B1
What is Rootkit Hunter?
It is an easy-to-use tool which checks machines running UNIX (clones) for the presence of rootkits and other unwanted tools.
--------------------------------------------------------------------------------
B2
What are rootkits?
Most of the time they are self-hiding toolkits used by blackhats/crackers/scriptkiddies to stay out of the sysadmin's sight.
--------------------------------------------------------------------------------
B3
How do I install Rootkit Hunter?
Download the gzipped tarball, extract it and run the installation script.
download:
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
Note: It doesn't matter where you save the tarball
extract:
# tar zxf rkhunter-<version>.tar.gz
installation:
# cd rkhunter
# ./installer.sh
--------------------------------------------------------------------------------
B4
Rootkit Hunter tells me there is something wrong with my system, what to do?
(1) If your system is infected with a rootkit, it is almost impossible to clean it up, let alone guarantee that it is clean afterwards. Never trust a machine which has been infected with a rootkit, because hiding is its main purpose.
A clean install of the system is recommended after backing up the full system. So follow the next steps:
1. Get the host offline
2. Backup your data (as much as possible, including binaries and logfiles)
3. Verify the integrity of this data
4. Install your host with a fresh install
5. Investigate the old log files and the tools that were possibly used. Also investigate the services which were vulnerable at the time of the hack.
(2) If just one check fails, it is possible you have a so-called false positive. Sometimes this happens due to custom configurations or changed binaries. If so, please validate:
Files:
- "strings <file>" and check for untrusted file paths (things like /dev/.hiddendir)
- recently updated binaries and their original source. If it is due to an update, please send me a URI to the changed file (like an RPM), so I can add new hashes to the databases.
- "file <file>" and compare the output with that of other (especially trusted) binaries. If some binaries are linked statically while all the others are dynamic, then they could have been trojaned.
Other warnings:
If you have a warning about another part of the checks, please fill in the contact form and tell me something about your system configuration.
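An added shell example, not part of Rootkit Hunter, that automates the "strings <file>" check above for hidden /dev paths across a directory of binaries; it uses grep -a instead of strings(1) so it also runs where binutils is not installed, and the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of rkhunter: the "strings <file>" check from the FAQ
# applied to a whole directory of binaries.  grep -a is used instead of
# strings(1) so it also works where binutils is not installed.  It reports
# any embedded reference to a hidden entry under /dev (a "/dev/." path such
# as /dev/.hiddendir); normal binaries reference /dev/null or /dev/tty, not
# dot-directories there.

# untrusted_paths <file>: print the hidden /dev paths found; exit 1 if any.
untrusted_paths() {
    hits=$(grep -a -o -E '/dev/\.[A-Za-z0-9._-]+' "$1" | sort -u || true)
    if [ -n "$hits" ]; then
        printf 'WARN %s references:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'ok   %s\n' "$1"
    return 0
}

# scan_dir <dir>: check every regular file in <dir>; exit 1 if any file hit.
scan_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        untrusted_paths "$f" || rc=1
    done
    return $rc
}

# Constructed sample: a clean fake binary and one carrying a hidden-directory
# path, as a trojaned binary that hides its files there might.
demo_dir() {
    d=$(mktemp -d)
    printf 'ELF legit tool\n/dev/null\n/dev/tty\n' > "$d/ls"
    printf 'ELF evil tool\n/dev/.hiddendir/sniffer.log\n' > "$d/ps"
    echo "$d"
}

d=$(demo_dir)
scan_dir "$d" || echo "one or more binaries need a closer look"
```

Point scan_dir at a real directory such as /bin to use it on an actual host; a hit is a reason to look closer, not proof of a rootkit.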
--------------------------------------------------------------------------------
B5
What does the warning "Determining OS... Warning: this operating system is not fully supported!" mean?
It simply means that not all functions and checks can be performed, because the system is 'unknown' to the script (things like which md5 utility is available, the md5 hashes for this system, etc.). If you want support for a new distro, please mail me by filling in the contact form and tell me which distro you are using.
--------------------------------------------------------------------------------
B6
Rootkit Hunter gives me an error that some binary couldn't be found, what to do?
Sometimes a binary can't be found via the PATH variable. Because Rootkit Hunter just tries to run the binary by executing it without a path, the system searches its PATH for it. If the binary can't be found there, an error will occur.
For example:
Checking loaded kernel modules... /usr/local/bin/rkhunter: lsmod: command not found
[ Warning! (found difference in output) ]
Please enter `echo $PATH` and check your path settings.
--------------------------------------------------------------------------------
B7
Rootkit Hunter tells me a lot of installed software is 'vulnerable', what does it mean?
It means this software possibly contains software bugs which make external (or local) attacks possible. In the worst case, a bad person can get full access to your server.
--------------------------------------------------------------------------------
B8
Rootkit Hunter tells me I have vulnerable applications installed, but I have fully patched my server! How is this possible?
Some distributions, like Red Hat and OpenBSD, patch old versions. So Rootkit Hunter thinks it's an old version, while in fact it's a safe, patched version. If you are in the same situation, don't use the program version checker (run with --skip-application-check) to suppress the false positives.
Errors from external software
E1 - I use prelinking, but after performing some updates all binaries are 'BAD' when checking with Rootkit Hunter, what to do?
A: Most times the prelinking database has to be rebuilt (prelinking optimizes your binaries and libraries). After every change in one of the binaries (or libraries), it needs to optimize all files again.
On Red Hat / Fedora, run:
# /etc/cron.daily/prelink
--------------------------------------------------------------------------------
E2
I get warnings from PHP, like:
PHP Warning: Function registration failed - duplicate name - pg_update in Unknown on line 0
Most times this is because you have updated the Apache version of PHP, but forgot to update/recompile the CLI (console version) of PHP. So recompile/update it and retry.
Update problems/questions
U1
Rootkit Hunter tells me I have multiple versions installed, how is this possible?
Most times you install a tool and upgrade it later. Sometimes, if you use a 'non-official' updater (let's say from an external party, built from source or using an installer like RPM/DEB/TGZ), the binaries will be installed in another place than the original. So there are two binaries with the same name, but in different places (/usr/bin and /usr/local/bin for example). You have to check which binaries are old and can be safely removed/replaced (tip: make a copy or use replace, instead of removing).
--------------------------------------------------------------------------------
8. Q: Although Rootkit Hunter tells me my binaries do have the correct hashes (=OK), the logfile shows a lot of incorrect items. How is that possible?
A: Because the main program is a shell script, a lot of small utilities are used to read the database (in fact a CSV-like file). The output you see in the logfile is debug information and contains a lot of extra detail. Because every line of the hash database is read and compared with the real hash of the binary, there will be both good and bad hashes for one single binary (because of the multiple versions of a single binary). Every line is written to the logfile too, so if a hash DOESN'T match the binary, that is logged as well. If ONE of the multiple hashes matches, you don't have to worry about the 'failed' lines.
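As an added example (not rkhunter's own code), this shell script applies the any-of-several-hashes logic described above to one file against a small constructed database; it assumes a "<path>:<md5>" line format, which is not rkhunter's real database layout, and the md5sum utility.

```shell
#!/bin/sh
# Added example, not part of rkhunter: verify a binary against a "CSV-alike"
# hash database in which one path can have several known-good hashes (one per
# packaged version).  The file is OK when ANY stored hash matches; the
# non-matching lines are only the debug noise the FAQ describes.
# Assumed database format (not rkhunter's real one): <path>:<md5> per line.

# file_md5 <file>: print the md5 of a file (assumes md5sum from coreutils).
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_hash <file> <dbfile>: exit 0 if a stored hash matches, 1 otherwise.
verify_hash() {
    f="$1"; db="$2"
    actual=$(file_md5 "$f")
    # Exact-match the path column; several lines may be returned.
    for stored in $(awk -F: -v p="$f" '$1 == p { print $2 }' "$db"); do
        if [ "$stored" = "$actual" ]; then
            echo "OK   $f (matches $stored)"
            return 0
        fi
        echo "MISS $f (database also lists $stored)"   # the 'failed' log line
    done
    echo "BAD  $f: none of the stored hashes equals $actual"
    return 1
}

# Constructed sample: a fake binary and a database listing one stale hash
# (an older version) plus the hash of the current file.
demo_setup() {
    d=$(mktemp -d)
    printf 'pretend this is /bin/ls\n' > "$d/ls"
    {
        printf '%s:%s\n' "$d/ls" "00000000000000000000000000000000"
        printf '%s:%s\n' "$d/ls" "$(file_md5 "$d/ls")"
    } > "$d/rkhunter.dat"
    echo "$d"
}

d=$(demo_setup)
verify_hash "$d/ls" "$d/rkhunter.dat"
```

The MISS line for the stale hash is exactly the kind of 'failed' entry the logfile shows; only a BAD result, where no stored hash matches, is a real warning.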
--------------------------------------------------------------------------------
9. Q: How can I run Rootkit Hunter on a daily basis?
A: Add it as a cronjob to /etc/crontab
Example:
30 5 * * * root </path>/rkhunter -c --cronjob <more options>
Rootkit Hunter will now run at 5:30 (AM)
--------------------------------------------------------------------------------
10. Q: My operating system isn't supported! Can you add support for it?
A: Yes and no. Please use the contact form (http://www.rootkit.nl/contact/) and fill in which operating system you're using (include system architecture!).
--------------------------------------------------------------------------------
11. Q: Can I be notified when a new release will be available?
A: Yes you can, please subscribe to the Freshmeat project page
URL: http://freshmeat.net/projects/rkhunter/
--------------------------------------------------------------------------------
12. Q: What is the best way to run Rootkit Hunter from the crontab?
A: Add a cronjob with the parameters '-c --quiet --cronjob'. It will run Rootkit Hunter without colors and without layout characteristics (--cronjob). Rootkit Hunter will only show text when it finds some warnings or errors. Very nice when you own a lot of machines and don't want to have a huge amount of mail ;-)
--------------------------------------------------------------------------------
13. Q: Can I help with the development of this project?
A: Everyone can help, but only with the following parts:
- Testing the application by using it on your server(s)
- Buy me a book (see wishlist)
- Donate a (temporary) shell account so I can test on foreign/untested operating systems (like non-i386 architectures)
- Send tips, tricks or ideas about future options of Rootkit Hunter
--------------------------------------------------------------------------------
14. Q: I like your software! How can I thank you?
A1: Send me a mail (by filling in the contact form) and tell me you like my tool.
A2: Buy me a book. See the wishlist on the right side of this website.
A3: Write about my tool and spread the word.