Hello Michael, on 07.05.10 you wrote:

> Today I ran the rkhunter-1.3.6, first with the --propupd, and got:
> sudo rkhunter --propupd
> [ Rootkit Hunter version 1.3.6 ]
> File updated: searched for 156 files, found 83, missing hashes 83
> => Are the missing hashes a problem for the check?

No problem. (perhaps ...)

> When running the check, it found the "Dica-Kit Rootkit", here is an
> excerpt of the log file:
> [15:01:32] Checking for Dica-Kit Rootkit...
> [15:01:33] Checking for file '/etc/sshd_config' [ Found ]
> [...]
> [15:01:34] Warning: Dica-Kit Rootkit [ Warning ]
> [15:01:34] File '/etc/sshd_config' found
> I then checked the file '/etc/sshd_config' but did not know what to
> look for.

I don't know how OS-X is organized; under Linux the file "sshd_config" should be in the directory "/etc/ssh".

> Then the test continued and there was warning no 2:
> [15:02:38] Performing check for possible rootkit strings
> [15:02:38] Info: Starting test name 'possible_rkt_strings'
> [15:02:38] Info: Using system startup paths: /etc/rc.d /etc/rc.local
> /usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start
> /etc/init.d /etc/inittab
> [15:02:38] Warning: Checking for possible rootkit strings [ Warning ]
> [15:02:39] No system startup files found.

Maybe these warnings show up because "rkhunter" doesn't know that it runs on a Mac.

> [14:49:56] /bin/bash [ Warning ]
>
> [14:49:56] Warning: No hash value found for file '/bin/bash' in the
> rkhunter.dat file.

Hmmm - what about "missing hashes" ...?

> I also googled the Dica-Kit rootkit, the Sophos website
> http://www.sophos.com/security/analyses/viruses-and-spyware/trojdicakit.html
> contains the following information:
> "Troj/Dica-Kit is a rootkit for the Linux operating system. ... The
> rootkit replaces several system binaries such as netstat, tcpd, ls,
> ps, pstree, top, read, write and ifconfig with its own versions that
> hide the files, processes and network connections of the Trojan. ...

Maybe it's a warning only because you haven't told rkhunter that it runs on a Mac. But it's (as far as I can guess) not impossible that your system is corrupted by a virus; "--propupd" doesn't remove viruses etc., it makes hashes of some existing files and believes they are clean (only if the hash value changes some time later does rkhunter warn you).

Best regards!
Helmut

------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
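The reply above describes what "--propupd" and the later file-properties check do: the baseline records hashes of the files present at that moment and trusts them, a file absent at baseline time has no hash ("missing hashes"), and a later run warns when a hash differs or is missing. The following POSIX shell script is an added illustration of that mechanism, not rkhunter's own code; the file list, the "binaries" and the scratch directory are constructed in a temporary directory, and the baseline format (path and hash per line) is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): a minimal model of what
# "--propupd" and the file-properties check do. All file names below are
# constructed in a temporary directory; nothing on the real system is read.

# Portable SHA-256 of one file (sha256sum on Linux, shasum on macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# "--propupd": store a hash for every listed file that exists right now.
# Whatever state the file is in gets trusted, which is the caveat in the
# reply above. Files not present yet get no entry ("missing hashes").
# $1 = list of paths (one per line, no spaces), $2 = baseline file
make_baseline() {
    : > "$2"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$f" "$(hash_file "$f")" >> "$2"
    done < "$1"
}

# The later check: compare each listed file with the baseline. Findings go
# to stderr; the number of findings is printed to stdout (0 = clean).
# $1 = list of paths, $2 = baseline file
check_baseline() {
    findings=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        stored=$(awk -v p="$f" '$1 == p { print $2 }' "$2")
        if [ -z "$stored" ]; then
            printf 'Warning: No hash value found for file %s in the baseline\n' "$f" >&2
            findings=$((findings + 1))
        elif [ "$stored" != "$(hash_file "$f")" ]; then
            printf 'Warning: hash of %s differs from the baseline\n' "$f" >&2
            findings=$((findings + 1))
        fi
    done < "$1"
    printf '%s\n' "$findings"
}

# Constructed scenario: two "binaries" exist, a third does not exist yet.
# Prints the scratch directory so callers can use it.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    printf '%s\n' "$d/bin/ls" "$d/bin/ps" "$d/bin/netstat" > "$d/filelist"
    printf '%s\n' "$d"
}

# Walk through the scenario: baseline, clean check, then a replaced ps and a
# newly appeared netstat, the two situations behind the warnings in the log.
demo() {
    d=$(demo_setup)
    make_baseline "$d/filelist" "$d/rkhunter.dat"
    echo "clean run: $(check_baseline "$d/filelist" "$d/rkhunter.dat") finding(s)"
    printf 'replaced ps\n' > "$d/bin/ps"
    printf 'new netstat\n' > "$d/bin/netstat"
    echo "after changes: $(check_baseline "$d/filelist" "$d/rkhunter.dat") finding(s)"
    rm -rf "$d"
}

demo
```

The point the script makes is the one in the reply: a baseline taken with "--propupd" on an already compromised system records the replaced binaries as the trusted state, so the check stays silent until they change again. Baselines are therefore best taken on a freshly installed system or compared against vendor package hashes, and a "no hash value found" warning is only a gap in the baseline, not evidence either way.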