SLC5X: Letter R: rkhunter
rkhunter - rkhunter scans for rootkits, backdoors and local exploits
Rootkit Hunter is a scanning tool intended to give you about 99.9% assurance
that your system is clean of nasty tools. It scans for rootkits, backdoors and
local exploits by running tests such as:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspicious strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
- Software version checks
- Application tests
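The first three tests in that list (hash compare, wrong file permissions for binaries, hidden files) share one idea: record a trusted baseline of a directory tree, then re-scan and report anything that deviates. The following Python script is an added illustration of that idea written for this page; it is not rkhunter's own code. It hashes with SHA-256 rather than MD5 (the hash choice does not change the technique), treats any file whose name starts with a dot under a binaries directory as "hidden", and uses a constructed temporary tree rather than a real /bin.

```python
"""Added example: baseline-and-recheck file integrity scan in the spirit of
rkhunter's hash-compare, file-permission and hidden-file tests.
Not rkhunter's code; all paths and sample files below are constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record content hash and permission bits for every regular file under root.
    Keys are paths relative to root, so a baseline can be stored off-box."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = str(p.relative_to(root))
            baseline[rel] = {"hash": hash_file(p),
                             "mode": stat.S_IMODE(p.stat().st_mode)}
    return baseline


def check_tree(root, baseline):
    """Re-scan root and compare with baseline; return a list of (finding, path).
    Findings: missing, hash_mismatch, mode_changed, unexpected_file,
    world_writable, hidden_file."""
    findings = []
    current = build_baseline(root)
    for rel, info in baseline.items():
        if rel not in current:
            findings.append(("missing", rel))
            continue
        if current[rel]["hash"] != info["hash"]:
            findings.append(("hash_mismatch", rel))
        if current[rel]["mode"] != info["mode"]:
            findings.append(("mode_changed", rel))
    for rel, info in current.items():
        if rel not in baseline:
            findings.append(("unexpected_file", rel))
        # A world-writable binary is a classic "wrong permissions" warning.
        if info["mode"] & stat.S_IWOTH:
            findings.append(("world_writable", rel))
        # Dot-files have no business in a system binaries directory.
        if os.path.basename(rel).startswith("."):
            findings.append(("hidden_file", rel))
    return findings


def demo():
    """Build a small constructed 'bin' tree, baseline it, tamper with it,
    and return the sorted, de-duplicated findings of the re-check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root) / "bin"
        bindir.mkdir()
        for name in ("ls", "ps"):
            f = bindir / name
            f.write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(f, 0o755)
        baseline = build_baseline(root)
        if check_tree(root, baseline):
            raise RuntimeError("an untouched tree must produce no findings")
        # Simulated tampering (constructed): replaced ps, loosened ls, dot-file.
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho not-the-real-ps\n")
        os.chmod(bindir / "ls", 0o777)
        (bindir / ".hidden").write_bytes(b"x")
        os.chmod(bindir / ".hidden", 0o644)
        return sorted(set(check_tree(root, baseline)))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:16s} {path}")
```

The baseline must be taken from a known-good state and kept somewhere the scanned host cannot rewrite it; a scanner that trusts a baseline stored on the same disk as the binaries it checks can be silenced by updating both. That is also why the package description above falls back to RPM's own hashes when "default" hashes are missing: the package database is a second, independently produced baseline.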
Rootkit Hunter is released as a GPL licensed project and free for
everyone to use.
This version has been customized/patched for CERN, and includes a
(patched) copy of "unhide" by yjesus AT security-projects.com
This version currently sends reports back to CERN, to evaluate for
false positives. If you do not want this, please don't install it.

by Jan Iven (2009-09-28):
- whitelist "fipscheck" hmac files
- turn off network port checks that give FPs
- minor tweaks for unhide output and patterns
by Jan Iven (2009-03-19):
- handle osinfo changes automatically, instead of carping
- unhide: multithreaded zombies don't show up in "ps axH" (but do in "ps ax", so are not hidden)
- network: only warn for connections *to* evil ports, not *from* them.
by Jan Iven (2009-03-09):
- fix another xinetd whitelisting bug - accept "bad timestamp but otherwise OK"
by Jan Iven (2009-01-29):
- fix xinetd whitelisting bug; still needs "properties" test to be run before
- add "uname" and rkhunter version to warning mail
by Jan Iven (2009-01-19):
- updated/patched "unhide"
- xinetd: trust RPM-added services
- missing "default" hashes - fall back to RPM
- accept stricter SSH-for-root configs without warning.
- rename cron job to "zz_" to give prelink a chance to run
- keep default config and use CERN-specific only for cronjob, and only at CERN.
by Jan Iven (2009-01-05):
- go to 1.3.4