Think I sent this to the wrong place
On 10/31/10 8:41 AM, "[email protected]" <[email protected]> wrote:
> We're close to releasing a new Rootkit Hunter version. But before
> we can we need you to test it in the coming two weeks. Please spare
> us a few minutes if you care. After testing please reply so we get
> an idea of how many people tested this release.
>
Haven't noticed any Mac OS X testers report in, so I figured I'd better
spend the day getting you something.
Not totally finished, but wanted to give you an almost complete report of
where I am through steps #1-6, 8 & a bit of 7.
Running Mac OS X 10.5.8 on an iMac G5 (PPC). I know I need to buy an Intel
Mac, just haven't decided which one I want next.
1) Install went without a hitch.
2-4) -C, --update & --versioncheck all went fine.
5) --propupd went well, which is a change from the previous versions where I
had to use STAT_CMD=BUILTIN to get it to do anything. Not sure it picked up
changes as I didn't really have a baseline to compare it to.
6) --enable all completed with the following warnings:
[18:02:33] Performing file properties checks
[18:04:08] /usr/bin/fuser [ Warning ]
[18:04:09] Warning: The command '/usr/bin/fuser' has been replaced by a
script: /usr/bin/fuser: perl script text executable
[18:05:33] /usr/bin/whatis [ Warning ]
[18:05:34] Warning: The command '/usr/bin/whatis' has been replaced by a
script: /usr/bin/whatis: Bourne shell script text executable
[18:08:07] /sbin/nologin [ Warning ]
[18:08:08] Warning: The command '/sbin/nologin' has been replaced by a
script: /sbin/nologin: Bourne shell script text executable
[18:10:05] Checking for rootkits...
[18:10:05] Performing check of known rootkit files and directories
[18:11:46] Checking for Dica-Kit Rootkit...
[18:11:56] Checking for file '/etc/sshd_config' [ Found ]
[18:12:01] Warning: Dica-Kit Rootkit [ Warning ]
[18:12:02] File '/etc/sshd_config' found
[18:22:44] Performing check for possible rootkit strings
[18:22:44] Info: Using system startup paths: /etc/rc.d /etc/rc.local
/usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start
/etc/init.d /etc/inittab
[18:22:44] Warning: Checking for possible rootkit strings [ Warning ]
[18:22:45] No system startup files found.
[18:22:47] Info: Starting test name 'running_procs'
[18:25:42] Checking running processes for suspicious files [ Warning ]
[18:25:43] Warning: The following processes are using suspicious files:
[18:25:44] Command: launchd
[18:25:45] UID: 0 PID: 1
[18:25:46] Pathname: /private/etc/crontab
[18:25:47] Possible Rootkit: Unknown rootkit
[19:03:35] Info: Starting test name 'startup_malware'
[19:03:35] Checking for system startup files [ Warning ]
[19:03:36] Warning: No system startup files found.
[19:03:47] Checking if SSH root access is allowed [ Warning ]
[19:03:48] Warning: The SSH configuration option 'PermitRootLogin' has not
been set.
The default value may be 'yes', to allow root access.
[19:03:56] Checking for hidden files and directories [ Warning ]
[19:03:57] Warning: Hidden file found: /etc/.DS_Store: JVT NAL sequence
[19:03:57] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz:
gzip compressed data, was ".rhosts.5", from Unix, last modified: Tue Sep 9
12:50:09 2008
[19:04:18] Checking application versions...
[19:04:26] Checking version of Bind DNS [ Warning ]
[19:04:27] Warning: Application 'named', version '9.4.3-P3', is out of date,
and possibly a security risk.
[19:04:29] Checking version of OpenSSL [ Warning ]
[19:04:30] Warning: Application 'openssl', version '0.9.7l', is out of date,
and possibly a security risk.
[19:04:35] Checking version of OpenSSH [ Warning ]
[19:04:36] Warning: Application 'sshd', version '5.2p1', is out of date, and
possibly a security risk.
And noted the following skipped:
[18:00:31] Info: All ksyms and kallsyms checks will be skipped - neither
file is present on the system.
[18:02:31] Checking LD_LIBRARY_PATH variable [ Skipped ]
[18:02:32] Info: Unable to find the 'ldd' command
[18:13:07] Checking for kernel symbol 'heroin' [ Skipped ]
[18:13:08] Heroin LKM [ Not found ]
[18:14:02] Checking for IntoXonia-NG Rootkit...
[18:14:02] Checking for kernel symbol 'funces' [ Skipped ]
[18:14:03] Checking for kernel symbol 'ixinit' [ Skipped ]
[18:14:04] Checking for kernel symbol 'tricks' [ Skipped ]
[18:14:05] Checking for kernel symbol 'kernel_unlink' [ Skipped ]
[18:14:06] Checking for kernel symbol 'rootme' [ Skipped ]
[18:14:06] Checking for kernel symbol 'hide_module' [ Skipped ]
[18:14:07] Checking for kernel symbol 'find_sys_call_tbl' [ Skipped ]
[18:14:08] IntoXonia-NG Rootkit [ Not found ]
[18:16:03] Checking for Sebek LKM...
[18:16:03] Checking for kernel symbol 'adore or sebek' [ Skipped ]
[18:16:04] Sebek LKM [ Not found ]
[18:20:16] Checking for Vampire Rootkit...
[18:20:16] Checking for kernel symbol 'new_getdents' [ Skipped ]
[18:20:17] Checking for kernel symbol 'old_getdents' [ Skipped ]
[18:20:18] Checking for kernel symbol 'should_hide_file_name' [ Skipped ]
[18:20:18] Checking for kernel symbol 'should_hide_task_name' [ Skipped ]
[18:20:19] Vampire Rootkit [ Not found ]
[18:25:56] Checking for software intrusions [ Skipped ]
[18:25:57] Info: Check skipped - tripwire not installed
[18:26:02] Performing trojan specific checks
[18:26:02] Checking for enabled inetd services [ Skipped ]
[18:26:03] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[18:26:04] Checking for enabled xinetd services [ Skipped ]
[18:26:04] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[18:26:05] Info: Apache backdoor check skipped: Apache modules and
configuration directories not found.
[18:26:05] Info: Starting test name 'os_specific'
[18:26:06] Performing Darwin specific checks [ Skipped ]
[18:26:06] Info: No specific tests available
[19:03:29] Checking for hidden ports [ Skipped ]
[19:03:29] Info: Unable to find the 'unhide-tcp' command
Most of the warnings and skips I recognize from previous versions, but I
will have to give them some additional analysis.
7) I forgot to remove rkhunter.conf.local the first time I tried everything,
so I do know that whitelisting worked for the 'sshd_config' file found
above. If I get time I'll try some other items. You've fixed a couple of
things that I previously worked around with rkhunter.conf.local so I'll need
to re-edit it.
8) -c --sk ran with seemingly identical results.
9) You previously told us that RKH does not support any package manager for
OSX, so I'm guessing I can ignore this one.
I've got some thoughts, but I'll save them for a separate email and if I run
into any further issues I'll be back.
-Al-
--
Al Varnell
Mountain View, CA
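Added example, not part of Al's report and not rkhunter's own code: the following POSIX shell script reimplements the logic behind three of the warnings quoted above (PermitRootLogin "has not been set", a command "replaced by a script", and "hidden file found") as small functions, run over constructed sample files in a temporary directory so the verdicts can be inspected and tested offline. The sample file names, the `$tmp` directory and the warning wording are illustrative assumptions; only the checks themselves follow what rkhunter reported.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: three of the checks behind the warnings
# in the report above, rewritten as small shell functions over constructed inputs.

# 1) SSH root access: print the effective PermitRootLogin value from an sshd_config.
#    As in sshd, the first non-comment occurrence wins; a commented-out line such as
#    "#PermitRootLogin yes" does not count, which is the "has not been set" case
#    rkhunter warned about. Prints "unset" when the directive is absent.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Return 0 only when root login is explicitly disabled; otherwise print a warning
# and return 1. An unset directive is flagged because the compiled-in default may
# be "yes". Values such as without-password are deliberately still flagged here;
# narrow the case statement if your policy allows key-only root.
check_root_login() {
    value=$(permit_root_login "$1")
    case "$value" in
        no)    return 0 ;;
        unset) echo "Warning: PermitRootLogin not set in $1 (default may be yes)"; return 1 ;;
        *)     echo "Warning: PermitRootLogin is '$value' in $1"; return 1 ;;
    esac
}

# 2) Command replaced by a script: a system command whose first two bytes are "#!"
#    is an interpreter script rather than a compiled program (rkhunter reaches the
#    same verdict through file(1)). Returns 0 when the path is a script.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# 3) Hidden files: list entries under $1 whose name starts with a dot, one per line.
list_hidden() {
    find "$1" -mindepth 1 -name '.*' | sort
}

# Constructed sample inputs (not taken from any real system).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.unset" <<'EOF'
# directive present only as a comment, so it is not set
#PermitRootLogin yes
Port 22
EOF
cat > "$tmp/sshd_config.no" <<'EOF'
Port 22
    PermitRootLogin no
PermitRootLogin yes
EOF
printf '#!/usr/bin/perl\nprint "fuser\\n";\n' > "$tmp/fuser"
printf '\177ELF\002\001\001' > "$tmp/ls"
mkdir -p "$tmp/etc"
: > "$tmp/etc/hosts"
: > "$tmp/etc/.DS_Store"

# Run the checks the way a scanner would report them.
check_root_login "$tmp/sshd_config.unset" || :
check_root_login "$tmp/sshd_config.no" && echo "OK: root login disabled in sshd_config.no"
is_script "$tmp/fuser" && echo "Warning: $tmp/fuser has been replaced by a script"
is_script "$tmp/ls" || echo "OK: $tmp/ls is not a script"
list_hidden "$tmp/etc" | sed 's/^/Warning: hidden file found: /'
```

Once a finding like these has been reviewed and judged benign on a given host, rkhunter itself is told so in rkhunter.conf.local rather than by editing the checks: SCRIPTWHITELIST for a command that is legitimately a script (the Mac OS X fuser and whatis cases above), RTKT_FILE_WHITELIST for a file that merely shares a name with a rootkit signature (the /etc/sshd_config hit under Dica-Kit), and ALLOWHIDDENFILE for an expected dot file such as /etc/.DS_Store. Whitelisting a real PermitRootLogin gap is not the right fix; set the directive explicitly to no instead.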
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users