On Tue, 2014-03-11 at 10:34 -0500, Wally wrote:
> Greetings.  I've recently installed openssh 6.5p1, openssl 1.0.1f and
> rkhunter 1.4.2.  
> 
> 
> Rkhunter issues the following warning:
> Warning: Checking for possible rootkit strings    [ Warning ]
> Found string 'aion' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
> 
> 
> 
> 
> $ strings sshd | grep aion
> 
> Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)
> 
> 
> The string "aion" is found in the openssl distribution. 
> 
> 
> 
> I was able to find two perl files in the openssl source directory that
> contain these strings:
> 
> 
> ./crypto/aes/asm/vpaes-x86_64.pl on line 1063 
> 
> 1063 .asciz  "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
> 
> 
> 
> ./crypto/aes/asm/vpaes-x86.pl on line 156
> 
> 156 &asciz  ("Vector Permutation AES for x86/SSSE3, Mike Hamburg (Stanford University)");
> 
> 
> I'm contemplating editing the string out and recompiling, but perhaps
> there is a better way.  
> 
You can whitelist certain rootkit files. Look in the RKH configuration
file (something like RTKT_WHITELIST).




John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
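A check worth running before whitelisting, as an added example that is not part of the original messages or of rkhunter: it confirms that every 'aion' string in a binary is accounted for by the OpenSSL banner quoted in the thread, so the whitelist entry does not hide some other match. The function names and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Banner exactly as it appears in the strings output quoted above
# (the "Permutaion" misspelling is what produces the 'aion' match).
KNOWN_BANNER='Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)'

# hits FILE NEEDLE: print each printable run in FILE that contains NEEDLE,
# roughly what `strings FILE | grep NEEDLE` shows, without needing binutils.
hits() {
    LC_ALL=C grep -a -o "[[:print:]]*$2[[:print:]]*" "$1"
}

# unexplained_hits FILE NEEDLE: remove the known banner from each hit and
# print whatever still contains NEEDLE. Exit status 0 means something is left.
unexplained_hits() {
    hits "$1" "$2" | sed "s|$KNOWN_BANNER||g" | grep -F -- "$2"
}

# triage FILE [NEEDLE]: return 0 if there is no hit or every hit is the
# banner, 1 if any occurrence of NEEDLE remains unexplained.
triage() {
    file=$1; needle=${2:-aion}
    if ! hits "$file" "$needle" >/dev/null; then
        echo "clean: no '$needle' string in $file"
        return 0
    fi
    if left=$(unexplained_hits "$file" "$needle"); then
        echo "INVESTIGATE: unexplained '$needle' strings in $file:"
        echo "$left"
        return 1
    fi
    echo "explained: every '$needle' hit in $file is the OpenSSL vpaes banner"
    return 0
}

# Constructed sample standing in for a binary (not a real sshd).
# On a real host the call would be: triage /usr/sbin/sshd
sample=$(mktemp)
printf '\177ELF\000\001%s\000\002\000' "$KNOWN_BANNER" > "$sample"
triage "$sample"
rm -f "$sample"
```

A non-zero return means the file contains an 'aion' string other than the banner, and that case calls for comparing the binary against the package or build it came from, not for a whitelist entry.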
