LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-10-2007, 10:58 AM   #1
d@@b
LQ Newbie
 
Registered: Sep 2005
Location: Baltimore, MD
Posts: 12

Rep: Reputation: 0
Help me understand rkhunter scan results


Mind you, I'm new to rkhunter and still learning about security. The result shows that there is 2 vulnerables application. Can you help me find which ones?
Also, the box is a mail server runing FC3(hopefully will be upgrade soon).

Code:
Rootkit Hunter 1.2.9 is running

Determining OS... Ready


Checking binaries
* Selftests
     Strings (command)     [ OK ]


* System tools
Info: prelinked files found
  Performing 'known good' check...
   /bin/cat  [ OK ]
   /bin/chmod  [ OK ]
   /bin/chown  [ OK ]
   /bin/dmesg  [ OK ]
   /bin/egrep  [ OK ]
   /bin/env  [ OK ]
   /bin/fgrep  [ OK ]
   /bin/grep  [ OK ]
   /bin/kill  [ OK ]
   /bin/login  [ OK ]
   /bin/ls  [ OK ]
   /bin/mount  [ OK ]
   /bin/netstat  [ OK ]
   /bin/ps  [ OK ]
   /bin/su  [ OK ]
   /sbin/chkconfig  [ OK ]
   /sbin/depmod  [ OK ]
   /sbin/ifconfig  [ OK ]
   /sbin/init  [ OK ]
   /sbin/insmod  [ OK ]
   /sbin/ip  [ OK ]
   /sbin/modinfo  [ OK ]
   /sbin/runlevel  [ OK ]
   /sbin/sysctl  [ OK ]
   /sbin/syslogd  [ OK ]
   /usr/bin/file  [ OK ]
   /usr/bin/find  [ OK ]
   /usr/bin/kill  [ OK ]
   /usr/bin/killall  [ OK ]
   /usr/bin/lsattr  [ OK ]
   /usr/bin/pstree  [ OK ]
   /usr/bin/sha1sum  [ OK ]
   /usr/bin/stat  [ OK ]
   /usr/bin/users  [ OK ]
   /usr/bin/w  [ OK ]
   /usr/bin/watch  [ OK ]
   /usr/bin/who  [ OK ]
   /usr/bin/whoami  [ OK ]


Check rootkits
* Default files and directories
   Rootkit '55808 Trojan - Variant A'...   [ OK ]
   ADM Worm...   [ OK ]
   Rootkit 'AjaKit'...   [ OK ]
   Rootkit 'aPa Kit'...   [ OK ]
   Rootkit 'Apache Worm'...   [ OK ]
   Rootkit 'Ambient (ark) Rootkit'...   [ OK ]
   Rootkit 'Balaur Rootkit'...   [ OK ]
   Rootkit 'BeastKit'...   [ OK ]
   Rootkit 'beX2'...   [ OK ]
   Rootkit 'BOBKit'...   [ OK ]
   Rootkit 'CiNIK Worm (Slapper.B variant)'...   [ OK ]
   Rootkit 'Danny-Boy's Abuse Kit'...   [ OK ]
   Rootkit 'Devil RootKit'...   [ OK ]
   Rootkit 'Dica'...   [ OK ]
   Rootkit 'Dreams Rootkit'...   [ OK ]
   Rootkit 'Duarawkz'...   [ OK ]
   Rootkit 'Flea Linux Rootkit'...   [ OK ]
   Rootkit 'FreeBSD Rootkit'...   [ OK ]
   Rootkit 'Fuck`it Rootkit'...   [ OK ]
   Rootkit 'GasKit'...   [ OK ]
   Rootkit 'Heroin LKM'...   [ OK ]
   Rootkit 'HjC Kit'...   [ OK ]
   Rootkit 'ignoKit'...   [ OK ]
   Rootkit 'ImperalsS-FBRK'...   [ OK ]
   Rootkit 'Irix Rootkit'...   [ OK ]
   Rootkit 'Kitko'...   [ OK ]
   Rootkit 'Knark'...   [ OK ]
   Rootkit 'Li0n Worm'...   [ OK ]
   Rootkit 'Lockit / LJK2'...   [ OK ]
   Rootkit 'MRK'...   [ OK ]
   Rootkit 'Ni0 Rootkit'...   [ OK ]
   Rootkit 'RootKit for SunOS / NSDAP'...   [ OK ]
   Rootkit 'Optic Kit (Tux)'...   [ OK ]
   Rootkit 'Oz Rootkit'...   [ OK ]
   Rootkit 'Portacelo'...   [ OK ]
   Rootkit 'R3dstorm Toolkit'...   [ OK ]
   Rootkit 'RH-Sharpe's rootkit'...   [ OK ]
   Rootkit 'RSHA's rootkit'...   [ OK ]
   Sebek LKM...  [ OK ]
   Rootkit 'Scalper Worm'...   [ OK ]
   Rootkit 'Shutdown'...   [ OK ]
   Rootkit 'SHV4'...   [ OK ]
   Rootkit 'SHV5'...   [ OK ]
   Rootkit 'Sin Rootkit'...   [ OK ]
   Rootkit 'Slapper'...   [ OK ]
   Rootkit 'Sneakin Rootkit'...   [ OK ]
   Rootkit 'Suckit Rootkit'...   [ OK ]
   Rootkit 'SunOS Rootkit'...   [ OK ]
   Rootkit 'Superkit'...   [ OK ]
   Rootkit 'TBD (Telnet BackDoor)'...   [ OK ]
   Rootkit 'TeLeKiT'...   [ OK ]
   Rootkit 'T0rn Rootkit'...   [ OK ]
   Rootkit 'Trojanit Kit'...   [ OK ]
   Rootkit 'Tuxtendo'...   [ OK ]
   Rootkit 'URK'...   [ OK ]
   Rootkit 'VcKit'...   [ OK ]
   Rootkit 'Volc Rootkit'...   [ OK ]
   Rootkit 'X-Org SunOS Rootkit'...   [ OK ]
   Rootkit 'zaRwT.KiT Rootkit'...   [ OK ]

