Dear all

Any help you can give me will be greatly appreciated. I am new at this, so may I 
humbly ask for your patience. 

My OS is Mac OSX 10.5.8, and so far I haven't had any problems. I also have 
Parallels 5 with Windows XP installed.

Today I ran rkhunter-1.3.6, first with --propupd, and got:

sudo rkhunter --propupd
[ Rootkit Hunter version 1.3.6 ]
File updated: searched for 156 files, found 83, missing hashes 83

=> Are the missing hashes a problem for the check?
=> Secondly, I could not use "rkhunter --propupd --pkgmgr" because I 
   do not know the name of the package manager in Mac OSX 10.5.8.


When running the check, it found the "Dica-Kit Rootkit", here is an excerpt of 
the log file:

[15:01:32] Checking for Dica-Kit Rootkit...
[15:01:32]   Checking for file '/lib/.sso'                   [ Not found ]
[15:01:32]   Checking for file '/lib/.so'                    [ Not found ]
[15:01:32]   Checking for file '/var/run/...dica/clean'      [ Not found ]
[15:01:32]   Checking for file '/var/run/...dica/dxr'        [ Not found ]
[15:01:32]   Checking for file '/var/run/...dica/read'       [ Not found ]
[15:01:32]   Checking for file '/var/run/...dica/write'      [ Not found ]
[15:01:32]   Checking for file '/var/run/...dica/lf'         [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/xl'         [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/xdr'        [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/psg'        [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/secure'     [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/rdx'        [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/va'         [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/cl.sh'      [ Not found ]
[15:01:33]   Checking for file '/var/run/...dica/last.log'   [ Not found ]
[15:01:33]   Checking for file '/usr/bin/.etc'               [ Not found ]
[15:01:33]   Checking for file '/etc/sshd_config'            [ Found ]
[15:01:33]   Checking for file '/etc/ssh_host_key'           [ Not found ]
[15:01:33]   Checking for file '/etc/ssh_random_seed'        [ Not found ]
[15:01:33]   Checking for directory '/var/run/...dica'       [ Not found ]
[15:01:33]   Checking for directory '/var/run/...dica/mh'    [ Not found ]
[15:01:34]   Checking for directory '/var/run/...dica/scan'  [ Not found ]
[15:01:34] Warning: Dica-Kit Rootkit                         [ Warning ]
[15:01:34]          File '/etc/sshd_config' found

I then checked the file '/etc/sshd_config' but did not know what to look for.


Then the test continued and there was warning no. 2:

[15:02:38]   Performing check for possible rootkit strings
[15:02:38] Info: Starting test name 'possible_rkt_strings'
[15:02:38] Info: Using system startup paths: /etc/rc.d /etc/rc.local 
/usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start /etc/init.d 
/etc/inittab
[15:02:38] Warning: Checking for possible rootkit strings    [ Warning ]
[15:02:39]          No system startup files found.


And warning no. 3:

[15:06:08] Performing system boot checks
[15:06:08] Info: Starting test name 'startup_files'
[15:06:08]   Checking for local host name                    [ Found ]
[15:06:08] Info: Starting test name 'startup_malware'
[15:06:08]   Checking for system startup files               [ Warning ]
[15:06:08] Warning: No system startup files found.


Warning no. 4:

[15:06:08] Performing group and account checks
[15:06:08] Info: Starting test name 'group_accounts'
[15:06:08]   Checking for passwd file                        [ Found ]
[15:06:08] Info: Found password file: /etc/passwd
[15:06:08]   Checking for root equivalent (UID 0) accounts   [ None found ]
[15:06:08]   Checking for passwordless accounts              [ Warning ]
[15:06:08] Warning: No shadow/password file found.
[15:06:08] Info: Starting test name 'passwd_changes'
[15:06:08]   Checking for passwd file changes                [ None found ]
[15:06:09] Info: Starting test name 'group_changes'
[15:06:09]   Checking for group file changes                 [ None found ]
[15:06:09]   Checking root account shell history files       [ None found ]


Several warnings, no. 5:

[15:06:09] Performing system configuration file checks
[15:06:09] Info: Starting test name 'system_configs'
[15:06:09]   Checking for SSH configuration file             [ Found ]
[15:06:09] Info: Found SSH configuration file: /etc/sshd_config
[15:06:09] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[15:06:09] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[15:06:09]   Checking if SSH root access is allowed          [ Warning ]
[15:06:09] Warning: The SSH configuration option 'PermitRootLogin' has not been 
set.
           The default value may be 'yes', to allow root access.
[15:06:09]   Checking if SSH protocol v1 is allowed          [ Not allowed ]
[15:06:09]   Checking for running syslog daemon              [ Found ]
[15:06:10]   Checking for syslog configuration file          [ Found ]
[15:06:10] Info: Found syslog configuration file: /etc/syslog.conf
[15:06:10]   Checking if syslog remote logging is allowed    [ Warning ]
[15:06:10] Warning: Syslog configuration file allows remote logging: install.*  
                                        @127.0.0.1:32376


Several warnings, no. 6:

[15:06:32] Checking application versions...
[15:06:32] Info: Starting test name 'apps'
[15:06:34] Info: Application 'exim' not found.
[15:06:34]   Checking version of GnuPG                       [ Warning ]
[15:06:34] Warning: Application 'gpg', version '1.4.8', is out of date, and 
possibly a security risk.
[15:06:34]   Checking version of Apache                      [ OK ]
[15:06:34] Info: Application 'httpd' version '2.2.14' found.
[15:06:35]   Checking version of Bind DNS                    [ Warning ]
[15:06:35] Warning: Application 'named', version '9.4.3-P3', is out of date, 
and possibly a security risk.
[15:06:35]   Checking version of OpenSSL                     [ Warning ]
[15:06:35] Warning: Application 'openssl', version '0.9.7l', is out of date, 
and possibly a security risk.
[15:06:35]   Checking version of PHP                         [ OK ]
[15:06:35] Info: Application 'php' version '5.2.12' found.
[15:06:35]   Checking version of Procmail MTA                [ OK ]
[15:06:35] Info: Application 'procmail' version '3.22' found.
[15:06:35] Info: Application 'proftpd' not found.
[15:06:35]   Checking version of OpenSSH                     [ Warning ]
[15:06:35] Warning: Application 'sshd', version '5.2p1', is out of date, and 
possibly a security risk.
[15:06:35] Info: Applications checked: 7 out of 9


At the beginning of the test, there was a warning for every file it checked; it 
started like this:

[14:49:55] Performing file properties checks
[14:49:55] Info: Starting test name 'properties'
[14:49:56] Info: Skipping all immutable-bit checks. This check is only 
available for Linux systems.
[14:49:56] Checking for prerequisites                        [ OK ]
[14:49:56] /bin/bash                                         [ Warning ]
[14:49:56] Warning: No hash value found for file '/bin/bash' in the 
rkhunter.dat file.
[14:49:56] Warning: Unable to obtain current properties for file '/bin/bash'
[14:49:57] Warning: Unable to obtain current write permission for file 
'/bin/bash'
...


After running rkhunter-1.3.6 I consulted the readme, the FAQ and the CERT 
Intruder Detection Checklist. However, none of them was helpful in finding 
irregularities or suspicious files/behaviour, but to put it plainly, I would 
probably not have noticed.


I also googled the Dica-Kit rootkit; the Sophos website 
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdicakit.html 
contains the following information:

"Troj/Dica-Kit is a rootkit for the Linux operating system. ... The rootkit 
replaces several system binaries such as netstat, tcpd, ls, ps, pstree, top, 
read, write and ifconfig with its own versions that hide the files, processes 
and network connections of the Trojan. ...

The modified binaries use the hidden configuration files /dev/xdta, /lib/.so, 
/lib/.sso, and files under /dev/ptyxx."

=> I cannot find any of the directories or files mentioned above on my system, 
possibly because Mac OSX does not have those(?)


"Troj/Dica-Kit also usually replaces the configuration and key files for sshd 
below /etc/ and starts the sshd daemon to allow backdoor access to an infected 
machine. The Trojan also starts an IRC server."

=> how can I see if the configuration and key files have been replaced? Or if 
the sshd daemon has been started, or an IRC server, for that matter?


"The standard installation directory for Troj/Dica-Kit is /var/run/...dica."

=> could not find this directory


"To be started automatically when Linux boots up Troj/Dica-Kit adds an entry to 
/etc/rc.d/rc.sysinit."

=> could not find the directory /etc/rc.d/ or the file. However, in the /etc 
directory there are the files rc.common and rc.netboot


"If the directory /home/httpd/cgi-bin exists the Trojan drops the files 
linux.cgi, psid and void.cgi there."

=> could not find this directory.


"To further hide its presence Troj/Dica-Kit cleans the system log files."
=> ?



My foremost aim is to find out if this is a false positive and, if not, to 
eliminate the rootkit from my system.

I would be very grateful for any help you can offer. Again, please excuse my lack 
of expertise. Thank you!

Best regards,

Michael




_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
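An added example, not from Michael's post and not rkhunter's own code: a small POSIX shell script that re-creates three of the checks behind the warnings quoted above (the PermitRootLogin test, the remote-syslog test, and the hash baseline that --propupd builds) so each result can be inspected by hand on constructed sample files. It assumes either sha256sum or shasum(1) is on PATH; the demo() helper and its sample inputs are made up for illustration.

```shell
#!/bin/sh
# Re-creation of three rkhunter checks, written for this example; assumes
# sha256sum (Linux) or shasum (macOS) exists. Not rkhunter's own code.

# Effective top-level PermitRootLogin value. Only an uncommented directive
# counts (sshd uses the first one), which is why rkhunter warns when the
# line exists but is commented out: the compiled-in default then applies.
permit_root_login() {
    v=$(awk 'tolower($1)=="permitrootlogin" {print $2}' "$1" | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Remote syslog destinations: uncommented selector lines whose action
# starts with '@' (the install.* -> @127.0.0.1:32376 case in the log above).
syslog_remote_targets() {
    awk '$1 !~ /^#/ && $2 ~ /^@/ {print $1 " -> " $2}' "$1"
}

# Hash baseline and verifier: the idea behind rkhunter --propupd. A file
# listed in the baseline that now hashes differently is reported CHANGED.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
baseline() {          # baseline OUTFILE FILE...
    out=$1; shift; : > "$out"
    for f in "$@"; do printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"; done
}
verify_baseline() {   # verify_baseline BASEFILE; exit 1 if anything differs
    rc=0
    while read -r h f; do
        if [ ! -e "$f" ]; then printf 'MISSING %s\n' "$f"; rc=1
        elif [ "$(hash_file "$f")" != "$h" ]; then printf 'CHANGED %s\n' "$f"; rc=1; fi
    done < "$1"
    return $rc
}

# Constructed sample inputs (hypothetical, not copied from any real system).
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/rkdemo.XXXXXX")
    printf '#PermitRootLogin yes\nProtocol 2\n' > "$d/sshd_config"
    printf '*.notice\t/var/log/system.log\ninstall.*\t@127.0.0.1:32376\n' > "$d/syslog.conf"
    permit_root_login "$d/sshd_config"        # prints: unset
    syslog_remote_targets "$d/syslog.conf"    # prints: install.* -> @127.0.0.1:32376
    baseline "$d/base" "$d/sshd_config"
    echo 'PermitRootLogin no' >> "$d/sshd_config"
    verify_baseline "$d/base" || echo "baseline mismatch detected"
    rm -rf "$d"
}
demo
```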
