rkhunter-users Mailing List for Rootkit Hunter (Page 150)
From: Phil C. <pca...@ro...> - 2006-09-14 02:36:47
Hi,

I frequently get this message when running rkhunter:

Performing 'known good' check...
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due
replaced binaries or updated packages (which give other hashes). Be sure
your hashes are fully updated (rkhunter --update). If you're in doubt about
these hashes, contact the author (fill in the contact form).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
----------

What does this mean? This message seems quite mysterious, as it gives NO details as to what might be causing the problem. Sometimes, when I run rkhunter --update, the problem seems to go away if I run a scan immediately afterward. But if I do a scan the next day the problem is back again.

Phil
From: Quinn C. <qu...@st...> - 2006-09-13 15:54:43
>> --append-log $TMPFILE1
> Which tells me you're either running FC or Aurora...

I'm running RHEL 4.

> I also overlooked this:
> [...]
> could be that.

I'm aware there is no md5 database for rhel 4. If so, do you know a way to make this warning quiet? I actually have access to a freshly-installed rhel 4 machine, if it would be helpful I could contribute to this database.

> What does /etc/sysconfig/rkhunter contain?
> Does it include the logfile switch?

Here is the output of that:

[root@two/0 ~]$cat /etc/sysconfig/rkhunter
# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
# MAILTO=    <email address to send scan report>
# DIAG_SCAN= no  - perform normal report scan
#            yes - perform detailed report scan
#                  (includes application check)
MAILTO=root@localhost
DIAG_SCAN=no

> Could you gzip and attach the logfile?

Attached.

Thanks for looking into this.

Q
From: Quinn C. <qu...@st...> - 2006-09-13 13:44:25
It is the cron job that comes packaged with the latest version of rkhunter. I'll paste it below...

Quinn

[root@two]$cat /etc/cron.daily/01-rkhunter
#!/bin/sh
# 01-rkhunter     A shell script to update and run rkhunter via CRON

XITVAL=0

# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` || exit 1

if [ ! -e /var/lock/subsys/rkhunter ]; then
  # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
  /bin/touch /var/lock/subsys/rkhunter

  # Source system configuration parameters.
  if [ -e /etc/sysconfig/rkhunter ] ; then
    . /etc/sysconfig/rkhunter
  else
    MAILTO=root@localhost
  fi

  # If a diagnostic mode scan was requested, setup the parameters
  if [ "$DIAG_SCAN" = "yes" ]; then
    RKHUNTER_FLAGS=" --checkall --run-application-check --skip-keypress --nocolors --quiet --append-log $TMPFILE1 "
  else
    RKHUNTER_FLAGS=" --cronjob "
  fi

  # Set a few critical parameters
  RKHUNTER=/usr/bin/rkhunter
  LOGFILE=/var/log/rkhunter.log

  # Run RootKit Hunter if available
  if [ -x $RKHUNTER ]; then
    /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
      > $TMPFILE1
    # Send stdout and stderr into the tempfile (the file redirection must come
    # before 2>&1, otherwise stderr bypasses the tempfile and goes to cron mail)
    /bin/nice -n 10 $RKHUNTER --update >> $TMPFILE1 2>&1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS >> $TMPFILE1 2>&1
    XITVAL=$?
    /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
      >> $TMPFILE1
    /bin/cat $TMPFILE1 | /bin/mail -s 'rkhunter Daily Run' $MAILTO
    /bin/cat $TMPFILE1 >> $LOGFILE
  fi

  # Delete the gating lockfile
  /bin/rm -f /var/lock/subsys/rkhunter
fi

# Delete the secure tempfile
/bin/rm -f $TMPFILE1

exit $XITVAL
################################

On Wed, 13 Sep 2006 15:36:03 +0200 (CEST), unspawn wrote:
> On Wed, 13 Sep 2006, Quinn Comendant wrote:
>
>> Hello!
>>
>> I have rkhunter running via cron.daily. Every day I receive a message
>> stating "[rkhunter] Warnings found for two.strangecode.com." I can't
>> seem to find why it is triggering.
>
> Me neither, though that doesn't mean I see everything.
> What's the contents of the cronjob?
>
>
> Cheers, unSpawn
From: Quinn C. <qu...@st...> - 2006-09-13 13:26:05
Hello!

I have rkhunter running via cron.daily. Every day I receive a message stating "[rkhunter] Warnings found for two.strangecode.com." I can't seem to find why it is triggering. Can someone please tell me what is wrong? I've attached the Daily Run output to this email.

I assume the warning is not a problem, but it is crying wolf -- how am I supposed to know if it is a *real* warning if I get this email every day?

Thanks,
Quinn

----- Begin forwarded message -----
From: Jamie S. <jam...@fe...> - 2006-08-29 10:07:07
Hi,

Yesterday I noticed that my daily RKHunter scan for one of my servers brought up the following errors:

/usr/sbin/prelink: /bin/login: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/login: at least one of file's dependencies has changed since prelinking
Line: [ BAD ]
/usr/sbin/prelink: /bin/su: at least one of file's dependencies has changed since prelinking
Line: [ BAD ]
[ BAD ]
Line: [ BAD ]
[ Warning! ]
* MD5 scan
MD5 compared : 49
Incorrect MD5 checksums : 2

This concerned me at first and I have been checking log files etc. for anything suspicious. However, I cannot find anything and running a full scan reports that everything is fine.

Could this be a false positive and, if so, what could have been the cause?

Many thanks,

--
Jamie Saunders
Interactive Developer
Featurecreep Ltd.
http://www.featurecreep.com
14 Orchard Street, Bristol, BS1 5EH
0117 905 5078
From: Trevor L. <tre...@4l...> - 2006-08-21 23:19:12
Hi

I'm using Redhat ES 3.0 Update 4 - I've updated httpd, chkconfig, openssl and openssh since then and am equivalent to Update 8 for these listed applications.

I ran rkhunter --checkall -createlogfile and received the following ...

Can I safely ignore the MD5 checksum failure on chkconfig on the grounds that the version in the database is older than the updated version on the server?

Can I also ignore the applications that RKHunter thinks are vulnerable and unpatched (even though the applications in question have been updated to the latest and greatest in reality)?

Thanks for any help you can provide in this.

[13:28:38] ---------------------------- MD5 hash tests ---------------------------
[13:28:38] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[13:28:49] No whitelisted MD5 hash found for /sbin/chkconfig
[13:28:50] RPM info: your package 'chkconfig-1.3.13.4-0.3'
[13:28:50] RPM info: packages in database: chkconfig-1.3.8-3 chkconfig-1.3.11-0.3 chkconfig-1.3.13.2-0.3
[13:31:49] ------------------------ Application advisories -----------------------
[13:31:50] ---------------------- Application version check ----------------------
[13:31:50] ----------------------------------------------------------
[13:31:50] Scanning Exim%%MTA...
[13:31:50] Application not found
[13:31:50] ----------------------------------------------------------
[13:31:50] Scanning GnuPG...
[13:31:50] /usr/bin/gpg found
[13:31:50] Version 1.2.1 seems to be vulnerable (if unpatched)!
[13:31:50] ----------------------------------------------------------
[13:31:50] Scanning Apache...
[13:31:50] /usr/sbin/httpd found
[13:31:50] Version 2.0.46 seems to be vulnerable (if unpatched)!
[13:31:50] ----------------------------------------------------------
[13:31:50] Scanning Bind%%DNS...
[13:31:50] Debug:
[13:31:50] /usr/sbin/named found
[13:31:50] Version 9.2.4 is available in non-vulnerable group and seems to be OK!
[13:31:50] ----------------------------------------------------------
[13:31:50] Scanning OpenSSL...
[13:31:50] /usr/bin/openssl found
[13:31:51] Version 0.9.7a seems to be vulnerable (if unpatched)!
[13:31:51] ----------------------------------------------------------
[13:31:51] Scanning PHP...
[13:31:51] /usr/bin/php found
[13:31:51] Version 4.3.2 seems to be vulnerable (if unpatched)!
[13:31:51] ----------------------------------------------------------
[13:31:51] Scanning Procmail%%MTA...
[13:31:51] /usr/bin/procmail found
[13:31:51] Version 3.22 is available in non-vulnerable group and seems to be OK!
[13:31:51] ----------------------------------------------------------
[13:31:51] Scanning ProFTPd...
[13:31:51] Application not found
[13:31:51] ----------------------------------------------------------
[13:31:51] Scanning OpenSSH...
[13:31:51] /usr/sbin/sshd found
[13:31:51] Version 3.6.1p2 seems to be vulnerable (if unpatched)!

Trevor Lee
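Added example (not code from this list or from the rkhunter project): a Python triage of the kind of log lines quoted in the two messages above, Jamie's prelink warnings and Trevor's MD5 test output. It relies on what Trevor's log shows, namely that rkhunter prints one "Hash NOT valid" line per non-matching database hash and a "hash valid" line once any hash matches, and it assumes the "RPM info" lines refer to the file logged just before them; the sample lines and MD5 values are constructed.

```python
"""Triage the per-file lines of an rkhunter 1.2.x 'MD5 hash tests' log.

The database can hold several hashes for one path (one per package version
it knows).  rkhunter logs 'Hash NOT valid' for every database hash that does
not match and 'hash valid, found in database' when one does, so a file only
needs attention when no hash matched at all.
"""
import re

# Constructed sample, shaped like the log lines quoted on this list
# (MD5 values are made up; the chkconfig package names are from the thread).
SAMPLE_LOG = """\
[13:28:38] /bin/cat Hash NOT valid (My MD5: 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f, expected: 1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a)
[13:28:38] /bin/cat hash valid, found in database
/usr/sbin/prelink: /bin/su: at least one of file's dependencies has changed since prelinking
[13:28:49] /bin/su Hash NOT valid (My MD5: 2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b, expected: 3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c)
[13:28:49] /sbin/chkconfig Hash NOT valid (My MD5: 4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d, expected: 5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e)
[13:28:49] /sbin/chkconfig Hash NOT valid (My MD5: 4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d, expected: 6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f)
[13:28:49] No whitelisted MD5 hash found for /sbin/chkconfig
[13:28:50] RPM info: your package 'chkconfig-1.3.13.4-0.3'
[13:28:50] RPM info: packages in database: chkconfig-1.3.8-3 chkconfig-1.3.11-0.3 chkconfig-1.3.13.2-0.3
[13:28:57] /usr/bin/file Hash NOT valid (My MD5: 7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a, expected: 8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b)
"""

TS = r"^\[\d\d:\d\d:\d\d\] "  # the [HH:MM:SS] prefix rkhunter puts on log lines
RE_NOT_VALID = re.compile(TS + r"(?P<path>\S+) Hash NOT valid "
                          r"\(My MD5: (?P<mine>[0-9a-f]{32}), expected: (?P<expected>[0-9a-f]{32})\)$")
RE_VALID = re.compile(TS + r"(?P<path>\S+) hash valid, found in database$")
RE_PRELINK = re.compile(r"^\S*prelink: (?P<path>\S+): (?P<msg>.+)$")
RE_MY_PKG = re.compile(TS + r"RPM info: your package '(?P<pkg>[^']+)'$")
RE_DB_PKGS = re.compile(TS + r"RPM info: packages in database: (?P<pkgs>.+)$")


def _new_entry():
    return {"mine": None, "expected": [], "matched": False,
            "prelink": None, "my_pkg": None, "db_pkgs": []}


def parse_log(text):
    """Group the log lines per path; returns {path: facts} in first-seen order."""
    files = {}
    current = None  # assumption: RPM info lines refer to the file logged just before them
    for line in text.splitlines():
        line = line.strip()
        m = RE_NOT_VALID.match(line)
        if m:
            e = files.setdefault(m["path"], _new_entry())
            e["mine"] = m["mine"]
            e["expected"].append(m["expected"])
            current = m["path"]
            continue
        m = RE_VALID.match(line)
        if m:
            files.setdefault(m["path"], _new_entry())["matched"] = True
            current = m["path"]
            continue
        m = RE_PRELINK.match(line)
        if m:
            files.setdefault(m["path"], _new_entry())["prelink"] = m["msg"]
            continue
        m = RE_MY_PKG.match(line)
        if m and current:
            files[current]["my_pkg"] = m["pkg"]
            continue
        m = RE_DB_PKGS.match(line)
        if m and current:
            files[current]["db_pkgs"] = m["pkgs"].split()
    return files


def classify(e):
    """Verdict for one file's facts."""
    if e["matched"]:
        return "ok"             # some database hash matched; the NOT valid lines are other versions
    if e["prelink"]:
        return "prelink-stale"  # prelink could not undo itself, so the hash is not comparable
    if e["my_pkg"] and e["my_pkg"] not in e["db_pkgs"]:
        return "pkg-not-in-db"  # installed package version is absent from the hash database
    return "unknown"            # no match and no explanation in the log: verify the file


def triage(text):
    """Map every path in the log to its verdict."""
    return {path: classify(facts) for path, facts in parse_log(text).items()}


def followups(text):
    """Paths still to be checked against the package manager (rpm -Vf <path>) or,
    for prelink-stale ones, re-hashed after prelink -u <path>, before the
    warning is trusted or dismissed."""
    return [p for p, v in triage(text).items() if v != "ok"]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:14s} {path}")
```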
From: Hack H. <hac...@gm...> - 2006-08-17 21:09:53
Well, the last action I did was add a new client and domain in plesk. I think that's the user and password it is talking about. But I don't understand why rkhunter shows red lines when I used plesk to create the accounts. hmmm

HH

On 8/18/06, Chuck Amadi Systems Administrator <ch...@sm...> wrote:
> Hi List
>
> Cheers for the reply I have digested the reply I do follow and use the
> said procedures.
>
> Cheers
>
> Chuck
>
> On Thu, 2006-08-17 at 13:39 +0200, unspawn wrote:
> > ervice hardening like remove unused SW, services and accounts, access
> > restrictions and monitoring, update when updates come out, a good
> > enough
> > logging trail, a working backup scheme and regularly auditing the box.
> --
> Unix/ Linux Systems Administrator
> Chuck Amadi
> The Surgical Material Testing Laboratory (SMTL),
> Princess of Wales Hospital
> Coity Road
> Bridgend,
> United Kingdom, CF31 1RQ.
> Email chuck.smtl.co.uk
> Tel: +44 1656 752820
> Fax: +44 1656 752830
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
From: Boyd L. G. <ge...@ze...> - 2006-08-17 16:43:44
> Hi Boyd Lynn Gerber
>
> My shell scripting a bit rusty but I got it to work.
> your hack snippet:

I posted it because it works as is for me. I know that on some versions of SUSE Linux people had problems after running the update. This has worked flawlessly for me on all OpenSUSE versions, SUSE Linux 10.0 and 10.1. So anyone should have been able to just cut between the lines and paste it in a file like 001rkhunter in /etc/cron.daily and it should have just run and done the update. The only problem is when a site is down. You get the error message. rkhunter still works, just the update failed for that day. The script runs just fine till it hits a site that is down. I never get the error 2 days in a row. I doubt that this adversely affects rkhunter.

Thanks for your work, but I will stay with my version for SUSE Linux 10.x.

> **************************** Start of Script *******************************
> #!/bin/sh
>
> MY_VERSION="`grep -i ^suse /etc/SuSE-release`"
> DBDIR="/share/store/rkhunter/rkhunter/files"
>
> if [ -e /usr/local/etc/rkhunter.conf ]; then
>   . /usr/local/etc/rkhunter.conf
> else
>   exit 1
> fi
>
> /usr/local/bin/rkhunter --update | /bin/mail -s 'rkhunter Daily update script' admin
>
> # Add an os.dat entry for this SUSE release if the hash database has none
> # (-eq is the POSIX sh integer test; == only works in bash)
> if [ `grep -c "${MY_VERSION}" ${DBDIR}/os.dat` -eq 0 ]; then
>   echo "999:${MY_VERSION}:/usr/bin/md5sum:/bin:" >> ${DBDIR}/os.dat
> fi
> ***************************** End of script *************************
>
> Cheers
>
> On Wed, 2006-08-16 at 12:54 -0600, Boyd Lynn Gerber wrote:
> > > Hello Chuck,
> > > On Tue, 15 Aug 2006, Chuck Amadi Systems Administrator wrote:
> > > > I have create the /etc/cron.daily/rkhunter
> > > Is this cronjob your own concoction or part of SuSE's rpm or a modified
> > > Rootkit Hunter contrib?
> > > > Fatal error: Problem while fetching file
> > >
> > > Doesn't indicate a path issue to me, more like an inaccessible mirror (at
> > > least mirror11 doesn't respond right now).
> > >
> > > * If you still think it's a path issue I could suggest checking it in
> > > detail by adding a debug flag within the cronjob for 1 run (set -x),
> > > prefix the rkhunter command with "sh -x" as well as adding 2>&1 error
> > > output redirection, this all for one cronjob run (don't run manually).
> > > Output will go to whichever account you configured with MAILTO=.
> > >
> > > If you are sure this isn't your own doing but a flaw in Rootkit Hunter and
> > > you can't find the error and fix it yourself (we do accept patches, TIA)
> > > then please *attach* the output and the cronjob.
> >
> > Below is the job I use. I get a similar error message when a site in the
> > rotation is down, otherwise everything works just fine.
> >
> > ---------------------------Cut-Here------------------------------------
> > #!/bin/sh
> >
> > MY_VERSION="`grep -i ^suse /etc/SuSE-release`"
> >
> > # rkhunter.conf supplies DBDIR, the directory holding os.dat
> > if [ -e /etc/rkhunter.conf ]; then
> >   . /etc/rkhunter.conf
> > else
> >   exit 1
> > fi
> >
> > /usr/bin/rkhunter --update | /bin/mail -s 'rkhunter Daily update' root
> >
> > # Add an os.dat entry for this SUSE release if the hash database has none
> > if [ `grep -c "${MY_VERSION}" ${DBDIR}/os.dat` -eq 0 ]; then
> >   echo "999:${MY_VERSION}:/usr/bin/md5sum:/bin:" >> ${DBDIR}/os.dat
> > fi
> > ---------------------------Cut-Here------------------------------------
> >
> > --
> > Boyd Gerber <ge...@ze...>
> > ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

--
Boyd Gerber <ge...@ze...>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
From: Chuck A. S. A. <ch...@sm...> - 2006-08-17 12:39:59
Hi List

Cheers for the reply. I have digested the reply; I do follow and use the said procedures.

Cheers

Chuck

On Thu, 2006-08-17 at 13:39 +0200, unspawn wrote:
> ervice hardening like remove unused SW, services and accounts, access
> restrictions and monitoring, update when updates come out, a good
> enough
> logging trail, a working backup scheme and regularly auditing the box.
--
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL),
Princess of Wales Hospital
Coity Road
Bridgend,
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830
From: Chuck A. S. A. <ch...@sm...> - 2006-08-17 10:52:56
Hi Boyd Lynn Gerber

My shell scripting is a bit rusty but I got it to work.

Your hack snippet:

**************************** Start of Script *******************************
#!/bin/sh

MY_VERSION="`grep -i ^suse /etc/SuSE-release`"
DBDIR="/share/store/rkhunter/rkhunter/files"

if [ -e /usr/local/etc/rkhunter.conf ]; then
  . /usr/local/etc/rkhunter.conf
else
  exit 1
fi

/usr/local/bin/rkhunter --update | /bin/mail -s 'rkhunter Daily update script' admin

# Add an os.dat entry for this SUSE release if the hash database has none
# (-eq is the POSIX sh integer test; == only works in bash)
if [ `grep -c "${MY_VERSION}" ${DBDIR}/os.dat` -eq 0 ]; then
  echo "999:${MY_VERSION}:/usr/bin/md5sum:/bin:" >> ${DBDIR}/os.dat
fi
***************************** End of script *************************

Cheers

On Wed, 2006-08-16 at 12:54 -0600, Boyd Lynn Gerber wrote:
> > Hello Chuck,
> > On Tue, 15 Aug 2006, Chuck Amadi Systems Administrator wrote:
> > > I have create the /etc/cron.daily/rkhunter
> > Is this cronjob your own concoction or part of SuSE's rpm or a modified
> > Rootkit Hunter contrib?
> > > Fatal error: Problem while fetching file
> >
> > Doesn't indicate a path issue to me, more like an inaccessible mirror (at
> > least mirror11 doesn't respond right now).
> >
> > * If you still think it's a path issue I could suggest checking it in
> > detail by adding a debug flag within the cronjob for 1 run (set -x),
> > prefix the rkhunter command with "sh -x" as well as adding 2>&1 error
> > output redirection, this all for one cronjob run (don't run manually).
> > Output will go to whichever account you configured with MAILTO=.
> >
> > If you are sure this isn't your own doing but a flaw in Rootkit Hunter and
> > you can't find the error and fix it yourself (we do accept patches, TIA)
> > then please *attach* the output and the cronjob.
>
> Below is the job I use. I get a similar error message when a site in the
> rotation is down, otherwise everything works just fine.
>
> ---------------------------Cut-Here------------------------------------
> #!/bin/sh
>
> MY_VERSION="`grep -i ^suse /etc/SuSE-release`"
>
> # rkhunter.conf supplies DBDIR, the directory holding os.dat
> if [ -e /etc/rkhunter.conf ]; then
>   . /etc/rkhunter.conf
> else
>   exit 1
> fi
>
> /usr/bin/rkhunter --update | /bin/mail -s 'rkhunter Daily update' root
>
> # Add an os.dat entry for this SUSE release if the hash database has none
> if [ `grep -c "${MY_VERSION}" ${DBDIR}/os.dat` -eq 0 ]; then
>   echo "999:${MY_VERSION}:/usr/bin/md5sum:/bin:" >> ${DBDIR}/os.dat
> fi
> ---------------------------Cut-Here------------------------------------
>
> --
> Boyd Gerber <ge...@ze...>
> ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
--
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL),
Princess of Wales Hospital
Coity Road
Bridgend,
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830
From: Chuck A. S. A. <ch...@sm...> - 2006-08-17 09:58:26

Hi

I am new to the list. I would guess that somewhere along the line a system or new user may have been added, deleted or modified. I assume if you're the gatekeeper you will have logs for your particular network and be able to work backwards and see what has changed.

I hope this helps, as I am also new to running rkhunter. I also run chkrootkit, which is very similar and also easy to set up. So I would also advise you to go to chkrootkit.org - http://chrootkit.org - version 46a is now available; run it, it's a great app, and they are best run together for tighter security.

Cheers

On Thu, 2006-08-17 at 11:50 +1200, Hack was here wrote:
> I ran my rkhunter today and found this
>
> System checks
> * Allround tests
>   Checking hostname...                                 Found. Hostname is localhost.localdomain
>   Checking for passwordless user accounts...           OK
>   Checking for differences in user accounts...         Found differences
>   Info:
>
> What does found differences mean and what do i have to do to remove
> that red line.
>
> thanks
> HH
>
> This email and any attachments may contain privileged and confidential
> information and are intended for the addressee only. If you have
> received this email in error, please notify the sender and delete this
> e-mail immediately. Any confidentiality, privilege or copyright is not
> waived or lost because this email has been sent to you in error. It is
> your responsibility to check this email and any attachments for
> viruses. No warranty is made that this material is free from any
> computer virus or any error. Any loss/damage incurred by using this
> material is not the sender's responsibility.

--
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL),
Princess of Wales Hospital
Coity Road
Bridgend,
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830
From: thierry.kisoka <thi...@la...> - 2006-08-17 07:24:28
From: Hack w. h. <hac...@gm...> - 2006-08-16 23:51:00

I ran my rkhunter today and found this

System checks
* Allround tests
  Checking hostname...                                 Found. Hostname is localhost.localdomain
  Checking for passwordless user accounts...           OK
  Checking for differences in user accounts...         Found differences
  Info:

What does found differences mean and what do i have to do to remove that red line.

thanks
HH
From: Hack w. h. <hac...@gm...> - 2006-08-16 23:34:04

i think mirror11 is not working.

----- Original Message -----
From: "Chuck Amadi Systems Administrator" <ch...@sm...>
To: "rkhunter" <rkh...@li...>
Sent: Wednesday, August 16, 2006 2:21 AM
Subject: [Rkhunter-users] Fatal error: Problem while fetching file

> Hi List
>
> I have installed and configured rkhunter 1.2.8 on three SuSE linux
> Enterprise (SLES9) servers Mail, Web and File/Document servers.
>
> I have created the /etc/cron.daily/rkhunter cron job which works but I
> get the following output error.
>
> This version: 1.2.8
> Latest version:
> Can't fetch latest version number.
>   Please check manually for updates
>
> Running updater...
>
> Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
> Using mirror http://mirror11.mirror.rkhunter.org
> [DB] Mirror file : ERROR
> Fatal error: Problem while fetching file
>
> Thus if I run from CLI command line ./rkhunter it works a treat.
>
> I have checked my path using echo $PATH and /usr/local/bin is there.
>
> I assume it's a path issue
>
> Please point me in the right direction.
>
> Cheers
> --
> Unix/ Linux Systems Administrator
> Chuck Amadi
> The Surgical Material Testing Laboratory (SMTL),
> Princess of Wales Hospital
> Coity Road
> Bridgend,
> United Kingdom, CF31 1RQ.
> Email chuck.smtl.co.uk
> Tel: +44 1656 752820
> Fax: +44 1656 752830
From: Boyd L. G. <ge...@ze...> - 2006-08-16 18:54:32

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hello Chuck,
>
> On Tue, 15 Aug 2006, Chuck Amadi Systems Administrator wrote:
> > I have created the /etc/cron.daily/rkhunter
> Is this cronjob your own concoction or part of SuSE's rpm or a modified
> Rootkit Hunter contrib?
>
> > Fatal error: Problem while fetching file
>
> Doesn't indicate a path issue to me, more like an inaccessible mirror (at
> least mirror11 doesn't respond right now).
>
> * If you still think it's a path issue I could suggest checking it in
> detail by adding a debug flag within the cronjob for 1 run (set -x),
> prefix the rkhunter command with "sh -x" as well as adding 2>&1 error
> output redirection, this all for one cronjob run (don't run manually).
> Output will go to whichever account you configured with MAILTO=.
>
> If you are sure this isn't your own doing but a flaw in Rootkit Hunter and
> you can't find the error and fix it yourself (we do accept patches, TIA)
> then please *attach* the output and the cronjob.

Below is the job I use. I get a similar error message when a site in the
rotation is down, otherwise everything works just fine.

- ---------------------------Cut-Here------------------------------------
#!/bin/sh

MY_VERSION="`grep -i ^suse /etc/SuSE-release`"

# rkhunter.conf supplies DBDIR, used below
if [ -e /etc/rkhunter.conf ]; then
    . /etc/rkhunter.conf
else
    exit 1
fi

/usr/bin/rkhunter --update | /bin/mail -s 'rkhunter Daily update' root

if [ `grep -c "${MY_VERSION}" ${DBDIR}/os.dat` -eq 0 ]; then
    echo "999:${MY_VERSION}:/usr/bin/md5sum:/bin:" >> ${DBDIR}/os.dat
fi
- ---------------------------Cut-Here------------------------------------

- --
Boyd Gerber <ge...@ze...>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFE42nhVtBjDid73eYRAiU1AJ4o6sVbfPmXa3QUGhe6UyogrrEMsgCghHPy
gbl23xvbiIzjPJwwIfpnLe0=
=ogfU
-----END PGP SIGNATURE-----
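The two checks the cron job above depends on, written out as an added example in POSIX sh (this is neither Boyd's nor Chuck's job, nor code from Rootkit Hunter): `update_status` reads the updater's output and tells the mirror fetch failure seen in this thread apart from a successful run, and `ensure_os_entry` appends the `999:<version>:/usr/bin/md5sum:/bin:` line to os.dat only when it is genuinely missing. The updater output and os.dat contents are constructed, the SLES 9 version string is assumed, and rkhunter itself is not run.

```sh
#!/bin/sh
# Added example (not the posted cron job, not rkhunter code): the two checks
# that job relies on, written so that an empty version string or a missing
# os.dat cannot silently misbehave. All file contents below are constructed.

# update_status OUTPUT_FILE
# Prints "mirror-error" when the updater output contains the fetch failure
# from this thread, "ok" when the mirror file was fetched, else "unknown".
update_status() {
    if grep -q 'Fatal error: Problem while fetching file' "$1"; then
        echo mirror-error
    elif grep -Eq '^\[DB\] Mirror file *: *(Up to date|Update available)' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# ensure_os_entry OS_DAT VERSION
# Prints "present" or "appended" after making sure OS_DAT has a line for
# VERSION (the same "999:<version>:/usr/bin/md5sum:/bin:" entry the posted
# job writes). Returns 1 without touching the file when VERSION is empty:
# "grep -c ''" counts every line, so the job would wrongly conclude the
# entry already exists whenever /etc/SuSE-release could not be read.
ensure_os_entry() {
    osdat=$1
    version=$2
    [ -n "$version" ] || { echo 'ensure_os_entry: empty version string' >&2; return 1; }
    [ -f "$osdat" ]   || { echo "ensure_os_entry: no such file: $osdat" >&2; return 1; }
    # match the version as a whole field, not as a substring of another entry
    if grep -qF -- ":${version}:" "$osdat"; then
        echo present
    else
        printf '999:%s:/usr/bin/md5sum:/bin:\n' "$version" >> "$osdat"
        echo appended
    fi
}

# --- constructed sample data (not real updater output or a real os.dat) ---
tmp=${TMPDIR:-/tmp}/rkh-update.$$
mkdir -p "$tmp"
cat > "$tmp/update-failed.log" <<'EOF'
Running updater...
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror11.mirror.rkhunter.org
[DB] Mirror file : ERROR
Fatal error: Problem while fetching file
EOF
cat > "$tmp/update-ok.log" <<'EOF'
Running updater...
Using mirror http://mirror14.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
EOF
printf '1:SUSE LINUX 10.0 (i586):/usr/bin/md5sum:/bin:\n' > "$tmp/os.dat"
sles9='SUSE LINUX Enterprise Server 9 (i586)'   # assumed /etc/SuSE-release line

echo "failed run : $(update_status "$tmp/update-failed.log")"
echo "good run   : $(update_status "$tmp/update-ok.log")"
echo "first run  : $(ensure_os_entry "$tmp/os.dat" "$sles9")"
echo "second run : $(ensure_os_entry "$tmp/os.dat" "$sles9")"
rm -rf "$tmp"
```

In a cron job the useful part is the status word: mail the full output only when it is not "ok", and the daily message stops burying the one run that actually failed. The empty-version guard matters because `grep -c ""` against os.dat returns the line count rather than 0, and a missing os.dat turns the posted `[ ... -eq 0 ]` into a shell syntax error rather than a clear message.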
From: Chuck A. S. A. <ch...@sm...> - 2006-08-15 13:24:55

Hi List

I have installed and configured rkhunter 1.2.8 on three SuSE linux Enterprise (SLES9) servers Mail, Web and File/Document servers.

I have created the /etc/cron.daily/rkhunter cron job which works but I get the following output error.

This version: 1.2.8
Latest version:
Can't fetch latest version number.
  Please check manually for updates

Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror11.mirror.rkhunter.org
[DB] Mirror file : ERROR
Fatal error: Problem while fetching file

Thus if I run from CLI command line ./rkhunter it works a treat.

I have checked my path using echo $PATH and /usr/local/bin is there.

I assume it's a path issue

Please point me in the right direction.

Cheers
--
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL),
Princess of Wales Hospital
Coity Road
Bridgend,
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830
From: Robin B. <rob...@ro...> - 2006-08-08 11:41:59

unspawn wrote:
> Hello Robin,
>
> On Tue, 8 Aug 2006, Robin Bowes wrote:
>> Anyway, I find that I'm getting a false positive on Fedora Core 5:
>
>> How would I go about modifying rkhunter to not report these files as +ve
>> tests?
>
> Here's a hint if that's enough for you: locate your rkhunter.conf and
> run grep -i hidden /some/dir/rkhunter.conf.

Heh, thanks.

Actually, after posting, I was looking in rkhunter.conf for other reasons and I saw the relevant lines.

For future reference, the answer to my question is:

Q. How do I tell rkhunter to ignore specific hidden directories and files which are reported as false positives?

A. Add lines to rkhunter.conf (in /etc/ on Fedora Core 5) as follows:

# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
# ALLOWHIDDENDIR=/dev/.udevdb

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
# ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz

R.
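An added example, not rkhunter's own code, of checking which paths from a hidden-files warning the whitelist actually covers before the next scan. It reads the ALLOWHIDDENDIR and ALLOWHIDDENFILE lines from an rkhunter.conf exactly as they stand, so a line that still begins with `#` is a comment and whitelists nothing. The config file and the reported paths below are constructed for the example (they mirror the paths discussed in this thread).

```sh
#!/bin/sh
# Added example (not rkhunter code): report which paths from a "hidden files"
# warning the ALLOWHIDDENDIR / ALLOWHIDDENFILE lines in rkhunter.conf cover.
# Only uncommented lines count: "# ALLOWHIDDENDIR=/x" is a comment and
# whitelists nothing. The config and the reported paths are constructed.

# active_values CONF SETTING
# Prints the value of every active "SETTING=value" line, one per line
# (leading whitespace is tolerated; a leading "#" is not).
active_values() {
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# classify_hidden CONF
# Reads reported paths on stdin, one per line; prints "allowed <path>" when
# an active whitelist line names exactly that path, else "inspect <path>".
classify_hidden() {
    conf=$1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if { active_values "$conf" ALLOWHIDDENDIR
             active_values "$conf" ALLOWHIDDENFILE; } | grep -qxF -- "$path"; then
            echo "allowed $path"
        else
            echo "inspect $path"
        fi
    done
}

# --- constructed sample config and scan result ---
tmp=${TMPDIR:-/tmp}/rkh-hidden.$$
mkdir -p "$tmp"
cat > "$tmp/rkhunter.conf" <<'EOF'
# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
# ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev
# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
# ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
EOF

# Only /dev/.udev is whitelisted: the man page line is still commented out,
# and nothing names /etc/.pwd.lock at all.
printf '%s\n' /dev/.udev /usr/share/man/man1/..1.gz /etc/.pwd.lock \
    | classify_hidden "$tmp/rkhunter.conf"
rm -rf "$tmp"
```

The exact-match (`grep -x`) comparison is deliberate: a whitelist entry should name one specific path that was inspected and explained, as Robin did with `rpm -qf`, rather than a prefix that would also hide anything added later under the same directory.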
From: Robin B. <rob...@ro...> - 2006-08-08 11:10:20

Hi,

I've just started using rkhunter, unfortunately just *after* getting root-kitted :(

Anyway, I find that I'm getting a false positive on Fedora Core 5:

* Filesystem checks
  Checking /dev for suspicious files...                      [ OK ]
  Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.udev
/usr/share/man/man1/..1.gz
/etc/.pwd.lock
---------------
Please inspect:  /dev/.udev (directory)  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)

/dev/.udev appears to be a bona fide directory containing device info for the udev subsystem.

/usr/share/man/man1/..1.gz is from the bash RPM:

# rpm -qf /usr/share/man/man1/..1.gz
bash-3.1-6.2

.pwd.lock was an empty file - I've deleted it:

-rw------- 1 root root 0 Apr 21 14:02 .pwd.lock

How would I go about modifying rkhunter to not report these files as +ve tests?

Thanks,

R.
From: Tim J. <jac...@ho...> - 2006-08-07 14:35:25

Hi and welcome to the rkhunter mailing list!

As far as I know, the 2 vulnerable applications refer to the application scan in the log:

> * Application scan
>   Checking Apache2 modules ...                              [ Not found ]
>   Checking Apache configuration ...                         [ OK ]
>
> * Application version scan
>   - GnuPG 1.4.1                                             [ Old or patched version ]
>   - Apache 2.0.54                                           [ OK ]
>   - Bind DNS 9.3.1                                          [ OK ]
>   - OpenSSL 0.9.7f                                          [ Old or patched version ]
>   - PHP 5.0.4                                               [ OK ]
>   - Procmail MTA 3.22                                       [ OK ]
>   - ProFTPd 1.2.10                                          [ OK ]
>   - OpenSSH 4.0p1                                           [ OK ]

As you can see, there are 2 applications that were scanned but not OK, since their versions are not the latest ones (which can indicate that you've applied a patch or you should upgrade them). In your case, it involves GnuPG and OpenSSL.

As for your other question: rkhunter has specific options to make it work without having to press enter (ie -sk, which is the same as --skip-keypress).

Best regards,
Tim

> Today's Topics:
>
>    1. Vulnerable applications: 2 (Pritesh Chandra)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 8 Jul 2006 12:14:38 +1200
> From: "Pritesh Chandra" <pri...@gm...>
> Subject: [Rkhunter-users] Vulnerable applications: 2
> To: <Rkh...@li...>
> Message-ID: <055e01c6a223$87f4a4b0$c901000a@pritesh>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi there. I am new to rkhunter. I got it installed and running on my
> server.
>
> I got "Vulnerable applications: 2" but i am not sure what it's talking
> about. can someone help me on this. also how can i avoid pressing the
> enter button after every step. i mean i type rkhunter -c and it does all
> the tests without me having to press the enter button about 5 times.
>
> thanks
From: Hack w. h. <hac...@gm...> - 2006-08-02 20:35:33

English please, thanks

----- Original Message -----
From: IART
To: rkh...@li...
Sent: Wednesday, August 02, 2006 4:33 PM
Subject: [Rkhunter-users] Ask how to improve your image.

Advertising Design

The old idea of communication, which held that there was only a sender-message-receiver, has been left behind. Now, new technologies give access to the logic of interactivity, in which we are not merely the spectators of an event but also its creators.

Multimedia opens up the fields of input and feedback for good communication, because with the dizzying speed of human activity the old communication schemes become ever less effective. The mix of audio, video, animation, navigation and visual impact makes multimedia a new element with countless qualities that can help the process of learning, intellectual development and entrete

Newsletter

I-magen.net launches its new website

August 1: launch of the new i-magen.net website. This new site will focus on online service for its clients and will feature new products and services for every need, with a logical and novel design that will make it one of the most useful sites for companies that need advertising and graphic services.

I-magen.net: new name, new image

iart is the new name under which we intend to position ourselves in the market. With the launch of the website an electronic brand-positioning campaign will begin; i-magen.net, with a new name and a new image, aims for greater recall and specific differentiators within the industry, achieving greater market penetration.

Telephone: 526-0867 Cell 316 357-8997 e-mail: in...@im...

© 2006 i-magen.net (iart) All rights reserved

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
-------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkh...@li...
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
From: IART <in...@im...> - 2006-08-02 09:33:20

Untitled document

http://www.imagenarte.net/

Advertising Design

The old idea of communication, which held that there was only a sender-message-receiver, has been left behind. Now, new technologies give access to the logic of interactivity, in which we are not merely the spectators of an event but also its creators.

Multimedia opens up the fields of input and feedback for good communication, because with the dizzying speed of human activity the old communication schemes become ever less effective. The mix of audio, video, animation, navigation and visual impact makes multimedia a new element with countless qualities that can help the process of learning, intellectual development and entrete

Newsletter

I-magen.net launches its new website

August 1: launch of the new i-magen.net website. This new site will focus on online service for its clients and will feature new products and services for every need, with a logical and novel design that will make it one of the most useful sites for companies that need advertising and graphic services.

I-magen.net: new name, new image

iart is the new name under which we intend to position ourselves in the market. With the launch of the website an electronic brand-positioning campaign will begin; i-magen.net, with a new name and a new image, aims for greater recall and specific differentiators within the industry, achieving greater market penetration.

Telephone: 526-0867 Cell 316 357-8997 e-mail: in...@im...

© 2006 i-magen.net (iart) All rights reserved
From: Clodoaldo P. <clo...@gm...> - 2006-07-30 14:12:56

I'm using FC5 and rkhunter 1.2.8-3.fc5. It is showing two warnings:

Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Running rkhunter updater... Sat, 29 Jul 2006 04:02:08 +0000
Mirrorfile /var/rkhunter/db/mirrors.dat rotated
Using mirror http://www.rootkit.nl/rkhunter
[DB] Mirror file : Update available
    Action: Database updated (current version: 2005050700, new version 2006041300)
[DB] MD5 hashes system binaries : Update available
    Action: Database updated (current version: 2006021400, new version 2006022800)
[DB] Operating System information : Update available
    Action: Database updated (current version: 2005102800, new version 2006051200)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Update available
    Action: Database updated (current version: 2006021400, new version 2006031400)
[DB] Known bad program versions : Update available
    Action: Database updated (current version: 2006021400, new version 2006031400)
Finished rkhunter updater.. Sat, 29 Jul 2006 04:02:14 +0000

Ready.

---------------------- Start Rootkit Hunter Scan ----------------------

Rootkit Hunter 1.2.8 is running
Sat, 29 Jul 2006 04:02:15 +0000

Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Regards,
Clodoaldo Pinto
From: Dennis D. <ddu...@ha...> - 2006-07-29 23:42:56

I get that all the time. Usually, I chalk it up to that route being too busy and I go to another mirror.

________________________________
From: rkh...@li... [mailto:rkh...@li...] On Behalf Of Hack was here
Sent: Wednesday, July 26, 2006 4:56 PM
To: Rkh...@li...
Subject: [Rkhunter-users] problems in mirror11 site

There might be some problems in mirror11 site. i tried to update and i got this.

Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror11.mirror.rkhunter.org
[DB] Mirror file : ERROR
Fatal error: Problem while fetching file

Ready.

[root@localhost hackwashere]# rkhunter --update
Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror14.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date

Ready.
From: Hack w. h. <hac...@gm...> - 2006-07-28 19:44:46

There might be some problems in mirror11 site. i tried to update and i got this.

Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror11.mirror.rkhunter.org
[DB] Mirror file : ERROR
Fatal error: Problem while fetching file

Ready.

[root@localhost hackwashere]# rkhunter --update
Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror14.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date

Ready.
From: <un...@hu...> - 2006-07-26 13:21:46

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fellow list members,

I am pleased to announce that Rootkit Hunter, the well-known security application, has a new project leader. Michael, the RKH developer and maintainer, steps down due to excessive time constraints. Having worked with him on RKH for some time now, for me this is a natural progression.

My first priority will be to make sure the much needed maintenance release is done RSN (approx. three weeks time) and getting a dev/test team together. In the near future the team will be working on rewriting and enhancing RKH as well as exploring a possible conversion to C++.

If you would like to support RKH as (medior or seasoned) shellscripter, (multi-arch) tester or whatever else you think the project could need, feel free to email me directly.

Cheers,
unSpawn

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkTHbSIACgkQ0ATLJGfCzcEF5QP/W9AHlcOTC2XTsItcYeVDifR8odkm
rVcOBaX/Uy9EGoGL63sZT2fey9+rqDFxNpeLDI6/rxh1ujT32noYmrb7E11++grNsdQb
E0c/zqqbg1X7wpdtCwLPDaBTrgwfDHMC3Rppr9bD9rl2Fh1/FxCXVWITb2c9gHsVpq9l
tac+8Uc=
=c11/
-----END PGP SIGNATURE-----