ROOTKIT HUNTER FREQUENTLY ASKED QUESTIONS (FAQ)===============================================The latest version of this FAQ can be found at the RKH web site.(http://sourceforge.net/docman/?group_id=155034)=========================================================== 1. GENERAL QUESTIONS   1.1) What is Rootkit Hunter?   1.2) What are rootkits?   1.3) Can I help with the development of this project?   1.4) I like your software! How can I thank you? 2. INSTALLATION QUESTIONS   2.1) How do I install Rootkit Hunter?   2.2) How do I create a Rootkit Hunter RPM file? 3. USAGE QUESTIONS   3.1) Rootkit Hunter tells me there is something wrong with        my system. What do I do?   3.2) Rootkit Hunter tells me that I have vulnerable applications        installed. But I have fully patched my server! How is this        possible?   3.3) How can I automatically run Rootkit Hunter every day?   3.4) What is the meaning of the test names?   3.5) Can rkhunter handle filenames with spaces in them?   3.6) What does the following warning mean:          Determining OS... Warning: this operating system is not          fully supported!   3.7) I have just installed Rootkit Hunter, and I am already        getting warning messages. Why is that?   3.8) When I used the '--propupd' option, Rootkit Hunter told me        I had some missing hashes. What does this mean?   3.9) I run rkhunter in cron and in the emailed output I get some        strange characters. Why is this? 4. ERROR AND WARNING MESSAGES   4.1) What does the following warning mean:          The file of stored file properties (rkhunter.dat) is empty,          and so must be created. To do this type in          'rkhunter --propupd'.   4.2) Rootkit Hunter skips some checks, and the logfile indicates        that certain commands are missing. What can I do?   4.3) I get warnings from PHP like:          PHP Warning: Function registration failed - duplicate name          - pg_update in Unknown on line 0. What does this mean?   4.4) After performing some updates, all, or some, binaries in the        file properties checks are marked with a 'Warning'.        What can I do? 5. UPDATING QUESTIONS   5.1) Rootkit Hunter tells me that I have multiple versions        installed. How it this possible?   5.2) Can I be notified when a new release will be available?===========================================================1. GENERAL QUESTIONS====================1.1) What is Rootkit Hunter?A.   Rootkit Hunter (RKH) is an easy-to-use tool which checks     computers running UNIX (clones) for the presence of rootkits     and other unwanted tools.1.2) What are rootkits?A.   Most times they are self-hiding toolkits used by blackhats,     crackers and scriptkiddies, to avoid the eye of the sysadmin.1.3) Can I help with the development of this project?A.   Yes, everyone can help in some way. For example:     Help your fellow Rootkit Hunter users on the rkhunter-users     mailing list;     Send a copy of an undetected rootkit to us so that it can     be added and help others;     Translate RKH messages to your native language. For the     template see the standard language file i18n/en.     Are you a package maintainer? If so, then please submit     your changes to us so that everyone can benefit from them;     Are you an end-user? FOSS, and hence RKH, ultimately depends     upon you. Contributing is your responsibility, not someone     elses. Whatever you contribute is very much welcomed. For     example, contribute or discuss enhancing Rootkit Hunter with     us; submit a patch or discuss enhancements; file a bug     report; or test the application by using it on your servers.1.4) I like your software! How can I thank you?A.   Simple - by contributing. See question 1.3 above.===========================================================2. INSTALLATION QUESTIONS=========================2.1) How do I install Rootkit Hunter?A.   Instructions on installing RKH can be found in the README file.2.2) How do I create a Rootkit Hunter RPM file?A.   The RKH source contains an rkhunter.spec file which will     allow an RPM to be built. To build the RPM run the following     command:            rpmbuild -ta rkhunter-<version>.tar.gz     The last part of the displayed build process should indicate     where the RPM file has been written. However, it will usually     be found in '/usr/src/redhat/RPMS/noarch'.     NOTE: The RKH development team do not support any third-party     RPM files. However, the rkhunter.spec file will be maintained. ===========================================================3. USAGE QUESTIONS==================3.1) Rootkit Hunter tells me there is something wrong with my     system. What do I do?A.   Prior to any incident it is recommended that you have read     "Intruder Detection Checklist". This is available from     http://www.cert.org/tech_tips/intruder_detection_checklist.html     This document will tell you what to check, and makes it easier     for you to find out and answer any questions.     If you are unsure as to whether your system is compromised,     you can get a second opinion from sources such as the     rkhunter-users mailing list, the Linux-oriented forum     LinuxQuestions.org, or even IRC. Please note you need to      subscribe before posting to the rkhunter-users mailing list.     