On Thu, 2009-02-26 at 09:58 -0700, Jeff Poole wrote:

> So a server I maintain got broken into a few days ago, and I ran
> rkhunter as part of my attempt to figure out what the attackers actually
> did. It didn't find anything. The next day, I discover that sshd was
> clearly modified with a backdoor. The problem I have is that I realized
> I was running rkhunter 1.3.0 (which was the current version in the
> Ubuntu repository), not the newest 1.3.4. I've installed 1.3.4 in a
> directory, but is there any way to run it on the compromised file
> without actually having to copy the compromised sshd back to
> /usr/sbin/sshd?
>
> If someone tells me how to run it on that file, and rkhunter does NOT
> detect it, is there a process to submit the file so that it can be
> detected in the future?

Hello,
RKH doesn't really work that way. First of all you cannot specify it to work on a single file. It (currently) works on a static list of files as part of the file properties check.

Secondly, RKH checks a file against a previously known good state. RKH will tell you if a file has 'changed', but, as said, that requires it comparing the file to something else. In telling you that the file has changed it means the file's attributes (its size, checksum, permissions, dates/times etc.) have changed in some way.

You don't actually mention it, but were you running RKH on the server before it was broken into? If so, then you should have your baseline of the file attributes in the rkhunter.dat file.

Alternatively, if you are using Ubuntu then you could check your files using the package manager (see the '--pkgmgr dpkg' option), however you have to be sure that the package manager itself has not been corrupted.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk         Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
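The point John makes, that a file-properties check is only a comparison against a previously recorded baseline, is easy to see with a small script. The following is an added example, not rkhunter's code and not part of the original thread: it records the same kind of attributes John lists (size, checksum, permissions, owner, mtime) into a JSON baseline, then compares a file against that baseline. It also shows the case from the question, checking a copy of the suspect binary that has been moved out of `/usr/sbin` by comparing it against the baseline entry keyed by its original path. The `sshd` file, the baseline path and the "tampering" are all constructed inside a temporary directory.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Attributes a file-properties check typically records (assumption: this
# mirrors the kind of data rkhunter keeps, not its actual file format).
def file_properties(path):
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "size": st.st_size,
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),  # includes setuid/setgid bits
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }

def build_baseline(paths):
    """Record properties for a static list of files (the 'known good' state)."""
    return {p: file_properties(p) for p in paths}

def save_baseline(baseline, dat_path):
    with open(dat_path, "w") as f:
        json.dump(baseline, f, indent=1)

def load_baseline(dat_path):
    with open(dat_path) as f:
        return json.load(f)

def compare(baseline, original_path, current_path=None):
    """Return [(attribute, expected, actual), ...] for every attribute that
    differs. current_path lets you check a copy stored elsewhere against the
    baseline entry for its original location."""
    if original_path not in baseline:
        raise KeyError("no baseline entry for %s; nothing to compare against" % original_path)
    expected = baseline[original_path]
    actual = file_properties(current_path or original_path)
    return [(k, expected[k], actual[k]) for k in expected if expected[k] != actual[k]]

def demo():
    """Constructed scenario: baseline a fake 'sshd', tamper with it, then
    check both the file in place and a copy moved to a quarantine directory."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sshd")
        with open(target, "wb") as f:
            f.write(b"\x7fELF constructed stand-in for an sshd binary\n" * 64)
        os.chmod(target, 0o755)

        dat = os.path.join(d, "baseline.dat")
        save_baseline(build_baseline([target]), dat)
        clean = compare(load_baseline(dat), target)   # [] while untouched

        # Simulated modification: appended bytes plus a setuid bit.
        with open(target, "ab") as f:
            f.write(b"constructed extra bytes\n")
        os.chmod(target, 0o4755)

        # Check in place, then check a copy preserved with its metadata
        # (shutil.copy2 keeps mode and mtime) sitting in another directory.
        quarantine_dir = os.path.join(d, "quarantine")
        os.makedirs(quarantine_dir)
        copy_path = shutil.copy2(target, os.path.join(quarantine_dir, "sshd"))
        in_place = compare(load_baseline(dat), target)
        from_copy = compare(load_baseline(dat), target, current_path=copy_path)

        return {
            "clean": clean,
            "in_place": sorted(k for k, _, _ in in_place),
            "from_copy": sorted(k for k, _, _ in from_copy),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Without a baseline taken before the compromise there is nothing for `compare()` to report against, which is why the question of whether RKH was already installed matters. The package-manager route works the same way, with the package database as the baseline, and is only as trustworthy as that database and the `dpkg` binary themselves.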