Hello, Michael,

You wrote on 07.05.10:


> Today I ran the rkhunter-1.3.6, first with the --propupd, and got:
> sudo rkhunter --propupd
> [ Rootkit Hunter version 1.3.6 ]
> File updated: searched for 156 files, found 83, missing hashes 83

=>> Are the missing hashes a problem for the check?

No problem. (perhaps ...)

> When running the check, it found the "Dica-Kit Rootkit", here is an
> excerpt of the log file:

> [15:01:32] Checking for Dica-Kit Rootkit...

> [15:01:33] Checking for file '/etc/sshd_config'        [ Found ]

[...]

> [15:01:34] Warning: Dica-Kit Rootkit                   [ Warning ]
> [15:01:34]    File '/etc/sshd_config' found

> I then checked the file '/etc/sshd_config' but did not know what to
> look for.

I don't know how OS-X is organized; under Linux the file "sshd_config"
should be in the directory "/etc/ssh".


> Then the test continued and there was warning no 2:

> [15:02:38]   Performing check for possible rootkit strings
> [15:02:38] Info: Starting test name 'possible_rkt_strings'
> [15:02:38] Info: Using system startup paths: /etc/rc.d /etc/rc.local
> /usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start
> /etc/init.d /etc/inittab
> [15:02:38] Warning: Checking for possible rootkit strings [ Warning ]
> [15:02:39]          No system startup files found.

Maybe these warnings show up because "rkhunter" doesn't know that it
runs on a Mac.

> [14:49:56] /bin/bash                               [ Warning ]
>
> [14:49:56] Warning: No hash value found for file '/bin/bash' in the
> rkhunter.dat file.

Hmmm - what about "missing hashes" ...?

> I also googled the Dica-Kit rootkit, the Sophos website
> http://www.sophos.com/security/analyses/viruses-and-spyware/trojdicak
> it.html contains the following information:

> "Troj/Dica-Kit is a rootkit for the Linux operating system. ... The
> rootkit replaces several system binaries such as netstat, tcpd, ls,
> ps, pstree, top, read, write and ifconfig with its own versions that
> hide the files, processes and network connections of the Trojan. ...

Maybe it's a warning only because you haven't told rkhunter that it runs
on a Mac.

But it's (as far as I can guess) not impossible that your system is
corrupted by a virus; "--propupd" doesn't remove viruses etc., it makes
hashes of some existing files and believes they are clean (only if the
hash value changes some time later does rkhunter warn you).

Best regards!
Helmut
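To make the point about "--propupd" concrete, here is a small added example (not rkhunter's own code, and not part of this thread) that mimics what a properties-baseline does: it records hashes of whatever files exist at baseline time, leaves a "missing hash" entry for files it cannot find, and on a later check only reports files whose hash has changed since the baseline. The file list, temporary directory and file contents are constructed for the demonstration; the point it illustrates is that a baseline taken after a file was already modified will report that file as "ok".

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Analogue of --propupd: trust whatever is on disk right now.

    Files that do not exist get no hash at all (the 'missing hashes'
    counted in the --propupd summary), not an error.
    """
    baseline = {}
    for p in paths:
        baseline[p] = hash_file(p) if os.path.isfile(p) else None
    return baseline


def check_against_baseline(baseline):
    """Analogue of the later check: compare current disk state to the
    stored baseline and return a status per path."""
    results = {}
    for p, recorded in baseline.items():
        if recorded is None:
            results[p] = "no hash value in baseline"
        elif not os.path.isfile(p):
            results[p] = "file missing"
        elif hash_file(p) != recorded:
            results[p] = "hash changed"
        else:
            results[p] = "ok"
    return results


def demo(tamper_before_baseline=False):
    """Constructed scenario: two sample 'binaries' plus one path that never
    existed. Returns statuses keyed by file name.

    With tamper_before_baseline=True the modification happens before the
    baseline is taken, so the check reports 'ok' for the tampered file:
    a baseline can only detect changes made after it was recorded.
    """
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ls")
        tampered = os.path.join(d, "netstat")
        absent = os.path.join(d, "never_existed")  # constructed: no such file
        with open(good, "wb") as f:
            f.write(b"#!/bin/sh\necho ls\n")
        with open(tampered, "wb") as f:
            f.write(b"#!/bin/sh\necho netstat\n")

        def tamper():
            with open(tampered, "ab") as f:
                f.write(b"echo extra\n")  # constructed change to the file

        if tamper_before_baseline:
            tamper()
        baseline = build_baseline([good, tampered, absent])
        if not tamper_before_baseline:
            tamper()
        results = check_against_baseline(baseline)
        return {os.path.basename(p): s for p, s in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15s} {status}")
    print("baseline taken after tampering:", demo(tamper_before_baseline=True)["netstat"])
```

Running it shows "ls ok", "netstat hash changed" and "never_existed no hash value in baseline" for the normal case, and "ok" for netstat when the baseline was taken after the change, which is exactly why a fresh --propupd on a machine you already suspect proves nothing about its cleanliness.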

------------------------------------------------------------------------------

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users