* Suspicious files and malware
   Scanning for known rootkit strings  [ OK ]
   Scanning for known rootkit files  [ OK ]
   Testing running processes...   [ OK ]
   Miscellaneous Login backdoors  [ OK ]
   Miscellaneous directories  [ OK ]
   Software related files  [ OK ]
   Sniffer logs  [ OK ]

* Trojan specific characteristics
   shv4
     Checking /etc/rc.d/rc.sysinit
       Test 1  [ Clean ]
       Test 2  [ Clean ]
       Test 3  [ Clean ]
     Checking /etc/inetd.conf  [ Not found ]
     Checking /etc/xinetd.conf  [ Clean ]

* Suspicious file properties
   chmod properties
     Checking /bin/ps  [ Clean ]
     Checking /bin/ls  [ Clean ]
     Checking /usr/bin/w  [ Clean ]
     Checking /usr/bin/who  [ Clean ]
     Checking /bin/netstat  [ Clean ]
     Checking /bin/login  [ Clean ]
   Script replacements
     Checking /bin/ps  [ Clean ]
     Checking /bin/ls  [ Clean ]
     Checking /usr/bin/w  [ Clean ]
     Checking /usr/bin/who  [ Clean ]
     Checking /bin/netstat  [ Clean ]
     Checking /bin/login  [ Clean ]

* OS dependant tests

   Linux
     Checking loaded kernel modules...   [ OK ]
     Checking file attributes  [ OK ]
     Checking LKM module path  [ OK ]


Networking
* Check: frequently used backdoors
  Port 2001: Scalper Rootkit  [ OK ]
  Port 2006: CB Rootkit  [ OK ]
  Port 2128: MRK  [ OK ]
  Port 14856: Optic Kit (Tux)  [ OK ]
  Port 47107: T0rn Rootkit  [ OK ]
  Port 60922: zaRwT.KiT  [ OK ]

* Interfaces
     Scanning for promiscuous interfaces...  [ OK ]


System checks
* Allround tests
   Checking hostname... Found. Hostname is xxx.xxxxxx.com
   Checking for passwordless user accounts... OK
   Checking for differences in user accounts... OK. No changes.
   Checking for differences in user groups... OK. No changes.
   Checking boot.local/rc.local file... 
     - /etc/rc.local  [ OK ]
     - /etc/rc.d/rc.local  [ OK ]
     - /usr/local/etc/rc.local  [ Not found ]
     - /usr/local/etc/rc.d/rc.local  [ Not found ]
     - /etc/conf.d/local.start  [ Not found ]
     - /etc/init.d/boot.local  [ Not found ]
   Checking rc.d files... 
     Processing........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               .
   Result rc.d files check  [ OK ]
   Checking history files
     Bourne Shell  [ OK ]

