Rootkit Hunter Changelog

What's new in Rootkit Hunter 1.4.2

Feb 24, 2014

New:
The 'ssh', 'sshd' and 'telnet' commands are now checked as part of the file properties test.
It is now possible to include configuration files found in a local configuration directory. This directory, called 'rkhunter.d', must be in the same directory as the main configuration file. Only files ending in '.conf' will be treated as configuration files, all other files will be ignored. The configuration options found in the files will be merged with the options found in the main configuration file and the local configuration file, if present. Both the local configuration file, and the 'rkhunter.d' configuration files, will only override a previously specified option if the option can only be specified once, or, for list options, if the null string is given. The installer will automatically include any configuration files to the file properties test.
A new configuration file option, 'SHOW_SUMMARY_WARNINGS_NUMBER', can be set so that the summary will display the actual number of warnings found, rather than the default message which simply states that one or more warnings were found. If no warnings were found, then it will be stated that '0' warnings were found.
The tests to see if 'syslog' is running, and its configuration file is present, have now been changed. The test has been renamed to state 'system logging' rather than 'syslog', and will now detect if 'systemd' logging is being used as well as, or instead of, syslog.
Two new tests have been added to the 'filesystem' checks. The first will check if any configured log files are missing, and the second will check if any configured log files are empty. The second test will also check if the log files are missing, but only report it if the first test has not done so. For both tests the results are only shown if the relevant test has been configured. To enable this there are also two new configuration file options
MISSING_LOGFILES and EMPTY_LOGFILES.
Added the 'UNHIDETCP_OPTS' configuration option. This may be set to options which are then used by the 'unhide-tcp' command. By default no options are used.
Added the SHOW_SUMMARY_TIME configuration option. This can be used to specify where the summary scan time should be displayed, if at all. The default (as before) is to display the time both on the screen and in the log file.
Added the PORT_PATH_WHITELIST configuration option to be used when specifying a pathname. Other port whitelisting types use the PORT_WHITELIST option as before.
Added Turkish translation files.
Added System V Shared Memory test for Linux.
Added ClamAV-compatible signatures for an Apache DSO, pam_unix.so backdoor, xsyslog, SHV4, SHV5, Kbeast, libncom, Jynx, Turtle, Glupteba, trojaned OpenSSH daemon, improved libkeyutils.1.9.so and common sniffer strings. These signatures are highly experimental, prone to false positives and must be run manually using ClamAV. Currently no update mechanism is provided and the rkhunter-users mailing list may or may not provide support for any questions about these signatures.

New in Rootkit Hunter 1.4.0 (Apr 27, 2012)

New:
Added the '--list propfiles' command-line option. This will dump out
the list of filenames that will be searched for when building the file
properties database. By default the list is not shown if just '--list'
is used.
Added Jynx rootkit check.
Added Turtle/Turtle2 rootkit check.
Added KBeast rootkit check.
The installer now supports the Slackware TXZ package layout option.
Changes:
Allow the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options to
use '%' as the space character. (Note: This is a temporary fix).
The ALLOWPROCDELFILE option can now use wildcards in the file names.
The '--list perl' command-line option now shows whether the perl
command itself is installed or not.
The 'shared_libs' test now allows whitelisting of the preloading
environment variables.
The '-r/--rootdir' command-line options, and the ROOTDIR
configuration option are now deprecated. If they are used then an
error message will be displayed. The options will have no effect,
but rkhunter will continue. The options will be completely removed
at the next release.
The 'hidden_ports' test will now show if a found port is TCP or UDP.
It is now possible to whitelist ports in the 'hidden_ports' test
using the PORT_WHITELIST configuration option.
Bugfixes:
Allow the ALLOWPROCDELFILE option to work again.
Correct the check of the ProFTPD version number.
Fix the FreeBSD 'sockstat' command check to ensure that the correct
fields are used.
Fix for newer version of the 'file' command when reporting scripts.
Fix the ALLOWHIDDENFILE option to allow hidden symbolic links.
The 'filesystem' check now handles files and directories with spaces
in their names correctly.
The 'startup_files' test was displaying file names with spaces in
them incorrectly. Also the test was not checking files which were
in hidden directories.
Ensure that the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR
options re-evaluate their whitelisting lists to ensure that any
wildcard entries are the most recent. (A time window previously
existed which meant that the list was processed, but new files
could be created before the test was run. As such they were reported
as false-positive warnings, when they should have been whitelisted.)
Allow the EXISTWHITELIST option to work with symbolic links.
The test of whether prelinking is being used or not was sometimes
causing the file properties hash test to be skipped, without the
real reason being stated. Now the hash test will proceed but the
user will still get a warning (because it detects that prelinking was
used and is not now, or vice-versa).
Rkhunter will now check to see if the 'head' and 'tail' commands
understand the '-n' option. If they do, then it will be used. If they
do not, then the older 'head -1' and 'tail -1' commands will be used.

