RKHunter Notes Revision as of Monday, 21 December 2015 at 02:30 UTC

Installation

Download the tarball,
extract it, and:

 ./installer.sh --layout default --install

You can also specify --layout RPM instead to build an RPM; in that case the
installer expects $RPM_BUILD_ROOT to be exported first. With the default
layout, rkhunter puts its pieces in the following places (on a 64-bit machine):

 INSTALLDIR=/usr/local
 DBDIR=/var/lib/rkhunter/db
 SCRIPTDIR=/usr/local/lib64/rkhunter/scripts
 TMPDIR=/var/lib/rkhunter/tmp
 USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf

Update

rkhunter --update refreshes only the data files listed below (mirror list,
rootkit and backdoor signatures, translations); it does not upgrade the
program itself. Use rkhunter --versioncheck to find out whether a newer
release exists.

 [root@support rkhunter-1.3.6]# rkhunter --update
 [ Rootkit Hunter version 1.3.6 ]
 
 Checking rkhunter data files...
   Checking file mirrors.dat                                  [ No update ]
   Checking file programs_bad.dat                             [ No update ]
   Checking file backdoorports.dat                            [ No update ]
   Checking file suspscan.dat                                 [ No update ]
   Checking file i18n/cn                                      [ No update ]
   Checking file i18n/de                                      [ No update ]
   Checking file i18n/en                                      [ No update ]
   Checking file i18n/zh                                      [ No update ]
   Checking file i18n/zh.utf8                                 [ No update ]

Configure

Edit /etc/rkhunter.conf and make sure the package manager is set to RPM, so
that the file property checks can use the RPM database as a reference instead
of relying only on rkhunter's own stored values:

 PKGMGR=RPM

Now create the file properties database. It is vitally important to do this
on a system you are sure has not been compromised, because every later scan
treats these values as the known-good baseline. Re-run it after each
legitimate package update, once you have confirmed that the changed files came
from that update; otherwise the next scan warns about them.

 rkhunter --propupd

Now scan your system (-c is short for --check; add --sk to skip the keypress
prompts between sections and --rwo to print only the warnings):

 rkhunter -c

The results are shown on screen and written to /var/log/rkhunter.log.
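The install, propupd and scan steps above are usually tied together in a small
wrapper that runs the scan unattended from cron and then pulls the warnings out
of the log. The script below is an added example, not code from the page or
from the rkhunter project: the rkhunter flags and the log path are the tool's
own, while the sample log lines it creates are constructed for trying the
parser offline and are not real scanner output.

```bash
#!/bin/bash
# Added example: unattended rkhunter run plus a warning extractor for its log.
set -u

RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}

# Unattended scan for cron: --sk skips the "press ENTER" pauses and --rwo
# prints only warnings, so empty output means a clean run. The full log is
# still written to $RKH_LOG.
rkh_scan() {
    rkhunter --check --sk --rwo
}

# Print the distinct "Warning:" lines from a log with the [HH:MM:SS] prefix
# removed, so repeated hits for the same item collapse to one line.
rkh_warnings() {
    local log=${1:-$RKH_LOG}
    grep 'Warning:' "$log" | sed -e 's/^\[[^]]*\][[:space:]]*//' | sort -u
}

# Number of distinct warnings; 0 means there is nothing to look at.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real rkhunter output) for exercising the parser.
rkh_sample_log() {
    cat > "$1" <<'EOF'
[02:30:01] Info: Starting test name 'filesystem'
[02:30:02] Warning: Hidden directory found: /dev/.udev
[02:30:02] Warning: Hidden directory found: /dev/.udev
[02:30:03] Warning: The file properties have changed:
[02:30:03]          File: /usr/bin/ssh
[02:30:04] Info: Starting test name 'apps'
EOF
}

# Typical cron use: rkh_scan >/dev/null; rkh_warning_count "$RKH_LOG"
```

A "file properties have changed" warning right after a yum update is the
expected effect of not re-running rkhunter --propupd; verify the file against
the package (rpm -V) before refreshing the baseline, so that a real
replacement is not whitelisted by reflex.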

Other stuff

 Warning: One or more of these files were found: backdoor, adore.o, mod_rootme.so...

Such a hit is not necessarily malicious: several names on the list (write,
crontab, system, hydra) are also legitimate programs, so find out what the
file actually is before acting on it. The script and list below help with
that.

Quick checker script

 #!/bin/bash
 # List open files whose basename exactly matches a line in suspiciousfilelist.
 # Matching on the basename avoids the false positives a plain substring match
 # gives for short names such as "xl", "mh" and "system".
 lsof -F n -w -n | grep '^n/' | sed -e 's/^n//' | sort -u |
   while read -r f; do grep -qxF -- "${f##*/}" suspiciousfilelist && echo "$f"; done

Full list of files (save these names, one per line, as suspiciousfilelist)

 backdoor
 adore.o
 mod_rootme.so
 phide_mod.o
 lbk.ko
 vlogger.o
 cleaner.o
 cleaner
 ava
 tzava
 mod_klgr.o
 hydra
 hydra.restore
 ras2xm
 vobiscum
 sshd3
 system
 t0rnsb
 t0rns
 t0rnp
 rx4u
 rx2me
 crontab
 sshdu
 glotzer
 holber
 xhide
 xh
 emech
 psybnc
 mech
 httpd.bin
 mh
 xl
 write
 Phantasmagoria.o
 lkt.o
 nlkt.o
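lsof only sees files that some process currently has open, so a rootkit
component sitting unused on disk is missed; the same name check is worth
running over a filesystem walk as well. The functions below are an added
example, not code from the page: they take candidate paths on stdin (from
lsof, from find, or from a package manifest) and match them against a list
file by exact basename, next to the substring match the original pipeline
used, so the difference can be seen on constructed paths. The list and path
samples are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: match candidate paths against a rootkit file-name list by
# exact basename, e.g.  find / -xdev -type f 2>/dev/null | match_suspicious suspiciousfilelist

# Read paths on stdin; print those whose basename appears verbatim in the list.
match_suspicious() {
    local list=$1 path
    while IFS= read -r path; do
        if grep -qxF -- "${path##*/}" "$list"; then
            printf '%s\n' "$path"
        fi
    done
}

# Substring match, equivalent to the page's original grep "$SUSP_FILES",
# kept here only to show how many unrelated paths it pulls in.
match_substring() {
    local list=$1
    grep -F -f "$list"
}

# Constructed sample list and candidate paths (not real scan output):
# two legitimate files that merely contain a listed name, one legitimate
# program that really is named "write", and two files in a hidden directory.
write_sample() {
    printf '%s\n' adore.o write system xl > "$1"
    printf '%s\n' /usr/bin/write /lib/systemd/systemd /usr/lib/libxl.so.1 \
        /tmp/.hidden/adore.o /tmp/.hidden/xl > "$2"
}
```

Even an exact hit such as /usr/bin/write needs a second look rather than a
reaction: on an RPM system, rpm -qf on the path tells you whether a package
owns it, and rpm -V on that package tells you whether its contents still match
what was installed.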

Sources