Thursday, June 05, 2008

Installing Rootkit Hunter on CentOS 5


Actually, it is pretty much the same for any other Linux.
Download it, untar it, cd into it, and then:
[root@webs10 rkhunter-1.3.2]# ./installer.sh --layout default --install
Checking system for:
Rootkit Hunter installer files: found. OK
Available file retrieval tools:
wget: found. OK
Starting installation/update

Checking PREFIX /usr/local: exists, and is writable. OK
Checking installation directories:
Directory /usr/local/share/doc/rkhunter-1.3.2: creating: OK.
Directory /usr/local/share/man/man8: exists, and is writable. OK
Directory /etc: exists, and is writable. OK
Directory /usr/local/bin: exists, and is writable. OK
Directory /usr/local/lib: exists, and is writable. OK
Directory /var/lib: exists, and is writable. OK
Directory /usr/local/lib/rkhunter/scripts: creating: OK.
Directory /var/lib/rkhunter/db: creating: OK.
Directory /var/lib/rkhunter/tmp: creating: OK.
Directory /var/lib/rkhunter/db/i18n: creating: OK.
Installing check_modules.pl: OK.
Installing check_update.sh: OK.
Installing check_port.pl: OK.
Installing filehashmd5.pl: OK.
Installing filehashsha1.pl: OK.
Installing showfiles.pl: OK.
Installing stat.pl: OK.
Installing readlink.sh: OK.
Installing backdoorports.dat: OK.
Installing mirrors.dat: OK.
Installing os.dat: OK.
Installing programs_bad.dat: OK.
Installing programs_good.dat: OK.
Installing defaulthashes.dat: OK.
Installing md5blacklist.dat: OK.
Installing suspscan.dat: OK.
Installing rkhunter.8: OK.
Installing ACKNOWLEDGMENTS: OK.
Installing CHANGELOG: OK.
Installing FAQ: OK.
Installing LICENSE: OK.
Installing README: OK.
Installing WISHLIST: OK.
Installing language support files: OK.
Installing rkhunter: OK.
Installing rkhunter.conf: OK.
Installation finished.


After installing it, the first thing you have to do is update it:

[root@webs10 rkhunter-1.3.2]# rkhunter --update


Now you have to edit the Rootkit Hunter config file (on newer Rootkit Hunter versions it is /etc/rkhunter.conf; on older ones, /usr/local/etc/rkhunter.conf) so that it uses the package manager of your Linux distro. For Red Hat-style distros, use:

PKGMGR=RPM


Now you must create the rkhunter.dat file. This is very important: create this file only if you know for a fact that the box you are installing Rootkit Hunter on has not been compromised.

[root@webs10 rkhunter-1.3.2]# rkhunter --propupd


You can now test it, like this:

[root@webs10 rkhunter-1.3.2]# rkhunter -c


Then, when you are through playing with it, create a shell script like the one below so you can invoke it from a cronjob. It will send an email to the root account on the server if problems arise when it is executed (root's emails are forwarded, right?):

#!/bin/sh
# Refresh the rkhunter databases first, then run the check at low priority
# and mail the warnings (if any) to root.

/usr/local/bin/rkhunter --update
/bin/nice -n +19 /usr/local/bin/rkhunter --cronjob --report-warnings-only --createlogfile | /bin/mail -s "RKH daily run `/bin/hostname`" root

# EoF #


Then, make it executable:

chmod 0700 /path/to/script/script.sh


If you get an email with a message like this:

Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)


You can actually add that file to the Rootkit Hunter config file, so you won't get that same notification via email every day (of course, make sure it is a legitimate file and not a report that your server got 0wned :p ).

ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
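As an added example (not the post's own script), here is a fuller version of the cron wrapper above that only mails root when the report actually contains warnings, and that turns the hidden-file warnings into candidate ALLOWHIDDENFILE= / ALLOWHIDDENDIR= lines so each path can be checked (for instance with rpm -qf) before it is whitelisted. The rkhunter path is the one used in the post; the sample report is constructed from the warning text shown above.

```shell
#!/bin/sh
# Added example, not from the original post: cron wrapper for rkhunter that
# mails root only when warnings were reported, and appends proposed
# ALLOWHIDDENFILE= / ALLOWHIDDENDIR= lines for /etc/rkhunter.conf so each
# path can be verified before it is whitelisted.

RKHUNTER=/usr/local/bin/rkhunter   # install path used in the post

# Exit 0 if the rkhunter report on stdin contains at least one warning line.
report_has_warnings() {
    grep -q '^Warning:'
}

# Turn "Warning: Hidden file/directory found: <path>[: description]" lines
# from stdin into rkhunter.conf whitelist lines. These are proposals only.
suggest_hidden_whitelist() {
    sed -n \
        -e 's/^Warning: Hidden file found: \([^:]*\).*$/ALLOWHIDDENFILE=\1/p' \
        -e 's/^Warning: Hidden directory found: \([^:]*\).*$/ALLOWHIDDENDIR=\1/p'
}

# Daily run: refresh the databases, scan, and mail only if something was found.
run_daily_check() {
    report=$(mktemp /tmp/rkh.XXXXXX) || exit 1
    "$RKHUNTER" --update >/dev/null 2>&1
    /bin/nice -n 19 "$RKHUNTER" --cronjob --report-warnings-only \
        --createlogfile >"$report" 2>&1
    if report_has_warnings <"$report"; then
        {
            cat "$report"
            echo
            echo "Candidate whitelist lines (verify each path before adding):"
            suggest_hidden_whitelist <"$report"
        } | /bin/mail -s "RKH daily run `/bin/hostname`" root
    fi
    rm -f "$report"
}

# Constructed sample report (the first warning is the one shown in the post).
SAMPLE_REPORT='Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden directory found: /etc/.java
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)'

case "${1:-}" in
    --run)  run_daily_check ;;                                          # cron entry
    --demo) printf '%s\n' "$SAMPLE_REPORT" | suggest_hidden_whitelist ;;  # offline demo
esac
```

Invoke it from cron with the --run argument; --demo prints the whitelist lines derived from the constructed sample without touching rkhunter.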

