects/rkhunter/files/),\nextract it, and:\n\n` ./installer.sh --layout default --install`\n\nYou can also specify `--layout RPM` instead and create an RPM. However,\nyou will need to export a value for the `$RPM_BUILD_ROOT` variable.\n`rkhunter` installs itself as follows (on a 64-bit machine):\n\n` INSTALLDIR=/usr/local`  \n` DBDIR=/var/lib/rkhunter/db`  \n` SCRIPTDIR=/usr/local/lib64/rkhunter/scripts`  \n` TMPDIR=/var/lib/rkhunter/tmp`  \n` USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf`\n\nUpdate\n------\n\n` [root@support rkhunter-1.3.6]# rkhunter --update`  \n` [ Rootkit Hunter version 1.3.6 ]`  \n` `  \n` Checking rkhunter data files...`  \n`   Checking file mirrors.dat                                  [ No update ]`  \n`   Checking file programs_bad.dat                             [ No update ]`  \n`   Checking file backdoorports.dat                            [ No update ]`  \n`   Checking file suspscan.dat                                 [ No update ]`  \n`   Checking file i18n/cn                                      [ No update ]`  \n`   Checking file i18n/de                                      [ No update ]`  \n`   Checking file i18n/en                                      [ No update ]`  \n`   Checking file i18n/zh                                      [ No update ]`  \n`   Checking file i18n/zh.utf8                                 [ No update ]`\n\nConfigure\n---------\n\nEdit `/etc/rkhunter.conf` and make sure you have the package manager set\nto RPM:\n\n` PKGMGR=RPM`\n\nNow create the properties file. 
*It is **vitally** important to do this\non a system you're **sure** hasn't been compromised.*\n\n` rkhunter --propupd`\n\nNow scan your system:\n\n` rkhunter -c`\n\nThe output is sent to `/var/log/rkhunter.log`.\n\nOther stuff\n-----------\n\n-   In case you're warned about scripts, files and directories which you\n    *know* are okay, you can whitelist them with `SCRIPTWHITELIST`,\n    `ALLOWHIDDENFILE`, and `ALLOWHIDDENDIR` respectively in\n    `rkhunter.conf`.\n\n<!-- -->\n\n-   You may get warnings like these in `rkhunter.log`:\n\n` Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...`\n\nThis may or may not be innocuous, so it's best to check. Use the files\nbelow.\n\n### Quick checker script\n\n` #!/bin/bash`  \n` `  \n` SUSP_FILES=$(cat suspiciousfilelist)`  \n` lsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep \"$SUSP_FILES\"`\n\n### Full list of files\n\n` backdoor`  \n` adore.o`  \n` mod_rootme.so`  \n` phide_mod.o`  \n` lbk.ko`  \n` vlogger.o`  \n` cleaner.o`  \n` cleaner`  \n` ava`  \n` tzava`  \n` mod_klgr.o`  \n` hydra`  \n` hydra.restore`  \n` ras2xm`  \n` vobiscum`  \n` sshd3`  \n` system`  \n` t0rnsb`  \n` t0rns`  \n` t0rnp`  \n` rx4u`  \n` rx2me`  \n` crontab`  \n` sshdu`  \n` glotzer`  \n` holber`  \n` xhide`  \n` xh`  \n` emech`  \n` psybnc`  \n` mech`  \n` httpd.bin`  \n` mh`  \n` xl`  \n` write`  \n` Phantasmagoria.o`  \n` lkt.o`  \n` nlkt.o`\n\nSources\n-------\n\n-   [Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter\n    Software](http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/)\n-   [rkhunter installation\n    notes](http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html)\n-   [rkhunter RPMs on sw.be](http://packages.sw.be/rkhunter/)\n-   [Detailed Installation and\n    Configuration](http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)\n\n[Category:Installation Logs](Category:Installation_Logs 
\"wikilink\")\n[Category:Nikhil's Notes](Category:Nikhil's_Notes \"wikilink\")\n[Category:From a past sysadmin\nlife](Category:From_a_past_sysadmin_life \"wikilink\")\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-20T19:56:38Z",
      "id": "2d92d03e0e365fcdeb3ee0f11b99210ca0fc121a",
      "shortId": "2d92d03e",
