Mark Misulich wrote:
> Hi,
>> Actually, the system looks pretty clean to me. The four files
>> /usr/bin/groups, /usr/bin/ldd, /sbin/chkconfig, and /sbin/ifup
>> are very slightly concerning. As I mentioned, they may simply
>> be scripts on your system, and informing rkhunter about your
>> package manager may make those go away.
>
> The four scripts mentioned in your reply have been replaced by
> scripts, as determined by reading the log file.

I didn't say that they are scripts. What I said is that, on your system,
they may be scripts. "Hiding" behind scripts is one technique used by
rootkits. The script first does some funky thing, then also invokes the
"real" program. This may or may not be normal for your system.

Maybe I'm misreading what you intended. Do you mean to say that those four
files actually are scripts? If so, then rkhunter will complain. As I
mentioned above, that may or may not be a problem on your system.

> The /dev file readout
> /dev/shm/sysconfig/config-lo: ASCII text
> [23:28:37] /dev/shm/sysconfig/config-eth1: ASCII text
> [23:28:37] /dev/shm/sysconfig/config-eth0: ASCII text
> [23:28:37] /dev/shm/sysconfig/new-stamp-3: ASCII text
> [23:28:37] /dev/shm/sysconfig/new-stamp-2: ASCII text

This is interesting, but I don't know how to advise you on this. It may be
normal for your system. I suggest you join a mail echo which caters to your
version of Linux, and ask whether the existence of these ASCII files is
normal on your system. My system does not have a /dev/shm entry.

> I don't know what these particular readouts mean.
>
> As regards telling rkhunter that I have an rpm manager, I will need
> some instruction as to how to do that.

Do you use RPM, the Red Hat Package Manager? That helps me somewhat, if so,
since I also use a system with that. You can query RPM for the files listed
above, and find out where they come from, and what they should be. You can
also tell rkhunter to use the information RPM can provide. If you run
rkhunter like this

    # rkhunter -c --pkgmgr RPM

then rkhunter will get some extra information from RPM and use it to reduce
false positives. If you do use RPM, then I suggest that you use this means
to invoke it now. That may make the /dev and /usr/bin /usr/sbin warnings go
away, as rkhunter may be able to ascertain that it is normal for your
system. I have some scripts in /usr/bin which rkhunter complains about
unless I tell it about RPM.

You can also modify your configuration file /etc/rkhunter.conf to have the
line

    PKGMGR=RPM

in it. Look for a line like

    #PKGMGR=NONE

and add the new one just below that. Only do this if you actually use RPM.

You can also find out what package supplies those files. For example,

    $ rpm -qf /dev/shm/sysconfig/config-eth1
    $ rpm -qf /usr/bin/ldd

etc. Then, if you're concerned, you can get copies of the RPMs which contain
those, download them, and do a forced install, and see whether they change.
You can find lots of RPMs on rpm.pbone.net, perhaps the ones you need. Be
sure to save off copies first. In fact, I recommend that you do a full
backup of your system right away.

> You are right, there is no readout of a key logger in the present
> rkhunter readout. It was only present in the readout immediately
> after I had performed the system update. It went away with about 20
> or so other warnings when I did the propupdate. I don't know how to
> access previous logs, so if it is pertinent you will need to tell me
> how to access the log. It seems that the rkhunter log only contains
> the most current log.

Yes, that's correct. What you can do is uninstall and then reinstall
rkhunter. That should give you a "virgin" copy and report.

> I am not an IT guy, as most linux users are. I got into linux when
> microsoft stopped supporting the OS on my old computer some years
> ago. I have a reasonable user's understanding of linux, but I don't
> have the understanding of a professional IT guy.

I am not sure why you would think that most Linux users are IT guys. I'm
certainly not. I also don't see what the relevance is. No matter what OS
you run, you will have to do system maintenance. The fact that most users
of various versions of Windows don't know how, and never do any (except
complete system reloads), doesn't mean that it doesn't need to be done. If
Windows users knew to do, and how to do, system maintenance, they'd have
far fewer times when they have to do system reloads.

If you come from a Windows background, you probably don't know much, if
anything, about doing backups. If that is the case, then I strongly
recommend that you educate yourself about Linux backups and strategy. I
educated myself on this matter and wrote my own scripts, but you may prefer
to use a "pre-done" package like bacula or amanda. Installing one of them
may get you rolling sooner. I'm not familiar with either of them, but
people I respect use them.

While backups are not particularly related to rkhunter, rkhunter is one
part of a strategy for keeping your precious data safe. Another part is
doing backups. If you find your machine compromised, then the easiest way
to recover may be to start with a clean install, and then recover data from
backup.

A reasonable backup strategy is to do backups on a regular basis.
Infrequently, do a full system backup. Relatively frequently, do a
differential or incremental backup. Keep the most recent backup at your
site, for recovery of accidentally deleted files. Keep the others distant
from your computer. That way, if your house burns down, you don't lose your
data. What constitutes "infrequent" and "frequent" depends on how much data
you are willing to lose. I do full backups about every month or so, and do
incrementals about once a week. If I generate lots of data, then I do a
backup. Also, before doing "tweaks" to my system, I do a backup.

Don't trust your backup strategy until you have verified that you can
reliably recover your system.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
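The triage Mike describes (is the flagged file really a script, what does it invoke, which package owns it, does it still match that package) can be scripted. The following is an added example, not code from the rkhunter project or from either poster; the four paths are the ones named in the thread, the classification is by file magic, and the RPM queries (`rpm -qf`, `rpm -Vf`) are only run when `rpm` is installed. The absolute-path grep is a crude heuristic for spotting a wrapper script that calls the "real" program.

```sh
#!/bin/sh
# Added example: triage files rkhunter flagged as possibly replaced by scripts.
# Not part of rkhunter; rpm checks are skipped when rpm is not installed.

# Paths flagged in the thread.
FLAGGED="/usr/bin/groups /usr/bin/ldd /sbin/chkconfig /sbin/ifup"

# file_kind PATH : classify by the first four bytes.
# Prints "script" (#! header), "elf" (7f 45 4c 46), "other" or "missing".
file_kind() {
    f=$1
    [ -f "$f" ] || { echo missing; return 1; }
    hex=$(od -An -tx1 -N 4 "$f" | tr -d ' \n')
    case $hex in
        2321*)    echo script ;;   # "#!" shebang
        7f454c46) echo elf ;;      # ELF magic
        *)        echo other ;;
    esac
}

# script_calls PATH : show lines of a script that invoke an absolute path,
# i.e. where a wrapper would hand off to the "real" program. Heuristic only.
script_calls() {
    grep -nE '(^|[[:space:];&|])/[A-Za-z0-9_./-]+' "$1" | head -n 10
}

# rpm_check PATH : owning package plus any rpm -V findings for the file.
# rpm -V columns: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime. No output from rpm -V means the file matches its package.
rpm_check() {
    f=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$f: rpm not installed, skipping package check"
        return 0
    fi
    if ! pkg=$(rpm -qf "$f" 2>/dev/null); then
        echo "$f: not owned by any package"
        return 1
    fi
    echo "$f: owned by $pkg"
    rpm -Vf "$f" | grep -F " $f" || echo "$f: verifies clean against $pkg"
}

# triage : run the three checks over every flagged path.
triage() {
    for f in $FLAGGED; do
        kind=$(file_kind "$f")
        echo "== $f: $kind"
        [ "$kind" = script ] && script_calls "$f"
        [ "$kind" = missing ] || rpm_check "$f"
    done
}

if [ "$1" = run ]; then
    triage
fi
```

Run it as `sh triage.sh run` on the affected machine. A "script" verdict is not by itself a problem: on glibc systems /usr/bin/ldd genuinely is a shell script, which is exactly why an unowned or non-verifying file matters more than the file kind. A file that `rpm -qf` reports as unowned, or that `rpm -V` shows with a changed digest (`5`) and size (`S`), is the one to compare against a fresh copy of the package.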
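The full-plus-incremental cycle, with the restore check Mike insists on, as an added example that is neither his scripts nor code from bacula or amanda. It uses a timestamp file and `find -newer` to select files for each incremental, so it needs only POSIX tools plus `tar`; directory names and the `DEST` layout (full.tar, inc-NNN.tar, stamp) are assumptions. It does not record deletions between backups, which a real tool (GNU tar's `--listed-incremental`, or the packages named above) handles.

```sh
#!/bin/sh
# Added example: full + incremental backup with a restore-and-verify step.
# DEST must not live inside SRC, or the archive would contain itself.

# full_backup SRC DEST : archive all of SRC into DEST/full.tar. The stamp is
# touched before archiving so that anything modified during the run is
# picked up by the next incremental rather than lost.
full_backup() {
    src=$1 dest=$2
    mkdir -p "$dest"
    touch "$dest/stamp"
    tar -cf "$dest/full.tar" -C "$src" .
}

# incremental_backup SRC DEST N : archive files changed since the stamp into
# DEST/inc-NNN.tar (zero-padded so glob order equals backup order), then
# advance the stamp. The new stamp is created before the scan, again so a
# file changed mid-run is caught next time instead of skipped.
incremental_backup() {
    src=$1 dest=$2 n=$3
    absdest=$(cd "$dest" && pwd)
    name=$(printf 'inc-%03d' "$n")
    touch "$absdest/stamp.new"
    ( cd "$src" && find . -type f -newer "$absdest/stamp" ) > "$absdest/$name.list"
    if [ -s "$absdest/$name.list" ]; then
        tar -cf "$absdest/$name.tar" -C "$src" -T "$absdest/$name.list"
    else
        echo "nothing changed since last backup"
    fi
    mv "$absdest/stamp.new" "$absdest/stamp"
}

# restore DEST TARGET : replay the full archive, then every incremental in
# order, so newer copies overwrite older ones.
restore() {
    dest=$1 target=$2
    mkdir -p "$target"
    tar -xf "$dest/full.tar" -C "$target"
    for inc in "$dest"/inc-*.tar; do
        [ -e "$inc" ] || continue
        tar -xf "$inc" -C "$target"
    done
}

# verify LIVE RESTORED : compare checksum manifests of the two trees.
# Returns 0 only if every file matches; this is the "can I actually
# recover" test, run it before trusting the backup.
verify() {
    a=$(cd "$1" && find . -type f -exec cksum {} + | sort -k3)
    b=$(cd "$2" && find . -type f -exec cksum {} + | sort -k3)
    [ "$a" = "$b" ]
}

if [ "$1" = demo ]; then
    # Assumed paths: back up $HOME/data into /mnt/backup, restore to /tmp/check.
    full_backup "$HOME/data" /mnt/backup
    incremental_backup "$HOME/data" /mnt/backup 1
    restore /mnt/backup /tmp/check
    verify "$HOME/data" /tmp/check && echo "restore verified"
fi
```

The verify step compares the restored tree against the live one, which is fine immediately after a backup; for the off-site copies Mike describes, the same manifest (the `cksum` output) saved next to the archive lets you check a restore months later without the original.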
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users