If a file property check fails, then it is possible you have     what is called a 'false positive'. Sometimes this will happen     due to package updates, customised configurations or changed     binaries. If so, then please check further:       1. If you run a file integrity checker, for example Aide,          Samhain, or tripwire, consult the results from running those          tools. Note they must be installed directly after the O/S          installation in order to be useful, and you must keep a copy          of the binary, configuration files and databases off-site.          Also note that running those tools, and Rootkit Hunter, is no          substitute for updating software when updates are released,          and proper host and network hardening.       2. If you don't run a file integrity checker you can possibly          use your distributions package management system if it is          configured to deal with verification.       3. Run 'strings <file>' and check the results for untrusted file          paths (for example, /dev/.hiddendir).       4. Check recently updated binaries and their original source.       5. Run 'file <file>' and compare the results with other files,          especially trusted binaries. If some binaries are statically          linked and others are all dynamic, then they could have been          trojaned.     If you have a warning from another part of the checks, then     please subscribe first and then email the rkhunter-users mailing list     and tell us about your system configuration:        the purpose of the server (for example, web server, intranet        fileserver, shell server);        the (aproximate) date of the incident and when you found out;        the running distribution name, release and kernel version;        whether any passwd/shadow file data has changed;        any anomalies you find from reading the system, daemon, IDS        and firewall logs;        if all the installed software was recently updated;        what services are or were running at the time;        if you found setuid root files in directories for temporary        files;        any anomalies you find from reading user shell histories.     If your system is infected with a rootkit, cleaning it up is     not an option. Restoring is also not an option unless you are     skilled, and have autonomous and an independent means of     verifying that the backup is clean, and does not contain     misconfigured or stale software. Never trust a compromised     machine. Period.     Read "Steps for Recovering from a UNIX or NT System Compromise".     This is available from     http://www.cert.org/tech_tips/root_compromise.html     A clean install of the system is recommended after backing up     the full system. To do this follow these steps:       1. Stay calm. Be methodical.       2. From another machine inform users, and the network,          facility or host owner, that the machine is compromised.       3. Get the host offline or make sure the firewall is raised          to only allow network traffic to and from your management          IP address or range.       4. Backup your data. If you do not intend to investigate the          problem, then do not backup any binaries or binary data          which you cannot verify.       5. Verify the integrity of your backup by visual inspection          (authentication data, configurations, log files), or by          using a file integrity checker or your distributions          package management tools.       6. Install your host with a fresh install. Whilst you are          updating and configuring the software and services,          restrict network access to the system using authentication          features like accounts, PAM, firewall, TCP wrappers, and          daemon configurations. Make sure you properly harden the          machine.       7. Investigate the old log files, and the tools used if          possible. Also investigate the services which were          vulnerable at the time of attack.3.2) Rootkit Hunter tells me that I have an out-of-date or unsecure     application installed. But I have fully patched my server!     How is this possible?A.   Some distributions, for example Red Hat and OpenBSD, do patch     old versions of software. However, Rootkit Hunter thinks it is     an old version, and so sees it as being unsecure.     It is possible to whitelist specific applications, or specific     versions of an application. The configuration file contains more     details about this.     If you wish you can skip the application version check completely     by adding the 'apps' test name to the DISABLE_TESTS option in your     rkhunter.conf configuration file.3.3) How can I automatically run Rootkit Hunter every day?A.   There are several ways that rkhunter can be run via cron. However,     it must be remembered that cron will automatically email any output     produced by the program to the root user. Secondly, when the rkhunter     '--cronjob' option is used, the program will generally not produce     any output. It is, therefore, necessary to tell rkhunter what output     should be shown. Typically this will just be any warning messages,     and this can be achieved by using the '--rwo' (report warnings only)     option.     For the first example, the rkhunter command could be added directly     to the root crontab:          30 5 * * * /usr/local/bin/rkhunter --cronjob --update --rwo     This would run rkhunter at 5:30 (AM) every day. If no output is     produced by rkhunter, then nothing is emailed to root. Any output     this is produced, which would only be warning messages, is