Old 10-24-2005, 11:58 AM   #1
unSpawn
Misc. patches for rkhunter-1.2.7.tar.gz


Rootkit Hunter, version 1.2.7, miscellaneous patches.

Since Mr. Boelen seems unavailable and there is no mailing list for Rootkit Hunter, I thought it best to post my patch here. The patch is clean against version 1.2.7 and is tested on Linux only.

Contents:
- not all binaries use the test result (FOUND -eq 1) from BINPATHS,
- corrects finding the skdet binary,
- skdet missing "-a" param,
- adding the promisc flag to one interface, then adding the next, shows only the last interface as promisc,
- parse subdirs for the config file,
- "MYDIR" referenced in rkhunter but not in rkhunter.conf,
- use "-x" instead of "-f" for checking binaries,
- TMPDIR variable contamination by the parent shell,
- correct some SCAN_ROOTKIT tags,
- displaytext/logtext,
- adds an alternative check for /var/log/ksymoops (if the dir is available).

*I would urge you to install "ip" since ifconfig is close to worthless.
Please test if you can, TIA.

Code:
--- rkhunter	2005-05-24 07:40:23.000000000 -0100
+++ rkhunter	2005-05-24 07:40:23.000000000 -0100
@@ -131,6 +131,9 @@
   NOARGS=1
 fi
 
+# Var contamination
+unset TMPDIR 
+
 while [ $# -ge 1 ]; do
   case $1 in
       --allow-ssh-root-user)
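Review bot: the new `unset TMPDIR` line carries trailing whitespace, and the two-word comment does not say why the variable is cleared; state that a TMPDIR inherited from the calling shell would otherwise pass the later `[ "${TMPDIR}" = "" ]` test untouched and be used for scratch files, bypassing both the value in rkhunter.conf and the static `${MYDIR}/lib/rkhunter/tmp` fallback. Something like `unset TMPDIR  # never trust a TMPDIR inherited from the environment` keeps the intent visible to the next reader.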
@@ -564,11 +567,34 @@
 	               ( touch ${randf} && test -f ${randf} && rm -f ${randf} ||\
 	                logtext "WARNING! ${SCAN_ROOTKIT} ${ext} hiding" )
 	        done
-	        # If we've got skdet (check Debian), let's use it too
-	        which skdet 2>/dev/null >/dev/null && skdet
 	     else
 	      logtext "Info: Extended suckit tests skipped, due to missing stat binary"       
 	   fi
+
+          SCAN_ROOTKIT="Adore"
+            if [ "${SKDETFOUND}" -eq 1 ]; then
+	        # If we've got skdet (check Debian), let's use it too
+	         ${SKDETBINARY} -a 2>&1 | tr -s " " | grep -ie invis | while read pid invistag; do
+                        _thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND INVISIBLE PID [${pid}] "
+                        displaytext "$_thisAlert"; logtext "$_thisAlert"
+                 done
+
+	     else
+	      #logtext "Info: Extended suckit tests skipped, due to missing skdet binary"
+              logtext "Info: Extended Adore tests skipped, due to missing skdet binary, defaulting to ksymoops"
+                 # Hardcoded dir, now was this a requirement in the modutils or sysklogd package, or should we use "find"?
+                 if [ -d "/var/log/ksymoops" ]; then
+                        egrep -ie "(adore|cleaner)" /var/log/ksymoops/*.ksyms | while read line; do
+                             line=(${line}); _date=$(basename "${line[0]}");
+                             _y=${_date:0:4}; _m=${_date:4:2}; _d=${_date:6:2}
+                             _h=${_date:8:2} _m=${_date:10:2} _s=${_date:12:2}
+                             _mod=${line[2]}; _thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND module ${_mod} loaded ${_y}/${_m}/${_d} ${_h}:${_m}:${_s}"
+                             displaytext "$_thisAlert"; logtext "$_thisAlert" 
+                        done
+                 else
+                        logtext "Info: Extended Adore tests skipped, due to missing ksymoops directory"
+                 fi
+	    fi
 	  else
 	    logtext "Info: Extended suckit tests skipped for this operating system (no Linux architecture)"
 	fi
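Review bot: in the ksymoops fallback, `_m` is assigned twice (the month on the `_y=...` line, then the minute on the `_h=...` line), so `_thisAlert` prints the minute where the month belongs; rename the second one, e.g. `_h=${_date:8:2} _min=${_date:10:2} _s=${_date:12:2}`, and use `${_min}` in the alert. Two smaller points: `egrep` only prefixes the file name when more than one file is given, so with a single `*.ksyms` file `line[0]` is not a path and the `basename` date parsing produces garbage (pass `-H`, or append `/dev/null` to the file list); and the commented-out `#logtext` line above the new Info message is dead code and can go.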
@@ -588,9 +614,13 @@
 
 
 # Check configuration file
-if [ "${CONFIGFILE}" = "" ]
+if [ -z "${CONFIGFILE}" ]
   then
-    if [ -f /etc/rkhunter.conf ]
+    # Relative, from current installdir root
+    if [ -d "../etc" -a -f "../etc/rkhunter.conf" ]
+      then
+        CONFIGFILE="../etc/rkhunter.conf"
+      elif [ -f "/etc/rkhunter.conf" ]
       then
         CONFIGFILE="/etc/rkhunter.conf"
       else
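Review bot: the new `../etc/rkhunter.conf` lookup is relative to the current working directory, not to where rkhunter is installed, so whoever can create `../etc/` relative to the directory the admin happens to run from supplies the configuration, and with it `INSTALLDIR`, which decides which database and helper files the scan trusts. Resolve the relative path from the script's own location instead, e.g. `MYBASE=$(cd "$(dirname "$0")/.." && pwd)` and test `"${MYBASE}/etc/rkhunter.conf"`, and consider refusing a config file that is not root-owned or is group/world-writable before reading it.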
@@ -606,8 +636,8 @@
 fi
 
 # Is the installation directory available in the configuration file? 
-MYDIR=`cat ${CONFIGFILE} | grep 'INSTALLDIR=' | sed s/INSTALLDIR=//`
-if [ "${MYDIR}" = "" ]
+MYDIR=`grep '^INSTALLDIR=' ${CONFIGFILE} | sed s/INSTALLDIR=//`
+if [ -z "${MYDIR}" ]
   then
     echo "Fatal error: can't find INSTALLDIR option in configuration file (${CONFIGFILE})"
     exit 1
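Review bot: anchoring on `^INSTALLDIR=` is the right fix (the old unanchored match would also pick up a commented `#INSTALLDIR=` line and then leave the `#` in `MYDIR`), but `${CONFIGFILE}` should be quoted in the grep, since the path comes from the command line. If several `INSTALLDIR=` lines are present, `MYDIR` becomes a multi-line value; a `head -n 1` or an explicit fatal error would make that case visible instead of producing odd paths later.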
@@ -630,10 +660,10 @@
 if [ "${TMPDIR}" = "" ]
   then
     # Search in configuration file
-    TMPDIR=`cat ${CONFIGFILE} | egrep '^TMPDIR=' | sed s/TMPDIR=//`
+    TMPDIR=`grep '^TMPDIR=' ${CONFIGFILE} | sed s/TMPDIR=//`
     
     # If not available in configuration file, make it static
-    if [ "${TMPDIR}" = "" ]
+    if [ -z "${TMPDIR}" ]
       then
         TMPDIR="${MYDIR}/lib/rkhunter/tmp"
     fi
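Review bot: the outer `if [ "${TMPDIR}" = "" ]` is left in the old form while the inner test is converted to `-z`; convert both for consistency, and quote `"${CONFIGFILE}"` in the grep as in the INSTALLDIR hunk. Note also that, after the `unset TMPDIR` added at the top of the script, the outer test is always true unless something between the unset and this point sets the variable, so the comment "Search in configuration file" now describes the normal path rather than a fallback.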
@@ -715,33 +745,34 @@
 PERLFOUND=0; PRELINKFOUND=0; PSFOUND=0;
 STATFOUND=0; STRINGSFOUND=0
 WGETFOUND=0
-
+SKDETFOUND=0
 
 logtext "-------------------------- Application scan ---------------------------"
 
 for I in ${BINPATHS}; do
 
 
-  J=${I}"/find";      	if [ -f ${J} ]; then logtext "Found ${J}"; FINDFOUND=1;    	 FINDBINARY=${J};      	fi
-  J=${I}"/ip";      	if [ -f ${J} ]; then logtext "Found ${J}"; IPFOUND=1;    	 IPBINARY=${J};      	fi
-  J=${I}"/ifconfig";	if [ -f ${J} ]; then logtext "Found ${J}"; IFCONFIGFOUND=1;      IFCONFIGBINARY=${J};   fi
-  J=${I}"/lynx";    	if [ -f ${J} ]; then logtext "Found ${J}"; LYNXFOUND=1;	 	 LYNXBINARY=${J};       fi
-  J=${I}"/ls";      	if [ -f ${J} ]; then logtext "Found ${J}"; LSFOUND=1;   	 LSBINARY=${J};         fi
-  J=${I}"/lsattr";     	if [ -f ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1;  	 LSATTRBINARY=${J};     fi
-  J=${I}"/lsmod";      	if [ -f ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1;    	 LSMODBINARY=${J};      fi
-  J=${I}"/lsof";    	if [ -f ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1;    	 LSOFBINARY=${J};       fi
-  J=${I}"/md5";     	if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
-  J=${I}"/md5sum";  	if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
-  J=${I}"/nmap";    	if [ -f ${J} ]; then logtext "Found ${J}"; NMAPFOUND=1;    	 NMAPBINARY=${J};       fi
-  J=${I}"/prelink";   	if [ -f ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; 	 PRELINKBINARY=${J};    fi
-  J=${I}"/ps";      	if [ -f ${J} ]; then logtext "Found ${J}"; PSFOUND=1;      	 PSBINARY=${J};         fi
-  J=${I}"/stat"; 	if [ -f ${J} ]; then logtext "Found ${J}"; STATFOUND=1;	   	 STATBINARY=${J};       fi
-  J=${I}"/strings"; 	if [ -f ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; 	 STRINGSBINARY=${J};    fi
-  J=${I}"/wget";    	if [ -f ${J} ]; then logtext "Found ${J}"; WGETFOUND=1;    	 WGETBINARY=${J};       fi
+  J=${I}"/find";      	if [ -x ${J} ]; then logtext "Found ${J}"; FINDFOUND=1;    	 FINDBINARY=${J};      	fi
+  J=${I}"/ip";      	if [ -x ${J} ]; then logtext "Found ${J}"; IPFOUND=1;    	 IPBINARY=${J};      	fi
+  J=${I}"/ifconfig";	if [ -x ${J} ]; then logtext "Found ${J}"; IFCONFIGFOUND=1;      IFCONFIGBINARY=${J};   fi
+  J=${I}"/lynx";    	if [ -x ${J} ]; then logtext "Found ${J}"; LYNXFOUND=1;	 	 LYNXBINARY=${J};       fi
+  J=${I}"/ls";      	if [ -x ${J} ]; then logtext "Found ${J}"; LSFOUND=1;   	 LSBINARY=${J};         fi
+  J=${I}"/lsattr";     	if [ -x ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1;  	 LSATTRBINARY=${J};     fi
+  J=${I}"/lsmod";      	if [ -x ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1;    	 LSMODBINARY=${J};      fi
+  J=${I}"/lsof";    	if [ -x ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1;    	 LSOFBINARY=${J};       fi
+  J=${I}"/md5";     	if [ -x ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
+  J=${I}"/md5sum";  	if [ -x ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
+  J=${I}"/nmap";    	if [ -x ${J} ]; then logtext "Found ${J}"; NMAPFOUND=1;    	 NMAPBINARY=${J};       fi
+  J=${I}"/prelink";   	if [ -x ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; 	 PRELINKBINARY=${J};    fi
+  J=${I}"/ps";      	if [ -x ${J} ]; then logtext "Found ${J}"; PSFOUND=1;      	 PSBINARY=${J};         fi
+  J=${I}"/stat"; 	if [ -x ${J} ]; then logtext "Found ${J}"; STATFOUND=1;	   	 STATBINARY=${J};       fi
+  J=${I}"/strings"; 	if [ -x ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; 	 STRINGSBINARY=${J};    fi
+  J=${I}"/wget";    	if [ -x ${J} ]; then logtext "Found ${J}"; WGETFOUND=1;    	 WGETBINARY=${J};       fi
+  J=${I}"/skdet";    	if [ -x ${J} ]; then logtext "Found ${J}"; SKDETFOUND=1;    	 SKDETBINARY=${J};      fi
   
   # Perl
   J=${I}"/perl";
-  if [ -f ${J} ]; then
+  if [ -x ${J} ]; then
     PERLFOUND=1
     PERLBINARY=${J}
     #PERLVERSION=`${J} -V:version | tr -d "version" | tr -d '=' | tr -d "'" | tr -d ";" `
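Review bot: `-x` is an improvement over `-f` (a non-executable file left in a bin directory no longer counts as found), but `[ -x ${J} ]` is also true for a directory with the execute bit set, so keep the regular-file test alongside it: `if [ -f ${J} -a -x ${J} ]`. Also note that `-x` is evaluated with the permissions of the invoking user, so a run as a non-root account may silently skip binaries it cannot execute; the Application scan log will then record them as not found rather than as a permission problem.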
@@ -776,6 +807,12 @@
   logtext "Info: ip not found" >> ${DEBUGFILE}
 fi
 
+if [ "${SKDETFOUND}" -eq 1 ]; then
+  logtext "Info: skdet found" >> ${DEBUGFILE}
+ else
+  logtext "Info: skdet not found" >> ${DEBUGFILE}
+fi
+
 
 
 logtext "Application scan ended"
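Review bot: in the new skdet block the `else` is indented by a single space while its `if` and `fi` sit at column 0; put it at column 0 like the `fi` so the block reads the same as the other FOUND/not-found reports in this section.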
@@ -2299,7 +2336,7 @@
 		  MYPACKAGES=`cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/" | grep ":${file}:" | cut -d : -f 6`
 		  #FILEHASHES=`echo ${i} | cut -d : -f 3`
 		  for J in ${FILEHASHES}; do
-		  if [ ${PRELINKING} -eq 1 ]
+		  if [ "$PRELINKING" -eq "1" -a "$PRELINKFOUND" -eq "1" ]
 		    then
 		      PRELINKVERIFY=`${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst`
 		      myhash=`${md5} ${TMPDIR}/prelink.tst | cut -d " " -f 1`
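Review bot: the added `"$PRELINKFOUND" -eq "1"` guard stops the script from invoking an empty `${PRELINKBINARY}` when prelinking is configured but prelink is not installed, but it then drops silently into the non-prelink hash path, where hashes of prelinked binaries will not match the database and produce warnings that are hard to explain; log a warning once, outside the `for J` loop, when `PRELINKING` is 1 and `PRELINKFOUND` is 0. Separately, `PRELINKVERIFY=` captures nothing because the command's stdout is redirected into `${TMPDIR}/prelink.tst`; drop the assignment or the redirect, and quote `"${file}"`.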
@@ -3843,7 +3880,7 @@
 	    	logtext "Possible promisc interfaces:"
 		logtext "Output test 1: ${PROMISCSCAN}"
 	        if [ ! "${PROMISCSCAN2}" = "" ]; then
-		  PROMISCSCAN2IFACES=`${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'`
+		  PROMISCSCAN2IFACES=( `${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'` ); PROMISCSCAN2IFACES="${PROMISCSCAN2IFACES[@]}"
 		  logtext "Output test 2: ${PROMISCSCAN2IFACES}"
 		  
 	        fi
 
  
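Review bot: reading the interface names into an array and immediately flattening it back with `"${PROMISCSCAN2IFACES[@]}"` does fix the "only the last interface" symptom, but all it achieves is turning the newline-separated list into a space-separated one; `| tr '\n' ' '` at the end of the pipeline does the same in one step without bash arrays. Since `cut -d ' ' -f2` depends on the exact column layout of `ip -s link`, consider extracting the name directly from the header line, e.g. `grep PROMISC | sed 's/^[0-9]*: \([^:@]*\).*/\1/'`, which also handles `name@parent` style interfaces.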

