Re: [SLE] rkhunter-1.1.7-1.ps.noarch.rpm available
rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm

Support was added for ADM Worm, MzOzD backdoor, and spwn backdoor. New tests include a LKM filename check and a passwordless user account test. The inetd.conf test was extended. The application version list was updated, and its layout was improved. A bug in the installer has been fixed.

Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.

* 1.1.7 (29/08/2004)
New:
- Added support for ADM Worm
- Added support for MzOzD and spwn backdoor
- Added LKM filename check (experimental)
- Added passwordless user account test
Changes:
- Updated Mandrake 9.2 hashes. Thanks to Eric Gerbier
- Updated application version list
- Extended inetd.conf test (searches for shells)
- Added total of vulnerable applications at report, if application scan was performed.
Bugfixes:
- Fixed a major bug in the installer when you install version 1.1.5 or newer. The sample configuration won't be copied and, due to that, the --update function won't work.

--
Patrick Shanahan
Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/photos
On Sunday 29 August 2004 10:00 am, Patrick Shanahan wrote:
rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm
OK, seems like a great idea to me. Been meaning to do this for quite awhile. Downloaded it and ran it. Gave me a bunch of stuff to look at. Identified problems below. No rootkits thank goodness. Now, some of it is obvious, don't run Apache, or ssh, etc. But what do I do about the other stuff that came up? Stuff that I should probably be investigating. Couldn't find the logfile.

Now Patrick, be nice! Read the man page from top to bottom, several times. Just some old guy running SuSE 8.2 as his desktop and having a lot of fun doing it. No formal training or experience whatsoever. Learning "on the fly" as they might say.

Here is the error portion from rkhunter:

/sbin/checkproc [ BAD ]
/sbin/depmod [ BAD ]
/sbin/insmod [ BAD ]
/sbin/modinfo [ BAD ]
/sbin/modprobe [ BAD ]
/sbin/rmmod [ BAD ]

Checking /etc/rc.d/rc.sysinit [ Not found ]
Checking boot.local/rc.local file...
- /etc/rc.local [ Not found ]
- /etc/rc.d/rc.local [ Not found ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]

* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!

MD5 compared: 26
Incorrect MD5 checksums: 6

File scan
Scanned files: 320
Possible infected files: 0

Application scan
Vulnerable applications: 2

Scanning took 482 seconds

ttttttt...ththth...that's all folks!!!!

Bob S.
* Bob S.
On Sunday 29 August 2004 10:00 am, Patrick Shanahan wrote:
rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm
OK, seems like a great idea to me. Been meaning to do this for quite awhile. Downloaded it and ran it. Gave me a bunch of stuff to look at. Identified problems below. No rootkits thank goodness. Now, some of it is obvious, don't run Apache, or ssh, etc. But what do I do about the other stuff that came up? Stuff that I should probably be investigating. Couldn't find the logfile.
/var/log/rkhunter.log
Now Patrick, be nice! Read the man page from top to bottom, several times. Just some old guy running SuSE 8.2 as his desktop and having a lot of fun doing it. No formal training or experience whatsoever. Learning "on the fly" as they might say.
then we have parity, 63, retired, high school grad, computer hobby, training - IBM KeyPunch operation 1965 (for knowledge only, never used)
Here is the error portion from rkhunter:
/sbin/checkproc [ BAD ]
/sbin/depmod [ BAD ]
/sbin/insmod [ BAD ]
/sbin/modinfo [ BAD ]
/sbin/modprobe [ BAD ]
/sbin/rmmod [ BAD ]
I do not know about these (above). I have forwarded a copy of your post to the author for comment and will provide a copy to you via the list when he responds unless he posts his response to the list.
Checking /etc/rc.d/rc.sysinit [ Not found ]
Checking boot.local/rc.local file...
- /etc/rc.local [ Not found ]
- /etc/rc.d/rc.local [ Not found ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
[ Not found ] = don't exist, no worry (rkhunter works on other distro's which use[d] these files)
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
this is a false pos, if you look in sshd_config (you said you didn't use ssh), you will find the line '#PermitRootLogin yes' which is commented out. The author has been advised of this by me:
/etc/ssh/sshd_config
#Protocol 2,1
#PermitRootLogin yes
I do not understand the warning/notice ??
Ah, it's because you have both lines in it.. And I have to check a lot of different OpenSSH configs... Please remove the lines and it will be OK. Nevertheless, I will add it to my ToDo list ;-)
MD5 compared: 26
Incorrect MD5 checksums: 6
File scan
Scanned files: 320
Possible infected files: 0
Application scan
Vulnerable applications: 2
Scanning took 482 seconds
NOTE: Your report appears to be from an *old* version of rkhunter. Which version are you using? Later versions have corrections and updated parameters.

--
Patrick Shanahan
Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/photos
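The root-login warning above hinges on how a checker reads sshd_config. The following is an added example, not rkhunter's own code: it reports the effective PermitRootLogin value while ignoring commented-out directives such as the "#PermitRootLogin yes" quoted in the thread. It assumes OpenSSH semantics where the first uncommented directive wins and, when no directive is present at all, sshd falls back to its built-in default, which in OpenSSH releases of that period was "yes".

```shell
#!/bin/sh
# Added example (not rkhunter's code): evaluate PermitRootLogin the way
# sshd does, so a commented-out "#PermitRootLogin yes" is not mistaken
# for an active directive. Assumption: with no uncommented directive the
# default is "yes", as in OpenSSH releases of the thread's era.

# permit_root_login < sshd_config
# Prints the value of the first uncommented PermitRootLogin directive
# (lower-cased), or "yes (default)" when the file has none.
permit_root_login() {
    val=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' |
          awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    if [ -n "$val" ]; then echo "$val"; else echo "yes (default)"; fi
}

# root_login_possible < sshd_config
# Returns 0 when root can log in at all: "yes", "without-password" and
# "forced-commands-only" all allow it; only an explicit "no" does not.
root_login_possible() {
    case "$(permit_root_login)" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample mirroring the config quoted in the thread: both
# lines are comments, so sshd runs with its defaults.
sample_commented='#Protocol 2,1
#PermitRootLogin yes'

# Constructed hardened config: the commented line is still present, but
# the first real directive is what counts.
sample_hardened='#PermitRootLogin yes
PermitRootLogin no'

printf '%s\n' "$sample_commented" | permit_root_login   # yes (default)
printf '%s\n' "$sample_hardened"  | permit_root_login   # no
```

Directives inside Match blocks, which later OpenSSH versions support, are not evaluated; the functions read the global setting only.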
On Monday 30 August 2004 8:24 am, Patrick Shanahan wrote:
* Bob S.
[08-30-04 01:13]: On Sunday 29 August 2004 10:00 am, Patrick Shanahan wrote:
rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm
Now Patrick, be nice! Read the man page from top to bottom, several times. Just some old guy running SuSE 8.2 as his desktop and having a lot of fun doing it. No formal training or experience whatsoever. Learning "on the fly" as they might say.
Patrick is nice. I just installed and ran rkhunter. It was a piece of cake. If everybody else did as good a job on an app as he did there wouldn't be as much need for 'Google is your friend' and RTFM. I did a checkall, and I kept hitting enter when needed and I zipped right through. I'm retired, have no training in computers and no work experience with them. Excellent job Patrick, Thank you. Rich

--
C. Richard Matson
* C. Richard Matson
Patrick, Thank you. Rich
:^)

--
Patrick Shanahan
Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/photos
On Monday 30 August 2004 11:24 am, Patrick Shanahan wrote:
Couldn't find the logfile.
/var/log/rkhunter.log
Nope, no such log listed ....Note: to John, who also replied. Nope not in /var/spool/mail/bob either. And I am updated. Using apt.
Just some old guy running SuSE 8.2 as his desktop and having a lot of fun doing it. No formal training or experience whatsoever. Learning "on the fly" as they might say.
then we have parity, 63, retired, high school grad, computer hobby, training - IBM KeyPunch operation 1965 (for knowledge only, never used)
Diff: 5 years older - No keypunch training :-) AND, seems you know what you are doing :-)
Here is the error portion from rkhunter:
/sbin/checkproc [ BAD ] etc. etc.
I do not know about these (above). I have forwarded a copy of your post to the author for comment and will provide a copy to you via the list when he responds unless he posts his response to the list.
OK, thanks
Checking /etc/rc.d/rc.sysinit [ Not found ]
[ Not found ] = don't exist, no worry (rkhunter works on other distro's which use[d] these files)
Hmmm...OK, If you say so. Seems like these would be important files.
Checking for allowed root login... Watch out Root login possible. Possible risk!
this is a false pos, if you look in sshd_config (you said you didn't use ssh), you will find the line '#PermitRootLogin yes' which is
commented out. The author has been advised of this by me:
OK - that is correct about root login.
I do not understand the warning/notice ??
Ah, it's because you have both lines in it.. And I have to check a lot of different OpenSSH configs...
Please remove the lines and it will be OK. Nevertheless, I will add it to my ToDo list ;-)
You lost me there. Don't know which two lines you are referring to. Doesn't matter though. Forget it.
MD5 compared: 26
Incorrect MD5 checksums: 6
File scan
Scanned files: 320
Possible infected files: 0
Application scan
Vulnerable applications: 2
Scanning took 482 seconds
NOTE: Your report appears to be from an *old* version of rkhunter. Which version are you using? Later versions have corrections and updated parameters.
Nope. It is the 1.1.7-1.ps which I just downloaded from your url. Ummm.... read with interest your discussion with Danny. Another whole subject. Got to see how I go about doing that. (creating an ro only CD with rkhunter on it) Anyway, Thanks for listening. Bob S.
On Tue, 2004-08-31 at 08:04, Bob S. wrote:
Couldn't find the logfile.
/var/log/rkhunter.log
Nope, no such log listed ....Note: to John, who also replied. Nope not in /var/spool/mail/bob either.

erm, sorry, but to quote another member of this list: "man rkhunter"

You can specify these parameters in /etc/rkhunter.conf

David (runs for cover......)
On Monday 30 August 2004 01:13, Bob S. wrote:
On Sunday 29 August 2004 10:00 am, Patrick Shanahan wrote:
rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm
OK, seems like a great idea to me. Been meaning to do this for quite awhile. Downloaded it and ran it. Gave me a bunch of stuff to look at. Identified problems below. No rootkits thank goodness. Now, some of it is obvious, don't run Apache, or ssh, etc. But what do I do about the other stuff that came up? Stuff that I should probably be investigating. Couldn't find the logfile.
It will be in /var/spool/mail/bob (presuming)
Here is the error portion from rkhunter:
<snip>
Bob S.
Get on YaST and update, update, update! If you're on dialup, start it at night just before you go to bed. Uncheck the kernel...you'll survive fine without that at the moment and it'll take a mess of hours by itself, so do it another night. Either way, update everything else, now.

John
Patrick wrote regarding 'Re: [SLE] rkhunter-1.1.7-1.ps.noarch.rpm available' on Sun, Aug 29 at 09:01: [...]
Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone. [...]
Not to be a wet blanket, but does it make much sense to have a well-known rootkit hunter on your machine at all times? I ask because, were *I* the type to break into a machine, I'd probably do a 'find' and 'perl -i' to modify the hunter to not find my rootkit. Of course, I'm not that type, but surely someone else has thought that? I know that some of those kits modify top, ls, etc to hide themselves, so rkhunter should really be on their list.

Anyway, for my part, I'm keeping the URL handy and will run it if I suspect something. I don't see a good way to rely on it to run unattended, though. Perhaps checking the MD5sum from the package periodically would help, but that's still something that could be compromised...

Maybe this has all been covered before, but since I haven't seen it, I figured this'd be a decent place to mention it. Don't want everyone getting lulled into a false sense of security. The hunter's a good step, but it'd have to be on read-only media to really trust it to run automatically.

--Danny, burning a CD later on ;)
* Danny Sauer
Not to be a wet blanket, but does it make much sense to have a well-known rootkit hunter on your machine at all times? I ask because, were *I* the type to break into a machine, I'd probably do a 'find' and 'perl -i' to modify the hunter to not find my rootkit. Of course, I'm not that type, but surely someone else has thought that? I know that some of those kits modify top, ls, etc to hide themselves, so rkhunter should really be on their list.
No, it does not
Anyway, for my part, I'm keeping the URL handy and will run it if I suspect something. I don't see a good way to rely on it to run unattended, though. Perhaps checking the MD5sum from the package periodically would help, but that's still something that could be compromised...
Maybe this has all been covered before, but since I haven't seen it, I figured this'd be a decent place to mention it. Don't want everyone getting lulled into a false sense of security. The hunter's a good step, but it'd have to be on read-only media to really trust it to run automatically.
True. I burn mine on a cd and leave it mounted for cron to have access when it runs the script. I also have an ls120 floppy disk that would accomplish the same, activating the write-protect. A zip disk would also suffice.

--
Patrick Shanahan
Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/photos
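The exchange above boils down to one rule: an unattended scanner is only as trustworthy as the medium it runs from, and a checksum is only useful if the reference hash cannot be rewritten alongside the file. The wrapper below is an added example, not rkhunter's or Patrick's code, of the cron setup described: the scanner and its reference checksum both sit on the read-only media, and the wrapper refuses to run a copy whose hash no longer matches. It assumes a mount point of /mnt/cdrom, uses a constructed stand-in script in place of rkhunter, and substitutes SHA-256 for the md5sum mentioned in the thread.

```shell
#!/bin/sh
# Added example (not rkhunter's or Patrick's code): a cron wrapper in the
# spirit of the thread. Scanner and reference checksum live together on
# read-only media; the wrapper refuses to run a copy whose hash no longer
# matches. Mount point and stand-in script are assumptions.

# verify_scanner SCANNER CHECKSUM_FILE
# Returns 0 when SCANNER's SHA-256 equals the first hash in CHECKSUM_FILE.
# The thread talks about md5sum; SHA-256 is substituted here.
verify_scanner() {
    expected=$(awk 'NR == 1 { print $1 }' "$2" 2>/dev/null)
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# run_verified SCANNER CHECKSUM_FILE [ARGS...]
# Runs the scanner only after it verifies; otherwise explains and returns 2.
run_verified() {
    scanner=$1; sums=$2; shift 2
    if verify_scanner "$scanner" "$sums"; then
        "$scanner" "$@"
    else
        echo "refusing to run $scanner: checksum mismatch or no reference" >&2
        return 2
    fi
}

# Self-contained demonstration with a constructed stand-in for rkhunter:
# the intact copy runs, an altered copy is refused. Returns 0 on success.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "scan ok"\n' > "$dir/rkhunter"
    chmod +x "$dir/rkhunter"
    sha256sum "$dir/rkhunter" > "$dir/rkhunter.sha256"   # reference, burned with it
    run_verified "$dir/rkhunter" "$dir/rkhunter.sha256" >/dev/null || return 1
    echo '# altered' >> "$dir/rkhunter"     # copy no longer matches what was burned
    ! run_verified "$dir/rkhunter" "$dir/rkhunter.sha256" 2>/dev/null || return 1
    rm -rf "$dir"
}

# Cron-style use with the assumed mount point:
#   run_verified /mnt/cdrom/rkhunter /mnt/cdrom/rkhunter.sha256 --checkall
demo && echo "integrity check behaves as expected"
```

The check itself depends on sha256sum and the shell being intact, which is exactly Danny's point: the tools doing the verifying need the same protection as the scanner, so keep them on the read-only media too or run the whole check from a boot CD.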