Warning: RH-Sharpe’s Rootkit

Problem: You ran rkhunter -c on your CentOS powered web server and it found something called “RH-Sharpe’s Rootkit”.

I was cleaning up a minor infection on a WordPress site that wordfence identified. (The irony is not lost on me.) Once I’d verified all the files in wordpress and checked logs to see if the files had been accessed, I also ran clamav and rkhunter just to make sure. rkhunter alerted me to something called “RH-Sharpe’s Rootkit”. 💩 💩 💩

keep calm and check the logs
Always good advice.

rkhunter logs are usually found at “/var/log/rkhunter/rkhunter.log”.
It offers more detail on why a specific alert was generated.

 ....
 [08:15:25] Checking for RH-Sharpe's Rootkit…
 [08:15:25]   Checking for file '/bin/lps'                    [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/lpstree'            [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/ltop'               [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/lkillall'           [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/ldu'                [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/lnetstat'           [ Not found ]
 [08:15:25]   Checking for file '/usr/bin/wp'                 [ Found ]
 [08:15:26]   Checking for file '/usr/bin/shad'               [ Not found ]
 [08:15:26]   Checking for file '/usr/bin/vadim'              [ Not found ]
 [08:15:26]   Checking for file '/usr/bin/slice'              [ Not found ]
 [08:15:26]   Checking for file '/usr/bin/cleaner'            [ Not found ]
 [08:15:26]   Checking for file '/usr/include/rpcsvc/du'      [ Not found ]
 [08:15:26] Warning: RH-Sharpe's Rootkit                      [ Warning ]
 [08:15:26]          File '/usr/bin/wp' found
....

So in this case; it alerted because it found an executable called “wp”. If your a wordpress user; stand down. This is the wordpress command line tool.
It’s a text file. Have a look at it and make sure, but it’s like not something to freak out about.

When I googled for this error; almost nothing came up except for this. Appears “/usr/bin/slice” is also an often found trigger for this warning.

Hopefully this will be useful to the next person who googles for this term mid-panic as I did earlier today.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.