08-18-2008, 06:54 PM
"Dean S. Messing"

rkhunter (root kit hunter) warning

I just installed rkhunter on this F7 machine
and am using the default config file (probably
a mistake.)
This morning I found this in my mail:

Subject: [rkhunter] Warnings found for medulla
Date: Mon, 18 Aug 2008 04:07:41 -0700 (PDT)

Please inspect this machine, because it may be infected.

I've looked at the generated log and found nothing suspicious. But
I'm not an experienced hunter and the log is >1000 lines long. I'd
like to post it here but I think it is too long for that. Here is the
final summary:


[04:07:40] System checks summary
[04:07:40] =====================
[04:07:40]
[04:07:40] File properties checks...
[04:07:40] Required commands check failed
[04:07:40] Files checked: 129
[04:07:41] Suspect files: 0
[04:07:41]
[04:07:41] Rootkit checks...
[04:07:41] Rootkits checked : 64
[04:07:41] Possible rootkits: 0
[04:07:41]
[04:07:41] Applications checks...
[04:07:41] Applications checked: 5
[04:07:41] Suspect applications: 0
[04:07:41]
[04:07:41] The system checks took: 29 seconds
[04:07:41]
[04:07:41] Info: End date is Mon Aug 18 04:07:41 PDT 2008

The only thing that catches the eye is the "Required commands check
failed." But a search for the words "failed" or "required" finds only
this line.

Lots of stuff was "skipped" in the log. For example:

[04:07:35] Performing trojan specific checks
[04:07:35] Info: Starting test name 'trojans'
[04:07:36] Checking for enabled inetd services [ Skipped ]
[04:07:36] Info: Check skipped - file '/etc/inetd.conf' does not exist.

Indeed it doesn't. I believe it has been replaced by /etc/xinetd.d/

This machine has iptables running on it and is behind our
corporate firewall. I'm not sure how to proceed.

Dean

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
08-18-2008, 11:58 PM
Kevin Fenzi

rkhunter (root kit hunter) warning

On Mon, 18 Aug 2008 11:54:05 -0700 (PDT)
deanm@sharplabs.com ("Dean S. Messing") wrote:

>
> I just installed rkhunter on this F7 machine

Sadly, F7 is no longer supported...

> and am using the default config file (probably
> a mistake.)

Well, I maintain rkhunter, and some issues were found with the config,
but only after F7 was end of lifed. I thus wasn't able to update it. ;(

You could try rebuilding the F-9 src.rpm for F7.

Also, make sure you run 'rkhunter -propupd' to update the properties.

kevin
 
08-19-2008, 01:25 AM
"Dean S. Messing"

rkhunter (root kit hunter) warning

Kevin Fenzi wrote:
> On Mon, 18 Aug 2008 11:54:05 -0700 (PDT)
> deanm@sharplabs.com ("Dean S. Messing") wrote:
>
> >
> > I just installed rkhunter on this F7 machine
>
> Sadly, F7 is no longer supported...
>
> > and am using the default config file (probably
> > a mistake.)
>
> Well, I maintain rkhunter, and some issues were found with the config,
> but only after F7 was end of lifed. I thus wasn't able to update it. ;(
>
> You could try rebuilding the F-9 src.rpm for F7.
>
> Also, make sure you run 'rkhunter -propupd' to update the properties.

Thanks a lot Kevin!

Were the changes you mention made during F8? If so I might have more
success rebuilding and installing the latest F8 rpm (1.3.2-4.fc8, I
think). In the past I've had problems trying to build new packages on
older systems due to changes in "rpm" and new package requirements
(dependency hell).

Do you know if not having the Properties DB would cause the
warning message I got:

Please inspect this machine, because it may be infected.

I had not run "-propupd" because the F7 machine is several
months old and I could not guarantee what was required in the warning
on the man page:

WARNING: It is the users responsibility to ensure that the files on
the system are genuine and from a reliable source. rkhunter can
only report if a file has changed, but not on what has caused the
change. Hence, if a file has changed, and the --propupd command
option is used, then rkhunter will assume that the file is genuine.

Dean

 
08-19-2008, 07:57 PM
Kevin Fenzi

rkhunter (root kit hunter) warning

On Mon, 18 Aug 2008 18:25:08 -0700 (PDT)
"Dean S. Messing" <deanm@sharplabs.com> wrote:

> Kevin Fenzi wrote:
> > On Mon, 18 Aug 2008 11:54:05 -0700 (PDT)
> > deanm@sharplabs.com ("Dean S. Messing") wrote:
> >
> > >
> > > I just installed rkhunter on this F7 machine
> >
> > Sadly, F7 is no longer supported...
> >
> > > and am using the default config file (probably
> > > a mistake.)
> >
> > Well, I maintain rkhunter, and some issues were found with the
> > config, but only after F7 was end of lifed. I thus wasn't able to
> > update it. ;(
> >
> > You could try rebuilding the F-9 src.rpm for F7.
> >
> > Also, make sure you run 'rkhunter -propupd' to update the
> > properties.
>
> Thanks a lot Kevin!
>
> Were the changes you mention made during F8? If so I might have more
> success rebuilding and installing the latest F8 rpm (1.3.2-4.fc8, I
> think). In the past I've had problems trying to build new packages on
> older systems due to changes in "rpm" and new package requirements
> (dependency hell).

Yeah, the changes should be in F8 as well.
It's a very simple build/setup anyhow, so any of them should work...

> Do you know if not having the Properties DB would cause the
> warning message I got:
>
> Please inspect this machine, because it may be infected.

Yes. It will do that until you run property update.

> I had not run "-propupd" because the F7 machine is several
> months old and I could not guarantee what was required in the warning
> on the man page:
>
> WARNING: It is the users responsibility to ensure that the
> files on the system are genuine and from a reliable source.
> rkhunter can only report if a file has changed, but not on what
> has caused the change. Hence, if a file has changed, and the
> --propupd command option is used, then rkhunter will assume that the
> file is genuine.

Right. So, you might either not run it from cron, or filter those
emails, or just run the propupd anyhow.

> Dean

kevin
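Kevin's answer above describes the mechanism at the heart of the warning: rkhunter keeps a properties database of known files, reports a warning when that database is absent or a file no longer matches it, and `--propupd` records whatever is currently on disk as the trusted baseline (which is exactly the caveat the man page spells out). The following shell script is an added illustration of that file-properties baseline idea, written for this thread; it is not rkhunter's own code. It assumes GNU coreutils (`sha256sum`, `stat -c`) and uses a hypothetical watch directory and baseline path of its own.

```shell
#!/bin/sh
# Constructed illustration of a file-properties baseline, the idea behind
# rkhunter's properties DB and --propupd. Not rkhunter's code.
# For each regular file in WATCH_DIR we record "path sha256 mode owner".
# check() returns 2 when no baseline exists (the "may be infected" warning
# situation described in the thread), 1 when a file changed or vanished,
# and 0 when everything matches. Paths containing whitespace are not handled.

if [ -z "$WATCH_DIR" ]; then
    WATCH_DIR=$(mktemp -d)      # hypothetical directory standing in for /bin etc.
    CLEANUP=1
fi
BASELINE="$WATCH_DIR/.props.db" # hypothetical baseline location (dotfile, so not scanned)

# Emit one property line per regular file directly under $1.
props_of() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        printf '%s %s %s %s\n' "$f" "$sum" "$mode" "$owner"
    done
}

# propupd: trust the current state of the watched files as the baseline.
# As the quoted man page warns, this cannot tell a genuine file from a
# modified one; it only fixes the point of comparison for later checks.
propupd() {
    props_of "$WATCH_DIR" > "$BASELINE"
}

# check: compare the live properties against the baseline.
check() {
    if [ ! -f "$BASELINE" ]; then
        echo "Warning: no properties database, run propupd first" >&2
        return 2
    fi
    current=$(props_of "$WATCH_DIR")
    # Lines present now that are not verbatim in the baseline: new or altered files.
    changed=$(printf '%s\n' "$current" | grep -vxF -f "$BASELINE" || true)
    # Paths recorded in the baseline that no longer exist.
    missing=$(cut -d' ' -f1 "$BASELINE" | while read -r p; do [ -e "$p" ] || echo "$p"; done)
    if [ -n "$changed" ] || [ -n "$missing" ]; then
        [ -n "$changed" ] && printf 'Changed or new:\n%s\n' "$changed" >&2
        [ -n "$missing" ] && printf 'Missing:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo in the temporary directory: warning first, clean after propupd.
if [ "$CLEANUP" = 1 ]; then
    printf 'constructed sample content\n' > "$WATCH_DIR/sample-cmd"
    rc=0; check || rc=$?; echo "before propupd: rc=$rc"   # rc=2
    propupd
    rc=0; check || rc=$?; echo "after propupd: rc=$rc"    # rc=0
    rm -rf "$WATCH_DIR"
fi
```

Running it shows the sequence from the thread: a fresh install with no database produces the warning, a property update silences it, and from then on only genuine changes (a rewritten or deleted file) trip the check. The same reasoning is why Kevin suggests either accepting the `propupd` baseline, not running the check from cron, or filtering the mails: until a baseline exists there is nothing to compare against.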
 
08-19-2008, 09:47 PM
"Dean S. Messing"

rkhunter (root kit hunter) warning

Kevin Fenzi wrote:
> Dean Messing wrote:
<snip>
> > Do you know if not having the Properties DB would cause the
> > warning message I got:
> >
> > Please inspect this machine, because it may be infected.
>
> Yes. It will do that until you run property update.
<snip>

Thanks again, Kevin for your help.
I'll do the -propupd and see what happens.
I'll soon be installing F8 on this machine and
will be sure to do the properties update before putting
it on the network.

Dean