      "subject": "RKHunter Notes : First Draft\n",
      "content": "Installation\n------------\n\n[Download the tarball](http://sourceforge.net/projects/rkhunter/files/),\nextract it, and:\n\n` ./installer.sh --layout default --install`\n\nYou can also specify `--layout RPM` instead and create an RPM. However,\nyou will need to export a value for the `$RPM_BUILD_ROOT` variable.\n`rkhunter` installs itself as follows (on a 64-bit machine):\n\n` INSTALLDIR=/usr/local`  \n` DBDIR=/var/lib/rkhunter/db`  \n` SCRIPTDIR=/usr/local/lib64/rkhunter/scripts`  \n` TMPDIR=/var/lib/rkhunter/tmp`  \n` USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf`\n\nUpdate\n------\n\n` [root@support rkhunter-1.3.6]# rkhunter --update`  \n` [ Rootkit Hunter version 1.3.6 ]`  \n` `  \n` Checking rkhunter data files...`  \n`   Checking file mirrors.dat                                  [ No update ]`  \n`   Checking file programs_bad.dat                             [ No update ]`  \n`   Checking file backdoorports.dat                            [ No update ]`  \n`   Checking file suspscan.dat                                 [ No update ]`  \n`   Checking file i18n/cn                                      [ No update ]`  \n`   Checking file i18n/de                                      [ No update ]`  \n`   Checking file i18n/en                                      [ No update ]`  \n`   Checking file i18n/zh                                      [ No update ]`  \n`   Checking file i18n/zh.utf8                                 [ No update ]`\n\nConfigure\n---------\n\nEdit `/etc/rkhunter.conf` and make sure you have the package manager set\nto RPM:\n\n` PKGMGR=RPM`\n\nNow create the properties file. 
*It is **vitally** important to do this\non a system you're **sure** hasn't been compromised.*\n\n` rkhunter --propupd`\n\nNow scan your system:\n\n` rkhunter -c`\n\nThe output is sent to `/var/log/rkhunter.log`.\n\nOther stuff\n-----------\n\n-   In case you're warned about scripts, files and directories which you\n    *know* are okay, you can whitelist them with `SCRIPTWHITELIST`,\n    `ALLOWHIDDENFILE`, and `ALLOWHIDDENDIR` respectively in\n    `rkhunter.conf`.\n\n<!-- -->\n\n-   You may get warnings like these in `rkhunter.log`:\n\n` Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...`\n\nThis may or may not be innocuous, so it's best to check. Use the files\nbelow.\n\n### Quick checker script\n\n` #!/bin/bash`  \n` `  \n` SUSP_FILES=$(cat suspiciousfilelist)`  \n` lsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep \"$SUSP_FILES\"`\n\n### Full list of files\n\n` backdoor`  \n` adore.o`  \n` mod_rootme.so`  \n` phide_mod.o`  \n` lbk.ko`  \n` vlogger.o`  \n` cleaner.o`  \n` cleaner`  \n` ava`  \n` tzava`  \n` mod_klgr.o`  \n` hydra`  \n` hydra.restore`  \n` ras2xm`  \n` vobiscum`  \n` sshd3`  \n` system`  \n` t0rnsb`  \n` t0rns`  \n` t0rnp`  \n` rx4u`  \n` rx2me`  \n` crontab`  \n` sshdu`  \n` glotzer`  \n` holber`  \n` xhide`  \n` xh`  \n` emech`  \n` psybnc`  \n` mech`  \n` httpd.bin`  \n` mh`  \n` xl`  \n` write`  \n` Phantasmagoria.o`  \n` lkt.o`  \n` nlkt.o`\n\nSources\n-------\n\n-   [Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter\n    Software](http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/)\n-   [rkhunter installation\n    notes](http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html)\n-   [rkhunter RPMs on sw.be](http://packages.sw.be/rkhunter/)\n-   [Detailed Installation and\n    Configuration](http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)\n\n[Category:Installation Logs](Category:Installation_Logs 
\"wikilink\")\n[Category:Knowledgebase\nArticles](Category:Knowledgebase_Articles \"wikilink\") [Category:Nikhil's\nNotes](Category:Nikhil's_Notes \"wikilink\") [Category:From a past\nsysadmin life](Category:From_a_past_sysadmin_life \"wikilink\")\n"
