Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
04-10-2007, 10:58 AM
|
#1
|
LQ Newbie
Registered: Sep 2005
Location: Baltimore, MD
Posts: 12
Rep:
|
Help me understand rkhunter scan results
Mind you, I'm new to rkhunter and still learning about security. The result shows that there is 2 vulnerables application. Can you help me find which ones?
Also, the box is a mail server runing FC3(hopefully will be upgrade soon).
Code:
Rootkit Hunter 1.2.9 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces... [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is xxx.xxxxxx.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
.
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- GnuPG 1.2.7 [ Old or patched version ]
- Apache 2.0.53 [ OK ]
- Bind DNS 9.2.5 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.11 [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
---------------------------- Scan results ----------------------------
MD5 scan
Scanned files: 92
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 2
Scanning took 34 seconds
-----------------------------------------------------------------------
Last edited by d@@b; 04-12-2007 at 03:02 PM.
|
|
|
04-10-2007, 11:31 AM
|
#2
|
Senior Member
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
Rep:
|
rkhunter complains about GnuPG 1.2.7 and OpenSSL 0.9.7a.
A quick inspection in my system shows openssl-0.9.8d-23.1 and gpg-1.4.5-24.4.
Take a look at the release notes of theses programs to see if there are any serious vulnerabilities fixed in next releases.
|
|
|
04-10-2007, 11:34 AM
|
#3
|
LQ Newbie
Registered: Sep 2005
Location: Baltimore, MD
Posts: 12
Original Poster
Rep:
|
That's what I thougth about GnuPG and OpenSSL. I will take a look at the release note.
|
|
|
04-10-2007, 10:26 PM
|
#4
|
Member
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Rep:
|
Have you run rkhunter --update recently?
I know it's a dumb question, and I certainly don't intend to insult your intelligence in any way, so please don't take such a simple suggestion that way...
Also, I'd disable SSHv1 login. SSHv1 has known problems, and if you read one of the sticky posts in this (the Security) forum, you'll see that SSH scanning has become commonplace, most likely due to SSHv1 security problems. You have remote root login disabled, but if an attacker gets a su or sudo-enabled account, you could still be in trouble.
Just a paranoid Linux user's 2 cents...
|
|
|
04-12-2007, 03:04 PM
|
#5
|
LQ Newbie
Registered: Sep 2005
Location: Baltimore, MD
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by rocket357
Have you run rkhunter --update recently?
I know it's a dumb question, and I certainly don't intend to insult your intelligence in any way, so please don't take such a simple suggestion that way...
Also, I'd disable SSHv1 login. SSHv1 has known problems, and if you read one of the sticky posts in this (the Security) forum, you'll see that SSH scanning has become commonplace, most likely due to SSHv1 security problems. You have remote root login disabled, but if an attacker gets a su or sudo-enabled account, you could still be in trouble.
Just a paranoid Linux user's 2 cents...
|
I updated rkhunter before running it and also went ahead disable SSHv1 after the scan.
|
|
|
All times are GMT -5. The time now is 10:19 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|