Rootkit Hunter


Bruno


Hi Shamgar

Next thing you do is make a link to the executable:

    # cd /home/shamgar
    # ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter

Now that the link /usr/bin/rkhunter is in your path, you can run the program:

    # rkhunter -c --createlogfile

Bruno


Yep, you open a terminal . . . do "su" and give the command . . . that is all . . . and you will get a report of the output on your screen.

Bruno


Thanks for the reply! This is what I received as a present from my terminal window:

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # rkhunter -c --createlogfile
    bash: rkhunter: command not found
    linux:/home/Shamgar #

Where am I going wrong?


You might want to do this command again, Shamgar (the link apparently did not "take"):

    ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter

And then try again.

Bruno


First retry:

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter
    linux:/home/Shamgar # rkhunter -c --createlogfile
    bash: rkhunter: command not found
    linux:/home/Shamgar #

Second retry:

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # ln -s /usr/local/bin/rkhunter/rkhunter /usr/bin/rkhunter
    ln: `/usr/bin/rkhunter': File exists
    linux:/home/Shamgar # rkhunter -c --createlogfile
    bash: rkhunter: command not found
    linux:/home/Shamgar #


    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # ls -al /usr/bin/rkhunter
    lrwxrwxrwx 1 root root 32 2005-02-19 14:32 /usr/bin/rkhunter -> /usr/local/bin/rkhunter/rkhunter
    linux:/home/Shamgar #

For some reason my smiley from Smiley Xtra throwing the computer doesn't show up.


LOL!!! Okay, now try this:

    /usr/bin/rkhunter -c --createlogfile

That will work . . . it seems that /usr/bin is not "in the path" of root, but only in that of the user in SUSE . . . so you have to give the full path . . .

Bruno


Is this what you wanted coded?

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # cd /usr/bin
    linux:/usr/bin # rkhunter -c --createlogfile
    bash: rkhunter: command not found
    linux:/usr/bin #


Actually, I tried that first before I sent the last one.

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # /usr/bin/rkhunter -c --createlogfile
    bash: /usr/bin/rkhunter: Not a directory
    linux:/home/Shamgar #

Let's see how I would describe my feeling for computers . . . .


Okay, here it is:

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # /usr/bin/rkhunter -c --createlogfile
    bash: /usr/bin/rkhunter: Not a directory
    linux:/home/Shamgar # ls -al /usr/local/bin/rkhunter/rkhunter
    /bin/ls: /usr/local/bin/rkhunter/rkhunter: Not a directory
    linux:/home/Shamgar #

You cannot win, you evil computer!


That did something:

    Shamgar@linux:~> su
    Password:
    linux:/home/Shamgar # /usr/bin/rkhunter -c --createlogfile
    bash: /usr/bin/rkhunter: Not a directory
    linux:/home/Shamgar # ls -al /usr/local/bin/rkhunter/rkhunter
    /bin/ls: /usr/local/bin/rkhunter/rkhunter: Not a directory
    linux:/home/Shamgar # ls -al /usr/local/bin/rkhunter
    -rwxr-x--- 1 root root 138980 2005-02-19 12:19 /usr/local/bin/rkhunter
    linux:/home/Shamgar #


What a puzzle! Now try

    /usr/local/bin/rkhunter -c --createlogfile

And if that works we will make another link after removing the old one in /usr/bin.

Bruno


This is what happened. I haven't "Press <ENTER> to continue" so say if you want me to. . .

    -rwxr-x--- 1 root root 138980 2005-02-19 12:19 /usr/local/bin/rkhunter
    linux:/home/nemmers # /usr/local/bin/rkhunter -c --createlogfile
    Rootkit Hunter 1.2.0 is running
    Determining OS... Ready

    Checking binaries
    * Selftests
        Strings (command)                          [ OK ]
    * System tools
      Performing 'known good' check...
        /bin/cat                                   [ OK ]
        /bin/chmod                                 [ OK ]
        /bin/chown                                 [ OK ]
        /bin/dmesg                                 [ OK ]
        /bin/egrep                                 [ OK ]
        /bin/fgrep                                 [ OK ]
        /bin/grep                                  [ OK ]
        /bin/kill                                  [ OK ]
        /bin/login                                 [ OK ]
        /bin/ls                                    [ OK ]
        /bin/mount                                 [ OK ]
        /bin/netstat                               [ OK ]
        /bin/ps                                    [ OK ]
        /bin/su                                    [ OK ]
        /sbin/chkconfig                            [ OK ]
        /sbin/depmod                               [ OK ]
        /sbin/ifconfig                             [ OK ]
        /sbin/insmod                               [ OK ]
        /sbin/ip                                   [ OK ]
        /sbin/modinfo                              [ OK ]
        /sbin/sysctl                               [ OK ]
        /sbin/syslogd                              [ OK ]
        /sbin/init                                 [ OK ]
        /sbin/runlevel                             [ OK ]
        /usr/bin/find                              [ OK ]
        /usr/bin/file                              [ OK ]
        /usr/bin/killall                           [ OK ]
        /usr/bin/lsattr                            [ OK ]
        /usr/bin/pstree                            [ OK ]
        /usr/bin/stat                              [ OK ]
        /usr/bin/sha1sum                           [ OK ]
        /usr/bin/users                             [ OK ]
        /usr/bin/w                                 [ OK ]
        /usr/bin/watch                             [ OK ]
        /usr/bin/who                               [ OK ]
        /usr/bin/whoami                            [ OK ]
        /usr/sbin/cron                             [ OK ]
    [Press <ENTER> to continue]

Panzers. . . . Fire!


No, let us interrupt it for a moment and set up proper links first, so you can use it the "normal" way.

Do:

    Ctrl+C

Then you will get the prompt back and I will post the commands.

Bruno


PART 2

Here are the commands:

    # rm -rf /usr/bin/rkhunter
    # ln -s /usr/local/bin/rkhunter /usr/sbin/rkhunter
    # rkhunter -c --createlogfile

Now it should work in the "normal" way . . . . I still wonder why SUSE lets you make a link to a file that does not exist . . . . crazy!

Bruno
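The link repair worked through above, as an added example that is not from the thread and not rkhunter's own code. ln -s never checks whether its target exists, so the first link to /usr/local/bin/rkhunter/rkhunter (one path component too many, treating the rkhunter binary as a directory) was created without complaint; bash then skipped the dangling link during its PATH search ("command not found") and, when given the full path, got ENOTDIR from the kernel ("Not a directory"). The functions below classify an existing link and refuse to create one whose target is not an executable regular file. The directory tree, the stand-in rkhunter script and every path are constructed under mktemp, so this runs as an ordinary user with nothing installed.

```shell
#!/bin/sh
# Added example (not from the thread, not rkhunter's code): a guarded
# replacement for the bare "ln -s" step, plus a check that tells a missing
# link, a dangling link and a usable link apart.

# link_status LINK
# Prints one word: missing, dangling, not-executable or ok.
link_status() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then
        echo missing
    elif [ ! -e "$1" ]; then
        # -L true but -e false: the link exists, what it points to does not
        echo dangling
    elif [ -d "$1" ] || [ ! -x "$1" ]; then
        echo not-executable
    else
        echo ok
    fi
}

# safe_link TARGET LINK
# Creates LINK -> TARGET only if TARGET is an executable regular file.
# A dangling LINK left behind by an earlier mistake is replaced; anything
# else already sitting at LINK is left alone and reported.
safe_link() {
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then
        echo "refusing: $1 is not an executable regular file" >&2
        return 1
    fi
    if [ -L "$2" ] && [ ! -e "$2" ]; then
        rm -f "$2"
    elif [ -e "$2" ] || [ -L "$2" ]; then
        echo "refusing: $2 already exists" >&2
        return 1
    fi
    ln -s "$1" "$2"
}

# Demo: rebuild the thread's situation under a temporary root and repair it.
# The "rkhunter" here is a constructed stand-in script, not the real scanner.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/bin" "$root/usr/sbin" "$root/usr/bin"
    printf '#!/bin/sh\necho "stand-in rkhunter is running"\n' \
        > "$root/usr/local/bin/rkhunter"
    chmod 750 "$root/usr/local/bin/rkhunter"   # same mode as in the thread

    # the typo from the thread: one path component too many
    ln -s "$root/usr/local/bin/rkhunter/rkhunter" "$root/usr/bin/rkhunter"
    echo "before: $(link_status "$root/usr/bin/rkhunter")"

    # the fix: a fresh link that points at the real file
    safe_link "$root/usr/local/bin/rkhunter" "$root/usr/sbin/rkhunter"
    echo "after:  $(link_status "$root/usr/sbin/rkhunter")"
    "$root/usr/sbin/rkhunter"
    rm -rf "$root"
}

demo
```

ls -l shows a dangling link exactly like a good one (lrwxrwxrwx, with the arrow), which is why the ls output earlier in the thread looked fine; test -e on the link, or link_status above, is what actually follows the link and reveals the broken target.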


Okay, this is what happened. Again I have not pressed "Enter" to continue.

    linux:/home/nemmers # rm -rf /usr/bin/rkhunter
    linux:/home/nemmers # ln -s /usr/local/bin/rkhunter /usr/sbin/rkhunter
    linux:/home/nemmers # rkhunter -c --createlogfile
    Rootkit Hunter 1.2.0 is running
    Determining OS... Ready

    Checking binaries
    * Selftests
        Strings (command)                          [ OK ]
    * System tools
      Performing 'known good' check...
        /bin/cat                                   [ OK ]
        /bin/chmod                                 [ OK ]
        /bin/chown                                 [ OK ]
        /bin/dmesg                                 [ OK ]
        /bin/egrep                                 [ OK ]
        /bin/fgrep                                 [ OK ]
        /bin/grep                                  [ OK ]
        /bin/kill                                  [ OK ]
        /bin/login                                 [ OK ]
        /bin/ls                                    [ OK ]
        /bin/mount                                 [ OK ]
        /bin/netstat                               [ OK ]
        /bin/ps                                    [ OK ]
        /bin/su                                    [ OK ]
        /sbin/chkconfig                            [ OK ]
        /sbin/depmod                               [ OK ]
        /sbin/ifconfig                             [ OK ]
        /sbin/insmod                               [ OK ]
        /sbin/ip                                   [ OK ]
        /sbin/modinfo                              [ OK ]
        /sbin/sysctl                               [ OK ]
        /sbin/syslogd                              [ OK ]
        /sbin/init                                 [ OK ]
        /sbin/runlevel                             [ OK ]
        /usr/bin/find                              [ OK ]
        /usr/bin/file                              [ OK ]
        /usr/bin/killall                           [ OK ]
        /usr/bin/lsattr                            [ OK ]
        /usr/bin/pstree                            [ OK ]
        /usr/bin/stat                              [ OK ]
        /usr/bin/sha1sum                           [ OK ]
        /usr/bin/users                             [ OK ]
        /usr/bin/w                                 [ OK ]
        /usr/bin/watch                             [ OK ]
        /usr/bin/who                               [ OK ]
        /usr/bin/whoami                            [ OK ]
        /usr/sbin/cron                             [ OK ]
    [Press <ENTER> to continue]

Open fire!!!!!

SUSE 9.1


Okay, this is what happened. Do you want me to keep hitting enter?

    Check rootkits
    * Default files and directories
        Rootkit '55808 Trojan - Variant A'...      [ OK ]
        ADM Worm...                                [ OK ]
        Rootkit 'AjaKit'...                        [ OK ]
        Rootkit 'aPa Kit'...                       [ OK ]
        Rootkit 'Apache Worm'...                   [ OK ]
        Rootkit 'Ambient (ark) Rootkit'...         [ OK ]
        Rootkit 'Balaur Rootkit'...                [ OK ]
        Rootkit 'BeastKit'...                      [ OK ]
        Rootkit 'BOBKit'...                        [ OK ]
        Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
        Rootkit 'Danny-Boy's Abuse Kit'...         [ OK ]
        Rootkit 'Devil RootKit'...                 [ OK ]
        Rootkit 'Dica'...                          [ OK ]
        Rootkit 'Dreams Rootkit'...                [ OK ]
        Rootkit 'Duarawkz'...                      [ OK ]
        Rootkit 'Flea Linux Rootkit'...            [ OK ]
        Rootkit 'FreeBSD Rootkit'...               [ OK ]
        Rootkit '****`it Rootkit'...               [ OK ]
        Rootkit 'GasKit'...                        [ OK ]
        Rootkit 'Heroin LKM'...                    [ OK ]
        Rootkit 'HjC Kit'...                       [ OK ]
        Rootkit 'ignoKit'...                       [ OK ]
        Rootkit 'ImperalsS-FBRK'...                [ OK ]
        Rootkit 'Irix Rootkit'...                  [ OK ]
        Rootkit 'Kitko'...                         [ OK ]
        Rootkit 'Knark'...                         [ OK ]
        Rootkit 'Li0n Worm'...                     [ OK ]
        Rootkit 'Lockit / LJK2'...                 [ OK ]
        Rootkit 'MRK'...                           [ OK ]
        Rootkit 'Ni0 Rootkit'...                   [ OK ]
        Rootkit 'RootKit for SunOS / NSDAP'...     [ OK ]
        Rootkit 'Optic Kit (Tux)'...               [ OK ]
        Rootkit 'Oz Rootkit'...                    [ OK ]
        Rootkit 'Portacelo'...                     [ OK ]
        Rootkit 'R3dstorm Toolkit'...              [ OK ]
        Rootkit 'RH-Sharpe's rootkit'...           [ OK ]
        Rootkit 'RSHA's rootkit'...                [ OK ]
        Sebek LKM                                  [ OK ]
        Rootkit 'Scalper Worm'...                  [ OK ]
        Rootkit 'Shutdown'...                      [ OK ]
        Rootkit 'SHV4'...                          [ OK ]
        Rootkit 'SHV5'...                          [ OK ]
        Rootkit 'Sin Rootkit'...                   [ OK ]
        Rootkit 'Slapper'...                       [ OK ]
        Rootkit 'Sneakin Rootkit'...               [ OK ]
        Rootkit 'Suckit Rootkit'...                [ OK ]
        Rootkit 'SunOS Rootkit'...                 [ OK ]
        Rootkit 'Superkit'...                      [ OK ]
        Rootkit 'TBD (Telnet BackDoor)'...         [ OK ]
        Rootkit 'TeLeKiT'...                       [ OK ]
        Rootkit 'T0rn Rootkit'...                  [ OK ]
        Rootkit 'Trojanit Kit'...                  [ OK ]
        Rootkit 'Tuxtendo'...                      [ OK ]
        Rootkit 'URK'...                           [ OK ]
        Rootkit 'VcKit'...                         [ OK ]
        Rootkit 'Volc Rootkit'...                  [ OK ]
        Rootkit 'X-Org SunOS Rootkit'...           [ OK ]
        Rootkit 'zaRwT.KiT Rootkit'...             [ OK ]
    * Suspicious files and malware
        Scanning for known rootkit strings         [ OK ]
        Scanning for known rootkit files           [ OK ]
        Testing running processes...               [ OK ]
        Miscellaneous Login backdoors              [ OK ]
        Miscellaneous directories                  [ OK ]
        Software related files                     [ OK ]
        Sniffer logs                               [ OK ]
    [Press <ENTER> to continue]


Looks like another enter:

    * Trojan specific characteristics
        shv4
          Checking /etc/rc.d/rc.sysinit            [ Not found ]
          Checking /etc/inetd.conf                 [ Not found ]
          Checking /etc/xinetd.conf                [ Clean ]
    * Suspicious file properties
        chmod properties
          Checking /bin/ps                         [ Clean ]
          Checking /bin/ls                         [ Clean ]
          Checking /usr/bin/w                      [ Clean ]
          Checking /usr/bin/who                    [ Clean ]
          Checking /bin/netstat                    [ Clean ]
          Checking /bin/login                      [ Clean ]
        Script replacements
          Checking /bin/ps                         [ Clean ]
          Checking /bin/ls                         [ Clean ]
          Checking /usr/bin/w                      [ Clean ]
          Checking /usr/bin/who                    [ Clean ]
          Checking /bin/netstat                    [ Clean ]
          Checking /bin/login                      [ Clean ]
    * OS dependant tests
        Linux
          Checking loaded kernel modules...        [ OK ]
          Checking files attributes                [ OK ]
          Checking LKM module path                 [ OK ]

    Networking
    * Check: frequently used backdoors
        Port 2001: Scalper Rootkit                 [ OK ]
        Port 2006: CB Rootkit                      [ OK ]
        Port 2128: MRK                             [ OK ]
        Port 14856: Optic Kit (Tux)                [ OK ]
        Port 47107: T0rn Rootkit                   [ OK ]
        Port 60922: zaRwT.KiT                      [ OK ]
    * Interfaces
        Scanning for promiscuous interfaces        [ OK ]
    [Press <ENTER> to continue]


More "Enters":

    System checks
    * Allround tests
        Checking hostname... Found. Hostname is linux
        Checking for passwordless user accounts... OK
        Checking for differences in user accounts... [ NA ]
        Checking for differences in user groups... Creating file
          It seems this is your first time.
        Checking boot.local/rc.local file...
          - /etc/rc.local                          [ Not found ]
          - /etc/rc.d/rc.local                     [ Not found ]
          - /usr/local/etc/rc.local                [ Not found ]
          - /usr/local/etc/rc.d/rc.local           [ Not found ]
          - /etc/conf.d/local.start                [ Not found ]
          - /etc/init.d/boot.local                 [ OK ]
        Checking rc.d files...
          Processing........................................
          ........................................
          ........................................
          ........................................
          ........................................
          ........................................
          ...................................
          Result rc.d files check                  [ OK ]
        Checking history files
          Bourne Shell                             [ OK ]
    * Filesystem checks
        Checking /dev for suspicious files...      [ Warning! (unusual files found) ]
        ---------------------------------------------
        Unusual files:
        /dev/null.2005-02-12.0: ASCII text
        /dev/null.2005-02-13.0: ASCII text
        /dev/null.2005-02-14.0: ASCII English text
        /dev/null.2005-02-15.0: ASCII text
        ---------------------------------------------
        Scanning for hidden files...               [ Warning! ]
        ---------------
        /dev/.udev.tdb
        /etc/.java
        /etc/.pwd.lock
        ---------------
        Please inspect: /etc/.java (directory)
    [Press <ENTER> to continue]
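The two filesystem warnings at the end of that run, as an added example that is not rkhunter's code: a small stand-in for its "/dev suspicious files" and "hidden files" checks that can be pointed at any directory, so the flagged entries can be listed and typed without running the whole scan again. A device directory is expected to hold device nodes, fifos, sockets, symlinks and subdirectories; a regular file in it (the /dev/null.2005-02-12.0 entries above) or a dot-entry is what gets reported, and each one still needs a human look (ls -l for owner and date, file(1) for content). The directory scanned in the demo is constructed under mktemp with a fifo, a stray text file and a hidden directory.

```shell
#!/bin/sh
# Added example (not rkhunter's code): list regular files and hidden
# entries below a directory and say what each one is.

# dev_anomalies DIR
# Prints "path<TAB>description" for every regular file and every hidden
# entry below DIR, sorted bytewise; prints nothing for a clean directory.
dev_anomalies() {
    dir=$1
    find "$dir" ! -path "$dir" \( -type f -o -name '.*' \) 2>/dev/null \
      | LC_ALL=C sort \
      | while IFS= read -r p; do
            if [ -L "$p" ]; then
                kind="symlink -> $(readlink "$p")"
            elif [ -d "$p" ]; then
                kind="directory"
            elif [ -f "$p" ]; then
                # file(1) gives the "ASCII text" style verdict seen above;
                # fall back to a fixed string if file is not installed
                kind="regular file, $(file -b "$p" 2>/dev/null || echo 'type unknown')"
            else
                kind="special file"
            fi
            printf '%s\t%s\n' "$p" "$kind"
        done
}

# demo_dir
# Builds a constructed directory: one fifo (legitimate in /dev), one
# stray log-like text file and one hidden directory. Prints its path.
demo_dir() {
    d=$(mktemp -d) || return 1
    mkfifo "$d/initctl"
    printf 'rotated log text\n' > "$d/null.2005-02-12.0"
    mkdir "$d/.udev.tdb"
    echo "$d"
}

d=$(demo_dir)
dev_anomalies "$d"
rm -rf "$d"
```

Run against the real /dev as root (dev_anomalies /dev) the fifo is silent and only the two kinds of entry rkhunter complained about are printed; a /etc/.pwd.lock style dot-file is normal for its location, which is exactly why the scanner says "please inspect" rather than deciding for you.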
