On Wed, 2011-06-15 at 15:51 +0900, TAKINO Shunta wrote:
> Hi, All,
> 
> To enforce security on my server (Solaris10 sparc), I installed and ran your 
> rkhunter. Actually it detected Solaris rootkit "NSDAP"
> 
> Warning: SunOS / NSDAP Rootkit                    [ Warning ]
>           File '/usr/bin/mc68000' found
>           File '/usr/bin/mc68010' found
>           File '/usr/bin/mc68020' found
>           File '/usr/bin/m68k' found
>           File '/usr/bin/sun2' found
>           File '/usr/bin/mc68030' found
>           File '/usr/bin/mc68040' found
>           File '/usr/bin/sun3' found
>           File '/usr/bin/sun3x' found
>           File '/usr/bin/u370' found
> 
> I checked the same directory on another Solaris10 server and there are the 
> same files on that. I tried to find out what these are doing, but I could not 
> find any clues.
> 
> Is this bundled with Solaris 10 OS originally?
> Does Sun Microsystems create those files for any reason?
> 
> Please let me know if I can ignore or not.
> If those are malicious, how should I protect? (Initialize disk and 
> re-install?)
> 
Hello,

I have the same files on my Solaris 10 systems; they are part of the
core Solaris O/S. You can whitelist them from the rootkit check, but I
also then include them as specific files to be monitored just to be
safe. I added the following to my /etc/rkhunter.conf.local file:

RTKT_FILE_WHITELIST="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370"
USER_FILEPROP_FILES_DIRS="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370"

Then run 'rkhunter --propupd'.



John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
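
Added example (not part of the original messages and not rkhunter's own code): a small sh helper that turns the "File '...' found" lines of a warning like the one quoted above into the two option lines from the reply, each on a single physical line. The function names and the abridged sample input are constructed for illustration, and it assumes the listed files have already been confirmed as part of the OS.

```shell
#!/bin/sh
# Added example; not part of rkhunter. Function names are illustrative.

# Print each path named in a "File '<path>' found" line, once, in input order.
# Leading "> " mail quoting and indentation are tolerated.
flagged_paths() {
    sed -n "s/^[> ]*File '\(\/[^']*\)' found[ ]*\$/\1/p" | awk '!seen[$0]++'
}

# Read warning text on stdin; print the two option lines, each on ONE line.
# Both options take a space-separated list inside quotes, so any path with a
# character outside [A-Za-z0-9._/+-] is refused rather than written out.
conf_lines() {
    flagged_paths | (
        list=""
        while IFS= read -r p; do
            case $p in
                *[!A-Za-z0-9._/+-]*)
                    echo "refusing unsafe path: $p" >&2; exit 2 ;;
                *)  list="${list:+$list }$p" ;;
            esac
        done
        [ -n "$list" ] || { echo "no flagged files in input" >&2; exit 1; }
        printf 'RTKT_FILE_WHITELIST="%s"\n' "$list"
        printf 'USER_FILEPROP_FILES_DIRS="%s"\n' "$list"
    )
}

# Constructed sample: abridged from the warning quoted in this thread, with
# one line repeated to show de-duplication.
sample_warning() {
    cat <<'EOF'
> Warning: SunOS / NSDAP Rootkit                    [ Warning ]
>           File '/usr/bin/mc68000' found
>           File '/usr/bin/m68k' found
>           File '/usr/bin/sun2' found
>           File '/usr/bin/mc68000' found
EOF
}

sample_warning | conf_lines
```

The output is appended to /etc/rkhunter.conf.local, followed by 'rkhunter --propupd' as described in the reply.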