New in Rootkit Hunter 1.3.8 (Nov 17, 2010)

New:
It is now possible to whitelist specific rootkit strings in
specific files using the RTKT_FILE_WHITELIST option. Details
are in the configuration file.
For those systems on which files generally have the immutable
-bit set, the 'immutable' test can now be reversed (that is,
warnings will be issued for files which do not have the bit
set). The configuration file option IMMUTABLE_SET can be set
to '1' to enable this. By default it is '0'.
The installer now supports the ppc64 architecture.
The RTKT_FILE_WHITELIST option can be used to whitelist
reported 'suspicious files' found in the 'running_procs' test.
Using the EXISTWHITELIST configuration option it is now possible
to whitelist files and directories that might not always be
present on the system. Whitelisted items are, in effect,
whitelisted from 'existence' checks.
Added a new test to check for hidden network ports being used.
It is called 'hidden_ports'. This test is disabled by default,
and will only run if the 'unhide-tcp' command is present.
Added support for DragonFly BSD.
Added Inqtana worm check (variants A, B and C).
It is now possible to whitelist a combined pathname and port number
with the PORT_WHITELIST configuration option. Details are in the
configuration file.
Added Togroot rootkit check.
It is now possible to specify 'SOLARIS' as a package manager for
Solaris systems. It can be used to check several of the file
properties, such as the file permissions, ownership, size and so
on. By default the stored 16-bit hash value is not used, and a hash
value will be calculated, as before, using the configured hash
function. However, if it is wished that the stored hash value is
used, then the USE_SUNSUM configuration option must be enabled.
The command-line option '--list perl' may be used to see the
installation status of perl modules that may be used by some of
the tests.
For the file properties test the hash functions 'Whirlpool' and
'Ripemd160' may now be specified. However, only the relevant perl
module will be looked for when using these functions.
Added Solaris Wanuk backdoor and worm checks.
The new command-line option '-C' (or '--config-check') can be
used to check the rkhunter configuration files. This will check
most of the options, but only for the tests which would normally
be run (as defined by the enable and disable options). The program
exits once the check has run. See the man page for more details.
The 'hidden_procs' test will now run the 'unhide.rb' command if it
is present. This is the Ruby version of the original C 'unhide'
program. (The 'unhide' command is also still run if found.)
Added the DISABLE_UNHIDE configuration option. This allows users
to disable one or other of the 'unhide' or 'unhide.rb' commands
if they are both present on the system. The default is to look
for and run both commands.
Added OS X Boonana (Koobface.A) trojan check.
Changes:
Allow the 'unhide' command to be detected on Linux systems.
Allow most of the whitelisting-type configuration options to
be specified more than once in the configuration file.
NIS entries are now ignored when checking the password file.
The use of '--disable all' on the command-line is now allowed
provided that the '--enable' option is also used, and not set
to 'none'. Disabling all the tests in the configuration file
will still give an error.
If the enabled and disabled test name(s) are the same, then an
error will now be displayed. This only applies to certain
non-grouped test names.
The check of syslog remote logging no longer considers a
127.x.x.x address as being remote.
In the configuration file the WEBCMD option has now changed
name to WEB_CMD. However, the old name will still be recognised.
If the UPDT_ON_OS_CHANGE option is set, and an O/S change has been
detected, a message is now logged stating that an automatic
update will occur. Additionally, the output of the update is no
longer displayed (it looked confusing).
Removed the automatic exception of TDB database files from the
'filesystem' check. (This seems to have been introduced in version
1.1.3, but we have whitelisting now.)
The file properties test now handles broken links. These were
previously reported as an error. If there are any broken links,
then the '--propupd' option will report how many have been found.
The old configuration options LOCAL_RC_PATH and SYSTEM_RC_DIR
have now been removed. They were replaced by STARTUP_PATHS at
version 1.3.6.
Most of the configuration options which take a list of pathnames,
and which are not set in the provided config file, can now be
specified more than once. They are all now space-separated lists
as well.
The 'suspicious files' check in the 'running_procs' test now displays
each found file individually. Additionally the warning will include
the command being executed, the PID, the user id, the full pathname
that appears to be suspicious, and the possible rootkit name.
Reverted a change to the 'os_specific' test so that it will show the
test as being skipped for O/S's which have no specific tests. Without
this if the test was enabled on its own, then nothing at all was
displayed.
More rigorous testing of the various '.dat' files before each test
which uses them has now been included. If a problem is found, then
a warning is displayed.
The ALLOW_SSH_ROOT_USER configuration option can no longer be set
to 'yes' if the 'PermitRootLogin' option is not set in the SSH
configuration file. A value of 'unset' must be used.
The ALLOW_SSH_PROT_V1 configuration option can no longer be set
to '1' if the 'Protocol' option is not set in the SSH configuration
file. A value of '2' must be used. (The use of '1' in this instance
was an undocumented, but allowed setting.)
The '--enable' and '--disable' command-line options may now be
