LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-01-2004, 10:58 PM   #1
vaworx
Member
 
Registered: Nov 2003
Location: Honolulu/HI
Distribution: Slackware current, FreeBSD 4.10, 5.4, 6.2, Debian, RedHat, CentOS, Sun Cobalt OS
Posts: 66

Rep: Reputation: 15
Slackware-current hacked????


I just got the current version of rkhunter 1.1.7 and it seems there is something wrong with my system. Here is a part of the rkhunter log file:
Code:
[17:38:13] ---------------------------- MD5 hash tests ---------------------------
[17:38:13] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
[17:38:14] /bin/cat hash valid, found in database
[17:38:14] /bin/chmod hash valid, found in database
[17:38:14] /bin/chown hash valid, found in database
[17:38:14] /bin/dmesg hash valid, found in database
[17:38:15] /bin/egrep hash valid, found in database
[17:38:15] /bin/fgrep hash valid, found in database
[17:38:15] /bin/grep hash valid, found in database
[17:38:15] /bin/kill hash valid, found in database
[17:38:15] /bin/kill hash valid, found in database
[17:38:16] /bin/killall Hash NOT valid (My MD5: e521900374bf15fe5aad53b0cf1c1381, expected: fe0e265ee4b28e1dbd5f85fa422243fc)
[17:38:16] Using whitelists to compare MD5 hash (searching for e521900374bf15fe5aad53b0cf1c1381)
[17:38:16] No whitelisted MD5 hash found for /bin/killall
[17:38:16] MD5 hash for my file (/bin/killall) is e521900374bf15fe5aad53b0cf1c1381, but is not in database
[17:38:16] End of whitelist compare
[17:38:16] Checking /bin/killall against hashes in database (fe0e265ee4b28e1dbd5f85fa422243fc) failed
[17:38:16] RPM info: your package 'file /bin/killall is not owned by any package'
[17:38:16] RPM info: packages in database: -
[17:38:16] /bin/login hash valid, found in database
[17:38:16] /bin/ls hash valid, found in database
[17:38:17] /bin/mount hash valid, found in database
[17:38:17] /bin/netstat hash valid, found in database
[17:38:17] /bin/ps Hash NOT valid (My MD5: e9b7ced9b9a28d4e005e4db58f45ce2d, expected: f76dca7dd7291424e509af6a16c9f1fb)
[17:38:17] Using whitelists to compare MD5 hash (searching for e9b7ced9b9a28d4e005e4db58f45ce2d)
[17:38:17] No whitelisted MD5 hash found for /bin/ps
[17:38:17] MD5 hash for my file (/bin/ps) is e9b7ced9b9a28d4e005e4db58f45ce2d, but is not in database
[17:38:17] End of whitelist compare
[17:38:17] Checking /bin/ps against hashes in database (f76dca7dd7291424e509af6a16c9f1fb) failed
[17:38:18] RPM info: your package 'file /bin/ps is not owned by any package'
[17:38:18] RPM info: packages in database: -
[17:38:18] /bin/su hash valid, found in database
[17:38:18] /sbin/depmod hash valid, found in database
[17:38:18] /sbin/ifconfig hash valid, found in database
[17:38:19] /sbin/init hash valid, found in database
[17:38:19] /sbin/insmod hash valid, found in database
[17:38:19] /sbin/ip hash valid, found in database
[17:38:19] /sbin/modinfo hash valid, found in database
[17:38:20] /sbin/mount hash valid, found in database
[17:38:20] /sbin/runlevel hash valid, found in database
[17:38:20] /sbin/sysctl Hash NOT valid (My MD5: 928ce3fc5e9429463a8502422c21b12d, expected: 0682e66bc9d6cd2ba44e4522a3687e02)
[17:38:20] Using whitelists to compare MD5 hash (searching for 928ce3fc5e9429463a8502422c21b12d)
[17:38:20] No whitelisted MD5 hash found for /sbin/sysctl
[17:38:20] MD5 hash for my file (/sbin/sysctl) is 928ce3fc5e9429463a8502422c21b12d, but is not in database
[17:38:20] End of whitelist compare
[17:38:20] Checking /sbin/sysctl against hashes in database (0682e66bc9d6cd2ba44e4522a3687e02) failed
[17:38:20] RPM info: your package 'file /sbin/sysctl is not owned by any package'
[17:38:20] RPM info: packages in database: -
[17:38:21] /usr/bin/cat hash valid, found in database
[17:38:21] /usr/bin/chmod hash valid, found in database
[17:38:21] /usr/bin/chown hash valid, found in database
[17:38:21] /usr/bin/egrep hash valid, found in database
[17:38:22] /usr/bin/env hash valid, found in database
[17:38:22] /usr/bin/fgrep hash valid, found in database
[17:38:22] /usr/bin/file hash valid, found in database
[17:38:22] /usr/bin/find hash valid, found in database
[17:38:23] /usr/bin/find hash valid, found in database
[17:38:23] /usr/bin/grep hash valid, found in database
[17:38:23] /usr/bin/groups hash valid, found in database
[17:38:23] /usr/bin/ls hash valid, found in database
[17:38:24] /usr/bin/lsattr hash valid, found in database
[17:38:24] /usr/bin/ps Hash NOT valid (My MD5: e9b7ced9b9a28d4e005e4db58f45ce2d, expected: f76dca7dd7291424e509af6a16c9f1fb)
[17:38:24] Using whitelists to compare MD5 hash (searching for e9b7ced9b9a28d4e005e4db58f45ce2d)
[17:38:24] No whitelisted MD5 hash found for /usr/bin/ps
[17:38:24] MD5 hash for my file (/usr/bin/ps) is e9b7ced9b9a28d4e005e4db58f45ce2d, but is not in database
[17:38:24] End of whitelist compare
[17:38:24] Checking /usr/bin/ps against hashes in database (f76dca7dd7291424e509af6a16c9f1fb) failed
[17:38:24] RPM info: your package 'file /usr/bin/ps is not owned by any package'
[17:38:24] RPM info: packages in database: -
[17:38:24] /usr/bin/pstree Hash NOT valid (My MD5: ad0d1952bcb0fbacf39df92c5233c3b3, expected: 61409b9017ac8bfc563273a205a848c8)
[17:38:24] Using whitelists to compare MD5 hash (searching for ad0d1952bcb0fbacf39df92c5233c3b3)
[17:38:24] No whitelisted MD5 hash found for /usr/bin/pstree
[17:38:24] MD5 hash for my file (/usr/bin/pstree) is ad0d1952bcb0fbacf39df92c5233c3b3, but is not in database
[17:38:24] End of whitelist compare
[17:38:25] Checking /usr/bin/pstree against hashes in database (61409b9017ac8bfc563273a205a848c8) failed
[17:38:25] RPM info: your package 'file /usr/bin/pstree is not owned by any package'
[17:38:25] RPM info: packages in database: -
[17:38:25] /usr/bin/sha1sum hash valid, found in database
[17:38:25] /usr/bin/stat hash valid, found in database
[17:38:25] /usr/bin/users hash valid, found in database
[17:38:26] /usr/bin/w Hash NOT valid (My MD5: 594e2d8e125cc840e1d78957ea81e047, expected: fbf9ebb55423c4ce5c2e2f4c73c94086)
[17:38:26] Using whitelists to compare MD5 hash (searching for 594e2d8e125cc840e1d78957ea81e047)
[17:38:26] No whitelisted MD5 hash found for /usr/bin/w
[17:38:26] MD5 hash for my file (/usr/bin/w) is 594e2d8e125cc840e1d78957ea81e047, but is not in database
[17:38:26] End of whitelist compare
[17:38:26] Checking /usr/bin/w against hashes in database (fbf9ebb55423c4ce5c2e2f4c73c94086) failed
[17:38:26] RPM info: your package 'file /usr/bin/w is not owned by any package'
[17:38:26] RPM info: packages in database: -
[17:38:26] /usr/bin/watch Hash NOT valid (My MD5: 975ad7a3df589a0ec0796561c40b18a9, expected: 40b20e9216030dfde32a1028aa4c7de3)
[17:38:26] Using whitelists to compare MD5 hash (searching for 975ad7a3df589a0ec0796561c40b18a9)
[17:38:26] No whitelisted MD5 hash found for /usr/bin/watch
[17:38:26] MD5 hash for my file (/usr/bin/watch) is 975ad7a3df589a0ec0796561c40b18a9, but is not in database
[17:38:26] End of whitelist compare
[17:38:26] Checking /usr/bin/watch against hashes in database (40b20e9216030dfde32a1028aa4c7de3) failed
[17:38:26] RPM info: your package 'file /usr/bin/watch is not owned by any package'
[17:38:26] RPM info: packages in database: -
[17:38:27] /usr/bin/who hash valid, found in database
[17:38:27] /usr/bin/whoami hash valid, found in database
[17:38:27] /usr/sbin/syslogd hash valid, found in database
Any ideas, or should I be worried? BTW, ProFTPd 1.2.9 is eventually vulnerable, as well as Procmail 3.15.2:
Code:
[17:39:49] Scanning Procmail%%MTA...
[17:39:49] /usr/bin/procmail found
[17:39:49] Version 3.15.2 seems to be vulnerable (if unpatched)!
[17:39:50] ----------------------------------------------------------
[17:39:50] Scanning ProFTPd...
[17:39:50] /usr/sbin/proftpd found
[17:39:50] Version 1.2.9 seems to be vulnerable (if unpatched)!
[17:39:50] ----------------------------------------------------------
 
Old 09-01-2004, 11:47 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
Possibly you should be worried ... you need to investigate this further. First step is to check those files which rkhunter found. Is there any chance they could've been replaced by an attacker? They all look like normal files, so their mere presence doesn't really say much. You should also check for suspicious log file entries and strange looking accounts in /etc/passwd.

Not sure about the vulnerable applications -- they look pretty recent. This might be a problem with the rkhunter application database. At least the proftpd web site makes no note of vulnerabilities with version 1.2.9.
 
Old 09-02-2004, 01:07 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Keep in mind that rkhunter uses a list of "good" md5 hashes for various distros (usually all stable releases) in its whitelist db, so if you're running bleeding-edge or current/nightly builds, it's highly likely that you'll get false positives. Might want to think about using chkrootkit instead or not using the md5sum comparison feature at all.

Most accurate way to check would be to compare md5sums of those packages to the ones on the cd-rom you installed with.
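One way to do the comparison Capt_Caveman describes, as an added example that is not from this thread or from rkhunter: unpack the original Slackware package from the install medium into a scratch directory and md5sum the installed binaries against it, so a mismatch is measured against the package you actually installed rather than a generic distro database. The package name procps-demo.tgz and the fixture it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Compare installed binaries with the copies in the original Slackware
# package (.tgz) from the install medium. Usage: verify_against_pkg PKG ROOT FILE...
# Prints OK / MISMATCH / MISSING per file; returns the number not verified.
verify_against_pkg() {
    pkg=$1; root=$2; shift 2
    tmp=$(mktemp -d) || return 99
    # Slackware packages are plain tar.gz archives rooted at /, so unpack to scratch
    tar -xzf "$pkg" -C "$tmp" || { rm -rf "$tmp"; return 99; }
    bad=0
    for f in "$@"; do
        rel=${f#/}
        if [ ! -f "$tmp/$rel" ]; then
            echo "MISSING  $f (not shipped in $(basename "$pkg"))"
            bad=$((bad + 1))
        elif [ ! -f "$root/$rel" ]; then
            echo "MISSING  $f (not present under $root)"
            bad=$((bad + 1))
        else
            have=$(md5sum < "$root/$rel" | cut -d' ' -f1)
            want=$(md5sum < "$tmp/$rel" | cut -d' ' -f1)
            if [ "$have" = "$want" ]; then
                echo "OK       $f $have"
            else
                # differs from the package actually installed, not a generic database
                echo "MISMATCH $f installed=$have package=$want"
                bad=$((bad + 1))
            fi
        fi
    done
    rm -rf "$tmp"
    return "$bad"
}
# Constructed fixture (hypothetical package procps-demo.tgz): a tiny package and
# an "installed" root in which bin/ps has been replaced; echoes "PKG ROOT".
make_demo_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/src/bin" "$base/src/usr/bin" "$base/root"
    printf 'genuine ps\n'      > "$base/src/bin/ps"
    printf 'genuine killall\n' > "$base/src/bin/killall"
    printf 'genuine w\n'       > "$base/src/usr/bin/w"
    tar -czf "$base/procps-demo.tgz" -C "$base/src" .
    cp -R "$base/src/." "$base/root/"
    printf 'tampered ps\n' > "$base/root/bin/ps"   # simulate a replaced binary
    echo "$base/procps-demo.tgz $base/root"
}
set -- $(make_demo_fixture)
verify_against_pkg "$1" "$2" /bin/ps /bin/killall /usr/bin/w /sbin/sysctl \
    || echo "files not verified: $?"
```

On a real box, point it at the package from your install CD (for example the procps package for /bin/ps, /usr/bin/w and /usr/bin/watch) and the root /, and run it from a medium you trust.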
 
Old 09-02-2004, 12:32 PM   #4
sh1ft
Member
 
Registered: Feb 2004
Location: Ottawa, Ontario, Can
Distribution: Slackware, ubuntu
Posts: 391

Rep: Reputation: 32
I get the same thing, along with other slack-current users, see the bottom of this thread. Seems to be a problem with rkhunter, I think. I checked with chkrootkit and everything seems fine.

Last edited by sh1ft; 09-02-2004 at 12:35 PM.
 
Old 09-10-2004, 08:55 PM   #5
vaworx
Member
 
Registered: Nov 2003
Location: Honolulu/HI
Distribution: Slackware current, FreeBSD 4.10, 5.4, 6.2, Debian, RedHat, CentOS, Sun Cobalt OS
Posts: 66

Original Poster
Rep: Reputation: 15
I checked with Patrick - it is the rkhunter tool -=> if you guys download the newest version everything will be ok. It will show that ProFTPD is still vulnerable which is not true but anyways ProFTPD won't be the default FTP server anymore - VsFTPD seems to be a lot more reliable and it's gonna be the default ftpd from now on.
 