Scot's Newsletter Forums
Bruno

Rootkit Hunter


Yesterday I was reading an [url="http://software.newsforge.com/article.pl?sid=04/04/05/1929215&mode=thread&tid=78&tid=82"]Article[/url] on NewsForge by Joe Barr on "rkhunter", a new rootkit search program ( and more ! ). So I went to the website [url="http://www.rootkit.nl"]http://www.rootkit.nl[/url] of the Dutch programmer who made rkhunter and put it through the test on:
Mandrake 9.2
Mandrake 10
Vectorlinux 3.2 SOHO
PCLos
Very nice program ! Does a lot more than "chkrootkit", the program we have been recommending up till now.
I reported back to Michael Boelen ( the maker ) that he could add MDK 10, PCLos and VectorLinux to the list on his site of distros where it was reported to work.
The only distro I could not get it installed on was Slackware . . . I need "Perl-Digest-SHA1" to make it install ( did need that in both Mandrakes too, but found it on the CD ) . . . . but am unable to find it, not on freshmeat, sourceforge, or the usual Slackpackages sites. Swaret also gave no joy.
Anyway: I do recommend this program by my fellow citizen . . . :D
Read Joe Barr on how to use it, and get the file ( rpm ) from the ftp :o
Bruno

You are welcome Nathan !!

UPDATE: I found the Perl-Digest-SHA1 file for Slackware ( well, the source package in .tar.gz ):
[url="http://www.ultramonkey.org/download/2.0.1/source/perl-Digest-SHA1/"]http://www.ultramonkey.org/download/2.0.1/...rl-Digest-SHA1/[/url]
Unpacking is all you have to do :D
B) Bruno

Thanks for the link. I'm thinking of going with broadband soon, so I definitely want my computer to be as secure as possible. In Linux, a rootkit scanner is probably a lot more important than a virus scanner.
I may even see if the AIX guys at work would care to use it.

Bruno,
This might be a stupid question, but what does it do??
Thanks

Extra directions for Slackware:
I unpacked rkhunter and the Perl-Digest-SHA1 in /usr/local/bin ( tar -zxvf ) . . . then ran "/usr/local/bin/rkhunter/installer.sh" to install it . . . then made a symlink:
[code]# ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter[/code]
so it was in the "path" . . .
Now running:
[code]# rkhunter -c --createlogfile[/code]
Does the job ! :D
Wow this is fun ! :D
Bruno

It checks for rootkits: tools installed by hacker/cracker types to compromise your system. This checks your system for common weak points such as world writable files or the presence of such rootkits on your system. A good cracker will of course move to disable this, but even that is a clue to you. If you stop getting reports via email then something is wrong. MSEC in Mandrake performs a similar function. Also see Bastille.

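The "world writable files" weak point Nathan mentions can be checked by hand. The following shell snippet is an added example written for this thread, not rkhunter's own code: it lists world-writable regular files and, going a little beyond the post, world-writable directories that lack the sticky bit (a world-writable /tmp is normal because the sticky bit stops users deleting each other's files, while a world-writable directory without it is not). The directory tree it runs on is constructed inside the script, so it touches nothing on the real system.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: list the "weak points" a rootkit
# scanner flags, world-writable regular files and world-writable directories
# without the sticky bit, under a given directory tree.

# find_world_writable_files DIR: regular files whose "other" write bit is set
find_world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# find_unsticky_world_writable_dirs DIR: directories anyone can write to that
# lack the sticky bit, so anyone can also remove other users' entries.
# A 1777 directory such as /tmp is world-writable by design and is not listed.
find_unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# count_weak_points DIR: total number of findings, handy for a pass/fail check
count_weak_points() {
    { find_world_writable_files "$1"; find_unsticky_world_writable_dirs "$1"; } | wc -l | tr -d ' '
}

# Self-contained demo on a constructed directory tree (not a real system path)
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/tmp" "$demo/dropbox"
printf 'x\n' > "$demo/etc/safe.conf";  chmod 0644 "$demo/etc/safe.conf"
printf 'x\n' > "$demo/etc/loose.conf"; chmod 0666 "$demo/etc/loose.conf"
chmod 1777 "$demo/tmp"       # world-writable with sticky bit: not flagged
chmod 0777 "$demo/dropbox"   # world-writable without sticky bit: flagged
echo "world-writable files:";            find_world_writable_files "$demo"
echo "world-writable dirs without +t:";  find_unsticky_world_writable_dirs "$demo"
echo "total findings: $(count_weak_points "$demo")"
rm -rf "$demo"
```

Point the functions at /etc or /usr to see what your own install reports; on the constructed tree the demo lists exactly one file and one directory.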
[quote name='ross549' date='Apr 8 2004, 08:25 PM']Bruno,
This might be a stupid question, but what does it do??
Thanks[/quote]
Hi Adam . . it hunts for "rootkits" and unsafe files and unsafe permissions to files . . also unusual hidden files in / . . . does an MD5 check . . . and a lot more . . . :D
Just read the sites I linked you to :D the Joe Barr article is pretty clear . . ( I thought it was :o )
B) Bruno

The final results are that PCLos is safer than Mandrake ( in file permissions that is, though far from alarming ) . . and VectorLinux is safer than Slackware . . . The ranking is:
1). VectorLinux
2). Slackware
3). PCLos
4). Mandrake 10
5). Mandrake 9.2 ( yep there is a difference between 9.2 and 10 )
All systems passed the test, but I did get a few warnings on file permissions on the last 4 distros . . . also they said to check .aumixrc on the Drakes . . it is just a config file for the mixer settings so false alarm :D
B) Bruno

[quote name='Bruno' date='Apr 8 2004, 02:41 PM']The final results are that PCLos is safer than Mandrake ( in file permissions that is, though far from alarming ) . . and VectorLinux is safer than Slackware . . . The ranking is:
1). VectorLinux
2). Slackware
3). PCLos
4). Mandrake 10
5). Mandrake 9.2 ( yep there is a difference between 9.2 and 10 )
All systems passed the test, but I did get a few warnings on file permissions on the last 4 distros . . . also they said to check .aumixrc on the Drakes . . it is just a config file for the mixer settings so false alarm :D
B) Bruno[/quote]
Drakes' file permissions depend on what setting MSEC is at. Set it to paranoid and I bet a lot of those warnings go away. Usability of the system suffers at that level, as it is set up to be a VERY secure server. So secure that you have to open holes in it to get to vital services. Can't even log on as root at the console, only via SSH or su.

Hi Nathan
All my tests were done on a default install with default settings, but with securing along the lines in [url="http://forums.scotsnewsletter.com/index.php?act=ST&f=14&t=6400"]This[/url] thread.
Because I am behind a hardware firewall, and not running a server, my MSEC settings are set to default = "normal" B) . . I like the usability of my system too much to alter that ;)
B) Bruno

Problem solved: used the tarball instead of the rpm. Mel :D

Anyone have any luck installing this in SuSE 9.0 ? I downloaded the rpm and went to install, but there are some unmet dependencies in perl. I have the perl-digest sh-1 but don't have the MD5 or the perl Strict, whatever that is. Also the sh-1 is not recognized by the program. Checked my dvd installation source and install disk but no joy. B) Could not find them on the SuSE FTP site either.
Mel B)

[quote name='mhbell' date='Apr 8 2004, 10:32 PM']I have the perl-digest sh-1[/quote]
Hi Mel . . is this a typo ? . . . All I needed was "Perl-Digest-SHA1" and it included all the missing dependencies the installer of rkhunter showed before . . . "Perl-Digest-SHA1" is available in many rpm's on the net:
[url="http://rpmfind.net/linux/rpm2html/search.php?query=+++Perl-Digest-SHA1&submit=Search+"]http://rpmfind.net/linux/rpm2html/search.p...ubmit=Search+[/url]
B) Bruno

[quote name='Bruno' date='Apr 8 2004, 02:39 PM'][quote name='mhbell' date='Apr 8 2004, 10:32 PM']I have the perl-digest sh-1[/quote]
Hi Mel . . is this a typo ? . . . All I needed was "Perl-Digest-SHA1" and it included all the missing dependencies the installer of rkhunter showed before . . . "Perl-Digest-SHA1" is available in many rpm's on the net:
[url="http://rpmfind.net/linux/rpm2html/search.php?query=+++Perl-Digest-SHA1&submit=Search+"]http://rpmfind.net/linux/rpm2html/search.p.....ubmit=Search+[/url]
B) Bruno[/quote]
You are right Bruno, it is a typo. My problem is solved: I downloaded the tarball and installed it, and it met all dependencies and installed all of the necessary files. The program runs great and my system is clean. :lol: Of course I am also behind a hardware firewall too. :D It appears that the RPM does not have all of the needed files. B) I would suggest that anyone wanting to install the program download and use the tarball and not the RPM. :w00t: I am running SuSE 9.0 Pro for those who don't know, so it works with it too. :w00t:
Mel B)

Well, can add Mandrake 10 rc1 for AMD64 to the list of distros it works with.. had 1 QT file it didn't like.. but other than that,, we be cool.. ummm secure

Well, I installed it and ran it on my system.... only came up with three alerts from what I could tell:
[code]Need to check /etc/.aumixrc
info: Users can use SSH1-protocol
Cannot find syslog/syslog-ng daemon[/code]

Cool. Funny thing though, I get this error when I try to run the install script:
[code]-bash: ./installer.sh: /bin/sh: bad interpreter: Permission denied[/code]
I checked permissions and paths and all appeared fine. Googled the entire error message and nothing came up, and then googled just '/bin/sh: bad interpreter: Permission denied' and as usual the [url="http://forums.gentoo.org/viewtopic.php?p=873840"]first result[/url] had the answer. My download partition was set to noexec and I had tried executing the script with only its name (./installer.sh). Even though this solution wasn't suggested, I also found that running it like this worked, too:
[code]sheridan:/home/jason/downloads/rkhunter # sh installer.sh[/code]
I LOVE Google! :) Very cool program. Found something I need to fix in my SSH config. Not a big deal since this machine blocks everything but some ports for DCC, but still good to know! ;)

[quote name='ross549' date='Apr 9 2004, 05:05 AM']Well, I installed it and ran it on my system.... only came up with three alerts from what I could tell:
[code]Need to check /etc/.aumixrc
info: Users can use SSH1-protocol
Cannot find syslog/syslog-ng daemon[/code][/quote]
Hi Adam
Those messages are not unusual . . . let me try to shed some light:

[b]1).[/b] The /etc/.aumixrc file is mentioned because it is a hidden file outside of /home. Usually there are no hidden files outside /home ( also /root, the "home" for root ). Have a look at the file ( cat /etc/.aumixrc ) and you will see that it is just the mixer settings :)
[quote name='rkhunter' date='site']Although 'hidden' files can be useful, sometimes they are an unwanted part of the system. By scanning for hidden files on places where they are not supposed to be (like in /tmp), we can track down some possible evil files.[/quote]

[b]2).[/b] The "Users can use SSH1-protocol" is very simple to fix:
[code]# vi /etc/ssh/sshd_config[/code]
And either change the existing line "Protocol 2,1" to "Protocol 2" . . or if the line is completely missing just add that line. This will solve the problem :D ( run rkhunter again and you will see that the line is gone ;) )
Read about it: [url="http://lwn.net/2001/0215/a/fb-openssh.php3"]http://lwn.net/2001/0215/a/fb-openssh.php3[/url]

[b]3).[/b] "Cannot find syslog/syslog-ng daemon" . . . this is no real problem, because syslog is written to anyway . . . but if you want to read about "syslog:syslog-ng" go here: [url="http://www.linuxgazette.com/issue43/scheidler.html"]http://www.linuxgazette.com/issue43/scheidler.html[/url]

Glad your system is secure Adam ! ;)
B) Bruno

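Points 1) and 2) of Bruno's reply above can both be scripted. The shell snippet below is an added example, not rkhunter's own code: find_hidden_files lists dot-entries directly under a directory where none are expected (the /etc/.aumixrc case), ssh_protocol_status reports whether an sshd_config still allows SSH1, and fix_ssh_protocol rewrites a file so it carries exactly one "Protocol 2" line, replacing an existing "Protocol 2,1" or appending the line when it is missing, which are the two cases Bruno describes. It works on whatever path it is given, so the demo runs it on a constructed copy, not the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not rkhunter's own code or config: the hidden-file check and
# the sshd_config "Protocol" fix from the thread, as reusable shell functions.

# find_hidden_files DIR: dot-files and dot-directories directly under DIR,
# the kind of entry rkhunter flags outside home directories (e.g. /etc/.aumixrc)
find_hidden_files() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null | sort
}

# ssh_protocol_status FILE: prints "ok" when the last uncommented Protocol line
# lists only version 2, "ssh1-allowed" when it lists version 1 (as in
# "Protocol 2,1"), and "missing" when there is no Protocol line at all
# (old OpenSSH then fell back to allowing SSH1, which is what rkhunter warns about).
ssh_protocol_status() {
    line=$(grep -E '^[[:space:]]*Protocol[[:space:]]' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif echo "$line" | grep -Eq '(^|[, ])1([, ]|$)'; then
        echo ssh1-allowed
    else
        echo ok
    fi
}

# fix_ssh_protocol FILE: rewrite FILE so it contains exactly one "Protocol 2"
# line. Existing uncommented Protocol lines are replaced; if there are none,
# the line is appended. Commented-out lines such as "#Protocol 2" are left alone.
fix_ssh_protocol() {
    tmp="$1.tmp.$$"
    if grep -Eq '^[[:space:]]*Protocol[[:space:]]' "$1"; then
        sed -E 's/^[[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$1" > "$tmp"
    else
        cat "$1" > "$tmp"
        echo 'Protocol 2' >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# Self-contained demo on constructed inputs (a scratch directory and a fake
# sshd_config copy), so nothing on the real system is touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/.aumixrc"; : > "$demo_dir/hosts"
echo "hidden entries:"; find_hidden_files "$demo_dir"

demo_cfg=$(mktemp)
printf 'Port 22\nProtocol 2,1\n#Protocol 2\n' > "$demo_cfg"
echo "before: $(ssh_protocol_status "$demo_cfg")"
fix_ssh_protocol "$demo_cfg"
echo "after:  $(ssh_protocol_status "$demo_cfg")"
rm -rf "$demo_dir" "$demo_cfg"
```

On the constructed config the status goes from ssh1-allowed to ok; run rkhunter again afterwards, as Bruno suggests, to confirm the warning is gone on a real host.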
[quote name='BarryB' date='Apr 9 2004, 12:46 AM']Well, can add Mandrake 10 rc1 for AMD64 to the list of distros it works with.. had 1 QT file it didn't like.. but other than that,, we be cool.. ummm secure[/quote]
Hi Barry
I know about the QT files . . . it is because some of them are hidden files and rkhunter does not like that . . ( This goes mainly for the development libs of QT; if you have the full development kit for QT you will see a lot more of those ) . . . nothing to worry about, see "[b]1).[/b]" of my answer to Adam here above ;)
;) Bruno

[quote name='SonicDragon' date='Apr 9 2004, 02:14 AM']Sounds like a great program! I can't wait to give it a try.
Thanks for the extra Slack directions Bruno![/quote]
Hi Sonic . . . . . the Slacker Friends have a special place in my heart . . . . ;) . . . . LOL
B) Bruno

[quote name='quint' date='Apr 9 2004, 04:04 AM']Thanks, Bruno! It also works great in "DaNix" (Debian-based). ;)[/quote]
Hi Quint
Glad to know it works for you too . . . will you send a report to Michael Boelen so he can add DaNix to the list of distros where rkhunter is reported to work ?
:) Bruno

