Hello all,

Just like I posted 'hashupd' at the time, I release 'suspscan' to this list in the hope it could help and in turn you all could lend a hand turning this PoC into something qualitatively better. I consider the status to be an "unofficial goodie" for the benefit of those that are subscribed to this list.

About
Suspscan ("suspicious files scanner") is a small Bash script which scans a directory for file contents that could indicate a potential problem. The script only needs basic GNU/Linux tools like bash, egrep, file, strings. Nothing fancy.

License
While not marked as such it's definitely GPLv2.

Big fat warning
Suspscan is not a substitute for proper host and network hardening and regular auditing. Suspscan is an unfinished Proof of Concept (aka "kludge" ;-p). It has no guaranteed or implied usefulness. It is slow, can be defeated and it only alerts. It does not act (you have to). Running 'suspscan' implies you take the risk: I won't be held responsible for any damages. If you run 'suspscan' on production machines w/o testing it elsewhere it probably won't break stuff but it would be, uh, slightly daft.

Motivation
Inability of Chkrootkit, Rootkit Hunter and AV products to determine if files are a cause for concern unless they match a static(!) location, a string or a signature. While we could patch RKH to run on public temp dirs too, for now I chose to whip up something modular to play with which I could cronjob.

Alternatives
The only alternative I can imagine would be running an active file integrity checker like Samhain or plugging something into [DI]notify. If there are other quality alternatives please tell me.

Where NOT to run this?
On machines that are hardened well (think SELinux, GRSecurity).

Where to run this, then?
On machines that have (publicly) accessible temp dirs, say machines that run PHP-based apps since those are more prone to access problems and more likely to be vulnerable in some way.

How to run
Running it w/o args shows help, what to configure and explanations. Read, understand, configure, run. Easy :-]

Feedback
The RKH team should not be bothered with it until it turns into something useful, so don't use the RKH SF tracker or mailing list. I support it personally and *only* for those subscribed to this list.
If you're not, either subscribe or find yourself SOL. Details about stuff suspscan picks up, constructive comments, patches and questions are welcome and should be directed at my email address. If you want to post (debug) output or add info over 10 lines *please* attach a compressed tarball. If there's progress I'll post updates to this list unless instructed otherwise. Thanks for your time and cooperation. Regards, unSpawn
suspscan-0.3.sh
Description: Bourne shell script
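The following is an added illustration of the kind of content-based scan the post describes, written for this page; it is not suspscan itself and not code from unSpawn or the rkhunter project. suspscan uses file, strings and egrep; to run on minimal systems this version detects ELF binaries by their magic bytes with od and uses grep -a in place of strings | egrep. The pattern list, the function names (is_elf, check_file, scan_dir, make_sample_dir) and the sample files (a fake PHP webshell, a benign text file and a fake ELF dropped as a dotfile) are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not suspscan: scan a directory for file contents that
# could indicate a problem, using only POSIX tools (find, od, grep, printf).

# Illustrative patterns only (assumption); tune for the systems you scan.
SUSP_PATTERNS='eval\(base64_decode|/bin/sh -i|passthru\(|shell_exec\(|execve|socket\('

# is_elf FILE: true if the first four bytes are the ELF magic \177ELF
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# check_file FILE: print "path: reason" when the file looks suspicious,
# nothing otherwise. An ELF binary in a public temp dir is reported on its
# own; grep -a over the binary stands in for strings | egrep.
check_file() {
    f=$1
    if is_elf "$f"; then
        if grep -aEq "$SUSP_PATTERNS" "$f"; then
            printf '%s: ELF binary with suspicious strings\n' "$f"
        else
            printf '%s: ELF binary in scanned directory\n' "$f"
        fi
    elif grep -aEq "$SUSP_PATTERNS" "$f"; then
        printf '%s: suspicious content\n' "$f"
    fi
}

# scan_dir DIR: check every regular file under DIR (symlinks are skipped);
# output is one "path: reason" line per hit, so callers can count or alert.
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        check_file "$f"
    done
}

# make_sample_dir: constructed sample data for the demo (assumption, not real
# malware): a fake webshell, a benign note and a fake ELF with a shell marker.
# Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$d/x.php"
    printf 'shopping list\n' > "$d/notes.txt"
    printf '\177ELF\002\001\001\000\000 /bin/sh -i \000' > "$d/.cache"
    printf '%s\n' "$d"
}

# Demo run: scan the constructed directory, report, clean up.
demo_dir=$(make_sample_dir)
scan_dir "$demo_dir"
rm -rf "$demo_dir"
```

On the constructed directory this reports x.php (suspicious content) and the fake ELF dotfile (ELF binary with suspicious strings) and stays silent on notes.txt. Point it at a real public temp dir with `scan_dir /tmp` from cron and pipe the output to mail; like suspscan it only alerts, and anything it finds still needs a human to look at it.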
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users