rkhunter-users Mailing List for Rootkit Hunter (Page 152)
From: John P. <jmp...@gm...> - 2006-06-06 01:40:54

I'm running rkhunter from the command line on 30+ Linux servers. I'd like to be able to pass a command line parameter to tell rkhunter to run the scan and mail the results to me...@my.... Is there a flag for this? I thought I saw a config file option but I'm looking for a quick and dirty way to get this done. Individual machine configuration will take place in the following week.

Thank you,
John Purser

--
Your motives for doing whatever good deed you may have in mind will be misinterpreted by somebody.
From: Charles E. M. <ce...@ki...> - 2006-05-29 14:26:13

Hi:

I'm receiving the following from my cron run and wondering if the hashes that are bad are an issue. I'm current in the version and ran the --update. Any help would be appreciated. Run as follows on a Linux Red Hat box:

Rootkit Hunter 1.2.8 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ BAD ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ OK ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced binaries or updated packages (which give other hashes). Be sure your hashes are fully updated (rkhunter --update). If you're in doubt about these hashes, contact the author (fill in the contact form).
--------------------------------------------------------------------------------
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Clean ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... Skipped!
Checking files attributes [ OK ]
Checking LKM module path [ Skipped! ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is hera.wysard.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files... Processing........................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.52 [ OK ]
- GnuPG 1.2.1 [ Old or patched version ]
- Apache [unknown] [ OK ]
- Bind DNS 9.2.1 [ Unknown ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.9 [ Old or patched version ]
- PHP 4.3.9 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.5p1 [ Old or patched version ]
Your system contains some unknown version numbers. Please run Rootkit Hunter with the --update parameter or fill in the contact form (www.rootkit.nl)
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 51
Incorrect MD5 checksums: 4
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 5
Scanning took 32 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas or suggestions? Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
-----------------------------------------------------------------

Charles E. Moran
ce...@ki...
From: Carlito - Ps2Fantasy.c. <ca...@ps...> - 2006-05-04 03:52:35

This has been a problem for a long time; it happened to me after I patched RH9 with the Fedora repository. This long-running thread might show you are not alone: http://forums.deftechgroup.com/archive/index.php/t-976.html
From: Jamie S. <jam...@fe...> - 2006-05-03 07:47:30

Hi all,

A couple of months ago I updated the linux-utils package via yum on my Fedora Core 2 box. Since then I get invalid checksums on several files and I receive the following output when running rkhunter on a cron using report-mode:

Line: [ BAD ]
Line: [ BAD ] [ BAD ]
Line: [ BAD ] [ BAD ]
Line: [ BAD ] [ BAD ]
Line: [ BAD ] [ BAD ]

Can anyone tell me if this is a bug in the software and these are most likely false positives? If so, are there any plans to release updated hashes?

Kind regards,

--
Jamie Saunders
Interactive Developer
Featurecreep Ltd
http://www.featurecreep.com
Tel: +44 (0)117 905 50 47
Fax: +44 (0)117 905 50 96
From: ajtiM <aj...@wi...> - 2006-05-02 23:19:20

On Tuesday 02 May 2006 08:38, unspawn wrote:
> On Tue, 2 May 2006, ajtiM wrote:
> > My system: Arch Linux, kernel 2.6.16.
> > I installed the last version and I have some problems:
>
> How did you install it? Distro package or original tarball from
> rootkit.nl? Any uncommon locations used? Anything else to add that might
> help? Could you run RKH as "sh -x rootkithunter (any args you normally
> use) --createlog 2>&1 | tee rkh.debug" and *attach* the log and debug
> output?
>
> Cheers, unSpawn

As I wrote before, I used the distro package. I uninstalled the distro package now and installed rkhunter with the installer, and it works now. I will report an error of the distro package on the Arch forum.

Thanks for help.
From: ajtiM <aj...@wi...> - 2006-05-02 11:41:48

Hi!

My system: Arch Linux, kernel 2.6.16.
I installed the last version and I have some problems:

rkhunter --update
Running updater...

/usr/bin/rkhunter: line 5002: /usr: is a directory

When I run rkhunter -c I got:

Rootkit Hunter 1.2.8 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find Location of md5
All MD5 checks will be skipped!
/usr/bin/rkhunter: line 2114: [: /usr: binary operator expected
/usr/bin/rkhunter: line 2136: /usr: is a directory
/usr/bin/rkhunter: line 2137: /usr: is a directoryChecking binaries
* Selftests
Strings (command)/usr/bin/rkhunter: line 2202: ${TMPDIR}/stringstest.dat: ambiguous redirect
strings: '/usr/lib/rkhunter/tmp/stringstest.dat': No such file
/usr/bin/rkhunter: line 2202: ${TMPDIR}/stringstest.dat: ambiguous redirect
strings: '/usr/lib/rkhunter/tmp/stringstest.dat': No such file
/usr/bin/rkhunter: line 2202: ${TMPDIR}/stringstest.dat: ambiguous redirect
strings: '/usr/lib/rkhunter/tmp/stringstest.dat': No such file
[ BAD ]

-----------------------------------------------------------------------------------
Expected (but not found) strings:
-----------------------------------------------------------------------------------

/usr/bin/rkhunter: line 2236: [: /usr: binary operator expected
From: John H. <joh...@pl...> - 2006-04-19 14:21:33

On Wed, 2006-03-29 at 21:48 +0200, unspawn wrote:
>
> Purpose: update RKH's defaulthashes.dat database when --update doesn't
> provide updates. Can be used to add new Linux distributions/releases to
> the os.dat database. If you do, please use "-m", review and post the info
> to this list and the maintainer.
> URI: http://www.rootshell.be/~unspawn/hashupd-1.2.sh.gz
> License: GPL
>
> Needs testing, any constructive feedback and "diff -u" welcome.
>
Hello,

Attached is a 'diff -u' patch, against the hashupd-1.3.sh file. I have tested this on FC5 and it works fine. I'll see about trying it on FC4 and FC3 later on. The patch includes changes which you may well have already done by now, so you may need to go through it bit by bit to make sure.

The patch fixes some minor bugs, caters for prelinked files, and corrects the os.dat file output to include the system model.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: Joh...@pl... Fax: +44 (0)1752 233839
From: Mark N. <ma...@no...> - 2006-04-17 22:17:13

John Horne wrote:
> On Mon, 2006-04-17 at 12:01 -0700, Mark Ness wrote:
>
>> I suspect this has been covered, but my archive search only turned up 2
>> "related" posts, and both were "RE's".
>> Since I upgraded from Fedora core 3 to 5, I've been getting this message.
>>
>> Warning: Cannot find md5_not_known
>> All MD5 checks will be skipped!
>>
>> The 2 posts I read said that skipping the hash check is not a good idea.
>> I found a thread (I believe on fedoraforum.org that suggested to wait
>> for updates.
>> Perhaps rkhunter was not quite up to speed yet for fc5 (paraphrasing).
>>
> Hello,
>
> Correct, rkhunter does not support FC5 yet. The script that
> has been talking about on the mailing list should make life easier, and
> more secure for unsupported O/S's, by allowing you to generate your own
> list of hashes for your new O/S. However, the script as initially
> written won't work with FC5. I have several patches for it which I will
> post to the list shortly. It will then work with FC5.
>
> John.
>
Thank you for the prompt reply. I suspected that this is what 'unspawn' was referring to, but the threads were not specific (I found no link to the original post). There is however no mention of where to FIND the script. Do you (or anybody else) have a link to it? A decent how-to would also be of great help. I am "growing", but I am still a Linux infant and know even less about scripts. Otherwise, I'll patiently await an update for FC5 support.

Thanks again
MN
From: Mark N. <ma...@no...> - 2006-04-17 19:01:52

I suspect this has been covered, but my archive search only turned up 2 "related" posts, and both were "RE's". Since I upgraded from Fedora core 3 to 5, I've been getting this message.

Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

The 2 posts I read said that skipping the hash check is not a good idea. I found a thread (I believe on fedoraforum.org) that suggested to wait for updates. Perhaps rkhunter was not quite up to speed yet for fc5 (paraphrasing). I would like to know if this is correct (that updates are just not available yet) or if this is in fact a problem on my machine?

Thanks in advance
MN

--
Rootkit Hunter 1.2.8
Running rkhunter updater...
Mon, 17 Apr 2006 04:01:53 -0700
Mirrorfile /var/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror14.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date
From: John H. <joh...@pl...> - 2006-04-15 19:20:43
|
On Wed, 2006-03-29 at 21:48 +0200, unspawn wrote:
>
> Since disabling hash check in RKH aint good and I see people complaining
> about this regularly I thought I'd throw in a wee helper app until there's
> a better solution (couldn't find anything like this, if it *is* there
> just tell me OK).
>

Hello,

The script is a good idea, and I'll produce a diff patch for some of the problems I've found with it. However, I've been thinking more about the actual problem of keeping machines up to date. As soon as the os.dat file is released again I would need to run the script again.

Would it not be better if the script produced 2 different files, for example, os.dat.local and defaulthashes.local, which contain just the data for the local host. Also, if the script is run again the files would just be overwritten; the os id number (field 1) could be set to -1 so as to avoid the need to generate a unique id that isn't used in the os.dat file.

The main rkhunter program would also need to be modified. It would run as normal using the os.dat/defaulthashes files, but if no records could be found for the local host then the '.local' files would be looked at. If they don't exist, have no data or can't be read, then rkhunter can just ignore them. It would then produce the usual 'unsupported O/S' error message and the sysadmin can sort out the problem.

Taking this even further though, I started to wonder why do we need an os.dat file? The only data I am interested in are the hashes of my local host and I should be able to produce those automatically from the script. All the other data in the os.dat file is irrelevant for my host. To that extent would it not be better to scrap the os.dat and defaulthashes files altogether? The rkhunter '--update' option is still required for the other data files though.

So to use rkhunter all that is required is to install the software (which has no os.dat/defaulthashes files); run the script to create the os.dat/defaulthashes files for the local host; then run rkhunter. The script then only needs to be run when the local host changes. There is no need to register new Linux versions or distributions, and the '--update' option is still required but only for the other data files.

Regards,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: Joh...@pl... Fax: +44 (0)1752 233839 |
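The per-host hash database with a '.local' fallback that the message above proposes, written out as an added example for this archive page. It is not rkhunter's own code: the record format (os_id:path:digest), the file names used in the demo and the "-1" sentinel are assumptions taken from the proposal, not the real os.dat/defaulthashes layout, and the digest is SHA-256 rather than the MD5 that rkhunter 1.2.8 used. The demo builds a baseline for constructed fake "binaries" in a temporary directory, tampers with one of them, and reports OK/BAD/UNKNOWN the way the proposal describes (UNKNOWN meaning no record anywhere, i.e. the hash check would be skipped for that file).

```python
"""Per-host hash baseline with a '.local' fallback, as sketched in the thread.

Added example, not rkhunter code. The record format below (os_id:path:digest)
is an assumption, not the real os.dat/defaulthashes layout.
"""
import hashlib
import os
import tempfile

HASH_ALGO = "sha256"   # rkhunter 1.2.8 used MD5; a fresh baseline should not
LOCAL_OS_ID = "-1"     # sentinel id for host-generated records (John's suggestion)


def hash_file(path, algo=HASH_ALGO):
    """Stream the file through the digest so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_local_db(paths, db_path):
    """Write one record per binary for this host. Re-running simply overwrites the file."""
    with open(db_path, "w") as out:
        for p in sorted(paths):
            out.write(f"{LOCAL_OS_ID}:{p}:{hash_file(p)}\n")


def load_db(db_path):
    """Return {path: digest}. A missing, unreadable or empty file yields {} and is ignored."""
    known = {}
    try:
        with open(db_path) as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                _os_id, rest = line.split(":", 1)
                path, digest = rest.rsplit(":", 1)  # rsplit tolerates ':' inside the path
                known[path] = digest
    except OSError:
        return {}
    return known


def expected_hash(path, central, local):
    """Central database first; the host-specific '.local' file only fills the gaps."""
    return central.get(path, local.get(path))


def check_binaries(paths, central, local):
    """OK / BAD per binary; UNKNOWN when neither database has a record (hash check skipped)."""
    results = {}
    for p in paths:
        expected = expected_hash(p, central, local)
        if expected is None:
            results[p] = "UNKNOWN"
        elif hash_file(p) == expected:
            results[p] = "OK"
        else:
            results[p] = "BAD"
    return results


def demo():
    """Constructed scenario: three fake 'binaries' in a temp dir, one tampered after baselining."""
    tmp = tempfile.mkdtemp(prefix="rkh-local-")
    bins = {}
    for name, content in (("ls", b"ls v1"), ("ps", b"ps v1"), ("netstat", b"netstat v1")):
        bins[name] = os.path.join(tmp, name)
        with open(bins[name], "wb") as fh:
            fh.write(content)
    local_db = os.path.join(tmp, "defaulthashes.local")
    build_local_db([bins["ls"], bins["ps"]], local_db)   # netstat deliberately left out
    with open(bins["ps"], "wb") as fh:                   # simulate a replaced binary
        fh.write(b"ps trojaned")
    central = load_db(os.path.join(tmp, "defaulthashes"))  # absent: no central records
    report = check_binaries(list(bins.values()), central, load_db(local_db))
    return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} {status}")
```

Because the local file is consulted only when the central database has no record, a later '--update' that starts shipping hashes for this host takes precedence automatically; the baseline file itself should be stored somewhere an attacker on the host cannot rewrite it, which is the same caveat that applies to any integrity checker's database.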
From: Mark G. S. <spe...@gm...> - 2006-04-10 16:21:30
|
Can it be effective to run Rootkit Hunter against a slave drive? I pulled out a drive that I suspect has been rootkitted and hooked it up as a slave to another workstation read-only. So the compromised OS is not "live." Thanks! |
From: Kent O. <fo...@ds...> - 2006-03-27 20:17:58
|
I found the problem. It was in /etc/sysconfig/rkhunter. I removed the "@localhost" from MAILTO=root@localhost

Thanks

unspawn wrote:
> On Sun, 26 Mar 2006, Kent Olsen wrote:
>
>> I changed the email in the rkhunter.conf and it did not change
>> anything. I then changed the email address in the /etc/cron.daily/01-rkhunter
>> file and it still doesn't work.
>
> OK. Then we've got to check some other things.
>
> How is RKH run on your system? Only from /etc/cron.daily/01-rkhunter
> or are there any other scripts that access it?
>
> How did you upgrade RKH, from tarball or an RPM? If from RPM, did you
> build it yourself or was it apt/yum/autoupdated from a repository? If
> you built it yourself, did you customise it or did you "rpm -tb
> tarball"? If the RPM was from a repo, what's the exact location of the
> package?
>
> The last thing to check is if we can find any "mail=" strings:
> grep -i .*mail.*= -r /etc /var/spool 2>/dev/null|tee /tmp/tee.$$
> Either spot it OTF or wade through /tmp/tee.$$ for clues. Can be a
> rather large list depending on your system (200 to 500 lines). If this
> doesn't turn up anything useful you could expand grep's scope to other
> parts of your FS like /usr or the search string to anything in the
> subject of the email (except dates of course).
>
> Finally, I'm still willing to help, but this isn't std RKH behaviour
> as far as I know, so please look around your system yourself
> (especially if grep didn't bring any good clues) and share any
> constructive comments, hints or clues you can come up with.
>
>
> Cheers, unSpawn |
From: Kent O. <fo...@ds...> - 2006-03-26 22:44:05
|
I changed the email in the rkhunter.conf and it did not change anything. I then changed the email address in the /etc/cron.daily/01-rkhunter file and it still doesn't work.

> ----- Original Message -----
> From: "unspawn" <un...@ro...>
> To: <rkh...@li...>
> Sent: Thursday, March 23, 2006 2:18 PM
> Subject: Re: [Rkhunter-users] Re:Email problem after upgade
>
>> On Thu, 23 Mar 2006, Kent Olsen wrote:
>>>> grep -i ^mail.*= /path/to/rkhunter.conf /etc/cron.daily/01-rkhunter
>>>> /etc/cron.d/run_rkhunter
>>>
>>> When I run the command I get: grep: /etc/cron.d/run_rkhunter: No such
>>> file or directory
>>
>> Just means you didn't use the contributed run_rkhunter script, no
>> problem.
>> Were you able to locate the email address in the config and/or cronjob?
>>
>>
>> Cheers, unSpawn |
From: Max W. <dav...@fa...> - 2006-03-25 00:47:10
|
On Fri, 17 Mar 2006 13:01:44 +0100 (CET), "unspawn" <un...@ro...> said:
> On Fri, 17 Mar 2006, Max Waterman wrote:
> > Mirrorfile /var/rkhunter/db/mirrors.dat rotated
> > Using mirror http://mirror01.mirror.rkhunter.org
> > [DB] Mirror file : ERROR
> > Fatal error: Problem while fetching file
>
> RKH chose to use mirror01.mirror.rkhunter.org for the update, and as I
> check now that's the only mirror site that's unavailable. Try
> making a backup of mirrors.dat, grep -v mirror01 backup > mirrors.dat and
> try updating.
>
> > * Filesystem checks
> > Checking /dev for suspicious files... [ OK ]
> > Scanning for hidden files... [ Warning! ]
> > ---------------
> > /dev/.udevdb
> > /usr/share/man/man1/..1.gz
> > /etc/.pwd.lock
> > /etc/.java
> > ---------------
> > Please inspect: /dev/.udevdb (directory) /usr/share/man/man1/..1.gz
> > (gzip compressed data, from Unix, max compression) /etc/.java
> > (directory)
> > 2) I inspected the files/directories and they look 'ok', but I'm not
> > sure. What should I be looking for?
>
> Dot-files are called "hidden" files because you need to add extra flags to
> tell ls to show them. Most of those dot-files are legitimate, but since it's
> also a common and simple way to make stuff a wee bit harder to find, RKH
> alerts you for those.
>
> What you should be looking for is location, name, package. With location
> and suspicious names I mean any names you can't relate (using your
> distro's package mgmt tools) to any application as device, data directory,
> resource or preferences file. For instance /dev/.udevdb looks related to
> UDEV (but please check yourself),

I found this : <http://linux.derkeiler.com/Mailing-Lists/Fedora/2005-11/1978.html>

> but dirname /usr/share/...sk definitely
> wouldn't be right.

gunzip -c ..1.gz
.so man1/builtins.1

The others were empty directories/files, so I removed them.

> That doesn't mean that a cracker couldn't use known names, so the best way
> is to have installed a file integrity checker like Aide, Samhain or even
> tripwire right after installation of the O.S. (save copy of the db
> off-site). Configured right and periodically used you'll have a separate,
> independent and more verbose report of changed files, a second opinion if
> you will.

I thought rkhunter did this...was I wrong? Too late for that now, unfortunately. I suppose I could install it on a different machine though...would that work?

Max.

> If you didn't install a file integrity checker then use "rpm -qf
> /some/file" to see what package it is in and verify the package contents.
> Note with rpm you can also use rpm's located at mirror sites for
> verification giving you more flexibility and certainty (unless mirror was
> subverted).
>
>
> HTH
>
> Cheers, unSpawn |
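The triage the reply above describes (location, name, package) as an added example for this archive page, not rkhunter code: walk the directories rkhunter flagged, list every dot-named entry with its type, and ask the package manager whether an installed package owns it; whatever is unowned is the list a human still has to relate to an application or remove. The real lookup shells out to `rpm -qf`; the demo builds a constructed tree with the same names as the warning in the thread and injects a made-up ownership table in place of rpm, so it runs on any machine and its results say nothing about the real packages.

```python
"""Triage of dot-named ('hidden') filesystem entries: type plus package ownership.

Added example, not rkhunter code. rpm_owner() is the real lookup; demo() uses a
constructed ownership table instead so the example runs without rpm.
"""
import os
import subprocess
import tempfile


def find_hidden(roots):
    """Every file or directory whose name starts with '.' under the given roots."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if name.startswith("."):
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def rpm_owner(path):
    """Package owning path according to 'rpm -qf', or None if unowned / rpm unavailable."""
    try:
        proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    except OSError:
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def entry_kind(path):
    """Symlinks are reported before directories: a dot-named link into /tmp is worth a look."""
    if os.path.islink(path):
        return "symlink"
    if os.path.isdir(path):
        return "directory"
    return "file"


def triage(paths, owner_lookup=rpm_owner):
    """{path: (kind, owner)}; owner is None when no package claims the entry."""
    return {p: (entry_kind(p), owner_lookup(p)) for p in paths}


def needs_inspection(report):
    """Unowned entries, sorted: the ones to relate by hand to an application or remove."""
    return sorted(p for p, (_kind, owner) in report.items() if owner is None)


def demo():
    """Constructed tree mirroring the names in the warning; the owner table is made up."""
    tmp = tempfile.mkdtemp(prefix="rkh-hidden-")
    os.makedirs(os.path.join(tmp, "dev", ".udevdb"))
    os.makedirs(os.path.join(tmp, "etc", ".java"))
    os.makedirs(os.path.join(tmp, "usr", "share", "man", "man1"))
    open(os.path.join(tmp, "etc", ".pwd.lock"), "wb").close()
    with open(os.path.join(tmp, "usr", "share", "man", "man1", "..1.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b")  # gzip magic only; the content does not matter here

    fake_owners = {"..1.gz": "bash", ".udevdb": "udev"}  # constructed, not real rpm -qf output

    def fake_lookup(path):
        return fake_owners.get(os.path.basename(path))

    roots = [os.path.join(tmp, d) for d in ("dev", "etc", "usr")]
    report = triage(find_hidden(roots), fake_lookup)
    by_name = {os.path.basename(p): v for p, v in report.items()}
    todo = [os.path.basename(p) for p in needs_inspection(report)]
    return by_name, todo


if __name__ == "__main__":
    by_name, todo = demo()
    for name, (kind, owner) in by_name.items():
        print(f"{name:12s} {kind:10s} {owner or '(unowned)'}")
    print("inspect:", todo)
```

On a live system call `triage(find_hidden(["/dev", "/etc", "/usr"]))` with the default `rpm_owner`; note that `rpm -qf` trusts the local rpm database, so on a box you already suspect, compare against `rpm -Vp` with a package fetched from a mirror, as the reply suggests.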
From: Kent O. <fo...@ds...> - 2006-03-23 20:22:23
|
> On Wed, 22 Mar 2006, Kent Olsen wrote:
>
>> Where do I change the email address that the daily report is sent to?
>
> grep -i ^mail.*= /path/to/rkhunter.conf /etc/cron.daily/01-rkhunter
> /etc/cron.d/run_rkhunter
>
>
> Cheers, unSpawn

When I run the command I get: grep: /etc/cron.d/run_rkhunter: No such file or directory |
From: Kent O. <fo...@ds...> - 2006-03-22 15:21:42
|
I upgraded to the latest version of rkhunter. Now the daily emails I receive are sent to a different email address. Where do I change the email address that the daily report is sent to? I'm running Fedora 4. Thanks |
From: pi <zi...@al...> - 2006-03-19 12:01:38
|
Hi.

Running rkhunter with the latest updates on my fully updated FC4 system gives me nothing unusual at all. But in mail-log this shows up:

Date: Sun, 19 Mar 2006 11:37:42 +0100
From: root <root@tilda.localdomain>
To: root@tilda.localdomain
Subject: [rkhunter] Warnings found for tilda.localdomain

Please inspect this machine, because it can be infected

Anyone who can help? chkrootkit doesn't show anything unusual either.

Regards
pi |
From: Max W. <dav...@fa...> - 2006-03-17 01:43:58
|
After a recent update (using smartpm configured to use atrpms), I'm running Rootkit Hunter 1.2.8 on fc4 on an x86_64 (AMD). I've recently been getting these messages in my reports:

"
Running rkhunter updater... Thu, 16 Mar 2006 04:02:25 +0800
Mirrorfile /var/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror01.mirror.rkhunter.org
[DB] Mirror file : ERROR
Fatal error: Problem while fetching file
Finished rkhunter updater.. Thu, 16 Mar 2006 04:02:27 +0800
Ready.
"

...

"
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udevdb
/usr/share/man/man1/..1.gz
/etc/.pwd.lock
/etc/.java
---------------
Please inspect: /dev/.udevdb (directory) /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /etc/.java (directory)
"

1) I'm not sure why the updater is failing - any ideas?

2) I inspected the files/directories and they look 'ok', but I'm not sure. What should I be looking for?

Max. |
From: John H. <joh...@pl...> - 2006-02-17 16:43:07
|
On Fri, 2006-02-17 at 17:18 +0100, unspawn wrote:
>
> On Fri, 17 Feb 2006, John Horne wrote:
> > Using RKhunter 1.2.8 on Solaris 9, with the --report-warnings-only
> > option gives an error:
> > expr: non-numeric argument
>
> Since Ksh does have variable $SECONDS, changing line 4846
>
> if [ ${OPERATING_SYSTEM} = "AIX" ] ; then
>
> to read
>
> if [ ${OPERATING_SYSTEM} = "AIX" -o ${OPERATING_SYSTEM} = "SunOS" ]; then
>
> should do it, right?
>
Yes. I have tried this and it works fine.

>
> > This last test fails. Under Solaris 'date +%s' does nothing, ENDTIME
> > gets set to '%s', and subsequently the expr fails because '%s' is not
> > numeric.
>
> Under Linux and BSD 'date +%s' shows seconds since start of epoch,
> how does Solaris show that?
>
As far as I can tell it doesn't. I can see nothing in the date/strftime man pages saying anything about a format for the seconds from the start of epoch.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: Joh...@pl... Fax: +44 (0)1752 233839 |
From: John H. <joh...@pl...> - 2006-02-17 14:49:42
|
Hello,

Using RKhunter 1.2.8 on Solaris 9, with the --report-warnings-only option gives an error:

expr: non-numeric argument

The problem seems to be that the code detects Solaris and switches to using the KSH shell. It then checks (line 311):

case `uname` in
AIX|SunOS) BEGINTIME=$SECONDS

which is fine, but at the end (line 4846) it does:

if [ ${OPERATING_SYSTEM} = "AIX" ] ; then
ENDTIME=$SECONDS
else
ENDTIME=`date +%s`
fi
TOTALTIME=`expr ${ENDTIME} - ${BEGINTIME}`

This last test fails. Under Solaris 'date +%s' does nothing, ENDTIME gets set to '%s', and subsequently the expr fails because '%s' is not numeric.

Regards,

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: Joh...@pl... Fax: +44 (0)1752 233839 |
From: Carlito - Ps2Fantasy.c. <ca...@ps...> - 2006-01-29 14:54:19
|
Hello unSpawn, thanks for the feedback.

Unfortunately, just before we ran rkhunter and got those positives we also had installed the r-fx network "les" tool, a tool that changes the attributes of the main executables to make them available only to root. So, tripwire reported positives, since it checks for file attributes, on all those executables affected by the tool, which included those I am getting positives for.

rpm -V returns ".M...... /usr/bin/write", file mode change...

Thanks

> ----- Original Message -----
> From: "unspawn" <un...@ro...>
> To: "Carlito - Ps2Fantasy.com" <ca...@ps...>
> Cc: <rkh...@li...>
> Sent: Sunday, January 29, 2006 2:51 PM
> Subject: Re: [Rkhunter-users] RkHunter reports positives after patches
>
>
>> Hello Carlito,
>>
>> On Sun, 29 Jan 2006, Carlito - Ps2Fantasy.com wrote:
>>> We have a report on one server of some positives; the machine has rh9
>>> patched every time a new fedora legacy update comes out.
>>>
>>> These are the positives we are getting:
>>>
>>> /bin/dmesg [ BAD ]
>>> /bin/kill [ BAD ]
>>> /bin/login [ BAD ]
>>> /bin/mount [ BAD ]
>>
>> See if the util-linux rpm itself checks out fine (use "rpm -V util-linux"
>> or with -p and RPM from mirror).
>>
>> * If you already run a filesystem integrity checker like Aide, Samhain or
>> even tripwire (and you keep a copy of the database off-site) it would be
>> good to check, just to be sure.
>>
>>
>> Cheers, unSpawn |
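Reading `rpm -V` output column by column is what separates the two cases in the exchange above: a mode-only line such as ".M...... /usr/bin/write" is the trace a permission-hardening tool leaves, while a "5" in the digest column (or "S" in the size column) means the bytes on disk are no longer the package's bytes. The parser below is an added example for this archive page, not rpm or rkhunter code. The column meanings are rpm's documented ones (S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime, and P capabilities on newer rpm, with "." for a match and "?" for untestable); it accepts both the 8-column layout of the era and the 9-column one, and the sample report it summarises is constructed, not taken from the thread.

```python
"""Parse 'rpm -V' output and sort lines into content changes vs metadata-only changes.

Added example, not rpm or rkhunter code. Column layout per rpm's documentation;
SAMPLE is constructed input, not output from the machine in the thread.
"""
from dataclasses import dataclass, field

FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "link", "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}


@dataclass
class VerifyLine:
    path: str
    status: str                      # 'changed' or 'missing'
    flags: set = field(default_factory=set)
    attr: str = ""                   # file attribute marker, e.g. 'c' for a %config file

    @property
    def content_changed(self):
        """Digest or size differ: the bytes on disk are not the package's bytes."""
        return bool(self.flags & {"5", "S"})

    @property
    def metadata_only(self):
        """Something differs (mode, owner, mtime, ...), but not the file contents."""
        return bool(self.flags) and not self.content_changed


def parse_verify_line(line):
    """Parse one line of 'rpm -V' output; returns None for blank lines."""
    line = line.rstrip("\n")
    if not line.strip():
        return None
    parts = line.split(None, 2)      # <columns> [<attr>] <path>; path may contain spaces
    rest = parts[1:]
    if len(rest) == 2 and len(rest[0]) == 1:
        attr, path = rest
    else:
        attr, path = "", " ".join(rest)
    if parts[0] == "missing":
        return VerifyLine(path=path, status="missing", attr=attr)
    cols = parts[0]
    if len(cols) not in (8, 9) or any(c not in ".?" and c not in FLAG_NAMES for c in cols):
        raise ValueError(f"not an rpm -V line: {line!r}")
    flags = {c for c in cols if c in FLAG_NAMES}
    return VerifyLine(path=path, status="changed", flags=flags, attr=attr)


def parse_verify_output(text):
    return [v for v in (parse_verify_line(l) for l in text.splitlines()) if v is not None]


def summarize(text):
    """Bucket a report: 'content' needs forensics or a reinstall, 'metadata' may be deliberate."""
    summary = {"content": [], "metadata": [], "missing": []}
    for v in parse_verify_output(text):
        if v.status == "missing":
            summary["missing"].append(v.path)
        elif v.content_changed:
            summary["content"].append(v.path)
        else:
            summary["metadata"].append(v.path)
    return summary


# Constructed sample in rpm's format; the paths and results are illustrative only.
SAMPLE = """\
.M......  /usr/bin/write
.M......  /bin/mount
S.5....T  c /etc/login.defs
missing   /usr/bin/wall
..5.....  /bin/login
"""

if __name__ == "__main__":
    for bucket, paths in summarize(SAMPLE).items():
        print(f"{bucket:9s} {paths}")
```

Feed it `rpm -V util-linux` (or `rpm -Vp <package.rpm>` against a copy fetched from a mirror, so the verification does not depend on the local rpm database) and look at the "content" bucket first; a mode-only bucket that matches the files a hardening tool touched is consistent with the explanation given in the message, while a digest mismatch on /bin/login is not.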
From: Carlito - Ps2Fantasy.c. <ca...@ps...> - 2006-01-29 05:20:22
|
Hello all.

We have a report on one server of some positives; the machine has rh9 patched every time a new fedora legacy update comes out.

These are the positives we are getting:

/bin/dmesg [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/mount [ BAD ]

What should we do?

Thanks. |