Questions tagged [rkhunter]

rkhunter (Rootkit Hunter) is an easy-to-use tool for Unix which checks systems for the presence of rootkits and other unwanted tools.


Website: http://rkhunter.sourceforge.net

Wikipedia: http://en.wikipedia.org/wiki/Rkhunter

More rootkit information: http://www.rootkit.nl


40 questions
1 vote, 1 answer

Are rkhunter and chkrootkit still effective Linux rootkit scanners?

AFAICT neither has had much activity since the first half of 2014. Are there any other open source Linux root scanners out there or reasonable commercial alternatives?
steveinatorx
1 vote, 4 answers

rkhunter warnings - whitelisting

I'm getting a set of warnings via rkhunter that I can't seem to suppress using ALLOWDEVFILE. Here's a piece of what gets flagged: Checking /dev for suspicious file types [ Warning ] Warning: Suspicious file types found in…
AvatarKava
1 vote, 2 answers

RKHunter reported processes that are using deleted files or are listening on the network

I ran Rootkit Hunter 1.4.0 on a Debian Wheezy server and I am confused by the output. I enabled every test using the following piece of configuration: ENABLE_TESTS="all" DISABLE_TESTS="none" The output is the following: Warning: The following…
astorije
1 vote, 1 answer

Correct procedure for RKHunter file changes

I run RKHunter on Ubuntu as well as automated system / package updates. Last night I started receiving RKHunter warnings as listed below and whilst it's obviously easy for me to just do: rkhunter --propupd That could potentially mask someone…
user385762
1 vote, 1 answer

Rkhunter triggered last night warning for a possible infection. What next?

Last night rkhunter triggered with the following warnings: [04:10:23] Warning: Network TCP port 32982 is being used by /usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: Solaris Wanuk Use the 'lsof -i' or 'netstat -an' command to…
Luuk D. Jansen
1 vote, 1 answer

Using Nagios With RKhunter

I have installed rkhunter and would like the rootkit checks to be done automatically with alerts. How would I go about integrating RKhunter with Nagios? One scenario would be if a rootkit is found, I would receive a critical alert on Nagios else…
Anonymous
1 vote, 4 answers

Crontab and rkhunter Scheduling

I've got a system with Ubuntu 12.04 which has rkhunter installed. Currently the rkhunter daily scan script is located in /etc/cron.daily/rkhunter. Every day at 7pm EST the rkhunter script is executed and the following is added to the…
Andrew Anderson
1 vote, 1 answer

Can someone explain this rkhunter report?

This is my rkhunter output that I recently set so I get this report every morning, could someone please explain if I have a serious problem here (I know about httpd, openssl, php and sshd not up to date, but all other commands I don't understand -…
Nikola
1 vote, 1 answer

rkhunter update failed, cannot find dat files

I have a CentOS 7.6 up and running with rkhunter for a long time now. After all my OS updates, I run rkhunter --update --propupd but it fails since recently. [ Rootkit Hunter version 1.4.6 ] File updated: searched for 175 files, found 133 Checking…
Zian
1 vote, 2 answers

rkhunter reports change in file properties, but I don't see that they've been updated by yum

Maybe I'm being overcautious, but I recently received the following warnings from rkhunter: Warning: The file properties have changed: File: /bin/dmesg Current hash: e94b12f49e53695bf5161a445c00b3f97e37e9a8 Stored hash :…
Jeremy Blum
0 votes, 2 answers

rkhunter: whitelist for test 'packet_cap_apps'

We have here a CentOS 7 server with rkhunter installed. Since yesterday we get the following rkhunter warning: [01:10:30] Info: Starting test name 'packet_cap_apps' [01:10:30] Checking for packet capturing applications [ Warning ] [01:10:30]…
Steffen
0 votes, 1 answer

anacron fails to run rkhunter each day

I put a rkhunter script in daily.cron on Apache CentOS 7. When I manually run the script, it works fine, but leaving it in daily.cron it fails to run. I get this email every day instead. /etc/cron.daily/rkhunter: /etc/cron.daily/rkhunter: line 3:…
Zuriel
0 votes, 2 answers

rkhunter: prelinking hash function warning

We are using rkhunter to scan our server periodically. Server operating system is CentOS 6/7. But since the last rkhunter update (to the current version 1.4.4) we are getting the following warning message: [10:12:09] Performing file properties…
Steffen
0 votes, 1 answer

How to get rkhunter PORT_WHITELIST='* ...' to work on Ubuntu 16.04?

My /etc/rkhunter.conf.local contains this line: PORT_WHITELIST='* TCP:7000' If I run rkhunter -c it appears that the star is being shell expanded: root@willow / # rkhunter -c Invalid entry specified in PORT_WHITELIST configuration option:…
David Tinker
0 votes, 1 answer

Removing RKHunter (installed with apt) when RKhunter Installed from source

I installed rkhunter from source (1.40 I think) and then later updated to 1.4.2 from source (as there is no app update function in rkhunter and the latest version in apt is old) however that means I have the old version at /usr/bin/rkhunter and the…