On Mon, 2009-12-14 at 08:19 +0100, Gouin Patrick wrote:
> Hi,
>
> I've looked through the code of rkhunter 1.3.6 and it seems to me that
> pre-processing is too aggressive in do_system_startup_file_checks():
> [snipped]
>
> In the computation of FOUNDSTRINGS, I believe that ${STR} and ${INFO}
> are always evaluated to the last element of RCLOCAL_STRINGS
> (/usr/bin/.etc:Dica-Kit Rootkit for 1.3.6) and not to the values related
> to STRING.
>
Thanks for reporting this. You are right. It seems to have been a bug introduced in the 1.3.4 version (and hence carried through).

Users will get a warning if something is found - which is at least a good thing - but it will report the wrong string and the wrong possible rootkit. The file it is found in will be correct though.

> Furthermore, I think the white list should be a
> RTKT_RCFILE_STRING_WHITELIST: suppose a file is white listed because it
> is known to contain an innocuous "sshdd", for example. If, then, it's
> infected with "/usr/bin/.etc", the result of the test will be "None
> found" in green on the screen.
> In my mind, the RTKT_RCFILE_STRING_WHITELIST should contain couples of
> RCfile:String.
>
Hmm, I see what you are saying. Yes, your suggestion would be better. I will see about putting this into the sourceforge bug tracker, or you can do it, so that it doesn't get forgotten about.

It is worth reminding users that we do suggest that any whitelisted rootkit file is added to the file properties check (via the USER_FILEPROP_FILES_DIRS option in the config file). In the instance described above, the rootkit file may well pass the malware test (because it is whitelisted), but should then fail on the file properties test if it does subsequently become part of an actual rootkit.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287
Fax: +44 (0)1752 587001
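The two points raised in the thread, the STR/INFO pairing bug and the file-only whitelist, shown together in a constructed sh example (not rkhunter's own code; the entry layout "string:description", the "file:string" whitelist layout and the function names scan_rc_file / is_whitelisted are assumptions, and the sample string list is made up):

```shell
#!/bin/sh
# Constructed example, not rkhunter's code. Each RCLOCAL_STRINGS entry is
# "string:description", one per line (assumed layout, values made up).
RCLOCAL_STRINGS='sshdd:Fake sshd entry
/usr/bin/.etc:Dica-Kit Rootkit'

# Whitelist of "file:string" pairs, one per line. A file listed here is
# exempt only for that string and is still checked for every other one.
RTKT_RCFILE_STRING_WHITELIST=''

is_whitelisted() {
    # $1 = startup file, $2 = string; true only for an exact file:string pair.
    while IFS= read -r entry; do
        [ "${entry}" = "$1:$2" ] && return 0
    done <<EOF
${RTKT_RCFILE_STRING_WHITELIST}
EOF
    return 1
}

scan_rc_file() {
    # $1 = startup file to scan. Prints one "file:string:description" line
    # per non-whitelisted hit; returns 0 if anything was found, else 1.
    rcfile="$1"
    found=1
    while IFS= read -r line; do
        [ -z "${line}" ] && continue
        # Split the entry currently being processed, so STR and INFO belong
        # to this string rather than to the last element of the list.
        STR="${line%%:*}"
        INFO="${line#*:}"
        grep -qF -- "${STR}" "${rcfile}" 2>/dev/null || continue
        is_whitelisted "${rcfile}" "${STR}" && continue
        printf '%s:%s:%s\n' "${rcfile}" "${STR}" "${INFO}"
        found=0
    done <<EOF
${RCLOCAL_STRINGS}
EOF
    return ${found}
}
```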