Re: rkhunter sshd warning
On Wed, 2014-03-19 at 01:00 -0700, Wolfgang S. Rupprecht wrote:
> Patrick O'Callaghan writes:
> > On Sun, 2014-03-16 at 15:04 -0700, Wolfgang S. Rupprecht wrote:
> >> A clever intruder is just going to wait until a batch of changes goes
> >> out and then add their trojan.
> >
> > Of course you check the hash signatures on those downloads, right?
>
> Yes, but in a haphazard, infrequent manner. The whole point of
> me installing rkhunter was to automate detection of trojans. If I'm
> going to have to check the hashes myself, what is rkhunter bringing to
> the party?

Your earlier comment was about a possibly trojaned rkhunter. The way to guard against that is by checking the hash of the checker. You don't have to check every hash, but if you aren't checking the hash of rkhunter itself, the whole exercise is more about feel-good security than real security. Same applies to any security checking tool.

poc

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Re: rkhunter sshd warning
Patrick O'Callaghan writes:
> On Sun, 2014-03-16 at 15:04 -0700, Wolfgang S. Rupprecht wrote:
>> A clever intruder is just going to wait until a batch of changes goes
>> out and then add their trojan.
>
> Of course you check the hash signatures on those downloads, right?

Yes, but in a haphazard, infrequent manner. The whole point of me installing rkhunter was to automate detection of trojans. If I'm going to have to check the hashes myself, what is rkhunter bringing to the party?

The more I think about it, the more --propupd bothers me. rkhunter emits warnings that turn into regular mailbox clutter, and sooner or later one is going to ignore them.

-wolfgang
Re: rkhunter sshd warning
On Sun, 2014-03-16 at 15:04 -0700, Wolfgang S. Rupprecht wrote:
> A clever intruder is just going to wait until a batch of changes goes
> out and then add their trojan.

Of course you check the hash signatures on those downloads, right?

poc
Re: rkhunter sshd warning
John Horne writes:
> On Sun, 2014-03-16 at 12:59 -0700, Wolfgang S. Rupprecht wrote:
>> -- Start Rootkit Hunter Scan --
>> Warning: The file '/usr/sbin/sshd' exists on the system, but it is
>> not present in the 'rkhunter.dat' file.
>> Warning: The file '/usr/bin/ssh' exists on the system, but it is
>> not present in the 'rkhunter.dat' file.
>> Warning: The file '/usr/bin/telnet' exists on the system, but it
>> is not present in the 'rkhunter.dat' file.
>>
> You should have run 'rkhunter --propupd' after installing the new
> release of RKH.
>
> From the RKH CHANGELOG file for release 1.4.2:
>
> - The 'ssh', 'sshd' and 'telnet' commands are now checked as part of
> the file properties test.
>
> So these commands are now being checked automatically.
> Run 'rkhunter --propupd'.

Thanks! I'm beginning to wonder if rkhunter is ever going to find any real intrusions for me if I keep on having to run 'rkhunter --propupd'. A clever intruder is just going to wait until a batch of changes goes out and then add their trojan. The --propupd is going to approve it in the sweep, and it will have succeeded in coming in under the wire. To be useful, rkhunter really needs to know how to identify changed files by knowing the hashes, sizes etc. without grabbing them from the local system.

-wolfgang
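Patrick's point further up the thread (verify the hash of the checker itself) and Wolfgang's objection here (running --propupd after a change turns that change into the new baseline) can be seen together in a small script. This is an added example written for this page, not code from the thread, from Fedora or from rkhunter: the checker is a toy that records rkhunter-like file properties (sha256, size, mode, inode) in a JSON file, the sample "sshd" and "rkhunter" files are constructed stand-ins, and the `manifest` dict and `pinned_checker` value stand in for reference hashes obtained out of band (a distribution's published package digests, a signed release checksum). The rkhunter.dat format itself is not reproduced.

```python
# Added example (not from the thread or from rkhunter): a toy file-properties
# checker that reproduces the --propupd failure mode discussed in the thread.
# All files are constructed in a temporary directory, so it runs offline.
import hashlib
import json
import os
import tempfile

PROPS = ("sha256", "size", "mode", "inode")


def file_props(path):
    """Subset of the properties an rkhunter-style file test records (assumed set)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mode": st.st_mode & 0o7777, "inode": st.st_ino}


def propupd(paths, db_path):
    """Snapshot the CURRENT on-disk state as the baseline (what --propupd does).
    Whatever is on disk right now, trojan included, becomes 'known good'."""
    db = {p: file_props(p) for p in paths}
    with open(db_path, "w") as fh:
        json.dump(db, fh)
    return db


def check(paths, db_path):
    """Compare the files with the locally stored baseline; return warning strings."""
    with open(db_path) as fh:
        db = json.load(fh)
    warnings = []
    for p in paths:
        if p not in db:
            warnings.append(f"The file '{p}' exists on the system, but it is not present in the baseline")
            continue
        cur = file_props(p)
        for k in PROPS:
            if cur[k] != db[p][k]:
                warnings.append(f"The file properties have changed: {p}: {k} {db[p][k]} -> {cur[k]}")
    return warnings


def check_against_manifest(paths, manifest):
    """Compare with a reference that was NOT derived from this host (e.g. digests a
    distribution publishes for its packages). manifest maps basename -> sha256 hex."""
    warnings = []
    for p in paths:
        expected = manifest.get(os.path.basename(p))
        actual = file_props(p)["sha256"]
        if expected is None:
            warnings.append(f"No reference hash for '{p}'")
        elif actual != expected:
            warnings.append(f"Hash mismatch for '{p}': expected {expected[:12]}..., got {actual[:12]}...")
    return warnings


def verify_checker(checker_path, pinned_sha256):
    """Check the checker: the pinned hash must come from a trusted source, not from this host."""
    return file_props(checker_path)["sha256"] == pinned_sha256


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def run_scenario():
    """Walk through the thread's scenario with constructed files; return the outcomes."""
    genuine = b"#!/bin/sh\n# stand-in for the real sshd (constructed sample)\n"
    trojan = b"#!/bin/sh\n# stand-in for a backdoored sshd (constructed sample)\n"
    checker = b"#!/bin/sh\n# stand-in for the rkhunter script itself (constructed sample)\n"
    with tempfile.TemporaryDirectory() as tmp:
        sshd = os.path.join(tmp, "sshd")
        rkh = os.path.join(tmp, "rkhunter")
        db = os.path.join(tmp, "rkhunter.dat")
        _write(sshd, genuine)
        _write(rkh, checker)
        # Reference values obtained out of band; here computed from the genuine bytes
        # to stand in for a vendor manifest / published checksum (assumption).
        manifest = {"sshd": hashlib.sha256(genuine).hexdigest()}
        pinned_checker = hashlib.sha256(checker).hexdigest()

        out = {}
        propupd([sshd], db)
        out["clean"] = check([sshd], db)                 # nothing to report
        out["checker_ok"] = verify_checker(rkh, pinned_checker)

        _write(sshd, trojan)                             # intruder swaps the binary
        out["detected"] = check([sshd], db)              # local baseline still catches it

        propupd([sshd], db)                              # admin "fixes the warnings"
        out["after_propupd"] = check([sshd], db)         # silent: the trojan is now baseline
        out["manifest"] = check_against_manifest([sshd], manifest)  # still caught

        _write(rkh, trojan)                              # the checker itself replaced
        out["checker_after_tamper"] = verify_checker(rkh, pinned_checker)
        return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario ends with an empty `after_propupd` list and a non-empty `manifest` list: the locally refreshed baseline has absorbed the change, while the out-of-band reference has not. On a Fedora host the closest thing to that manifest is the digest the RPM database recorded at install time, which `rpm -V` compares against; that comparison is only as trustworthy as the rpm binary and the database on the same host, which is why the thread ends up at "check from a live image".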
Re: rkhunter sshd warning
On Sun, 2014-03-16 at 12:59 -0700, Wolfgang S. Rupprecht wrote:
> -- Start Rootkit Hunter Scan --
> Warning: The file '/usr/sbin/sshd' exists on the system, but it is
> not present in the 'rkhunter.dat' file.
> Warning: The file '/usr/bin/ssh' exists on the system, but it is
> not present in the 'rkhunter.dat' file.
> Warning: The file '/usr/bin/telnet' exists on the system, but it
> is not present in the 'rkhunter.dat' file.
>
You should have run 'rkhunter --propupd' after installing the new release of RKH.

From the RKH CHANGELOG file for release 1.4.2:

- The 'ssh', 'sshd' and 'telnet' commands are now checked as part of the file properties test.

So these commands are now being checked automatically. Run 'rkhunter --propupd'.

John.

--
John Horne                 Tel: +44 (0)1752 587287
Plymouth University, UK    Fax: +44 (0)1752 587001
Re: rkhunter sshd warning
Kevin Fenzi writes:
> On Sun, 16 Mar 2014 12:59:29 -0700
> "Wolfgang S. Rupprecht" wrote:
>> Are other people seeing this? I'm not looking forward to a full scrub
>> and clean installation.
>
> Did you recently install or update openssh-server, openssh or
> telnet-server? When you update packages you need to re-run
> 'rkhunter --propupd' to update its db.
>
> The /dev/dev/ thing is a dracut bug from a while back. You can safely
> remove that /dev/dev/ directory and its contents.

$ grep ssh /var/log/yum.log
Jan 06 19:27:53 Updated: openssh-6.4p1-3.fc20.x86_64
Jan 06 19:28:23 Updated: openssh-server-6.4p1-3.fc20.x86_64
Jan 06 19:28:23 Updated: openssh-clients-6.4p1-3.fc20.x86_64
Jan 06 19:28:23 Installed: openssh-askpass-6.4p1-3.fc20.x86_64

I do nightly yum updates, but ssh* hasn't updated in a long while. I also recall the file-updated messages are a bit different, complaining that an inode changed. I also did an 'rpm -Va' to see if the hash changed, but it hadn't. While it is possible that rpm was replaced with a version that lies, I honestly can't believe the rabbit hole goes that deep. I'm leaning towards something bad having happened to upstream's rkhunter. I guess I should check with a Fedora live USB just to be sure. (Again, I have to trust that the tools aren't doctored so much that burning a live image is still doable without inserting a trojan.)

-wolfgang
Re: rkhunter sshd warning
On Sun, 16 Mar 2014 12:59:29 -0700
"Wolfgang S. Rupprecht" wrote:

...snip...

> Are other people seeing this? I'm not looking forward to a full scrub
> and clean installation.

Did you recently install or update openssh-server, openssh or telnet-server? When you update packages you need to re-run 'rkhunter --propupd' to update its db.

The /dev/dev/ thing is a dracut bug from a while back. You can safely remove that /dev/dev/ directory and its contents.

kevin
rkhunter sshd warning
Things that make you go 'hmmm' (see the sshd, ssh and telnet mentions):

From: root (root)
To: root
Subject: rkhunter Daily Run on [redacted]
Date: Sun, 16 Mar 2014 07:51:04 -0700

- Start Rootkit Hunter Update -
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat          [ No update ]
  Checking file programs_bad.dat     [ No update ]
  Checking file backdoorports.dat    [ No update ]
  Checking file suspscan.dat         [ No update ]
  Checking file i18n/cn              [ No update ]
  Checking file i18n/de              [ No update ]
  Checking file i18n/en              [ No update ]
  Checking file i18n/tr              [ No update ]
  Checking file i18n/tr.utf8         [ No update ]
  Checking file i18n/zh              [ No update ]
  Checking file i18n/zh.utf8         [ No update ]

-- Start Rootkit Hunter Scan --
Warning: The file '/usr/sbin/sshd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/ssh' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/telnet' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: GasKit Rootkit                    [ Warning ]
         Directory '/dev/dev' found
--- End Rootkit Hunter Scan ---

In the famous words of the Three Mile Island operators: "Ignore those gauges. They are clearly wrong."

Every one of my systems here is showing some subset of this error. Some only show sshd, others all three. Disconcerting, to say the least.

Are other people seeing this? I'm not looking forward to a full scrub and clean installation.

-wolfgang