[opensuse] rkhunter related question
I'm getting the following warnings from rkhunter. I know you can whitelist them, etc. My question is: how does the everyday user know if the command script found is a valid warning or a valid change that should be whitelisted? Thanks for any help.
--
Russ
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Sunday, 2009-01-25 at 18:55 -0800, Russ Fineman wrote:

> I'm getting the following warnings from rkhunter. I know you can whitelist them, etc. My question is: how does the everyday user know if the command script found is a valid warning or a valid change that should be whitelisted?

I think you forgot to post the warning you got.

--
Cheers,
Carlos E. R.
On Sunday 25 January 2009 06:55:39 pm Russ Fineman wrote:

> I'm getting the following warnings from rkhunter. I know you can whitelist them, etc. My question is: how does the everyday user know if the command script found is a valid warning or a valid change that should be whitelisted?
> Thanks for any help.
> --
> Russ

Forgot to attach messages:

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
[11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
Warning: Suspicious file types found in /dev:
[11:24:41] /dev/shm/sysconfig/ifup-eth0: ASCII text
[11:24:41] /dev/shm/sysconfig/if-eth0: ASCII text
[11:24:41] /dev/shm/sysconfig/ifup-lo: ASCII text
[11:24:41] /dev/shm/sysconfig/if-lo: ASCII text
[11:24:41] /dev/shm/sysconfig/network: ASCII text
[11:24:42] /dev/shm/sysconfig/config-lo: ASCII text
[11:24:42] /dev/shm/sysconfig/config-eth0: ASCII text
[11:24:42] /dev/shm/sysconfig/new-stamp-2: ASCII text
[11:24:42] Checking for hidden files and directories [ Warning ]
[11:24:42] Warning: Hidden directory found: /dev/.udev

--
Russ
> Forgot to attach messages:
>
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
> Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
> [11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
> Warning: Suspicious file types found in /dev:
> [11:24:41] /dev/shm/sysconfig/ifup-eth0: ASCII text
> [11:24:41] /dev/shm/sysconfig/if-eth0: ASCII text
> [...]
> [11:24:42] Checking for hidden files and directories [ Warning ]
> [11:24:42] Warning: Hidden directory found: /dev/.udev

Nothing wrong there, move along :)

--
"We have art in order not to die of the truth" - Friedrich Nietzsche
Cristian Rodríguez R.
Software Developer
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
On Sunday, 2009-01-25 at 19:19 -0800, Russ Fineman wrote:

> Forgot to attach messages:
>
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text

It's not been replaced, it is a script. You can check the original file on the rpm from the dvd - for instance, on 11.1:

/mnt/dvd/suse/i686/glibc-2.9-2.3.i686.rpm#rpm/CONTENTS.cpio#ucpio/usr/bin

> Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text

Same thing.

> [11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text

Same thing.

> Warning: Suspicious file types found in /dev:
> [11:24:41] /dev/shm/sysconfig/ifup-eth0: ASCII text
> [11:24:41] /dev/shm/sysconfig/if-eth0: ASCII text

My guess is that rkhunter is seriously flawed if it can not recognize normal files on a suse install. Furthermore, it should know when something has been replaced or has always been a certain way. :-/

--
Cheers,
Carlos E. R.
* Russ Fineman <russbucket@nwi.net> [01-25-09 22:31]:

> On Sunday 25 January 2009 06:55:39 pm Russ Fineman wrote:
>
> > I'm getting the following warnings from rkhunter. I know you can whitelist them, etc. My question is: how does the everyday user know if the command script found is a valid warning or a valid change that should be whitelisted?
>
> Forgot to attach messages:
>
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
> Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
> [11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
> Warning: Suspicious file types found in /dev:
> [11:24:41] /dev/shm/sysconfig/ifup-eth0: ASCII text
> [11:24:41] /dev/shm/sysconfig/if-eth0: ASCII text
> [...]
> [11:24:42] Checking for hidden files and directories [ Warning ]
> [11:24:42] Warning: Hidden directory found: /dev/.udev

rkhunter is not SUSE'fied; it does not appreciate the openSUSE file locations. /sbin/chkconfig has not been "replaced by a script" but has been a script on SuSE/openSUSE for many distributions, as has ldd, and so have the "ASCII text" files below /dev/shm/sysconfig, etc., etc., etc. So, you may whitelist them, but then, if a rootkit did change one of them, you would not know. But rkhunter will not tell you either way on an openSUSE box :^(.

--
Patrick Shanahan
Plainfield, Indiana, USA
HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
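The two replies above give the practitioner's answer to Russ's question: a flagged file is only worth whitelisting once you have checked it against something the running system cannot lie about (the package that owns it, or the package on the install DVD). The script below is an added example and is not code from the thread or from the rkhunter project. It parses the warning lines Russ posted (the sample log is constructed from them, with timestamps filled in), turns each one into the rkhunter.conf directive that would silence it (SCRIPTWHITELIST, ALLOWDEVFILE, ALLOWHIDDENDIR), and, where `rpm` is present, classifies the path with `rpm -qf` and `rpm -V` so the user can see whether the file is packaged and unmodified, packaged but changed, or not packaged at all. The directive names are those of rkhunter's configuration file; the log line shapes are assumed to match the ones quoted in this thread.

```shell
#!/bin/sh
# Triage rkhunter warnings against the RPM database before whitelisting them.
# Added example for this thread; not part of rkhunter.

# Constructed sample built from the warnings quoted in the thread (not a real log).
SAMPLE_LOG=$(cat <<'EOF'
[11:23:30] Checking for prerequisites                          [ OK ]
[11:23:36] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
[11:23:37] Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
[11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
[11:24:41] Warning: Suspicious file types found in /dev:
[11:24:41]          /dev/shm/sysconfig/ifup-eth0: ASCII text
[11:24:41]          /dev/shm/sysconfig/if-eth0: ASCII text
[11:24:41]          /dev/shm/sysconfig/network: ASCII text
[11:24:42]          /dev/shm/sysconfig/new-stamp-2: ASCII text
[11:24:42] Checking for hidden files and directories               [ Warning ]
[11:24:42] Warning: Hidden directory found: /dev/.udev
EOF
)

# Read rkhunter log lines on stdin; print one "DIRECTIVE=/path" line per warning,
# using the rkhunter.conf directive that would whitelist that finding.
flagged_paths() {
    awk -F"'" '
        # "The command '"'"'/usr/bin/ldd'"'"' has been replaced by a script" -> path is field 2
        /has been replaced by a script:/ { print "SCRIPTWHITELIST=" $2; next }
        # the /dev listing follows its header line until the next Warning/Checking line
        /Suspicious file types found in \/dev/ { indev = 1; next }
        /Hidden directory found:/ {
            sub(/.*Hidden directory found: */, ""); sub(/: .*/, "")
            print "ALLOWHIDDENDIR=" $0; next
        }
        /Warning:|Checking/ { indev = 0 }
        indev {
            n = split($0, f, /[ \t]+/)
            if (n >= 2 && f[2] ~ /^\/dev\//) { sub(/:$/, "", f[2]); print "ALLOWDEVFILE=" f[2] }
        }
    '
}

# Classify one path against the RPM database. Prints one of:
#   no-rpm                    rpm is not available on this host
#   unpackaged                no package owns the file (generated at runtime, or planted)
#   packaged-ok (pkg)         owned by pkg and rpm -V reports no change
#   packaged-modified (pkg)   owned by pkg but rpm -V reports a difference
rpm_status() {
    p=$1
    command -v rpm >/dev/null 2>&1 || { echo no-rpm; return; }
    pkg=$(rpm -qf "$p" 2>/dev/null) || { echo unpackaged; return; }
    # rpm -V prints only files that differ from the package; the path is the last field.
    if rpm -V $pkg 2>/dev/null | awk -v f="$p" '$NF == f { found = 1 } END { exit !found }'; then
        echo "packaged-modified ($pkg)"
    else
        echo "packaged-ok ($pkg)"
    fi
}

# Print each candidate whitelist directive with the verdict the user should read
# before copying it into /etc/rkhunter.conf.
triage() {
    flagged_paths | while IFS='=' read -r key p; do
        printf '%s=%s\t# %s\n' "$key" "$p" "$(rpm_status "$p")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | triage
```

Run it as `sh triage.sh`, or replace the constructed sample with `triage < /var/log/rkhunter.log`. The rule of thumb: only copy a `packaged-ok` directive into rkhunter.conf; a `packaged-modified` verdict on a binary like ldd is exactly the case Patrick warns about and needs a look at `rpm -V` output; `unpackaged` under /dev/shm is normal for files a boot script writes at runtime, but you should be able to name the script that writes them. Because a rootkit that controls the host can also subvert `rpm` and its database, the stronger form of Carlos's check is `rpm -Vp /mnt/dvd/suse/i686/glibc-2.9-2.3.i686.rpm` against the package file on read-only install media rather than against the installed database.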
Russ Fineman wrote:

> On Sunday 25 January 2009 06:55:39 pm Russ Fineman wrote:
>
> > I'm getting the following warnings from rkhunter. I know you can whitelist them, etc. My question is: how does the everyday user know if the command script found is a valid warning or a valid change that should be whitelisted?
> > Thanks for any help.
> > --
> > Russ
>
> Forgot to attach messages:
>
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
> Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
> [11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
> Warning: Suspicious file types found in /dev:
> [11:24:41] /dev/shm/sysconfig/ifup-eth0: ASCII text
> [11:24:41] /dev/shm/sysconfig/if-eth0: ASCII text
> [...]
> [11:24:42] Checking for hidden files and directories [ Warning ]
> [11:24:42] Warning: Hidden directory found: /dev/.udev

Thanks, I'll add the check method to my list of tech tips I keep. Patrick mentioned that rootkit will not detect some of these problems. Is there another program you would recommend instead of rkhunter, or to supplement it? Thanks to all who responded.
participants (5)
- Carlos E. R.
- Cristian Rodríguez
- Patrick Shanahan
- Russ Fineman
- upscope