* Filesystem checks
   Checking /dev for suspicious files...   [ OK ]
   Scanning for hidden files...  [ OK ]


Application advisories
* Application scan
   Checking Apache2 modules ...      [ Not found ]
   Checking Apache configuration ...      [ OK ]

* Application version scan
   - GnuPG 1.2.7   [ Old or patched version ]
   - Apache 2.0.53   [ OK ]
   - Bind DNS 9.2.5   [ OK ]
   - OpenSSL 0.9.7a   [ Old or patched version ]
   - PHP 4.3.11   [ OK ]
   - Procmail MTA 3.22   [ OK ]
   - OpenSSH 3.9p1   [ OK ]



Security advisories
* Check: Groups and Accounts
   Searching for /etc/passwd...   [ Found ]
   Checking users with UID '0' (root)...   [ OK ]

* Check: SSH
   Searching for sshd_config... 
   Found /etc/ssh/sshd_config
   Checking for allowed root login...   [ OK (Remote root login disabled) ]
   Checking for allowed protocols...   [ Warning (SSH v1 allowed) ]

* Check: Events and Logging
   Search for syslog configuration...   [ OK ]
   Checking for running syslog slave...   [ OK ]
   Checking for logging to remote system...   [ OK (no remote logging) ]


---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 92
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 2

Scanning took 34 seconds

-----------------------------------------------------------------------

Last edited by d@@b; 04-12-2007 at 03:02 PM.
 
Old 04-10-2007, 11:31 AM   #2
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
Blog Entries: 2

Rep: Reputation: 68
rkhunter complains about GnuPG 1.2.7 and OpenSSL 0.9.7a.
A quick inspection in my system shows openssl-0.9.8d-23.1 and gpg-1.4.5-24.4.

Take a look at the release notes of theses programs to see if there are any serious vulnerabilities fixed in next releases.
 
Old 04-10-2007, 11:34 AM   #3
d@@b
LQ Newbie
 
Registered: Sep 2005
Location: Baltimore, MD
Posts: 12

Original Poster
Rep: Reputation: 0
That's what I thougth about GnuPG and OpenSSL. I will take a look at the release note.
 
Old 04-10-2007, 10:26 PM   #4
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Have you run rkhunter --update recently?

I know it's a dumb question, and I certainly don't intend to insult your intelligence in any way, so please don't take such a simple suggestion that way...

Also, I'd disable SSHv1 login. SSHv1 has known problems, and if you read one of the sticky posts in this (the Security) forum, you'll see that SSH scanning has become commonplace, most likely due to SSHv1 security problems. You have remote root login disabled, but if an attacker gets a su or sudo-enabled account, you could still be in trouble.

Just a paranoid Linux user's 2 cents...
 
Old 04-12-2007, 03:04 PM   #5
d@@b
LQ Newbie
 
Registered: Sep 2005
Location: Baltimore, MD
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rocket357
Have you run rkhunter --update recently?

I know it's a dumb question, and I certainly don't intend to insult your intelligence in any way, so please don't take such a simple suggestion that way...

Also, I'd disable SSHv1 login. SSHv1 has known problems, and if you read one of the sticky posts in this (the Security) forum, you'll see that SSH scanning has become commonplace, most likely due to SSHv1 security problems. You have remote root login disabled, but if an attacker gets a su or sudo-enabled account, you could still be in trouble.

Just a paranoid Linux user's 2 cents...
I updated rkhunter before running it and also went ahead disable SSHv1 after the scan.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Rkhunter results-bad? bhert Linux - Security 4 08-18-2006 03:27 AM
clam av scan results Shadowalker Linux - Security 1 04-15-2006 07:39 PM
nmap scan results ! dimgr Linux - Security 3 01-21-2005 12:39 PM
nmap scan results juanb Linux - Security 5 11-16-2004 02:31 AM
Strange port scan results sbogus Linux - Security 16 06-29-2004 02:25 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:19 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration