Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
06-23-2007, 08:51 PM
|
#1
|
LQ Newbie
Registered: Jul 2005
Posts: 22
Rep:
|
Considerable existing/potential security problems were detected in the system
Rootkit Hunter 1.2.8 is running
I get the following output. Is there something that I need to be concerned? And I will really appreciate any guidance on how to make the appropriate corrections.
Running updater...
Mirrorfile /usr/local/psa/var/modules/watchdog/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date
Ready.
Rootkit Hunter 1.2.8 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) /usr/bin/whoami [ OK ]
* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/date [ OK ]
/bin/dmesg [ OK ]
/bin/env [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ BAD ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ BAD ]
/sbin/syslogd [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/head [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/top [ BAD ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes).
--------------------------------------------------------------------------------
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is www.mywebsite.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
......................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ Not Found ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- GnuPG 1.4.2.2 [ OK ]
- Apache 2.0.54 [ OK ]
- Bind DNS 9.3.1 [ OK ]
- OpenSSL 0.9.7f [ Old or patched version ]
- PHP 5.0.4 [ OK ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.3.0 [ OK ]
- OpenSSH 4.2p1 [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out. Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK ( Only SSH2 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK ( no remote logging) ]
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 53
Incorrect MD5 checksums: 6
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 1
Scanning took 172 seconds
Scan results written to logfile (/var/log/rkhunter.log)
|
|
|
06-24-2007, 01:28 AM
|
#2
|
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449
Rep:
|
Quote:
/bin/ps [ BAD ]
/sbin/sysctl [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/vmstat [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
|
So have you replaced / upgraded any of those binaries to make them non-standard for your distribution?
A rootkit would traditionally replace ps, top, w and probably vmstat and possibly sysctl... I can't imagine why they would bother with 'watch'
What distribution are you running?
|
|
|
06-24-2007, 02:01 AM
|
#3
|
LQ Newbie
Registered: Jul 2005
Posts: 22
Original Poster
Rep:
|
I have Fedora Core 4 with Plesk 8.0
The only updates I make are through the control panel using the tools it came with.
|
|
|
06-24-2007, 06:34 AM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
The first thing to do is to check with your file integrity checker if you run one (Aide, Samhain, even tripwire), else check your logs to see if there where any updates done (unless you know in case you only update manually), then verify the packages these binaries are in ("rpm -q --whatprovides /some/binary") with the hashes in your RPM database, or if you don't trust that with those of remote copies of these packages. Apart from malicious changes and updates also prelink can work on binaries if enabled.
BTW, FC4 is deprecated: they're at 7 now. If you can't afford to keep up please choose one with a more stabe release scheme like for instance CentOS. Also RKH-1.2.8 is unsupported: 1.2.9 was released long time ago and upcoming will be 1.3.0 (in CVS) which is by now stable enough to work with.
Quote:
A rootkit would traditionally replace ps, top, w and probably vmstat and possibly sysctl... I can't imagine why they would bother with 'watch'
|
Filenames are just filenames. If I were to introduce X-Hide or BNC I sure as hell would try to make the names sound innocuous. Please don't superficially interprete signs at first glance as either "looks OK" or "can't be done". Alerts and anomalies should be investigated.
|
|
|
06-24-2007, 07:37 AM
|
#5
|
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449
Rep:
|
Quote:
Originally Posted by unSpawn
Filenames are just filenames. If I were to introduce X-Hide or BNC I sure as hell would try to make the names sound innocuous. Please don't superficially interprete signs at first glance as either "looks OK" or "can't be done". Alerts and anomalies should be investigated.
|
True - I wasn't making the assumption that everything was OK, hence my questions to seek further info... My thoughts were, why 'hide' something in something many admin's use regularly?
(I'm speaking mainly from my experience of being 'rooted' several years ago when I first started in *nix )
|
|
|
07-04-2007, 09:39 PM
|
#6
|
LQ Newbie
Registered: Jul 2005
Posts: 22
Original Poster
Rep:
|
Thank you for your advice.
I decided to go ahead and just re-format the server and start from scratch. Some other problems came up and it was just easier to start from scratch.
I appreciate you help.
I do have another issue with the new set up. I ran yum, did all of the upgrades on my server and it all appears to be up to date wit the exemption of my OpenSSL I cannot make it update using yum.
/usr/bin/openssl found
Version 0.9.7f seems to be vulnerable (if unpatched)!
Any help will be greatly appreciated.
|
|
|
07-05-2007, 02:43 AM
|
#7
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by xchido
I ran yum, did all of the upgrades on my server and it all appears to be up to date wit the exemption of my OpenSSL I cannot make it update using yum.
/usr/bin/openssl found
Version 0.9.7f seems to be vulnerable (if unpatched)!
|
I've seen several cases where the distro will keep the OpenSSL version number the same, even after having upgrading the binaries. Check the changelog for your distro and verify if the OpenSSL package has received security patches. Considering that Fedora Core 4 was released in May 2005, you'd be looking for patches to these:
http://secunia.com/advisories/22130/
http://secunia.com/advisories/21709/
http://secunia.com/advisories/17151/
|
|
|
07-05-2007, 02:56 AM
|
#8
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
I just saw your other post. Hopefully when you fix that yum update issue you'll get a newer OpenSSL package. This begs the question: Are you sure that Fedora Core 4 is still maintained? If it's not, then that's probably the Core of your problem. No pun intended.
|
|
|
07-05-2007, 03:37 PM
|
#9
|
Member
Registered: Aug 2006
Posts: 74
Rep:
|
Quote:
Originally Posted by xchido
I have Fedora Core 4 with Plesk 8.0
The only updates I make are through the control panel using the tools it came with.
|
plesk would explain a lot
|
|
|
07-05-2007, 03:37 PM
|
#10
|
Member
Registered: Aug 2006
Posts: 74
Rep:
|
Quote:
Originally Posted by win32sux
|
/qft
freebsd does this
|
|
|
07-08-2007, 12:21 AM
|
#11
|
LQ Newbie
Registered: Jul 2005
Posts: 22
Original Poster
Rep:
|
Thanks for your advise win32sux. FC4 and SUSE 9.3 are the only options I have to install with my provider 1and1. I wonder is it will be a good idea to change to SUSE 9.3?
|
|
|
All times are GMT -5. The time now is 05:22 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|