    }
  ],
  "sizeInBytes": 3867,
  "source": "Installation\n------------\n\n[Download the tarball](http://sourceforge.net/projects/rkhunter/files/),\nextract it, and:\n\n    ./installer.sh --layout default --install\n\nYou can also specify `--layout RPM` instead and create an RPM. However,\nyou will need to export a value for the `$RPM_BUILD_ROOT` variable.\n`rkhunter` installs itself as follows (on a 64-bit machine):\n\n    INSTALLDIR=/usr/local  \n    DBDIR=/var/lib/rkhunter/db  \n    SCRIPTDIR=/usr/local/lib64/rkhunter/scripts  \n    TMPDIR=/var/lib/rkhunter/tmp  \n    USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf\n\nUpdate\n------\n\n    [root@support rkhunter-1.3.6]# rkhunter --update  \n    [ Rootkit Hunter version 1.3.6 ]  \n      \n    Checking rkhunter data files...  \n      Checking file mirrors.dat                                  [ No update ]  \n      Checking file programs_bad.dat                             [ No update ]  \n      Checking file backdoorports.dat                            [ No update ]  \n      Checking file suspscan.dat                                 [ No update ]  \n      Checking file i18n/cn                                      [ No update ]  \n      Checking file i18n/de                                      [ No update ]  \n      Checking file i18n/en                                      [ No update ]  \n      Checking file i18n/zh                                      [ No update ]  \n      Checking file i18n/zh.utf8                                 [ No update ]\n\nConfigure\n---------\n\nEdit `/etc/rkhunter.conf` and make sure you have the package manager set\nto RPM:\n\n    PKGMGR=RPM\n\nNow create the properties file. 
*It is **vitally** important to do this\non a system you're **sure** hasn't been compromised.*\n\n    rkhunter --propupd\n\nNow scan your system:\n\n    rkhunter -c\n\nThe output is sent to `/var/log/rkhunter.log`.\n\nOther stuff\n-----------\n\n*   In case you're warned about scripts, files and directories which you\n    *know* are okay, you can whitelist them with `SCRIPTWHITELIST`,\n    `ALLOWHIDDENFILE`, and `ALLOWHIDDENDIR` respectively in\n    `rkhunter.conf`.\n*   You may get warnings like these in `rkhunter.log`:\n\n        Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...\n\nThis may or may not be innocuous, so it's best to check. Use the files\nbelow.\n\n### Quick checker script\n\n```bash\n#!/bin/bash  \n    \nSUSP_FILES=$(cat suspiciousfilelist)  \nlsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort | uniq | grep \"$SUSP_FILES\"\n```\n\n### Full list of files\n\n    backdoor  \n    adore.o  \n    mod_rootme.so  \n    phide_mod.o  \n    lbk.ko  \n    vlogger.o  \n    cleaner.o  \n    cleaner  \n    ava  \n    tzava  \n    mod_klgr.o  \n    hydra  \n    hydra.restore  \n    ras2xm  \n    vobiscum  \n    sshd3  \n    system  \n    t0rnsb  \n    t0rns  \n    t0rnp  \n    rx4u  \n    rx2me  \n    crontab  \n    sshdu  \n    glotzer  \n    holber  \n    xhide  \n    xh  \n    emech  \n    psybnc  \n    mech  \n    httpd.bin  \n    mh  \n    xl  \n    write  \n    Phantasmagoria.o  \n    lkt.o  \n    nlkt.o\n\nSources\n-------\n\n*   [Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software](http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/)\n*   [rkhunter installation notes](http://oesediez.blogspot.com/2008/06/installing-rootkit-hunter-on-centos-5.html)\n*   [rkhunter RPMs on sw.be](http://packages.sw.be/rkhunter/)\n*   [Detailed Installation and Configuration](http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)\n",
  "title": "RKHunter Notes",
  "untracked": false,
  "uri": "/RKHunter_Notes",
  "relativePath": "RKHunter Notes.md"
}
