Re: [Rkhunter-users] "Possible GasKit rootkit" ?

Fri, 22 Feb 2008 06:42:54 -0800 

On Fri, Feb 22, 2008 at 7:30 PM,  <[EMAIL PROTECTED]> wrote:

>  AFAIK GNU/Linux-only (haven't got this kit in my repo) and password
>  entry probably not much use without dev/dev/gaskit/.*. Wrt entry
>  itself, if it is in pwd.db it should be in master.* as well, right?

Not quite.
This is what I see in /etc/pwd.db, when I grep for sshdd:
00004fc0  1b 00 00 00 1b 00 00 00  00 00 00 00 00 73 73 68  |.............ssh|
00004fd0  64 20 70 72 69 76 73 65  70 00 2f 76 61 72 2f 65  |d privsep./var/e|
00004fe0  6d 70 74 79 00 2f 73 62  69 6e 2f 6e 6f 6c 6f 67  |mpty./sbin/nolog|
00004ff0  69 6e 00 00 00 00 00 00  00 00 00 31 73 73 68 64  |in.........1sshd|
00005000  64 00 f8 0f aa 0f a2 0f  5b 0f 54 0f 11 0f 0a 0f  |d.�.�.�.[.T.....|
00005010  bf 0e b7 0e 76 0e 6c 0e  1e 0e 15 0e d1 0d c8 0d  |�.�.v.l.....�.�.|
00005020  87 0d 7e 0d 3d 0d 34 0d  f3 0c ea 0c a9 0c a0 0c  |..~.=.4.�.�.�.�.|
There is no sshdd in master.passwd.
The user seems to not exist:
# whoami
root
# su sshdd
su: unknown login sshdd
#

>  If you stat master and pwd.db, do timestamps match?
# stat /etc/master.passwd
0 3042 -rw------- 1 root wheel 17448 12677 "Feb 22 22:07:15 2008" "Feb
22 22:02:56 2008" "Feb 22 22:02:56 2008" 16384 28 0 /etc/master.passwd
# stat /etc/pwd.db
0 3048 -rw-r--r-- 1 root wheel 13344 69632 "Feb 22 22:25:02 2008" "Feb
22 10:42:29 2008" "Feb 22 10:42:29 2008" 16384 136 0 /etc/pwd.db
# stat /etc/passwd
0 3049 -rw-r--r-- 1 root wheel 17408 6907 "Feb 22 10:42:29 2008" "Feb
22 10:42:29 2008" "Feb 22 10:42:29 2008" 16384 16 0 /etc/passwd
# stat /etc/spwd.db
0 3043 -rw-r----- 1 root _shadow 12200 81920 "Feb 22 22:31:44 2008"
"Feb 22 22:02:56 2008" "Feb 22 22:02:56 2008" 16384 160 0 /etc/spwd.db

>  Any useradd
>  logging and backups to support this?

As far as I can see, none.

Uwe
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users

Reply via email to