
How to check your Mac for Rootkits

November 27, 2008 by Ross McKillop 

While there are very few viruses that affect OS X, there are a number of rootkits that can compromise the security of your Mac. This tutorial will guide you through using OS X Rootkit Hunter to check your Mac for any rootkit related problems.

  1. Start out by downloading OS X Rootkit Hunter. Open the .dmg file and run the installer.
  2. Once it’s installed, navigate to Applications -> OSXrkhunter -> Rootkit Hunter and run it.
  3. Click the start rootkit scan button.
  4. You’ll be prompted to enter your password. Do so.
  5. A Terminal window will open and Rootkit Hunter will start.
  6. A lot of text will fly by. You don’t have to worry too much about reading it all (it will probably scroll too fast anyway); Rootkit Hunter writes a log file for you to review once the scan has completed.
  7. When it’s done, press ctrl+c and then ctrl+d to close the Terminal window. If you want to review the log file, skip the ctrl+d, since you’ll need an open Terminal window for the next step.
  8. To review the log file, at the command prompt in a Terminal enter cd /tmp. Then issue the command cp rkhunter.log ~/Desktop, which copies the log file to your Desktop.
  9. Double-click the rkhunter.log file that’s now on your Desktop.
  10. Scroll to the bottom of the log and review the System checks summary section. In particular, look for a line that states One or more warnings have been found while checking the system.
  11. If that line exists, press ctrl+f to run a search and search for the word warning. As seen in the screenshot below, there was a warning about a file on my system. The file in question (/usr/share/man/man5/.rhosts.5.gz) was in fact harmless. If you’re unsure whether a file is harmful, do a Google search on the file name and see if you can find pages that describe the file.
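As an added example that is not part of the original post, the following POSIX shell script automates the log-review steps above: it pulls out the System checks summary section and the individual Warning lines from an rkhunter log such as /tmp/rkhunter.log, so you do not have to scroll through the whole file. The sample log it writes is constructed for illustration; only the summary sentence quoted above comes from the page, and the timestamped "[hh:mm:ss] Warning: ..." line format is an assumption about how rkhunter writes its log.

```shell
#!/bin/sh
# Added example (not from the original post): review an rkhunter log from the shell.
# Usage: rkhunter_summary /tmp/rkhunter.log ; rkhunter_warnings /tmp/rkhunter.log

# Print the "System checks summary" section, i.e. everything from that heading
# to the end of the log (the part the tutorial tells you to scroll down to).
rkhunter_summary() {
    sed -n '/System checks summary/,$p' "$1"
}

# Return success (0) if the summary says warnings were found, failure (1) otherwise.
# The sentence is the one quoted in the tutorial.
rkhunter_has_warnings() {
    grep -q 'One or more warnings have been found while checking the system' "$1"
}

# Print every line mentioning "warning" (case-insensitive), the same thing the
# tutorial's ctrl+f search does.
rkhunter_warnings() {
    grep -i 'warning' "$1"
}

# Count only the per-check "Warning:" lines, excluding check headers and the
# summary sentence. The "[hh:mm:ss] Warning:" prefix is an assumed line format.
rkhunter_warning_count() {
    grep -c '^\[[0-9:]*\] Warning:' "$1" || true
}

# Write a constructed sample log (not a real rkhunter run) to the given path.
# It reproduces the hidden-file warning discussed in the tutorial.
make_sample_log() {
    cat > "$1" <<'EOF'
[12:00:01] Checking for hidden files and directories     [ Warning ]
[12:00:01] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data
[12:00:02] Checking for rootkits                          [ OK ]
[12:00:03] System checks summary
[12:00:03] =====================
[12:00:03] One or more warnings have been found while checking the system.
[12:00:03] Please check the log file (/tmp/rkhunter.log)
EOF
}

# Demo on the constructed sample log; replace $sample with /tmp/rkhunter.log
# to run it against a real scan.
sample=$(mktemp)
make_sample_log "$sample"
rkhunter_summary "$sample"
if rkhunter_has_warnings "$sample"; then
    echo "Warnings found ($(rkhunter_warning_count "$sample")), details:"
    rkhunter_warnings "$sample"
fi
rm -f "$sample"
```

A non-zero count is a prompt to investigate each flagged path, not proof of compromise: as the tutorial's own .rhosts.5.gz example shows, a hidden file in a man-page directory can be perfectly harmless.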


Comments

7 Responses to “How to check your Mac for Rootkits”

  1. Chris on November 27th, 2008 4:00 am

    Interesting, thanks. How common are rootkit “infections” in OS X? I’ve never come across this before, but at the same time have never looked into it in any depth…

  2. Leann on November 27th, 2008 1:58 pm

    I downloaded this but could never even find the program on my Mac, so it didn’t work for me.

  3. Ross McKillop on November 27th, 2008 3:46 pm

    Leann,

    It wasn’t in the /Applications/OSXrkhunter/ folder? I just uninstalled it and then re-installed, and that’s where it wound up again… (?)

  4. Leann on November 27th, 2008 4:44 pm

    No, I couldn’t find it there. I don’t know why. It’s puzzling. I even restarted the computer and it still wasn’t there.

  5. Rob on March 1st, 2009 4:23 pm

    Better is to install macports, then install checkrootkit from the command line:

    sudo port install chkrootkit

    which gives the same program, but then from a known source.

    Best,

    Rob

  6. sdf on June 6th, 2009 2:06 am

    So how do I know this thing is not a root kit itself :)

  7. Ross McKillop on June 6th, 2009 5:42 am

    sdf,

    You’ll have to take the author’s word for it. That, and the thousands of users :)

    If it was, it would be widely known as bad software.
