

Rootkit Hunter


121 replies to this topic

#51 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 24 May 2004 - 08:42 PM

Yes.  You have a running SSH server that is set up to allow Version 1 connections.  If you don't run SSH then uninstall it, or you need to reconfigure it to not use version 1 and only version 2.  If you don't connect into your box remotely then you shouldn't have this service installed.

A good how-to on proper setup can be found here.  It is Mandrake based but the concepts work on any *nix box.
http://www.mandrakes...display=printer
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#52 OFFLINE   jodef

jodef

    Multithreader

  • Members
  • 1,429 posts

Posted 24 May 2004 - 08:58 PM

Thx for the info Nathan, will be sure to look at it :thumbsup: However, I ran rkhunter --checkall --createlogfile, which wrote a logfile to /var/log/rkhunter.log. That logfile pointed me to /etc/ssh/sshd_config and even the exact lines I should look at, mainly Protocol and PermitRootLogin. Once I edited those two lines I reran rkhunter: no more problems or warnings :P  :w00t:

Edit: Nathan, you were right, the SSH daemon was running so I also disabled it. B)

Edited by Bruno, 20 August 2004 - 03:32 AM.
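An added example (not code from the thread or from rkhunter) that re-checks the two sshd_config directives rkhunter's log pointed at above, Protocol and PermitRootLogin, against a constructed sample file. The "first occurrence of a keyword wins" rule is sshd's own; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: re-check the two
# sshd_config directives rkhunter pointed at in the post above.
# Assumes POSIX sh and awk, and directives written as "Keyword value"
# (the "Keyword=value" form sshd also accepts is not handled).

# Constructed sample: the "before" state that produces both warnings. The second
# Protocol line is deliberately ignored, since sshd honours the FIRST occurrence.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
Protocol 2
'

# sshd_value FILE KEYWORD: print the first effective value of KEYWORD
# (keyword match is case-insensitive; comments and blank lines are skipped).
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: return 0 when Protocol is exactly "2" and PermitRootLogin
# is "no"; otherwise print a WARNING per offending directive and return 1.
sshd_audit() {
    rc=0
    proto=$(sshd_value "$1" protocol)
    if [ "$proto" != "2" ]; then
        echo "WARNING: Protocol is '${proto:-unset}'; set 'Protocol 2' (protocol version 1 is insecure)"
        rc=1
    fi
    root=$(sshd_value "$1" permitrootlogin)
    # Unset meant "yes" on the sshd releases of the thread's era.
    if [ "$root" != "no" ]; then
        echo "WARNING: PermitRootLogin is '${root:-unset}'; set 'PermitRootLogin no'"
        rc=1
    fi
    return $rc
}

# Stand-alone demo: write the sample to a temp file and audit it.
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
if sshd_audit "$cfg"; then echo "sshd_config: OK"; else echo "sshd_config: needs attention"; fi
rm -f "$cfg"
```

On a real box you would call sshd_audit /etc/ssh/sshd_config as root and rerun rkhunter afterwards, as the post above did.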


#53 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 24 May 2004 - 09:18 PM

rkhunter's logs are very nice.  Very detailed.  I've got to go download that latest version.
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#54 OFFLINE   trigggl

trigggl

    Forum Fiend

  • Members
  • 1,797 posts

Posted 19 August 2004 - 09:04 AM

This thread is important enough to fix for the Firefox users, I would say.

I just installed this on Slackware 10 without any dependency problems or trouble running.
Greg


#55 OFFLINE   rpiz

rpiz

    Thread Head

  • Members
  • 703 posts

Posted 19 August 2004 - 03:52 PM

I just downloaded and installed 'rootkit version 1.1.6' in MDK 10, and after running the program I received one (1) vulnerability (openSSL 0.9.7c)?   Should something be done with this file or is it OK?? B)

#56 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 August 2004 - 04:06 PM

I do think you need that package:

Quote

The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH and web browsers (for accessing secure https sites).
B) Bruno

#57 OFFLINE   rpiz

rpiz

    Thread Head

  • Members
  • 703 posts

Posted 19 August 2004 - 04:12 PM

Thanks for the response.  I just wanted to be sure on files that appear after running rkhunter.  Off to install and run it in PCLos.

#58 OFFLINE   trigggl

trigggl

    Forum Fiend

  • Members
  • 1,797 posts

Posted 19 February 2005 - 08:31 AM

I just downloaded and installed version 1.2.0 and ran it.  Actually, I ran my old version first and it gave the same warnings.  It told me to check two folders:

/dev/.udev.tdb
/etc/.java

I just checked /etc/.java/.systemPrefs and it had two empty files:

root@fangorn:/etc/.java/.systemPrefs# ls -al
total 8
drwxr-xr-x  2 root root 4096 2005-01-08 00:03 ./
drwxr-xr-x  3 root root 4096 2005-01-08 00:03 ../
-rw-r--r--  1 root root    0 2005-01-08 00:03 .system.lock
-rw-r--r--  1 root root    0 2005-01-08 00:03 .systemRootModFile

Should I be alarmed at any of this?  Here is a sampling of the contents of /dev/.udev.tdb

I wouldn't even be looking if my internet activity light wasn't constantly flashing.  I did try to set up ntp.  Perhaps there's something odd going on with it.
Greg


#59 OFFLINE   trigggl

trigggl

    Forum Fiend

  • Members
  • 1,797 posts

Posted 19 February 2005 - 08:46 AM

Well, never mind on the .udev folder.  I found its location specified in udev.conf.  The .java file is probably OK, also.
Greg


#60 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 02:39 PM

Okay, I have downloaded this tar:  rkhunter-1.2.0.tar.gz

This is what I have done so far with the install instructions.  Is this thing installed?  How do I get a button on my toolbar or added to my system?

Shamgar@linux:~/RootKitHunter> su
Password:
linux:/home/Shamgar/RootKitHunter # tar zxf rkhunter-1.2.0.tar.gz
linux:/home/Shamgar/RootKitHunter # ls
.  ..  rkhunter  rkhunter-1.2.0.tar.gz
linux:/home/Shamgar/RootKitHunter # cd rkhunter
linux:/home/Shamgar/RootKitHunter/rkhunter # ls
.  ..  files  installer.sh
linux:/home/Shamgar/RootKitHunter/rkhunter # ./installer.sh
Rootkit Hunter installer 1.1.9 (Copyright 2003-2004, Michael Boelen)
---------------
Starting installation/update
Checking UID... OK
Checking  /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Exists
- Checking /usr/local/rkhunter/etc...Exists
- Checking /usr/local/rkhunter/bin...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/db...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Exists
- Checking /usr/local/etc...Exists
Checking system settings...
    - Perl... OK
Installing files...
Installing  Perl module checker... OK
Installing  Database updater... OK
Installing  Portscanner... OK
Installing  MD5 Digest generator... OK
Installing  SHA1 Digest generator... OK
Installing  Directory viewer... OK
Installing  Database Backdoor ports... OK
Installing  Database Update mirrors... OK
Installing  Database Operating Systems... OK
Installing  Database Program versions... OK
Installing  Database Program versions... OK
Installing  Database Default file hashes... OK
Installing  Database MD5 blacklisted files... OK
Installing  Changelog... OK
Installing  Readme and FAQ... OK
Installing  Wishlist and TODO... OK
Installing  RK Hunter configuration file... Skipped (no overwrite)
Installing  RK Hunter binary... OK
Configuration already updated.
Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)
linux:/home/Shamgar/RootKitHunter/rkhunter # ls
.  ..  files  installer.sh
linux:/home/Shamgar/RootKitHunter/rkhunter #
linux:/home/Shamgar/RootKitHunter/rkhunter # ls
.  ..  files  installer.sh
linux:/home/Shamgar/RootKitHunter/rkhunter # cd /usr/local/bin/
linux:/usr/local/bin # dir
total 148
drwxr-xr-x   2 root root   4096 2005-02-19 12:19 .
drwxr-xr-x  12 root root   4096 2005-02-19 08:44 ..
-rwxr-x---   1 root root 138980 2005-02-19 12:19  rkhunter

#61 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 02:48 PM

Hi Shamgar

Next thing you do is make a link to the executable:
# cd /home/shamgar
# ln -s  /usr/local/bin/rkhunter/rkhunter  /usr/bin/rkhunter
Now the link /usr/bin/rkhunter is in your path and you can run the program:
# rkhunter -c --createlogfile
;) Bruno

#62 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 03:51 PM

Thanks!

I lost my terminal info after creating the link.  Where am I supposed to be to add the command :( (Where in, under su?)
# rkhunter -c --createlogfile?

#63 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 03:55 PM

Yep, you open a terminal . . . do "su" and give the command . . . that is all . . and you will get a report of the output on your screen  . . :D
B) Bruno

#64 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 04:10 PM

Thanks for the reply! This is what I received as a present from my terminal window:

Shamgar@linux:~> su
Password:
linux:/home/Shamgar # rkhunter -c --createlogfile
bash: rkhunter: command not found
linux:/home/Shamgar #

Where am I going wrong?

#65 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 04:12 PM

You might want to do this command again Shamgar: ( the link apparently did not "take" )
ln -s  /usr/local/bin/rkhunter/rkhunter  /usr/bin/rkhunter
And then try again ;)
Bruno

#66 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 04:43 PM

First retry:

Shamgar@linux:~> su
Password:
linux:/home/Shamgar # ln -s  /usr/local/bin/rkhunter/rkhunter  /usr/bin/rkhunter
linux:/home/Shamgar # rkhunter -c --createlogfile
bash: rkhunter: command not found
linux:/home/Shamgar #

Second retry:

Shamgar@linux:~> su
Password:
linux:/home/Shamgar # ln -s  /usr/local/bin/rkhunter/rkhunter  /usr/bin/rkhunter
ln: `/usr/bin/rkhunter': File exists
linux:/home/Shamgar # rkhunter -c --createlogfile
bash: rkhunter: command not found
linux:/home/Shamgar #

:hmm:  :medic:

#67 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 04:46 PM

???   strange

Let me see:
 ls -al /usr/bin/rkhunter
I want to check if it is executable ;)
:medic: Bruno

#68 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 05:00 PM

Shamgar@linux:~> su
Password:
linux:/home/Shamgar #  ls -al /usr/bin/rkhunter
lrwxrwxrwx  1 root root 32 2005-02-19 14:32 /usr/bin/rkhunter -> /usr/local/bin/rkhunter/rkhunter
linux:/home/Shamgar #

For some reason my smiley from Smiley Xtra throwing the computer doesn't show up.  :medic:

#69 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 05:05 PM

Good computer, good boy! Shamgar has a present for you . . . a 3 pound sledge hammer.

Edited by Shamgar, 19 February 2005 - 05:12 PM.


#70 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 05:11 PM

LOL !!!

Okay, now try this:
 /usr/bin/rkhunter -c --createlogfile
That will work :medic: . . . it seems that /usr/bin is not "in the path"  of root, but only in that of the user in SUSE . . . so you have to give the full path . . . ;):hmm: Bruno

#71 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 05:21 PM

Is this what you wanted coded?

Shamgar@linux:~> su
Password:
linux:/home/Shamgar # cd /usr/bin
linux:/usr/bin # rkhunter -c --createlogfile
bash: rkhunter: command not found
linux:/usr/bin #

#72 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 05:25 PM

Nope . . do not CD first . . . . . . just:
/usr/bin/rkhunter -c --createlogfile
B) Bruno

#73 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 05:34 PM

Actually, I tried that first before I sent the last one.

Shamgar@linux:~> su
Password:
linux:/home/Shamgar #  /usr/bin/rkhunter -c --createlogfile
bash: /usr/bin/rkhunter: Not a directory
linux:/home/Shamgar #

Let's see how would I describe my feeling for computers . . . .

#74 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 19 February 2005 - 05:37 PM

This is getting stranger by the minute . . . let me see
ls -al /usr/local/bin/rkhunter/rkhunter
:medic: Bruno

#75 OFFLINE   Shamgar

Shamgar

    Thread Head

  • Members
  • 545 posts

Posted 19 February 2005 - 05:45 PM

Okay, here it is:

Shamgar@linux:~> su
Password:
linux:/home/Shamgar #  /usr/bin/rkhunter -c --createlogfile
bash: /usr/bin/rkhunter: Not a directory
linux:/home/Shamgar # ls -al /usr/local/bin/rkhunter/rkhunter
/bin/ls: /usr/local/bin/rkhunter/rkhunter: Not a directory
linux:/home/Shamgar #

You cannot win you evil computer!
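An added example, not code from the thread or from rkhunter: a small shell diagnostic for the situation in the posts above, where running a symlink gives "Not a directory". It rebuilds the layout shown in this thread (the installer's own "Run 'rkhunter' (/usr/local/bin/rkhunter)" line and the /usr/bin/rkhunter link listing) inside a throwaway temporary directory, then explains why the link cannot resolve. The fixture paths and function names are constructed for this example; nothing touches the real /usr.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: diagnose a command
# path that fails like /usr/bin/rkhunter above. It follows the symlink, reports
# a dangling target, and names the path component that is a regular file where
# a directory was expected (the cause of bash's "Not a directory").
# Assumes POSIX sh plus readlink(1), dirname(1) and mktemp(1).

# check_cmd PATH: print one diagnosis line per problem; return 0 only when
# PATH (after following one level of symlink) is an existing executable file.
check_cmd() {
    p=$1
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        case $target in /*) ;; *) target=$(dirname "$p")/$target ;; esac  # relative link
        if [ ! -e "$target" ]; then
            echo "$p: dangling symlink -> $target"
            parent=$(dirname "$target")
            while [ "$parent" != / ] && [ ! -e "$parent" ]; do parent=$(dirname "$parent"); done
            if [ -e "$parent" ] && [ ! -d "$parent" ]; then
                echo "  $parent is a regular file, so $target can never resolve"
            fi
            return 1
        fi
        p=$target
    fi
    [ -e "$p" ] || { echo "$p: no such file"; return 1; }
    [ -x "$p" ] || { echo "$p: not executable"; return 1; }
    echo "$p: ok"
}

# make_fixture DIR: constructed replica of the layout in the thread under DIR.
# The installer put the program at usr/local/bin/rkhunter (a file, mode 750);
# the link usr/bin/rkhunter points one directory level too deep.
make_fixture() {
    mkdir -p "$1/usr/local/bin" "$1/usr/bin"
    printf '#!/bin/sh\necho rkhunter\n' > "$1/usr/local/bin/rkhunter"
    chmod 750 "$1/usr/local/bin/rkhunter"
    ln -s "$1/usr/local/bin/rkhunter/rkhunter" "$1/usr/bin/rkhunter"
}

# Stand-alone demo.
d=$(mktemp -d)
make_fixture "$d"
check_cmd "$d/usr/bin/rkhunter"         # dangling: explains the error seen above
check_cmd "$d/usr/local/bin/rkhunter"   # ok: this is where the installer put it
rm -rf "$d"
```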



