Thread: Re: [Rkhunter-users] "Possible GasKit rootkit" ?
Brought to you by: dogsbody
From: <un...@hu...> - 2008-02-22 11:30:20

On Fri, 22 Feb 2008 03:20:10 +0100 Uwe Dippel <ud...@gm...> wrote:
>This is what I get at running rkhunter --check:
>[10:06:19] Checking system startup files for malware [ Warning ]
>[10:06:19] Warning: Found string 'sshdd' in file '/etc/pwd.db'.
>Possible rootkit: Possible GasKit rootkit

AFAIK GNU/Linux-only (haven't got this kit in my repo), and a password entry is probably not much use without dev/dev/gaskit/.*. Wrt the entry itself: if it is in pwd.db it should be in master.* as well, right? If you stat master and pwd.db, do the timestamps match? Any useradd logging and backups to support this? (If in any doubt, please do take the box offline before auditing, like John suggested.)

Regards,
unSpawn
From: <un...@hu...> - 2008-02-22 16:14:06

On Fri, 22 Feb 2008 16:45:45 +0100 John Horne <joh...@pl...> wrote:
>I suspect you have modified your rkhunter.conf (SYSTEM_RC_DIR) to look in /etc

Yes, that's what I thought too. As far as I know, if you do password ops "the right way" on BSD, everything gets "mkdb_pwd"(?) from the master.pwd. The MAC times of pwd.db and passwd show their modification time approx. 10 hrs earlier compared to the master, which is odd. Not that I know OpenBSD, but password ops not being logged looks odd to me too.

Cheers,
unSpawn
From: Uwe D. <ud...@gm...> - 2008-02-22 14:42:51

On Fri, Feb 22, 2008 at 7:30 PM, <un...@hu...> wrote:
> AFAIK GNU/Linux-only (haven't got this kit in my repo) and password
> entry probably not much use without dev/dev/gaskit/.*. Wrt entry
> itself, if it is in pwd.db it should be in master.* as well, right?

Not quite. This is what I see in /etc/pwd.db, when I grep for sshdd:

00004fc0  1b 00 00 00 1b 00 00 00  00 00 00 00 00 73 73 68  |.............ssh|
00004fd0  64 20 70 72 69 76 73 65  70 00 2f 76 61 72 2f 65  |d privsep./var/e|
00004fe0  6d 70 74 79 00 2f 73 62  69 6e 2f 6e 6f 6c 6f 67  |mpty./sbin/nolog|
00004ff0  69 6e 00 00 00 00 00 00  00 00 00 31 73 73 68 64  |in.........1sshd|
00005000  64 00 f8 0f aa 0f a2 0f  5b 0f 54 0f 11 0f 0a 0f  |d.......[.T.....|
00005010  bf 0e b7 0e 76 0e 6c 0e  1e 0e 15 0e d1 0d c8 0d  |....v.l.........|
00005020  87 0d 7e 0d 3d 0d 34 0d  f3 0c ea 0c a9 0c a0 0c  |..~.=.4.........|

There is no sshdd in master.passwd. The user seems not to exist:

# whoami
root
# su sshdd
su: unknown login sshdd
#

> If you stat master and pwd.db, do timestamps match?

# stat /etc/master.passwd
0 3042 -rw------- 1 root wheel 17448 12677 "Feb 22 22:07:15 2008" "Feb 22 22:02:56 2008" "Feb 22 22:02:56 2008" 16384 28 0 /etc/master.passwd
# stat /etc/pwd.db
0 3048 -rw-r--r-- 1 root wheel 13344 69632 "Feb 22 22:25:02 2008" "Feb 22 10:42:29 2008" "Feb 22 10:42:29 2008" 16384 136 0 /etc/pwd.db
# stat /etc/passwd
0 3049 -rw-r--r-- 1 root wheel 17408 6907 "Feb 22 10:42:29 2008" "Feb 22 10:42:29 2008" "Feb 22 10:42:29 2008" 16384 16 0 /etc/passwd
# stat /etc/spwd.db
0 3043 -rw-r----- 1 root _shadow 12200 81920 "Feb 22 22:31:44 2008" "Feb 22 22:02:56 2008" "Feb 22 22:02:56 2008" 16384 160 0 /etc/spwd.db

> Any useradd
> logging and backups to support this?

As far as I can see, none.

Uwe
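The timestamp comparison unSpawn asked for, and the stat output Uwe posted, can be checked mechanically. The following is an added example, not rkhunter's code and not part of OpenBSD: it parses the default output format of BSD stat(1) (dev ino mode nlink uid gid rdev size "atime" "mtime" "ctime" blksize blocks flags path, so 12677 above is the size of master.passwd and 69632 the size of pwd.db), then compares the mtime of each file pwd_mkdb(8) derives from master.passwd with the master's own mtime, and flags any file whose ctime is later than its mtime, because utimes(2) can backdate mtime but cannot set ctime. The STAT_OUTPUT string is the four lines from the post verbatim; the "tolerance_s" slack and the finding codes are this example's own choices.

```python
"""Cross-check /etc/master.passwd against the files pwd_mkdb(8) builds from it.

Added example for this thread, not rkhunter's own code and not part of
OpenBSD. It parses the default output of BSD stat(1), i.e.
  dev ino mode nlink uid gid rdev size "atime" "mtime" "ctime" blksize blocks flags path
and reports (a) derived files whose mtime differs from master.passwd's and
(b) any file whose ctime is later than its mtime (utimes(2) can backdate
mtime but cannot touch ctime).
"""
import re
from datetime import datetime

# The four stat lines exactly as posted in the thread (OpenBSD, 2008-02-22).
STAT_OUTPUT = """\
0 3042 -rw------- 1 root wheel 17448 12677 "Feb 22 22:07:15 2008" "Feb 22 22:02:56 2008" "Feb 22 22:02:56 2008" 16384 28 0 /etc/master.passwd
0 3048 -rw-r--r-- 1 root wheel 13344 69632 "Feb 22 22:25:02 2008" "Feb 22 10:42:29 2008" "Feb 22 10:42:29 2008" 16384 136 0 /etc/pwd.db
0 3049 -rw-r--r-- 1 root wheel 17408 6907 "Feb 22 10:42:29 2008" "Feb 22 10:42:29 2008" "Feb 22 10:42:29 2008" 16384 16 0 /etc/passwd
0 3043 -rw-r----- 1 root _shadow 12200 81920 "Feb 22 22:31:44 2008" "Feb 22 22:02:56 2008" "Feb 22 22:02:56 2008" 16384 160 0 /etc/spwd.db
"""

MASTER = "/etc/master.passwd"
DERIVED = ("/etc/pwd.db", "/etc/spwd.db", "/etc/passwd")

_STAT_RE = re.compile(
    r'^(\d+) (\d+) (\S+) (\d+) (\S+) (\S+) (\d+) (\d+) '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (\d+) (\d+) (\d+) (\S+)$'
)


def _ts(text):
    # stat's default format carries no timezone; all four lines share one clock.
    return datetime.strptime(text, "%b %d %H:%M:%S %Y")


def parse_stat(text):
    """Map path -> fields for every default-format BSD stat line in text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _STAT_RE.match(line.strip())
        if m is None:
            raise ValueError("unrecognised stat line: %r" % line)
        entries[m.group(15)] = {
            "mode": m.group(3), "owner": m.group(5), "group": m.group(6),
            "size": int(m.group(8)),
            "atime": _ts(m.group(9)), "mtime": _ts(m.group(10)), "ctime": _ts(m.group(11)),
        }
    return entries


def check_consistency(entries, tolerance_s=2):
    """Return (path, code, detail) findings; an empty list means nothing to chase."""
    findings = []
    master = entries[MASTER]
    for path in DERIVED:
        ent = entries.get(path)
        if ent is None:
            findings.append((path, "missing", "no stat line for this file"))
            continue
        delta = (ent["mtime"] - master["mtime"]).total_seconds()
        if delta < -tolerance_s:
            findings.append((path, "stale",
                             "%ds older than %s: not rebuilt after the last master edit"
                             % (-delta, MASTER)))
        elif delta > tolerance_s:
            findings.append((path, "newer",
                             "%ds newer than %s: written without a matching master edit"
                             % (delta, MASTER)))
    for path, ent in entries.items():
        lag = (ent["ctime"] - ent["mtime"]).total_seconds()
        if lag > tolerance_s:
            findings.append((path, "ctime-after-mtime",
                             "ctime trails mtime by %ds: mtime backdated or metadata changed" % lag))
    return findings


if __name__ == "__main__":
    for path, code, detail in check_consistency(parse_stat(STAT_OUTPUT)):
        print("%-18s %-18s %s" % (path, code, detail))
```

On the posted lines this reports pwd.db and passwd as "stale" by 40827 s against master.passwd, spwd.db as consistent, and no ctime/mtime disagreement. A "stale" finding on its own is a prompt to verify rather than proof of tampering: as far as I read pwd_mkdb(8), OpenBSD's passwd(1) can rebuild only spwd.db when nothing but the password field changed (the -s flag), which would leave exactly this pattern. A "newer" finding, or a ctime later than mtime, is the combination that has no benign route through pwd_mkdb and deserves the offline audit unSpawn recommends.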
From: John H. <joh...@pl...> - 2008-02-22 15:45:55

On Fri, 2008-02-22 at 22:42 +0800, Uwe Dippel wrote:
> On Fri, Feb 22, 2008 at 7:30 PM, <un...@hu...> wrote:
>
> > AFAIK GNU/Linux-only (haven't got this kit in my repo) and password
> > entry probably not much use without dev/dev/gaskit/.*. Wrt entry
> > itself, if it is in pwd.db it should be in master.* as well, right?
>
> Not quite.
> This is what I see in /etc/pwd.db, when I grep for sshdd:
> 00004fc0  1b 00 00 00 1b 00 00 00  00 00 00 00 00 73 73 68  |.............ssh|
> 00004fd0  64 20 70 72 69 76 73 65  70 00 2f 76 61 72 2f 65  |d privsep./var/e|
> 00004fe0  6d 70 74 79 00 2f 73 62  69 6e 2f 6e 6f 6c 6f 67  |mpty./sbin/nolog|
> 00004ff0  69 6e 00 00 00 00 00 00  00 00 00 31 73 73 68 64  |in.........1sshd|
> 00005000  64 00 f8 0f aa 0f a2 0f  5b 0f 54 0f 11 0f 0a 0f  |d.......[.T.....|
>
I'm wondering if this is just a false positive caused by looking in a binary file. As unSpawn has said, the /dev/dev directory should be present as well. I suspect you have modified your rkhunter.conf (SYSTEM_RC_DIR) to look in /etc, whereas usually RKH only looks for startup files (scripts), typically in /etc/rc.d or /etc/init.d, not actual system/db files in /etc.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: Joh...@pl...                             Fax: +44 (0)1752 233839
From: Uwe D. <ud...@gm...> - 2008-02-22 16:13:16

On Fri, Feb 22, 2008 at 11:45 PM, John Horne <joh...@pl...> wrote:
> I'm wondering if this is just a false-positive caused by looking in a
> binary file. As unSpawn has said the /dev/dev directory should be
> present as well. I suspect you have modified your rkhunter.conf
> (SYSTEM_RC_DIR) to look in /etc, whereas usually RKH only looks for
> startup files (scripts) typically in /etc/rc.d or /etc/init.d - not
> actual system/db files in /etc.

John, yes, we discussed this earlier. (Open)BSD has its start files in plain /etc/; in order to check them, one has to check /etc/. In the end, I wonder how and why rkhunter looks into a binary file (okay, not really binary, partially); but by looking at the source, I will understand. Maybe rkhunter should add another check before opening a file, to see if it is 'binary', and eventually just skip it. No wait, that's also not good. Maybe at the preliminary run, it could display the file name of any binary and ask if it may skip it in future (whitelist)?

I might have reacted even more calmly had we not had the problem with the 'update', plus I found out that it hadn't run for ages. My mistake: I had added the option '--nocolour'. Since then, it didn't run, because of the misspelled option. Actually, I had really preferred the earlier version of sending a mail irrespective. At least then I could know rkhunter had been run. The current default of not sending, and if sending, then (by default) just a general warning, does not make me very happy. Any chance to revert to a default of sending mails, including the warnings, and rather add options for not sending in case of no warnings, and one more option to suppress the warning itself instead of an extra option to display it?

My 2 sen, and thanks for the heads-up,
Uwe
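The two things Uwe asks for above, a binary check before a file is opened and a whitelist of files the scan may skip, are small to write down. What follows is an added example for this thread, not rkhunter's own code (rkhunter is a shell script whose checks and configuration keys are not reproduced here): it walks a startup-file directory, looks for a marker string (only 'sshdd', the GasKit marker that fired), and treats a match in a file that carries a NUL byte within its first 8 KiB, grep's own binary heuristic, as "needs review" rather than as a startup-file warning, while whitelisted paths are never opened. The sample tree, the marker line in rc.local and the 'pwd.db' bytes are constructed for the example; the db bytes only imitate the posted hexdump, in which the key '1sshd' ends at the 0x4fff page boundary and the next byte happens to be 0x64 ('d').

```python
"""Signature scan of startup files with a binary-file guard and a whitelist.

Added example for this thread, not rkhunter's own code. It models the check
that produced the warning: look through every file under the startup-file
directory for rootkit marker strings (here only 'sshdd', the GasKit marker
that fired). A match in a file that contains a NUL byte within its first
8 KiB (grep's binary heuristic) is queued for manual review instead of being
reported as a startup-file warning, and paths on a whitelist are not opened
at all. The sample tree is constructed here; the 'pwd.db' bytes only
imitate the posted hexdump.
"""
import os
import tempfile

SIGNATURES = {b"sshdd": "Possible GasKit rootkit"}
SNIFF = 8192  # bytes examined for the binary heuristic


def is_binary(data):
    """grep's rule of thumb: a NUL early in the file means 'not text'."""
    return b"\x00" in data[:SNIFF]


def scan_file(path, signatures=SIGNATURES):
    """Return one hit dict per occurrence of each signature in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    binary = is_binary(data)
    hits = []
    for sig, name in signatures.items():
        off = data.find(sig)
        while off != -1:
            ctx = data[max(0, off - 8):off + len(sig) + 8]
            hits.append({
                "path": path, "signature": sig.decode(), "rootkit": name,
                "offset": off, "binary": binary,
                # printable rendering of the bytes around the match, hexdump -C style
                "context": "".join(chr(b) if 32 <= b < 127 else "." for b in ctx),
            })
            off = data.find(sig, off + 1)
    return hits


def scan_startup_dir(directory, whitelist=(), signatures=SIGNATURES):
    """Walk directory; return (warnings, needs_review) lists of hits.

    whitelist holds paths relative to directory that are skipped unopened.
    """
    warnings, review = [], []
    skip = set(whitelist)
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory)
            if rel in skip or os.path.islink(path) or not os.path.isfile(path):
                continue
            for hit in scan_file(path, signatures):
                (review if hit["binary"] else warnings).append(hit)
    return warnings, review


def build_sample_tree():
    """Constructed stand-in for /etc: one clean rc script, one carrying the marker, one db."""
    root = tempfile.mkdtemp(prefix="rkh-example-")
    with open(os.path.join(root, "rc"), "w") as fh:
        fh.write("#!/bin/sh\n. /etc/rc.conf\nsshd\n")           # 'sshd' alone must not match
    with open(os.path.join(root, "rc.local"), "w") as fh:
        fh.write("#!/bin/sh\nsshdd -q &\n")                       # constructed marker line
    # constructed bytes modelled on the hexdump: a key '1sshd' followed by 0x64
    db = (b"\x00" * 13 + b"ssh" + b"d privsep\x00/var/empty\x00/sbin/nologin\x00"
          + b"\x00" * 8 + b"1sshd" + b"d\x00\xf8\x0f\xaa\x0f")
    with open(os.path.join(root, "pwd.db"), "wb") as fh:
        fh.write(db)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    warnings, review = scan_startup_dir(tree)
    for hit in warnings:
        print("Warning: found string '%s' in %s (%s)"
              % (hit["signature"], hit["path"], hit["rootkit"]))
    for hit in review:
        print("Review: '%s' at offset %#x of binary file %s: %s"
              % (hit["signature"], hit["offset"], hit["path"], hit["context"]))
```

Run stand-alone it reports rc.local as a warning and pwd.db as a review item with the surrounding bytes rendered, so the reader can see the match straddling the '1sshd' key and the following 0x64. Whitelisting "pwd.db" removes the review item without touching the rc.local warning. Silently skipping binaries, which Uwe rejects, is indeed the wrong default: a kit could plant its marker in a file it has made "binary" on purpose, which is why the example still reports such matches, only on a separate list.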