Re: [Rkhunter-users] rkhunter does not check /bin/ping ?
From: <ba...@pk...> - 2010-12-02 11:34:19
On 29.11.2010 at 22:52, John Horne <joh...@pl...> wrote:
> On Mon, 2010-11-29 at 12:10 +0100, Florian Barth wrote:
>> Hello,
>>
>> my question follows from a security issue. A machine was attacked
>> and /bin/ping was substituted. Why did rkhunter not recognize this
>> substitution? It seems to me that /bin/ping is never checked whether
>> it was substituted or not. What is the reason for this behavior? From
>> my point of view it is important to check all files where the
>> SUID bit is set.
>>
> Originally only commands which were known to have been used in attacks
> were checked. We have expanded this a bit, but it does not check all
> commands and does not search out for suid commands.
>
> Since RKH can be quite slow checking a lot of commands, I would suggest
> using something actually designed for this purpose such as Aide,
> Tripwire or Samhain (if I remember correctly).
>
> If you really want RKH to monitor it then use the
> USER_FILEPROP_FILES_DIR option.
>

As I said, there was an attack with /bin/ping on one of our machines (Max-Planck-Gesellschaft). We were not able to analyze it exactly yet, but it looks similar to the known ping-rootkit [1] from 2006. I guess it's already known much longer, because I read an article about it in a "hackin9" magazine from 2004!

Maybe these issues are important enough to think about checking /bin/ping.

Florian

[1] http://dl.packetstormsecurity.net/UNIX/penetration/rootkits/pingrootkit.tar.bz2
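The thread turns on a gap that John describes and Florian hit: rkhunter checks a fixed list of commands and does not enumerate setuid binaries, so a replaced /bin/ping goes unnoticed unless it is listed via USER_FILEPROP_FILES_DIR. The script below is an added example of the kind of check being asked for; it is not rkhunter code and not something either poster wrote. It records a hash baseline of every setuid file under a directory and later reports which entries changed, disappeared, or newly appeared. The function names are hypothetical; it assumes coreutils (sha256sum, sort, mktemp) and a find(1) that accepts -perm -4000, and it does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example: baseline and re-verify every setuid binary under a directory.
# Not rkhunter code; function names are hypothetical. Assumes coreutils
# (sha256sum, sort, mktemp) and a find(1) that understands -perm -4000.
# Paths containing whitespace are not handled (sha256sum's "hash  path" format).

# suid_snapshot DIR
# Print "hash  path" for each regular setuid file under DIR, sorted by path
# so that two snapshots can be compared line by line.
suid_snapshot() {
    find "$1" -xdev -type f -perm -4000 -exec sha256sum {} + 2>/dev/null | sort -k 2
}

# suid_baseline DIR FILE
# Record the current snapshot as the trusted baseline in FILE.
suid_baseline() {
    suid_snapshot "$1" > "$2"
}

# suid_verify DIR FILE
# Compare the live setuid set against the baseline in FILE. Prints one line
# per deviation (CHANGED, REMOVED, NEW) and returns 1 if any was found.
suid_verify() {
    dir=$1
    baseline=$2
    live=$(mktemp) || return 2
    suid_snapshot "$dir" > "$live"
    status=0

    # A replaced binary (the thread's /bin/ping case) shows up as CHANGED;
    # a setuid file that vanished shows up as REMOVED.
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2 == p { print $1 }' "$live")
        if [ -z "$cur" ]; then
            echo "REMOVED  $path"
            status=1
        elif [ "$cur" != "$hash" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$baseline"

    # A setuid file absent from the baseline is a new privilege boundary.
    while read -r hash path; do
        if ! awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$baseline"; then
            echo "NEW      $path"
            status=1
        fi
    done < "$live"

    rm -f "$live"
    return $status
}

# Command-line use:
#   suid-check.sh baseline /usr /var/lib/suid.baseline   (once, on a known-good host)
#   suid-check.sh verify   /usr /var/lib/suid.baseline   (from cron; non-zero exit = drift)
case "${1:-}" in
    baseline) suid_baseline "$2" "$3" ;;
    verify)   suid_verify "$2" "$3" ;;
esac
```

Keep the baseline file off the monitored host (or at least read-only to the account that runs the check): a baseline the attacker can rewrite is worth nothing. The same idea is what Aide, Tripwire and Samhain implement with far more care about storage and attributes; this script is only the minimal version of the setuid enumeration rkhunter does not do.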