OS X Rootkit Hunter - 0.2: scans OS X for rootkits & other vulnerabilities
Feedback Summary (This Version):
| Overall Rating: | Not rated (0.0) | Features: | Not rated (0.0) | Support: | Not rated (0.0) |
| Ease of Use: | Not rated (0.0) | Quality / Stability: | Not rated (0.0) | Price: | Not rated (0.0) |
All Feedback: 1 - 10 of 10
It's a nice tool to have. - Version: 0.2, 1/18/2008 12:00AM PST
devnull7
For an updated reference and how to install, check out http://www.vinno.net/linux/server/how-to-install-root-kit-hunter
Probably good but I am lost - Version: 0.2, 1/12/2008 11:04PM PST
frank100
Simple enough to install and run but after that I am lost.
I can't even find the log file.
Soothing - Version: 0.1, 12/27/2006 02:30PM PST
(2 of 3 users found this comment useful)
King Pelvis
This is a free of charge, tiny download, easy to use, quickly self-working scanner. Best of all it lists all kinds of things that could have been wrong with my system and isn't, in a very soothing green color which makes me feel good although I don't actually know what any of those specific rootkits mentioned do.
It's like when the doctor looks at your test result and says, in a friendly voice, that you don't have Multiple Xynoixyosis.
Oh but Mac OS X is sooo Perfect and Secure, You won't need this!! - Version: 0.1, 8/21/2006 09:09PM PST
(1 of 19 users found this comment useful)
blueskymining
I have some nice dry land in New Orleans for sale too.
Nice so far - Version: 0.1, 8/18/2006 07:20AM PST
(5 of 5 users found this comment useful)
Ilgaz
It is a very nice thing to ship an OS X friendly GUI .app for such software with installer.
It is also free.
It just needs some bug reports from OS X users; there is some stuff it "misunderstands" which can be easily fixed via contacting author or www.rootkit.nl owner contact form.
For example it "thinks" I have sshd_config enabled allowing root access. Very alerting yes? :) Well, I hand checked the file, it is all full of "#" commenting meaning it is completely disabled (of course). Let's not forget that OS X root is DISABLED unless you take manual 3 steps ignoring all warnings.
I reported it to www.rootkit.nl coder. After a couple more reports, we will have an excellent and free security program.
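An added example, not part of the review above or of rkhunter: a shell check that reports which PermitRootLogin value is actually active in an sshd_config file, which is the question to settle when triaging the warning described above. When no uncommented directive exists the function prints "unset", and sshd then falls back to its compiled-in default, which was "yes" in OpenSSH releases before 7.0. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# effective_root_login FILE (hypothetical helper name)
# Prints the first active PermitRootLogin value in the global section of FILE,
# or "unset" when every occurrence is commented out or missing.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }        # comment lines are ignored by sshd
        /^[ \t]*$/ { next }        # blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            key = tolower(f[1])    # keywords are case-insensitive
        }
        key == "match" { exit }    # only the global section is examined
        key == "permitrootlogin" && n >= 2 { val = f[2]; found = 1; exit }
        END { print (found ? val : "unset") }
    ' "$1"
}

# root_login_verdict FILE (hypothetical helper name)
# Maps the active value to what it means for a scanner warning.
root_login_verdict() {
    case "$(effective_root_login "$1")" in
        no)    echo "denied" ;;
        unset) echo "default-applies" ;;   # depends on the installed sshd build
        *)     echo "permitted-or-restricted" ;;
    esac
}

# Constructed sample: every directive commented out, as in the review above.
sample_all_commented() {
    printf '%s\n' '#Port 22' '#PermitRootLogin yes' '#PasswordAuthentication yes'
}

demo_file=$(mktemp)
sample_all_commented > "$demo_file"
echo "all-commented sample: $(root_login_verdict "$demo_file")"
rm -f "$demo_file"
```

To settle the warning on a real system, run `root_login_verdict /etc/sshd_config` (adjust the path to where the installed sshd reads its configuration) and add an explicit `PermitRootLogin no` line if the result is not "denied".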
works on 10.3.9? - Version: 0.1, 8/17/2006 03:04PM PST
(3 of 3 users found this comment useful)
grikdog1
There are two ways to get this to work on 10.3.9 (Panther), where otherwise the app just hangs after launching two Terminal windows.
1) In Terminal, enter:
sudo /Applications/OSXrkhunter/bin/rkhunter --checkall
2) Run Pseudo, then drop Rootkit Hunter.app on it, then enter your admin password, then WHEN PROMPTED AGAIN enter your admin password redundantly.
The underlying utility, rkhunter, appears to be a white hat script that does its job properly -- in particular, it warns that Mac OS X is not completely supported.
1) The installed folder, with the app and all the subfolders, MUST be left in the Applications folder as is. DO NOT MOVE IT. Why? This is just a bare bones GUI of what is actually a CLI application that runs in the Terminal. In order to work it must be in exactly the location it expects to be in order for it to access all the files it requires when it runs. You also must NOT change the name of anything, including the folder for the app. It's UNIX stuff. It's annoying if you're not used to it.
2) When you run the app and hit the "start rootkit scan" button, the Terminal cranks up and Rootkit Hunter runs a script of stuff to check. You should get a Terminal window with a bunch of tests and results scrolling down. If you have any nasty stuff in your system, it will be listed in the Terminal window. You may well get some innocuous 'warning' listings. Unless you're a UNIX geek, don't worry about them. If you want to save the results you can Print them, from the File menu. I save my test results for everything in a "Reports" folder I keep in my Documents folder. I label what app created the results and the date.
3) When you Quit the app, you'll note that the Terminal window does NOT Quit, so you have to DIY.
4) There is a FAQ buried in the files inside the folder where the app is located. Go to:
/Applications/OSXrkhunter/share/doc/rkhunter-1.3.0/FAQ . It has some useful stuff about the application. Some of it is geek-speak, but some is of interest to others, including what to do if you get a positive result for a rootkit, lord forbid. There is also another README file buried in there as well. It is for intermediate users and above who want to know more detail or who want to join the rkhunter-users mailing list or visit the rkhunter SourceForge website.
Hope that helps!
:-Derek