Re: [Rkhunter-users] rkhunter Daily Run: where's the warning?
On Wed, 2006-09-13 at 11:51 -0400, Quinn Comendant wrote:
> >> --append-log $TMPFILE1
> >
> > Which tells me you're either running FC or Aurora...
>
> I'm running RHEL 4.

I still don't see why you get a warning message though. I just tested on my RHEL4 system with the original os.dat but received no warnings (apart from some applications). I can't see anything in your log file which looks suspicious.

>> Rootkit Hunter 1.2.8 is running
>> Wed, 13 Sep 2006 04:03:32 -0500
>> Determining OS... Unknown
>> Warning: This operating system is not fully supported!
>> Warning: Cannot find md5_not_known
>> All MD5 checks will be skipped!
>
> could be that.

No, this doesn't set the warning variable in the code (at least that I can see!).

John.

-- 
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                         Fax: +44 (0)1752 233839

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] rkhunter Daily Run: where's the warning?
On Thu, 2006-09-14 at 10:44 +0100, John Horne wrote:
> > >> Warning: This operating system is not fully supported!
> > >> Warning: Cannot find md5_not_known
> >
> > could be that.
>
> No, this doesn't set the warning variable in the code (at least that I
> can see!).

Oops, my mistake. The warning messages are the cause - looking closer at the code I can now see what is happening.

John.
Re: [Rkhunter-users] Question (Possible rootkit?)
On Sat, 2006-09-16 at 17:53 +0100, Christopher Marks wrote:
> Checking /bin/login/usr/local/bin/rkhunter: line 3463: file:
> command not found

Can I ask what operating system you are running? And could you just type in 'file -h' to see what happens. The above seems to indicate you don't have the 'file' command.

John.
Re: [Rkhunter-users] Question (Possible rootkit?)
On Sun, 2006-09-17 at 00:27 +0100, Christopher Marks wrote:
> Thanks for your reply. In my haste I missed out what OS is running,
> it's Debian 3.1 (stable). File is not installed, indeed - is there a
> package that this comes with?

Package is just called 'file' as far as I can tell:
http://packages.debian.org/stable/utils/file

> I'm more concerned about the process name containing all the question
> marks in, and obviously if something is up then I need to get it
> sorted as soon as possible.
>
> root      1372  0.0  0.2  3444 1728 ?        S    17:32   0:00 ?\?\??g???
>
> with an 'lsof -p 1373' showing:

Why pid 1373 instead of 1372?

John.
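A process whose name prints as garbage in ps (as in the listing above) is best examined through what the kernel itself records under /proc rather than through the name field, which a process can overwrite at will. The script below is an added example, not code from the rkhunter project or from anyone on this thread; it assumes a Linux /proc and standard tools (readlink, sed, tr, ps, comm). The second function also gives a minimal version of the "hidden for ps" comparison that chkrootkit's chkproc reports in a later message: pids present in /proc but absent from ps output.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): inspect a suspicious pid through
# /proc, and list pids that /proc shows but ps does not.
# Assumes Linux procfs entries exe, cwd, cmdline and status.

proc_summary() {
    pid=$1
    d=/proc/$pid
    [ -d "$d" ] || { echo "pid $pid: no /proc entry"; return 1; }

    # readlink on exe/cwd needs privilege for other users' processes; keep going.
    exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
    # cmdline is NUL-separated; make it printable.
    cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status" 2>/dev/null)
    ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$d/status" 2>/dev/null)

    printf 'pid=%s ppid=%s name=%s exe=%s cwd=%s cmd=%s\n' \
        "$pid" "$ppid" "$name" "$exe" "$cwd" "$cmd"

    # Two things worth a second look: the binary was unlinked after it
    # started, or it runs out of a temporary or hidden directory.
    case "$exe" in
        *' (deleted)') echo "  ! executable was deleted after start" ;;
    esac
    case "$exe$cwd" in
        */tmp/*|*/dev/shm/*|*/.*) echo "  ! runs from a temp or hidden path" ;;
    esac
    return 0
}

# Pids listed by readdir() on /proc but missing from ps output. The /proc
# listing is taken first; pids that have exited by the time ps runs are
# dropped again so short-lived helpers do not show up as "hidden".
hidden_from_ps() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    ls /proc | grep '^[0-9][0-9]*$' | sort > "$a"
    ps -e -o pid= 2>/dev/null | tr -d ' ' | sort > "$b"
    [ -s "$b" ] || { rm -f "$a" "$b"; echo "ps unavailable" >&2; return 2; }
    for p in $(comm -23 "$a" "$b"); do
        [ -d "/proc/$p" ] && echo "$p"   # still alive, yet ps did not list it
    done
    rm -f "$a" "$b"
    return 0
}

# Usage: proc_summary 1372 ; hidden_from_ps
```

The /proc walk only catches a process that hides from ps but not from readdir(); a kernel module that filters /proc directory listings defeats it, which is why chkproc additionally probes pids directly with kill(). Both functions trust the host's own readlink, ls and ps binaries, so on a box suspected of running a rootkit they are a starting point for triage, not a verdict.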
Re: [Rkhunter-users] Warning: Possible LKM
On Sun, 2006-09-24 at 06:29 +1200, Pritesh Chandra wrote:
> anyone knows what this means?
>
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 465)
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found

You have the wrong mailing list I think. You are running chkrootkit there, not rkhunter.

John.
Re: [Rkhunter-users] Still not sure about release string
On Mon, 2006-09-25 at 14:06 -0500, Dennis Duffner wrote:
> [INFO] "Solaris 10 3/05 s10_74L2a X86" is seq nr 723
> awk: syntax error near line 1
> awk: bailing out near line 1

This is the first problem. The script uses:

    awk -F ":"

Unfortunately under Solaris this needs to be changed to 'awk -F:'. Fortunately this format seems to work fine under Linux too.

> usage: install [options] file [dir1 ...]

I suspect this is caused by the second problem. The script uses the 'stat' command. Again, unfortunately there is no 'stat' command under Solaris. What I don't understand is how come the script got so far in your case! It should have failed much sooner when the stat command was used. Could you just type in 'which stat' and let me know the result please.

Thanks,

John.
Re: [Rkhunter-users] new hashes
On Sun, 2006-10-01 at 01:38 +0300, Nerijus Baliunas wrote:
> rkhunter 1.2.9 finds some unknown/bad hashes on FC5 with all updates,
> should I send them here?

No. From the sourceforge site, download the 'hashupd.sh' script and run that. If you still get 'BAD' hash entries then it is a prelinking issue. The problem is described in the README file under section E1.

If you are running SELinux, then as root type in 'setenforce 0'. Then try running '/etc/cron.daily/prelink'. After that try running rkhunter again. If you still get 'BAD' entries, then enter '/bin/rm /etc/prelink.cache' and run /etc/cron.daily/prelink again. This may take some time. Finally run rkhunter again. The hashes should be fine then.

Don't forget to reset SELinux by typing in 'setenforce 1' - if you normally have it enabled.

John.
Re: [Rkhunter-users] hidden files
On Sun, 2006-10-01 at 01:42 +0300, Nerijus Baliunas wrote:
> I see in rkhunter.conf:
> #ALLOWHIDDENDIR=/dev/.udev
> #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
>
> Why are these commented out by default? IMHO it is safe to uncomment
> them by default.

Under your O/S maybe, but what about others - FreeBSD, Solaris, AIX? Under these those files may not exist and therefore indicate something is suspicious. I think it is safer if the user has to consciously configure rkhunter for their own computers. They should know if these files/directories are supposed to be there or not. Hence the values should be commented out by default.

John.
Re: [Rkhunter-users] Support for Scientific Linux
On Sun, 2006-10-01 at 08:53 +1000, Michael Mansour wrote:
> I have been using rkhunter since its inception, so it's good to see it's
> being maintained again.
>
> For at least 18 months I have been asking Michael to add support for
> Scientific Linux (www.scientificlinux.org) which is a straight RHEL
> derivative. I've provided him with all info he's asked for but he's never
> added it.
>
> Will you guys (the new maintainers) be open to this? As a RHEL derivative it
> should be a no-brainer.

Sure. Probably best if you can open this as a bug (or support request?) on the sourceforge site (http://sourceforge.net/projects/rkhunter/), and click on 'Submit New'. Some info we will need:

1) Can you download from sourceforge the 'hashupd.sh' script and run that. It should update your os.dat file. In the bug report can you include the output produced, and attach your os.dat and defaulthashes.dat files please.

2) You need to know the name of your O/S 'release' file. Typing 'ls -ld /etc/*release*' should indicate which name is used.

3) Can you include your email address, if you are submitting the bug anonymously.

Thanks,

John.
Re: [Rkhunter-users] new hashes
On Sun, 2006-10-01 at 02:43 +0300, Nerijus Baliunas wrote:
> On Sun, 01 Oct 2006 00:17:24 +0100 John Horne <[EMAIL PROTECTED]> wrote:
>
> > No. From the sourceforge site, download the 'hashupd.sh' script and run
> > that.
>
> I ran rkhunter --update, but it says all mirrors I tried are out of date.
> I assume I shouldn't use rkhunter --update for now?

? Why did you run that? If you have version 1.2.9 of rkhunter installed, then you will have the latest version of the program and data files. Download the hashupd.sh script and follow the instructions previously posted.

I should add that after prelinking you should run hashupd.sh again, to bring the defaulthashes.dat file in line with the prelinked values. I'll see about updating the README file with a bit more detail on what to do.

John.
Re: [Rkhunter-users] grammar fix
On Sun, 2006-10-01 at 01:48 +0300, Nerijus Baliunas wrote:
> Hello,
>
> Some errors has been found while checking. Please perform a manual check on
> this machine
>
> should be
>
> Some errors have been found while checking. Please perform a manual check on
> this machine
>
> i.e. has->have.

Noted.

Thanks,

John.
[Rkhunter-users] White colour and blank lines
Hello,

I run rkhunter under 2 different scenarios. The first is from server consoles, or a PC virtual terminal, which has white characters on a black background. The second scenario though is from the desktop, I tend to use KDE Konsole, and this has black characters on a white background.

Now the first scenario is not a problem, but when rkhunter is using colours the second scenario causes several blank lines to appear. It took me quite some time to realise that in fact these were white characters on the white background - the text was invisible! Additionally, the 'yellow' text appears as a bright yellow, in fact so bright that it is extremely difficult to read on a white background.

I know I could use the '--nocolors' option, but it sort of defeats the point of having colours at all then. As far as I can tell no-one else has mentioned this problem before, so I am wondering if I am the only person who runs rkhunter from the desktop?!

As far as I can tell there are 3 possible solutions. One is to change the rkhunter default colours, perhaps white to grey, but I suspect that people would complain about that. Second, is to create a command-line option to use a second colour-set when colours are used. (Again, perhaps grey instead of white, and blue instead of yellow.) Third, is to get rkhunter to 'read' if the background colour is white, and if so to automatically use different colours.

The third option sounds best, but may not be possible. I have no idea how to do it, but could perhaps try and find out. The second option is probably the easiest.

Anyone have any comments about this?

Thanks,

John.
Re: [Rkhunter-users] quick question
On Sun, 2006-10-01 at 23:44 +0200, Mihaly Zachar wrote:
> Is this project still alive ?

Yes, most certainly. It is, however, now 'under new management'.

> I could not get any update since may or april .. :(

Version 1.2.9 was put on to sourceforge yesterday, so you may want to grab a copy of that. (http://sourceforge.net/projects/rkhunter)

John.
Re: [Rkhunter-users] White colour and blank lines
On Mon, 2006-10-02 at 00:32 +0200, unspawn wrote:
> On Sun, 1 Oct 2006, John Horne wrote:
>
> > The third option sounds best, but may not be possible. I have no idea
> > how to do it, but could perhaps try and find out. The second option is
> > probably the easiest.
>
> I admit the only terminal I ran RKH off was xterm-color.
> Maybe we could using tput as in "tput setab 0; tput setaf 7; clear"
> beforehand. Does that work? I don't run KDE.

It works on the local PC (under KDE). However, if I SSH connect to a server, I still have black characters on a white background. It doesn't work when connecting through to another system.

John.
Re: [Rkhunter-users] White colour and blank lines
On Mon, 2006-10-02 at 12:19 +0200, unspawn wrote:
> On Mon, 2 Oct 2006, John Horne wrote:
>
> > On Mon, 2006-10-02 at 00:32 +0200, unspawn wrote:
> >> On Sun, 1 Oct 2006, John Horne wrote:
> > It works on the local PC (under KDE). However, if I SSH connect to a
> > server, I still have black characters on a white background. It doesn't
> > work when connecting through to another system.
>
> Hmm. Did you embed that tput line in RKH, or did you run RKH after
> manually executing those commands?

No, I embedded them just before the first application scan statement. Running this on a Solaris system did nothing, although the tput command does exist. Running it on a Fedora Core 4 system changed the background to black, but as soon as the first statement was shown it appeared as black characters with a white background behind the text (the rest of the screen was still a black background). Then as soon as the screen started to scroll up it went back to black characters with a white background. To keep it black would probably mean a bit of an overhaul of all the output statements.

John.
Re: [Rkhunter-users] Update rkh for CentOS
On Tue, 2006-10-03 at 13:17 -0400, Dimitri Yioulos wrote:
> When the opportunity arises, could rkhunter be updated to support the
> latest CentOS 3 and 4 releases (3.8 and 4.4, respectively)? I
> believe a lot of us are using this fine distro, so it would be a big
> help.

4.4 is already supported. For 3.8 could you raise this as a support request on the sourceforge web site (http://sourceforge.net/projects/rkhunter). Then download the hashupd.sh script (again from sourceforge), and run the program. Once that has been done could you then attach to the support request a copy of your os.dat and defaulthashes.dat files.

Thanks,

John.
Re: [Rkhunter-users] install issues w/installdir option
On Thu, 2006-10-05 at 14:27 -0500, Jeff Sherer wrote:
> I attempted to install RKH on a Solaris 9 system. I wanted to try out
> RKH without affecting my primary directories, so I used the --installdir
> option. I assumed that all RKH files would be contained in that
> directory. This appears to not be the case as seen by the following output:
> [snipped]
> Installing RK Hunter binary...
> cp: cannot create /usr/local/bin/rkhunter: Permission denied
> -e Failed
> cat: cannot open /usr/local/etc/rkhunter.conf
> ./installer.sh: /usr/local/etc/rkhunter.conf: cannot create
>
> Is this a bug?

Yes it certainly seems so.

> Is there documentation that describes where all RKH
> files will be installed?

No, not that I know of.

> Ideally I would like to build a CD with RKH
> installed on it, so that I could take a trusted CD to suspected systems
> and run it from CD without installing it on the system. Is this possible?

A couple of points here. First is that the installer is due to be looked at for the next release. Hopefully your bug above will be sorted out, as well as all those '-e' messages. Secondly, as far as I remember, running RKH 'standalone' is on the wishlist, so this type of problem may well be looked at in more detail at some point.

Having said that I think you may be able to do it anyway. The steps I did were:

1) Grab a copy of the latest RKH source and put it in to the directory you want to use (I just used /tmp). Unpack the tar.gz file and change directory to 'rkhunter-1.2.9/files'.

2) Type in:

    echo "INSTALLDIR=." >>rkhunter.conf
    mkdir -p ./lib/rkhunter/scripts
    cp *.pl ./lib/rkhunter/scripts

3) Then run RKH using:

    ./rkhunter --tmpdir . --dbdir . --configfile ./rkhunter.conf -c

I ran this (under Linux) and RKH ran through fine except for a load of MD5 hash errors. However, if you use an os.dat and defaulthashes.dat file from a known good system, and put them in to this directory, then your hashes should be okay.

Another problem is that if something is found you will usually want to record it in a log file, so you may want to use the '--createlogfile' option to create a log file somewhere.

John.
Re: [Rkhunter-users] Problem with MD5 hash on Fedora Core 5
On Sat, 2006-10-07 at 15:47 +0300, Nerijus Baliunas wrote:
> On Sat, 7 Oct 2006 10:46:37 +0200 Andy Esten <[EMAIL PROTECTED]> wrote:
>
> > Yesterday I received an update (2006100500) of the file defaulthashes.dat.
> > This file now contains hashes for Fedora Core 5. But almost every hash is
> > BAD. I know for sure my system is not compromised and the files are correct.
> >
> > Can somebody confirm that there are problems with the Fedora Core 5 hashes?
>
> Yes, I can confirm. I had about 40 bad hashes before, after update I have at
> least one more (wget), and a few messages "at least one of file's dependencies has
> changed since prelinking" for these files:
> /bin/date
> /bin/ls
> /usr/bin/wget
>
> Although I don't see anything wrong in /var/log/prelink.log.
> I wonder whether hashes I sent a week ago were incorporated.

Yes they were. However they were for FC5 x86_64, and the OP didn't say whether he used a 64 or 32-bit machine.

John.
Re: [Rkhunter-users] Problem with MD5 hash on Fedora Core 5
On Sat, 2006-10-07 at 10:46 +0200, Andy Esten wrote:
> Yesterday I received an update (2006100500) of the file defaulthashes.dat.
> This file now contains hashes for Fedora Core 5. But almost every hash is
> BAD. I know for sure my system is not compromised and the files are correct.
>
> Can somebody confirm that there are problems with the Fedora Core 5 hashes?
> What can I do to correct these false positives?

Download the hashupd.sh script from the sourceforge site. Then read this section of the README file:

=====
On RedHat/Fedora, it is necessary to carry out the following procedure:

1) If you are running SELinux then temporarily disable it by typing in 'setenforce 0';

   Note: If you are unsure whether you are running SELinux or not, then type in 'sestatus'. A line containing 'Current mode: enforcing' indicates that you are running SELinux. If it says 'permissive', then you are not currently running SELinux, and can ignore the steps about SELinux.

2) Run the daily prelink update script - to do this type in '/etc/cron.daily/prelink';

3) Run the hashupd.sh script to update your local hash values;

4) Run rkhunter;

5) If rkhunter still shows 'BAD' hash entries, then type in 'rm /etc/prelink.cache' and repeat the procedure from step 2.

   Note: Step 2 may now take some time to complete.

6) Re-enable SELinux, if you disabled it, by typing in 'setenforce 1'.

Hopefully rkhunter will now work without any problems with hash values.

For other Linux distributions you will need to determine if and how prelinking takes place, and whether SELinux is present or not. It is possible that the above sequence will work for other distributions, but it is for the user to check this.
=====

It may be that you need to leave SELinux disabled while RKH runs.

John.
[Rkhunter-users] Fedora MD5 hash problem
Hello,

I have looked into this problem and it seems to be an issue between prelink and SELinux. At this moment I cannot get prelink to verify a file unless I disable SELinux. The problem may have just started or it is intermittent. The FC5 hashes were previously added to RKH because both prelinking and SELinux worked fine in testing file hashes. This subsequently 'broke', and it seemed that disabling SELinux during rebuilding the prelink database solved that. Hence I updated the CVS README file to reflect this at the time. However, this latest problem seems irresolvable without disabling SELinux. We cannot, of course, get RKH to disable and enable SELinux as this could potentially leave a system vulnerable.

In investigating this problem I gather that the upcoming FC6 version of prelink works better with SELinux. I have built a pre-FC6 prelink command and that worked fine (with the FC5 still not working). I have, therefore, reported this to RedHat, asking that they backport the FC6 prelink to FC5. As far as I can determine other applications are also experiencing a problem with prelink/SELinux. So it is hopeful that RedHat will backport prelink.

As a workaround RKH users can use the '--disable-md5-check' (or '--dmc') option to disable the MD5 hash check.

Note: To disable SELinux you can either enter the 'setenforce 0' command to temporarily disable it. 'setenforce 1' will re-enable it. Or you can edit /etc/sysconfig/selinux and include the line 'SELINUX=permissive' (or 'SELINUX=disabled' to fully disable it). This will permanently disable SELinux once the system has been rebooted.

RedHat bug report: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209951

Regards,

John.
Re: [Rkhunter-users] Rkhunter-users Digest, Vol 5, Issue 9
On Sun, 2006-10-08 at 12:48 -0700, Mark Ness wrote:
> > Download the hashupd.sh script from the sourceforge site. Then read
> > this section of the README file:
> > =====
> > On RedHat/Fedora, it is necessary to carry out the following procedure:
> > 1) If you are running SELinux then temporarily disable it by typing
> > in 'setenforce 0'; Note: If you are unsure whether you are running
> > SELinux or not, then type in 'sestatus'. A line containing 'Current
> > mode: enforcing' indicates that you are running SELinux. If it says
> > 'permissive', then you are not currently running SELinux, and can
> > ignore the steps about SELinux. 2) Run the daily prelink update
> > script - to do this type in '/etc/cron.daily/prelink'; 3) Run the
> > hashupd.sh script to update your local hash values; 4) Run rkhunter;
> > 5) If rkhunter still shows 'BAD' hash entries, then type in
> > 'rm /etc/prelink.cache' and repeat the procedure from step 2. Note:
> > Step 2 may now take some time to complete. 6) Re-enable SELinux, if
> > you disabled it, by typing in 'setenforce 1'. Hopefully rkhunter
> > will now work without any problems with hash values. For other Linux
> > distributions you will need to determine if and how prelinking takes
> > place, and whether SELinux is present or not. It is possible that
> > the above sequence will work for other distributions, but it is for
> > the user to check this.
> > =====
> > It may be that you need to leave SELinux disabled while RKH runs. John.
>
> I tried this procedure and unfortunately it did not work. I went back
> and did the 'rm /etc/prelink.cache' and there was no
> '/etc/prelink.cache'.

Sorry, you are running FC5 and there was no prelinking cache? Is there one now? If so can you repeat the whole test please.

Thanks,

John.
Re: [Rkhunter-users] False Positives on RHEL3
On Wed, 2006-10-11 at 00:43 -0700, Bill Salak wrote:
> It appears chkconfig-1.3.13.4-0.3 and findutils-4.1.7-9.1 need to be added
> to the hash db. What a scary combination of false positives! This got my
> attention real quick when I saw it show up on one of my production hosting
> machines. Hope this helps...

What version of RKH are you running? And what version of RHEL3? I have just checked the supplied hashes of Taroon update 8 with 1.2.9, and they are up to date.

John.
Re: [Rkhunter-users] Bad MD5 for /bin/kill
On Sun, 2006-10-15 at 13:35 +0100, Enyo wrote:
> Looks like this is caused because /bin/kill is pre-linked. I assume
> RKHunter is not checking the pre-link MD5...
>
No, it does use prelink for the hash check. If it didn't then a lot of
people's checksums would always be wrong.

John.
Re: [Rkhunter-users] Exit codes for --versioncheck and --update
On Sun, 2006-10-15 at 20:44 +0100, Dogsbody wrote:
> ... it wasn't until 1.2.9 that I realised that this doesn't actually work
> because both --versioncheck and --update return 0 even if there is an update
> or an error.
>
> Please could this be fixed. Thank you.
>
Hi,

I've submitted this as a bug for you (number 159). Well spotted, and
thanks for reporting it to us. The update and versioncheck code is to be
looked at, so hopefully this will be fixed at that time.

John.
Re: [Rkhunter-users] Centos 4 not recognised (fixed)
On Mon, 2006-10-16 at 10:41 +0100, Dave R wrote:
> Rootkit Hunter 1.2.8 is running
>
Suggest you upgrade to 1.2.9 as well. (Your '--update' worked because
the data files are aware of Centos 4.)

John.
Re: [Rkhunter-users] Centos 4 not recognised (fixed)
On Mon, 2006-10-16 at 13:10 +0300, Nerijus Baliunas wrote:
> Hello,
>
> Could it be possible to remove non-working mirrors? We are getting such
> messages almost every day...
>
As far as I am aware they have been. Only sourceforge is the current
mirror to be used. You may need to manually run through 'rkhunter
--update' a few times till the sourceforge mirror is selected. Then it
should download the latest mirror file which only contains the
sourceforge mirror.

John.
[Rkhunter-users] Solaris users
Hello,

If anyone is running Rootkit Hunter on a Sun Solaris system, and it does
NOT have the bash shell installed as well, could they let me know please.
Email me directly, and let me know the Solaris version.

To test if you have bash installed simply type in 'bash --version'.
You'll either get an error or a couple of lines stating the bash shell
version.

Thanks,

John.
Re: [Rkhunter-users] modutils BAD files: depmod, insmod and modinfo
On Thu, 2006-10-19 at 06:40 +0000, alexander s wrote:
> I run Red Hat Linux 3.2.3-49...
>
?

> [08:22:10] /sbin/modinfo Hash NOT valid (My MD5:
> 230c86cb4dbd256bb1cd9b1e58483586, expected: d7eb96316ff82ff3313ba3aa1a877c01)
>
Those are the latest hash values for RHEL3 update 8. Run 'rpm -qV
--noscripts modutils' to verify the package. If it looks okay, then run
'rpm -q modutils' to see what version you have. The hash values were
taken from version 'modutils-2.4.25-14.EL'.

John.
Re: [Rkhunter-users] archives, root access & Apache
On Fri, 2006-10-20 at 15:52 +0200, Richard Rainsford wrote:
> being very new to this list,
>
Welcome :-)

> i just wanted to ask if there are searchable archives of this list?
>
Yes, go to the web site (http://sourceforge.net/projects/rkhunter) and
click on 'Mail'. There is a link to the archives there.

> I am looking to find out a way to, turn off this:
>
> Checking for allowed root login... Watch out Root login possible.
> Possible risk!
>
Edit your rkhunter.conf file (by default at /usr/local/etc/rkhunter.conf).
You'll see in it:

    #ALLOW_SSH_ROOT_USER=0

Uncomment this and change the 0 to a 1.

HOWEVER. The test is there for a reason. Make sure that you really do
want to allow root to log in directly via ssh, and that there is no
other way to achieve whatever it is you need root for. Check the
sshd_config man page for possible alternatives to letting root log in.

> Rootkit Hunter 1.2.8 is running
>
You may want to upgrade - 1.2.9 has been out for a little while now.

John.
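Before silencing the warning with ALLOW_SSH_ROOT_USER, it is worth seeing what sshd will actually do. The check below is an added example, not rkhunter's own test: it reads an sshd_config and reports the effective PermitRootLogin value. Two assumptions, which are sshd's documented behaviour for OpenSSH of this era rather than anything stated in the post: the first occurrence of a keyword wins, and a missing PermitRootLogin means "yes". The function names are my own.

```sh
# Added example, not part of rkhunter: what lies behind the "Root login
# possible" warning, applied to an sshd_config given as a file path.
# Assumptions (OpenSSH behaviour, not from the post): the first occurrence
# of a keyword wins, settings after a 'Match' block are conditional, and an
# absent PermitRootLogin means "yes".

# permit_root_login FILE: print the effective PermitRootLogin value.
permit_root_login() {
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # stop at the first Match block: anything below it is conditional
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# root_login_risk FILE: exit 0 when a direct root login with a password is
# possible (the condition the warning is about), 1 when root login is off
# or restricted to keys ("without-password" / "forced-commands-only").
root_login_risk() {
    case "$(permit_root_login "$1")" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Usage on a real host: 'root_login_risk /etc/ssh/sshd_config && echo "root password login is enabled"'. If that prints nothing, the rkhunter warning is about a setting you have already dealt with and whitelisting it is reasonable; if it does print, the sshd_config man page alternatives John mentions (key-only root, or no root login plus su/sudo) are the fix rather than the whitelist.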
Re: [Rkhunter-users] centos 4.4
On Mon, 2006-10-23 at 16:31 -0500, Benny Butler wrote:
> I have a machine that's running centos 4.4 x86_64, after installing it
> ALL of the files in /bin, /usr/bin and /sbin show up as bad.
>
> I freaked, went and downloaded a new RPM for coreutils. updated it,
> and thankfully, they still showed as bad. I trust the source of the
> RPM, so I'm pretty confident I haven't been hacked.
>
> Could it be choking on the 64bit issue?
>
No, there is currently a combined prelink and selinux problem. Try the
following (it applies to centos as well as redhat/fedora):

http://www.mail-archive.com/rkhunter-users@lists.sourceforge.net/msg00116.html

John.
Re: [Rkhunter-users] OpenSuSE 10.0 support (or lack of it)
On Mon, 2006-10-23 at 21:50 +0100, Ian wrote:
> Hi
> I am still getting the following message on my daily run of rkhunter:
>
> Rootkit Hunter 1.2.8 is running
>
Version 1.2.9 has been out for some time now.

> Determining OS... Unknown
> Warning: This operating system is not fully supported!
>
Can you log this on the RKH sourceforge web site please as a support
request. Include the output from 'uname -a', and the contents of
/etc/release or /etc/SuSE-release (if it exists). You may need to hunt
around /etc to find the relevant 'release' file.

John.
Re: [Rkhunter-users] BAD?
On Sun, 2006-10-22 at 16:02 -0400, Daniel McAlonan wrote:
> My last scan with 1.2.8 reported everything as [OK], what changed
> here?
>
See the message to the list I just sent (subject line 'centos 4.4').

> (and why was it killed?)
>
No idea. RKH doesn't use kill at all, so something else must have done
that.

John.
Re: [Rkhunter-users] Feature Request
On Sun, 2006-10-22 at 12:15 -0700, Jon wrote:
> Kindly requesting a feature to explicitly whitelist a known mount under
> /dev.
>
> We mount /tmp to /dev/tmpMnt via loop, without exec permissions.
>
Can you enter this as a feature request on the RKH sourceforge web site
please.

John.
Re: [Rkhunter-users] Warning pwd.lock
On Tue, 2006-10-24 at 15:10 +0100, Dr. Peter L R Smith wrote:
> Rkhunter gives me the following warning:
>
> /dev/.udev.tdb /usr/share/man/man1/..1.gz /etc/.pwd.lock
> ---
> Please inspect: /usr/share/man/man1/..1.gz (gzip compressed
> data, from Unix, max compression)
>
> Any ideas what this means and what I should do to rectify this.
>
On my FC5 system the file belongs to the bash package. Look in your
rkhunter.conf file, and you will see that it is already there but
commented out. Just uncomment it.

John.
Re: [Rkhunter-users] centos 4.4/FC4 prelink/selinux issue
On Tue, 2006-10-24 at 15:24 -0700, Mark Ness wrote:
> For me, on FC5, ever since I got prelink running I've been getting the bad
> hashes.
> I went through the procedure outlined in many recent posts:
> setenforce 0 > run prelink > run hashupd > got good hashes.
> setenforce 1, and the hashes are bad again. I followed through with the
> setenforce 0 > rm prelink.cache > run prelink > run hashupd > good hashes
> > setenforce 1 bad hashes. Is this indicative of the prelink and selinux
> problem you mention or am I supposed to get good hashes with selinux
> enabled after following that procedure?
>
> In other words, as long as I'm getting bad hashes with rkhunter cron.daily
> run (selinux enabled), should I be running rkhunter manually with
> setenforce 0 to verify the hashes? -or- Does this indicate a problem with
> my machine?
>
Ideally Fedora would release the selinux update that they say they have
prepared. However they have not done so yet, so you will get bad hashes
while the problem exists. If you want to modify your rkhunter script
until the selinux update then you can do so:

1) Edit rkhunter and locate the line 'PRELINKING=1'
2) Either before or after that line insert:

       PRELINKBINARY="runcon -t unconfined_t -- ${PRELINKBINARY}"

3) Save the file.

Then try running RKH.

John.
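Applying the three-step edit above by hand on a fleet is error-prone, so here is an added example (not code from the rkhunter project) that makes the same change to a copy of the rkhunter script: it inserts the exact line from the post after 'PRELINKING=1', refuses to add it twice, and runs 'sh -n' on the result so a slip does not leave you with a script that fails to parse on the next cron run. It assumes the script contains the line 'PRELINKING=1' exactly as John describes; the function name is mine.

```sh
# Added example, not from the rkhunter sources: apply the runcon workaround
# from the post to the rkhunter script idempotently and syntax-check the
# result.  Assumes the script has a line that is exactly 'PRELINKING=1'.

WORKAROUND='PRELINKBINARY="runcon -t unconfined_t -- ${PRELINKBINARY}"'

# add_runcon_workaround FILE: insert the workaround line after 'PRELINKING=1'
# unless it is already present.  Prints "added", "present" or "no-anchor".
add_runcon_workaround() {
    f=$1
    if grep -qF "$WORKAROUND" "$f"; then
        echo present
        return 0
    fi
    if ! grep -qx 'PRELINKING=1' "$f"; then
        echo no-anchor
        return 1
    fi
    # awk instead of 'sed -i': portable, and the rewrite is done on a copy
    # that only replaces the original once it is complete and parses.
    awk -v w="$WORKAROUND" '
        { print }
        $0 == "PRELINKING=1" && !done { print w; done = 1 }
    ' "$f" > "$f.tmp" \
        && sh -n "$f.tmp" \
        && mv "$f.tmp" "$f" \
        && echo added
}
```

Keep a note to revert the line once the Fedora selinux update John mentions arrives: 'runcon -t unconfined_t' deliberately runs prelink outside its SELinux confinement, which is only acceptable as a stopgap.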
Re: [Rkhunter-users] centos 4.4/FC4 prelink/selinux issue (John Horne)
On Wed, 2006-10-25 at 14:54 -0700, Mark Ness wrote:
> I can live with this. I just needed that clarification, and you have
> eased my mind quite a bit. I am also glad to hear there is a "fix" on
> the way. By the time it gets here, I may be running FC6 (and opening a
> new can of worms). ;)
>
FC6 seems to have the fixed selinux on it. A quick test on a work PC
shows that prelink works fine with selinux.

John.
[Rkhunter-users] Fedora Core 6
Hi,

It seems that FC6 does still have the selinux/prelink problem. So we're
still waiting on Fedora really.

I have submitted updates for RKH to support the O/S and file hashes,
although being a new release it is possible that files may change
quickly until the O/S settles down a bit. As such, RKH could report BAD
files; you'll need to run the hashupd.sh utility to keep up to date.

John.
[Rkhunter-users] BSD users
Hi,

If anyone is running any sort of BSD out there, could they have a look
and see if there is an /etc/release file, or any file in /etc of that
sort of name. And if one exists, could they just email me the contents
please. I can't really determine from the 'net whether such a file
exists or not, and I'm trying to sort out a problem in RKH.

Thanks,

John.
Re: [Rkhunter-users] MD5 hashes
On Fri, 2006-10-27 at 10:35 +0100, Al Fleming wrote:
> Hi,
> I've been running rkhunter 1.2.8 daily on an FC4 machine for several
> months.
> A couple of days ago I started seeing the following in the rkhunter.log:
> ...
I checked on our FC4 systems and there have been no updates pushed out
for some time. I would suggest verifying the relevant packages using
something like 'rpm -V --noscripts <package>'. You can find the package
name by doing 'rpm -qf <file>'.

John.
Re: [Rkhunter-users] Rkhunter on FC5
On Fri, 2006-10-27 at 11:48 +0100, Keith Duncan wrote:
> Can someone explain the difference between "Known bad" check for
> System tools and "Known Good" test?
>
Known bad checks the file's hash value against a database of known bad
values. The good check uses the database of hash values RKH provides, or
you generate yourself.

> Why should "/sbin/ip" have shown as being "[OK]" when testing as
> "known bad", then subsequently shown as being "[BAD]" for "known good"
> ??
>
It passes the known bad because it is not infected and giving a known
bad hash value. It fails the known good because the file has changed,
and hence the hash value has changed. So the known good comparison
fails. Check the package the file belongs to using 'rpm -V --noscripts
<package>'.

> Perhaps all these problems will "disappear" with FC6 ;-)
>
Nope. Hopefully the next version of RKH will make things a bit easier
though.

John.
Re: [Rkhunter-users] MD5 hashes
On Fri, 2006-10-27 at 13:10 +0100, Al Fleming wrote:
> Thanks John,
> I got all the package names from rkhunter.log and ran rpm -V --noscripts
> against them
> There were no problems reported.
> However, I had (probably stupidly!) already run hashupd.sh - I'm not
> sure what effect this would have.
>
If no problem was found then I would have said run hashupd.sh to update
your local hash database. RKH should then run with no problem.

John.
Re: [Rkhunter-users] MD5 hashes
On Fri, 2006-10-27 at 13:36 +0100, Al Fleming wrote:
> RKH now runs without any problems. I take it from your comments that
> running hashupd.sh before I checked the packages wasn't a problem.
>
No, you should be able to run it as often as you want. It shouldn't
cause any problems.

> ... any idea why RKH suddenly reported MD5 errors if the files in
> question had not been modified and the server hadn't been upgraded at
> all?
>
Not really, as said our FC4 system has had no updates and RKH reports no
problems with it. Since rpm verified the package I can only assume
something with the prelinking may have caused it. I did, however, think
that someone reported about a final update to FC4 a short while ago. If
that was true then that may have caused it, but doesn't explain why our
systems weren't affected. Odd I admit, but I would tend to go by the
'rpm -V' output.

John.
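The triage John recommends in this thread and in the modutils thread above ('rpm -qf' to find the package, then 'rpm -V --noscripts' and go by its output) is easy to script. The following is an added example, constructed for this page rather than taken from rkhunter or rpm: one function pulls the flagged paths out of rkhunter log lines of the form shown in the modutils message, another reads 'rpm -V' output and says whether rpm's own digest check agrees that the file content changed (a '5' in the flags column), or whether only metadata such as mtime differs, or the file is missing, or rpm is silent about it. The sample log and rpm lines in the test are constructed; the 'rpm -V' flag layout assumed is the standard one where a '5' in the first column means the MD5 digest differs.

```sh
# Added example (constructed, not rkhunter or rpm code): triage of
# "Hash NOT valid" reports against 'rpm -V'.

# bad_hash_files: read rkhunter log lines on stdin and print the paths of
# files flagged "Hash NOT valid", one per line.
bad_hash_files() {
    sed -n 's/^\[[0-9:]*\] \([^ ]*\) Hash NOT valid.*/\1/p'
}

# rpm_verify_digest PATH: read 'rpm -V' output on stdin and print one of
#   digest-changed - rpm shows a '5' for the file: its content differs
#   metadata-only  - rpm lists the file, but only size/mtime/mode-type flags
#   missing        - rpm reports the file as missing
#   verified       - rpm does not mention the file: it matches the package
rpm_verify_digest() {
    awk -v path="$1" '
        $NF == path {
            if ($1 == "missing")      res = "missing"
            else if (index($1, "5"))  res = "digest-changed"
            else if (res == "")       res = "metadata-only"
        }
        END { print (res == "" ? "verified" : res) }
    '
}

# triage_log LOGFILE: the real thing.  For each flagged file find the owning
# package with 'rpm -qf' and classify it from 'rpm -V --noscripts'.  Needs
# rpm, so it is not exercised offline.
triage_log() {
    bad_hash_files < "$1" | while read -r f; do
        if pkg=$(rpm -qf "$f" 2>/dev/null); then
            echo "$f ($pkg): $(rpm -V --noscripts "$pkg" | rpm_verify_digest "$f")"
        else
            echo "$f: not owned by any package"
        fi
    done
}
```

A file that comes back "verified" or "metadata-only" while rkhunter calls its hash bad is the prelink/SELinux situation discussed in the other threads, and hashupd.sh is the right next step. "digest-changed" on a binary you did not update is the case that deserves a closer look, and "not owned by any package" means rpm cannot vouch for the file at all.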
Re: [Rkhunter-users] Error when running hashupd.sh on Sol 10_x86
On Fri, 2006-10-27 at 15:17 -0500, Dennis Duffner wrote:
> I responded to John earlier with info that he wanted on Sol 10 boxes.
>
> However, when I tried to run hashupd.sh to eliminate the unknown
> system error, it got a syntax error at line 38 "perm=$ unexpected"
>
I would suspect a corrupt file. If you edit hashupd.sh and go to line
38, the next line down should start 'sum_md5() { case "$MUNGED" in 0'.
If, in your case, line 38 has become corrupt your next line would
probably be 'stat -c %a "$2"'. Can you check this please.

John.
Re: [Rkhunter-users] Files marked as BAD
On Tue, 2006-10-31 at 11:29 -0600, Benny Butler wrote:
> any chance of having what hashupd.sh does integrated into the parent
> program?
>
Yes, it's being worked on. However hashupd only really works for Linux,
so we need to get it to work with *nix as well.

John.
Re: [Rkhunter-users] Application Version Scan Diagnostic
On Tue, 2006-10-31 at 10:37 -0800, Fred Krogh wrote:
> First note that although a contact form is mentioned in the program
> output, and the RKHunter homepage, I was not able to find it.
>
That sounds like the old web site. You need to go to the new site on
sourceforge.

> Here are results of a scan on a Gentoo system, I have no reason to
> suspect the version numbers as being bad.
>
> * Application version scan
>    - GnuPG 1.4.5                                    [ Unknown ]
>
It just means it doesn't know if it is a bad version or not.

John.
Re: [Rkhunter-users] No forms to fill out
On Fri, 2006-11-03 at 15:50 -0600, Michael wrote:
> Please use the contact form (http://www.rootkit.nl/contact/) and fill in
> which operating system you're using (include system architecture!).
>
That's the old web site. RKH has moved to sourceforge now -
http://rkhunter.sourceforge.net/

If you have a problem with RKH either send it to this list, or submit it
to the tracker system (via the SF project page link).

John.
Re: [Rkhunter-users] some queries on hash checks
On Tue, 2006-11-07 at 00:01 +1100, Gordon wrote:
> Does the md5blacklist.dat mean some person has had to run a rootkit
> on a sandboxed or emulated etc system to get the hash (with a live cd)
> etc?
>
> In other words, how confident can we be, that if there are no false
> positives that the lack of hits on known bad hashes is a good sign?
> (Without forgetting all the other security checks we are advised to
> take)
>
I think the way to read the result is that RKH is simply saying that the
given file does not match a known bad MD5 hash value. That in itself is
good. However, the fact that the file could well have been infected by
something or just plain modified, is perfectly possible. You are
checking what the file "isn't" rather than what it is - i.e. you are
checking that it is not this hash value, rather than checking if the
hash value has changed.

The file hash check - the 'known good' check - will detect if the file
hash has changed. Hence, I would rather prefer to know that a file has
not changed than to know that it simply does not match a specific bad
hash value. I would also rather that both tests are run just to be extra
sure though :-)

John.
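The point John makes here, and in the earlier "/sbin/ip" exchange on FC5, is easiest to see with both tests run on the same file before and after a change. The block below is an added example and not rkhunter's code: a blacklist lookup ("known bad") and a recorded-hash comparison ("known good") on a constructed file, using md5sum. The database formats are assumptions of this example (plain "<md5>  <path>" lines), not the real layout of md5blacklist.dat or the RKH hash files, and the function names are mine.

```sh
# Added example, not rkhunter's own code: the two hash tests side by side.
# Database format assumed here: one "<md5>  <path>" entry per line (the
# blacklist needs only the md5); this is not rkhunter's real file layout.

md5_of() { md5sum "$1" | awk '{ print $1 }'; }

# known_bad FILE BLACKLIST: "BAD" if FILE's md5 appears in the blacklist,
# else "OK".  Passing only says "this is none of the listed bad hashes".
known_bad() {
    h=$(md5_of "$1")
    if grep -q "^$h" "$2"; then echo BAD; else echo OK; fi
}

# known_good FILE GOODDB: "OK" if the md5 equals the one recorded for that
# path, "BAD" if it differs, "UNKNOWN" if the path is not in the database.
# This is the test that notices any change at all, good or bad.
known_good() {
    h=$(md5_of "$1")
    rec=$(awk -v p="$1" '$2 == p { print $1; exit }' "$2")
    if [ -z "$rec" ]; then echo UNKNOWN
    elif [ "$rec" = "$h" ]; then echo OK
    else echo BAD; fi
}

# demo: a pristine "binary" with its good hash recorded, then the same path
# after its content changes.  Prints both results for both states.
demo() {
    d=$(mktemp -d)
    printf 'original program bytes\n' > "$d/ip"        # constructed file
    : > "$d/md5blacklist.dat"                            # constructed, empty
    printf '%s  %s\n' "$(md5_of "$d/ip")" "$d/ip" > "$d/good.dat"
    before="$(known_bad "$d/ip" "$d/md5blacklist.dat")/$(known_good "$d/ip" "$d/good.dat")"
    printf 'tampered program bytes\n' > "$d/ip"        # constructed change
    after="$(known_bad "$d/ip" "$d/md5blacklist.dat")/$(known_good "$d/ip" "$d/good.dat")"
    rm -rf "$d"
    echo "before=$before after=$after"
}
```

'demo' prints "before=OK/OK after=OK/BAD": the modified file still passes the blacklist check, because nobody has catalogued that particular hash, while the known-good check fails the moment the content differs from what was recorded. That is exactly the "/sbin/ip" result from the FC5 thread, and why the known-good database has to be refreshed (hashupd.sh) after every legitimate update, and only after verifying the package, so that a tampered file is not quietly recorded as the new good value.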
[Rkhunter-users] Version check problem?
Hi,

Is anyone else having problems with the version check? I'm getting the
following HTML output. I assume the problem is with sourceforge.

==========
rkhunter --versioncheck
http://rkhunter.sourceforge.net/rkhunter_latest.dat
Rootkit Hunter 1.2.9, copyright Michael Boelen

This version: 1.2.9
Latest version:
==========

If I run the version check again, it works fine. I've had this occur on
several servers today.

John.
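Two things reported on this page combine badly in a cron job: '--versioncheck' returns 0 whether or not an update exists (the exit-code bug Dogsbody reported, number 159), and, as this message shows, a sourceforge hiccup can leave "Latest version:" empty or full of HTML. The wrapper below is an added example, not rkhunter code: it derives a usable status from the text the tool prints. The parser works on captured output so it can be tested offline; the exit codes (0 current, 1 outdated, 2 malformed) and the function names are my own choice.

```sh
# Added example, not from rkhunter: a cron-side wrapper that turns the text
# of 'rkhunter --versioncheck' into a meaningful exit status.

# parse_versioncheck: read versioncheck output on stdin and print one word:
#   current   - "This version" equals "Latest version"
#   outdated  - both present and well-formed, but they differ
#   malformed - "Latest version" empty, missing, or not a version number
#               (for example when an HTML error page comes back instead)
parse_versioncheck() {
    awk -F': *' '
        /^This version:/   { this = $2 }
        /^Latest version:/ { latest = $2 }
        END {
            gsub(/[[:space:]]+$/, "", this)
            gsub(/[[:space:]]+$/, "", latest)
            if (this == "" || latest !~ /^[0-9]+(\.[0-9]+)*$/) print "malformed"
            else if (this == latest)                            print "current"
            else                                                print "outdated"
        }
    '
}

# versioncheck_status: run the real command and map the result to an exit
# code: 0 current, 1 outdated, 2 malformed or unreachable.  Not run offline.
versioncheck_status() {
    case "$(rkhunter --versioncheck 2>&1 | parse_versioncheck)" in
        current)  return 0 ;;
        outdated) return 1 ;;
        *)        return 2 ;;
    esac
}
```

In a cron job, treat exit code 2 as "retry later" rather than "up to date": John's message notes the check succeeds on a second run, so a single malformed answer is not worth an alert, but a day of them is.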
Re: [Rkhunter-users] OpenBSD problems
On Sat, 2006-11-11 at 23:37 +0800, Uwe Dippel wrote:
> > # rkhunter --checkall
> >
> > Rootkit Hunter 1.2.9 is running
> >
> > /usr/local/bin/rkhunter[5286]: [: -n: unexpected operator/operand
> > -n
> > Unknown
> > Warning: This operating system is not fully supported!
> > All MD5 checks will be skipped!
> >
> > Checking binaries
> > * Selftests
> > /usr/local/bin/rkhunter[5286]: [: -n: unexpected operator/operand
> > -n
> > [ OK ]
> >
> ... and so forth, on OpenBSD. It probably has to do with the ksh; though
> 1.2.8 was working properly.
>
Wow. It looks like your shell doesn't like the '-n' operator. I would
have thought it was pretty standard. Can you run a simple test for me
please? Using your default root shell just type in at the command line:

    if [ -n "abc" ]; then echo "ok"; fi

And let me know if it produces 'ok' or not.

> And obviously the md5-problem remains unsolved on OpenBSD:
> Warning: Cannot find md5_not_known was the daily warning with 1.2.8.
>
Hmm, well either you don't have an md5 type command on your system or it
isn't being detected. Can you send me a copy of your rkhunter.log
please.

John.
Re: [Rkhunter-users] Unkown application versions..
On Sun, 2006-11-12 at 20:36 +0000, Dick Gevers wrote:
> On Sun, 12 Nov 2006 20:02:12 +0100, Jacob Willig wrote about
> [Rkhunter-users] Unkown application versions..:
>
> > - OpenSSH 4.2p1                                   [ OK ]
>
> I got an even funnier log entry:
> Scanning OpenSSH...
> Application not found
>
> $ which ssh
> /usr/bin/ssh
>
The test looks for sshd, not ssh, since that is what will decide if
someone can access your system or not.

John.
Re: [Rkhunter-users] Unkown application versions..
On Sun, 2006-11-12 at 20:52 +0000, Dick Gevers wrote:
> On Sun, 12 Nov 2006 20:45:35 +0000, John Horne wrote about Re:
> [Rkhunter-users] Unkown application versions..:
>
> >On Sun, 2006-11-12 at 20:36 +0000, Dick Gevers wrote:
> >> On Sun, 12 Nov 2006 20:02:12 +0100, Jacob Willig wrote about
> >> [Rkhunter-users] Unkown application versions..:
> >>
> >> > - OpenSSH 4.2p1[ OK ]
> >>
> >> I got an even funnier log entry:
> >> Scanning OpenSSH...
> >> Application not found
> >>
> >> $ which ssh
> >> /usr/bin/ssh
> >>
> >The test looks for sshd, not ssh, since that is what will decide if
> >someone can access your system or not.
>
> Thanks for the answer. I had a suspicion it would be that, but then I think
> the log should show a bit different wording (for example "sshd not found").
>
> Just my 2 cents...
>
Yup, that's a fair point.

John.
Re: [Rkhunter-users] usage and picture server questions
On Sun, 2006-11-19 at 15:10 +1100, Gordon wrote:
>
> 1) Any chance after John updates hashupd he included a version number
> in the comments of the file itself?
>
The hashupd script has been incorporated into RKH itself (available in CVS
if you want to try it). For the next RKH release the hashupd script will be
redundant, as such hashupd is not being worked on anymore. The copy on
sourceforge is the latest version, the only exception being I have a
separate version for Solaris users.

John.
Re: [Rkhunter-users] Full scan result on Fedora 6
On Fri, 2006-11-17 at 21:52 +0200, Nerijus Baliunas wrote:
> Why have you posted these results here? Did anyone ask you?
>
I suspect it was posted because of this:

    Rootkit Hunter 1.2.9 is running
    Determining OS... Unknown
    Warning: This operating system is not fully supported!
    All MD5 checks will be skipped!

RKH supports FC6 (i386), so I suspect the user has an x86_64 system. If so
then please download the hashupd.sh script from our web site on sourceforge
(http://sourceforge.net/project/showfiles.php?group_id=155034). Run the
program. It should update your local database with your O/S name and the
file hash values. Then re-run rkhunter.

John.
Re: [Rkhunter-users] usage and picture server questions
On Mon, 2006-11-20 at 06:08 +1000, Michael Mansour wrote:
>
> Any ideas when the next version will be available?
>
No, lots to do yet :-)

John.
Re: [Rkhunter-users] Some questions for RKHunter newbie
On Thu, 2006-11-23 at 23:08 +0000, John wrote:
>
> I have just installed the latest RKHunter on openSuse 10.1.
>
No you haven't.

> Rootkit Hunter 1.2.8 is running
>
Version 1.2.9 is the latest. Check the sourceforge web site -
http://sourceforge.net/projects/rkhunter

John.
Re: [Rkhunter-users] Apache configuration absent but ...[ OK ]
On Sat, 2006-11-25 at 07:59 +0000, Dick Gevers wrote:
>
> From rkscan or *log:
>
> Application advisories
> * Application scan
>   Checking Apache2 modules ... [ Not found ]
>   Checking Apache configuration ... [ OK ]
>
> In rkhunter script line 4598 of v. 1.2.9 it says
> "   logtext --nodate "OK"
>
> but that's due to not finding /etc/apa*, I think.
>
No, wrong line. The above line relates to the modules check, you want line
4640 :-)

> However, since I do not have apache(2) installed at all, wouldn't "Not
> found" be a better displaystring?
>
Yes, point taken. Would you submit this as a bug on the sourceforge web page
please.

John.
Re: [Rkhunter-users] Reguarding bad hashes on RH based distros with SELinux enabled
On Thu, 2006-11-30 at 12:59 -0800, Mark Ness wrote:
> Not to sound impatient, but is there any word from RH devel about
> updates to fix this problem?
> I know you said before that Fedora was supposed to provide an update
> for selinux, and they either changed their minds or haven't gotten
> around to it yet (sorry I don't have the thread to quote but
> I'm sure you recall mentioning "something" along those lines).
>
The problem seems to have been fixed in FC6, but for FC5 it has been
released in selinux-policy-2.3.7-4.fc5. At present FC5 runs
selinux-policy-2.3.7-2.fc5, so it is probably still in updates-testing.

I have attached a small patch which you can apply to rkhunter 1.2.9 to see
if it helps.

John.

--- rkhunter.orig	2006-09-30 03:14:26.0 +0100
+++ rkhunter	2006-11-30 22:50:51.0 +
@@ -2367,7 +2367,7 @@
 for J in ${FILEHASHES}; do
 if [ "$PRELINKING" -eq "1" -a "$PRELINKFOUND" -eq "1" ]
 then
- PRELINKVERIFY=`${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst`
+ PRELINKVERIFY=`runcon -t unconfined_t -- ${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst 2>/dev/null`
 myhash=`${md5} ${TMPDIR}/prelink.tst | cut -d " " -f 1`
 else
 myhash=`${md5} ${file} | cut -d " " -f 1`
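Review bot: the added `+` line runs `runcon -t unconfined_t --` unconditionally and sends stderr to /dev/null, so on a host with no SELinux, no runcon binary, or a policy that refuses the unconfined_t transition the verify fails silently; the shell redirection still creates an empty ${TMPDIR}/prelink.tst, and the unchanged `myhash=` context line then hashes that empty file and compares it against the stored hash as if prelink had run. Suggest guarding the runcon form on runcon being present and SELinux being enforcing, falling back to the original `${PRELINKBINARY} --verify ${file}` otherwise, and sending stderr to the log rather than dropping it so a failed verify is visible in rkhunter.log. Also note that PRELINKVERIFY is assigned the command's stdout, which both versions redirect into prelink.tst, so the variable is always empty; if nothing reads it, the assignment can go.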
Re: [Rkhunter-users] (no subject)
On Wed, 2006-12-06 at 10:30 +1200, Hack was here wrote:
> i tried to run this command but it didn't do much.
>
> # /usr/sbin/prelink
> /usr/sbin/prelink: no files given and --all not used
>
> and when i run the scan, i still get the BAD link. Do i need to install
> something to fix this issue.
>
You may want to check why you are getting a 'BAD' entry first of all. Has
the file recently been updated for example? Perhaps through automatic
nightly updates? If you are using an rpm-based system, then perhaps using
something like 'rpm --verify' on the relevant package will confirm that the
file is okay. (Sorry, I haven't got the earlier messages, so I don't know
which file(s) are giving you the 'BAD' entries, so I can't be more
specific.)

If you have the bash shell available, then I would suggest downloading the
hashupd.sh script from the rkhunter sourceforge web site, and run that. It
will update your local os.dat file with the current hashes.

John.
Re: [Rkhunter-users] warnings but no problems reported
On Thu, 2006-11-30 at 14:19 -0700, JT Moree wrote:
>
> I have rkhunter running on a system where I get a warning email even
> though when I run the report nothing seems to be wrong.
>
[snipped]

> Running rkhunter updater... Thu, 30 Nov 2006 04:02:02 -0700
>
> Mirrorfile /var/rkhunter/db/mirrors.dat rotated
> Using mirror http://rkhunter.sourceforge.net
> [DB] Mirror file : Up to date
> [DB] MD5 hashes system binaries : ERROR
> Fatal error: no valid version tag in filename
>
Well, I would have said that this is the cause. You probably have a corrupt
file there. I would suggest deleting your defaulthashes.dat file and
downloading it again.

John.
Re: [Rkhunter-users] warnings but no problems reported
On Fri, 2006-12-08 at 11:57 -0700, JT Moree wrote:
> John Horne wrote:
> > On Thu, 2006-11-30 at 14:19 -0700, JT Moree wrote:
> >> I have rkhunter running on a system where I get a warning email even
> >> though when I run the report nothing seems to be wrong.
> >>
> > [snipped]
> >
> >> Running rkhunter updater... Thu, 30 Nov 2006 04:02:02 -0700
> >>
> >> Mirrorfile /var/rkhunter/db/mirrors.dat rotated
> >> Using mirror http://rkhunter.sourceforge.net
> >> [DB] Mirror file : Up to date
> >> [DB] MD5 hashes system binaries : ERROR
> >> Fatal error: no valid version tag in filename
> >>
> > Well, I would have said that this is the cause. You probably have a
> > corrupt file there. I would suggest deleting your defaulthashes.dat file
> > and downloading it again.
> >
> I copied defaulthashes.dat from a machine that does work but it still
> does the same thing.
>
Okay, but that should have sorted out the update problem. I suspect then
that your O/S genuinely isn't supported in the os.dat file, and hence you
would (still) get an email message. What O/S are you using?

If you are using a bash shell, then try downloading the hashupd.sh file from
the sourceforge web site and running that. It will update your local os.dat
file with your O/S and file hashes.

John.
Re: [Rkhunter-users] re running hashupd then not running --update
On Tue, 2006-12-12 at 23:59 +1100, Gordon wrote:
>
> Recently John wrote
> Yes. Run the hashupd.sh script but do not run rkhunter with the
> --update option again. It will mess up your local hashes. This has all been
> sorted out in the next release, but for the moment using hashupd.sh
> is the only way to get good hashes working.
>
> Question
>
> Until the rkh version is updated what is wrong with
> 1 running hashupd to get hash support for unsupported os
> 2 running rkh --update
> 3 redoing the hashupd?
>
Nothing wrong with that.

> Would this not ensure at some stage the other data files
> are up-to-date and just require an overwrite of the defaulthashes.dat file
> in /usr/local/rkhunter/lib/rkhunter/db?
>
Yes. The situation is confusing enough as it is, I just didn't want to
confuse things even more by suggesting running hashupd/rkh --update/hashupd.

John.
Re: [Rkhunter-users] RKH CVS tarball available: testers wanted
On Tue, 2006-12-12 at 10:21 +0000, Dick Gevers wrote:
>
> I wonder if it would be possible to add a warning that "--hashupd" should
> only be run when one is sure that the files to be hashed are safe and have
> been installed from a reliable source? Otherwise the whole exercise of
> running rkh could become ambiguous?
>
Good suggestion, it will be done.

John.
Re: [Rkhunter-users] RKH CVS tarball available: testers wanted
On Tue, 2006-12-12 at 10:21 +0000, Dick Gevers wrote:
>
> "rkhunter -c" gives:
> The language specified is not available: en
> Use the '--list languages' option to see the list of available languages.
>
Okay, you told the installer to install into /root/rkhtest, but the above
command isn't telling RKH where any of its files are located. If you have
anything in the rkhtest directory then delete it, and try this (as root):

1) ./installer.sh --install --layout custom /root/rkhtest
   (Note: the directory /root/rkhtest must exist before installation)
2) cd /root/rkhtest/var/rkhunter
3) mv i18n db
4) cd /root/rkhtest
5) ./bin/rkhunter --configfile etc/rkhunter.conf --dbdir var/rkhunter/db --tmpdir var/rkhunter/tmp --logfile ./rkhunter.log -c -sk

This now tells RKH where its config file, database directory, etc are
located (all in /root/rkhtest). Using 'rkhunter --help' will tell you what
options are available.

Note, references in the logfile to '-- hashupd' should of course be
'--hashupd'.

Step 3 is an installer bug. Oops.

John.
Re: [Rkhunter-users] system checks
On Fri, 2006-12-15 at 08:41 -0700, JT Moree wrote:
>
> Would it be possible to have the system checks run first since the
> hostname is printed in that section?
>
Changing the order of the tests is not easy. However, the next release by
default includes the hostname in the subject for the mail-on-warnings
setting. The log file also includes the hostname at the top (if a hostname
has been set).

John.
Re: [Rkhunter-users] noob here, should I be worried about these?
On Mon, 2006-12-18 at 15:18 -0500, Dimitri Yioulos wrote:
> On Monday 18 December 2006 3:10 pm, [EMAIL PROTECTED] wrote:
> > hey Im a noob to linux, Im using simply Mepis 6.0 and love it so much I
> > havent used windows again yet
> >
> >
> > someone on the mepislovers forum told me rkhunter was a command tool and I
> > got it working
> >
> > do I have to be worried about these?
> >
> >
> > rkhunter turned up these two
> >
> > * Filesystem checks
> >   Checking /dev for suspicious files...                 [ OK ]
> >   Scanning for hidden files...                          [ Warning! ]
> > ---
> > /etc/.java
> > /etc/.pwd.lock /dev/.udev
> > /dev/.static
> > ---
> > Please inspect: /etc/.java (directory) /dev/.udev (directory)
> > /dev/.static (directory)
> >
> > -
> > or this?
> > * Check: SSH
> >   Searching for sshd_config...
> >   Found /etc/ssh/sshd_config
> >   Checking for allowed root login... Watch out Root login possible.
> > Possible risk!
> > info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
> > Hint: See logfile for more information about this issue
> >   Checking for allowed protocols...                     [ Warning
> > (SSH v1 allowed) ]
> >
> >
> > P.S. I have a bit of a problem with a friend I had who's a genius cracker,
> > so I want to be secure as possible
> >
> > P.P.S. hope Im not bothering you, thanks for any help,
> >
> > -Eric: )
> >
>
> It's never a bother; we were all noobs once :-)
>
> About the first few lines having to do w/ java, I wouldn't worry about those.
> I believe those are files which rkhunter simply doesn't know about.
>
Look in the rkhunter.conf file, you can whitelist entries you are happy
with. (Look for ALLOWHIDDENDIR and ALLOWHIDDENFILE).

> As to the last, it is true that allowing root ssh access can be a security
> risk. To "fix" that, locate the file sshd_config. Use any text editor; find
> the line "PermitRootLogin". Change from yes to no and save the file. You're
> good to go.
>
Also disable protocol 1 support, it is insecure. To your sshd_config file
add 'Protocol 2' to the bottom, then restart sshd.

John.
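As an added example (not part of this thread and not rkhunter's own code), here is a POSIX sh checker for the two sshd_config findings above, PermitRootLogin and SSH protocol 1, run over constructed sample files. It also shows one caveat worth knowing when editing the file: sshd uses the first occurrence of a keyword, so appending 'Protocol 2' or 'PermitRootLogin no' at the bottom does nothing if an earlier line already sets that keyword. The function names sshd_option and check_sshd_config are mine, and an absent PermitRootLogin is treated as "yes" on the assumption that this was the OpenSSH default of the time.

```shell
#!/bin/sh
# Added example, not rkhunter's code: check an sshd_config for
# PermitRootLogin and SSH protocol 1, the two findings in the thread.

# sshd_option FILE KEYWORD
# Print KEYWORD's value the way sshd reads it: comments and blank lines are
# skipped, keywords are case-insensitive, and the FIRST occurrence wins
# (sshd_config(5): "the first obtained value will be used").
# The "Keyword=value" spelling is not handled here.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
# Assumption: an absent PermitRootLogin counts as "yes" (the OpenSSH default
# of that era). Protocol is flagged only when a "1" is explicitly listed.
check_sshd_config() {
    rc=0
    root=$(sshd_option "$1" PermitRootLogin)
    case "${root:-yes}" in
        no|without-password|forced-commands-only) ;;
        *) echo "Root login possible (PermitRootLogin ${root:-not set})"; rc=1 ;;
    esac
    proto=$(sshd_option "$1" Protocol)
    # Protocol is a comma list such as "2,1"; any "1" in it enables SSHv1.
    case ",$proto," in
        *,1,*) echo "SSH v1 allowed (Protocol $proto)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not taken from any real host).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak" <<'EOF'
# the situation rkhunter reported in the thread
Port 22
Protocol 2,1
PermitRootLogin yes
EOF
# Appending the fixes to the bottom does NOT override the earlier lines.
{ cat "$SAMPLES/weak"; printf 'PermitRootLogin no\nProtocol 2\n'; } > "$SAMPLES/appended"
cat > "$SAMPLES/hardened" <<'EOF'
# the original lines themselves changed (keyword case does not matter)
Port 22
Protocol 2
permitrootlogin no
EOF

for f in weak appended hardened; do
    echo "== $f =="
    check_sshd_config "$SAMPLES/$f" || echo "(warnings above)"
done
```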
Re: [Rkhunter-users] rkhunter CVS
On Mon, 2006-12-18 at 22:32 +0000, Colin J Thomson - G6AVK wrote:
>
> and I have this small error that I cannot work out when trying an
> rkhunter --update:
>
Er, no, I wouldn't do that :-) This is CVS, things have changed. You can run
and test the CVS version but don't try an update. Sorry, should have
mentioned that.

John.
Re: [Rkhunter-users] Suggestion and Thank You
On Tue, 2006-12-19 at 21:27 -0800, j hurley wrote:
>
> One suggestion. Your results presentation is excellent but if you
> could change the yellow hi-lighted text to red or some other color it
> may be better. I couldn't read it and it scrolled-by pretty quick.
>
Well we can't change it to red since that would indicate some serious error.
However, the next release has a 'second colour set' option. The red and
green should not be so bright, and the yellow is now a sort of purple (!).
The ansi colour set is limited to about 8 colours if I remember so there
wasn't much choice :-)

I should add that by default the current colour set (red/yellow/green) will
still be used, so users won't notice a difference unless they specify to use
the second colour set.

John.
Re: [Rkhunter-users] Fresh install FC6
On Fri, 2006-12-22 at 19:28 -0800, Mark Ness wrote:
> I just installed FC6 and ran RKH (1.2.9) and got no default hashes.
> [Performing 'known good' check...
> Info: Check skipped - no hashes available]
> I didn't know if the same rules applied as for FC5, but I tried
> #setenforce 0
> #/etc/crond.daily/prelink
> #./hashupd.sh
> and I check /usr/local/rkhunter/lib/rkhunter/db, and the os.dat gets
> updated but the defaulthashes.dat remains the original timestamp, and
> I still get 0 hashes checked.
>
> Also, RKH --update returns
> [Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
> Using mirror http://rkhunter.sourceforge.net
> [DB] Mirror file : Up to date
> [DB] MD5 hashes system binaries : Up to date
> [DB] Operating System information : ERROR
> Fatal error: no valid version tag in filename
>
There's the problem. With no os.dat data RKH cannot check the file hashes. I
would suggest you modify your os.dat file to make the first line something
like 'version=00', and then run 'rkhunter --update' to get the latest
version.

John.
Re: [Rkhunter-users] Solaris fingerprint DB ?
On Sun, 2006-12-24 at 02:36 -0500, Ricardo M. Stella wrote:
> I asked this long time ago but never got an answer...
>
> How about using the Solaris fingerprint Db ?
>
This sounds a reasonable idea to consider. Could you open a rkhunter tracker
ticket (on the sourceforge web site) about it. It won't then get missed :-)

John.
Re: [Rkhunter-users] RE FC6 fresh install. GOT IT :D
On Fri, 2006-12-29 at 12:07 -0800, Mark Ness wrote:
> >
> > Thanks for the followup. Good to hear you fixed it.
> >
> > If it was something in RKH, or running RKH, that did not conform to
> > your current ruleset and you think it's something we should look
> > at, could you please open a SF ticket and attach the related AVC
> > messages?
> > TIA
> Sorry to say I am not well enough versed in Linux to determine the
> exact cause myself.
>
> I discovered audit wasn't installed. The first cron.daily run after
> installing audit returned a mess of denials for prelink. I would have
> thought this should be allowed by default and that I should not have
> to run the autorelabel to get prelink to work. The problem is I don't
> know if it was a problem with SELinux and prelink or a problem with
> my installation/configuration.
>
> Any help you can give me so that I can help you would be appreciated.
> Otherwise I guess it will have to wait...
>
Hi,

From what you described I would say that the 'problem' was to do with your
specific system. In particular an SElinux problem. The prelink command, and
hence RKH, may well have had problems accessing certain files and as such
RKH was simply showing that a problem existed. The problem though was not
with (or within) RKH.

You should not have to autorelabel a system unless you have some SElinux
problem with it. (Even then it is a bit drastic since it works on the entire
file system.) I cannot say what the problem was, but I guess it is possible
that the initial installation didn't complete successfully or had some
problem causing SElinux to fail.

John.
Re: [Rkhunter-users] Update as a cronjob
On Wed, 2007-01-03 at 09:41 +0100, Andreas Fassl wrote:
> Hello,
>
> when I try to update rkhunter via cronjob everything's fine.
> The option --quiet doesn't remove the output, the adding of --cronjob
> leads into
> # rkhunter --update --cronjob
>
Yup, already fixed in the next release. The use of '--quiet' assumes that
the user will check the return code of RKH to determine if there was a
problem or not. (Again, this doesn't work too well with the current version,
but works better at least for the next release.)

Additionally, in your case using --update and --cronjob together, the
'--update' will be performed first to ensure the latest files are being
used. The current release does it the wrong way round - the system check
first and then it updates the files.

John.
Re: [Rkhunter-users] rkhunter update
On Thu, 2007-01-04 at 14:47 -0600, Andy Alt wrote:
> I downloaded rkhunter from CVS last week. Seems to be working just fine,
>
Hurrah! :-)

> but when I do an update it fails a version check for backdoorports.dat
>
> What other info can I provide to remedy this?
>
Hmm, there was a hiccup with the '.dat' files versioning a short while ago,
so the problem might be nothing. However, the CVS version will by default
create a log file (rkhunter.log). So, either look in there to see what the
problem was, or send it to me and I'll take a peek.

John.
Re: [Rkhunter-users] rkhunter update
On Thu, 2007-01-04 at 16:11 -0600, Andy Alt wrote:
> [14:45:35] Info: Executing download command '/usr/bin/wget -q -O
> /var/rkhunter/tmp/rkhunter.upd.jHUK2O
> http://rkhunter.sourceforge.net/backdoorports.dat.ver'
> [14:45:35] Warning: Checking file backdoorports.dat [ Version
> check failed ]
>
Okay, there's the problem :-) Previous versions of RKH did not check if
there was an update for the backdoorports file. (In fact it had no version
number and was not in the download area.) The CVS version now checks for an
update, but, as mentioned, the file was not in the download area. It should
now work okay. I have put a version in the download area.

Unfortunately because RKH supports several download commands (wget, lynx
etc), and some do or do not return an error code, which may vary for each
command, all that RKH can really do is say if the download worked or not.
Hence, it says the version check failed but cannot say exactly why.

John.
Re: [Rkhunter-users] Issue with mirror file on sourceforge
On Thu, 2007-01-04 at 16:38 -0600, Dennis Duffner wrote:
>
> There appears to be an issue with the mirror file on sourceforge. I
> ran the --update function and got something but an stdin error -
> unexpected end of file - appeared at the end of the transfer. All
> other files came down properly.
>
I have just checked the file on sourceforge and it looks fine:

{john}28: cat mirrors.dat
version=2006121200
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net

John.
Re: [Rkhunter-users] os.dat and defaulthashes.dat not installing
On Fri, 2007-01-05 at 09:53 -0600, Andy Alt wrote:
> Again, I'm using a CVS version from about a week ago. Can you put a CVS
> release version number in so a person can report exactly which cvs
> version he or she is using?
>
Sorry, but you are mixing this up. The CVS version does not use os.dat or defaulthashes.dat at all. They are not needed anymore. The changelog file does mention this.

Secondly, the cvs installer will use /var (can't remember if it is /var/lib/ or /var/rkhunter) by default for the data files. The old version used /usr/local. If you are using cvs and want to maintain your existing RKH, then I would suggest installing the cvs version entirely in a separate directory (that is all the dat files, rkhunter command, config file, etc). Otherwise you will end up with one config file and the new and old RKH trying to use it. That will cause problems.

Finally, the '.dat' files that remained have an incompatibility between version 1.2.9 and the cvs version. So again, trying to mix them will cause problems.

John.
Re: [Rkhunter-users] os.dat and defaulthashes.dat not installing
On Fri, 2007-01-05 at 20:58 -0600, Andy Alt wrote:
>
> I'll be sure to read more of the docs before I ask questions on the
> list. I typically only read ChangeLogs if I'm upgrading a program that
> I've already installed. Only been using rkhunter for a week. Friend of
> mine told me I should check it out. Doesn't seem to detect a
> passwordless login though. I've one set up for my 5 year old nephew.
> /var/log/rkhunter.log shows it's checking for passwordless user accounts,
> but no warning is issued, and no mention is made of it in rkhunter.log
>
Okay, that's interesting. I haven't looked at that part of the code in any detail. However, I suspect that only root passwordless accounts are checked. We should probably at least log a warning for any passwordless account.

Thanks.

John.
Re: [Rkhunter-users] CentOS release 4.4 (Final)
On Tue, 2007-01-09 at 09:31 -0500, Dimitri Yioulos wrote:
>
> Let's help the developers out and let them spend their valuable time coding
> rather than constantly answering the same questions - search the list
> archive!
>
:-) Many thanks for that. I have to admit that I tend not to answer these types of questions now because the subject has been discussed a lot and, as you say, it is all in the archives. It is always a good idea to try and resolve problems yourselves, and searching the mailing list archives to see if the same problem has already been discussed is a good start.

We are hoping the next release of rkhunter will ease this problem of hash values suddenly changing, and it is something that we have already to a large extent coded in the cvs version. There are some aspects of the hash test which we are still debating, but once we have resolved them hopefully we will be closer to getting that all elusive next release out to you people :-)

John.
Re: [Rkhunter-users] Running Processes
On Fri, 2007-01-12 at 17:16 +0100, Daniel Wolpert wrote:
>
> Testing running processes... [ Skipped ]
>
> I do not have to activate a switch found these. Someone can help me
> further?
>
The test will be skipped if you do not have the 'lsof' command on your system.

John.
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 07:27 -0600, Mike Blezien wrote:
> After reading through the FAQ's, found and corrected the problem :) Had to
> resync the prelink as outlined in the FAQ's.
>
Hmm, we need to go through the FAQ again. Prelinking is no verification of a file's integrity. As such I would run 'rpm -Vf /bin/more' to ensure that the file and its package are correct (no output indicates that it is okay). Although it can, and has been, argued that even that does not *guarantee* that the file is genuine! It is for you to satisfy yourself that the file/package is valid; RKH can only indicate that something has changed.

John.
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 10:38 -0600, Mike Blezien wrote:
> Hello John,
>
> after running the following:
> -
> $> rpm -Vf /bin/more
> # OUTPUT
> .M../bin/mount
> .M../bin/umount
> .M../usr/bin/chfn
> .M../usr/bin/chsh
> .M../usr/bin/newgrp
> .M../usr/bin/write
> -
> so I assume all is ok here.
>
I would say not. The 'M' indicates that the files' mode has changed. From an RHEL4 system I get:

# ls -l /bin/mount /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write
-rwsr-xr-x  1 root root  84232 May 24  2006 /bin/mount
-rwsr-xr-x  1 root root  54412 May 24  2006 /bin/umount
-rws--x--x  1 root root  17708 May 24  2006 /usr/bin/chfn
-rws--x--x  1 root root  18392 May 24  2006 /usr/bin/chsh
-rws--x--x  1 root root   7700 May 24  2006 /usr/bin/newgrp
-rwxr-sr-x  1 root tty   10124 May 24  2006 /usr/bin/write

Can you do the same to see if the output is the same (in particular the permissions and ownership) please.

> I followed the instruction from the FAQ's regarding this prelink problem,
> which seems to have solved the issue earlier noted with the following steps:
>
Yes, I cannot argue against what you have done since it is in the FAQ. However, perhaps the FAQ should point out that running prelink (or /etc/cron.daily/prelink) 'gets around' this error message. It does not verify that the files have not been corrupted in some way. Running 'rpm -V', as your output shows, indicates that some files, albeit that /bin/more is not included!, have indeed changed. Whilst prelinking may well cause the MD5 checksum to change ('rpm -V' shows this as a '5' and was the main reason for adding the prelink section to the FAQ), the fact that the files' mode has changed is more serious. Prelinking wouldn't have caused that change, but running prelink prevents the error from appearing again (or until something else changes).

John.
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 11:10 -0600, Mike Blezien wrote:
> here is the output:
>
> -rwxr-xr-x  1 root root  84232 May 24  2006 /bin/mount*
> -rwxr-xr-x  1 root root  54412 May 24  2006 /bin/umount*
> -rwx--x--x  1 root root  17708 May 24  2006 /usr/bin/chfn*
> -rwx--x--x  1 root root  18392 May 24  2006 /usr/bin/chsh*
> -rwx--x--x  1 root root   7700 May 24  2006 /usr/bin/newgrp*
> -rwxr-xr-x  1 root tty   10124 May 24  2006 /usr/bin/write*
>
Quick glance seems to indicate that your files have lost the suid bit ('rws'); guid for the 'write' command ('r-s'). No idea why.

John.
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 11:24 -0600, Mike Blezien wrote:
>
> Ok, I see that know. We do run this on a Cpanel/WebHost Mgr system. Not sure
> that would make a difference.
>
This is the problem - why have they changed? Neither I nor RKH can answer that. Perhaps other files have changed as well (you would need to run 'rpm -Va' for that and then go through the output to see if the changed files (usually config files) are known to you).

> What is the specific chmod commands to reset suid bits, isn't
> something like "chmod 4755" or similar ?
>
Personally I would reinstall the whole package (util-linux I think - 'rpm -qf /bin/more' will tell you the name), and then re-verify it. Yes, 4755 will reset the suid bit. 2755 for the guid bit on the write command.

Note though that reinstalling or resetting the suid/guid bits may cause the problem to happen again. cpanel/whatever may change the bits again.

John.
Re: [Rkhunter-users] question about file's dependencies
On Sat, 2007-01-13 at 17:04 +, John Horne wrote:
> On Sat, 2007-01-13 at 10:38 -0600, Mike Blezien wrote:
> > Hello John,
> >
> > after running the following:
> > -
> > $> rpm -Vf /bin/more
> > # OUTPUT
> > .M../bin/mount
> > .M../bin/umount
> > .M../usr/bin/chfn
> > .M../usr/bin/chsh
> > .M../usr/bin/newgrp
> > .M../usr/bin/write
> > -
> > so I assume all is ok here.
> >
It may be worth pointing out something here before anyone says anything. The question could be asked, why did RKH find a change with /bin/more, but nothing with /bin/mount, /bin/umount etc?

RKH version 1.2.9 checks the files' MD5 hash values. In the case of /bin/more that had changed; probably by prelinking since running prelink solved that. However, the above 'rpm -V' command shows that the above files have indeed changed but not their hash value (this would be indicated by a '5'). Other tests check if the files have had their permissions changed to '777', or have been replaced by a shell script.

The next release of RKH goes a bit further and performs better testing. It will detect all the above problems. For each file checked, the uid/gid, permissions, dtm, inode and hash value are checked. A check if the 'other' permission has become writeable is done (hence 'rwxr-xrwx' is detected, whereas 1.2.9 does not do this), and a check if the file type is a 'script' is done - hence replacements by perl/awk/whatever scripts are detected (1.2.9 only checks for shell scripts). Next release will also use SHA1 hash checking by default, but this is configurable to MD5 or any other hash function the user has available (sha512, etc).

Okay, back to the coding I guess... :-)

John.
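The checks described in this thread (the rpm -V 'M' and '5' flags, lost suid/sgid bits, and the per-file uid/gid, permission, hash, writable-'other' and script-replacement tests planned for the next release) can be put together in one small checker. The script below is an added example written for this archive, not rkhunter's own code nor the project's. It assumes GNU coreutils (stat -c and sha1sum), a POSIX /bin/sh, watched files that are compiled binaries, and a baseline line format path|mode|owner|group|sha1 that is my own invention and not rkhunter's.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. For each watched file, compare
# owner, group, permission mode and SHA1 hash against a recorded baseline,
# and additionally flag a lost suid/sgid bit, an 'other' permission that
# has become writable, and a binary replaced by an interpreter script.
# Assumes GNU coreutils (stat -c, sha1sum) and paths without spaces or '|'.

# Print "mode owner group sha1" for one file, e.g. "4755 root root <hash>".
file_props() {
    printf '%s %s\n' "$(stat -c '%a %U %G' "$1")" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Record one baseline line "path|mode|owner|group|sha1" for a file.
baseline_line() {
    set -- "$1" $(file_props "$1")
    printf '%s|%s|%s|%s|%s\n' "$1" "$2" "$3" "$4" "$5"
}

# True if the file begins with "#!", i.e. it is now an interpreter script.
is_script() { [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; }

# Compare one file with its baseline line. Prints "OK" or a space-separated
# list of findings such as "MODE SUID_LOST" or "HASH SCRIPT".
check_file() {
    rest=$1
    path=${rest%%|*};    rest=${rest#*|}
    b_mode=${rest%%|*};  rest=${rest#*|}
    b_owner=${rest%%|*}; rest=${rest#*|}
    b_group=${rest%%|*}; b_hash=${rest#*|}
    if [ ! -e "$path" ]; then echo "MISSING"; return 0; fi
    set -- $(file_props "$path")
    c_mode=$1; c_owner=$2; c_group=$3; c_hash=$4
    findings=""
    [ "$c_owner" = "$b_owner" ] || findings="$findings UID"
    [ "$c_group" = "$b_group" ] || findings="$findings GID"
    if [ "$c_mode" != "$b_mode" ]; then
        # rpm -V reports this as 'M'; rkhunter 1.2.9 does not notice it at all.
        findings="$findings MODE"
        # stat -c %a prints e.g. 4755 or 755: thousands digit = special bits
        # (4 suid, 2 sgid), last digit = 'other' permissions (2 = write).
        b_s=$(( b_mode / 1000 )); c_s=$(( c_mode / 1000 ))
        b_o=$(( b_mode % 10 ));   c_o=$(( c_mode % 10 ))
        if [ $(( b_s & 4 )) -ne 0 ] && [ $(( c_s & 4 )) -eq 0 ]; then findings="$findings SUID_LOST"; fi
        if [ $(( b_s & 2 )) -ne 0 ] && [ $(( c_s & 2 )) -eq 0 ]; then findings="$findings SGID_LOST"; fi
        if [ $(( c_o & 2 )) -ne 0 ] && [ $(( b_o & 2 )) -eq 0 ]; then findings="$findings WORLD_WRITABLE"; fi
    fi
    # A changed hash is what 1.2.9 catches; rpm -V reports it as '5'.
    [ "$c_hash" = "$b_hash" ] || findings="$findings HASH"
    # The watched files are compiled binaries, so a script here is a replacement.
    if is_script "$path"; then findings="$findings SCRIPT"; fi
    if [ -z "$findings" ]; then echo "OK"; else echo "${findings# }"; fi
}

# Check every file listed in a baseline file, printing "path: result" per file.
check_baseline() {
    while IFS= read -r line; do
        printf '%s: %s\n' "${line%%|*}" "$(check_file "$line")"
    done < "$1"
}
```

To use it, generate the baseline once from a known-good system (for example `for f in /bin/mount /bin/umount /usr/bin/chfn; do baseline_line "$f"; done > baseline.dat`, run as root so that owners are read correctly) and then run `check_baseline baseline.dat` from cron. A mode change is reported separately from a hash change so that a lost suid bit, which prelinking never causes, is not lost among the expected prelink hash churn.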
Re: [Rkhunter-users] External Database
On Sun, 2007-01-14 at 13:35 -0700, Korthrun wrote:
>
> No, I haven't tried this yet. Is there a certain naming scheme or the
> like? I have my list (gentoo.dat) in the default db directory, and
> rkhunter doesn't seem to pick up on it. Do I need to call it
> defaulthashes3.dat, or is it that rkhunter will read all *.dat files
> if --dbdir is specified?
>
The dbdir option only specifies the directory name. You will need to copy all the RKH '.dat' files in to there. Then copy your hash file over the defaulthashes.dat file. Running --update may give problems though unless you have a version line in the file as the first line. Also ensure that your O/S name in the os.dat has the same index number as that in your defaulthashes.dat file (this is what ties the O/S to the hashes).

Next release, all users will have to create their own hash file (there is a cli option to do this). There is no point in us (RKH maintainers) trying to keep a list of hashes of all O/S variations. It is, obviously, better that each system has and maintains its own file of hashes.

John.
Re: [Rkhunter-users] Updating grep breaks RKHunter?
On Sun, 2007-01-14 at 09:57 -0600, Chris wrote:
> I saw this in my cronjob output folder this morning.
>
> Cron <[EMAIL PROTECTED]> /usr/local/bin/rkhunter --cronjob --createlogfile -c
> Date: Sun Jan 14 05:00:00 2007
> From: Cron Daemon <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
> No logfile given: using default.
> /usr/local/bin/rkhunter: line 3239: syntax error near unexpected token `('
> /usr/local/bin/rkhunter: line 3239: `        if [ -z "`echo ${WHITEPROC} | egrep \"${lproc}( |$)\"`" ]; then'
>
Interesting. Can you tell me your O/S please (preferably a copy of the /etc/release file. You may have to hunt for this file in /etc).

Ah, sudden thought. If your 'egrep' is actually grep then that would cause a problem. grep doesn't understand about parentheses.

John.
Re: [Rkhunter-users] rkhunter error msg
On Thu, 2007-01-18 at 08:08 -0500, Robert Davenport wrote:
> I'm not sure to do about this.
> Where can I learn more?
>
Read the FAQ on the web site. (Basically you will need to download and run the hashupd.sh utility to resolve the problem.)

What O/S are you running?

John.
Re: [Rkhunter-users] FC6 / haldaemon tripping rkhunter
On Sun, 2007-01-21 at 10:56 -0800, Jim Miller wrote:
>
> * one throws an info message about my allowing root logins with SSH
> (I've set ALLOW_SSH_ROOT_USER = 1 in the config file) and reports
> this in the cron e-mail
>
If there are spaces around the '=' then it would cause a problem.

> * the same machine complains / warns about the presence of a
> passwordless account for haldaemon
>
The /etc/shadow file should just have '!!' for the haldaemon. It is just one of those system accounts that cannot be logged in to. If you have anything else for the password then you may want to verify the hal rpm (rpm -V hal).

John.
Re: [Rkhunter-users] FC6 / haldaemon tripping rkhunter
On Sun, 2007-01-21 at 13:41 -0800, Jim Miller wrote:
> On Jan 21, 2007, at 12:00 PM, John Horne wrote:
>
> >>
> >> * the same machine complains / warns about the presence of a
> >> passwordless account for haldaemon
> >>
> > The /etc/shadow file should just have '!!' for the haldaemon. It is
> > just one of those system accounts that cannot be logged in to. If you have
> > anything else for the password then you may want to verify the hal rpm
> > (rpm -V hal).
>
> Bingo -- the '!!' was missing from /etc/shadow. I put it in manually,
> and the messages are no longer produced. Thanks much!
>
Okay, but the question then is why weren't they there before? Did 'rpm -V hal' show anything (if all is okay then there will be no output).

John.
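The distinction in this thread (an empty /etc/shadow password field versus a '!!' or '*' lock) is the whole of the passwordless-account check, and the earlier thread in this archive noted that rkhunter 1.2.9 appears to warn only for root. The script below is an added example, not rkhunter's code: it classifies the password field of shadow(5) entries and lists every passwordless account. It assumes awk and a POSIX /bin/sh; the sample entries are constructed for the example and are not from any real system.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: classify the password field of
# shadow(5) entries and report every passwordless account, not only root.
# Assumes awk and a POSIX /bin/sh. Sample data below is constructed.

# Classify one password field:
#   ""             -> passwordless: login succeeds with an empty password
#   "!", "!!", "*" -> locked: no hash can ever match ('!!' is what the hal
#                     rpm installs for haldaemon, as discussed above)
#   anything else  -> hashed: a normal hash (or possibly a corrupt one)
shadow_field_status() {
    case "$1" in
        "")        echo passwordless ;;
        "!"*|"*"*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# Read shadow-format lines on stdin and print "user status" for each.
# IFS=: keeps empty fields, so "messagebus::..." yields an empty password.
shadow_report() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_field_status "$pw")"
    done
}

# Print only the accounts that warrant a warning, one per line.
passwordless_accounts() {
    shadow_report | awk '$2 == "passwordless" { print $1 }'
}

# Constructed sample: root hashed, haldaemon locked as the rpm installs it,
# a system account whose '!!' has gone missing, a user account set up with
# no password, and a '*'-locked account.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:13500:0:99999:7:::
haldaemon:!!:13500:0:99999:7:::
messagebus::13500:0:99999:7:::
nephew::13500:0:99999:7:::
sshd:*:13500:0:99999:7:::
EOF
}
```

On a real system the check is `passwordless_accounts < /etc/shadow` run as root; any account it prints, system or user, deserves a warning, and for a system account such as haldaemon the follow-up is the `rpm -V hal` verification John suggests.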
Re: [Rkhunter-users] CRON warning
On Tue, 2007-01-23 at 07:45 +, steve wrote:
> Hello,
> Can anyone tell me what this means, the SME e-mail server gives this
> error regularly
>
> /etc/cron.daily/01-rkhunter:
>
> Line:
> [ Warning ]
> -
>
> Found warnings:
>
> -
>
I suspect it's a bug in the code. It thinks that there has been a warning, but cannot find it in the log file. It is possible that some sort of 'warning' did occur but was not flagged as such - hence you get the above.

I would suggest looking through your log file to see what may have happened. (Default location is /var/log/rkhunter.log). Perhaps running rkhunter interactively will show what went wrong too (just use 'rkhunter -c -sk').

John.
Re: [Rkhunter-users] CRON warning
On Tue, 2007-01-23 at 19:02 +, Dick Gevers wrote:
> On Tue, 23 Jan 2007 10:37:48 +0000, John Horne wrote about Re:
> [Rkhunter-users] CRON warning:
>
> >On Tue, 2007-01-23 at 07:45 +, steve wrote:
> >> Hello,
> >> Can anyone tell me what this means, the SME e-mail server gives this
> >> error regularly
> >>
> >> /etc/cron.daily/01-rkhunter:
> >>
> >> Line:
> >> [ Warning ]
> >> -
> >>
> >> Found warnings:
> >>
> >> -
> >>
> >I suspect it's a bug in the code. It thinks that there has been a
> >warning, but cannot find it in the log file. It is possible that some
> >sort of 'warning' did occur but was not flagged as such - hence you get
> >the above.
> >
> >I would suggest looking through your log file to see what may have
> >happened. (Default location is /var/log/rkhunter.log). Perhaps running
> >rkhunter interactively will show want went wrong too (just use 'rkhunter
> >-c -sk').
> >
> >John.
>
> Or could it ph be generated by 'logcheck' package or similar?
>
No, the lines you have shown come from the rkhunter 1.2.8 code. I would however, and I should have mentioned this before, upgrade to version 1.2.9. This has been out for some time, and version 1.2.8 is not supported any more. Latest RKH version can be found on the sourceforge web site:

http://www.sourceforge.net/projects/rkhunter

John.
Re: [Rkhunter-users] Recommend Cron
On Tue, 2007-01-23 at 18:20 -0600, Mike Blezien wrote:
>
> how often is it recommended to run the Rkhunter daily checks, via crons? We
> currently run ours twice a day. Is this OK or is once a day OK?
>
Good question! However, it depends a bit on what you mean by 'daily checks'. If you mean the '--versioncheck' or '--update' options, then I run these once a day. I think running them any more often will just be a waste of resources.

For the system checks (the '-c' option), this is really going to depend on your server (or whatever it is you are running RKH on), and how paranoid you feel! For myself I run RKH once every hour on about 15 or so servers. It is tied in with some other of our own in-house security checks, and the whole lot is monitored by a monitoring system. So I can easily see if something has happened. It could be argued, why don't we run RKH say every half-hour, or every 15 minutes even? Personally, if something happens to one of my systems, then I want to know as soon as possible. However I feel that running RKH too often may start to impact on the system load - some of these servers are already quite loaded. Hence I feel that running RKH once per hour is about right - for me and the servers I run it on.

I would say that running RKH less than once per day might not be a good idea. The main point being that if someone has broken in to one of your systems, then ideally you want to know about it as soon as possible. The longer they have to 'play' before you notice anything then the more damage they can do to your system, your site, and any other site that they may be able to contact. Running RKH more than once per day is better, so long as it doesn't impact on the service your servers are providing. How often to run RKH though is something you will have to experiment with and judge for yourself.

John.
Re: [Rkhunter-users] Recommend Cron
On Tue, 2007-01-23 at 20:04 -0600, Mike Blezien wrote:
>
> Thanks for the information. We will be running the rkhunter cronjob -c check
> twice a day for awhile and see what happens. We have been running it for
> quite some time once a day with no problems and always good reports on a RHEL 4
> along with our Firewall and Mod Security and few other security tools, we have been
> hacker-free now for about 4yrs :)
>
Ah, bold words! :-) If you are happy with running RKH twice a day then that is fine. If you can run it more often then so much the better, but that will be for you to experiment with.

> We have been running the --update & --versioncheck once a day always.
>
I should have added that, as far as I remember, it is possible to run the 'update' option with the '-c' option. The next release will handle this better, allowing the user to run '-c', along with '--update' and/or '--versioncheck'. However, I do not personally do this. I would rather run the system checks very frequently, and the other options much less frequently.

John.
Re: [Rkhunter-users] file /var/lib/rkhunter/db/os.dat not found (rkhunter 1.2.9)
On Mon, 2007-02-05 at 10:57 +0200, Yakov Lerner wrote:
> Right after installation, I am getting following error:
> $ /usr/local/bin/rkhunter -c
> Rootkit Hunter 1.2.9 is running
> Determining OS... cat: /var/lib/rkhunter/db/os.dat: No such file or
> directory
>
> ls -l /var/lib/rkhunter/db/os.dat
> ls: /var/lib/rkhunter/db/os.dat: No such file or directory
>
> locate os.dat
> /usr/local/rkhunter/lib/rkhunter/db/os.dat
>
> Hmmm ? Why was os.dat installed into /usr/local/rkhunter/lib/rkhunter/db,
> but rkhunter looks for it in /var/lib/rkhunter/db?
>
RKH will look for the os.dat file because of your rkhunter.conf file. Can you run 'locate rkhunter.conf'. In the file there *may* be a line beginning 'DBDIR='. If there is and it specifies the '/var/lib/rkhunter/db' directory, then comment out the line.

John.
Re: [Rkhunter-users] unusual files found
On Mon, 2007-02-05 at 17:55 +1300, Michael Doerner - TechnologyWise wrote:
>
> rkhunter --version
> Rootkit Hunter 1.2.9
>
> but problem is the same:
>
> * Filesystem checks
>    Checking /dev for suspicious files... [ Warning!
> (unusual files found) ]
> -
> Unusual files:
> : ASCII text
> -
>
I'm going to take a guess here that the problem will be with the 'file' command. RKH is cutting the output somewhere and accidentally removing the file name. That would explain the ': ascii text' bit.

When you submit the tracker, please include your O/S name and version.

John.
Re: [Rkhunter-users] rkhunter-1.2.9-1 on EL4 (CentOS 4.4)
On Fri, 2007-02-09 at 17:28 -0500, Phil Schaffner wrote:
>
> Duhhh, OK. A bit dense today I guess:
>
> # rkhunter -c
>
> Rootkit Hunter 1.2.9 is running
>
> Determining OS... cat: /var/rkhunter/db: Is a directory
>
I'm going to jump in here a bit. Next release RKH won't even start if there is a configuration file problem, if you specify a directory instead of a file, etc. So the above is already 'fixed in next release'.

> #
> # All lines beginning with a dash (#) or empty lines, will be ignored.
>
This is from a pre-1.2.9 configuration file.

> [EMAIL PROTECTED] etc]# grep DBDIR rkhunter.conf~
> #DBDIR=/var/rkhunter/db
> DBDIR=/var/rkhunter/db
> [EMAIL PROTECTED] etc]# grep TMPDIR rkhunter.conf~
> #TMPDIR=/var/rkhunter/tmp
> TMPDIR=/var/rkhunter/tmp
>
> The problems seem to have come from the redundant definitions of
> TMPDIR=/var/rkhunter/tmp and DBDIR=/var/rkhunter/db I introduced when
> customizing it to function like my previous version. Seems like the
> duplicate definitions should be harmless, but apparently they are not.
> Sorry for the confusion, but perhaps there is a bug in there somewhere.
>
What does 'grep DBDIR rkhunter.conf' show? If you really do have duplicate definitions in there, then yes that is a bug. Again though, 'fixed in next release'.

John.
Re: [Rkhunter-users] fresh FC6 with last updates
On Fri, 2007-02-09 at 15:42 -0800, Tyler Evans wrote:
> I have similar problems with rkhunter's latest version and fedora.
>
> eg. wget shows a bad md5 sum on a fedora core 5 box, and the prelink /
> hashupd solution outlined in the FAQ will not fix it.
>
Did you disable selinux before running prelink/hashupd? (And re-enable it again afterwards.)

John.
Re: [Rkhunter-users] wrong warning message
On Mon, 2007-02-12 at 10:32 +0100, François Patte wrote:
> Every time I install new packages on my FC 6 box, when rkhunter is run
> after that, I get a warning message and I can read in the rkh daily run
> mail:
>
> << Rootkit Hunter found some bad or unknown hashes. This can be happen
> due replaced binaries or updated packages (which give other hashes). Be
> sure your hashes are fully updated (rkhunter --update). If you're in
> doubt about these hashes, contact the author (fill in the contact form). >>
>
> There is no use running "rkhunter --update" to solve the problem! The proper
> program to run is hashupd.
>
Yes, you are right. I'm afraid that situation arose because of the prelinking problems we had with rkhunter, which in turn led to the creation of the hashupd.sh script. We have corrected the messages for the next release.

Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                 Fax: +44 (0)1752 233839
Re: [Rkhunter-users] Running hashupd.sh script
On Mon, 2007-02-12 at 10:32 -0800, russbucket wrote:
> I'm trying to run the hashupd.sh script on SUSE 10.2 with the following
> command as su root: rkhunter --update; hashupd.sh. The update runs but the
> hashupd gives me an error that it cannot find the command. I copied the script
> to /usr/share/rkhunter/scripts but I still get the error. The command was
> found in an email from this list.
>
> Where should the script be placed? I gave it the same permissions as the
> other scripts in the above directory.
>
> Error message: bash: hashupd.sh: command not found.
>
Hello,

You need to either:

1) put the hashupd.sh script into a directory which is in your PATH. Run 'echo $PATH' (as root) to see which directories are in your path. Then run hashupd.sh as before.

2) change to the directory containing the script and then use './hashupd.sh' - note the './' at the beginning.

John.

-- 
---
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                 Fax: +44 (0)1752 233839
Re: [Rkhunter-users] syslog remote logging detection
On Tue, 2007-02-27 at 01:45 +0100, [EMAIL PROTECTED] wrote:
> Hello JJ,
>
> On Mon, 26 Feb 2007 21:39:37 +0100 John Fitzgerald
> <[EMAIL PROTECTED]> wrote:
> >A quick heads-up/note/question regarding syslog remote logging
> >detection
> >with rkhunter.
>
> >ps -auwwx | grep syslogd
> >
> >to find out if syslogd is running with the -f parameter pointing
> >to another syslog.conf file which might have remote logging
> specified.
>
This is probably a bit more of a general problem. The xinetd check should maybe also check to see if xinetd has started with the '-f' option? At present I have modified my local RKH to allow users to specify the xinetd configuration file pathname in the RKH config file. This may be a better solution since it avoids determining the 'ps' options to use for differing O/S's ('ps -auwwx' won't work on Solaris).

Secondly, if the sysadmin is deliberately starting xinetd/syslogd with a non-default config file pathname, then they should modify the RKH config file accordingly.

Thirdly, other software we might want to check may use some other option than '-f', so we then get into the 'if software = ... do this; else if software = ... do that' etc. situation. Along with point 1 above ('ps' options), it starts to get a bit messy.

That's my thinking anyway :-)

John.

-- 
---
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                 Fax: +44 (0)1752 233839
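As an added example (not rkhunter's own code; the syslogd command line, the syslog.conf contents and the host names are constructed), here is what the two approaches discussed above look like in POSIX sh: the syslog.conf pathname is taken from an explicit admin setting, as John suggests for xinetd, with a fallback that picks the '-f <file>' argument off a syslogd command line, and the chosen file is then scanned for remote logging destinations.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: check for remote syslog logging
# without parsing 'ps' output. The syslog.conf pathname comes from an
# admin setting (John's preferred approach) or, failing that, from
# '-f <file>' on the syslogd command line.

# Constructed sample syslogd command line (what 'ps' or /proc would show).
SAMPLE_CMDLINE='/sbin/syslogd -m 0 -f /etc/syslog-remote.conf'

# Constructed sample syslog.conf in a temp file; one remote line is commented out.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Local file plus central loghost.
*.info;mail.none        /var/log/messages
#*.*                    @commented-out.example.com
auth.*                  @@10.0.0.5:514
*.emerg                 @loghost.example.com
EOF

# Print the config file syslogd uses: the explicit setting ($1) if set,
# else the word following '-f' on the command line ($2), else the default.
syslog_conf_path() {
    configured=$1
    cmdline=$2
    if [ -n "$configured" ]; then
        printf '%s\n' "$configured"
        return 0
    fi
    prev=
    for word in $cmdline; do
        if [ "$prev" = "-f" ]; then
            printf '%s\n' "$word"
            return 0
        fi
        prev=$word
    done
    printf '%s\n' /etc/syslog.conf
}

# Print remote destinations (@host UDP, @@host TCP) from a syslog.conf: the
# action is the last field; comments are skipped. Status 0 if any found,
# 1 if none, 2 if the file is unreadable.
remote_log_targets() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '!/^[ \t]*#/ && NF >= 2 && $NF ~ /^@/ { print $NF }' "$conf" | grep .
}

# Tie the two together the way a check would, preferring the explicit setting.
remote_log_targets "$(syslog_conf_path "$SAMPLE_CONF" "$SAMPLE_CMDLINE")"
```

Run on a real host, the sample values would be replaced by the configured pathname and the live command line; anything the function prints is a remote logging destination worth confirming against what the sysadmin intended.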
[Rkhunter-users] Rkhunter update failures
Hello,

As per the recent messages regarding update failures, it seems that sourceforge are still having some problems. All my servers have suddenly got a load of update errors:

[:

From the sourceforge website, it seems they are still having a problem and are working to resolve it. The RKH '--versioncheck' option will likewise give an error message:

Can't fetch latest version number.

John.

-- 
---
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                 Fax: +44 (0)1752 233839