

Rootkit Hunter


121 replies to this topic

#1 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 02:59 PM

Rootkit Hunter

Yesterday I was reading an article on NewsForge by Joe Barr on "rkhunter", a new rootkit search program ( and more ! ). So I went to the website http://www.rootkit.nl of the Dutch programmer who made rkhunter and put it through the test on:
Mandrake 9.2
Mandrake 10
Vectorlinux 3.2 SOHO
PCLos

Very nice program ! Does a lot more than "chkrootkit", the program we have been recommending up till now. I reported back to Michael Boelen ( the maker ) that he could add MDK 10, PCLos and VectorLinux to the list on his site of distros where it was reported to work.

The only distro I can not get it installed on was Slackware . . . I need "Perl-Digest-SHA1" to make it install ( did need that in both Mandrakes too, but found it on the CD ) . . . . but am unable to find it, not on freshmeat, sourceforge, or the usual Slackpackages sites. Also Swaret did give no joy.

Anyway: I do recommend this program by my fellow citizen . . . :D Read Joe Barr on how to use it, and get the file ( rpm ) from the ftp.

:o Bruno

#2 OFFLINE   nlinecomputers
    Discussion Deity
  • No Longer a Member
  • 3,932 posts

Posted 08 April 2004 - 03:30 PM

Bookmarked. I'll give it a test drive. Thanks for the link.
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#3 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 03:32 PM

You are welcome Nathan !!

UPDATE: I found the Perl-Digest-SHA1 file for Slackware ( well, the source package in .tar.gz ): http://www.ultramonk...rl-Digest-SHA1/
Unpacking is all you have to do :D

B) Bruno

#4 OFFLINE   trigggl
    Forum Fiend
  • Members
  • 1,797 posts

Posted 08 April 2004 - 03:36 PM

Thanks for the link. I'm thinking of going with broadband soon, so I definitely want my computer to be as secure as possible. In Linux, a rootkit scanner is probably a lot more important than a virus scanner.
I may even see if the AIX guys at work would care to use it.
Greg


#5 ONLINE   ross549
    I live here.
  • Forum Admins
  • 9,108 posts

Posted 08 April 2004 - 03:38 PM

Bruno,
This might be a stupid question, but what does it do??
Thanks
I don't suffer from insanity, I enjoy it.

#6 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 03:42 PM

Extra directions for Slackware:

I unpacked rkhunter and the Perl-Digest-SHA1 in /usr/local/bin ( tar -zxvf ) . . . then ran "/usr/local/bin/rkhunter/installer.sh" to install it . . . then made a symlink:
# ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter
so it was in the "path" . . . Now running:
# rkhunter -c --createlogfile
Does the job ! :D

Wow this is fun ! :D Bruno

#7 OFFLINE   nlinecomputers
    Discussion Deity
  • No Longer a Member
  • 3,932 posts

Posted 08 April 2004 - 03:46 PM

It checks for rootkits. Tools installed by hacker/cracker types to compromise your system. This checks your system for common weak points such as world writable files or the presence of such rootkits on your system. A good cracker will of course move to disable this, but even that is a clue to you. If you stop getting reports via email then something is wrong. MSEC in Mandrake performs a similar function. Also see Bastille (sp?).
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#8 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 03:46 PM

ross549, on Apr 8 2004, 08:25 PM, said:

Bruno,
This might be a stupid question, but what does it do??
Thanks

Hi Adam . . it hunts for "rootkits" and unsafe files and unsafe permissions on files . . also unusual hidden files in / . . . does an MD5 check . . . and a lot more . . . :D
Just read the sites I linked you to :D the Joe Barr article is pretty clear . . ( I thought it was :o )

B) Bruno

#9 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 03:54 PM

The final results are that PCLos is safer than Mandrake ( in file permissions that is, though far from alarming ) . . and VectorLinux is safer than Slackware . . . The ranking is:
1). VectorLinux
2). Slackware
3). PClos
4). Mandrake 10
5). Mandrake 9.2 ( yep, there is a difference between 9.2 and 10 )
All systems passed the test, but I did get a few warnings on file permissions on the last 4 distros . . . also they said to check .aumixrc on the Drakes . . it is just a config file for the mixer settings, so false alarm :D

B) Bruno

#10 OFFLINE   zox
    Multithreader
  • Forum MVP
  • 1,234 posts

Posted 08 April 2004 - 03:54 PM

Thanks. You can never be secure enough. :D

#11 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 03:55 PM

You're welcome Zox . . . it is a fun little program :D

B) Bruno

#12 OFFLINE   nlinecomputers
    Discussion Deity
  • No Longer a Member
  • 3,932 posts

Posted 08 April 2004 - 04:30 PM

Bruno, on Apr 8 2004, 02:41 PM, said:

The final results are that PCLos is safer than Mandrake ( in file permissions that is, though far from alarming ) . . and VectorLinux is safer than Slackware . . . The ranking is:
1). VectorLinux
2). Slackware
3). PClos
4). Mandrake 10
5). Mandrake 9.2 ( yep, there is a difference between 9.2 and 10 )
All systems passed the test, but I did get a few warnings on file permissions on the last 4 distros . . . also they said to check .aumixrc on the Drakes . . it is just a config file for the mixer settings, so false alarm :D

B) Bruno

Drakes' file permissions depend on what setting MSEC is at. Set it to paranoid and I bet a lot of those warnings go away. Usability of the system suffers at that level as it is set up to be a VERY secure server. So secure that you have to open holes in it to get to vital services. Can't even log on as root at the console, only via SSH or su.
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#13 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 05:01 PM

Hi Nathan
All my tests were done on a default install with default settings, but with securing along the lines in This thread.
Because I am behind a hardware firewall, and not running a server, my MSEC settings are set to default = "normal" B) . . I like the usability of my system too much to alter that ;)

B) Bruno

#14 OFFLINE   mhbell
    Forum Fiend
  • Members
  • 1,922 posts

Posted 08 April 2004 - 05:45 PM

Problem solved: used the tarball instead of the rpm. Mel :D

Anyone have any luck installing this in SuSE 9.0 ? I downloaded the rpm and went to install, but there are some unmet dependencies in perl. I have the perl-digest sh-1 but don't have the MD5 or the perl Strict, whatever that is. Also the sh-1 is not recognized by the program. Checked my dvd installation source and install disk but no joy. B) Could not find them on the SuSE FTP site either.

Mel B)
Registered Linux User #239772
Open Suse 12.1 Gnome, Xfce, Cairo Dock, Cinnimon
Windows 7, Windows 8 Beta
Blogger: http://melpctec.blogspot.com/

#15 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 08 April 2004 - 05:52 PM

mhbell, on Apr 8 2004, 10:32 PM, said:

I have the perl-digest sh-1
Hi Mel . . is this a typo ? . . . All I needed was "Perl-Digest-SHA1" and it included all the missing dependencies the installer of rkhunter showed before . . . "Perl-Digest-SHA1" is available in many rpm's on the net: http://rpmfind.net/l.....ubmit=Search...

B) Bruno

#16 OFFLINE   mhbell
    Forum Fiend
  • Members
  • 1,922 posts

Posted 08 April 2004 - 07:57 PM

Bruno, on Apr 8 2004, 02:39 PM, said:

mhbell, on Apr 8 2004, 10:32 PM, said:

I have the perl-digest sh-1
Hi Mel . . is this a typo ? . . . All I needed was "Perl-Digest-SHA1" and it included all the missing dependencies the installer of rkhunter showed before . . . "Perl-Digest-SHA1" is available in many rpm's on the net: http://rpmfind.net/l.....ubmit=Search...

B) Bruno

You are right Bruno, it is a typo. My problem is solved: I downloaded the tarball and installed it, and it met all dependencies and installed all of the necessary files. Program runs great and my system is clean, :lol: Of course I am also behind a hardware firewall too. :D It appears that the RPM does not have all of the needed files. B) I would suggest that anyone wanting to install the program download and use the tarball and not the RPM. :w00t: I am running SuSE 9.0 Pro for those who don't know, so it works with it too. :w00t:

Mel B)
Registered Linux User #239772
Open Suse 12.1 Gnome, Xfce, Cairo Dock, Cinnimon
Windows 7, Windows 8 Beta
Blogger: http://melpctec.blogspot.com/

#17 OFFLINE   BarryB
    Prince Distro
  • Forum Moderators
  • 2,903 posts

Posted 08 April 2004 - 07:59 PM

Well, can add Mandrake 10 rc1 for AMD64 to the list of distros it works with.. had 1 QT file it didn't like.. but other than that,, we be cool.. ummm secure
Barry

Right when you think you know the answers..somebody goes and changes the questions
Registered Linux user #303103

#18 OFFLINE   SonicDragon
    Discussion Deity
  • Forum MVP
  • 4,188 posts

Posted 08 April 2004 - 09:27 PM

Sounds like a great program! I can't wait to give it a try.
Thanks for the extra slack directions Bruno!

#19 OFFLINE   quint
    Linux Miner
  • Forum MVP
  • 3,898 posts

Posted 08 April 2004 - 11:17 PM

Thanks, Bruno! It also works great in "DaNix" (Debian-based). ;)
~ Linux User # 314972 ~ Ubuntu User # 12930 ~

If you tell the truth you don't have to remember anything.
                -- Mark Twain



#20 ONLINE   ross549
    I live here.
  • Forum Admins
  • 9,108 posts

Posted 09 April 2004 - 12:18 AM

Well, I installed it and ran it on my system.... only came up with three alerts from what I could tell:
Need to check /etc/.aumixrc
info: Users can use SSH1-protocol
Cannot find syslog/syslog-ng daemon

I don't suffer from insanity, I enjoy it.

#21 OFFLINE   linuxdude32
    Board Bigwig
  • Members
  • 2,702 posts

Posted 09 April 2004 - 04:08 AM

Cool. Funny thing though, I get this error when I try to run the install script:
-bash: ./installer.sh: /bin/sh: bad interpreter: Permission denied
I checked permissions and paths and all appeared fine. Googled the entire error message and nothing came up, and then googled just '/bin/sh: bad interpreter: Permission denied' and as usual the first result had the answer. My download partition was set to noexec and I had tried executing the script with only its name (./installer.sh). Even though this solution wasn't suggested, I also found that running it like this worked, too:
sheridan:/home/jason/downloads/rkhunter # sh installer.sh
I LOVE Google! :) Very cool program. Found something that I need to fix in my SSH config. Not a big deal since this machine blocks everything but some ports for DCC, but still good to know! ;)
Jason Wallwork
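Added shell example, not from the thread: a check for the cause Jason found, a directory sitting on a partition mounted noexec. The function reads a mounts table in /proc/mounts format (defaulting to the real /proc/mounts) and picks the longest matching mount point; the demo feeds it a constructed table instead of a live system.

```shell
#!/bin/sh
# Added example (not from the forum thread): tell whether a path lives on a
# filesystem mounted "noexec". On such a mount the kernel refuses to exec
# "./installer.sh" and the shell reports "bad interpreter: Permission
# denied" even though the file mode is fine; "sh installer.sh" still works
# because the interpreter merely reads the file.

# noexec_mount PATH [MOUNTS_FILE] -> prints "yes" or "no"
# MOUNTS_FILE has /proc/mounts columns: device mountpoint fstype options ...
# The mount point that is the longest prefix of PATH is the one that applies
# (so /home beats / for /home/jason/...). "-" reads the table from stdin.
noexec_mount() {
    awk -v p="$1" '
        {
            mp = $2; opts = $4
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); bestopts = opts }
            }
        }
        END {
            n = split(bestopts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "yes"; exit }
            print "no"
        }' "${2:-/proc/mounts}"
}

# Constructed sample table (not from any real machine): /home and /tmp noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /home ext3 rw,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,noexec 0 0'

# sample_check PATH -> result of noexec_mount against the constructed table
sample_check() {
    printf '%s\n' "$SAMPLE_MOUNTS" | noexec_mount "$1" -
}

for dir in /home/jason/downloads/rkhunter /usr/local/bin/rkhunter /tmp; do
    echo "$dir: noexec=$(sample_check "$dir")"
done
# On a live system: noexec_mount "$PWD"   (reads /proc/mounts)
```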

#22 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 09 April 2004 - 04:38 AM

ross549, on Apr 9 2004, 05:05 AM, said:

Well, I installed it and ran on my system.... only came up with three alerts from what I could tell:
Need to check /etc/.aumixrc
info: Users can use SSH1-protocol
Cannot find syslog/syslog-ng daemon

Hi Adam
Those messages are not unusual . . . let me try to shed some light:
1). The /etc/.aumixrc file is mentioned because it is a hidden file outside of /home. Usually there are no hidden files outside /home ( also /root, the "home" for root ). Have a look at the file ( cat /etc/.aumixrc ) and you will see that it is just the mixer settings :)

rkhunter, on site, said:

Although 'hidden' files can be useful, sometimes they are an unwanted part of the system. By scanning for hidden files on places where they are not supposed to be (like in /tmp), we can track down some possible evil files.
2). The "Users can use SSH1-protocol" is very simple to fix:
# vi /etc/ssh/sshd_config
And either change the existing line "Protocol 2,1" to "Protocol 2" . . or if the line is completely missing just add that line. This will solve the problem :D ( run rkhunter again and you will see that the line is gone ;) )
Read about it: http://lwn.net/2001/...fb-openssh.php3
3). "Cannot find syslog/syslog-ng daemon" . . . this is no real problem, because syslog is written to anyway . . . but if you want to read about "syslog:syslog-ng" go here: http://www.linuxgaze.../scheidler.html
Glad your system is secure Adam ! ;)

B) Bruno
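Added shell example, not from the thread or from rkhunter itself: a check for the setting behind the "Users can use SSH1-protocol" warning, and the fix Bruno describes applied to a constructed sshd_config. It assumes a config with no Protocol line behaves as "Protocol 2,1" (which is why the post says to add the line when it is missing) and that the first Protocol directive in the file is the one sshd uses.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumption: no Protocol line
# means the old OpenSSH default "2,1", and the first directive wins.

# ssh1_allowed FILE -> prints "yes" if SSH1 can still be negotiated, else "no"
ssh1_allowed() {
    # first uncommented Protocol directive; drop the keyword and all spaces
    proto=$(grep -i '^[[:space:]]*protocol[[:space:]]' "$1" | head -n 1 \
            | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/[[:space:]]//g')
    if [ -z "$proto" ]; then proto="2,1"; fi
    case ",$proto," in
        *,1,*) echo yes ;;
        *)     echo no ;;
    esac
}

# harden_protocol FILE -> rewrite FILE so that only "Protocol 2" is in effect
harden_protocol() {
    tmp="$1.tmp"
    # remove every active Protocol directive, then append the strict one
    grep -vi '^[[:space:]]*protocol[[:space:]]' "$1" > "$tmp" || true
    printf 'Protocol 2\n' >> "$tmp"
    mv "$tmp" "$1"
}

# Demo on a constructed config (not a real /etc/ssh/sshd_config).
demo_dir=$(mktemp -d)
printf 'Port 22\nProtocol 2,1\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
echo "before: ssh1 allowed = $(ssh1_allowed "$demo_dir/sshd_config")"
harden_protocol "$demo_dir/sshd_config"
echo "after:  ssh1 allowed = $(ssh1_allowed "$demo_dir/sshd_config")"
rm -rf "$demo_dir"
# Live use (as root): harden_protocol /etc/ssh/sshd_config, then restart sshd.
```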

#23 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 09 April 2004 - 04:42 AM

BarryB, on Apr 9 2004, 12:46 AM, said:

Well, can add Mandrake 10 rc1 for AMD64 to the list of distros it works with.. had 1 QT file it didn't like.. but other than that,, we be cool.. ummm secure

Hi Barry
I know about the QT files . . . it is because some of them are hidden files and rkhunter does not like that . . ( this goes mainly for the development libs of QT; if you have the full development kit for QT you will see a lot more of those ) . . . nothing to worry about, see "1)." of my answer to Adam here above ;)

;) Bruno

#24 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 09 April 2004 - 04:56 AM

SonicDragon, on Apr 9 2004, 02:14 AM, said:

Sounds like a great program! I can't wait to give it a try.
Thanks for the extra slack directions Bruno!

Hi Sonic . . . . . the Slacker Friends have a special place in my heart . . . . ;) . . . . LOL

B) Bruno

#25 OFFLINE   Bruno
    Le Professeur Pingouin
  • Admin Emeritus
  • 37,904 posts

Posted 09 April 2004 - 04:58 AM

quint, on Apr 9 2004, 04:04 AM, said:

Thanks, Bruno! It also works great in "DaNix" (Debian-based). ;)
Hi Quint
Glad to know it works for you too . . . will you send a report to Michael Boelen so he can add DaNix to the list of distros where rkhunter is reported to work ?

:) Bruno



