Think I sent this to the wrong place.

On 10/31/10 8:41 AM, "unsp...@hushmail.com" <unsp...@hushmail.com> wrote:
> We're close to releasing a new Rootkit Hunter version. But before
> we can we need you to test it in the coming two weeks. Please spare
> us a few minutes if you care. After testing please reply so we get
> an idea of how many people tested this release.
>

Haven't noticed any Mac OS X testers report in, so I figured I'd better spend the day getting you something. Not totally finished, but wanted to give you an almost complete report of where I am through steps #1-6, 8 & a bit of 7.

Running Mac OS X 10.5.8 on an iMac G5 (PPC). I know I need to buy an Intel Mac, just haven't decided which one I want next.

1) Install went without a hitch.

2-4) -C, --update & --versioncheck all went fine.

5) --propupd went well, which is a change from the previous versions where I had to use STAT_CMD=BUILTIN to get it to do anything. Not sure it picked up changes as I didn't really have a baseline to compare it to.

6) --enable all completed with the following warnings:

[18:02:33] Performing file properties checks
[18:04:08] /usr/bin/fuser [ Warning ]
[18:04:09] Warning: The command '/usr/bin/fuser' has been replaced by a script: /usr/bin/fuser: perl script text executable
[18:05:33] /usr/bin/whatis [ Warning ]
[18:05:34] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:08:07] /sbin/nologin [ Warning ]
[18:08:08] Warning: The command '/sbin/nologin' has been replaced by a script: /sbin/nologin: Bourne shell script text executable
[18:10:05] Checking for rootkits...
[18:10:05] Performing check of known rootkit files and directories
[18:11:46] Checking for Dica-Kit Rootkit...
[18:11:56] Checking for file '/etc/sshd_config' [ Found ]
[18:12:01] Warning: Dica-Kit Rootkit [ Warning ]
[18:12:02] File '/etc/sshd_config' found
[18:22:44] Performing check for possible rootkit strings
[18:22:44] Info: Using system startup paths: /etc/rc.d /etc/rc.local /usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start /etc/init.d /etc/inittab
[18:22:44] Warning: Checking for possible rootkit strings [ Warning ]
[18:22:45] No system startup files found.
[18:22:47] Info: Starting test name 'running_procs'
[18:25:42] Checking running processes for suspicious files [ Warning ]
[18:25:43] Warning: The following processes are using suspicious files:
[18:25:44] Command: launchd
[18:25:45] UID: 0 PID: 1
[18:25:46] Pathname: /private/etc/crontab
[18:25:47] Possible Rootkit: Unknown rootkit
[19:03:35] Info: Starting test name 'startup_malware'
[19:03:35] Checking for system startup files [ Warning ]
[19:03:36] Warning: No system startup files found.
[19:03:47] Checking if SSH root access is allowed [ Warning ]
[19:03:48] Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.
[19:03:56] Checking for hidden files and directories [ Warning ]
[19:03:57] Warning: Hidden file found: /etc/.DS_Store: JVT NAL sequence
[19:03:57] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: Tue Sep 9 12:50:09 2008
[19:04:18] Checking application versions...
[19:04:26] Checking version of Bind DNS [ Warning ]
[19:04:27] Warning: Application 'named', version '9.4.3-P3', is out of date, and possibly a security risk.
[19:04:29] Checking version of OpenSSL [ Warning ]
[19:04:30] Warning: Application 'openssl', version '0.9.7l', is out of date, and possibly a security risk.
[19:04:35] Checking version of OpenSSH [ Warning ]
[19:04:36] Warning: Application 'sshd', version '5.2p1', is out of date, and possibly a security risk.
And noted the following skipped:

[18:00:31] Info: All ksyms and kallsyms checks will be skipped - neither file is present on the system.
[18:02:31] Checking LD_LIBRARY_PATH variable [ Skipped ]
[18:02:32] Info: Unable to find the 'ldd' command
[18:13:07] Checking for kernel symbol 'heroin' [ Skipped ]
[18:13:08] Heroin LKM [ Not found ]
[18:14:02] Checking for IntoXonia-NG Rootkit...
[18:14:02] Checking for kernel symbol 'funces' [ Skipped ]
[18:14:03] Checking for kernel symbol 'ixinit' [ Skipped ]
[18:14:04] Checking for kernel symbol 'tricks' [ Skipped ]
[18:14:05] Checking for kernel symbol 'kernel_unlink' [ Skipped ]
[18:14:06] Checking for kernel symbol 'rootme' [ Skipped ]
[18:14:06] Checking for kernel symbol 'hide_module' [ Skipped ]
[18:14:07] Checking for kernel symbol 'find_sys_call_tbl' [ Skipped ]
[18:14:08] IntoXonia-NG Rootkit [ Not found ]
[18:16:03] Checking for Sebek LKM...
[18:16:03] Checking for kernel symbol 'adore or sebek' [ Skipped ]
[18:16:04] Sebek LKM [ Not found ]
[18:20:16] Checking for Vampire Rootkit...
[18:20:16] Checking for kernel symbol 'new_getdents' [ Skipped ]
[18:20:17] Checking for kernel symbol 'old_getdents' [ Skipped ]
[18:20:18] Checking for kernel symbol 'should_hide_file_name' [ Skipped ]
[18:20:18] Checking for kernel symbol 'should_hide_task_name' [ Skipped ]
[18:20:19] Vampire Rootkit [ Not found ]
[18:25:56] Checking for software intrusions [ Skipped ]
[18:25:57] Info: Check skipped - tripwire not installed
[18:26:02] Performing trojan specific checks
[18:26:02] Checking for enabled inetd services [ Skipped ]
[18:26:03] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[18:26:04] Checking for enabled xinetd services [ Skipped ]
[18:26:04] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[18:26:05] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[18:26:05] Info: Starting test name 'os_specific'
[18:26:06] Performing Darwin specific checks [ Skipped ]
[18:26:06] Info: No specific tests available
[19:03:29] Checking for hidden ports [ Skipped ]
[19:03:29] Info: Unable to find the 'unhide-tcp' command

Most of the warnings and skips I recognize from previous versions, but I will have to give them some additional analysis.

7) I forgot to remove rkhunter.conf.local the first time I tried everything, so I do know that whitelisting worked for the 'sshd_config' file found above. If I get time I'll try some other items. You've fixed a couple of things that I previously worked around with rkhunter.conf.local so I'll need to re-edit it.

8) -c --sk ran with seemingly identical results.

9) You previously told us that RKH does not support any package manager for OSX, so I'm guessing I can ignore this one.

I've got some thoughts, but I'll save them for a separate email and if I run into any further issues I'll be back.

-Al-
-- 
Al Varnell
Mountain View, CA

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
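Added example, not part of Al's report or of the rkhunter project: a small Python triage script that groups rkhunter log lines of the shape quoted above into findings and lists the absolute paths each warning names, so the items flagged for "additional analysis" can be verified one by one before anything is whitelisted in rkhunter.conf.local. The sample log is constructed from lines in the report; the regexes are my own assumptions about the log layout, not rkhunter code.

```python
import re
from collections import Counter

# Constructed sample in the shape of the rkhunter.log lines quoted in the report above.
SAMPLE_LOG = """\
[18:05:33] /usr/bin/whatis [ Warning ]
[18:05:34] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:12:01] Warning: Dica-Kit Rootkit [ Warning ]
[18:12:02] File '/etc/sshd_config' found
[18:25:42] Checking running processes for suspicious files [ Warning ]
[18:25:46] Pathname: /private/etc/crontab
[19:03:47] Checking if SSH root access is allowed [ Warning ]
[19:03:48] Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.
[19:03:56] Checking for hidden files and directories [ Warning ]
[19:03:57] Warning: Hidden file found: /etc/.DS_Store: JVT NAL sequence
[19:03:29] Checking for hidden ports [ Skipped ]
[19:03:29] Info: Unable to find the 'unhide-tcp' command
"""

# Assumed layout: "[HH:MM:SS] <optional Warning:/Info: prefix> <text> <optional [ Status ]>"
LINE_RE = re.compile(
    r"^\[(\d\d:\d\d:\d\d)\] (?:(Warning|Info): )?(.*?)(?: \[ ([A-Za-z ]+) \])?$")
PATH_RE = re.compile(r"(?<![\w/])/[\w./-]+")  # absolute paths inside a detail line

def parse_rkhunter_log(text):
    """A line ending in '[ Status ]' opens a finding; the explanation lines that
    follow it (until the next status line) become its details as (prefix, text)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, prefix, body, status = m.groups()
        if status is not None:
            findings.append({"time": time, "check": body, "status": status, "details": []})
        elif findings:
            findings[-1]["details"].append((prefix, body))
    return findings

def summarize(findings):
    """Count findings per status, e.g. {'Warning': 5, 'Skipped': 1}."""
    return dict(Counter(f["status"] for f in findings))

def warning_paths(findings):
    """Map each Warning check to the absolute paths its details mention."""
    out = {}
    for f in findings:
        if f["status"] == "Warning":
            paths = {p for _, body in f["details"] for p in PATH_RE.findall(body)}
            out[f["check"]] = sorted(paths)
    return out
```

Run it over a real /var/log/rkhunter.log to get the same grouping; a check whose path list is empty (such as the PermitRootLogin one) needs a configuration review rather than a file whitelist.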