specified more than once.
The default behaviour when the command-line option '--disable' is
used has been changed. Rkhunter will now also include the
configuration file option used to disable tests, in order to
determine overall which tests to run. This is more intuitive for the
user. If the previous behaviour of only the '--disable' option being
used to determine which tests to run, then the new '--nocf' option
must also be used.
The network 'ports' test no longer displays the details of the test
on the screen, but just shows the overall result. This brings the test
format more inline with the other tests. The result of individual
ports being checked is still logged as before.
The 'sort' and 'uniq' commands are now required to be on the system
in order to run rkhunter.
Grsecurity-enabled systems may now run the network 'ports' test. If
this causes a problem, then that particular test can be disabled.
Improved support for OS X a little bit more.
When using the installer '--show' option, if a directory does not
exist, then it will now state that the directory will be created.
The 'hidden_procs' test used to run the 'unhide sys' command. Now
it is possible to specify which test names to provide to the 'unhide'
command by using the UNHIDE_TESTS configuration option. It defaults
to 'sys'. This allows for additional tests to be run with 'unhide'
if the user wishes, and caters for newer versions of 'unhide' which
have several new options. Increased the amount of logging of what
rkhunter is doing during the 'hidden_procs' test.
Both the '--bindir' command-line option and the BINDIR configuration
file option may now be specified more than once. The description of
how these options affect the PATH of rkhunter has been reworded in
both the supplied rkhunter.conf file and the man page.
The log file permissions and owner/group settings will now be copied
to each new log file, rather than a new log file, with default
permissions, being created each time. This will allow users to
modify the permissions/owner/group of the log file, without them
being lost when a new log file is created. If no log file exists,
then, as before, one will be created with permissions of 600 and
with the owner/group of the root user.
For OS X users the test of root-equivalent accounts now works
with directory services as well as with the password files.
The check of the syslog configuration file will now check all
the files found, not just the first one.
Bugfixes:
Corrected test of ProFTPD version number in apps test.
Make the apps test version number check case-independent.
Ensure the promiscuous interface whitelisting is applied to both
parts of the test. Corrected and tidied up the displayed output.
Correct the test of rkhunter itself being changed to a non-script
file.
Ensure the suspscan test removes any files it creates. (Again!)
The --rootdir/ROOTDIR configuration option now works correctly if
specified as '/'. Previously it caused the file properties file
entries to become a bit messed up.
The file properties immutable test checked the 'lsattr' command
against the rkhunter configuration file. However, if the file was
a symbolic link, then the test failed. Now the test checks 'lsattr'
against several of the rkhunter installed files, looking for a
regular, non-link, file. These include the configuration file, the
rkhunter database files, and the language files.
The ALLOWDEVFILE whitelisting now allows filenames to contain
colon (:) characters.
The rootkit summary could list detected rootkit names more than once.
This has now been corrected, each rootkit name will only be
displayed once. The rootkit count will also now only show the number
of unique rootkits found.
It was possible for part of the summary to be displayed twice. This
has now been corrected so that it only displays once.
For system startup files (rc files), the rootkit strings check now
ignores comment lines (lines starting with '#'). For Solaris systems,
the 'gstrings' command is used rather than 'strings' if it exists.
Allow *BSD 'grep' to work correctly with binary (i18n) files.
Removed the configuration file option use of a comma as an option
separator. Now only spaces and tabs can be used. Use of a comma would
prevent known rootkit files and directories, as well as RCS files, from
being whitelisted correctly.
When the German language is selected rkhunter will now try to display
messages using the correct encoding.
The test of rootkit strings in the startup files could display the
wrong string and rootkit. It now displays the correct information.
The 'filesystem' check now correctly identifies non-standard
directories (e.g. setgid directory), and allows them to be whitelisted.
The UPDT_ON_OS_CHANGE option was defaulting to 1 rather than 0.
The result of the libsafe check, a prelink command check, and a prelink
hash function check were not being reported.
The 'filesystem' check would ignore files with spaces in their name if
the default setting of SCAN_MODE_DEV was used. This has now been
corrected, filenames with spaces in them are checked regardless of the
configuration option setting.
If the installer is used with the RPM, TGZ or DEB layout options,
and '/' is the build root, then this will now build correctly.
NetBSD, FreeBSD and OS X would print out an error regarding the 'print'
command. They would also display the locking messages incorrectly. Both
of these have now been corrected.
The sockstat/netstat output check for *BSD systems gave a spurious
error message because FreeBSD/OpenBSD sockstat did not support the '-n'
option. This has been fixed, but NetBSD systems will still use it.
The installer option '--layout custom /' now works correctly.
The SHA256 perl module was not being called correctly.

