How to Check your Mac for Rootkits

While there are very few viruses that affect OS X, there are a number of rootkits that can compromise the security of your Mac. This tutorial will guide you through using OS X Rootkit Hunter to check your Mac for any rootkit related problems.

Start out by downloading OS X Rootkit Hunter. Open the .dmg file and run the installer.

Once it’s installed, navigate to Applications -> OSXrkhunter -> Rootkit Hunter and run it.

Click the start rootkit scan button.

You’ll be prompted to enter your password. Do so.

A Terminal window will open and Rootkit Hunter will start.

A bunch of text will fly by. You don't have to worry too much about reading it all (it will probably scroll too fast anyway); Rootkit Hunter writes a log file for you to review once the scan has completed.

When it’s done, press ctrl+c and then ctrl+d to close the Terminal window (skip the ctrl+d if you want to review the log file, since you’ll need an open Terminal window for that).

To review the log file, enter cd /tmp at the command prompt in a Terminal. Then issue the command cp rkhunter.log ~/Desktop, which copies the log file to your Desktop.

Double-click the rkhunter.log file that’s now on your Desktop.

Scroll to the bottom of the log, and review the System checks summary section. In particular, look for a line that states One or more warnings have been found while checking the system.

If that line exists, press ctrl+f to run a search, and search for the word warning. As seen in the screenshot below, there was a warning about a file on my system. The file in question (/usr/share/man/man5/.rhosts.5.gz) was in fact harmless. If you’re unsure whether a file is harmful, do a Google search on the file name and see if you can find pages that describe the file.
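As an added example (not part of the original post), the following shell script does the log review steps above for you: it counts the Warning lines, lists the file paths they name, and prints the System checks summary block. The log it contains is a constructed sample that mimics rkhunter's layout, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: pull the warnings and the
# summary block out of an rkhunter log instead of scrolling through it by hand.
# The log below is a constructed sample that mimics rkhunter's layout; real
# logs are far longer and wording can differ between rkhunter versions.

# Write the constructed sample log to stdout (redirect it to a file to test).
make_sample_log() {
  cat <<'EOF'
[12:00:01] Checking for hidden files and directories
[12:00:01]   Checking /usr/share/man/man5/.rhosts.5.gz            [ Warning ]
[12:00:01] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz
[12:00:02]   Checking /etc/hosts.equiv                              [ Not found ]
[12:00:05] System checks summary
[12:00:05] =====================
[12:00:05]     Rootkits checked : 200
[12:00:05]     Possible rootkits: 0
[12:00:05] One or more warnings have been found while checking the system.
EOF
}

# Number of individual "Warning:" lines (what ctrl+f on "warning" finds, minus
# the summary line). Prints 0 and exits cleanly when there are none.
count_warnings() {
  grep -c '^\[[0-9:]*\] Warning:' "$1" || true
}

# The file paths named in "Warning:" lines, deduplicated, so each flagged file
# can be looked up and compared against a known-good install one at a time.
flagged_paths() {
  grep '^\[[0-9:]*\] Warning:' "$1" | grep -o '/[^ ]*' | sort -u
}

# The "System checks summary" block that the post says to read first.
show_summary() {
  sed -n '/System checks summary/,$p' "$1"
}

# Usage: review_log ~/Desktop/rkhunter.log   (no argument = run on the sample)
review_log() {
  log="${1:-}"
  if [ -z "$log" ]; then log=$(mktemp); make_sample_log > "$log"; fi
  echo "Warnings found: $(count_warnings "$log")"
  echo "Flagged paths:"; flagged_paths "$log"
  echo; show_summary "$log"
}

if [ $# -gt 0 ]; then review_log "$1"; fi
```

Run it as `sh review-rkhunter.sh ~/Desktop/rkhunter.log` after copying the log as described above; each path it lists is a file to research, not proof of a compromise.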


Comments [14]

  1. Chris says:

    Interesting, thanks. How common are rootkit "infections" in OS X? I've never come across this before, but at the same time have never looked into it in any depth…

  2. Leann says:

    I downloaded this but could never even find the program on my Mac, so it didn't work for me.

  3. Ross McKillop says:

    Leann,

    It wasn't in the /Applications/OSXrkhunter/ folder? I just uninstalled it and then re-installed, and that's where it wound up again… (?)

  4. Leann says:

    No, I couldn't find it there. I don't know why. It's puzzling. I even restarted the computer and it still wasn't there.

  5. Rob says:

    Better is to install macports, then install checkrootkit from the command line:

    sudo port install chkrootkit

    which gives the same program, but then from a source known.

    Best,

    Rob

  6. sdf says:

    So how do I know this thing is not a root kit itself :)

  7. Ross McKillop says:

    sdf,

    You'll have to take the author's word for it. That, and the thousands of users :)

    If it was, it would be widely known as bad software.

  8. Paul says:

    Did anyone make progress with rootkit hunter? I couldn't find the program either??

  9. aaron says:

    I followed the instructions and the log file never appeared on the Desktop. Any suggestions?

  10. Danielle Massé says:

    Hello, I run the application and I have two questions.

    First: I get the message that the command properties text is not supported. Does this mean the results of the scan are not accurate?

    Second: I got two suspect applications, but which one? How do I find out?

    Thanks

  11. Joe says:

    How can we be sure, this magnificent program is not going to open a hole in our systems or be itself a rootkit?

  12. Joe says:

    Of course, once you go mac, you never go back… you go forward to Linux ;)

  13. Mauricio says:

    Usage

    -----

    To run Geany just type

    $ geany

    on a console or use the applications menu from your desktop environment.

    There are a few command line options. See the manual page of Geany or run

    $ geany --help

    for details. Or look into the documentation in the doc/ directory.

    The most important option probably is -c or --config, where you can

    specify an alternate configuration directory.

  14. Jon says:

    So after I google the file name to see if it’s malignant, how do I get rid of it? (I haven’t used this, I’m inquiring for a friend)
