On 12/27/2017 08:35 PM, Ms. Eva wrote:
> Hello,

Hello, first of all, please don't panic!

> Could anyone help me? I'm new.. just learning ethical hacking for
> beginners, and I was afraid to download Kali and Metasploitable environment
> because I suspected I had intrusion on my system. I've taken the system in
> to Apple and consulted Apple, but they deny they see anything wrong. Yet, I
> see suspicious things. Research led me to RK hunter with a tutorial on how
> to download and enable it and the terminal commands to use.

Kali Linux and Metasploit, as far as I know, don't have a direct connection to rkhunter. You might find rkhunter on Kali Linux installations as an installed program, but that's all. (Note: correct me if I am wrong here.)

> I've now DOD-level-erased, repartitioned disks, downloaded and reinstalled
> my operating system 7 times on my Mac over the course of 3 days, but I
> think rootkit or string injection is rebuilding itself. Here are my
> suspicious results. I have summarized below the suspicious findings that
> appear exactly the same each time, regardless of how fresh the OSX High
> Sierra refresh: Can anyone kindly tell me what they think, and how to go
> about cleaning this up?

I am not familiar with MacOS as I don't trust the operating system. But if you trust Apple in general to deliver non-compromised software in factory default, you should be fine.

The most difficult part of rkhunter is the configuration. If you have a fresh installation, it's a good starting point to accept all warnings as trusted changes to rkhunter's defaults. To verify the authority of the installed software binaries is your responsibility. To accept changes to rkhunter defaults and trust the installed version, you have to run rkhunter --propupd [0].

> Checking if SSH root access is allowed [ *Warning* ]
>
> Checking if SSH protocol v1 is allowed [ *Warning* ]

As you have a fresh installation, I would propose to change the defaults here. SSHD configuration is (at least for Linux) straightforward for changing those mentioned options.

If you don't know what ssh is, it might be worth disabling the service. A service not running is still the most secure option.

Regards,
Thomas

[0] --propupd [{filename | directory | package name},...]
    One of the checks rkhunter performs is to compare various current file
    properties of various commands against those it has previously stored.
    This command option causes rkhunter to update its data file of stored
    values with the current values. If the filename option is used, then it
    must either be a full pathname, or a plain file name (for example,
    'awk'). When used, then only the entry in the file properties database
    for that file will be updated. If the directory option is used, then
    only those files listed in the database that are in the given directory
    will be updated. Similarly, if the package name option is used, then
    only those files in the database which are part of the specified package
    will be updated. The package name must be the base part of the name; no
    version numbers should be included - for example, 'coreutils'. Package
    names will, of course, only be stored in the file properties database if
    a package manager is being used. If a package name is the same as a file
    name - for example, 'file' could refer to the 'file' command or to the
    RPM 'file' package (which contains the 'file' command) - the package
    name will be used. If no specific option is given, then the entire
    database is updated.

    WARNING: It is the user's responsibility to ensure that the files on the
    system are genuine and from a reliable source. rkhunter can only report
    if a file has changed, but not on what has caused the change. Hence, if
    a file has changed, and the --propupd command option is used, then
    rkhunter will assume that the file is genuine.
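The two sshd_config changes Thomas suggests for the SSH warnings, followed by the --propupd re-baseline, as an added shell example that is not part of this thread (neither Thomas's nor Ms. Eva's code). It assumes the OpenSSH daemon config lives at /etc/ssh/sshd_config, that the daemon binary is /usr/sbin/sshd, and that rkhunter is on the PATH; the dry run at the bottom works on a constructed temporary file so it can be tried without root, and the system is only touched when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): fix the two sshd_config findings
# rkhunter reported, then re-baseline rkhunter's file-properties database.
# Assumptions: sshd_config at /etc/ssh/sshd_config, sshd at /usr/sbin/sshd,
# rkhunter on PATH. Only the --apply path touches the system.
set -eu

# Report which of the two settings rkhunter warned about are still weak.
# sshd matches keywords case-insensitively and the first directive wins; an
# absent PermitRootLogin is also reported because rkhunter flags it.
ssh_weak_settings() {
    cfg="$1"
    weak=""
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$cfg"; then
        weak="$weak PermitRootLogin=yes"
    elif ! grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        weak="$weak PermitRootLogin=unset"
    fi
    # "Protocol 1" and "Protocol 2,1" both enable the obsolete v1 protocol.
    if grep -Eiq '^[[:space:]]*Protocol[[:space:]]+[0-9,]*1' "$cfg"; then
        weak="$weak Protocol=1"
    fi
    printf '%s\n' "${weak# }"
}

# Drop every uncommented PermitRootLogin/Protocol directive and append the
# hardened values, so no earlier (first-match-wins) directive can override them.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.new"
    grep -Eiv '^[[:space:]]*(PermitRootLogin|Protocol)[[:space:]]' "$cfg" > "$tmp" || true
    printf 'PermitRootLogin no\nProtocol 2\n' >> "$tmp"
    mv "$tmp" "$cfg"
}

# Real run (needs root): back up, harden, syntax-check, then tell rkhunter the
# current files are the trusted baseline and re-run the scan.
apply_to_system() {
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$cfg"
    /usr/sbin/sshd -t -f "$cfg"       # set -e aborts here on a config error
    # Reload sshd with whatever your OS uses (launchctl on macOS,
    # systemctl/service on Linux) before re-scanning.
    rkhunter --propupd                # accept the fresh-install file properties
    rkhunter --check --sk             # --sk: don't pause for keypresses
}

if [ "${1:-}" = "--apply" ]; then
    apply_to_system
else
    # Dry run on a constructed config so the functions can be tried unprivileged.
    demo=$(mktemp)
    printf '# constructed sample\nPermitRootLogin yes\nProtocol 2,1\nPort 22\n' > "$demo"
    echo "before: $(ssh_weak_settings "$demo")"
    harden_sshd_config "$demo"
    echo "after:  '$(ssh_weak_settings "$demo")'"
    rm -f "$demo"
fi
```

If you would rather keep a setting and tell rkhunter it is intended, the corresponding knobs in rkhunter.conf are ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1; changing sshd_config as above is the safer route on a fresh install.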
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users