

Rootkit Hunter


121 replies to this topic

#26 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 09 April 2004 - 09:18 AM

Bruno, on Apr 9 2004, 04:25 AM, said:

2). The "Users can use SSH1-protocol" is very simple to fix:
# vi /etc/ssh/sshd_config
And either change the existing line "Protocol 2,1" to "Protocol 2" . . or if the line is completely missing just add that line. This will solve the problem :D ( run rkhunter again and you will see that the line is gone :) )
Read about it: http://lwn.net/2001/...fb-openssh.php3

Hi, Bruno...I figured that aumixrc had something to do with the mixer. I listed it because the rootkit hunter mentioned it. Now the SSHd thing is a bit more confusing. I already have that line in the config file! It may be complaining about it because sshd is a service on my computer. LilBambi's husband Jim uses SSH to get into my system (when I unblock the port in my router) occasionally to help me with various problems. I also figured that syslog was not really that important, because it is logging stuff....... when have I ever needed that?? ;)
I don't suffer from insanity, I enjoy it.

#27 OFFLINE   rolanaj

rolanaj

    Board Bigwig

  • Forum MVP
  • 2,647 posts

Posted 09 April 2004 - 07:55 PM

This worked fine with Mandrake 9.1 too, neat program.  Thanks Bruno
Registered Linux User #554733

#28 OFFLINE   trigggl

trigggl

    Forum Fiend

  • Members
  • 1,797 posts

Posted 10 April 2004 - 04:26 PM

I get the following:

Quote

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.devfsd /etc/.pwd.lock /etc/.qt_plugins_3.2rc.lock /etc/.qtrc.lock
---------------
Please inspect:  /dev/.devfsd (character special (254/0))

Also, it says the OS isn't fully supported and skips the MD5 checks.
Greg


#29 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 10 April 2004 - 04:32 PM

Which distro are you using??
I don't suffer from insanity, I enjoy it.

#30 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 10 April 2004 - 06:39 PM

trigggl, on Apr 10 2004, 09:13 PM, said:

I get the following:

Quote

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.devfsd /etc/.pwd.lock /etc/.qt_plugins_3.2rc.lock /etc/.qtrc.lock
---------------
Please inspect:  /dev/.devfsd (character special (254/0))

Also, it says the OS isn't fully supported and skips the MD5 checks.

Hi Greg

Those are hidden files the program does not have in its database to recognize as okay . . . . . the QT ones are harmless because QT has a whole bunch of them in the development libs . . the /dev/.devfsd is specific for Mandrake 10 and not to worry about either, nor should you worry about the /etc/.pwd.lock. See, the rkhunter is made to run on all distros so you can not prevent it showing some files as suspect that are in fact quite okay . . . I think when we come at version 5.0 those things will be ironed out.

:thumbsup: Bruno

#31 OFFLINE   linuxdude32

linuxdude32

    Board Bigwig

  • Members
  • 2,702 posts

Posted 11 April 2004 - 09:24 PM

trigggl, on Apr 10 2004, 03:13 PM, said:

Also, it says the OS isn't fully supported and skips the MD5 checks.

Let the author know this, Greg. I did for my distro since it said the same thing and he said the next version should support it. I think it's just because different distros have the md5 programs in different places.
Jason Wallwork

#32 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 12 April 2004 - 04:20 AM

I think Greg tested it on Mandrake 10.0 . . the support of 10.0 was only added on April 11 ( was not in the list before that date ) so will surely be in the next version.

B) Bruno

#33 OFFLINE   jodef

jodef

    Multithreader

  • Members
  • 1,429 posts

Posted 13 April 2004 - 07:07 PM

Was checking out the site and noticed, as of today's date, a new release; the change log is as follows:

Quote

New:
- Added support for FreeBSD 4.9 and 5.2.1
- Added support for SuSE 9.0 (i386 and i586). Thanks to multiple people
- Added support for Trustix. Thanks to Joachim Holst
- Added support for Whitebox Enterprise Linux 3.0. Thanks to Fire
- Added support for CentOS 3.1. Thanks to Fire
- Added support for Mandrake 10 (community release). Thanks to Ted Kline
- Added support for CPUBuilders Linux. Thanks to Chris Locke
- Added support for Gentoo's 'rc.local' file (local.start)
- Added parameter '--bindir' to use another (binary) directory than the default ones (to select which binaries will be used to perform the tests). Requested by Joel.
- Added parameter '--configfile' to use another configuration file.
- Added parameter '--dbdir' to use another (dynamic) database directory
- Added a check when dynamic parameters are used (like --dbdir, --bindir) to check the existence of these paths/files.
- Added lsmod check (/proc/modules) for Linux distros. Thanks to Micah Anderson

Changes:
- Updated hashes for Mandrake 9.2. Thanks to John P. New and others.
- Updated hashes for Red Hat Enterprise Linux Update 1. Thanks to Eilko
- Added informational message, when 'PermitRootLogin' or SSH protocol 1 is found, into the logfile
- Renamed .spec file to rkhunter.spec
- Updated installer. Thanks to Uwe Hermann
- Improved LKM check. Thanks to Joe Croft
- Improved logging
- Fixed a problem with ifconfig


#34 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 13 April 2004 - 07:16 PM

That is the new release Johann . . 1.0.6 . . . . we all have downloaded the 1.0.5 last week ;) . . . Time to upgrade ? Or shall we wait for 1.0.7 that is in development ?

B) Bruno

#35 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 22 April 2004 - 04:08 PM

I got a chance to try this program today and so far so good B) Everything installed and ran very smoothly and found no rootkits.

Quote

The only Distro I can not get it installed was Slackware . . . I need "Perl-Digest-SHA1" to make it install

Strange, I had no problems with it at all.

#36 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 22 April 2004 - 04:12 PM

Bruno, on Apr 8 2004, 08:34 PM, said:

UPDATE: I found the Perl-Digest-SHA1 file for slackware ( well the source package in .tar.gz ):
http://www.ultramonk...rl-Digest-SHA1/
Unpacking is all you have to do :D

B) Bruno

Hi Sonic . . . . I did manage to install it . . but it was a few posts later before I did find the file needed B) B) LOL

Yep it is a very nice program, and it will be added to the next version of Drake ISOs ( 10.1 ) they are working at it in the cooker.

:D Bruno

#37 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 22 April 2004 - 04:15 PM

Quote

Yep it is a very nice program, and it will be added to the next version of Drake ISOs ( 10.1 ) they are working at it in the cooker.

Go Mandrake. I definitely think this is something that all distros should include  B)

#38 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 22 April 2004 - 08:34 PM

The screensavers just did a segment on rootkits today.

#39 OFFLINE   jodef

jodef

    Multithreader

  • Members
  • 1,429 posts

Posted 03 May 2004 - 09:50 PM

Just tried this program for the first time. Everything looked more or less OK, however this little notice did catch my attention. Is it something I should be worried about:

Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.devfsd /etc/.pwd.lock /etc/.qt_plugins_3.2rc.lock
---------------
Please inspect:  /dev/.devfsd (character special (254/0))

Tried to look at /dev/.devfsd without luck. Help appreciated, thx. :)

#40 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 04 May 2004 - 04:07 AM

Hi Johann

It shows you the files because they are hidden files in an unusual place ( /dev does usually not harbour hidden files ) . . . . . but, I have /dev/.devfsd too, it is a simple device file, nothing special with it :D

B) Bruno

#41 OFFLINE   jodef

jodef

    Multithreader

  • Members
  • 1,429 posts

Posted 04 May 2004 - 07:27 AM

Bruno, on May 4 2004, 04:09 AM, said:

Hi Johann

It shows you the files because they are hidden files in an unusual place ( /dev does usually not harbour hidden files ) . . . . . but, I have /dev/.devfsd too, it is a simple device file, nothing special with it :D

B) Bruno

Thx Bruno, one less problem to worry about. :D

#42 OFFLINE   linuxdude32

linuxdude32

    Board Bigwig

  • Members
  • 2,702 posts

Posted 04 May 2004 - 02:49 PM

Going to be demonstrating RKhunter at the upcoming PLUG meeting amongst other things. Thanks for letting me know about this little gem, Bruno. Showed my cousin who's an admin and he loved it.
Jason Wallwork

#43 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 04 May 2004 - 03:03 PM

You're welcome Jason ! . . . I will tell Michael Boelen that he can expect some major traffic from Canada :thumbsdown: :D

B) Bruno

#44 OFFLINE   linuxdude32

linuxdude32

    Board Bigwig

  • Members
  • 2,702 posts

Posted 04 May 2004 - 10:23 PM

Bruno, on May 4 2004, 02:05 PM, said:

You're welcome Jason ! . . . I will tell Michael Boelen that he can expect some major traffic from Canada :rolleyes: :clap:

Yeah, he'd better set up another server to handle all that extra traffic!  :whistling:
Jason Wallwork

#45 OFFLINE   Dard

Dard

    Thread Head

  • Members
  • 626 posts

Posted 24 May 2004 - 12:51 AM

22 May - Release 1.0.9 available
This new release fixes some incorrect MD5 hashes and adds support for Mandrake 10 hashes, Fedora Core 2 (with hashes), SuSE 9.1 (with hashes), Balaur Rootkit (rootkit). It also has an improved installer by "Medon".
http://www.rootkit.nl/

I'm gonna have to try this out.  B)

#46 OFFLINE   linuxdude32

linuxdude32

    Board Bigwig

  • Members
  • 2,702 posts

Posted 24 May 2004 - 08:09 AM

Dard, on May 23 2004, 11:53 PM, said:

22 May - Release 1.0.9 available
This new release fixes some incorrect MD5 hashes and adds support for Mandrake 10 hashes, Fedora Core 2 (with hashes), SuSE 9.1 (with hashes), Balaur Rootkit (rootkit). It also has an improved installer by "Medon".
http://www.rootkit.nl/

I'm gonna have to try this out.  B)

Anybody else try this new version with SuSE 9.1 yet? I received several incorrect MD5 hashes but this is a fresh install! I wrote the author. Hate to think somebody hacked me already!
Jason Wallwork

#47 OFFLINE   linuxdude32

linuxdude32

    Board Bigwig

  • Members
  • 2,702 posts

Posted 24 May 2004 - 03:23 PM

Update: The author, Michael Boelen, replied to my email:

Quote

Hi,

I know.. I installed my system and didn't patch it and missed the update ;-)
If you want you can use the 1.1.0 prerelease (it contains the updated hashes too) ;-)
URL: http://downloads.roo...ter-test.tar.gz

Michael
Rootkit.nl

Jason Wallwork

#48 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 24 May 2004 - 03:36 PM

A great guy, Michael !!

B) :huh: Bruno

#49 OFFLINE   Dard

Dard

    Thread Head

  • Members
  • 626 posts

Posted 24 May 2004 - 05:32 PM

Quote

Anybody else try this new version with SuSE 9.1 yet?

Not yet, but I hope to be installing SuSE 9.1 by the end of the week here.   :D
Actually I still have to try this with mandrake 10.0 official. I had better start reading the instructions and get with the program.  :thumbsup:

#50 OFFLINE   jodef

jodef

    Multithreader

  • Members
  • 1,429 posts

Posted 24 May 2004 - 08:07 PM

Ran flawlessly on fedora core 2  :thumbsup:  :P Only 1 warning :

Quote

Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
    info:    Hint: See logfile for more information about this issue
   Checking for allowed protocols...                          [ Warning (SSH v1 allowed) ]

Anything to be worried about? B)
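Post #26 above quotes the fix for the SSH1 warning ("Protocol 2,1" to "Protocol 2") and this post shows the two SSH findings rkhunter reports. As an added example, not code from the thread or from rkhunter, here is a small POSIX shell audit that reads an sshd_config the way sshd does (first match wins, comment lines ignored, keywords case-insensitive) and reports the same two conditions, so an edit can be verified before rkhunter is run again; the function names and the two sample config files are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: a small audit of
# sshd_config that reproduces the two SSH findings seen in this thread
# ("SSH v1 allowed" and "root login possible"), so a fix can be checked
# before re-running rkhunter. Function names are this example's own.

# Effective value of a keyword: sshd takes the FIRST match, ignores comment
# lines and treats keywords case-insensitively.
sshd_option() {                                # sshd_option FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$1"
}

# 0 if protocol 1 is allowed. OpenSSH of that era defaulted to "2,1" when
# the Protocol line was absent, which is why adding "Protocol 2" fixes it.
ssh_v1_allowed() {                             # ssh_v1_allowed FILE
    proto=$(sshd_option "$1" Protocol | tr -d ' ')
    [ -z "$proto" ] && proto="2,1"
    case ",$proto," in *,1,*) return 0 ;; *) return 1 ;; esac
}

# 0 if root may log in: PermitRootLogin absent (default yes) or set to yes.
root_login_possible() {                        # root_login_possible FILE
    v=$(sshd_option "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ -z "$v" ] && v=yes
    [ "$v" = yes ]
}

# Print rkhunter-style warnings; exit status 1 if any were found.
audit_sshd_config() {                          # audit_sshd_config FILE
    rc=0
    root_login_possible "$1" && { echo "Warning: root login possible"; rc=1; }
    ssh_v1_allowed "$1"      && { echo "Warning: SSH v1 allowed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample configs: the weak one and the corrected one.
WEAK=$(mktemp); FIXED=$(mktemp)
printf '# stock file\nProtocol 2,1\n#PermitRootLogin yes\n' > "$WEAK"
printf 'Protocol 2\nPermitRootLogin no\n' > "$FIXED"
audit_sshd_config "$WEAK" || :    # two warnings, like the quoted rkhunter run
audit_sshd_config "$FIXED"        # OK
rm -f "$WEAK" "$FIXED"
```

Run it against /etc/ssh/sshd_config instead of the sample files to see which of the two warnings a given machine would still get; a commented-out "#PermitRootLogin no" counts as absent, exactly as it does for sshd.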



