Is there any significant difference between chkrootkit and rkhunter? Let me rephrase to clarify my question: Is there enough of a difference between the two programs to favor one over the other?
Yes. But before I get there I must remark they are both passive diagnostic tools that look for symptoms.

In short this means that their output can not be trusted on a system that is not properly hardened, audited, maintained. In case of doubt you'd better run audit tools from a Live CD distro like KNOPPIX-STD, HELIX or equivalent. With hardening I do not only mean 1) the regular steps you must take to protect your investment but also 2) installing a file integrity checker (right after OS install) like Aide, Samhain or tripwire and saving a copy of the binary, config and database off-site, preferably on read-only media. These can be used as authoritative means of verification if your audit tools or package manager fail or if your distro's package manager has weak or nonexistent verification functionality. And to top it off 3) running "preventive measures" (let's call it that for now) like SELinux or GRSecurity if possible. But enough of this.
In the scripted area there are only three applications: Chkrootkit (abbrev CRT), Rootkit Hunter (RKH), OSSEC Rootcheck (ORC) (and FindKit, but it is deprecated, see http://mirror.trouble-free.net/killall/findkit). Chkrootkit (CRT) has been around since approx. 2000 and was a natural evolution of another tool of the same developer. Rootkit Hunter (RKH) entered the arena a few years later. All are shell based, run on GNU/Linux, BSDs and other OSes, and CRT, RKH and ORC are more or less actively developed and maintained.
There are differences and some are more obvious (the amount of malicious tools detected) than others (maintainer stubbornness ;-p). For instance, for detecting ethernet device promiscuous mode CRT still relies on the deprecated "ifconfig" binary (I pointed it out to Nelson oh, two years ago) while RKH uses "ip" from the iproute2 package. On the other hand CRT has "chkproc" to try and detect the Adore LKM, but if you look at the code you'll see it isn't that hard to circumvent: just change one digit in Adore. RKH (CVS) uses the external "unhide" to try and detect hidden processes, which works well with Adore. CRT uses the unhide method of using setpriority() (but only after I pointed it out to Nelson, heh). ORC is much worse (last time I checked), trying to detect Adore simply by looking for a binary named "ava" (the Adore "interface") in two locations.
Leaving ORC out of the equation, here are some other methods CRT and RKH use for detecting rootkits:
- Hidden directories
- Hidden processes
- Wtmp/Utmp deletion
- Lastlog deletion
- Suspicious names and locations
- Trojan strings
- Process details
- Backdoor ports
- Network interface promiscuous mode
- Auth info (passwd/group, multiple root users)
- Extended attributes
- SysV and boot files
- Port scan (nmap, flawed: localhost)
- Open files (lsof)
- Common binary MD5sums
- Application versions and Apache conf+so's
- OpenSSH root login and SSHv1 protocol
- Running Syslog(-ng)
- Can scan prelinked binaries
- Hash blacklist
- Exclude common dotfiles and false positives
I hope this gives you an objective overview of some of the differences. Please conclude it's not a bad thing to run both of them, but running both of them can *not* be considered enough to make a box "safe" in any way.
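An added example, not code from chkrootkit, rkhunter or unhide, of the hidden-process cross-check the answer credits to unhide: probe every PID with getpriority(2), which needs no privilege, and report ids the kernel answers for but /proc never listed. It goes beyond the answer's one-line description by also collecting thread ids from /proc/<pid>/task (the kernel answers for TIDs too, so without this every thread would look hidden) and by re-checking hits to absorb the race with short-lived processes. Function names are my own.

```python
"""Cross-check kernel-visible task ids against /proc, in the spirit of
unhide's getpriority()/setpriority() probe that rkhunter calls out to.
Added example; not code from chkrootkit, rkhunter or unhide.

An LKM rootkit that filters /proc still leaves its process answering
getpriority(2) from the kernel side, so an id that is alive for the
kernel but absent from the /proc listing is worth a closer look."""
import os


def proc_visible_ids():
    """Every PID and thread id that /proc currently lists.
    Thread ids must be included: only /proc/<pid>/task/ shows them,
    but getpriority(2) succeeds for them just like for a PID."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited while we were scanning it
    return ids


def kernel_knows(pid):
    """True if the kernel has a task with this id, whatever /proc says.
    getpriority(2) needs no privilege and only fails with ESRCH."""
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except ProcessLookupError:
        return False


def find_hidden_pids(max_pid=None):
    """Ids the kernel knows but /proc never showed. Each hit is re-checked
    against a fresh /proc listing and the kernel again, so that tasks
    created or reaped during the (racy) scan are not reported."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = proc_visible_ids()
    candidates = [p for p in range(1, max_pid + 1)
                  if p not in before and kernel_knows(p)]
    after = proc_visible_ids()
    return [p for p in candidates if p not in after and kernel_knows(p)]


if __name__ == "__main__":
    print("hidden ids:", find_hidden_pids() or "none")
```

A full scan walks up to pid_max (often 4194304 on current kernels) and takes a few seconds; a hit still needs manual confirmation, e.g. with a second independent probe such as kill(pid, 0), since a task can legitimately live in a moment /proc missed.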