LinuxQuestions.org: Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  06-23-2007, 08:51 PM
xchido (LQ Newbie; registered Jul 2005; 22 posts)
Considerable existing/potential security problems were detected in the system


Rootkit Hunter 1.2.8 is running

I get the following output. Is there something I need to be concerned about? I would really appreciate any guidance on how to make the appropriate corrections.

Running updater...

Mirrorfile /usr/local/psa/var/modules/watchdog/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date

Ready.


Rootkit Hunter 1.2.8 is running

Determining OS... Ready


Checking binaries
* Selftests
Strings (command) /usr/bin/whoami [ OK ]


* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/date [ OK ]
/bin/dmesg [ OK ]
/bin/env [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ BAD ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ BAD ]
/sbin/syslogd [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/head [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/top [ BAD ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes).
--------------------------------------------------------------------------------


Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes [ OK ]
Checking LKM module path [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]


System checks
* Allround tests
Checking hostname... Found. Hostname is www.mywebsite.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
......................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ Not Found ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]


Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.4.2.2 [ OK ]
- Apache 2.0.54 [ OK ]
- Bind DNS 9.3.1 [ OK ]
- OpenSSL 0.9.7f [ Old or patched version ]
- PHP 5.0.4 [ OK ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.3.0 [ OK ]
- OpenSSH 4.2p1 [ OK ]



Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out. Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK ( Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK ( no remote logging) ]


---------------------------- Scan results ----------------------------

MD5
MD5 compared: 53
Incorrect MD5 checksums: 6

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1

Scanning took 172 seconds
Scan results written to logfile (/var/log/rkhunter.log)
 
#2  06-24-2007, 01:28 AM
fukawi2 (Member; registered Oct 2006; Melbourne, Australia; ArchLinux, ArchServer, Fedora, CentOS; 449 posts)
Quote:
/bin/ps [ BAD ]
/sbin/sysctl [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/vmstat [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
So have you replaced / upgraded any of those binaries to make them non-standard for your distribution?
A rootkit would traditionally replace ps, top, w and probably vmstat and possibly sysctl... I can't imagine why they would bother with 'watch'.

What distribution are you running?
 
#3  06-24-2007, 02:01 AM
xchido (original poster)
I have Fedora Core 4 with Plesk 8.0

The only updates I make are through the control panel using the tools it came with.
 
#4  06-24-2007, 06:34 AM
unSpawn (Moderator; registered May 2001; 29,415 posts; 55 blog entries)
The first thing to do is to check with your file integrity checker if you run one (AIDE, Samhain, even Tripwire); else check your logs to see if there were any updates done (unless you already know, because you only update manually). Then verify the packages these binaries are in ("rpm -q --whatprovides /some/binary") against the hashes in your RPM database, or, if you don't trust that, against those of remote copies of these packages. Apart from malicious changes and updates, prelink can also alter binaries if enabled.

BTW, FC4 is deprecated: they're at 7 now. If you can't afford to keep up, please choose one with a more stable release scheme, like for instance CentOS. Also, RKH 1.2.8 is unsupported: 1.2.9 was released a long time ago, and upcoming is 1.3.0 (in CVS), which is by now stable enough to work with.


Quote:
A rootkit would traditionally replace ps, top, w and probably vmstat and possibly sysctl... I can't imagine why they would bother with 'watch'
Filenames are just filenames. If I were to introduce X-Hide or BNC I sure as hell would try to make the names sound innocuous. Please don't superficially interpret signs at first glance as either "looks OK" or "can't be done". Alerts and anomalies should be investigated.
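The verification unSpawn describes, as an added example that is not part of the original thread: it resolves each binary rkhunter flagged to its owning package, lists the files in that package whose recorded digest no longer matches using rpm -V, and shows the prelink cross-check. It assumes an RPM-based host like the poster's FC4 with rpm(8) installed; prelink(8) is optional, and the rpm -V output it parses offline is a constructed sample, not output from the poster's server.

```shell
#!/bin/sh
# Added example (not from the thread): triage binaries that rkhunter marked
# [ BAD ] against the RPM database, following the steps in the post above.
# Assumes an RPM-based host such as FC4 with rpm(8); prelink(8) is optional.

# Binaries the rkhunter run in post #1 flagged.
BAD_BINS="/bin/ps /sbin/sysctl /usr/bin/top /usr/bin/vmstat /usr/bin/w /usr/bin/watch"

# rpm -V prints one line per file that fails verification: a flag field
# (S size, M mode, 5 MD5 digest, D device, L link, U user, G group, T mtime),
# an optional type column such as "c" for config files, then the path.
# Only column 3 ('5') says the file content differs from what the package
# installed. digest_changed_files reads that output on stdin and prints the
# paths whose digest no longer matches.
digest_changed_files() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        flags=${line%% *}                        # first whitespace-delimited field
        case "$flags" in
            ??5*) printf '%s\n' "${line##* }" ;; # path is the last field
        esac
    done
}

# check_binary PATH: find the owning package (the post's "rpm -q --whatprovides")
# and list every file in it whose digest changed. rpm undoes prelinking before
# hashing (its %__prelink_undo_cmd runs prelink -y) when prelink is installed,
# so a digest mismatch here, unlike a mismatch against rkhunter's own MD5 list,
# is not explained by prelink alone. If the local RPM database itself is
# suspect, fetch a pristine copy of the package and verify against the file:
#   rpm -Vp /path/to/procps-<version>.rpm
check_binary() {
    bin=$1
    pkg=$(rpm -q --whatprovides "$bin" 2>/dev/null) || {
        printf '%s: not owned by any package\n' "$bin"
        return 1
    }
    printf '%s -> %s\n' "$bin" "$pkg"
    rpm -V "$pkg" | digest_changed_files
    # Manual cross-check: hash the un-prelinked image rather than the file on disk.
    if command -v prelink >/dev/null 2>&1; then
        prelink -y "$bin" | md5sum
    fi
}

# Constructed rpm -V output for the offline demo (not from a real host):
SAMPLE_RPMV='S.5....T.    /bin/ps
..5......    /usr/bin/top
.......T.  c /etc/sysctl.conf
missing      /usr/bin/watch'

if [ "${1:-}" = live ]; then
    for b in $BAD_BINS; do check_binary "$b"; done
else
    # Prints /bin/ps and /usr/bin/top: the mtime-only config change and the
    # missing file are not content mismatches.
    printf '%s\n' "$SAMPLE_RPMV" | digest_changed_files
fi
```

Run it with `live` as the first argument on the affected host to query rpm for real; with no argument it only exercises the parser on the constructed sample. A flagged file whose package verifies clean in rpm -V, and whose prelink -y hash matches the package payload, is a stale rkhunter hash list rather than a replaced binary; a file that fails both is what the thread's moderator means by an anomaly to investigate.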
 
#5  06-24-2007, 07:37 AM
fukawi2
Quote:
Originally Posted by unSpawn
Filenames are just filenames. If I were to introduce X-Hide or BNC I sure as hell would try to make the names sound innocuous. Please don't superficially interpret signs at first glance as either "looks OK" or "can't be done". Alerts and anomalies should be investigated.
True - I wasn't making the assumption that everything was OK, hence my questions to seek further info... My thoughts were, why 'hide' something in something many admins use regularly?

(I'm speaking mainly from my experience of being 'rooted' several years ago when I first started in *nix.)
 
#6  07-04-2007, 09:39 PM
xchido (original poster)
Thank you for your advice.

I decided to go ahead and just re-format the server and start from scratch. Some other problems came up and it was just easier to start from scratch.

I appreciate your help.

I do have another issue with the new setup. I ran yum and did all of the upgrades on my server, and it all appears to be up to date with the exception of OpenSSL, which I cannot make yum update.

/usr/bin/openssl found
Version 0.9.7f seems to be vulnerable (if unpatched)!


Any help will be greatly appreciated.
 
#7  07-05-2007, 02:43 AM
win32sux (LQ Guru; registered Jul 2003; Los Angeles; Ubuntu; 9,870 posts)
Quote:
Originally Posted by xchido
I ran yum and did all of the upgrades on my server, and it all appears to be up to date with the exception of OpenSSL, which I cannot make yum update.

/usr/bin/openssl found
Version 0.9.7f seems to be vulnerable (if unpatched)!
I've seen several cases where the distro will keep the OpenSSL version number the same, even after having upgraded the binaries. Check the changelog for your distro and verify whether the OpenSSL package has received security patches. Considering that Fedora Core 4 was released in May 2005, you'd be looking for patches to these:

http://secunia.com/advisories/22130/

http://secunia.com/advisories/21709/

http://secunia.com/advisories/17151/
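One way to do the changelog check win32sux suggests, as an added example that is not from the thread: distributions that backport fixes keep the upstream version string (0.9.7f here) and bump the package release and changelog instead, so the script reads the newest release from `rpm -q --changelog` and compares the CVE IDs mentioned there against the list you are looking for. It assumes an RPM-based host. The CVE IDs it uses for the three Secunia advisories are my own mapping and should be confirmed against those pages, and the two changelogs it parses offline are constructed samples, not real Fedora changelogs.

```shell
#!/bin/sh
# Added example (not from the thread): tell a backported OpenSSL from an
# unpatched one. The version rkhunter reads stays 0.9.7f either way; the
# evidence is the package release and the CVE IDs in the rpm changelog.
# Assumes an RPM-based host. The CVE list is my own mapping of the three
# Secunia advisories in the post (SA22130, SA21709, SA17151): verify it.

# changelog_cves: read an rpm changelog on stdin, print each CVE ID once.
changelog_cves() {
    grep -o 'CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9]*' | sort -u
}

# changelog_latest_release: rpm prints the newest entry first and its header
# is "* <date> <packager> <version>-<release>", so the last field of the first
# such line is the build that is actually installed.
changelog_latest_release() {
    awk '/^\*/ { print $NF; exit }'
}

# missing_cves ID...: print the wanted IDs that the changelog on stdin never
# mentions. An empty result means every advisory has a matching backport.
missing_cves() {
    have=$(changelog_cves)
    for id in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$id" || printf '%s\n' "$id"
    done
}

WANTED="CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-4339 CVE-2005-2969"

# Constructed changelogs in rpm -q --changelog layout (illustrative, not a
# real Fedora changelog): a patched build and one that stopped at the 2005 fix.
SAMPLE_CHANGELOG='* Mon Oct 02 2006 Example Packager <pkg@example.invalid> 0.9.7f-7.12
- fix CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4343
- fix CVE-2006-4339 (RSA signature forgery)
* Tue Oct 11 2005 Example Packager <pkg@example.invalid> 0.9.7f-7.10
- fix CVE-2005-2969
* Thu Apr 07 2005 Example Packager <pkg@example.invalid> 0.9.7f-7
- update to 0.9.7f'
SAMPLE_CHANGELOG_OLD=$(printf '%s\n' "$SAMPLE_CHANGELOG" | sed -n '/^\* Tue Oct 11 2005/,$p')

if [ "${1:-}" = live ] && command -v rpm >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(rpm -q openssl)"
    rpm -q --changelog openssl | missing_cves $WANTED
else
    printf 'patched build %s, missing: [%s]\n' \
        "$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_latest_release)" \
        "$(printf '%s\n' "$SAMPLE_CHANGELOG" | missing_cves $WANTED | tr '\n' ' ')"
    printf 'old build %s, missing: [%s]\n' \
        "$(printf '%s\n' "$SAMPLE_CHANGELOG_OLD" | changelog_latest_release)" \
        "$(printf '%s\n' "$SAMPLE_CHANGELOG_OLD" | missing_cves $WANTED | tr '\n' ' ')"
fi
```

With `live` as the first argument it reads the real changelog with `rpm -q --changelog openssl`; without an argument it runs against the constructed samples. An empty "missing" list on a 0.9.7f build is the normal result for a maintained distribution; a non-empty one on a distribution that has stopped issuing updates is the case the following posts are pointing at.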
 
#8  07-05-2007, 02:56 AM
win32sux
I just saw your other post. Hopefully when you fix that yum update issue you'll get a newer OpenSSL package. This begs the question: Are you sure that Fedora Core 4 is still maintained? If it's not, then that's probably the Core of your problem. No pun intended.
 
#9  07-05-2007, 03:37 PM
rg.viza (Member; registered Aug 2006; 74 posts)
Quote:
Originally Posted by xchido
I have Fedora Core 4 with Plesk 8.0

The only updates I make are through the control panel using the tools it came with.
Plesk would explain a lot.
 
#10  07-05-2007, 03:37 PM
rg.viza
Quote:
Originally Posted by win32sux
I've seen several cases where the distro will keep the OpenSSL version number the same, even after having upgraded the binaries. Check the changelog for your distro and verify whether the OpenSSL package has received security patches. Considering that Fedora Core 4 was released in May 2005, you'd be looking for patches to these:

http://secunia.com/advisories/22130/

http://secunia.com/advisories/21709/

http://secunia.com/advisories/17151/
/qft
FreeBSD does this.
 
#11  07-08-2007, 12:21 AM
xchido (original poster)
Thanks for your advice, win32sux. FC4 and SUSE 9.3 are the only options I have to install with my provider, 1and1. I wonder if it would be a good idea to change to SUSE 9.3?
 
  


All times are GMT -5.