LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 02-15-2007, 06:57 AM   #1
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Rep: Reputation: 32
rkhunter warnings


Hi,
I am getting the following warnings when I run the rootkit hunter -

Quote:
#rkhunter -c

Quote:
* Filesystem check

Checking /dev/ for suspicious files [OK]
Scanning for hidden files [warning]

___________________________________________________
/dev/.udev /etc/.pwd.lock
___________________________________________________
Please inspect: /dev/.udev (directory)

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
Any suggestions as to what is going on?
 
Old 02-15-2007, 07:02 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
You need to lock down your ssh server, or turn it off.

In your /etc/ssh/sshd_config find these lines and change:

Protocol 2,1 should be changed to Protocol 2

and

PermitRootLogin yes should be changed to PermitRootLogin no
 
Old 02-15-2007, 08:18 AM   #3
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Original Poster
Rep: Reputation: 32
Hi,
Thanks for the reply. Actually I am not running ssh on my system and /etc/rc.d/rc.sshd is not executable. Moreover, the lines "Protocol 2,1" and "Permitrootlogin yes" were actually commented out in the config file. I have now uncommented these lines and changed them to "Protocol 2" and "Permitrootlogin no". Will this help?
 
Old 02-15-2007, 11:46 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
It certainly will reduce the complaining from rkhunter, but since you weren't actually running sshd, it won't matter from a security perspective. In other words, it never was a security problem since sshd wasn't running.

The warning rkhunter gives is probably just from checking the config file, and not from testing whether sshd was running. The bonus is that should you turn sshd on, you'll have a more secure system running since you've already made the changes.

Quote:
And moreover the lines "Protocol 2,1" and "Permitrootlogin yes" were actually commented out in the config file.
I believe that in sshd_config, any value that is presented, and also commented out, is considered a default. Again, should you decide to turn on sshd, you do need to worry about this stuff, but if you're not using it, and it's not running, it doesn't present a security problem.
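The two posts above describe the sshd_config situation rkhunter was flagging: a commented-out "#Protocol 2,1" or "#PermitRootLogin yes" line documents the compiled-in default, and an uncommented line overrides it (sshd uses the first active value it finds for a keyword). The script below is an added example, not code from the thread or from rkhunter, that reports the effective value of a keyword under exactly that interpretation and then audits the two settings Hangdog42 told the poster to change. The function names and the constructed sample config are mine.

```shell
#!/bin/sh
# Added example (not from the thread, not rkhunter's code): report the
# effective value of an sshd_config keyword and audit the two settings
# discussed above. A commented "#Keyword value" line is treated as the
# documented default; the first uncommented "Keyword value" line wins,
# as sshd itself does. Keyword matching is case-insensitive like sshd's.

# sshd_effective FILE KEYWORD
# Prints "<value> (set)" when an active line sets KEYWORD,
# "<value> (default)" when only a commented default exists,
# or "unset (default)" when the file says nothing about it.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 { next }                      # skip blank lines
        tolower($1) == k {                    # active directive: first match wins
            print $2 " (set)"; found = 1; exit
        }
        def == "" && tolower($1) == ("#" k) { # commented default, keep scanning
            def = $2
        }
        END {
            if (!found) print (def != "" ? def " (default)" : "unset (default)")
        }
    ' "$1"
}

# sshd_audit FILE
# Prints one line per setting and returns 1 if either is the weak value
# rkhunter complained about (SSH v1 allowed, or root login permitted).
sshd_audit() {
    rc=0
    proto=$(sshd_effective "$1" Protocol)
    case $proto in
        *1*) echo "WARN Protocol: $proto (SSH v1 allowed)"; rc=1 ;;
        *)   echo "OK   Protocol: $proto" ;;
    esac
    root=$(sshd_effective "$1" PermitRootLogin)
    case $root in
        yes*) echo "WARN PermitRootLogin: $root (root login possible)"; rc=1 ;;
        *)    echo "OK   PermitRootLogin: $root" ;;
    esac
    return $rc
}

# Demo on a constructed sshd_config fragment (not the poster's real file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample mirroring the stock defaults mentioned in the thread
#Protocol 2,1
#PermitRootLogin yes
EOF
sshd_audit "$demo" || true
rm -f "$demo"
```

On a live host the authoritative answer is `sshd -T` (run as root), which prints the configuration sshd actually parsed, including Match-block handling that this simple reader ignores; the script is only meant to make the commented-default rule from the post concrete.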
 
Old 02-15-2007, 08:05 PM   #5
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Original Poster
Rep: Reputation: 32
Thanks! :-)
 
Old 02-19-2007, 05:53 AM   #6
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Original Poster
Rep: Reputation: 32
Today, I am getting these warnings when I did rkhunter -c -
Quote:
Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/date [ OK ]
/bin/dmesg [ OK ]
/bin/env [ OK ]
/bin/grep [ OK ]
/bin/id [ OK ]
/bin/kill [ OK ]
/bin/login [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/bin/ls [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/sbin/sysctl [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/passwd [ BAD ]
failed to open //var/lib/rpm/packages.rpm

/usr/bin/pstree [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/top [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ OK ]
/usr/sbin/inetd [ OK ]
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update).
Can someone tell me what is the meaning of unknown hashes? According to rkhunter my login, su and passwd files are "BAD". To me it appears a pretty serious scenario. Can anyone tell me what is going on? As it appears from the message displayed by rkhunter, this can happen due to replaced binaries or updated packages. I don't remember having updated either login, su or passwd packages.
 
Old 02-19-2007, 06:59 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Can someone tell me what is the meaning of unknown hashes.
I think the way rkhunter works is that it has a hash (i.e. a digital signature) of the known good binary that it compares to what is on your system. If the two match, then the binary passes the test. If they don't match, it means that the binary on your system has been modified in some manner. That can come either from upgrading the package or from someone tampering with it.

Quote:
As it appears from the message displayed by rkhunter, this can happen due to replaced binaries or updated packages. I don't remember having updated either login, su or passwd packages.
Since you're posting in the Slackware forum, I'm assuming this is a stock Slackware 11 install. If you've just been using the Slackware updates, you're right, those haven't been updated. If you haven't done anything on your own, this could be real trouble. Have you run rkhunter --update recently?

I'm going to suggest you do two things:

1) Pull this box off the net. If it is compromised, you don't want whoever did it to be able to use it. However, don't reboot or turn it off.

2) Start working through the CERT/CC checklist on what to do if you think you've been compromised.

If that shows any signs of tampering, or if you are still suspicious, use the Report button and ask the moderators to move this thread to the Security forum. You'll probably get good advice here, but you will definitely get good advice there.

<edit>
You might want to run chkrootkit for a second opinion on the machine. Also, do you run a file checker like Aide or Samhain or Tripwire?
</edit>

Last edited by Hangdog42; 02-19-2007 at 07:02 AM.
 
Old 02-19-2007, 08:12 AM   #8
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Original Poster
Rep: Reputation: 32
One more question before I hit the panic button. I have installed Dropline Gnome and have heard that it makes changes to the stock Slackware 11.0 install. Is it possible that my installation of Dropline may have changed these binaries?
 
Old 02-19-2007, 08:53 AM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Hm. That might explain a lot, but I think you'll need to investigate what Dropline actually touches. I know one of the changes it makes is to move to PAM for authentication, and that has the potential to explain the binaries marked as BAD. So there is at least one question that needs to be answered:

Did the rkhunter warnings start on the first run after installing Dropline or has Dropline been running for a bit? Also, did you update rkhunter after installing Dropline?

I know a few of the Dropline developers do monitor this forum, so hopefully they will chime in. If they don't, you might want to start a thread in Dropline's forums and ask if they know if Dropline will cause rkhunter to react. In addition, I'm going to drop unSpawn an email and see if he will take a look at this thread. He's leading the rkhunter development and probably has some insights and/or additional questions.

Last edited by Hangdog42; 02-19-2007 at 08:55 AM.
 
Old 02-19-2007, 09:17 AM   #10
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Original Poster
Rep: Reputation: 32
Hey Hangdog42, you have been very helpful friend. This is what I love about Linux - helpful forums and friendly, learned and cooperative users who are always ready to help people in real trouble!
Actually I didn't check rkhunter till a few days after installing Dropline. I'll start a thread in the Dropline forums as well.
 
Old 02-19-2007, 10:47 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by adityavpratap
Actually I didn't checkup rkhunter till a few days after installing Dropline.
Glad to help.....

Anyway, I'm not entirely sure you understood my question so I'll try again. Was the rkhunter run you posted the first since you installed Dropline? It doesn't matter how long it was between the Dropline install and the first rkhunter run, but if this was the first time, it could (but doesn't necessarily) support the idea that the Dropline install caused this. However, if you have run rkhunter a few times since you installed Dropline and those other runs came up clean, then Dropline is almost certainly not the culprit and you've likely got a real problem here.
 
Old 02-19-2007, 02:13 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
I am getting the following warnings when I run the rootkit hunter
What version of Rootkit Hunter (abbrev.: RKH) are you running?
If not 1.2.9 or CVS, do upgrade before reporting *anything*.

Quote:
The warning rkhunter gives is probably just from checking the config file, and not from testing whether sshd was running.
That is correct.

Quote:
* System tools
Performing 'known good' check...
/bin/cat [ OK ]
(..)
/bin/login [ BAD ]
failed to open //var/lib/rpm/packages.rpm
(..)
I don't remember having updated either login, su or passwd packages.

First of all, please don't "think" or "assume" or "try to remember": just look at your logs.
Second, if you're running RKH and you determined the files were updated or otherwise legitimately changed (think stuff like prelinking), then you will want to run 'hashupd'.
You will find it on RKH's D/L page at Sourceforge.

* BTW, I'm also interested in the "failed to open " message. If you run RKH 1.2.9 run it again as "sh -x rkhunter -c -sk --cronjob 2>&1>/tmp/rkhunter.debug", compress it and post me a download link I can get the file from. If you can't dump it temporarily send me an email and we'll discuss things.

* I would also like to note RKH has a pretty efficient end-user mailing list on which problems like these are usually solved within 48 hrs. Besides that, the off|online FAQ, docs and rkhunter-users mailing list archives already show answers to questions like these. My point is (and this is not to chide you): if you use something, please try to make an effort to get acquainted with its possibilities and use all sources of information you can.

Quote:
http://www.linuxquestions.org/questi...84#post2636884
You sense a certain doubt.
You post a clear list of steps to follow.
Well done!

Quote:
I have installed Dropline Gnome and have heard that it makes changes to the stock Slackware 11.0 install. Is it possible that my installation of Dropline may have changed these binaries?
FWIW: IMHO the chance Dropline would even want to touch directories containing default system binaries seems infinitesimal to me.
 
Old 02-21-2007, 02:46 PM   #13
zborgerd
Member
 
Registered: Mar 2004
Distribution: Slackware / Dropline GNOME
Posts: 378

Rep: Reputation: 30
Dropline does indeed replace the standard Slackware Shadow package in order to add PAM support, as mentioned in the download page:

http://forums.droplinegnome.org/viewtopic.php?t=4739

The Shadow package contains binaries for /bin/login, /bin/su, and /usr/bin/passwd (among other things in the Shadow package), which is where the PAM login authentication comes from. It's essentially the only way to get proper HAL support on Slackware, one of the only distributions in the world that still doesn't use PAM.

The problem with rootkit hunters like this is that they do not take package rebuilds into consideration. If your rootkit hunter is simply checking known hashes of popular distributions, then these binaries will fail a hash check. If you are concerned, you can manually check the binaries in the Dropline Shadow package (which I built), and if they are correct - you can update rkhunter's hashes with the --update flag:

http://umn.dl.sourceforge.net/source...1-i686-2dl.tgz

Last edited by zborgerd; 02-21-2007 at 02:49 PM.
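Hangdog42's post #7 explains the mechanism behind the BAD results (a hash of a known-good binary is compared with the file on disk, and a mismatch means the file was either upgraded or tampered with), and zborgerd's post above suggests checking the Dropline Shadow package's binaries by hand before trusting them. The script below is an added example, not rkhunter's code, not hashupd, and not anything shipped with Dropline, that does the same comparison in miniature: it builds a "known good" baseline from a trusted tree (for instance a package extracted into a scratch directory) and then verifies the installed files against it, reporting OK, BAD or MISSING per file. The function names and the sample files in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not rkhunter's code, not hashupd, not part of Dropline):
# a minimal "known good" hash check of the kind the thread describes.
# It uses sha256sum, which is assumed to be available (coreutils).

# hash_baseline DIR
# Prints "<sha256>  <relative path>" for every regular file under DIR.
# Feed it a directory holding trusted copies of the binaries, e.g. a
# package extracted with "tar xzf pkg.tgz -C scratch-dir".
hash_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          sha256sum "$f"
      done ) | sed 's#  \./#  #'
}

# hash_verify BASELINE ROOT
# Re-hashes each baseline entry as it exists under ROOT (normally /) and
# prints "<path> [ OK ]", "[ BAD ]" (content differs) or "[ MISSING ]".
# Returns 0 only if every file matched, 1 otherwise.
hash_verify() {
    base=$1 root=$2 bad=0
    while read -r expect rel; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "$rel [ MISSING ]"; bad=$((bad + 1)); continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expect" ]; then
            echo "$rel [ OK ]"
        else
            echo "$rel [ BAD ]"; bad=$((bad + 1))
        fi
    done < "$base"
    return $((bad > 0))
}

# Demo with constructed files: a "trusted package" tree and a "system"
# tree in which one binary has been altered. Not real Slackware content.
demo_hash_check() {
    T=$(mktemp -d)
    mkdir -p "$T/pkg/bin" "$T/sys/bin"
    printf 'login-v1' > "$T/pkg/bin/login"; cp "$T/pkg/bin/login" "$T/sys/bin/login"
    printf 'su-v1'    > "$T/pkg/bin/su";    printf 'su-v2' > "$T/sys/bin/su"
    hash_baseline "$T/pkg" > "$T/baseline"
    hash_verify "$T/baseline" "$T/sys" || echo "verification failed"
    rm -rf "$T"
}

demo_hash_check
```

The check only tells you that a file differs from the reference you chose; it says nothing about whether that reference is itself trustworthy, which is why the thread's advice is to compare against the package you actually installed (and, for rkhunter's own database, to use hashupd as unSpawn notes) rather than to silence the warning.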
 
Old 02-22-2007, 01:39 AM   #14
adityavpratap
Member
 
Registered: Dec 2004
Location: Hyderabad, India
Distribution: Slackware 13, Ubuntu 12.04
Posts: 440

Original Poster
Rep: Reputation: 32
Thanks a lot, I'll update the hashes
 
Old 02-22-2007, 11:31 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
if they are correct - you can update rkhunter's hashes with the --update flag
No, hashupd.
 