rkhunter 1.4.2 volc rootkit found & then gone?
Hello.
I don't usually come here too often but rkhunter running via cron caught something weird today. I forgot that running rkhunter more than once will overwrite the /var/log/rkhunter.log file (and I overwrote rkhunter.log.old as well), so unfortunately I don't have the necessary rkhunter logs. This is on a Slackware system. What I post next is from memory:

1. The rootkit "found" was called "Volc" rootkit and it mentioned something about "divine" (based on rkhunter.logs I'm assuming it was talking about /usr/lib/volc/backdoor/divine).
2. The rkhunter message given in the previous rkhunter.log (the one that caught the supposed rootkit) said to use:

Code:
lsof -i # or

So afterwards...

1. The output of "lsof -i" just gave me firefox and irssi connections.
2. Searching for the string "irssi" or "firefox" in the output of "netstat -an" didn't give any results.
3. I /quit out of irssi.
4. Re-scanning (twice, hence my lack of the necessary log) produced 0 rootkit results.
5.
Code:
netstat -plunt

So I guess my question is, should I have investigated further, and am I in the OK? I honestly can't tell if this was a false positive (and I realize without logs it's hard to believe me). What can/should I do further in case I am still affected (I went through the CERT checklist on archive.org)? Irssi seems to be okay. Restarting it didn't pick it up as a problem, nor did a reinstall of irssi (with the gpg key of the package verified) pick it up as a problem.
I apologize for double posting (and not waiting the 24 hour bump limit).
After further investigation it seems like a false positive and below is why I believe it to be so (please correct me if I'm wrong): I did some more research and came upon rkhunter's database files, most notably -- $install_root/var/lib/rkhunter/db/backdoorports.dat

This line in particular stood out:
Code:
33369:Volc Rootkit SSH server (divine):TCP

Code:
Warning: Network TCP port <port> is being used by <program>. Possible rootkit: Volc Rootkit SSH server (divine)

For temporary testing I changed the line from port 33369 to something else that is currently in use and established. Lo and behold, that program now becomes the "problem" and the possible rootkit is detected. The Volc rootkit itself was not picked up by rkhunter, and if the system had been compromised (from http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH)
Code:
However, a scan on an existing install will still reveal rootkits.
Do note we're trying to enhance RKH with ClamAV signatures to be more effective at scanning for "evidence". Right now it is an ongoing effort anyone could help with. But as traditional rootkit threats dwindle I do not intend to spend much time creating kernel 2.4 or kernel 2.6-era rootkit signs, though anyone could petition specific ones found right now via our Sourceforge bug tracker. So, if you didn't find evidence of file /usr/bin/volc and directory /usr/lib/volc but only the port then, yes, I'd mark that as a false positive.
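To make the two points above concrete (the port-list check from backdoorports.dat that the second post describes, and the reply's point that the port alone, without /usr/bin/volc or /usr/lib/volc, is not evidence), here is an added POSIX shell example. It is not rkhunter's own code and not from either poster; the backdoorports.dat excerpt, the netstat-style lines and the scratch root directory are constructed for the demonstration (only the 33369 entry is taken from the thread). It reproduces the matching logic, then checks whether a hit is backed by filesystem evidence before calling it anything more than a port collision.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Shows why a backdoorports.dat
# match on a port is weak evidence on its own and how to corroborate it.

# Constructed excerpt in backdoorports.dat layout: port:description:protocol
# (the 33369 line is the one quoted in the thread; the other is invented).
BACKDOORPORTS='33369:Volc Rootkit SSH server (divine):TCP
4000:Constructed example entry (not from rkhunter):UDP'

# Constructed lines in "netstat -plunt" layout. The irssi line models an
# ordinary IRC client whose ephemeral local port happens to be 33369.
NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:33369        198.51.100.7:6667       ESTABLISHED 2210/irssi
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhcpcd'

# port_hits DB NETSTAT_TEXT
# Prints "<PROTO> <port> <program> <description>" for every local port that
# appears in the database with the same protocol. This is the whole test the
# warning in the thread is based on: a port number plus a protocol.
port_hits() {
    printf '%s\n' "$2" | awk -v db="$1" '
    BEGIN {
        n = split(db, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, ":")            # port : description : protocol
            if (f[1] != "") known[f[3] ":" f[1]] = f[2]
        }
    }
    $1 ~ /^(tcp|udp)/ {
        proto = toupper(substr($1, 1, 3))     # tcp6 -> TCP as well
        nfld = split($4, a, ":")              # local port is after the last colon
        port = a[nfld]
        key = proto ":" port
        if (key in known) {
            prog = $NF                        # PID/Program column
            sub(/^[0-9]+\//, "", prog)
            print proto, port, prog, known[key]
        }
    }'
}

# volc_evidence [ROOT]
# Looks for the on-disk artefacts named in the reply. ROOT is a constructed
# prefix so the check can be exercised against a scratch tree; leave it empty
# to inspect the real filesystem. Prints "corroborated: <paths>" or "port-only".
volc_evidence() {
    root="${1:-}"
    found=""
    for p in /usr/bin/volc /usr/lib/volc; do
        [ -e "$root$p" ] && found="$found $p"
    done
    if [ -n "$found" ]; then
        echo "corroborated:$found"
    else
        echo "port-only"
    fi
}

# Run against the constructed data: the port check flags irssi, and the
# evidence check (on this host's real paths) reports whether anything backs it.
port_hits "$BACKDOORPORTS" "$NETSTAT"
volc_evidence
```

A "port-only" result is exactly the situation in the thread: the warning is real in the sense that the port matched, but the match carries no information about the program behind it, so the next step is the file and directory check, not re-running the scan until the ephemeral port moves.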