Comments
Announce: Rootkit Hunter mailing list
by unSpawn - Jan 25th 2006 14:48:20
I would like to announce that Rootkit Hunter now has a mailing list on
SourceForge. If you run RKH please go to
http://lists.sourceforge.net/mailman/listinfo/rkhunter-users to add
yourself to the list to be able to ask questions, discuss topics related to
RKH, drop requests or even help out with RKH.
Cheers, unSpawn
MD5 check fails on fedora core 3 file
by fedo2 - Sep 20th 2005 00:58:20
Hi,
I have a server with Fedora Core 3. Recently I updated the
e2fsprogs-1.38-0.FC3.1 rpm package and now Rkhunter returns an MD5 error
for the /usr/bin/lsattr file, which is included in that package. Is it a false
negative?
Thanks.
Here is the rkhunter 1.2.7 log:
Rootkit Hunter 1.2.7 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ BAD ] <---- MD5 fails
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
-------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
-------------------------------------------------
problem with Hash tests on Suse
by Andreas Fuchs - Jun 7th 2005 06:02:20
Hi, rkhunter is not doing the hash tests on my system:
Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
.
.
[14:20:02] ---------------------------- System checks ----------------------------
[14:20:02] Info: kernel is 2.6
[14:20:02] Info: Found /etc/SuSE-release
[14:20:02] Info: Full OS name = SuSE Linux 9.2 (i586)
[14:20:02] Info: OS ID = 163
[14:20:02] Info: Using /usr/bin/md5sum to verify MD5 hashes
[14:20:02] Info: /usr/bin/md5sum found
[14:20:02] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[14:20:02] Info: UID is zero (root)
[14:20:02] Info: Perl version 5.8.5 found
[14:20:02] Info: Digest::MD5 installed (version 2.33).
[14:20:02] Info: Using Perl Digest::MD5 module instead of /usr/bin/md5sum
[14:20:02] Info: Digest::SHA1 installed (version 2.10).
[14:20:02] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
[14:20:02] ---------------------------- File checks -----------------------------
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
[14:20:02] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
[14:20:02] ------------------------------ Selftests ------------------------------
[14:20:02] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
[14:20:02] Strings selftest: scanning for string /usr/lib/.../ls... OK
.
.
all OK
.
.
[14:20:03] ---------------------------- MD5 hash tests ---------------------------
[14:20:03] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[14:20:09] ------------------------------ Rootkits ------------------------------
That's all it shows.
If I run the .pl manually I get:
/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl /bin/ps
f9d313f205a74e710baa3c3702caa145
Any ideas what's wrong?
strange update issue.
by pr4shant - May 23rd 2005 05:19:45
Hey
A very strange issue here. I've tried to update Rootkit Hunter from 1.2.5
to 1.2.6.
Now after the update, when I try rkhunter --update, I get this:
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://mirror11.mirror.rkhunter.org
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Update available
Action: Database updated (current version: 2005050600, new version 2005051900)
[DB] Operating System information : Update available
Action: Database updated (current version: 2005050700, new version 2005052200)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date
But if I try rkhunter --update again, I get the same message; it seems like
the MD5 hashes system binaries DB and the Operating System information DB are
not getting updated.
The MD5 hashes DB always shows 2005050600 as the current version although the
latest is quite a bit higher, but it doesn't seem to be getting updated.
Same goes for the OS information: the current version is 2005050700 and the new
version is 2005052200, but it is not getting updated.
Any ideas?
Thanks,
Prashant
Re: strange update issue.
by M. Boelen - May 24th 2005 23:37:19
This is solved in release version 1.2.7
Knoppix 3.8.1 on HDD with rootkit hunter
by Scout - May 2nd 2005 23:59:58
Hi all and Knoppix users,
I've tested Rootkit Hunter on Knoppix 3.8.1 ...
If Knoppix 3.8.1 is installed on a hard disk...
rootkit hunter runs well!
(I've tested it with version 1.2.3)
Great thanks to the developers
greetings
Scout
Email Alert to send more info
by GraFX - Apr 1st 2005 05:05:54
Can the email alert be made to send the full info, not just that there is a
possible problem?
-- Regards,
Valics Lehel
http://www.grafxsoftware.com
Re: Email Alert to send more info
by M. Boelen - Apr 6th 2005 01:57:43
> Can the email alert be made to send the full
> info, not just that there is a possible problem?
It's already on my ToDo list. If you have more questions, please ask them
at the official website.
Errormessage /usr/local/bin/rkhunter: line 3853: [: too many arguments
by lukewill - Mar 19th 2005 05:53:21
I have updated from 1.2.1 to 1.2.2.
The scan shows this message while checking: Checking for passwordless user
accounts... /usr/local/bin/rkhunter: line 3853: [: too many arguments
My system is Linux (SuSE 9.0) 2.4.21.
greetings
Re: Errormessage /usr/local/bin/rkhunter: line 3853: [: too many arguments
by M. Boelen - Mar 19th 2005 10:39:14
> I have updated from 1.2.1 to 1.2.2.
>
> The scan shows this message while
> checking: Checking for passwordless user
> accounts... /usr/local/bin/rkhunter:
> line 3853: [: too many arguments
>
> My system is Linux (SuSE 9.0) 2.4.21.
>
> greetings
A known problem. Will be solved in the next release.
rootkit hunter for firewalls
by Scout - Feb 1st 2005 10:32:59
Very cool tool!!!
...and so I've tested it for e.g. Smoothwall Express 2.0
I think all firewalls must include this!!!
What's the script update_server.sh in ../rkhunter/files/tools ?
by Scout - Aug 16th 2004 16:04:47
Question: ...for an autoupdate?
Re: What's the script update_server.sh in ../rkhunter/files/tools ?
by M. Boelen - Aug 17th 2004 02:42:37
> Question: ...for an autoupdate?
Please ask all your questions by mail and I will answer them ;-)
SuSE and the .directory ...
by Scout - Aug 16th 2004 16:02:03
This is the content of e.g. /etc/.directory in SuSE 8.2:
[URL properties]
IconSize=0
message by V.1.1.4
by Scout - Aug 16th 2004 15:59:32
/bin/ls Hash NOT valid (My MD5: 7c745f9f3e2c1c7197935ad5c754a76d, expected: c2d9c431223bd234a7ff0215a220c88b)
/usr/sbin/xinetd Hash NOT valid (My MD5: fc92bab32f8ce804916f631ee3aefee3, expected: 80f0315e74aa4f2c37524c1f1854e855)
??? HELP !!!
Re: message by V.1.1.4
by A.Bune - Mar 29th 2005 06:26:55
Here is what the FAQ says:
http://www.rootkit.nl/articles/rootkit_hunter_faq.html
8. Q: Although Rootkit Hunter tells me my binaries do have the correct
hashes (=OK), the logfile shows a lot of incorrect items. How is that
possible?
A: Because the main program is a shell script, a lot of small utilities
are used to read the database (in fact a CSV-like file). The output you
see in the logfile is debug information and contains a lot of extra
information. Because every line of the hash database will be read and
compared with the real hash of the binary, there will be some good and bad
hashes for one single binary (because of the multiple versions of a single
binary). Every line will be available in the logfile too, so if a hash
DOESN'T match the binary, it will log this too. If ONE of the
multiple hashes matches, you don't have to worry about the 'failed' lines.
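The following is an added illustration of the FAQ answer above, and of the /usr/bin/lsattr failure reported earlier in this thread after an e2fsprogs update. It is example code written for this page, not one of rkhunter's own scripts (those are shell and Perl), and it does not reproduce rkhunter's real database layout: the "path:md5" lines and the byte strings standing in for binaries are constructed. It shows the logic the FAQ describes: every database line for a path is compared, each non-matching line is logged as a "NOT valid" debug line, and the file is OK as long as one line matches. It also shows why an updated package trips the check until the database carries the new build's hash.

```python
import hashlib

# Constructed stand-ins for binaries: the bytes an old and a new build of
# lsattr might contain. Real binaries are not needed to show the logic.
OLD_LSATTR = b"\x7fELF lsattr e2fsprogs-1.36 (constructed)"
NEW_LSATTR = b"\x7fELF lsattr e2fsprogs-1.38 (constructed)"
CAT = b"\x7fELF cat coreutils (constructed)"


def md5_hex(data: bytes) -> str:
    # MD5 is what rkhunter 1.2.x compared against. It is fine for spotting an
    # unexpected change against a trusted database, but it is not collision
    # resistant, so a match is not proof of integrity against an adversary who
    # can choose both inputs.
    return hashlib.md5(data).hexdigest()


def load_db(text: str) -> dict:
    """Parse constructed 'path:md5' lines into {path: [md5, ...]}.

    Several lines per path are normal: one per known package version."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, digest = line.rpartition(":")
        if not sep:
            continue  # malformed line: skip it rather than guess
        db.setdefault(path, []).append(digest.strip().lower())
    return db


def check_file(path: str, data: bytes, db: dict):
    """Compare the MD5 of data with every database line for path.

    Returns (status, debug_lines). status is 'OK' if any line matches, 'BAD'
    if lines exist but none match, and 'UNKNOWN' if the path is not in the
    database. The debug lines mirror what the FAQ says the logfile shows:
    one line per database entry, including 'NOT valid' lines for the other
    known versions of the same binary."""
    actual = md5_hex(data)
    expected = db.get(path, [])
    if not expected:
        return "UNKNOWN", [f"{path}: not in hash database"]
    debug, matched = [], False
    for digest in expected:
        if digest == actual:
            matched = True
            debug.append(f"{path} Hash valid (My MD5: {actual})")
        else:
            debug.append(f"{path} Hash NOT valid (My MD5: {actual}, expected: {digest})")
    return ("OK" if matched else "BAD"), debug


def scan(files: dict, db_text: str) -> dict:
    """Run check_file over {path: bytes} and return {path: status}."""
    db = load_db(db_text)
    return {path: check_file(path, data, db)[0] for path, data in files.items()}


# Database as shipped before the e2fsprogs update: only the old lsattr build.
DB_BEFORE_UPDATE = "\n".join([
    "# constructed sample database, path:md5",
    f"/usr/bin/lsattr:{md5_hex(OLD_LSATTR)}",
    f"/bin/cat:{md5_hex(CAT)}",
])

# Database after an update has picked up the new package: both builds listed.
DB_AFTER_UPDATE = DB_BEFORE_UPDATE + f"\n/usr/bin/lsattr:{md5_hex(NEW_LSATTR)}"

# The "system" being scanned: new lsattr, unchanged cat, and a file the
# database knows nothing about.
SYSTEM = {
    "/usr/bin/lsattr": NEW_LSATTR,
    "/bin/cat": CAT,
    "/bin/ls": b"\x7fELF ls (constructed)",
}

if __name__ == "__main__":
    for label, db_text in (("before update", DB_BEFORE_UPDATE),
                           ("after update", DB_AFTER_UPDATE)):
        print(f"--- database {label} ---")
        db = load_db(db_text)
        for path, data in SYSTEM.items():
            status, debug = check_file(path, data, db)
            print(f"{path:20} [ {status} ]")
            for line in debug:
                print("    " + line)
```

Running it prints lsattr as BAD against the old database and OK once the new build's hash is present, with one "NOT valid" debug line for the old build in the second pass, which is exactly the harmless "failed" line the FAQ talks about. Two practical checks go with this on a real system: on an RPM-based host, `rpm -Vf /usr/bin/lsattr` verifies the file against the package manager's own record, which is independent of rkhunter's database and settles whether a mismatch is just a package update; and the "Info: prelinked files found" line in the earlier log matters, because prelinking rewrites the on-disk binary, so a plain MD5 of the file no longer equals the package's hash and a checker must either hash the un-prelinked image or carry the prelinked hash in its database to avoid the same kind of false alarm.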
run check_update.sh in V1.1.4 - get the following message:
by Scout - Aug 16th 2004 15:57:24
I'm testing the script check_update.sh and get the following message:
Usage ./check_update.sh <path/to/rkhunter.conf> <path/to/mirrors.dat> </path/to/dbdir> </path/to/md5>
Help!
rkhunter in a firewall eg smoothwall ?
by Scout - Aug 15th 2004 06:22:50
Who knows about implementation in a firewall?
E.g. Smoothwall Express 2.0
(Info about the Smoothwall firewall... go to smoothwall.org)
Re: rkhunter in a firewall eg smoothwall ?
by M. Boelen - Aug 15th 2004 23:35:18
> Who knows about implementation in a
> firewall?
> E.g. Smoothwall Express 2.0
>
> (Info about the Smoothwall firewall... go to
> smoothwall.org)
Already spoken by e-mail. See the website for the contact form when you want to
ask a new question.
Why does option --versioncheck not function rightly in V. 1.1.4 ?
by Scout - Aug 15th 2004 06:15:00
And the command rkhunter --versioncheck answers me: new version 1.1.4 with
installed version 1.1.4?!
But I have seen that the newer 1.1.5 version is on your server.
???
the script with name *update.sh in V.1.1.4 ?
by Scout - Aug 15th 2004 06:11:45
What does the script named *update.sh do?
REPORT rkhunter V.1.0 rc3 update to 1.1.4
by Scout - Aug 15th 2004 06:10:24
After install and first scan with the new rkhunter version 1.1.4 on a SuSE 8.2
system:
1.a.)
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/bin/.directory
I think it's a (or the) problem in SuSE with the hidden .directory
files.
SuSE writes this file every time, also on a FAT32 partition or on a floppy
disk.
1.b.)
* Application version scan
- GnuPG 1.2.2-rc1-SuSE [ Unknown ]
- Procmail MTA 3.15.1 [ Unknown ]
- OpenSSH version [ Unknown ]
I don't know what's the matter?!
Who knows this problem / any answers?!
Thanks
Works Quite Well - Really Cool!!!
by inky7836 - Aug 1st 2004 08:53:34
This is well written, works very well, simple to use, load and setup, and
really gives one a sense of comfort to see all of the checks come up OK.
I had some SSH problems and had no idea until I ran this great program.
Some folks using SuSE set it up with a cron job to run the checks each
day. I highly recommend this app.
Cool!
by Jason Wallwork - Apr 27th 2004 18:55:03
This is a handy app and is simple to install and use. No compiling is needed.
I disagree with a previous commenter who said it'd be better if it only stated
problems found. I get a lot of comfort from seeing those [OK]'s.
Really great program
by Gooserider - Apr 4th 2004 22:37:35
A very nice program, it appears to do exactly what it says, and I feel it
provides useful reassurance that a system hasn't been compromised.
The only minor nits are:
1. It would be nice if there was a summary at the end saying just what
problems (if any) or that no problems had been found rather than having to
scan back through the output. A really slick setup might classify the
severity of the problems and spit out a chunk of text suggesting how
'scared' you should be and what should be done for each level of problem
found.
2. Something that only RMS and friends would care about, is that the
standard output of the program (rkhunter -c) doesn't spit out any info
about the program being GPL'd, w/o warranty, etc. Neither do the help or
version screens. I could be wrong but my interpretation of the GPL is that
it's supposed to. (There is a copy of the GPL "LICENCE" file in
the install package) This isn't a big deal to me, but some folks might
care.
Gooserider
-- This signature intentionally left blank.
Solaris problem
by Radu - Feb 14th 2005 05:59:58
Hi,
No way to install it on Solaris 8; the output is here:
./installer.sh: print: not found
Rootkit Hunter installer 1.1.9 (Copyright 2003-2004, Michael Boelen)
---------------
Starting installation/update
Checking UID...
OK
Checking /usr/local...
-e OK
Checking file retrieval tools...
/usr/local/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...
-e Created
- Checking /usr/local/rkhunter/etc...
-e Created
- Checking /usr/local/rkhunter/bin...
-e Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...
-e Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...
-e Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...
-e Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...
-e Created
- Checking /usr/local/etc...
-e Exists
Checking system settings...
- Perl...
-e OK
Installing files...
Installing Perl module checker...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database updater...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Portscanner...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing MD5 Digest generator...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing SHA1 Digest generator...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Directory viewer...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database Backdoor ports...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database Update mirrors...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database Operating Systems...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database Program versions...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database Program versions...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database Default file hashes...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Database MD5 blacklisted files...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Changelog...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Readme and FAQ...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing Wishlist and TODO...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Installing RK Hunter configuration file...
Skipped (no overwrite)
Installing RK Hunter binary...
./installer.sh: ~/.rkhunter.log: cannot create
-e Failed
Configuration already updated.
-e Install Failed
Check ~/.rkhunter.log
Regards,
Radu
Re: Solaris problem
by Radu - Feb 14th 2005 07:21:49
> ./installer.sh: ~/.rkhunter.log: cannot
> create
Solution: in Solaris ~root does not make sense, so writing to the
~/.rkhunter.log file was impossible.
I replaced it by /tmp/.rkhunter.log in the installer.sh script and
everything works fine now.
Radu