On Wed, 2011-06-15 at 15:51 +0900, TAKINO Shunta wrote:
> Hi, All,
>
> To enforce security on my server (Solaris10 sparc), I installed and ran your
> rkhunter. Actually it detected Solaris rootkit "NSDAP"
>
> Warning: SunOS / NSDAP Rootkit [ Warning ]
> File '/usr/bin/mc68000' found
> File '/usr/bin/mc68010' found
> File '/usr/bin/mc68020' found
> File '/usr/bin/m68k' found
> File '/usr/bin/sun2' found
> File '/usr/bin/mc68030' found
> File '/usr/bin/mc68040' found
> File '/usr/bin/sun3' found
> File '/usr/bin/sun3x' found
> File '/usr/bin/u370' found
>
> I checked the same directory on another Solaris10 server and there are the
> same files on that. I tried to find out what these are doing, but I could not
> find any clues.
>
> Is this bundled with Solaris 10 OS originally?
> Does Sun Microsystems create those files for any reason?
>
> Please let me know if I can ignore or not.
> If those are malicious, how should I protect? (Initialize disk and
> re-install?)

Hello,
I have the same files on my Solaris 10 systems; they are part of the core Solaris O/S. You can whitelist them from the rootkit check, but I also then include them as specific files to be monitored just to be safe. I added the following to my /etc/rkhunter.conf.local file:

RTKT_FILE_WHITELIST="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370"
USER_FILEPROP_FILES_DIRS="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370"

Then run 'rkhunter --propupd'.

John.

-- 
John Horne                                   Tel: +44 (0)1752 587287
University of Plymouth, UK                   Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
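As an added example (not code from John's reply, from the original poster, or from rkhunter itself): finding the same files on a second host is weak evidence, since a compromise could have been replicated; a stronger check before whitelisting a rootkit-signature hit is to ask the OS package database whether it claims each path. The POSIX sh script below does that triage for the ten paths from the thread and only then emits the two rkhunter.conf.local lines John gives. It assumes Solaris 10's package contents file at /var/sadm/install/contents (overridable through PKG_CONTENTS for testing elsewhere) with lines laid out as "<path>[=<target>] <ftype> ... <package>"; the function names and the "--run" switch are my own, not rkhunter options.

```shell
#!/bin/sh
# Added example for this thread, not rkhunter's or the poster's code.
# Triage files flagged by a rootkit signature against the Solaris package
# database before whitelisting them, then print the rkhunter.conf.local lines.
# Assumption: the contents file lives at /var/sadm/install/contents and each
# line reads "<path>[=<target>] <ftype> ... <package>" (last field = package).

PKG_CONTENTS="${PKG_CONTENTS:-/var/sadm/install/contents}"

# The ten paths from the thread, as the list to triage.
FLAGGED="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030
/usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x
/usr/bin/u370"

# owning_pkg PATH: print the package that records PATH; exit 1 if none does.
owning_pkg() {
    [ -r "$PKG_CONTENTS" ] || return 1
    # Compare the whole first field; links are recorded as "path=target".
    awk -v p="$1" '{ split($1, a, "="); if (a[1] == p) { print $NF; found = 1 } }
                   END { exit !found }' "$PKG_CONTENTS"
}

# triage PATH...: one line per path:
#   "owned <path> <pkg>"  the package database claims it
#   "unowned <path>"      present on disk but unknown to any package: investigate
#   "missing <path>"      not on this host at all
triage() {
    for f in "$@"; do
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "missing $f"
        elif pkg=$(owning_pkg "$f"); then
            echo "owned $f $pkg"
        else
            echo "unowned $f"
        fi
    done
}

# unowned_count PATH...: how many paths are on disk yet unclaimed by a package.
unowned_count() {
    triage "$@" | grep -c '^unowned ' || true
}

# conf_lines PATH...: the two settings from John's reply, built from the list.
conf_lines() {
    echo "RTKT_FILE_WHITELIST=\"$*\""
    echo "USER_FILEPROP_FILES_DIRS=\"$*\""
}

# On the host: "sh triage.sh --run" refuses to whitelist while anything is
# unowned, and runs --propupd only after the whitelist is appended, so the
# property baseline is taken from files already confirmed as OS-owned.
if [ "${1:-}" = "--run" ]; then
    # shellcheck disable=SC2086
    triage $FLAGGED
    if [ "$(unowned_count $FLAGGED)" -eq 0 ]; then
        conf_lines $FLAGGED >> /etc/rkhunter.conf.local && rkhunter --propupd
    else
        echo "unowned files present; not whitelisting" >&2
        exit 1
    fi
fi
```

The order matters: `rkhunter --propupd` records whatever the files look like right now as the trusted baseline, so it belongs after ownership has been confirmed, not before. A path reported as "unowned" should be compared against a known-good install (for example by package checksum) rather than added to RTKT_FILE_WHITELIST.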