On Fri, 17 Mar 2006 13:01:44 +0100 (CET), "unspawn"
<un...@ro...> said:
> On Fri, 17 Mar 2006, Max Waterman wrote:
> > Mirrorfile /var/rkhunter/db/mirrors.dat rotated
> > Using mirror http://mirror01.mirror.rkhunter.org
> > [DB] Mirror file : ERROR
> > Fatal error: Problem while fetching file
>
> RKH chose to use mirror01.mirror.rkhunter.org for the update, and as I
> check now that's the only mirror site that's unavailable. Try
> making a backup of mirrors.dat, grep -v mirror01 backup > mirrors.dat and
> try updating.
>
>
> > * Filesystem checks
> > Checking /dev for suspicious files... [ OK ]
> > Scanning for hidden files... [ Warning! ]
> > ---------------
> > /dev/.udevdb /usr/share/man/man1/..1.gz /etc/.pwd.lock /etc/.java
> > ---------------
> > Please inspect: /dev/.udevdb (directory) /usr/share/man/man1/..1.gz
> > (gzip compressed data, from Unix, max compression) /etc/.java
> > (directory)
> > 2) I inspected the files/directories and they look 'ok', but I'm not
> > sure. What should I be looking for?
>
> Dot-files are called "hidden" files because you need to add extra flags to
> say ls to see them. Most of those dot-files are legitimate, but since it's
> also a common and simple way to make stuff a wee bit harder to find RKH
> alerts you for those.
>
> What you should be looking for is location, name, package. With location
> and suspicious names I mean any names you can't relate (using your
> distro's package mgmt tools) to any application as device, data directory,
> resource or preferences file. For instance /dev/.udevdb looks related to
> UDEV (but please check yourself),
I found this:
<http://linux.derkeiler.com/Mailing-Lists/Fedora/2005-11/1978.html>
> but dirname /usr/share/...sk definitely
> wouldn't be right.
gunzip -c ..1.gz
.so man1/builtins.1
The others were empty directories/files, so I removed them.
>
> That doesn't mean that a cracker couldn't use known names, so the best way
> is to have installed a file integrity checker like Aide, Samhain or even
> tripwire right after installation of the O.S. (save copy of the db
> off-site). Configured right and periodically used you'll have a separate,
> independent and more verbose report of changed files, a second opinion if
> you will.
I thought rkhunter did this... was I wrong? Too late for that now,
unfortunately. I suppose I could install it on a different machine
though... would that work?
Max.
>
> If you didn't install a file integrity checker then use "rpm -qf
> /some/file" to see what package it is in and verify the package contents.
> Note with rpm you can also use rpm's located at mirror sites for
> verification giving you more flexibility and certainty (unless mirror was
> subverted).
>
>
> HTH
>
> Cheers, unSpawn
>
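The triage unSpawn describes (location, name, package) can be scripted. The following is an added example, not code from the thread or from rkhunter: it parses the "hidden files" warning block quoted above (embedded as a constructed sample), flags names that are only visible with care (such as `..1.gz`), and asks `rpm -qf` who owns each path when rpm is installed; the owner lookup is injectable so it can be run elsewhere.

```python
import re
import shutil
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample: the rkhunter hidden-files warning block quoted in the thread.
SAMPLE_WARNING = """Scanning for hidden files... [ Warning! ]
---------------
/dev/.udevdb /usr/share/man/man1/..1.gz /etc/.pwd.lock /etc/.java
---------------
Please inspect: /dev/.udevdb (directory) /usr/share/man/man1/..1.gz
(gzip compressed data, from Unix, max compression) /etc/.java
(directory)
"""

def parse_hidden_paths(report: str) -> List[str]:
    """Return the absolute paths listed between the two dashed separator lines."""
    lines = report.splitlines()
    seps = [i for i, l in enumerate(lines) if re.fullmatch(r"-{3,}", l.strip())]
    if len(seps) < 2:
        return []
    body = " ".join(lines[seps[0] + 1:seps[1]])
    return [p for p in body.split() if p.startswith("/")]

def rpm_owner(path: str) -> Optional[str]:
    """Package owning PATH according to 'rpm -qf'; None if unowned or rpm is absent."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def triage(paths: List[str],
           owner: Callable[[str], Optional[str]] = rpm_owner) -> Dict[str, List[str]]:
    """Tag each path: 'odd-name' for dot-tricks, then 'packaged:<pkg>' or 'unowned'."""
    verdicts: Dict[str, List[str]] = {}
    for p in paths:
        base = p.rsplit("/", 1)[-1]
        tags = []
        # Names like '..1.gz', '...' or names with spaces are easy to overlook in ls output.
        if base.startswith("..") or base.strip(".") == "" or " " in base:
            tags.append("odd-name")
        pkg = owner(p)
        # A packaged file still needs 'rpm -V <pkg>' to confirm its contents are unchanged.
        tags.append(f"packaged:{pkg}" if pkg else "unowned")
        verdicts[p] = tags
    return verdicts
```

Anything tagged `unowned` is what the thread says to check by hand; `packaged:` entries should be followed by `rpm -V` on that package, since ownership alone does not prove the contents are intact.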