On Monday 30 August 2004 8:24 am, Patrick Shanahan wrote:

* Bob S. [08-30-04 01:13]:

...

On Sunday 29 August 2004 10:00 am, Patrick Shanahan wrote:

...

rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm

...

Now Patrick, be nice! Read the man page from top to bottom, several times. Just some old guy running SuSE 8.2 as his desktop and having a lot of fun doing it. No formal training or experience whatsoever. Learning "on the fly" as they might say.

Patrick is nice. I just installed and ran rkhunter. It was a piece of cake. If everybody else did as good a job on an app as he did there wouldn't as much need for 'Google is your friend' and RTFM. I did a checkall, and I kept hitting enter when needed and I zipped right through. I'm retired, have no training in computers and no work experience with them. Excellent job Patrick, Thank you. Rich -- C. Richard Matson

On Monday 30 August 2004 11:24 am, Patrick Shanahan wrote:

...

Couldn't find the logfile.

/var/log/rkhunter.log

Nope, no such log listed ....Note: to John, who also replied. Nope not in /var/spool/mail/bob either. And I am updated. Using apt.

...

Just some old guy running SuSE 8.2 as his desktop and having a lot of fun doing it. No formal training or experience whatsoever. Learning "on the fly" as they might say.

then we have parity, 63, retired, high school grad, computer hobby, training - IBM KeyPunch operation 1965 (for knowledge only, never used)

Diff: 5 years older - No keypunch training :-) AND, seems you know what you are doing :-)

...

Here is the error portion from rkhunter:

/sbin/checkproc [ BAD ] etc. etc.

I do not know about these (above). I have forwarded a copy of your post to the author for comment and will provide a copy to you via the list when he responds unless he posts his response to the list.

OK, thanks

...

Checking /etc/rc.d/rc.sysinit [ Not found ]

[ Not found ] = don't exist, no worry (rkhunter works on other distro's which use[d] these files)

Hmmm...OK, If you say so. Seems like these would be important files.

...

Checking for allowed root login... Watch out Root login possible. Possible risk!

this is a false pos, if you look in sshd_config (you said you didn't use ssh), you will find the line '#PermitRootLogin yes' which is

commented out. The author has been advised of this by me:

OK - that is correct about root login.

...

I do not understand the warning/notice ??

Ah, it's because you have both lines in it.. And I have to check a lot of different OpenSSH configs...

Please remove the lines and it will be OK. Nethertheless, I will add it to my ToDo list ;-)

You lost me there. Don't know which two lines you are referring to. Doesn't matter though. Forget it.

...

MD5 compared: 26 Incorrect MD5 checksums: 6

File scan Scanned files: 320 Possible infected files: 0

Application scan Vulnerable applications: 2

Scanning took 482 seconds

NOTE: Your report appears to be from an *old* version of rkhunter. Which version are you using? Later versions have corrections and updated parameters.

Nope. It is the 1.1.7-1.ps which I just downloaded from your url. Ummm.... read with interest your discussion with Danny. Another whole subject. Got to see how I go about doing that. (creating an ro only CD with rkhunter on it) Anyway, Thanks for listening. Bob S.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday 30 August 2004 01:13, Bob S. wrote:

On Sunday 29 August 2004 10:00 am, Patrick Shanahan wrote:

...

rkhunter-1.1.7-1.ps.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.1.7-1.ps.noarch.rpm

OK, seems like a great idea to me. Been meaning to do this for quite awhile. Downloaded it and ran it. Gave me a bunch of stuff to look at. Identified problems below. No rootkits thank goodness. Now, some of it is obvious, don't run Apache, or ssh, etc. But what do I do about the other stuff that came up? Stuff that I should probably be investigating. Couldn't find the logfile.

It will be in /var/spool/mail/bob (presuming)

Here is the error portion from rkhunter:

<snip>

Bob S.

Get on YaST and update, update, update! If you're on dialup, start it at night just before you go to bed. Uncheck the kernel...you'll survive fine without that at the moment and it'll take a mess of hours by itself, so do it another night. Either way, update everything else, now. John -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3rc2 (GNU/Linux) iD8DBQFBM0d9H5oDXyLKXKQRAk+IAKC/0MqN7YRJ+xUKQ4COXIlRzgscWwCdGqAP rvE1sRYrHSdsVXonNCSKZho= =sbVy -----END PGP SIGNATURE-----

* Danny Sauer [08-30-04 16:14]:

Not to be a wet blanket, but does it make much sense to have a well-known rootkit hunter on your machine at all times? I ask because, were *I* the type to break into a machine, I'd probably do a 'find' and 'perl -i' to modify the hunter to not find my rootkit. Of course, I'm not that type, but surely someone else has thought that? I know that some of those kits modify top, ls, etc to hide themselves, so rkhunter should really be on their list.

No, it does not

Anyway, for my part, I'm keeping the URL handy and will run it if I suspect something. I don't see a good way to rely on it to run unattended, though. Perhaps checking the MD5sum from the package periodically woudl help, but that's still something that could be compromised...

Maybe this has all been covered before, but since I haven't seen it, I figured this'd be a decent place to mention it. Don't want everyone getting lulled into a false sense of security. The hunter's a good step, but it'd have to be on read-only media to really trust it to run automatically.

True. I burn mine on a cd and leave it mounted for cron to have access when it runs the script. I also have an ls120 floppy disk that would accomplish the same, activating the write-protect. A zip disk would also suffice. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos