Re: [newbie] Rootkit ?
On Tuesday 04 January 2005 08:20, Kaj Haulrich wrote:
> When doing a chkrootkit everything looks fine except this :
>
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'...
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `w55808'... not infected
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
>
> What is this sniffer thing and does it matter ?

Packet sniffer. If you are running an Intrusion Detection System like portsentry or Snort, that would account for the detection of a packet sniffer, as IDSs have to sniff packets to detect intrusions.

-- 
Bryan Phinney

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
Re: [newbie] Rootkit ?
Kaj Haulrich wrote:
> When doing a chkrootkit everything looks fine except this :
>
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'...
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `w55808'... not infected
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected

I get the same message, so I googled around and found that the dhcp client and server are using the same port used by the sniffer (exploit?) and chkrootkit cannot distinguish between them, hence the message.

Avi

-- 
Avi Schwartz
http://public.xdi.org/=avi.schwartz

When you have robbed a man of everything, he is no longer in your power. He is free again.
-- Alexander Solzhenitsyn
Re: [newbie] Rootkit ?
On Tuesday 04 January 2005 15:07, Bryan Phinney wrote:
> On Tuesday 04 January 2005 08:20, Kaj Haulrich wrote:
> > When doing a chkrootkit everything looks fine except this :
> >
> > Checking `asp'... not infected
> > Checking `bindshell'... not infected
> > Checking `lkm'...
> > Checking `rexedcs'... not found
> > Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> > Checking `w55808'... not infected
> > Checking `wted'... nothing deleted
> > Checking `scalper'... not infected
> > Checking `slapper'... not infected
> >
> > What is this sniffer thing and does it matter ?
>
> Packet sniffer. If you are running an Intrusion Detection System like portsentry or Snort, that would account for the detection of a packet sniffer, as IDSs have to sniff packets to detect intrusions.

Thanks Bryan and Avi, but I'm running snort or portsentry or anything. So where does this sniffer come from ? - To me it sounds pretty much like one of those thousands of Windows-spyware malignancies. Never thought a Linux system could get one, but maybe I'll have to think again ?

Kaj Haulrich.

-- 
*sent from a 100% Microsoft-free workstation*
* http://haulrich.net *
*Running Linux (Mandrake 10.1) - kernel 2.6.8*
Re: [newbie] Rootkit ?
Kaj Haulrich wrote:
> On Tuesday 04 January 2005 15:07, Bryan Phinney wrote:
> > On Tuesday 04 January 2005 08:20, Kaj Haulrich wrote:
> > > When doing a chkrootkit everything looks fine except this :
> > >
> > > Checking `asp'... not infected
> > > Checking `bindshell'... not infected
> > > Checking `lkm'...
> > > Checking `rexedcs'... not found
> > > Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> > > Checking `w55808'... not infected
> > > Checking `wted'... nothing deleted
> > > Checking `scalper'... not infected
> > > Checking `slapper'... not infected
> > >
> > > What is this sniffer thing and does it matter ?
> >
> > Packet sniffer. If you are running an Intrusion Detection System like portsentry or Snort, that would account for the detection of a packet sniffer, as IDSs have to sniff packets to detect intrusions.
>
> Thanks Bryan and Avi, but I'm running snort or portsentry or anything. So where does this sniffer come from ? - To me it sounds pretty much like one of those thousands of Windows-spyware malignancies. Never thought a Linux system could get one, but maybe I'll have to think again ?

Please re-read my previous email, but if you prefer, also check the following:
http://lists.debian.org/debian-user/2004/01/msg05013.html

Avi

-- 
Avi Schwartz
http://public.xdi.org/=avi.schwartz

When you have robbed a man of everything, he is no longer in your power. He is free again.
-- Alexander Solzhenitsyn
Re: [newbie] Rootkit ?
On Tuesday 04 January 2005 16:38, Avi Schwartz wrote:
<snip>
> > Thanks Bryan and Avi, but I'm running snort or portsentry or anything. So where does this sniffer come from ? - To me it sounds pretty much like one of those thousands of Windows-spyware malignancies. Never thought a Linux system could get one, but maybe I'll have to think again ?
>
> Please re-read my previous email, but if you prefer, also check the following:
> http://lists.debian.org/debian-user/2004/01/msg05013.html
>
> Avi
</snip>

Thanks, Avi. Now I have calmed down again.

Kaj Haulrich.

-- 
*sent from a 100% Microsoft-free workstation*
* http://haulrich.net *
*Running Linux (Mandrake 10.1) - kernel 2.6.8*
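The thread's answer is that chkrootkit's `sniffer' test reports any process holding a packet socket, and `/sbin/dhclient` legitimately holds one. The script below is an added example (not code from the thread, and not chkrootkit's own implementation) that shows what that test is looking at: the rows of /proc/net/packet, and which /proc/<pid>/fd entry points at each socket inode. All three SAMPLE_* inputs are constructed so it runs offline; the expected-program paths are assumptions, and inode 31002 is deliberately left with no visible owner to show the case that actually deserves attention.

```python
"""Attribute PF_PACKET sockets to the processes holding them.

Added example, not code from the thread or from chkrootkit. It reproduces the
idea behind chkrootkit's `sniffer' test, whose output in the thread was
"eth0: PF_PACKET(/sbin/dhclient)": list the packet sockets in /proc/net/packet,
find which /proc/<pid>/fd entry links to each socket inode, and name the
program. Everything below is constructed sample data so it runs offline; on a
live host the three SAMPLE_* values would be read from /proc and /sys instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed /proc/net/packet snapshot in the kernel's column layout.
# Iface is the interface index; Inode is the socket inode that /proc/<pid>/fd shows.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      18877
ffff9a2d 3      3    0003   2     1 0      0      20451
ffff9a3e 3      3    0003   2     1 0      0      31002
"""

# Constructed ifindex -> name map (/sys/class/net/<name>/ifindex on a live host).
SAMPLE_IFINDEX = {1: "lo", 2: "eth0"}

# Constructed view of running processes: exe path and the targets of their
# /proc/<pid>/fd symlinks. Inode 31002 is owned by no listed process, which is
# the case worth noticing: a packet socket exists but nothing visible holds it.
SAMPLE_PROCS = {
    1137: {"exe": "/sbin/dhclient",         "fds": ["socket:[18877]", "/dev/null"]},
    2481: {"exe": "/usr/local/bin/tcpdump", "fds": ["socket:[20451]", "/dev/pts/1"]},
    2990: {"exe": "/bin/bash",              "fds": ["/dev/pts/0"]},
}

# Programs the operator knows open packet sockets (the thread's answers: the
# DHCP client, Snort, portsentry). The paths are assumptions for this example.
EXPECTED_SNIFFERS = {"/sbin/dhclient", "/usr/sbin/snort", "/usr/sbin/portsentry"}


@dataclass
class PacketSocket:
    inode: int
    iface: str
    pid: Optional[int]
    exe: Optional[str]


def parse_proc_net_packet(text: str) -> List[Tuple[int, int]]:
    """Return (inode, ifindex) for each data row; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 9:
            rows.append((int(fields[8]), int(fields[4])))
    return rows


def owner_of_inode(inode: int, procs: Dict) -> Tuple[Optional[int], Optional[str]]:
    """Find the pid whose fd table links to socket:[inode], as chkrootkit does by scanning /proc."""
    target = f"socket:[{inode}]"
    for pid, info in procs.items():
        if target in info["fds"]:
            return pid, info["exe"]
    return None, None


def find_packet_sockets(packet_text: str, ifindex: Dict[int, str], procs: Dict) -> List[PacketSocket]:
    sockets = []
    for inode, idx in parse_proc_net_packet(packet_text):
        pid, exe = owner_of_inode(inode, procs)
        sockets.append(PacketSocket(inode, ifindex.get(idx, f"ifindex{idx}"), pid, exe))
    return sockets


def report(sockets: List[PacketSocket], expected=EXPECTED_SNIFFERS) -> List[str]:
    """One line per packet socket in chkrootkit's style, plus a triage verdict."""
    lines = []
    for s in sockets:
        if s.exe is None:
            lines.append(f"{s.iface}: PF_PACKET(inode {s.inode}, no visible owner) "
                         f"[REVIEW: possible hidden process]")
        elif s.exe in expected:
            lines.append(f"{s.iface}: PF_PACKET({s.exe}) pid={s.pid} [expected]")
        else:
            lines.append(f"{s.iface}: PF_PACKET({s.exe}) pid={s.pid} [REVIEW: not on the expected list]")
    return lines


if __name__ == "__main__":
    for line in report(find_packet_sockets(SAMPLE_PROC_NET_PACKET, SAMPLE_IFINDEX, SAMPLE_PROCS)):
        print(line)
```

The verdict column is the part chkrootkit does not give you: a packet socket held by a program you expect (dhclient, an IDS) is noise, one held by a program you did not start is a question to answer, and one that no process in /proc claims is the signal that should not be dismissed, because a rootkit that hides processes cannot hide the socket row as easily.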
Re: [newbie] Rootkit Hunter
On Tuesday 14 September 2004 08:50 pm, Chris wrote:
> The source is super easy to install, it has its own install script, takes about two minutes to run through the complete installation. By the way, I was going to start another thread but since we're on the subject of root killer, it reports that I'm in promiscuous mode, what the hell is that and how do I get out of it? I've googled and googled/linux and I've never really found a good answer. I'm not running any servers, that I'm aware of.

If you are running an intrusion detection system, such as Snort, the application itself will put the ethernet device into promiscuous mode so that it can listen to all communication attempts to know when you are being probed and attacked. Network sniffers, some port sentry applications, network usage monitors, etc. all require the ethernet device to be in promiscuous mode in order to monitor communications. The only warning attached to a device being switched to promiscuous mode is that a sniffer may have been surreptitiously loaded onto your system. Check to make sure that you do not have a sniffer running that YOU are unaware of; other than that, it is really no problem.

From the web:

1) In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).

-- 
Bryan Phinney
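rkhunter's warning in this thread comes from the interface's flags word, which is one of three places a Linux host records promiscuous mode: `/sys/class/net/<if>/flags`, the flag names in `ip link` output, and the kernel log line the kernel writes on each transition. The script below is an added example (not code from the thread or from rkhunter) that reads all three from constructed samples and reports where they disagree; the sample flag values, `ip link` lines and kernel log lines are constructed for this example.

```python
"""Is an interface in promiscuous mode, and do the places that say so agree?

Added example, not code from the thread or from rkhunter. rkhunter's
promiscuous-mode warning is derived from the interface flags word; the kernel
also logs each transition, and `ip link` prints the flag by name. Reading all
three and comparing them is the check a defender wants: on an honest host every
source gives the same answer. All inputs below are constructed samples.
"""
import re
from typing import Dict, Iterable, List

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

# Constructed /sys/class/net/<if>/flags contents. 0x1103 = UP|BROADCAST|PROMISC|MULTICAST.
SAMPLE_SYSFS_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n"}

# Constructed `ip link` output.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""

# Constructed kernel log lines (the message text is the kernel's own wording).
SAMPLE_KERNEL_LOG = [
    "[  812.004211] device eth0 entered promiscuous mode",
    "[  900.113870] device eth0 left promiscuous mode",
    "[ 1412.700032] device eth0 entered promiscuous mode",
]


def is_promisc(flags_text: str) -> bool:
    """flags_text is the hex word read from /sys/class/net/<if>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(flags: Dict[str, str]) -> Dict[str, bool]:
    return {name: is_promisc(text) for name, text in flags.items()}


def promisc_from_ip_link(output: str) -> Dict[str, bool]:
    """Parse '2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> ...' lines."""
    result = {}
    for m in re.finditer(r"^\d+:\s+([^:\s]+):\s+<([^>]*)>", output, re.M):
        result[m.group(1)] = "PROMISC" in m.group(2).split(",")
    return result


def promisc_from_kernel_log(lines: Iterable[str]) -> Dict[str, bool]:
    """Replay 'device X entered/left promiscuous mode' messages in order.
    The kernel reference-counts listeners internally and logs only the real
    transitions, so the last message per interface gives its current state."""
    state = {}
    pat = re.compile(r"device (\S+) (entered|left) promiscuous mode")
    for line in lines:
        m = pat.search(line)
        if m:
            state[m.group(1)] = m.group(2) == "entered"
    return state


def cross_check(sysfs: Dict[str, bool], iplink: Dict[str, bool], klog: Dict[str, bool]) -> List[str]:
    """One finding per interface where the sources disagree. The kernel log is
    consulted only for interfaces it mentions; a quiet interface never logged."""
    findings = []
    for name in sorted(set(sysfs) | set(iplink)):
        views = {"sysfs": sysfs.get(name), "ip link": iplink.get(name)}
        if name in klog:
            views["kernel log"] = klog[name]
        present = {k: v for k, v in views.items() if v is not None}
        if len(set(present.values())) > 1:
            findings.append(f"{name}: sources disagree on PROMISC: {present}")
    return findings


def summarize(sysfs_flags=SAMPLE_SYSFS_FLAGS, ip_link=SAMPLE_IP_LINK, klog_lines=SAMPLE_KERNEL_LOG):
    sysfs = promisc_from_sysfs(sysfs_flags)
    iplink = promisc_from_ip_link(ip_link)
    klog = promisc_from_kernel_log(klog_lines)
    promisc = sorted(name for name, flag in sysfs.items() if flag)
    return {"promiscuous": promisc, "disagreements": cross_check(sysfs, iplink, klog)}


if __name__ == "__main__":
    print(summarize())
```

The cross-check is the point of reading three sources rather than one: a tool that only consults the flags word can be satisfied by anything that hooks that one interface, whereas the kernel log recorded the transition when it happened. On the sample data eth0 is promiscuous and all three sources agree, which is the benign "an IDS or sniffer you know about is running" situation the reply describes; a disagreement would be the thing to investigate.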
Re: [newbie] Rootkit Hunter
On September 14, 2004 18:17, Tom Brinkman wrote:
> On Tuesday 14 September 2004 12:35 pm, Ron Hunter-Duvar wrote:
> > On September 14, 2004 07:37, Tom Brinkman wrote:
> > > ... urpmi rkhunter
> >
> > I have contrib defined (using proxad.net, b/c all the North American mirrors seem to be unreliable), but urpmi rkhunter gives me no package named rkhunter. I tried a search for rk and one for hunt too, in case the spelling was slightly off, but there's nothing that resembles rkhunter showing up.
>
> Mea culpa. Since it's just a noarch script, I thought it would be available for all Mandrake versions. I didn't check. Anyhow, you can get the 10.1 CE version here:
> ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrake/devel/cooker/i586/media/contrib/rkhunter-1.1.6-2mdk.noarch.rpm
> It should work on any Mandrake version.

Thanks, that worked better. It gave me a warning about the signature not matching, which worries me a little with a security app! I know others report getting this a lot, but I don't normally. But I went ahead with the install anyway.

I noticed it has a --update option to get all the latest scan info, so I did that first. I don't know if this eliminates the benefits of going to 1.1.8.

Pretty impressive list of things checked. It didn't find any nasties on my system, but it reported the following:

* Application version scan
   - GnuPG 1.2.4          [ OK ]
   - OpenSSL 0.9.7c       [ Vulnerable ]
   - Procmail MTA 3.22    [ OK ]
   - ProFTPd 1.2.9        [ Vulnerable ]

I just updated everything on Monday (after switching to a working mirror). Any idea what's up with these vulnerability warnings? Has Mandrake not released fixed versions of these apps yet? Should I wait or install from source? I don't use these apps. Not directly anyway, but maybe something else uses them?

-- 
Ron Hunter-Duvar
ronhd at users dot sourceforge dot net
Opinions expressed here are all mine. Rights to use these opinions are granted under the GNU GPL.
Re: [newbie] Rootkit Hunter
On Mon, 2004-09-13 at 21:21, Chris wrote:
> Found this little app in my Freshmeat daily newsletter. Seems to check much more than chkrootkit.

That being the case, you or someone else should go to Mandrakeclub and propose this program as an rpm for packaging by the contributors in the rpm voting section. As far as I know, chkrootkit has no competition except for this applet. If this applet is better maybe it could replace chkrootkit.

> License: GNU General Public License (GPL)
> URL: http://freshmeat.net/projects/rkhunter/

LX
Re: [newbie] Rootkit Hunter
On September 14, 2004 07:37, Tom Brinkman wrote:
> ... urpmi rkhunter

I have contrib defined (using proxad.net, b/c all the North American mirrors seem to be unreliable), but urpmi rkhunter gives me no package named rkhunter. I tried a search for rk and one for hunt too, in case the spelling was slightly off, but there's nothing that resembles rkhunter showing up.

-- 
Ron Hunter-Duvar
ronhd at users dot sourceforge dot net
Opinions expressed here are all mine. Rights to use these opinions are granted under the GNU GPL.
Re: [newbie] Rootkit Hunter
On Tuesday 14 September 2004 12:35 pm, Ron Hunter-Duvar wrote:
> On September 14, 2004 07:37, Tom Brinkman wrote:
> > ... urpmi rkhunter
>
> I have contrib defined (using proxad.net, b/c all the North American mirrors seem to be unreliable), but urpmi rkhunter gives me no package named rkhunter. I tried a search for rk and one for hunt too, in case the spelling was slightly off, but there's nothing that resembles rkhunter showing up.

Mea culpa. Since it's just a noarch script, I thought it would be available for all Mandrake versions. I didn't check. Anyhow, you can get the 10.1 CE version here:

ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrake/devel/cooker/i586/media/contrib/rkhunter-1.1.6-2mdk.noarch.rpm

It should work on any Mandrake version.

-- 
Tom Brinkman
Corpus Christi, Texas
Proud to be an American
Re: [newbie] Rootkit Hunter
On Tuesday 14 September 2004 08:17 pm, Tom Brinkman wrote:
> Mea culpa. Since it's just a noarch script, I thought it would be available for all Mandrake versions. I didn't check. Anyhow, you can get the 10.1 CE version here:
> ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrake/devel/cooker/i586/media/contrib/rkhunter-1.1.6-2mdk.noarch.rpm
> It should work on any Mandrake version.

Or you could go here:

ftp://ftp.webtrek.com/pub/rpms/rkhunter-1.1.8-1.noarch.rpm

which is 1.1.8. I am running 10.0 CE but updated from Community so it should be just a little behind cooker. As long as you are interested, you might want to get the latest version.

-- 
Bryan Phinney
Re: [newbie] Rootkit Hunter
On Tuesday 14 September 2004 07:34 pm, Bryan Phinney wrote:
> On Tuesday 14 September 2004 08:17 pm, Tom Brinkman wrote:
> > Mea culpa. Since it's just a noarch script, I thought it would be available for all Mandrake versions. I didn't check. Anyhow, you can get the 10.1 CE version here:
> > ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrake/devel/cooker/i586/media/contrib/rkhunter-1.1.6-2mdk.noarch.rpm
> > It should work on any Mandrake version.
>
> Or you could go here:
> ftp://ftp.webtrek.com/pub/rpms/rkhunter-1.1.8-1.noarch.rpm
> which is 1.1.8. I am running 10.0 CE but updated from Community so it should be just a little behind cooker. As long as you are interested, you might want to get the latest version.

The source is super easy to install, it has its own install script, takes about two minutes to run through the complete installation.

By the way, I was going to start another thread but since we're on the subject of root killer, it reports that I'm in promiscuous mode, what the hell is that and how do I get out of it? I've googled and googled/linux and I've never really found a good answer. I'm not running any servers, that I'm aware of.

Thanks for any help

-- 
Chris
Registered Linux User 283774 http://counter.li.org
7:42pm up 7 days, 21 min, 1 user, load average: 0.16, 0.14, 0.07

Brahma said: Well, after hearing ten thousand explanations, a fool is no wiser. But an intelligent man needs only two thousand five hundred.
-- The Mahabharata

Live - From Virgin Radio UK
The Eagles - One of these nights
Re: [newbie] Rootkit Hunter
- Original Message -
From: Chris [EMAIL PROTECTED]
Date: Mon, 13 Sep 2004 20:21:44 -0500
To: [EMAIL PROTECTED]
Subject: [newbie] Rootkit Hunter

> Found this little app in my Freshmeat daily newsletter. Seems to check much more than chkrootkit.
>
> About: Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.
>
> Changes: This release has extended support for Red Hat 6.2 and Enterprise Linux (AS/ES). Suckit detection has been improved, FreeBSD version detection is better, path searches are improved, and several operating systems are updated (new hashes).
>
> License: GNU General Public License (GPL)
> URL: http://freshmeat.net/projects/rkhunter/
>
> --
> Chris

**

Yes, I have been using rkhunter for a while, and I agree that it seems as though it does a more thorough job of things than chkrootkit. There is a third party rpm available here:

http://www.rootkit.nl/projects/rootkit_hunter.html

It is quite an easy program to use, and I like that too. :-)

--Angus

Let us not look back in anger or forward in fear, but around in awareness.
-- James Thurber

*** ~Linux Powered by Mandrake 10.0~ ***
*** ~Reg. Linux User #278931~ ***

-- 
Web-based SMS services available at http://www.operamail.com.
From your mailbox to local or overseas cell phones.
Powered by Outblaze
Re: [newbie] Rootkit?
On Wed, 2004-04-14 at 07:23, Job Evers wrote:
> My college sent me an email warning:
>
> > There have been many recent break-ins to university Solaris and Linux systems, including ones for which the administrator puts a lot of effort into security. We have recently seen an increase in successful attacks of this nature. Stanford is one affected university, and they've composed a detailed web page,
> > http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html
>
> So, honestly, how worried should one be about this? Also, in the never ending Linux vs. Windows security argument how do vulnerabilities like this come in?

*NIX security is vastly different from Windows security. It takes quite a bit more thinking and planning to bust into any type of *NIX box whereas it takes only the right program to break up a Windows box (or network); mind you, though, that once a *NIX network (or box) is busted, it's easy enough for the perp to get wherever they want - with the exception of localised *NIX boxes where they then have to repeat the process they began with on the first of the boxes.

IT CAN BE DONE, but requires an awful lot of work, brains and patience...(which script kiddies don't have - hence they attack Windows boxes mostly)

stephen kuhn - owner
== illawarra computer services
a kuhn media australia company
http://kma.0catch.com
-- 
* This message was composed on a 100% Microsoft free computer *
We expressly refuse to utilise Microsoft DRM encoded documents
-- 
The savior becomes the victim.
Re: [newbie] rootkit
On Wednesday 21 Aug 2002 4:01 pm, Wilson, Jack wrote:
> Is there a script for checking for rootkits (chkrootkit) for Mandrake like there is for RH?
>
> Thanks
> Jack

Yes... The search button in Mandrake Software Manager will find it for you.

derek
RE: [newbie] rootkit
Thanks. I appreciate it.

-----Original Message-----
From: Derek Jennings [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] rootkit

> On Wednesday 21 Aug 2002 4:01 pm, Wilson, Jack wrote:
> > Is there a script for checking for rootkits (chkrootkit) for Mandrake like there is for RH?
> >
> > Thanks
> > Jack
>
> Yes... The search button in Mandrake Software Manager will find it for you.
>
> derek
Re: [newbie] rootkit
On Wednesday August 21 2002 10:01 am, Wilson, Jack wrote:
> Is there a script for checking for rootkits (chkrootkit) for Mandrake like there is for RH?
>
> Thanks
> Jack

http://www.chkrootkit.org/

There's also Mandrake rpms,
http://rpmfind.net/linux/rpm2html/search.php?query=chkrootkitsubmit=Search+...system=mandrakearch=

It might be on your CD's

-- 
Tom Brinkman
Corpus Christi, Texas