Rootkit Hunter v1.4.0 Released

Rootkit Hunter is a scanning tool that ensures you are about 99.9%* clean of nasty tools. Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.

This tool scans for rootkits, backdoors and local exploits by running tests like:

  • MD5 hash compare
  • Look for default files used by rootkits
  • Wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files

* No, not really 99.9%. It’s just another security layer.
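As an added illustration of the first and third checks listed above (hash compare and wrong file permissions for binaries), and not rkhunter’s own code, the following POSIX shell sketch records a baseline of hashes and modes for a set of binaries and later reports any drift. The baseline line format is an assumption of this example, and it relies on sha256sum and GNU stat -c, so it assumes a Linux coreutils environment.

```shell
#!/bin/sh
# Added example, not rkhunter's code. Baseline format (own convention):
#   <sha256>  <octal mode>  <path>
# Paths may contain spaces because the path is the last field on each line.

# Record hash and mode of each given file into the baseline file ($1).
build_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")          # GNU stat; BSD would need stat -f '%Lp'
        printf '%s  %s  %s\n' "$hash" "$mode" "$f" >> "$baseline"
    done
}

# Compare the current state against the baseline ($1). Prints one finding per
# line and returns the number of findings (0 = clean; wraps past 255).
check_baseline() {
    baseline="$1"
    findings=0
    while read -r hash mode path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; findings=$((findings + 1)); continue
        fi
        cur_hash=$(sha256sum "$path" | cut -d' ' -f1)
        cur_mode=$(stat -c '%a' "$path")
        if [ "$cur_hash" != "$hash" ]; then
            echo "CHANGED  $path (hash)"; findings=$((findings + 1))
        fi
        if [ "$cur_mode" != "$mode" ]; then
            echo "CHANGED  $path (mode $mode -> $cur_mode)"; findings=$((findings + 1))
        fi
        # A world-writable binary is wrong regardless of what the baseline says:
        # the last octal digit carries the "other" bits, and 2/3/6/7 include write.
        case "$cur_mode" in
            *[2367]) echo "WORLD-WRITABLE  $path"; findings=$((findings + 1)) ;;
        esac
    done < "$baseline"
    return "$findings"
}
```

Run build_baseline on a known-good system and keep the baseline off-box; check_baseline is only as trustworthy as the sha256sum and stat binaries it calls, which is why rkhunter’s own checks cover those tools too.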

Changelog v1.4.0

New:

  • Added the ‘--list propfiles’ command-line option. This will dump out the list of filenames that will be searched for when building the file properties database. By default the list is not shown if just ‘--list’ is used.
  • Added Jynx rootkit check.
  • Added Turtle/Turtle2 rootkit check.
  • Added KBeast rootkit check.
  • The installer now supports the Slackware TXZ package layout option.

Changes:

  • Avoid checking exclamation points in ALLOWDEVFILE checks (this was caught on 01/05/2012 causing a reissue of the 1.4.0 release).
  • Allow the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options to use ‘%’ as the space character. (Note: This is a temporary fix).
  • The ALLOWPROCDELFILE option can now use wildcards in the file names.
  • The ‘--list perl’ command-line option now shows whether the perl command itself is installed or not.
  • The ‘shared_libs’ test now allows whitelisting of the preloading environment variables.
  • The ‘-r/--rootdir’ command-line options, and the ROOTDIR configuration option, are now deprecated. If they are used then an error message will be displayed. The options will have no effect, but rkhunter will continue. The options will be completely removed at the next release.
  • The ‘hidden_ports’ test will now show if a found port is TCP or UDP.
  • It is now possible to whitelist ports in the ‘hidden_ports’ test using the PORT_WHITELIST configuration option.

Bugfixes:

  • Allow the ALLOWPROCDELFILE option to work again.
  • Correct the check of the ProFTPD version number.
  • Fix the FreeBSD ‘sockstat’ command check to ensure that the correct fields are used.
  • Fix for newer versions of the ‘file’ command when reporting scripts.
  • Fix the ALLOWHIDDENFILE option to allow hidden symbolic links.
  • The ‘filesystem’ check now handles files and directories with spaces in their names correctly.
  • The ‘startup_files’ test was displaying file names with spaces in them incorrectly. Also the test was not checking files which were in hidden directories.
  • Ensure that the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options re-evaluate their whitelisting lists to ensure that any wildcard entries are the most recent. (A time window previously existed which meant that the list was processed, but new files could be created before the test was run. As such they were reported as false-positive warnings, when they should have been whitelisted.)
  • Allow the EXISTWHITELIST option to work with symbolic links.
  • The test of whether prelinking is being used or not was sometimes causing the file properties hash test to be skipped, without the real reason being stated. Now the hash test will proceed, but the user will still get a warning (because it detects that prelinking was used previously and is not used now, or vice versa).
  • Rkhunter will now check to see if the ‘head’ and ‘tail’ commands understand the ‘-n’ option. If they do, then it will be used. If they do not, then the older ‘head -1’ and ‘tail -1’ commands will be used.

System requirements:

  • Compatible operating system (see ‘Supported operating systems’)
  • Bourne Again Shell (BASH)

Supported operating systems

Supported:

  • Most Linux distributions
  • Most *BSD distributions

Currently unsupported:

  • NetBSD

Tested on:

  • AIX 4.1.5 / 4.3.3
  • ALT Linux
  • Aurora Linux
  • CentOS 3.1 / 4.0
  • Conectiva Linux 6.0
  • Debian 3.x
  • FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 / 4.10
  • FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3
  • Fedora Core 1 / Core 2 / Core 3
  • Gentoo 1.4, 2004.0, 2004.1
  • Macintosh OS 10.3.4-10.3.8
  • Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 / 10.1
  • OpenBSD 3.4 / 3.5
  • Red Hat Linux 7.0-7.3 / 8 / 9
  • Red Hat Enterprise Linux 2.1 / 3.0
  • Slackware 9.0 / 9.1 / 10.0 / 10.1
  • SME 6.0
  • Solaris (SunOS)
  • SuSE 7.3 / 8.0-8.2 / 9.0-9.2
  • Ubuntu
  • Yellow Dog Linux 3.0 / 3.01

Confirmed to work also on:

  • CLFS
  • DaNix (Debian clone)
  • PCLinuxOS
  • VectorLinux SOHO 3.2 / 4.0
  • CPUBuilders Linux
  • Virtuozzo (VPS)

Download RKHunter v1.4.0

MaxiSoler

www.artssec.com @maxisoler