LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-01-2005, 02:13 PM   #1
The MCP
Member
 
Registered: Nov 2003
Distribution: SUSE
Posts: 31

Rep: Reputation: 15
Possible compromise - rkhunter finds 2 (?) questionable hashes


I've added rkhunter to my server's daily litany of security checks, and it's turned up something scary. It printed that the hashes of depmod and insmod don't match what they should for Mandrake 10.0. In the logs, it's doing something bizarre when it checks hashes:

[19:05:43] /bin/login hash valid, found in database
[19:05:43] /bin/login Hash NOT valis (My MD5: 33c48af148c49d8424dd3eed064b670b, expected: f81ebc313dc5cb2c197b80c0f288d8a4)

How can a hash be simultaneously valid and not valid? It does this with netstat, grep, twice with depmod, ip, twice with modinfo, syslogd, file, and lsattr.

It then finished running without another complaint about anything, except my old version of proftpd (not running). What's going on? Have I been 0wn3d or just updated?
 
Old 04-02-2005, 06:39 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The hash you listed above for /bin/login is valid. Take a look at the default hashes db to make sure it's in there:
Code:
[root@localhost files]# cat defaulthashes.dat | grep 33c48
129:/bin/login:33c48af148c49d8424dd3eed064b670b:ed5eb5c6f3c4576923ccf7f67ad34be2e8db90f4:19768:util-linux-2.12-2mdk:
How are you running rkhunter as a cron job? It sounds like it's some kind of verbose mode, which just prints output for each hash in the db, even though there are multiple hashes for /bin/login. What version of rkhunter are you running?
 
Old 04-02-2005, 01:45 PM   #3
The MCP
Member
 
Registered: Nov 2003
Distribution: SUSE
Posts: 31

Original Poster
Rep: Reputation: 15
rkhunter job && security script

I've written a simple script that I imaginatively named "checkall" which runs security tests when executed. I then made an entry in crontab.daily, '/root/systest/checkall >> /var/log/checkall'

I've placed the script up for others to use at ejksdesktop.homelinux.com/checkall.sh (execute privileges revoked, don't worry if you'd like to examine it).

It invokes rkhunter with 'rkhunter --checkall --skip-keypress --nocolors --createlogfile'. I suppose that --createlogfile is technically redundant, since stdout is being captured anyway, but who knows. Hope this helps!
 
Old 04-02-2005, 06:15 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The log file will always show debugging info, that's just how rkhunter works. In fact if you take a look at the rkhunter FAQ, they even have a comment about this:

Quote:
8. Q: Although Rootkit Hunter tells me my binaries do have the correct hashes (=OK), the logfile shows a lot of incorrect items. How is that possible?
A: Because the main program is a shell script, a lot of small utilities are used to read the database (in fact a CSV-like file). The output you see in the logfile is debug information and contains a lot of extra information. Because every line of the hash database will be read and compared with the real hash of the binary, it will have some good and bad hashes for one single binary (because of the multiple versions of a single binary). Every line will be available in the logfile too, so if a hash DOESN'T match with the binary, it will log this too. If ONE of the multiple hashes matches, you don't have to worry about the 'failed' lines.
Personally, I'd just run rkhunter with the --cronjob option and then just redirect stdout somewhere.
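An added example (not code from the thread and not rkhunter's own implementation) that reproduces the behaviour the FAQ describes: every line of the CSV-like hash database for a path is compared against the binary's real MD5 and logged individually, so a binary with several known versions yields both a "valid" and a "NOT valid" line, and only the overall verdict (did any line match?) matters. The database text is a constructed sample in the `index:path:md5:sha1:size:package:` layout shown earlier in the thread; the line for util-linux-2.12-2mdk is the one quoted above, and the other lines and all PLACEHOLDER_* fields are made up, as is the function naming.

```python
import hashlib
from collections import defaultdict

# Constructed sample in the layout of rkhunter's defaulthashes.dat
# (index:path:md5:sha1:size:package:). Line 129 is the entry quoted in the
# thread; the other lines are constructed, and PLACEHOLDER_* fields stand in
# for values the thread does not give.
SAMPLE_DB = """\
128:/bin/login:f81ebc313dc5cb2c197b80c0f288d8a4:PLACEHOLDER_SHA1:PLACEHOLDER_SIZE:PLACEHOLDER_PACKAGE:
129:/bin/login:33c48af148c49d8424dd3eed064b670b:ed5eb5c6f3c4576923ccf7f67ad34be2e8db90f4:19768:util-linux-2.12-2mdk:
130:/bin/netstat:00000000000000000000000000000000:PLACEHOLDER_SHA1:PLACEHOLDER_SIZE:PLACEHOLDER_PACKAGE:
"""


def parse_db(text):
    """Return {path: [(md5, package), ...]} from the CSV-like database text.

    Blank lines, comments and lines with too few fields are skipped rather
    than trusted: the database is plain text and may be hand-edited.
    """
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            continue
        _index, path, md5, _sha1, _size, package = fields[:6]
        entries[path].append((md5.lower(), package))
    return dict(entries)


def md5_of_file(path, chunk=65536):
    """MD5 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_binary(path, actual_md5, entries):
    """Compare one binary's MD5 against every database line for that path.

    Returns (verdict, log). The log mimics the per-line debug output quoted
    in the thread: one line per database entry, so a path with several known
    versions produces both 'valid' and 'NOT valid' lines. The verdict is True
    when at least one entry matches, False when none does, and None when the
    path is not in the database at all (a third case worth reporting
    separately, since "no data" is not the same as "mismatch").
    """
    log = []
    known = entries.get(path)
    if not known:
        log.append(f"{path} not found in database")
        return None, log
    verdict = False
    for expected, package in known:
        if actual_md5.lower() == expected:
            verdict = True
            log.append(f"{path} hash valid, found in database ({package})")
        else:
            log.append(f"{path} Hash NOT valid (My MD5: {actual_md5}, expected: {expected})")
    return verdict, log


if __name__ == "__main__":
    import sys

    # Usage: python rkcheck.py /bin/login  (hashes the real file on this host
    # and compares it against the constructed sample database)
    db = parse_db(SAMPLE_DB)
    target = sys.argv[1] if len(sys.argv) > 1 else "/bin/login"
    try:
        actual = md5_of_file(target)
    except OSError as exc:
        sys.exit(f"cannot read {target}: {exc}")
    verdict, lines = check_binary(target, actual, db)
    print("\n".join(lines))
    print("OVERALL:", {True: "OK", False: "MISMATCH", None: "UNKNOWN"}[verdict])
```

Fed the MD5 quoted in the first post, the function logs one "valid" and one "NOT valid" line for /bin/login and still returns an overall pass, which is exactly the pattern that looked alarming in the log; an MD5 matching none of the lines is the case that actually deserves attention.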
 
  

