linuxdude32 Posted April 12, 2004
> Also, it says the OS isn't fully supported and skips the MD5 checks.
Let the author know this, Greg. I did for my distro since it said the same thing, and he said the next version should support it. I think it's just because different distros have the md5 programs in different places.
Bruno (Author) Posted April 12, 2004
I think Greg tested it on Mandrake 10.0 . . the support of 10.0 was only added on April 11 (it was not in the list before that date), so it will surely be in the next version.
Bruno
jodef Posted April 13, 2004
Was checking out the site and noticed, as of today's date, a new release; the change log is as follows:
New:
- Added support for FreeBSD 4.9 and 5.2.1
- Added support for SuSE 9.0 (i386 and i586). Thanks to multiple people
- Added support for Trustix. Thanks to Joachim Holst
- Added support for Whitebox Enterprise Linux 3.0. Thanks to Fire
- Added support for CentOS 3.1. Thanks to Fire
- Added support for Mandrake 10 (community release). Thanks to Ted Kline
- Added support for CPUBuilders Linux. Thanks to Chris Locke
- Added support for Gentoo's 'rc.local' file (local.start)
- Added parameter '--bindir' to use another (binary) directory than the default ones (to select which binaries will be used to perform the tests). Requested by Joel.
- Added parameter '--configfile' to use another configuration file.
- Added parameter '--dbdir' to use another (dynamic) database directory
- Added a check when dynamic parameters are used (like --dbdir, --bindir) to check the existence of these paths/files.
- Added lsmod check (/proc/modules) for Linux distros. Thanks to Micah Anderson
Changes:
- Updated hashes for Mandrake 9.2. Thanks to John P. New and others.
- Updated hashes for Red Hat Enterprise Linux Update 1. Thanks to Eilko
- Added informational message, when 'PermitRootLogin' or SSH protocol 1 is found, into the logfile
- Renamed .spec file to rkhunter.spec
- Updated installer. Thanks to Uwe Hermann
- Improved LKM check. Thanks to Joe Croft
- Improved logging
- Fixed a problem with ifconfig
Bruno (Author) Posted April 13, 2004
That is the new release Johann . . 1.0.6 . . . . we all have downloaded the 1.0.5 last week . . . Time to upgrade? Or shall we wait for 1.0.7 that is in development?
Bruno
SonicDragon Posted April 22, 2004
I got a chance to try this program today and so far so good. Everything installed and ran very smoothly and found no rootkits.
> The only Distro I can not get it installed was Slackware . . . I need "Perl-Digest-SHA1" to make it install
Strange, I had no problems with it at all.
Bruno (Author) Posted April 22, 2004
> UPDATE: I found the Perl-Digest-SHA1 file for slackware ( well the source package in .tar.gz ): http://www.ultramonkey.org/download/2.0.1/...rl-Digest-SHA1/
> Unpacking is all you have to do :D B)
> Bruno
Hi Sonic . . . . I did manage to install it . . but it was a few posts later before I did find the file needed B) LOL
Yep it is a very nice program, and it will be added to the next version of Drake ISO's ( 10.1 ); they are working at it in the cooker.
Bruno
SonicDragon Posted April 22, 2004
> Yep it is a very nice program, and it will be added to the next version of Drake ISO's ( 10.1 ); they are working at it in the cooker.
Go Mandrake. I definitely think this is something that all distros should include.
SonicDragon Posted April 23, 2004
The Screensavers just did a segment on rootkits today.
jodef Posted May 4, 2004
Just tried this program for the first time. Everything looked more or less OK, however this little notice did catch my attention. Is it something I should be worried about?
Scanning for hidden files...                [ Warning! ]
---------------
/dev/.devfsd
/etc/.pwd.lock
/etc/.qt_plugins_3.2rc.lock
---------------
Please inspect: /dev/.devfsd (character special (254/0))
Tried to look at /dev/.devfsd without luck. Help appreciated, thx.
Bruno (Author) Posted May 4, 2004
Hi Johann
It shows you the files because they are hidden files in an unusual place ( /dev does usually not harbour hidden files ) . . . . . but I have /dev/.devfsd too, it is a simple device file, nothing special with it :D B)
Bruno
jodef Posted May 4, 2004
> Hi Johann
> It shows you the files because they are hidden files in an unusual place ( /dev does usually not harbour hidden files ) . . . . . but I have /dev/.devfsd too, it is a simple device file, nothing special with it :D B)
> Bruno
Thx Bruno, one less problem to worry about.
linuxdude32 Posted May 4, 2004
Going to be demonstrating RKhunter at the upcoming PLUG meeting amongst other things. Thanks for letting me know about this little gem, Bruno. Showed my cousin who's an admin and he loved it.
Bruno (Author) Posted May 4, 2004
You're welcome Jason! . . . I will tell Michael Boelen that he can expect some major traffic from Canada :D B)
Bruno
linuxdude32 Posted May 5, 2004
> You're welcome Jason! . . . I will tell Michael Boelen that he can expect some major traffic from Canada
Yeah, he'd better set up another server to handle all that extra traffic!
Dard Posted May 24, 2004
> 22 May - Release 1.0.9 available
> This new release fixes some incorrect MD5 hashes and adds support for Mandrake 10 hashes, Fedora Core 2 (with hashes), SuSE 9.1 (with hashes), Balaur Rootkit (rootkit). It also has an improved installer by "Medon".
> http://www.rootkit.nl/
I'm gonna have to try this out.
linuxdude32 Posted May 24, 2004
> 22 May - Release 1.0.9 available
> This new release fixes some incorrect MD5 hashes and adds support for Mandrake 10 hashes, Fedora Core 2 (with hashes), SuSE 9.1 (with hashes), Balaur Rootkit (rootkit). It also has an improved installer by "Medon".
> http://www.rootkit.nl/
> I'm gonna have to try this out.
Anybody else try this new version with SuSE 9.1 yet? I received several incorrect MD5 hashes, but this is a fresh install! I wrote the author. Hate to think somebody hacked me already!
linuxdude32 Posted May 24, 2004
Update: The author, Michael Boelen, replied to my email:
> Hi,
> I know.. I installed my system and didn't patch it and missed the update ;-)
> If you want you can use the 1.1.0 prerelease (it contains the updated hashes too) ;-)
> URL: http://downloads.rootkit.nl/rkhunter-test.tar.gz
> Michael
> Rootkit.nl
Dard Posted May 24, 2004
> Anybody else try this new version with SuSE 9.1 yet?
Not yet, but I hope to be installing SuSE 9.1 by the end of the week here. :D
Actually I still have to try this with mandrake 10.0 official. I had better start reading the instructions and get with the program.
jodef Posted May 25, 2004
Ran flawlessly on fedora core 2. Only 1 warning:
Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info: Hint: See logfile for more information about this issue
Checking for allowed protocols...             [ Warning (SSH v1 allowed) ]
Anything to be worried about?
nlinecomputers Posted May 25, 2004
Yes. You have a running SSH server that is set up to allow Version 1 connections. If you don't run SSH then uninstall it, or you need to reconfigure it to not use version 1 and only version 2. If you don't connect into your box remotely then you shouldn't have this service installed.
A good how-to on proper setup can be found here. It is Mandrake based but the concepts work on any *nix box.
http://www.mandrakesecure.net/en/docs/open...display=printer
jodef Posted May 25, 2004 (edited)
Thx for the info Nathan, will be sure to look at it. However, I ran rkhunter --checkall --createlogfile, which wrote a logfile to /var/log/rkhunter.log; that logfile pointed me to /etc/ssh/sshd_config and even the exact lines I should look at, mainly Protocol and PermitRootLogin. Once I edited those two lines I reran rkhunter: no more problems or warnings :w00t:
Edit: Nathan you were right, the SSH daemon was running so I also disabled it.
Edited August 20, 2004 by Bruno
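The two sshd_config settings nlinecomputers warns about and jodef then edited, as an added example that is not rkhunter's code and not from anyone in this thread: a small POSIX shell script that reproduces the two checks (root login allowed, SSH protocol 1 allowed) on a constructed config file, then writes the hardened copy. The function names are mine, and it assumes the sshd defaults of that era (Protocol 2,1 and PermitRootLogin yes) whenever a directive is absent.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: re-create the two sshd_config checks
# rkhunter flagged above and the fix applied in the thread (edit 'Protocol'
# and 'PermitRootLogin'), on constructed files standing in for /etc/ssh/sshd_config.

# Count the findings in one sshd_config. Exit status = number of findings
# (0 means clean). Comment lines are skipped and the first occurrence of a
# keyword wins, which is how sshd itself reads the file.
ssh_config_warnings() {
    cfg=$1
    findings=0
    # Assumption: with no 'Protocol' line, sshd of that era defaulted to
    # "2,1", so an unset value still counts as v1 allowed.
    proto=$(awk 'tolower($1)=="protocol"{print $2; exit}' "$cfg")
    case "${proto:-2,1}" in
        *1*) echo "Warning (SSH v1 allowed): Protocol ${proto:-unset}"
             findings=$((findings+1)) ;;
    esac
    # Anything other than 'no' leaves a root login path open
    # ('without-password' still permits key-based root logins).
    rootlogin=$(awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$cfg")
    case "${rootlogin:-yes}" in
        [Nn][Oo]) ;;
        *) echo "Warning (root login possible): PermitRootLogin ${rootlogin:-unset}"
           findings=$((findings+1)) ;;
    esac
    return $findings
}

# Write a hardened copy of $1 to $2: force 'Protocol 2' and
# 'PermitRootLogin no', appending either directive if it was absent.
harden_sshd_config() {
    src=$1; dst=$2
    sed -e 's/^[[:space:]]*[Pp]rotocol[[:space:]].*/Protocol 2/' \
        -e 's/^[[:space:]]*[Pp]ermit[Rr]oot[Ll]ogin[[:space:]].*/PermitRootLogin no/' \
        "$src" > "$dst"
    grep -qi '^[[:space:]]*protocol[[:space:]]' "$dst" || echo 'Protocol 2' >> "$dst"
    grep -qi '^[[:space:]]*permitrootlogin[[:space:]]' "$dst" || echo 'PermitRootLogin no' >> "$dst"
}

# Constructed sample config (not copied from any real host).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# as shipped: both legacy settings still on
#Protocol 2
Protocol 2,1
PermitRootLogin yes
EOF
FIXED_CFG=$(mktemp)
harden_sshd_config "$WEAK_CFG" "$FIXED_CFG"
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT

echo "== weak config ==";  ssh_config_warnings "$WEAK_CFG"  || echo "-> $? finding(s)"
echo "== fixed config =="; ssh_config_warnings "$FIXED_CFG" || echo "-> $? finding(s)"
```

Point it at a real /etc/ssh/sshd_config to get the same two findings rkhunter reported; note that commenting a directive out does not clear a finding, because the default then applies.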
nlinecomputers Posted May 25, 2004
rkhunter's logs are very nice. Very detailed. I've got to go download that latest version.
trigggl Posted August 19, 2004
This thread is important enough to fix for the Firefox users, I would say.
I just installed this on Slackware 10 without any dependency problems or trouble running.
rpiz Posted August 19, 2004
I just downloaded and installed 'rootkit version 1.1.6' in MDK 10, and after running the program I received one (1) vulnerability (openSSL 0.9.7c)? Should something be done with this file or is it OK??
Bruno (Author) Posted August 19, 2004
I do think you need that package: The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH and web browsers (for accessing secure https sites).
Bruno
rpiz Posted August 19, 2004
Thanks for the response. I just wanted to be sure on files that appear after running rkhunter. Off to install and run it in PCLos.
trigggl Posted February 19, 2005
I just downloaded and installed version 1.2.0 and ran it. Actually, I ran my old version first and it gave the same warnings. It told me to check two folders:
/dev/.udev.tdb
/etc/.java
I just checked /etc/.java/.systemPrefs and it had two empty files:
root@fangorn:/etc/.java/.systemPrefs# ls -al
total 8
drwxr-xr-x 2 root root 4096 2005-01-08 00:03 ./
drwxr-xr-x 3 root root 4096 2005-01-08 00:03 ../
-rw-r--r-- 1 root root 0 2005-01-08 00:03 .system.lock
-rw-r--r-- 1 root root 0 2005-01-08 00:03 .systemRootModFile
Should I be alarmed at any of this? Here is a sampling of the contents of /dev/.udev.tdb:
root@fangorn:/dev/.udev.tdb# ls -al
I wouldn't even be looking if my internet activity light wasn't constantly flashing. I did try to set up ntp. Perhaps there's something odd going on with it.
trigggl Posted February 19, 2005
Well, never mind on the .udev folder. I found its location specified in udev.conf. The .java file is probably OK, also.
Shamgar Posted February 19, 2005
Okay, I have downloaded this tar: rkhunter-1.2.0.tar.gz
This is what I have done so far with the install instructions. Is this thing installed? How do I get a button on my toolbar or added to my system?
Shamgar@linux:~/RootKitHunter> su
Password:
linux:/home/Shamgar/RootKitHunter # tar zxf rkhunter-1.2.0.tar.gz
linux:/home/Shamgar/RootKitHunter # ls
. .. rkhunter rkhunter-1.2.0.tar.gz
linux:/home/Shamgar/RootKitHunter # cd rkhunter
linux:/home/Shamgar/RootKitHunter/rkhunter # ls
. .. files installer.sh
linux:/home/Shamgar/RootKitHunter/rkhunter # ./installer.sh
Rootkit Hunter installer 1.1.9 (Copyright 2003-2004, Michael Boelen)
---------------
Starting installation/update
Checking UID... OK
Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Exists
- Checking /usr/local/rkhunter/etc...Exists
- Checking /usr/local/rkhunter/bin...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/db...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Exists
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Exists
- Checking /usr/local/etc...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... Skipped (no overwrite)
Installing RK Hunter binary... OK
Configuration already updated.
Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' ( /usr/local/bin/rkhunter)
linux:/home/Shamgar/RootKitHunter/rkhunter # ls
. .. files installer.sh
linux:/home/Shamgar/RootKitHunter/rkhunter #
linux:/home/Shamgar/RootKitHunter/rkhunter # ls
. .. files installer.sh
linux:/home/Shamgar/RootKitHunter/rkhunter # cd /usr/local/bin/
linux:/usr/local/bin # dir
total 148
drwxr-xr-x 2 root root 4096 2005-02-19 12:19 .
drwxr-xr-x 12 root root 4096 2005-02-19 08:44 ..
-rwxr-x--- 1 root root 138980 2005-02-19 12:19 rkhunter