Commit 8b1f0ed2 authored by Francois Marier's avatar Francois Marier

New upstream version 1.4.6

parent eca1837f
......@@ -35,6 +35,7 @@ CaPaCuL Turkish translations
Mitsuhiri Yoshida Japanese translation
Alexander Wittig BSDng package manager code
Patrick G. IPCS whitelisting code
incitem/geophy Alpine Linux (busybox) support
And thanks to all others who contributed to Rootkit Hunter:
......
......@@ -18,6 +18,79 @@
--
* 1.4.6 (20/02/2018)
New:
- Added support for Alpine Linux (busybox).
- Added the 'Diamorphine LKM' test.
- Added the ALLOWIPCPID configuration file option. This will allow
specific PIDs to be whitelisted from the shared memory check.
- Added the ALLOWIPCUSER configuration file option. This will allow
specific usernames to be whitelisted from the shared memory check.
- Added the IPC_SEG_SIZE configuration file option. This can be used
to set the minimum shared memory segment size to check. The default
value is 1048576 bytes (1MB).
- Added the SKIP_INODE_CHECK configuration file option. Setting this
option will disable the reporting of any changed inode numbers.
The default is to report inode changes. (This option may be useful
for filesystems such as Btrfs.)
- Added Ebury sshd backdoor test.
- Added a new SSH configuration test to check for various suspicious
configuration options. Currently there is only one check which
relates to the Ebury backdoor.
- Added basic test for Jynx2 rootkit.
- Added Komplex trojan test.
- Added basic test for KeRanger running process.
- Added test for Keydnap backdoor.
- Added basic test for Eleanor backdoor running process.
- Added basic tests for Mokes backdoor.
- Added tests for Proton backdoor.
- Added the SUSPSCAN_WHITELIST configuration file option. This
option can be used to whitelist file pathnames from the
'suspscan' test.
Changes:
- The 'ipc_shared_mem' test will now log the minimum segment size
that will be checked. It will also log the size of any segments
which appear suspicious (that is, larger than the configured
allowed maximum size).
- If verbose logging is disabled, then generally only the test
name and the final result for the test will now be logged.
- Kernel symbol checks will now use the 'System.map' file, if it
exists, and no other kernel symbol file can be found.
Bugfixes:
- For prelinked systems ensure that the default hash function is
SHA1 and not SHA256.
- The result from the 'hidden_procs' test was not being
calculated correctly.
- Checking the O/S version number could be missed in some cases.
- Minor improvement to the *BSD immutable files check.
- The 'OS_VERSION_FILE' configuration option pathname cannot be
a link, but this was not checked.
- Improved checks for the O/S name on Devuan systems.
- Handling of the '/etc/issue' file during O/S detection has now
improved. Escape sequences are either replaced or removed.
- Not all the linux kernel module names were being checked.
- The logging of detached memory segments tried to show the
process pathname. This has now been corrected, and where no
pathname is available, the segment owner and PID will be logged.
- It was possible for the return code to be lost when running the
'ipc_shared_mem' test. This has now been corrected.
- Some configuration options were still not being handled correctly
when specified more than once.
- The 'ipc_shared_mem' test did not correctly handle whitelisting
when a segment pathname was flagged as deleted. This has now
been corrected.
- Commands disabled in the configuration file were being logged
as not found. They are now logged as having been disabled.
- Disabling verbose logging could hide some warning messages.
- The 'shared_libs' test now caters for simple filenames, as well
as pathnames which contain the '$LIB', '$ORIGIN' or '$PLATFORM'
variables.
--
* 1.4.4 (29/06/2017)
New:
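Review bot: the ChangeLog jumps from 1.4.4 to 1.4.6 with no 1.4.5 entry, yet the spec file in this same commit sets `%define ver 1.4.5` while the installer sets `APPVERSION="1.4.6"`; either a 1.4.5 entry is missing here or the spec bump is wrong. Within the 1.4.6 entry the IPC_SEG_SIZE wording is also inconsistent: under "New" it is "the minimum shared memory segment size to check", under "Changes" the same value is "the configured allowed maximum size". It is a single threshold (segments larger than it are reported), so use one phrase in both places.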
......
......@@ -2,8 +2,8 @@
ROOTKIT HUNTER FREQUENTLY ASKED QUESTIONS (FAQ)
===============================================
The latest version of this FAQ can be found at the RKH web site.
(http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter/files/FAQ)
The latest version of this FAQ can be found on the RKH web site.
(https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/FAQ)
===========================================================
......
......@@ -180,9 +180,9 @@ TESTING RKHUNTER WITHOUT INSTALLING IT
It is perfectly understandable that new users may wish to try out rkhunter
without having to fully install it. Similarly current users may want to
test a new version of rkhunter, or a CVS version of it, without it affecting
their current system or current installation of rkhunter. This is all
perfectly possible, and quite easy, using a standalone installation.
test a new version of rkhunter, or a development version of it, without it
affecting their current system or current installation of rkhunter. This is
all perfectly possible, and quite easy, using a standalone installation.
First, as the root user, it is suggested that a separate temporary directory
is created, and then change to that directory. For example:
......@@ -193,14 +193,14 @@ is created, and then change to that directory. For example:
It is now necessary to either copy or download a tarball of the version of
rkhunter that you want to test. (Since you are reading this file, we assume
you have already downloaded the relevant version.) For users wishing to try
the latest CVS version, it is possible to download a tarball. For example:
the latest development version, it is possible to download a tarball:
wget http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz
wget http://rkhunter.sourceforge.net/rkhunter-dev.tar.gz
Next, it is necessary to extract the files from the tarball. The simplest
way is to use the 'tar' command, such as:
tar xzf rkhunter-CVS.tar.gz
tar xzf rkhunter-dev.tar.gz
Obviously, for official releases, you will need to use the correct tarball
name. For example:
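Review bot: the development tarball is still fetched over plain http:// (`wget http://rkhunter.sourceforge.net/rkhunter-dev.tar.gz`) even though the FAQ link earlier in this commit was moved to https://sourceforge.net. The FAQ has the reader unpack and run this tarball as root, so the download should use HTTPS, and the text should tell the reader to compare the file against whatever checksum or signature the project publishes before running the installer.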
......@@ -211,21 +211,16 @@ For users of systems with alternative implementations of 'tar', for example
Solaris users, you may need to break the extraction process into two steps
(or use the 'gtar' command if you have it installed). For example:
gunzip rkhunter-CVS.tar.gz
tar xf rkhunter-CVS.tar
Additionally it is possible to download from CVS directly using the command:
cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co -P rkhunter
gunzip rkhunter-dev.tar.gz
tar xf rkhunter-dev.tar
The extraction process will create a sub-directory containing all the
rkhunter files. The sub-directory name will contain the rkhunter version
number, or, for CVS tarballs, it will simply be called 'rkhunter'.
number, or, for development tarballs, it will simply be called 'rkhunter'.
Change into this directory:
cd rkhunter-1.4.0 (for an official release tarball)
or cd rkhunter (for CVS and CVS tarballs)
or cd rkhunter (for development tarballs)
Now, we can run the installer program as described in the section above
about standalone installations:
......
Version:2017062301
Version:2018021101
#
# We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each
......@@ -87,6 +87,7 @@ CONFIG_MIRRORS_MODE2:Only remote mirrors will be used
FOUND_CMD:Found the '$1' command: $2
NOT_FOUND_CMD:Unable to find the '$1' command
DISABLED_CMD:The '$1' command has been disabled
CMD_ERROR:The command '$1' gave error code $2.
SYS_PRELINK:System is using prelinking
......@@ -232,9 +233,9 @@ USER_CMD_LIST:Including user commands for file properties check:
USER_DIR_LIST:Including user directories for file properties check:
USER_EXCLUDE_PROP:Excluding from file properties check:
KSYMS_FOUND:Found ksym file '$1'
KSYMS_UNAVAIL:All ksyms and kallsyms checks will be skipped - the file is unreadable.
KSYMS_MISSING:All ksyms and kallsyms checks will be skipped - neither file is present on the system.
KSYMS_FOUND:Found kernel symbols file '$1'
KSYMS_UNAVAIL:All kernel symbol checks will be skipped - the kernel symbols file is unreadable: $1
KSYMS_MISSING:All kernel symbol checks will be skipped - could not find a kernel symbols file on the system.
STARTING_TEST:Starting test name '$1'
USER_DISABLED_TEST:Test '$1' disabled at users request.
......@@ -260,16 +261,20 @@ FILE_PROP_START:Performing file properties checks
FILE_PROP_CMDS:Checking for prerequisites
FILE_PROP_IMMUT_OS:Skipping all immutable-bit checks. This check is only available for Linux systems.
FILE_PROP_IMMUT_SET:The immutable-bit check will be reversed.
FILE_PROP_SKIP_ATTR:Unable to find 'stat' command - all file attribute checks will be skipped.
FILE_PROP_SKIP_ATTR:Unable to find the 'stat' command - all file attribute checks will be skipped.
FILE_PROP_SKIP_ATTR_DISABLED:The 'stat' command has been disabled - all file attribute checks will be skipped.
FILE_PROP_SKIP_HASH:All file hash checks will be skipped because:
FILE_PROP_SKIP_HASH_FUNC:The current hash function ($1) or package manager ($2) is incompatible with the hash function ($3) or package manager ($4) used to store the values.
FILE_PROP_SKIP_HASH_PRELINK:Unable to find 'prelink' command.
FILE_PROP_SKIP_HASH_SHA1:This system uses prelinking, but the hash function command does not look like SHA1 or MD5.
FILE_PROP_SKIP_HASH_LIBSAFE:Libsafe was found, which can cause errors. If possible, disable libsafe and then run the prelink command. Finally, recreate the hash values using 'rkhunter --propupd'.
FILE_PROP_SKIP_IMMUT:Unable to find 'lsattr' command - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_IMMUT:Unable to find the 'lsattr' command - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_IMMUT_DISABLED:The 'lsattr' command has been disabled - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_IMMUT_CMD:No output from the '$1' command - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_SCRIPT:Unable to find 'file' command - all script replacement checks will be skipped.
FILE_PROP_SKIP_SCRIPT:Unable to find the 'file' command - all script replacement checks will be skipped.
FILE_PROP_SKIP_SCRIPT_DISABLED:The 'file' command has been disabled - all script replacement checks will be skipped.
FILE_PROP_SKIP_FILE_CMD:No output from the 'file' command - all script replacement checks will be skipped.
FILE_PROP_SKIP_INODE:All file inode checks will be skipped.
FILE_PROP_NO_OS_WARNING:Warnings of any O/S change have been disabled at the users request.
FILE_PROP_OS_CHANGED:The local host configuration or operating system has changed.
FILE_PROP_DAT_MISSING:The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
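Review bot: FILE_PROP_SKIP_INODE says "All file inode checks will be skipped", but the configuration comment for SKIP_INODE_CHECK in this commit says the inode test still runs and always reports no change. Decide which behaviour is real and make the message match it; if the test does still run, log that inode changes are being ignored rather than skipped, so a reader of the log does not conclude the check was unavailable.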
......@@ -364,9 +369,10 @@ ROOTKIT_PHALANX2_PROC_PPID:Expected 'kthread' parent PID '$1' found parent PID '
ROOTKIT_PHALANX2_PROC_PS_ERR:Running 'ps' returned unexpected results: possibly unsupported cmdline arguments.
ROOTKIT_ADD_START:Performing additional rootkit checks
ROOTKIT_ADD_SUCKIT:Suckit Rookit additional checks
ROOTKIT_ADD_SUCKIT_LOG:Performing Suckit Rookit additional checks
ROOTKIT_ADD_SUCKIT:Suckit Rootkit additional checks
ROOTKIT_ADD_SUCKIT_LOG:Performing Suckit Rootkit additional checks
ROOTKIT_ADD_SUCKIT_LINK_NOCMD:Checking '/sbin/init' link count: no 'stat' command found
ROOTKIT_ADD_SUCKIT_LINK_DISABLED:Checking '/sbin/init' link count: the 'stat' command has been disabled
ROOTKIT_ADD_SUCKIT_LINK_FOUND:Checking '/sbin/init' link count: count is $1, it should be 1
ROOTKIT_ADD_SUCKIT_EXT:Checking for hidden file extensions
ROOTKIT_ADD_SUCKIT_EXT_FOUND:Checking for hidden file extensions: found: $1
......@@ -409,10 +415,14 @@ ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:The file '$1' contains the string '$2'. Poss
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Check skipped - tripwire not installed
ROOTKIT_MALWARE_SNIFFER:Checking for sniffer log files
ROOTKIT_MALWARE_SNIFFER_FOUND:Found possible sniffer log file: $1
ROOTKIT_MALWARE_IPCS:Checking for suspicious shared memory segments
ROOTKIT_MALWARE_IPCS_FOUND:The following suspicious shared memory segments have been found:
ROOTKIT_MALWARE_IPCS_DETAILS:Process: $1 PID: $2 Owner: $3
ROOTKIT_MALWARE_IPCS_WL:Found process pathname '$1': it is whitelisted.
ROOTKIT_MALWARE_IPCS:Checking for suspicious (large) shared memory segments
ROOTKIT_MALWARE_IPCS_FOUND:The following suspicious (large) shared memory segments have been found:
ROOTKIT_MALWARE_IPCS_DETAILS:Process: $1 PID: $2 Owner: $3 Size: $4 (configured size allowed: $5)
ROOTKIT_MALWARE_IPCS_DETACHED:Detached segment with no pathname: Owner: $1 PID: $2 Segment ID: $3 Size: $4 (configured size allowed: $5)
ROOTKIT_MALWARE_IPCS_ATTACHED:Attached segment with no pathname: Owner: $1 Segment ID: $2 Attached processes: $3 Creator PID: $4 Last PID: $5 Size: $4 (configured size allowed: $5)
ROOTKIT_MALWARE_IPCS_WL_PATH:Found process pathname '$1': it is whitelisted.
ROOTKIT_MALWARE_IPCS_WL_USER:Found process username '$1': it is whitelisted.
ROOTKIT_MALWARE_IPCS_WL_PID:Found process PID '$1': it is whitelisted.
ROOTKIT_TROJAN_START:Performing trojan specific checks
ROOTKIT_TROJAN_INETD:Checking for enabled inetd services
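Review bot: ROOTKIT_MALWARE_IPCS_ATTACHED reuses `$4` and `$5`: they appear first as "Creator PID: $4 Last PID: $5" and again as "Size: $4 (configured size allowed: $5)", so the size fields will print the two PIDs. The last two placeholders should be `$6` and `$7`, and the caller must pass seven arguments. ROOTKIT_MALWARE_IPCS_DETACHED just above it numbers its placeholders sequentially and is the pattern to follow.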
......@@ -516,6 +526,8 @@ SYSTEM_CONFIGS_SSH_PROTO_DIFF1:SSH configuration option 'Protocol': $1
SYSTEM_CONFIGS_SSH_PROTO_DIFF2:Rkhunter configuration option 'ALLOW_SSH_PROT_V1': $1
SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The SSH configuration option 'Protocol' has not been set.
SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The default value may be '2,1', to allow the use of protocol version 1.
SYSTEM_CONFIGS_SSH_EXTRA:Checking for other suspicious configuration settings
SYSTEM_CONFIGS_SSH_EBURY:Possible Ebury sshd backdoor found (SSH AuthorizedKeysFile setting)
SYSTEM_CONFIGS_SYSLOG:Checking for a running system logging daemon
SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:No running system logging daemon has been found.
SYSTEM_CONFIGS_SYSLOG_DAEMON:A running '$1' daemon has been found.
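Review bot: SYSTEM_CONFIGS_SSH_EBURY reports only that a suspicious AuthorizedKeysFile setting was found, with no value. The other detection messages in this catalogue print what was matched (ROOTKIT_MALWARE_IPCS_DETAILS, FILESYSTEM_HIDDEN_FILE_FOUND), so pass the offending setting as `$1`; an administrator has to be able to locate the line in sshd_config to confirm or dismiss the warning.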
......@@ -536,8 +548,10 @@ FILESYSTEM_HIDDEN_DIR_FOUND:Hidden directory found: $1
FILESYSTEM_HIDDEN_FILE_FOUND:Hidden file found: $1
FILESYSTEM_LOGFILE_MISSING:Checking for missing log files
FILESYSTEM_LOGFILE_MISSING_FOUND:The log file '$1' is missing.
FILESYSTEM_LOGFILE_MISS_DISABLED:No missing log file names configured.
FILESYSTEM_LOGFILE_EMPTY:Checking for empty log files
FILESYSTEM_LOGFILE_EMPTY_FOUND:The log file '$1' is empty.
FILESYSTEM_LOGFILE_EMPTY_DISABLED:No empty log file names configured.
CHECK_APPS:Checking application versions...
APPS_NONE_FOUND:No known applications found - all version checks skipped.
......@@ -592,7 +606,7 @@ NETWORK_PACKET_CAP_WL:Found process '$1': it is whitelisted.
SHARED_LIBS_START:Performing 'shared libraries' checks
SHARED_LIBS_PRELOAD_VAR:Checking for preloading variables
SHARED_LIBS_PRELOAD_VAR_FOUND:Found library preload variable(s): $1
SHARED_LIBS_PRELOAD_VAR_FOUND:Found library preload variable: $1
SHARED_LIBS_PRELOAD_FILE:Checking for preloaded libraries
SHARED_LIBS_PRELOAD_LIB_FOUND:Found preloaded shared library: $1
SHARED_LIBS_PRELOAD_FILE_FOUND:Found library preload file: $1
......@@ -605,13 +619,9 @@ SUSPSCAN_DIR_NOT_EXIST:The directory '$1' does not exist.
SUSPSCAN_INSPECT:File '$1' (score: $2) contains some suspicious content and should be checked.
SUSPSCAN_START:Performing check of files with suspicious contents
SUSPSCAN_DIRS:Directories to check are: $1
SUSPSCAN_NO_DIRS:No directories specified: using defaults ($1)
SUSPSCAN_TEMP:Temporary directory to use: $1
SUSPSCAN_NO_TEMP:No temporary directory specified: using default ($1)
SUSPSCAN_SIZE:Maximum file size to check (in bytes): $1
SUSPSCAN_NO_SIZE:No maximum file size specified: using default ($1)
SUSPSCAN_THRESH:Score threshold is set to: $1
SUSPSCAN_NO_THRESH:No score threshold specified: using default ($1)
SUSPSCAN_DIR_CHECK:Checking directory: $1
SUSPSCAN_FILE_CHECK:File checked: Name: '$1' Score: $2
SUSPSCAN_FILE_CHECK_DEBUG:File checked: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4)
......@@ -623,6 +633,7 @@ SUSPSCAN_FILE_LINK_CHANGE:Symbolic link found: '$1' -> '$2'
SUSPSCAN_DAT_MISSING:The data file of suspicious contents is missing or empty: $1
SUSPSCAN_DAT_MISSING:Run 'rkhunter --update' to restore the default file.
SUSPSCAN_DAT_NOTAFILE:The data file of suspicious contents is not a file: $1
SUSPSCAN_WL:Found file '$1': it is whitelisted.
LIST_TESTS:Current test names:
LIST_GROUPED_TESTS:Grouped test names:
......@@ -636,4 +647,6 @@ LOCK_UNUSED:Locking is not being used
LOCK_WAIT:Waiting for lock file
LOCK_FAIL:Unable to get the lock file: rkhunter has not run!
IPC_SEG_SIZE:The minimum shared memory segment size to be checked (in bytes): $1
LINUX_ONLY:Check skipped - this check is only for Linux systems.
Version:2014030201
Version:2017080401
#
# We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each
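Review bot: this Turkish catalogue is stamped 2017080401 while the English catalogue in the same commit moves to 2018021101, and none of the strings added for this release (IPC_SEG_SIZE, SUSPSCAN_WL, FILE_PROP_SKIP_INODE, the new ROOTKIT_MALWARE_IPCS_* keys, SYSTEM_CONFIGS_SSH_EBURY, CMD_ERROR) appear in it. Confirm that missing keys fall back to the English text rather than producing empty output before this ships.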
......@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Depolan do
HASH_PKGMGR:Dosya zellikleri kontrol iin '$1' paket yneticisi kullanlyor
HASH_PKGMGR_MD5:Paket yneticisi dorulamasna yardmc olmas iin MD5 salama fonksiyonu komutu '$1' kullanlyor
HASH_PKGMGR_SHA:Paket yneticisi dorulamasna yardmc olmas iin SHA salama fonksiyonu komutu '$1' kullanlyor
HASH_PKGMGR_SUM:Paket dorulamas iin depolanan 16-bit salama kullanlyor
HASH_PKGMGR_NOT_SPEC:Paket yneticisi belirtilmedi: '$1' salama fonksiyonu kullanlyor
HASH_PKGMGR_NOT_SPEC_PRELINKED:Paket yneticisi belirtilmedi: '$1' ile prelink komutu kullanlyor
......@@ -212,7 +213,8 @@ PROPUPD_START:Dosya
PROPUPD_OSINFO_START:letim Sistemi bilgisi toplanyor...
PROPUPD_ARCH_FOUND:Sistem mimarisi bulundu: $1
PROPUPD_REL_FILE:Srm dosyas bulundu: $1
PROPUPD_NO_REL_FILE:Bir srm dosyas bulunamad: LS kts:
PROPUPD_NO_REL_FILE_NO_OUTPUT:Bir /S srm dosyas bulunamad.
PROPUPD_NO_REL_FILE:Bir /S srm dosyas bulunamad: LS kts:
PROPUPD_OSNAME_FOUND:Bulunan letim Sistemi: $1
PROPUPD_ERROR:Yeni rkhunter.dat dosyas kurulurken hata. Kod $1
PROPUPD_NEW_DAT_FILE:Yeni rkhunter.dat dosyas '$1' dizininde kuruldu
......@@ -389,38 +391,34 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Komut: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Yol ismi: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Olas Rootkit: $1
ROOTKIT_MALWARE_HIDDEN_PROCS:Gizli ilemler kontrol ediliyor
ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:Kullanc isteiyle, '$1' kullanm devred brakld
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:'unhide' komut srm bulundu: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:'$1' komutu kullanlyor
ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' altrlabilir deil: geersiz yaplandrlm testler: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:'unhide.rb' komutu bir hata verdi:
ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Gizli ilemler bulundu:
ROOTKIT_MALWARE_DELETED_FILES:Silinen dosyalar iin alan ilemler kontrol ediliyor
ROOTKIT_MALWARE_DELETED_FILES_FOUND:Aadaki ilemler silinen dosya(lar) kullanyor:
ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:lem: $1 PID: $2 Dosya: $3
ROOTKIT_MALWARE_DELETED_FILES_WL:Beyaz listedeki '$1' dosyasn kullanan '$1' ilemi bulundu.
ROOTKIT_MALWARE_LOGIN_BDOOR:Arkakap girileri kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Arkakap girilerinin kontrol altrlyor
ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:'$1' kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Arkakap giri dosyas bulundu: $1
ROOTKIT_MALWARE_SUSP_DIR:pheli klasrler kontrol ediliyor
ROOTKIT_MALWARE_SUSP_DIR_LOG:pheli klasrlerin kontrol altrlyor
ROOTKIT_MALWARE_SUSP_DIR_FOUND:pheli klasr bulundu: $1
ROOTKIT_MALWARE_SFW_INTRUSION:Yazlm ihlalleri kontrol ediliyor
ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:'$1' dosyas '$2' dizisini ieriyor. Olas rootkit: SHV5
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Kontrol atland - tripwire ykl deil
ROOTKIT_MALWARE_SNIFFER:Alglayc gnlk/kayt dosyalar kontrol ediliyor
ROOTKIT_MALWARE_SNIFFER_LOG:Alglayc gnlk/kayt dosyalarnn kontrol altrlyor
ROOTKIT_MALWARE_SNIFFER_FOUND:Alglayc gnlk/kayt dosyas bulundu: $1
ROOTKIT_MALWARE_IPCS:pheli Paylalan Bellek segmentleri
ROOTKIT_MALWARE_IPCS_FOUND:u pheli paylam bellei segmentleri bulundu:
ROOTKIT_MALWARE_IPCS_DETAILS:lem: $1 PID: $2 Sahibi: $3
ROOTKIT_MALWARE_IPCS_WL:lem yolu ad '$1': beyaz listeye alnd.
ROOTKIT_TROJAN_START:Spesifik trojan kontrolleri altrlyor
ROOTKIT_TROJAN_INETD:Etkin inetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_INETD_SKIP:Kontrol atland - '$1' dosyas mevcut deil.
ROOTKIT_TROJAN_INETD_FOUND:Etkin inetd servisi bulundu: $1
ROOTKIT_TROJAN_XINETD:Etkin xinetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_XINETD_LOG:Etkin xinetd servislerinin kontrol altrlyor
ROOTKIT_TROJAN_XINETD_ENABLED:Etkin servisler iin, '$1' altrlyor
ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1' direktifi bulundu
ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1' direktifi bulundu
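Review bot: ROOTKIT_MALWARE_DELETED_FILES_WL uses `$1` twice, once for the file and once for the process; the message names two different things, so the second placeholder is almost certainly meant to be `$2`. In the same hunk ROOTKIT_MALWARE_IPCS_DETAILS still has three placeholders and ROOTKIT_MALWARE_IPCS_WL keeps its old name, whereas the English catalogue in this commit adds the Size and allowed-size fields and splits the whitelist message into IPCS_WL_PATH, IPCS_WL_USER and IPCS_WL_PID.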
......@@ -633,6 +631,9 @@ LIST_PERL:Perl mod
LIST_RTKTS:Kontrol edilen rootkitler:
LOCK_USED:Kilitleme kullanmda: zaman am $1 saniye
LOCK_DIR:Kilitleme dizini olarak '$1' kullanlyor
LOCK_UNUSED:Kilitleme kullanmda deil
LOCK_WAIT:Kilit dosyas bekleniyor
LOCK_FAIL:Kilit dosyas alnamad: rkhunter almad!
LINUX_ONLY:Kontrol atland - bu kontrol sadece Linux sistemler iindir.
Version:2014030201
Version:2017080401
#
# We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each
......@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Depolan doğrulama verileri, bir paket yöneticisi kullanm
HASH_PKGMGR:Dosya özellikleri kontrolü için '$1' paket yöneticisi kullanılıyor
HASH_PKGMGR_MD5:Paket yöneticisi doğrulamasına yardımcı olması için MD5 sağlama fonksiyonu komutu '$1' kullanılıyor
HASH_PKGMGR_SHA:Paket yöneticisi doğrulamasına yardımcı olması için SHA sağlama fonksiyonu komutu '$1' kullanılıyor
HASH_PKGMGR_SUM:Paket doğrulaması için depolanan 16-bit sağlama kullanılıyor
HASH_PKGMGR_NOT_SPEC:Paket yöneticisi belirtilmedi: '$1' sağlama fonksiyonu kullanılıyor
HASH_PKGMGR_NOT_SPEC_PRELINKED:Paket yöneticisi belirtilmedi: '$1' ile prelink komutu kullanılıyor
......@@ -212,7 +213,8 @@ PROPUPD_START:Dosya özellikleri veri güncellemesi başlatılıyor...
PROPUPD_OSINFO_START:İşletim Sistemi bilgisi toplanıyor...
PROPUPD_ARCH_FOUND:Sistem mimarisi bulundu: $1
PROPUPD_REL_FILE:Sürüm dosyası bulundu: $1
PROPUPD_NO_REL_FILE:Bir sürüm dosyası bulunamadı: LS çıktısı:
PROPUPD_NO_REL_FILE_NO_OUTPUT:Bir İ/S sürüm dosyası bulunamadı.
PROPUPD_NO_REL_FILE:Bir İ/S sürüm dosyası bulunamadı: LS çıktısı:
PROPUPD_OSNAME_FOUND:Bulunan İşletim Sistemi: $1
PROPUPD_ERROR:Yeni rkhunter.dat dosyası kurulurken hata. Kod $1
PROPUPD_NEW_DAT_FILE:Yeni rkhunter.dat dosyası '$1' dizininde kuruldu
......@@ -389,38 +391,34 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Komut: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Yol ismi: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Olası Rootkit: $1
ROOTKIT_MALWARE_HIDDEN_PROCS:Gizli işlemler kontrol ediliyor
ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:Kullanıcı isteğiyle, '$1' kullanımı devredışı bırakıldı
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:'unhide' komut sürümü bulundu: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:'$1' komutu kullanılıyor
ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' çalıştırılabilir değil: geçersiz yapılandırılmış testler: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:'unhide.rb' komutu bir hata verdi:
ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Gizli işlemler bulundu:
ROOTKIT_MALWARE_DELETED_FILES:Silinen dosyalar için çalışan işlemler kontrol ediliyor
ROOTKIT_MALWARE_DELETED_FILES_FOUND:Aşağıdaki işlemler silinen dosya(lar) kullanıyor:
ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:İşlem: $1 PID: $2 Dosya: $3
ROOTKIT_MALWARE_DELETED_FILES_WL:Beyaz listedeki '$1' dosyasını kullanan '$1' işlemi bulundu.
ROOTKIT_MALWARE_LOGIN_BDOOR:Arkakapı girişleri kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Arkakapı girişlerinin kontrolü çalıştırılıyor
ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:'$1' kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Arkakapı giriş dosyası bulundu: $1
ROOTKIT_MALWARE_SUSP_DIR:Şüpheli klasörler kontrol ediliyor
ROOTKIT_MALWARE_SUSP_DIR_LOG:Şüpheli klasörlerin kontrolü çalıştırılıyor
ROOTKIT_MALWARE_SUSP_DIR_FOUND:Şüpheli klasör bulundu: $1
ROOTKIT_MALWARE_SFW_INTRUSION:Yazılım ihlalleri kontrol ediliyor
ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:'$1' dosyası '$2' dizisini içeriyor. Olası rootkit: SHV5
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Kontrol atlandı - tripwire yüklü değil
ROOTKIT_MALWARE_SNIFFER:Algılayıcı günlük/kayıt dosyaları kontrol ediliyor
ROOTKIT_MALWARE_SNIFFER_LOG:Algılayıcı günlük/kayıt dosyalarının kontrolü çalıştırılıyor
ROOTKIT_MALWARE_SNIFFER_FOUND:Algılayıcı günlük/kayıt dosyası bulundu: $1
ROOTKIT_MALWARE_IPCS:Şüpheli Paylaşılan Bellek segmentleri
ROOTKIT_MALWARE_IPCS_FOUND:Şu şüpheli paylaşım belleği segmentleri bulundu:
ROOTKIT_MALWARE_IPCS_DETAILS:İşlem: $1 PID: $2 Sahibi: $3
ROOTKIT_MALWARE_IPCS_WL:İşlem yolu adı '$1': beyaz listeye alındı.
ROOTKIT_TROJAN_START:Spesifik trojan kontrolleri çalıştırılıyor
ROOTKIT_TROJAN_INETD:Etkin inetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_INETD_SKIP:Kontrol atlandı - '$1' dosyası mevcut değil.
ROOTKIT_TROJAN_INETD_FOUND:Etkin inetd servisi bulundu: $1
ROOTKIT_TROJAN_XINETD:Etkin xinetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_XINETD_LOG:Etkin xinetd servislerinin kontrolü çalıştırılıyor
ROOTKIT_TROJAN_XINETD_ENABLED:Etkin servisler için, '$1' çalıştırılıyor
ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1' direktifi bulundu
ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1' direktifi bulundu
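Review bot: the UTF-8 variant carries the same two defects as the ISO-8859-9 file: ROOTKIT_MALWARE_DELETED_FILES_WL repeats `$1` where the second placeholder should be `$2`, and ROOTKIT_MALWARE_IPCS_DETAILS and ROOTKIT_MALWARE_IPCS_WL were not brought in line with the new English placeholders and key names. The two Turkish files need to be edited together or they will drift apart.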
......@@ -633,6 +631,9 @@ LIST_PERL:Perl modülü kurulum durumu:
LIST_RTKTS:Kontrol edilen rootkitler:
LOCK_USED:Kilitleme kullanımda: zaman aşımı $1 saniye
LOCK_DIR:Kilitleme dizini olarak '$1' kullanılıyor
LOCK_UNUSED:Kilitleme kullanımda değil
LOCK_WAIT:Kilit dosyası bekleniyor
LOCK_FAIL:Kilit dosyası alınamadı: rkhunter çalışmadı!
LINUX_ONLY:Kontrol atlandı - bu kontrol sadece Linux sistemler içindir.
......@@ -380,7 +380,8 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the SHA256 function.
# The default value is the SHA256 function, unless prelinking is used in
# which case it defaults to the SHA1 function.
#
# Also see the HASH_FLD_IDX option. In addition, note the comments under
# the PKGMGR option relating to the use of HASH_CMD.
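Review bot: the comment now states that the default becomes SHA1 on prelinked systems but not why. The catalogue message FILE_PROP_SKIP_HASH_SHA1 in this commit gives the reason (the prelink verification path only accepts MD5 or SHA1); say that here, and add that SHA1 is the weaker choice so that an administrator who can drop prelinking knows SHA256 comes back when they do. Also, changing the default means an existing rkhunter.dat built with SHA256 on a prelinked host will hit FILE_PROP_SKIP_HASH_FUNC until `rkhunter --propupd` is run; the NOTE above only covers manual changes to HASH_CMD.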
......@@ -551,7 +552,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# NOTE: The user must take into consideration how often the file will appear
# and disappear from the system in relation to how often rkhunter is run. If
# the file appears, and disappears, too often then rkhunter may not notice
# this. All it will see is that the file has changed. The inode-number and DTM
# this. All it will see is that the file has changed. The inode number and DTM
# will certainly be different for each new file, and rkhunter will report this.
#
# The default value is the null string.
......@@ -606,6 +607,18 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
#IMMUTABLE_SET=0
#
# If this option is set to '1', then any changed inode value is ignored in
# the file properties check. The inode test itself still runs, but it will
# always return that no inodes have changed.
#
# This option may be useful for filesystems such as Btrfs, which handle inodes
# slightly differently than other filesystems.
#
# The default value is '0'.
#
#SKIP_INODE_CHECK=0
#
# Allow the specified hidden directory to be whitelisted.
#
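Review bot: SKIP_INODE_CHECK=1 throws away the signal this same file describes a few lines up (a deleted-and-recreated file gets a new inode number), and it does so for every file, not only on Btrfs. The comment should say that explicitly and steer people towards excluding the specific paths that churn on Btrfs instead of disabling the check globally. It also contradicts the FILE_PROP_SKIP_INODE message ("All file inode checks will be skipped") about whether the test still runs; align the two.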
......@@ -712,6 +725,36 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#ALLOWIPCPROC=/usr/bin/firefox
#ALLOWIPCPROC=/usr/bin/vlc
#
# Allow the specified memory segment creator PIDs to use shared memory segments.
#
# This is a space-separated list of PID numbers (as given by the
# 'ipcs -p' command). This option may be specified more than once.
#
# The default value is the null string.
#
#ALLOWIPCPID=12345 6789
#
# Allow the specified account names to use shared memory segments.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#ALLOWIPCUSER=usera userb
#
# This option can be used to set the maximum shared memory segment size
# (in bytes) that is not considered suspicious. Any segment above this size,
# and with 600 or 666 permissions, will be considered suspicious during the
# shared memory check.
#
# The default is 1048576 (1M) bytes.
#
#IPC_SEG_SIZE=1048576
#
# This option is used to indicate if the Phalanx2 test is to perform a basic
# check, or a more thorough check. If the option is set to '0', then a basic
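Review bot: ALLOWIPCPID whitelists by creator PID, which changes on every restart of the process and on reboot, and a PID can be reused by an unrelated process, so a stale entry can silently whitelist something else. The comment should warn that this is a short-lived, host-specific setting and point to ALLOWIPCPROC or ALLOWIPCUSER for anything permanent. The IPC_SEG_SIZE comment also calls the value the "maximum ... not considered suspicious" while the ChangeLog and the IPC_SEG_SIZE log message call it the "minimum ... to check"; use one wording.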
......@@ -913,6 +956,18 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#
#SUSPSCAN_THRESH=200
#
# This option may be used to whitelist file pathnames from the suspscan test.
#
# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
# option.
#
# This option may be specified more than once.
#
# The default value is the null string.
#
#SUSPSCAN_WHITELIST=""
#
# The following options can be used to whitelist network ports which are known
# to have been used by malware.
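Review bot: the example `#SUSPSCAN_WHITELIST=""` shows an empty string, unlike the other whitelist examples in this file such as `#ALLOWIPCPROC=/usr/bin/firefox`; give a concrete pathname. Since globbing and GLOBSTAR are allowed, also warn that a wildcard on a directory excludes the entire tree from the suspscan test, which is a much larger hole than whitelisting one file.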
......
......@@ -6,7 +6,7 @@
#%%dump
%define name rkhunter
%define ver 1.4.4
%define ver 1.4.5
%define rel 1
%define epoch 0
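Review bot: `%define ver 1.4.5` does not match the release this commit imports: the ChangeLog entry and `APPVERSION="1.4.6"` in the installer both say 1.4.6, and there is no 1.4.5 ChangeLog entry at all. Packages built from this spec will carry the wrong version; bump it to 1.4.6.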
......
......@@ -11,8 +11,8 @@
################################################################################
INSTALLER_NAME="Rootkit Hunter installer"
INSTALLER_VERSION="1.2.20"
INSTALLER_COPYRIGHT="Copyright 2003-2017, Michael Boelen"
INSTALLER_VERSION="1.2.21"
INSTALLER_COPYRIGHT="Copyright 2018, Michael Boelen"
INSTALLER_LICENSE="
This software was developed by the Rootkit Hunter project team.
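Review bot: INSTALLER_COPYRIGHT replaces the 2003-2017 range with a bare "Copyright 2018", which drops the earlier years; extend the range to "2003-2018" instead.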
......@@ -25,7 +25,7 @@ of the GNU General Public License. See LICENSE for details.
"
APPNAME="rkhunter"
APPVERSION="1.4.4"
APPVERSION="1.4.6"
RKHINST_OWNER="0:0"
RKHINST_MODE_EX="0700"
RKHINST_MODE_RW="0600"
......@@ -33,7 +33,6 @@ RKHINST_MODE_RWR="0644"
RKHINST_LAYOUT="default"
RKHINST_ACTION=""
RKHINST_ACTION_SEEN=0
USE_CVS=0
ERRCODE=0
OVERWRITE=0
STRIPROOT=""
......@@ -520,49 +519,6 @@ showTemplate() { # Take input from the "--install parameter"
}
useCVS() {
# If the 'which' output contains a space, then it is probably an error.
SEARCH=`which cvs 2>/dev/null | grep -v ' '`
if [ -z "${SEARCH}" ]; then
echo "Unable to find the 'cvs' command."
exit 1
else
cvs -z3 -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co rkhunter >/dev/null 2>&1
ERRCODE=$?
if [ $ERRCODE -eq 0 ]; then
echo "Succeeded in getting Rootkit Hunter source from CVS."
if [ -d "./files" ]; then
rm -rf "./files"
fi
mv -f rkhunter/files .
if [ -d "./files/CVS" ]; then
rm -rf "./files/CVS"
fi
case "${RKHINST_LAYOUT}" in
RPM|DEB|TGZ|TXZ)
;;
*)
for ITEM in `find ./files`; do
chown "${RKHINST_OWNER}" "${ITEM}"
done
;;
esac
else
echo "Failed to get Rootkit Hunter from CVS: code $ERRCODE"
exit 1
fi
fi
return
}
#################################################################################
#
# Start installation
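Review bot: removing useCVS (an anonymous pserver checkout over a cleartext protocol with no integrity check, followed by a recursive chown) is the right call, but this diff removes only the function, the `USE_CVS=0` default and the call site. Check that the installer's option parsing and help text no longer mention the flag that set USE_CVS=1; that code is not in this diff.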
......@@ -578,12 +534,6 @@ doInstall() {
if [ -f "./files/${APPNAME}" ]; then
echo " ${INSTALLER_NAME} files: found"
if [ $USE_CVS -eq 1 ]; then
# You want it, and you got it!
# The hottest source in the land...
useCVS
fi
case "${RKHINST_LAYOUT}" in
RPM|DEB|TGZ|TXZ)
;;
......@@ -647,14 +597,6 @@ doInstall() {
if [ "${PREFIX}" = "." ]; then
chown -R ${RKHINST_OWNER} ./files
for DIR in `find ./files -type d -name CVS`; do
rm -rf "${DIR}"
done
for FILE in `find ./files -type f -name Entries -o -name Repository -o -name Root`; do
rm -rf "${FILE}"
done
for ITEM in `find ./files -type f`; do
case "${ITEM}" in
*.sh|*.pl|*/rkhunter)
......@@ -838,10 +780,6 @@ doInstall() {
# Language support files
ERRCODE=0
if [ -d "./files/i18n/CVS" ]; then
rm -rf "./files/i18n/CVS"
fi
for FILE in `find ./files/i18n -type f`; do
cp "${FILE}" "${RKHINST_LANG_DIR}" >/dev/null 2>&1
ERRCODE=$?
......@@ -867,10 +805,6 @@ doInstall() {
# ClamAV signatures
ERRCODE=0
if [ -d "./files/signatures/CVS" ]; then
rm -rf "./files/signatures/CVS"
fi
for FILE in `find ./files/signatures -type f`; do
cp "${FILE}" "${RKHINST_SIG_DIR}" >/dev/null 2>&1
ERRCODE=$?
......