Hi, John-san

Thank you very much for your prompt reply!

I feel a bit relieved that these files may not be malicious. Per your suggestion, I did the following.

Step:

1) copy /etc/rkhunter.conf to /etc/rkhunter.conf.local.

2) configure the two lines below on /etc/rkhunter.conf.local.
   * Note: I included "/etc/rkhunter.conf" as well on "USER_FILEPROP_FILES_DIRS".

------------------------------------------------------------------------
RTKT_FILE_WHITELIST="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370"
USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf /usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020 /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3 /usr/bin/sun3x /usr/bin/u370"
------------------------------------------------------------------------

3) run "rkhunter --propupd"

bash-3.00# rkhunter --propupd
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 206 files, found 184
bash-3.00#

4) run "rkhunter -c -sk"

Those 10 files are regarded as known rootkits.

[19:04:44] Info: Found file '/usr/bin/mc68000': it is whitelisted for the 'known_rkts' check.
[19:04:44] Checking for file '/usr/bin/mc68000' [ Found ]
[19:04:45] Info: Found file '/usr/bin/mc68010': it is whitelisted for the 'known_rkts' check.
[19:04:45] Checking for file '/usr/bin/mc68010' [ Found ]
[19:04:46] Info: Found file '/usr/bin/mc68020': it is whitelisted for the 'known_rkts' check.
[19:04:47] Checking for file '/usr/bin/mc68020' [ Found ]
[19:04:48] Info: Found file '/usr/bin/m68k': it is whitelisted for the 'known_rkts' check.
[19:04:48] Checking for file '/usr/bin/m68k' [ Found ]
[19:04:49] Info: Found file '/usr/bin/sun2': it is whitelisted for the 'known_rkts' check.
[19:04:49] Checking for file '/usr/bin/sun2' [ Found ]
[19:04:50] Info: Found file '/usr/bin/mc68030': it is whitelisted for the 'known_rkts' check.
[19:04:51] Checking for file '/usr/bin/mc68030' [ Found ]
[19:04:51] Info: Found file '/usr/bin/mc68040': it is whitelisted for the 'known_rkts' check.
[19:04:52] Checking for file '/usr/bin/mc68040' [ Found ]
[19:04:52] Info: Found file '/usr/bin/sun3': it is whitelisted for the 'known_rkts' check.
[19:04:53] Checking for file '/usr/bin/sun3' [ Found ]
[19:04:54] Info: Found file '/usr/bin/sun3x': it is whitelisted for the 'known_rkts' check.
[19:04:54] Checking for file '/usr/bin/sun3x' [ Found ]
[19:04:56] Info: Found file '/usr/bin/u370': it is whitelisted for the 'known_rkts' check.
[19:04:56] Checking for file '/usr/bin/u370' [ Found ]

#####################################################

Here is an additional question.

i) [ Warning ] - file properties check

While running rkhunter, "Performing file properties check" indicated [ Warning ] messages for the commands below.

/usr/sbin/dmesg [ Warning ]
/usr/bin/dmesg [ Warning ]
/usr/bin/kill [ Warning ]
/usr/bin/test [ Warning ]
/usr/bin/which [ Warning ]
/usr/ucb/df [ Warning ]
/usr/ucb/du [ Warning ]
/usr/ucb/file [ Warning ]

Even after I did "rkhunter --update" and "rkhunter --propupd", I got the same result.
Are those commands affected by anything? How should I react to those messages or check? Please advise.

Thanks!

Shunta Takino

On Wed, 15 Jun 2011 09:18:25 +0100 John Horne <john.ho...@plymouth.ac.uk> wrote:
> On Wed, 2011-06-15 at 15:51 +0900, TAKINO Shunta wrote:
> > Hi, All,
> >
> > To enforce security on my server (Solaris10 sparc), I installed and ran
> > your rkhunter. Actually it detected Solaris rootkit "NSDAP"
> >
> > Warning: SunOS / NSDAP Rootkit [ Warning ]
> > File '/usr/bin/mc68000' found
> > File '/usr/bin/mc68010' found
> > File '/usr/bin/mc68020' found
> > File '/usr/bin/m68k' found
> > File '/usr/bin/sun2' found
> > File '/usr/bin/mc68030' found
> > File '/usr/bin/mc68040' found
> > File '/usr/bin/sun3' found
> > File '/usr/bin/sun3x' found
> > File '/usr/bin/u370' found
> >
> > I checked the same directory on another Solaris10 server and there are the
> > same files on that. I tried to find out what these are doing, but I could
> > not find any clues.
> >
> > Is this bundled with Solaris 10 OS originally?
> > Does Sun Microsystems create those files for any reason?
> >
> > Please let me know if I can ignore or not.
> > If those are malicious, how should I protect? (Initialize disk and
> > re-install?)
>
> Hello,
>
> I have the same files on my Solaris 10 systems, they are part of the
> core Solaris O/S. You can whitelist them from the rootkit check, but I
> also then include them as specific files to be monitored just to be
> safe. I added the following to my /etc/rkhunter.conf.local file:
>
> RTKT_FILE_WHITELIST="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020
> /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3
> /usr/bin/sun3x /usr/bin/u370"
> USER_FILEPROP_FILES_DIRS="/usr/bin/mc68000 /usr/bin/mc68010 /usr/bin/mc68020
> /usr/bin/mc68030 /usr/bin/mc68040 /usr/bin/m68k /usr/bin/sun2 /usr/bin/sun3
> /usr/bin/sun3x /usr/bin/u370"
>
> Then run 'rkhunter --propupd'.
>
>
> John.
>
> --
> John Horne Tel: +44 (0)1752 587287
> University of Plymouth, UK Fax: +44 (0)1752 587001
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
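The thread combines two rkhunter mechanisms: RTKT_FILE_WHITELIST silences the known-rootkit name match for a file, and USER_FILEPROP_FILES_DIRS plus `--propupd` keeps that same file under a property baseline so any later change still raises a warning. The following is an added, self-contained Python model of that workflow; it is not rkhunter's own code, nor code from either poster. The set of fields compared (hash, size, mode, owner, inode) and the JSON baseline layout are assumptions chosen for illustration, not the real rkhunter.dat format, and the "system files" are constructed stand-ins created in a temporary directory.

```python
"""Toy model of rkhunter's --propupd / file properties check and of the
RTKT_FILE_WHITELIST effect. Added illustration only; the fields stored and the
JSON layout are assumptions, not the real rkhunter.dat format."""
import hashlib
import json
import os
import stat
import tempfile

# Properties compared per file (assumed set, chosen to mirror the kind of
# data a file-integrity baseline keeps).
FIELDS = ("sha256", "size", "mode", "uid", "gid", "inode")


def file_properties(path):
    """Collect the current properties of one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "inode": st.st_ino,
    }


def propupd(paths, db_path):
    """Like 'rkhunter --propupd': (re)create the baseline for the given paths.
    Returns how many files were recorded (missing paths are skipped)."""
    db = {p: file_properties(p) for p in paths if os.path.isfile(p)}
    with open(db_path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)
    return len(db)


def check_properties(db_path):
    """Like the file properties check: compare every baselined file with its
    current state. Returns {path: [changed fields]}; [] means OK and
    ['missing'] means the file is gone."""
    with open(db_path) as f:
        db = json.load(f)
    results = {}
    for path, saved in db.items():
        if not os.path.isfile(path):
            results[path] = ["missing"]
            continue
        current = file_properties(path)
        results[path] = [k for k in FIELDS if current[k] != saved[k]]
    return results


def known_rootkit_hits(signature_paths, whitelist):
    """Like the 'known_rkts' check with RTKT_FILE_WHITELIST applied: a file
    named in a rootkit signature only counts as a hit when it exists and is
    not whitelisted. Whitelisting does not stop property monitoring."""
    allowed = set(whitelist)
    return [p for p in signature_paths if os.path.exists(p) and p not in allowed]


def demo():
    """Constructed scenario in a temporary directory: three stand-in files,
    a baseline, then a content change and a permission change."""
    d = tempfile.mkdtemp()
    names = ("mc68000", "sun3", "dmesg")
    files = {n: os.path.join(d, n) for n in names}
    for p in files.values():
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    db = os.path.join(d, "rkhunter.dat")
    recorded = propupd(list(files.values()), db)

    # Tamper: append to one file (hash and size change), set a setuid bit
    # on another (only the mode changes, the hash stays the same).
    with open(files["dmesg"], "a") as f:
        f.write("echo tampered\n")
    os.chmod(files["sun3"], 0o4755)

    # Toy signature: a constructed two-name subset standing in for the NSDAP
    # file list; only mc68000 is whitelisted, so sun3 still registers.
    hits = known_rootkit_hits([files["mc68000"], files["sun3"]], [files["mc68000"]])

    props = {os.path.basename(p): v for p, v in check_properties(db).items()}
    return {"recorded": recorded,
            "properties": props,
            "rootkit_hits": [os.path.basename(p) for p in hits]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows why John's advice pairs the two settings: whitelisting `mc68000` removes it from the rootkit hit list, yet the permission change on `sun3` and the appended content in `dmesg` are still caught by the property comparison, each with the field that moved. Read against the original question, a file properties warning that survives `--propupd` means a recorded field differs between the baseline run and the check run, so the first diagnostic step is to see which field it is; on Solaris 10 itself, `pkgchk -p <path>` compares a file with the installed package database, which gives an independent known-good reference for binaries such as /usr/bin/dmesg.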