Manual Reference Pages  -  REVEALRK (1)

NAME

revealrk - host based intrusion detection

CONTENTS

Synopsis
Description
Options
Return Value
Warnings
Interoperability
Examples
Files
Reporting Bugs
See Also

SYNOPSIS

revealrk [options] [+/-tests]

DESCRIPTION

revealrk tries to detect running rootkits. It is fast and silent and can be used out of cron or similar services.

OPTIONS

-b Force brute-force tests even if previous tests found hidden PID(s). The brute force tests are skipped by default if the system is already identified as compromised.
-c num Set the maximum number of double checks for suspicious PID(s). The lower the number, the more false positives you get. If you use 0, then the highest possible integer value is used. It stops automatically after no changes were found between two runs. On low load systems even -c 1000 will just use two rounds.
-f Search for process name fakes more sensitively. This will increase the rate of false positives! This option can be given multiple times.
--fake-hidden
  If used revealrk will output itself as hidden. Most useful in combination with -s to see syslog output.
-h Print help text on stdout with all options and exit.
-l List all tests and exit. Tests with a leading + are activated, with - are disabled and _ are unavailable.
-m num Manually set maximum pids to given number and disable auto detect.
-o Omit the signature check.
-p Set process priority to maximum (nice -20).
-q Do not print any messages to stdout. Useful in combination with -s.
-r System uses random PIDs, more brute force forking is needed. This option can be given multiple times.
-s Log result also to syslog. See -q to suppress output on stdout.
-T secs Set timeout to given number of seconds. This timeout is used for the entire run of revealrk and is disabled by default (see -t).
-t secs Set timeout between checks to given number of seconds. This timeout is used by default to kill hanging revealrk processes or to identify systems where it takes too much time to complete the check. You can’t mix -t with -T, but you can disable the timeout by using 0 seconds.
-v Verbose output. This option can be given multiple times.
-w file Write output to file instead of stdout.
-V Print revealrk version and exit.

RETURN VALUE

Returns

0       all ok, nothing found
1-99    number of hidden processes found
100     more than 99 hidden processes found
101     initializing errors
102     can’t open /proc
103     out of memory
104     null pointer to bitmap
105     calling ps command failed
106     fork errors
107     found higher pid number than maxpid
108     timed out

WARNINGS

Don’t expect to find every rootkit with revealrk. So getting an OK doesn’t mean your system is clean.

You may see false positives in some rare cases of zombies. You can avoid this by using -z option.

The brute force tests may cause false positives, too, especially on systems with fast forking processes. Random pids like on OpenBSD are also a source for false positives. You may reduce that by adding one or more -r options, which will slow down the entire check, or by using -c 0.

INTEROPERABILITY

You can compile revealrk on systems other than Linux, but some tests aren’t available on every system. You can check that by calling revealrk with the -l option.

EXAMPLES

revealrk
  Basic call, will do the job in most cases.

revealrk -vv
  Increase verbosity for interactive calls.

revealrk -p -q -rr -s -t 900
  Run with highest priority, write messages to syslog instead of stdout, do two more brute force cycles to reduce false positives and increase timeout.

revealrk -vfork -pthread +fake_name
  Disable brute force tests, but search for process name fakers. Fake process name detection will produce a lot of false positives, but you may find processes running in user space of compromised accounts.
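When revealrk runs out of cron, its exit status (see RETURN VALUE) is the only result the scheduler sees. The following sh wrapper is an added example, not part of RevealRK, that maps the documented return values to a verdict and exits 0, 1 or 2 so a cron job or monitoring check can act on it; the REVEALRK variable and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of RevealRK): cron wrapper around revealrk.
# REVEALRK defaults to the "revealrk" binary in PATH; it is an assumption
# of this example and can be overridden for testing.
REVEALRK="${REVEALRK:-revealrk}"

# classify_status STATUS
#   prints "ok", "hidden:N", "hidden:99+" or "error:<reason>" based on the
#   exit codes documented in the man page, and returns
#   0 = nothing found, 1 = hidden processes found, 2 = scan error.
classify_status() {
    case "${1:-}" in
        0)   echo "ok";             return 0 ;;
        100) echo "hidden:99+";     return 1 ;;
        101) echo "error:init";     return 2 ;;
        102) echo "error:proc";     return 2 ;;
        103) echo "error:oom";      return 2 ;;
        104) echo "error:bitmap";   return 2 ;;
        105) echo "error:ps";       return 2 ;;
        106) echo "error:fork";     return 2 ;;
        107) echo "error:maxpid";   return 2 ;;
        108) echo "error:timeout";  return 2 ;;
        *)
            # 1-99 is the count of hidden processes; anything else
            # (e.g. 127 when the binary is missing) is treated as an error.
            if [ "${1:-}" -ge 1 ] 2>/dev/null && [ "$1" -le 99 ]; then
                echo "hidden:$1"; return 1
            fi
            echo "error:unknown(${1:-})"; return 2 ;;
    esac
}

# run_scan: silent scan suitable for cron. -q suppresses stdout, -s logs
# the result to syslog, -t 900 sets the per-check timeout as in EXAMPLES.
# Prints the verdict and returns the classification code.
run_scan() {
    "$REVEALRK" -q -s -t 900
    classify_status $?
}

# Only scan when explicitly asked, so sourcing this file is side-effect free.
case "${1:-}" in
    --run) run_scan; exit $? ;;
esac
```

Install as a cron job with `wrapper.sh --run`; a non-zero exit then reaches cron's mail or the monitoring system, with exit 1 meaning hidden processes and exit 2 meaning the scan itself failed.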

FILES

RevealRK doesn’t use any configuration files.

REPORTING BUGS

Report revealrk bugs to Juergen.Kahnert@DESY.de

SEE ALSO

unhide(1), rkhunter(1), chkrootkit(1)

Reveal RootKit 1.0 REVEALRK (1) 2012-12-13
