Re: [Rkhunter-users] what does this mean?
On 10-09-30 9:39 AM, Nick Fox wrote:
> I installed rkhunter 3 days ago and I've been getting this message every morning:
> Please inspect this machine, because it may be infected.
> When I go to check my log file, I don't see any problem. Why am I getting this message?

Without the log file, we'd be guessing. I'm betting there's something in there you aren't seeing.

-- 
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] what does this mean?
On 10-09-30 10:27 AM, Nick Fox wrote:
> I have put my rkhunter.log here on 4shared. Click on the blue Download Now button.
> http://www.4shared.com/file/IGOk7wkP/rkhunter.html

Yuck. JavaScript time-delayed download file sharing site? In future, try pastebin.com or similar... I did it for you this time: http://pastebin.com/fczK8aB9

Now as to your problem - open that log and just search for the word Warning. It's there three times, indicating a few things you should look at.

I'd install 'lsof' as well.

Brian
Re: [Rkhunter-users] white-listing on OpenBSD seems to fail with some characters
On 10-06-04 9:17 AM, Muskoka Auto Parts Limited wrote:
> On 10-06-04 9:03 AM, Uwe Dippel wrote:
>> On Fri, Jun 4, 2010 at 9:02 PM, Muskoka Auto Parts Limited m...@map-heb.com wrote:
>>> FWIW, it does whitelist it if you use 'named:9.4.2'
>>
>> If it did, I had not noticed it, even. That's what was there before, then the upgrade to P2 came, and since then I get the warnings.
>
> Not sure your distro - but on Ubuntu 8.04.4
>
> == grep named /etc/rkhunter.conf
> APP_WHITELIST=openssl:0.9.8g sshd:4.7p1 named:9.4.2
>
> == sudo grep named /var/log/rkhunter.log
> [sudo] password for administrator:
> [07:13:37] Info: Found application 'named' version '9.4.2': this version is whitelisted.

Ooops - missed this part

== named -v
BIND 9.4.2-P2.1

So the dash is there...
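The mismatch above comes down to a literal comparison: the version rkhunter extracts from the binary ('9.4.2-P2.1') is not the string in APP_WHITELIST ('9.4.2'). The shell functions below are an added example, not code from the rkhunter project or from this thread. They read APP_WHITELIST out of a config file, reduce the banner that `named -v` prints to a bare version string, and report whether the entry still matches, so the check can be run before the nightly scan complains. Assumptions: rkhunter compares the strings exactly (which is what the log line above shows), and a bare application name without a version is accepted as "any version" by your rkhunter release (check the APP_WHITELIST comments in your own rkhunter.conf). The config fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the rkhunter project or this thread.
# rkhunter matches the version it extracts from a binary against the
# APP_WHITELIST entries as literal strings (assumption, consistent with the
# log line above: 'named' version '9.4.2' is whitelisted, 9.4.2-P2.1 is not).
# These functions let you check the entry against what the binary reports
# before the nightly run complains.

# Print the versions whitelisted for $2 in the rkhunter.conf given as $1,
# one per line; a bare "app" entry with no version prints as "*".
whitelisted_versions() {
    conf=$1; app=$2
    sed -n 's/^APP_WHITELIST=//p' "$conf" | tr -d '"' | tr -s '[:space:]' '\n' |
    while read -r entry; do
        case $entry in
            "$app")   echo '*' ;;
            "$app":*) echo "${entry#*:}" ;;
        esac
    done
}

# Exit 0 when $2:$3 is whitelisted in $1, either exactly or via a bare "app"
# entry (assumed to mean any version; verify against your rkhunter.conf comments).
app_is_whitelisted() {
    whitelisted_versions "$1" "$2" | grep -qxF -e "$3" -e '*'
}

# Turn the banner "named -v" prints ("BIND 9.4.2-P2.1") into the bare version.
bind_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([^ ]*\).*/\1/p'
}

# Constructed config fragment mirroring the one quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# rkhunter.conf excerpt (constructed for the example)
APP_WHITELIST=openssl:0.9.8g sshd:4.7p1 named:9.4.2
EOF
}

# Usage on a real host:
#   app_is_whitelisted /etc/rkhunter.conf named "$(bind_version "$(named -v)")" \
#       || echo "update the named: entry in APP_WHITELIST"
```

When the check fails, the fix is the one the thread arrives at: replace the `named:9.4.2` entry with the exact string the binary reports, dash and all, and re-run rkhunter.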
Re: [Rkhunter-users] changing MTAs
On 10-05-11 3:06 AM, Robert Holtzman wrote:
> rkhunter installed with exim4. I would like to switch it to sendmail but can't see how. Can I get some help?

Assuming you are running a Debian variant from your mail headers, I'm guessing that rkhunter specified an MTA required, and the default MTA for your distro happens to be exim. To prove that -

== aptitude show rkhunter
Package: rkhunter
State: installed
Depends: binutils, debconf (>= 0.5) | debconf-2.0, exim4 | postfix | sendmail | mail-transport-agent, file, net-tools, perl

See the depends line? Changing to sendmail is easy -

== sudo aptitude --simulate install sendmail
The following NEW packages will be automatically installed:
  m4 procmail sendmail-base sendmail-bin sendmail-cf sensible-mda
The following packages will be automatically REMOVED:
  postfix
The following NEW packages will be installed:
  m4 procmail sendmail sendmail-base sendmail-bin sendmail-cf sensible-mda
The following packages will be REMOVED:
  postfix
0 packages upgraded, 7 newly installed, 1 to remove and 0 not upgraded.
Need to get 1894kB of archives. After unpacking 3146kB will be used.
Do you want to continue? [Y/n/?]

In my case I'm running postfix rather than exim, but the results are the same. Installing one will automatically remove the other because they are marked as conflicting with each other.

HTH
Re: [Rkhunter-users] OSX passwd file (was eliminate Dica-Kit Rootkit)
On 10-05-09 12:59 PM, John Horne wrote:
> On Fri, 2010-05-07 at 16:44 +0200, Michael Li wrote:
>> [ Warning ]
>> [15:06:08] Warning: No shadow/password file found.
>
> You can set the following option in your config file:
>
> PASSWORD_FILE=path to password file
>
> RKH will try and determine where the password file is located, but if it cannot then you get the above warning. Use the config file option to tell RKH where your password file is located.
>
> (Note: For other OS's this is actually the 'shadow' file, the file which contains the actual passwords. The test is to see if an account has no password, and to do that we need to check the file containing the actual passwords (the shadow file), rather than the file just containing the account names (usually the passwd file.))
>
> If you could let me know the pathname of your file (email me off list preferably) then it may be useful to get RKH to check for that automatically for OSX users (assuming you are using some sort of standard password file for OSX systems). I'll add the pathname into the RKH code.
>
> Again a quick google: It seems a /etc/passwd or /etc/master.passwd file may be present. If either is, then set it in the above option. If neither is, then you need to disable the password file checks. To do this add 'group_accounts' to the DISABLE_TESTS list.

As I understand it, OSX doesn't use a flat file for the user information (including the actual passwords)

From OSX 10.6

== cat /etc/passwd
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# This file will not be consulted for authentication unless the BSD local node
# is enabled via /Applications/Utilities/Directory Utility.app
#
# See the DirectoryService(8) man page for additional information about
# Open Directory.
##
Re: [Rkhunter-users] howto requested: eliminate Dica-Kit Rootkit
On 10-05-07 10:44 AM, Michael Li wrote:

Using rkhunter with OSX correctly is a bigger issue I hope someone else will address. I will comment on a few of these warnings I'm sure are not an issue for you.

> My OS is Mac OSX 10.5.8
>
> [15:02:38] Info: Using system startup paths: /etc/rc.d /etc/rc.local /usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start /etc/init.d /etc/inittab
> [15:02:38] Warning: Checking for possible rootkit strings [ Warning ]
> [15:02:39] No system startup files found.

Those files are not used in Leopard. This is not an issue.

> [15:06:08] Performing system boot checks
> [15:06:08] Info: Starting test name 'startup_files'
> [15:06:08] Checking for local host name [ Found ]
> [15:06:08] Info: Starting test name 'startup_malware'
> [15:06:08] Checking for system startup files [ Warning ]
> [15:06:08] Warning: No system startup files found.

Same. Those files are not used in Leopard. This is not an issue.

> [15:06:08] Checking for passwordless accounts [ Warning ]
> [15:06:08] Warning: No shadow/password file found.

Same. Doesn't apply to Leopard.

> [15:06:09] Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.

While true, the root user is not enabled in OSX by default, so this could be considered ok as is.

> [15:06:10] Info: Found syslog configuration file: /etc/syslog.conf
> [15:06:10] Checking if syslog remote logging is allowed [ Warning ]
> [15:06:10] Warning: Syslog configuration file allows remote logging: install.*@127.0.0.1:32376

I could be mistaken, but I think rkhunter is wrong here - allowing logging from localhost is not 'remote logging' as far as I'm concerned.

Several warnings, referring to application versions of gpg httpd named openssl php procmail proftp sshd

Use Apple's own software update to confirm you are up to date on these. Apple patches existing versions rather than upgrading to new versions for security issues.

In summary, most of your issues stem from using rkhunter on OSX, rather than the more traditional *nix systems. Hopefully someone else can step up with suggestions on how to make it work better for you.

Brian
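Two messages in this archive turn on reading the log the same way: the "what does this mean?" reply ("search for the word Warning, it's there three times") and the OSX log above, where each finding sits under an "Info: Starting test name '...'" line. The shell function below is an added example, not part of the rkhunter project or of either message: it prints every "Warning:" finding together with the rkhunter test that raised it, so a log can be triaged without scrolling. It assumes the log layout quoted above; the sample log is constructed, not a real run.

```shell
#!/bin/sh
# Added example, not from the rkhunter project or this thread.
# Pull every "Warning:" line out of an rkhunter log together with the test
# that produced it. Assumes the log layout quoted in the thread:
#   [HH:MM:SS] Info: Starting test name 'some_test'   precedes a test's checks
#   [HH:MM:SS] Warning: <finding>                      is a finding

# Print "test_name<TAB>finding" for each warning in the log file given as $1.
rkh_warnings() {
    awk -v q="'" '
        BEGIN { test = "(none)" }              # findings before any test starts
        /Info: Starting test name/ {
            # the test name sits between single quotes on this line
            if (match($0, q "[^" q "]+" q))
                test = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        /\] Warning: / {
            sub(/^\[[0-9:]+\] Warning: /, "")  # drop the timestamp and label
            print test "\t" $0
        }
    ' "$1"
}

# Number of findings: the figure to compare with "it's there three times".
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log in the format quoted in the thread (not a real run).
write_sample_log() {
    cat > "$1" <<'EOF'
[15:06:08] Info: Starting test name 'startup_malware'
[15:06:08] Checking for system startup files            [ Warning ]
[15:06:08] Warning: No system startup files found.
[15:06:08] Info: Starting test name 'group_accounts'
[15:06:08] Checking for passwordless accounts           [ Warning ]
[15:06:08] Warning: No shadow/password file found.
[15:06:09] Info: Starting test name 'system_configs'
[15:06:09] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[15:06:10] Info: Found syslog configuration file: /etc/syslog.conf
EOF
}

# Usage on a real host:  rkh_warnings /var/log/rkhunter.log
```

The test name in the first column is what goes into DISABLE_TESTS (as the password-file reply above does with 'group_accounts') once you have decided a finding does not apply to the platform; the second column is what to read before deciding that.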
Re: [Rkhunter-users] Re RKH permissions
On 10-04-28 5:18 PM, Call Me Shane wrote:
> Some of the things that people do really piss me off. This is one of them.
> <snipped rant>

Me, I get pissed off when people assume they know exactly what they are doing and everyone else is an idiot.

Please review the concepts of ownership and permission on a posix file system - you are missing a few basic concepts here. *nix is not Windows.

Brian

PS: Hint - (making some educated guesses about your OS) - gksu gedit or install nautilus-gksu
Re: [Rkhunter-users] Warning: The file properties have changed: File: /usr/bin/sudo
On 10-04-19 12:07 PM, Ralph Seward wrote:
> Dear All:
> A couple of days ago I began receiving the following warning from RKHunter from one of my servers running Ubuntu:
> Warning: The file properties have changed: File: /usr/bin/sudo

Ubuntu has recently updated the sudo package. e.g.

== sudo zgrep sudo dpkg.log*
dpkg.log.2.gz:2010-03-05 09:03:45 upgrade sudo 1.6.9p10-1ubuntu3.5 1.6.9p10-1ubuntu3.6

On my machines however rkhunter --propupd is run when that happens, so no intervention is required on my part. Not sure what combination of things would make that not happen for you.

It's also interesting your two machines have different hashes for that file. Different releases etc? I'd find a known good one to compare to before I ran --propupd

Brian
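Brian's advice to find a known-good copy before running --propupd can be followed on the same host: on Debian and Ubuntu, dpkg keeps an MD5 manifest for every installed package under /var/lib/dpkg/info/<package>.md5sums, one "hash  relative/path" line per file. The functions below are an added example, not code from this thread or from the rkhunter project: record_manifest writes a manifest in that format and verify_manifest checks a tree against one, reporting each file that differs or is missing. The sample tree is constructed in the test; on a real host the call is verify_manifest /var/lib/dpkg/info/sudo.md5sums /. A match only shows the binary is what the package shipped, which is why the dpkg.log upgrade entry above is the other half of the check.

```shell
#!/bin/sh
# Added example, not from the rkhunter project or this thread.
# Compare files on disk against a dpkg-style md5sums manifest before deciding
# that a "file properties have changed" warning is just a package upgrade.
# Manifest format assumed (what /var/lib/dpkg/info/<pkg>.md5sums uses):
#   <md5 hex>  <path relative to />

# Write a manifest for the given relative paths under root $1 into file $2.
# (dpkg does this at install time; here it stands in for the "known good".)
record_manifest() {
    root=$1; manifest=$2; shift 2
    (cd "$root" && md5sum "$@") > "$manifest"
}

# Check every entry of manifest $1 against the tree rooted at $2.
# Prints one MISMATCH line per differing or missing file; exit 0 only if all match.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        actual=$(md5sum "$root/$path" 2>/dev/null | cut -d' ' -f1 || true)
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s expected=%s actual=%s\n' \
                "$path" "$expected" "${actual:-missing}"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Usage on a real Debian/Ubuntu host:
#   verify_manifest /var/lib/dpkg/info/sudo.md5sums / && rkhunter --propupd
```

Newer dpkg releases bundle the same comparison as `dpkg --verify <package>`, and the debsums package does it for every installed package; the function above is the same check written out so it can be run against any manifest you trust.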
[Rkhunter-users] Determining what created a block special file
Hi All

rkhunter has warned me about /dev/.tmp-11-1

It's a block special file, and judging by creation date and what I know of that system, I have an idea where it came from.

The problem is I'm stumped how to 'prove' that. Googling about didn't find anything useful.

lsof doesn't show it (but also doesn't show any block special files, so I'm not surprised)

Suggestions?

Brian
Re: [Rkhunter-users] Determining what created a block special file
On 31/03/10 11:34 AM, unsp...@hushmail.com wrote:
> On Wed, 31 Mar 2010 15:33:18 +0200 Muskoka Auto Parts Limited m...@map-heb.com wrote:
>> rkhunter has warned me about /dev/.tmp-11-1
>> It's a block special file, and judging by creation date and what I know of that system, I have an idea where it came from.
>
> Udev (say 'scsi_id')?

Yeah, that's roughly what I was thinking - I plugged in an LCD projector at about that time, including its USB cable which presents itself as a CD-ROM.

>> The problem is I'm stumped how to 'prove' that. Googling about didn't find anything useful.
>> lsof doesn't show it (but also doesn't show any block special files, so I'm not surprised)
>
> If it's created after boot then you could use file-system notification to try and catch file creation. If it's created on boot then you need to get in before the service or application starts. Then you could use Auditd with a watch rule on /dev/ ('auditctl -w /dev/ -k watch-dev'). OTOH if it's Udev then maybe it has some debug or verbosity switches that enhance reporting.

So I mucked around for a bit trying things while looking at the output of

  sudo udevadm monitor --environment

and also

  inotifywatch -v /dev/.tmp-11-1

and couldn't find anything. I rebooted and of course the darned file is gone and I can't get it recreated :-/

I'll have to shelve this until I get any other bright ideas I guess.

Thanks for your suggestions.

Brian
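The auditd suggestion above is the one that survives a reboot, because the rule is loaded before udev starts creating nodes; what the thread does not show is how to get from the audit log back to a process. Each syscall caught by `auditctl -w /dev/ -k watch-dev` produces a SYSCALL record (pid, comm, exe) followed by PATH records (the files touched) that share one msg=audit(timestamp:serial) event id. The function below is an added example, not code from the thread or the rkhunter project: it joins the two record types so that every block special file under /dev/ is listed with the process that created it. Assumptions: the raw key=value layout of /var/log/audit/audit.log, and an octal mode beginning with 06 in the PATH record for a block device. The audit records in the sample are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread or the rkhunter project.
# With the rule suggested above,  auditctl -w /dev/ -k watch-dev , every
# syscall touching /dev/ yields a SYSCALL record (who) followed by PATH
# records (what) sharing the same msg=audit(ts:serial) id. Join the two so a
# block special file under /dev/ can be tied to the process that created it.
# Assumes the raw audit.log key=value layout; block devices carry an octal
# mode starting with 06 in their PATH record.

# Print "path<TAB>comm<TAB>pid<TAB>exe" for each block special file under /dev/
# in the audit log given as $1. The file is read twice: first to index SYSCALL
# records by event id, then to resolve PATH records against that index.
dev_block_creators() {
    awk '
        # value of key=... in an audit record; quoted values may contain spaces
        function field(line, key,    rest, end) {
            line = " " line
            if (!match(line, " " key "=")) return ""
            rest = substr(line, RSTART + RLENGTH)
            if (substr(rest, 1, 1) == "\"") {
                rest = substr(rest, 2)
                end = index(rest, "\"")
            } else {
                end = index(rest " ", " ")
            }
            return substr(rest, 1, end - 1)
        }
        FNR == NR {                             # pass 1: index SYSCALL records
            if (/^type=SYSCALL /) {
                id = field($0, "msg")
                comm[id] = field($0, "comm"); pid[id] = field($0, "pid"); exe[id] = field($0, "exe")
            }
            next
        }
        /^type=PATH / {                         # pass 2: resolve PATH records
            id = field($0, "msg")
            name = field($0, "name"); mode = field($0, "mode")
            if (name ~ /^\/dev\// && mode ~ /^06/)
                print name "\t" ((id in comm) ? comm[id] : "?") "\t" \
                      ((id in pid) ? pid[id] : "?") "\t" ((id in exe) ? exe[id] : "?")
        }
    ' "$1" "$1"
}

# Constructed records (not a real capture): udevd mknod()s /dev/.tmp-11-1 as a
# block device; a later read of /dev/null (a character device) must be ignored.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1269958800.123:4242): arch=c000003e syscall=133 success=yes exit=0 a0=7fff a1=61b0 a2=b00 a3=0 items=2 ppid=1 pid=512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" key="watch-dev"
type=CWD msg=audit(1269958800.123:4242):  cwd="/"
type=PATH msg=audit(1269958800.123:4242): item=0 name="/dev/" inode=1025 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1269958800.123:4242): item=1 name="/dev/.tmp-11-1" inode=7890 dev=00:0d mode=060660 ouid=0 ogid=6 rdev=0b:00
type=SYSCALL msg=audit(1269958801.456:4243): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=640 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="watch-dev"
type=PATH msg=audit(1269958801.456:4243): item=0 name="/dev/null" inode=1028 dev=00:0d mode=020666 ouid=0 ogid=0 rdev=01:03
EOF
}

# Usage on a real host:  dev_block_creators /var/log/audit/audit.log
```

If the node is created early in boot, the rule has to be in /etc/audit/audit.rules (or the distribution's rules directory) so auditd loads it before udev runs; a rule added interactively with auditctl after boot will, as the thread found, miss a file that only appears when the device is first plugged in or at the next boot.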
Re: [Rkhunter-users] [rkhunter-users] Update failed with rkhunter 1.3.0
On 05/03/10 5:11 PM, John Horne wrote:
> Version 1.3.0 is too old. The language files no longer exist for it, hence you get errors. You need to get the Ubuntu package maintainer to update it.

John - perhaps you are not aware of Ubuntu release policy. Once a version is picked for a release - it's static until that release is EOL'd. They only patch security issues, they don't upgrade software in a given release.

Brian