LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-04-2007, 03:12 PM   #1
opto
Member
 
Registered: Jun 2006
Location: Pennsylvania
Distribution: Slackware64 , OS X , OpenBSD
Posts: 56

rootkit hunter warning found differences in output kernel modules


Running Slackware 10.2 with kernel version 2.4.31

I run Rootkit Hunter and chkrootkit about twice a day. I decided to make a simple bash script to make the process a little easier, here is the code:
Code:
#!/bin/bash
# This script runs chkrootkit and Rootkit Hunter (update & scan)
# without all of the typing.
# Run as root.

# Abort if the chkrootkit directory is missing, so ./chkrootkit is not
# looked for in whatever directory the script happened to be started from.
cd /usr/newapps/chkrootkit-0.47 || exit 1
./chkrootkit
rkhunter --update
rkhunter -c
exit 0
I decided to test the script (while in my home directory /home/michael/bin). chkrootkit said everything was fine, but when Rootkit Hunter ran I got this warning:
Code:
* OS dependant tests

 Linux
  Checking loaded kernel modules...[ Warning! (found difference in output) ]
   Checking file attributes        [ OK ]
   Checking LKM module path        [ OK ]
To see if the warning would come up again, I decided to run Rootkit Hunter normally by typing rkhunter -c as root. Here are the commands I typed:
Code:
root@toroidal:/home/michael/bin# rkhunter --update
root@toroidal:/home/michael/bin# rkhunter -c
The warning did not come up again. I tried running chkrootkit to see if it would show me something, but it said everything was O.K. I decided to run my bash script again, but the warning did not come up in Rootkit Hunter.

Running my bash script the first time I got the warning, but it did not show up the second time. chkrootkit did not show any errors or warnings, and Rootkit Hunter did not show the warning again (regardless of using the script or not).

This is the first time this has happened. I did not update the kernel nor did I update kernel modules. I searched google and LQ but nothing came up. Nothing obvious is different with my system (like password changes, deleted files, etc.) I should note that it seems Rootkit Hunter 1.2.9 does not fully support my OS.

Code:
root@toroidal:/home/michael/bin# rkhunter --update;rkhunter -c
Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file                      : Up to date
[DB] MD5 hashes system binaries       : Up to date
[DB] Operating System information     : ERROR
Fatal error: no valid version tag in filename

Ready.


Rootkit Hunter 1.2.9 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!
Has anybody come across anything like this before? Does anybody have a reasonable explanation for this?
Does anybody think that I've been compromised? Should I be worried about this warning?

Last edited by opto; 02-04-2007 at 03:14 PM.
 
Old 02-04-2007, 04:23 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,277
Blog Entries: 54

Quote:
Checking loaded kernel modules...[ Warning! (found difference in output) ]
The first thing to check would be your rkhunter.log.


Quote:
I should note that it seems Rootkit Hunter 1.2.9 does not fully support my OS.
If you read the accompanying(/online) FAQ and/or rkhunter-users mailing list archives you'd see running 'hashupd' fixes that. The upcoming version of RKH will have none of those issues anymore.


Quote:
Has anybody come across anything like this before?
No.


Quote:
Does anybody have a reasonable explanation for this?
No. In 1.2.9 the code is a diff between these two commands:
Code:
]# vi rkhunter
:set number

   3759                         temp1=`cat /proc/modules | sort | tr -d ' '`
   3763                     temp2=`lsmod | grep -v "Size  Used by" | sort | tr -d ' '`
so it would be ultra easy to generate a script to test for yourself if this occurs more than sporadically.


Quote:
Does anybody think that I've been compromised? Should I be worried about this warning?
I cannot tell because you do not present "evidence" that points in either direction. Doubts should be addressed by running checks. If you need guidance use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html (as RKH's FAQ would point you to).
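The check unSpawn quotes above, reproduced as an added shell script (not rkhunter's own code) that repeats the comparison and prints the module names that differ, so a single warning can be triaged instead of guessed at. It deliberately compares module names only, so unlike the whole-line comparison in 1.2.9 a "Used by" count that changes between the two reads is not flagged. It assumes a Linux host with /proc/modules and lsmod for the live run; the sample listings are constructed.

```shell
#!/bin/bash
# Added example, not rkhunter's own code. It mirrors what rkhunter 1.2.9 does
# (compare /proc/modules against lsmod) but reports the differing module names
# and repeats the check, so a one-off warning can be triaged.
# Assumes a Linux host with /proc/modules and lsmod for the live check.

# Reduce a module listing to sorted module names: drop the lsmod header and
# the size/usage columns, which is all the two sources are expected to agree on.
normalize_modules() {
    grep -v 'Size  Used by' | awk 'NF { print $1 }' | sort -u
}

# Compare two listings passed as strings. Prints names present in only one of
# them (the symmetric difference) and returns 1 if any, 0 if they agree.
compare_module_lists() {
    local a b diffs
    a=$(printf '%s\n' "$1" | normalize_modules)
    b=$(printf '%s\n' "$2" | normalize_modules)
    diffs=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -u)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Take the same two live snapshots rkhunter takes, several times in a row. A
# module autoloaded or removed between the two reads shows up as a sporadic
# mismatch; a persistent one is what actually needs investigation.
check_live_modules() {
    local runs=${1:-5} i=1 mismatches=0
    [ -r /proc/modules ] && command -v lsmod >/dev/null 2>&1 || return 2
    while [ "$i" -le "$runs" ]; do
        compare_module_lists "$(cat /proc/modules)" "$(lsmod)" || mismatches=$((mismatches + 1))
        i=$((i + 1))
    done
    echo "$mismatches of $runs runs differed"
    [ "$mismatches" -eq 0 ]
}

# Constructed 2.4-style samples: /proc/modules and lsmod agree, then a module
# appears in the second snapshot, as if loaded between the two reads.
PROC_SAMPLE='agpgart                44164   0 (unused)
e100                   61480   1'
LSMOD_SAMPLE="Module                  Size  Used by    Not tainted
$PROC_SAMPLE"
LSMOD_RACED="$LSMOD_SAMPLE
nls_iso8859-1           3516   1 (autoclean)"

compare_module_lists "$PROC_SAMPLE" "$LSMOD_RACED" || echo "difference found (expected in the constructed case)"
if [ "${1:-}" = "--live" ]; then check_live_modules 5; fi
```

Run it with --live as root to repeat the real check; a non-zero exit after the count line means at least one run differed.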
 
Old 02-04-2007, 10:24 PM   #3
opto
Member
 
Registered: Jun 2006
Location: Pennsylvania
Distribution: Slackware64 , OS X , OpenBSD
Posts: 56

Original Poster
I checked out CERT that you linked to, I did all of the checks and so far everything seems to be O.K. I am still going to investigate further. I might just reinstall just to make sure. Thanks for the help.
 
Old 02-05-2007, 03:33 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,277
Blog Entries: 54

Quote:
I checked out CERT that you linked to, I did all of the checks and so far everything seems to be O.K.
OK, good to hear.


Quote:
I am still going to investigate further.
May I ask what and how? If everything checked out from the Intruder Detection Checklist the next thing I would do is boot a Live CD like Helix or KNOPPIX and check filesystem integrity.


Quote:
I might just reinstall just to make sure.
Don't conclude that too easily. There's still chances of it being a false positive.
 
Old 02-06-2007, 11:35 AM   #5
opto
Member
 
Registered: Jun 2006
Location: Pennsylvania
Distribution: Slackware64 , OS X , OpenBSD
Posts: 56

Original Poster
Follow up Post

After trying to check the file system with Knoppix, I just decided to upgrade to Slackware 11.0. I did not install all of my backup files, fearing that any one of them could be infected (I only installed the files that I absolutely trusted).

I know I did the cheesy solution to the problem but oh well. Slackware 11.0 runs great. Thanks for the help unSpawn, next time I'll be a more diligent user.
 
Old 02-06-2007, 11:48 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,277
Blog Entries: 54

OK, NP. After all it's *your* well-informed choice and nobody can argue with that.
Do me a favour and check out the LQ FAQ: Security references. Just in case. OK?
 
Old 02-06-2007, 07:30 PM   #7
opto
Member
 
Registered: Jun 2006
Location: Pennsylvania
Distribution: Slackware64 , OS X , OpenBSD
Posts: 56

Original Poster
O.K. I'll check out the link.