Rootkit Hunter


Bruno


Yesterday I was reading an article on NewsForge by Joe Barr on "rkhunter", a new rootkit search program ( and more ! ). So I went to the website http://www.rootkit.nl of the Dutch programmer who made rkhunter and put it through the test on:

Mandrake 9.2
Mandrake 10
Vectorlinux 3.2 SOHO
PCLos

Very nice program ! Does a lot more than "chkrootkit", the program we have been recommending up till now. I reported back to Michael Boelen ( the maker ) that he could add MDK 10, PCLos and VectorLinux to the list on his site of distros where it was reported to work.

The only distro I can not get it installed on was Slackware . . . I need "Perl-Digest-SHA1" to make it install ( did need that in both Mandrakes too, but found it on the CD ) . . . . but am unable to find it, not on freshmeat, sourceforge, or the usual Slackpackages sites. Also Swaret did give no joy.

Anyway: I do recommend this program by my fellow citizen . . . :D Read Joe Barr on how to use it, and get the file ( rpm ) from the ftp :o

Bruno



Thanks for the link. I'm thinking of going with broadband soon, so I definitely want my computer to be as secure as possible. In Linux, a rootkit scanner is probably a lot more important than a virus scanner. I may even see if the AIX guys at work would care to use it.


Extra directions for Slackware: I unpacked rkhunter and the Perl-Digest-SHA1 in /usr/local/bin ( tar -zxvf ) . . . then ran "/usr/local/bin/rkhunter/installer.sh" to install it . . . then made a symlink:

# ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter

so it was in the "path" . . . Now running:

# rkhunter -c --createlogfile

Does the job ! :D Wow this is fun ! :D

Bruno


nlinecomputers

It checks for rootkits: tools installed by hacker/cracker types to compromise your system. This checks your system for common weak points such as world-writable files or the presence of such rootkits on your system. A good cracker will of course move to disable this, but even that is a clue to you. If you stop getting reports via email then something is wrong. MSEC in Mandrake performs a similar function. Also see Bastille (sp?).


Bruno, This might be a stupid question, but what does it do?? Thanks

Hi Adam . . it hunts for "rootkits" and unsafe files and unsafe permissions on files . . also unusual hidden files in / . . . does an MD5 check . . . and a lot more . . . :D Just read the sites I linked you to :D the Joe Barr article is pretty clear . . ( I thought it was :o ) B) Bruno

The final results are that PCLos is safer than Mandrake ( in file permissions that is, though far from alarming ) . . and VectorLinux is safer than Slackware . . . The ranking is:

1). VectorLinux
2). Slackware
3). PCLos
4). Mandrake 10
5). Mandrake 9.2 ( yep, there is a difference between 9.2 and 10 )

All systems passed the test, but I did get a few warnings on file permissions on the last 4 distros . . . also they said to check .aumixrc on the Drakes . . it is just a config file for the mixer settings so false alarm :D B) Bruno


nlinecomputers
The final results are that PCLos is safer than Mandrake ( in file permissions that is, though far from alarming ) . . and VectorLinux is safer than Slackware . . . The ranking is:

1). VectorLinux
2). Slackware
3). PCLos
4). Mandrake 10
5). Mandrake 9.2 ( yep, there is a difference between 9.2 and 10 )

All systems passed the test, but I did get a few warnings on file permissions on the last 4 distros . . . also they said to check .aumixrc on the Drakes . . it is just a config file for the mixer settings so false alarm :D B) Bruno

Drakes' file permissions depend on what setting MSEC is at. Set it to paranoid and I bet a lot of those warnings go away. Usability of the system suffers at that level, as it is set up to be a VERY secure server. So secure that you have to open holes in it to get to vital services. Can't even log on as root at the console, only via SSH or su.

Hi Nathan

All my tests were done on a default install with default settings, but with securing along the lines in this thread. Because I am behind a hardware firewall, and not running a server, my MSEC settings are set to default = "normal" B) . . I like the usability of my system too much to alter that ;) B) Bruno


Problem solved: used the tarball instead of the rpm. Mel :D

Anyone have any luck installing this in SuSE 9.0 ? I downloaded the rpm and went to install, but there are some unmet dependencies in perl. I have the perl-digest sh-1 but don't have the MD5 or the perl Strict, whatever that is. Also the sh-1 is not recognized by the program. Checked my DVD installation source and install disk but no joy. B) Could not find them on the SuSE FTP site either. Mel B)


I have the perl-digest sh-1

Hi Mel . . is this a typo ? . . . All I needed was "Perl-Digest-SHA1" and it included all the missing dependencies the installer of rkhunter showed before . . . "Perl-Digest-SHA1" is available in many rpm's on the net: http://rpmfind.net/linux/rpm2html/search.p.....ubmit=Search+... B) Bruno

You are right Bruno, it is a typo. My problem is solved: I downloaded the tarball and installed it, and it met all dependencies and installed all of the necessary files. Program runs great and my system is clean :lol: Of course I am also behind a hardware firewall too. :D It appears that the RPM does not have all of the needed files. B) I would suggest that anyone wanting to install the program download and use the tarball and not the RPM. :w00t: I am running SuSE 9.0 Pro for those who don't know, so it works with it too. :w00t: Mel B)

Well, can add Mandrake 10 rc1 for AMD64 to the list of distros it works with.. had 1 QT file it didn't like.. but other than that, we be cool.. ummm, secure


Well, I installed it and ran it on my system.... only came up with three alerts from what I could tell:

Need to check /etc/.aumixrc
info: Users can use SSH1-protocol
Cannot find syslog/syslog-ng daemon


linuxdude32

Cool. Funny thing though, I get this error when I try to run the install script:

-bash: ./installer.sh: /bin/sh: bad interpreter: Permission denied

I checked permissions and paths and all appeared fine. Googled the entire error message and nothing came up, and then googled just '/bin/sh: bad interpreter: Permission denied' and as usual the first result had the answer. My download partition was set to noexec and I had tried executing the script with only its name (./installer.sh). Even though this solution wasn't suggested, I also found that running it like this worked, too:

sheridan:/home/jason/downloads/rkhunter # sh installer.sh

I LOVE Google! :) Very cool program. Found something I need to fix in my SSH config. Not a big deal since this machine blocks everything but some ports for DCC, but still good to know! ;)
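The "bad interpreter: Permission denied" message above comes from the kernel refusing to execute a file on a filesystem mounted noexec, which is why invoking the interpreter directly ("sh installer.sh") still works. The script below is an added example, not something from the thread or from rkhunter: it finds the mount point holding a given path and checks its options, using a constructed /proc/mounts-style table (the device names, mount points and option strings are made up) so it runs anywhere. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or rkhunter): explain why "./installer.sh"
# fails with "bad interpreter: Permission denied" when the download partition is
# mounted noexec. Uses a constructed /proc/mounts-style table so it runs offline.

# Constructed mount table in /proc/mounts format (assumption: /home is a
# separate partition mounted noexec, the root filesystem is not).
MOUNTS=$(mktemp)
trap 'rm -f "$MOUNTS"' EXIT
cat > "$MOUNTS" <<'EOF'
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda3 /home ext3 rw,nosuid,nodev,noexec 0 0
EOF

# Longest mount point that is a prefix of the given path, i.e. the filesystem
# that actually holds the file (what "df <path>" would report).
mount_point_for() {
    path=$1; table=$2
    awk -v p="$path" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > length(best)) best = mp }
        END { print best }' "$table"
}

# Exit status 0 when the mount point carries the noexec option in the table.
has_noexec() {
    mp=$1; table=$2
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit (found ? 0 : 1) }' "$table"
}

# Human-readable verdict for a script path, mirroring the diagnosis in the post.
explain_exec_failure() {
    script=$1; table=$2
    mp=$(mount_point_for "$script" "$table")
    if has_noexec "$mp" "$table"; then
        echo "$script is on $mp (noexec): the kernel will not execute it directly; run 'sh $script' or unpack it on a filesystem mounted exec"
    else
        echo "$script is on $mp (exec allowed): check the file mode (chmod +x) and the #! line instead"
    fi
}

explain_exec_failure /home/jason/downloads/rkhunter/installer.sh "$MOUNTS"
explain_exec_failure /usr/local/src/rkhunter/installer.sh "$MOUNTS"
```

On a live system, replace the constructed table with /proc/mounts. Note that noexec only stops direct execution of a file; as the post shows, feeding the same file to an interpreter still runs it, so it is a convenience guard for downloads, not a control you can rely on against a determined user.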


Well, I installed it and ran it on my system.... only came up with three alerts from what I could tell:

Need to check /etc/.aumixrc
info: Users can use SSH1-protocol
Cannot find syslog/syslog-ng daemon

Hi Adam

Those messages are not unusual . . . let me try to shed some light:

1). The /etc/.aumixrc file is mentioned because it is a hidden file outside of /home. Usually there are no hidden files outside /home ( also /root, the "home" for root ). Have a look at the file ( cat /etc/.aumixrc ) and you will see that they are just the mixer settings :)

Although 'hidden' files can be useful, sometimes they are an unwanted part of the system. By scanning for hidden files in places where they are not supposed to be (like in /tmp), we can track down some possible evil files.

2). The "Users can use SSH1-protocol" is very simple to fix:

# vi /etc/ssh/sshd_config

And either change the existing line "Protocol 2,1" to "Protocol 2" . . or if the line is completely missing just add that line. This will solve the problem :D ( run rkhunter again and you will see that the line is gone ;) ) Read about it: http://lwn.net/2001/0215/a/fb-openssh.php3

3). "Cannot find syslog/syslog-ng daemon" . . . this is no real problem, because syslog is written to anyway . . . but if you want to read about "syslog:syslog-ng" go here: http://www.linuxgazette.com/issue43/scheidler.html

Glad your system is secure Adam ! ;) B) Bruno
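To make points 1) and 2) concrete, here is an added example (my own code, not rkhunter's and not from the thread): it builds a scratch tree with constructed sample files, lists hidden entries outside the home tree the way the "hidden files" warning does, classifies the Protocol line of an sshd_config, and applies the "Protocol 2" fix on a copy. The file contents, the SKIP_TREE variable and the function names are assumptions made for the example; the real rkhunter check covers more locations and has a whitelist of known-good files, which is why /etc/.aumixrc and the QT lock files show up as "please inspect" rather than as findings.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: reproduce two checks discussed in this
# thread on a constructed scratch tree, so you can see why a hidden file such as
# /etc/.aumixrc is reported and why "Protocol 2,1" trips the SSH1 warning.

SCRATCH=$(mktemp -d)              # assumption: mktemp -d is available
trap 'rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/etc/ssh" "$SCRATCH/tmp" "$SCRATCH/home/user"

# Constructed sample files (contents are made up for the example).
printf 'vol_main=80\n' > "$SCRATCH/etc/.aumixrc"   # hidden file outside home: reported, but benign
: > "$SCRATCH/home/user/.bashrc"                  # hidden file in a home dir: expected, skipped
: > "$SCRATCH/tmp/.hidden-thing"                  # hidden file in /tmp: worth inspecting
printf 'Port 22\nProtocol 2,1\n' > "$SCRATCH/etc/ssh/sshd_config"
SKIP_TREE="$SCRATCH/home"                         # tree where dotfiles are normal

# List hidden entries (dotfiles and dot-directories) under the given roots,
# skipping the home tree: the thread's "hidden files outside /home" check.
find_hidden_files() {
    find "$@" -name '.*' ! -path "$SKIP_TREE/*" 2>/dev/null | sort
}

# Classify the Protocol directive of an sshd_config: prints "ssh1-allowed",
# "ssh2-only" or "protocol-unset" (for the last, the thread's advice is to add
# an explicit "Protocol 2" line).
check_ssh_protocol() {
    proto=$(grep -i '^[[:space:]]*Protocol' "$1" | tail -n 1 | awk '{print $2}')
    case "$proto" in
        "")  echo protocol-unset ;;
        *1*) echo ssh1-allowed ;;
        *)   echo ssh2-only ;;
    esac
}

# Apply the fix from the thread: rewrite any Protocol line to "Protocol 2", or
# append one when the directive is missing (sed to a temp file, then move, so
# it does not depend on GNU "sed -i").
fix_ssh_protocol() {
    conf=$1
    if grep -qi '^[[:space:]]*Protocol' "$conf"; then
        sed 's/^[[:space:]]*Protocol.*/Protocol 2/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo 'Protocol 2' >> "$conf"
    fi
}

# Demo run; the fix is applied to a copy so the original stays as constructed.
echo "Hidden entries outside $SKIP_TREE:"
find_hidden_files "$SCRATCH/etc" "$SCRATCH/tmp" "$SCRATCH/home"
echo "sshd_config before: $(check_ssh_protocol "$SCRATCH/etc/ssh/sshd_config")"
cp "$SCRATCH/etc/ssh/sshd_config" "$SCRATCH/etc/ssh/sshd_config.fixed"
fix_ssh_protocol "$SCRATCH/etc/ssh/sshd_config.fixed"
echo "sshd_config after:  $(check_ssh_protocol "$SCRATCH/etc/ssh/sshd_config.fixed")"
```

On a real host you would point the functions at /etc, /tmp and /etc/ssh/sshd_config and then restart sshd after the edit; the hidden-file list is a starting point for inspection (cat the file, check its package ownership), not a verdict on its own.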


Well, can add Mandrake 10 rc1 for AMD64 to the list of distros it works with.. had 1 QT file it didn't like.. but other than that, we be cool.. ummm, secure

Hi Barry

I know about the QT files . . . it is because some of them are hidden files and rkhunter does not like that . . ( This goes mainly for the development libs of QT; if you have the full development kit for QT you will see a lot more of those ) . . . nothing to worry about, see "1)." of my answer to Adam here above ;) ;) Bruno

Sounds like a great program! I can't wait to give it a try. Thanks for the extra Slack directions Bruno!

Hi Sonic . . . . . the Slacker friends have a special place in my heart . . . . ;) . . . . LOL B) Bruno

Thanks, Bruno! It also works great in "DaNix" (Debian-based). ;)

Hi Quint

Glad to know it works for you too . . . will you send a report to Michael Boelen so that he can add DaNix to the list of distros where rkhunter is reported to work ? :) Bruno

2). The "Users can use SSH1-protocol" is very simple to fix:

# vi /etc/ssh/sshd_config

And either change the existing line "Protocol 2,1" to "Protocol 2" . . or if the line is completely missing just add that line. This will solve the problem :D ( run rkhunter again and you will see that the line is gone :) ) Read about it: http://lwn.net/2001/0215/a/fb-openssh.php3

Hi, Bruno... I figured that aumixrc had something to do with the mixer. I listed it because the rootkit hunter mentioned it. Now the SSHd thing is a bit more confusing. I already have that line in the config file! It may be complaining about it because sshd is a service on my computer. LilBambi's husband Jim uses SSH to get into my system (when I unblock the port in my router) occasionally to help me with various problems. I also figured that syslog was not really that important, because it is logging stuff....... when have I ever needed that?? ;)

I get the following:

* Filesystem checks
Checking /dev for suspicious files...                      [ OK ]
Scanning for hidden files...                            [ Warning! ]
---------------
/dev/.devfsd
/etc/.pwd.lock
/etc/.qt_plugins_3.2rc.lock
/etc/.qtrc.lock
---------------
Please inspect:  /dev/.devfsd (character special (254/0))

Also, it says the OS isn't fully supported and skips the MD5 checks.

I get the following:

* Filesystem checks
Checking /dev for suspicious files...                      [ OK ]
Scanning for hidden files...                            [ Warning! ]
---------------
/dev/.devfsd
/etc/.pwd.lock
/etc/.qt_plugins_3.2rc.lock
/etc/.qtrc.lock
---------------
Please inspect:  /dev/.devfsd (character special (254/0))

Also, it says the OS isn't fully supported and skips the MD5 checks.

Hi Greg

Those are hidden files the program does not have in its database to recognize as okay . . . . . the QT ones are harmless because QT has a whole bunch of them in the development libs . . the /dev/.devfsd is specific for Mandrake 10 and not to worry about either, nor should you worry about the /etc/.pwd.lock. See, rkhunter is made to run on all distros, so you can not prevent it showing some files as suspect that are in fact quite okay . . . I think when we come to version 5.0 those things will be ironed out. :thumbsup: Bruno