New in Rootkit Hunter 1.3.6 (Mar 25, 2010)

New in Rootkit Hunter 1.3.4 (Apr 6, 2009)

New:
Added IntoXonia-NG rootkit check.
Added Vampire rootkit check.
Added support for TCB shadow files.
Added Phalanx2 rootkit check.
Changes:
The MAIL-ON-WARNING option must now exist in the configuration file. This avoids it being accidentally misspelt, and rkhunter then not notifying the user of any warnings.
The DBDIR directory can now be read-only, after installation, provided that neither of the '--propupd' or '--update' options are specified, and that the '--versioncheck' option is not specified if ROTATE_MIRRORS is set to 1 in the configuration file.
Renamed the cron job file created by the RPM spec file from '01-rkhunter' to 'rkhunter'. This will then run 'rkhunter' after a prelink cron job (if one exists), and avoid some of the 'run prelink' errors.
The system startup file and directory tests have now been merged. The configuration file options LOCAL_RC_PATH and SYSTEM_RC_DIR have been replaced by the STARTUP_PATHS option, but, for compatability, they will still be recognised.
The ALLOWPROCDELFILE configuration option, used to whitelist specific processes from the deleted files test, can now be followed by a colon-separated list of pathnames. The given process will then only be whitelisted if it is using one of the given pathnames.
The '--propupd' option can now take an optional file, directory or package name after it. The argument can be a list of names. When used, then only the given file names will be updated in the rkhunter.dat file. Hopefully this will make things a bit quicker on slower machines. See the man page for more details. If using a package manager, then you must run 'rkhunter --propupd' first.
The Linux 'os_specific' test has now been split into two separate tests - 'loaded_modules' and 'avail_modules'. The tests, however, are the same as before, they check the currently loaded kernel modules and the names of the available modules. A new configuration file option has been added, called MODULES_DIR, so that users can specify which directory, and sub-directories, are checked for bad module names, should rkhunter be unable to work out the correct location.
The pathname of the debug file, if used, is now written to the log file.
Bugfixes:
Cater for when ROOTDIR is explicitly set to '/'.
Added an infinite loop check to the readlink.sh supplied scriptonly 64 levels of symbolic links are allowed now. Also cater better for top-level names and links, and file names with spaces.
Improved the rsyslog remote logging check.
The wrong error message was shown if the English (en) language file was missing.
The hidden files and directories check wasn't checking for directories!
Improved the O/S name detection. Previously the lsb-release file would have preference to any other file. This could result in some gibberish being given as the O/S name, rather than continuing to look for other release files. This has now been fixed.
The tests against the SSH configuration file now accept the key/value pair to be separated by an equals sign as well as spaces and/or tabs.
The file properties inode check did not work correctly when used on non-prelinked systems with the RPM package manager. The test is now only performed when prelinking is not being used, and the inode data is always obtained from the disk. This is a partial fix, as the test should run for scripts regardless of whether prelinking is used or not.
The debug file is now created with a random name, and the file permissions are set to 600.