LinuxQuestions.org


adityavpratap 02-15-2007 07:57 AM

rkhunter warnings
 
Hi,
I am getting the following warnings when I run the rootkit hunter -

Quote:

#rkhunter -c

Quote:

* Filesystem check

Checking /dev/ for suspicious files [OK]
Scanning for hidden files [warning]

___________________________________________________
/dev/.udev /etc/.pwd.lock
___________________________________________________
Please inspect: /dev/.udev (directory)

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
Any suggestions as to what is going on?

Hangdog42 02-15-2007 08:02 AM

You need to lock down your ssh server, or turn it off.

In your /etc/ssh/sshd_config find these lines and change:

Protocol 2,1 should be changed to Protocol 2

and

PermitRootLogin yes should be changed to PermitRootLogin no

adityavpratap 02-15-2007 09:18 AM

Hi,
Thanks for the reply. Actually I am not running ssh on my system and /etc/rc.d/rc.sshd is not executable. And moreover the lines "Protocol 2,1" and "Permitrootlogin yes" were actually commented out in the config file. I have now uncommented these lines and changed them to "Protocol 2" and "Permitrootlogin no". Will this help?

Hangdog42 02-15-2007 12:46 PM

It certainly will reduce the complaining from rkhunter, but since you weren't actually running sshd, it won't matter from a security perspective. In other words, it never was a security problem since sshd wasn't running.

The warning rkhunter gives is probably just from checking the config file, and not from testing whether sshd was running. The bonus is that should you turn sshd on, you'll have a more secure system running since you've already made the changes.

Quote:

And moreover the lines "Protocol 2,1" and "Permitrootlogin yes" were actually commented out in the config file.
I believe that in sshd_config, any value that is presented, and also commented out, is considered a default. Again, should you decide to turn on sshd, you do need to worry about this stuff, but if you're not using it, and it's not running, it doesn't present a security problem.
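As an added illustration of the two sshd_config checks discussed above (Protocol and PermitRootLogin) and of the commented-out-means-default point, here is a small POSIX shell script; it is not rkhunter's code and not from the thread. It assumes the 2007-era defaults the thread describes, i.e. a commented-out line leaves "Protocol 2,1" and "PermitRootLogin yes" in force, and it follows sshd's rule that the first uncommented occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example (not from rkhunter or the thread): report the effective value of the
# sshd_config directives rkhunter warned about. Assumption: a directive that only
# appears commented out leaves the 2007-era defaults "Protocol 2,1" and
# "PermitRootLogin yes" in force, so "default" is treated as a warning.

# Print the effective value of a directive. sshd uses the first uncommented
# occurrence of a keyword (keywords are case-insensitive); absent -> "default".
sshd_effective() {
    # $1 = config file, $2 = directive name
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    [ -n "$val" ] && echo "$val" || echo "default"
}

# Apply the two checks from the thread: one line per check, non-zero exit status
# when either setting is weak so the function can drive a script or cron job.
sshd_config_check() {
    cfg="$1"; rc=0
    proto=$(sshd_effective "$cfg" Protocol)
    root=$(sshd_effective "$cfg" PermitRootLogin)
    case "$proto" in
        2) echo "Protocol: OK (2)" ;;
        # "default" (commented out), "1" or "2,1" all leave SSH v1 enabled here
        *) echo "Protocol: WARNING (SSH v1 allowed: $proto)"; rc=1 ;;
    esac
    case "$root" in
        no) echo "PermitRootLogin: OK (no)" ;;
        *) echo "PermitRootLogin: WARNING (root login possible: $root)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample mirroring the original post: both lines present but commented out.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, not a real system file)
#Protocol 2,1
#PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Usage: write_sample_config /tmp/sshd_config.sample; sshd_config_check /tmp/sshd_config.sample
```

Uncommenting the two lines and setting them to "Protocol 2" and "PermitRootLogin no", as Hangdog42 describes, makes both checks report OK.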

adityavpratap 02-15-2007 09:05 PM

Thanks! :-)

adityavpratap 02-19-2007 06:53 AM

Today, I am getting these warnings when I did rkhunter -c -
Quote:

Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/date [ OK ]
/bin/dmesg [ OK ]
/bin/env [ OK ]
/bin/grep [ OK ]
/bin/id [ OK ]
/bin/kill [ OK ]
/bin/login [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/bin/ls [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/sbin/sysctl [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/passwd [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/usr/bin/pstree [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/top [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ OK ]
/usr/sbin/inetd [ OK ]
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update).
Can someone tell me what is the meaning of unknown hashes? According to rkhunter my login, su and passwd files are "BAD". To me it appears a pretty serious scenario. Can anyone tell me what is going on? As it appears from the message displayed by rkhunter, this can happen due to replaced binaries or updated packages. I don't remember having updated either login, su or passwd packages.

Hangdog42 02-19-2007 07:59 AM

Quote:

Can someone tell me what is the meaning of unknown hashes.
I think the way rkhunter works is that it has a hash (i.e. a digital signature) of the known good binary that it compares to what is on your system. If the two match, then the binary passes the test. If they don't match, it means that the binary on your system has been modified in some manner. That can come either from upgrading the package or from someone tampering with it.

Quote:

As it appears from the message displayed by rkhunter, this can happen due to replaced binaries or updated packages. I don't remember having updated either login, su or passwd packages.
Since you're posting in the Slackware forum, I'm assuming this is a stock Slackware 11 install. If you've just been using the Slackware updates, you're right, those haven't been updated. If you haven't done anything on your own, this could be real trouble. Have you run rkhunter --update recently?

I'm going to suggest you do two things:

1) Pull this box off the net. If it is compromised, you don't want whoever did it to be able to use it. However, don't reboot or turn it off.

2) Start working through the CERT/CC checklist on what to do if you think you've been compromised.

If that shows any signs of tampering, or if you are still suspicious, use the Report button and ask the moderators to move this thread to the Security forum. You'll probably get good advice here, but you will definitely get good advice there.

<edit>
You might want to run chkrootkit for a second opinion on the machine. Also, do you run a file checker like Aide or Samhain or Tripwire?
</edit>

adityavpratap 02-19-2007 09:12 AM

One more question before I hit the panic button. I have installed Dropline Gnome and have heard that it makes changes to the stock Slackware 11.0 install. Is it possible that my installation of Dropline may have changed these binaries?

Hangdog42 02-19-2007 09:53 AM

Hm. That might explain a lot, but I think you'll need to investigate what Dropline actually touches. I know one of the changes it makes is to move to PAM for authentication, and that has the potential to explain the binaries marked as BAD. So there is at least one question that needs to be answered:

Did the rkhunter warnings start on the first run after installing Dropline or has Dropline been running for a bit? Also, did you update rkhunter after installing Dropline?

I know a few of the Dropline developers do monitor this forum, so hopefully they will chime in. If they don't, you might want to start a thread in Dropline's forums and ask if they know if Dropline will cause rkhunter to react. In addition, I'm going to drop unSpawn an email and see if he will take a look at this thread. He's leading the rkhunter development and probably has some insights and/or additional questions.

adityavpratap 02-19-2007 10:17 AM

Hey Hangdog42, you have been very helpful, friend. This is what I love about Linux - helpful forums and friendly, learned and cooperative users who are always ready to help people in real trouble!
Actually I didn't check rkhunter till a few days after installing Dropline. I'll start a thread in Dropline forums as well.

Hangdog42 02-19-2007 11:47 AM

Quote:

Originally Posted by adityavpratap
Actually I didn't check rkhunter till a few days after installing Dropline.

Glad to help.....

Anyway, I'm not entirely sure you understood my question so I'll try again. Was the rkhunter run you posted the first since you installed Dropline? It doesn't matter how long it was between the Dropline install and the first rkhunter run, but if this was the first time, it could (but doesn't necessarily) support the idea that the Dropline install caused this. However, if you have run rkhunter a few times since you installed Dropline and those other runs came up clean, then Dropline is almost certainly not the culprit and you've likely got a real problem here.

unSpawn 02-19-2007 03:13 PM

Quote:

I am getting the following warnings when I run the rootkit hunter
What version of Rootkit Hunter (abbrev.: RKH) are you running?
If not 1.2.9 or CVS, do upgrade before reporting *anything*.

Quote:

The warning rkhunter gives is probably just from checking the config file, and not from testing whether sshd was running.
That is correct.

Quote:

* System tools
Performing 'known good' check...
/bin/cat [ OK ]
(..)
/bin/login [ BAD ]
failed to open //var/lib/rpm/packages.rpm
(..)
I don't remember having updated either login, su or passwd packages.

First of all please don't "think" or "assume" or "try to remember": just look at your logs.
Second, if you're running RKH, and you determined the files were updated or otherwise legitimately changed (think stuff like prelinking), then you will want to run 'hashupd'.
You will find it on RKH's D/L page at Sourceforge.

* BTW, I'm also interested in the "failed to open " message. If you run RKH 1.2.9 run it again as "sh -x rkhunter -c -sk --cronjob 2>&1>/tmp/rkhunter.debug", compress it and post me a download link I can get the file from. If you can't dump it temporarily send me an email and we'll discuss things.

* I would also like to note RKH has a pretty efficient end-user mailing list on which problems like these are solved usually within 48 hrs. Besides that the off|online FAQ, docs and rkhunter-users mailing list archives already show answers to questions like these. My point is (and this is not to chide you): if you use something, please try to make an effort to get acquainted with its possibilities and use all sources of information you can.

Quote:

http://www.linuxquestions.org/questi...84#post2636884
You sense a certain doubt.
You post a clear list of steps to follow.
Well done!

Quote:

I have installed Dropline Gnome and have heard that it makes changes to the stock Slackware 11.0 install. Is it possible that my installation of Dropline may have changed these binaries?
FWIW: IMHO the chance Dropline would even want to touch directories containing default system binaries seems infinitesimal to me.

zborgerd 02-21-2007 03:46 PM

Dropline does indeed replace the standard Slackware Shadow package in order to add PAM support, as mentioned in the download page:

http://forums.droplinegnome.org/viewtopic.php?t=4739

The Shadow package contains binaries for /bin/login, /bin/su, and /usr/bin/passwd (among other things in the Shadow package), which is where the PAM login authentication comes from. It's essentially the only way to get proper HAL support on Slackware, one of the only distributions in the world that still doesn't use PAM.

The problem with rootkit hunters like this is that they do not take package rebuilds into consideration. If your rootkit hunter is simply checking known hashes of popular distributions, then these binaries will fail a hash check. If you are concerned, you can manually check the binaries in the Dropline Shadow package (which I built), and if they are correct - you can update rkhunter's hashes with the --update flag:

http://umn.dl.sourceforge.net/source...1-i686-2dl.tgz
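To make concrete what the "known good" check described by Hangdog42 does, and why a rebuilt package such as Dropline's Shadow shows up as BAD until the hashes are refreshed (unSpawn's hashupd step), here is an added POSIX shell sketch; it is not rkhunter's code and the file names and baseline format are constructed for the demo.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal "known good" hash check in the style
# of rkhunter's System tools section, plus a baseline refresh playing the role of hashupd.
# Baseline lines are "<sha256>  <path>", the format sha256sum writes.

# Record the current hashes of the listed files as the trusted baseline. Only do this
# after the files have been verified another way (package signature, clean media).
hash_baseline() {
    baseline="$1"; shift
    sha256sum "$@" > "$baseline"
}

# Compare every baseline entry with the file on disk, printing one rkhunter-style line
# per file. Returns non-zero if anything is BAD or missing, so a cron job can alert.
hash_check() {
    baseline="$1"; status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "$path [ MISSING ]"; status=1; continue
        fi
        actual=$(sha256sum "$path" | awk '{print $1}')
        if [ "$actual" = "$expected" ]; then
            echo "$path [ OK ]"
        else
            # The bytes changed. The hash alone cannot tell a package rebuild (the
            # Dropline Shadow case) from tampering; that needs package logs or a
            # second opinion such as chkrootkit, as suggested earlier in the thread.
            echo "$path [ BAD ]"; status=1
        fi
    done < "$baseline"
    return $status
}

# Constructed demo: stand-ins for /bin/login and /bin/su under a scratch directory.
hash_demo() {
    dir=$(mktemp -d)
    printf 'login v1\n' > "$dir/login"
    printf 'su v1\n' > "$dir/su"
    hash_baseline "$dir/baseline" "$dir/login" "$dir/su"
    printf 'login v2, rebuilt with PAM\n' > "$dir/login"   # simulate a package rebuild
    hash_check "$dir/baseline" || echo "mismatch: verify the package, then refresh"
    hash_baseline "$dir/baseline" "$dir/login" "$dir/su"  # the hashupd step, after verifying
    hash_check "$dir/baseline"                            # now reports OK for both
    rm -rf "$dir"
}

hash_demo
```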

adityavpratap 02-22-2007 02:39 AM

Thanks a lot, I'll update the hashes

unSpawn 02-22-2007 12:31 PM

Quote:

if they are correct - you can update rkhunter's hashes with the --update flag
No, hashupd.

