Commit 8b1f0ed2 authored by Francois Marier

New upstream version 1.4.6

parent eca1837f
...@@ -35,6 +35,7 @@ CaPaCuL Turkish translations ...@@ -35,6 +35,7 @@ CaPaCuL Turkish translations
Mitsuhiri Yoshida Japanese translation Mitsuhiri Yoshida Japanese translation
Alexander Wittig BSDng package manager code Alexander Wittig BSDng package manager code
Patrick G. IPCS whitelisting code Patrick G. IPCS whitelisting code
incitem/geophy Alpine Linux (busybox) support
And thanks to all others who contributed to Rootkit Hunter: And thanks to all others who contributed to Rootkit Hunter:
......
...@@ -18,6 +18,79 @@ ...@@ -18,6 +18,79 @@
-- --
* 1.4.6 (20/02/2018)
New:
- Added support for Alpine Linux (busybox).
- Added the 'Diamorphine LKM' test.
- Added the ALLOWIPCPID configuration file option. This will allow
specific PIDs to be whitelisted from the shared memory check.
- Added the ALLOWIPCUSER configuration file option. This will allow
specific usernames to be whitelisted from the shared memory check.
- Added the IPC_SEG_SIZE configuration file option. This can be used
to set the minimum shared memory segment size to check. The default
value is 1048576 bytes (1MB).
- Added the SKIP_INODE_CHECK configuration file option. Setting this
option will disable the reporting of any changed inode numbers.
The default is to report inode changes. (This option may be useful
for filesystems such as Btrfs.)
- Added Ebury sshd backdoor test.
- Added a new SSH configuration test to check for various suspicious
configuration options. Currently there is only one check which
relates to the Ebury backdoor.
- Added basic test for Jynx2 rootkit.
- Added Komplex trojan test.
- Added basic test for KeRanger running process.
- Added test for Keydnap backdoor.
- Added basic test for Eleanor backdoor running process.
- Added basic tests for Mokes backdoor.
- Added tests for Proton backdoor.
- Added the SUSPSCAN_WHITELIST configuration file option. This
option can be used to whitelist file pathnames from the
'suspscan' test.
Changes:
- The 'ipc_shared_mem' test will now log the minimum segment size
that will be checked. It will also log the size of any segments
which appear suspicious (that is, larger than the configured
allowed maximum size).
- If verbose logging is disabled, then generally only the test
name and the final result for the test will now be logged.
- Kernel symbol checks will now use the 'System.map' file, if it
exists, and no other kernel symbol file can be found.
Bugfixes:
- For prelinked systems ensure that the default hash function is
SHA1 and not SHA256.
- The result from the 'hidden_procs' test was not being
calculated correctly.
- Checking the O/S version number could be missed in some cases.
- Minor improvement to the *BSD immutable files check.
- The 'OS_VERSION_FILE' configuration option pathname cannot be
a link, but this was not checked.
- Improved checks for the O/S name on Devuan systems.
- Handling of the '/etc/issue' file during O/S detection has now
improved. Escape sequences are either replaced or removed.
- Not all the linux kernel module names were being checked.
- The logging of detached memory segments tried to show the
process pathname. This has now been corrected, and where no
pathname is available, the segment owner and PID will be logged.
- It was possible for the return code to be lost when running the
'ipc_shared_mem' test. This has now been corrected.
- Some configuration options were still not being handled correctly
when specified more than once.
- The 'ipc_shared_mem' test did not correctly handle whitelisting
when a segment pathname was flagged as deleted. This has now
been corrected.
- Commands disabled in the configuration file were being logged
as not found. They are now logged as having been disabled.
- Disabling verbose logging could hide some warning messages.
- The 'shared_libs' test now caters for simple filenames, as well
as pathnames which contain the '$LIB', '$ORIGIN' or '$PLATFORM'
variables.
--
* 1.4.4 (29/06/2017) * 1.4.4 (29/06/2017)
New: New:
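Review bot: the IPC_SEG_SIZE entry ("This can be used to set the minimum shared memory segment size to check") and the 'ipc_shared_mem' entry under Changes ("larger than the configured allowed maximum size") describe the same value with opposite words; pick one term, for instance "the size at or above which a segment is reported", and use it in both entries and in the corresponding log messages so an operator does not read the limit backwards. The ALLOWIPCPID entry would also benefit from one sentence noting that PIDs are reused after process exit and reboot, so a PID whitelist can quietly exempt an unrelated process; ALLOWIPCUSER or the pathname whitelist is the stable choice and the PID option is best documented as a short-lived exception.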
......
...@@ -2,8 +2,8 @@ ...@@ -2,8 +2,8 @@
ROOTKIT HUNTER FREQUENTLY ASKED QUESTIONS (FAQ) ROOTKIT HUNTER FREQUENTLY ASKED QUESTIONS (FAQ)
=============================================== ===============================================
The latest version of this FAQ can be found at the RKH web site. The latest version of this FAQ can be found on the RKH web site.
(http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter/files/FAQ) (https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/FAQ)
=========================================================== ===========================================================
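Review bot: the replacement link points at the 'develop' branch tree rather than at a tagged release, so the "latest version of this FAQ" a user fetches may describe options that do not exist in the version they are running; either link the tag for the released version or say explicitly that the linked copy is the development FAQ.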
......
...@@ -180,9 +180,9 @@ TESTING RKHUNTER WITHOUT INSTALLING IT ...@@ -180,9 +180,9 @@ TESTING RKHUNTER WITHOUT INSTALLING IT
It is perfectly understandable that new users may wish to try out rkhunter It is perfectly understandable that new users may wish to try out rkhunter
without having to fully install it. Similarly current users may want to without having to fully install it. Similarly current users may want to
test a new version of rkhunter, or a CVS version of it, without it affecting test a new version of rkhunter, or a development version of it, without it
their current system or current installation of rkhunter. This is all affecting their current system or current installation of rkhunter. This is
perfectly possible, and quite easy, using a standalone installation. all perfectly possible, and quite easy, using a standalone installation.
First, as the root user, it is suggested that a separate temporary directory First, as the root user, it is suggested that a separate temporary directory
is created, and then change to that directory. For example: is created, and then change to that directory. For example:
...@@ -193,14 +193,14 @@ is created, and then change to that directory. For example: ...@@ -193,14 +193,14 @@ is created, and then change to that directory. For example:
It is now necessary to either copy or download a tarball of the version of It is now necessary to either copy or download a tarball of the version of
rkhunter that you want to test. (Since you are reading this file, we assume rkhunter that you want to test. (Since you are reading this file, we assume
you have already downloaded the relevant version.) For users wishing to try you have already downloaded the relevant version.) For users wishing to try
the latest CVS version, it is possible to download a tarball. For example: the latest development version, it is possible to download a tarball:
wget http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz wget http://rkhunter.sourceforge.net/rkhunter-dev.tar.gz
Next, it is necessary to extract the files from the tarball. The simplest Next, it is necessary to extract the files from the tarball. The simplest
way is to use the 'tar' command, such as: way is to use the 'tar' command, such as:
tar xzf rkhunter-CVS.tar.gz tar xzf rkhunter-dev.tar.gz
Obviously, for official releases, you will need to use the correct tarball Obviously, for official releases, you will need to use the correct tarball
name. For example: name. For example:
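Review bot: the download line 'wget http://rkhunter.sourceforge.net/rkhunter-dev.tar.gz' still fetches a tool the FAQ tells the reader to run as root over plain HTTP with no integrity check; switch the URL to https and add a step to verify the tarball against the checksum or signature the project publishes alongside the download before 'tar xzf' is run.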
...@@ -211,21 +211,16 @@ For users of systems with alternative implementations of 'tar', for example ...@@ -211,21 +211,16 @@ For users of systems with alternative implementations of 'tar', for example
Solaris users, you may need to break the extraction process into two steps Solaris users, you may need to break the extraction process into two steps
(or use the 'gtar' command if you have it installed). For example: (or use the 'gtar' command if you have it installed). For example:
gunzip rkhunter-CVS.tar.gz gunzip rkhunter-dev.tar.gz
tar xf rkhunter-CVS.tar tar xf rkhunter-dev.tar
Additionally it is possible to download from CVS directly using the command:
cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co -P rkhunter
The extraction process will create a sub-directory containing all the The extraction process will create a sub-directory containing all the
rkhunter files. The sub-directory name will contain the rkhunter version rkhunter files. The sub-directory name will contain the rkhunter version
number, or, for CVS tarballs, it will simply be called 'rkhunter'. number, or, for development tarballs, it will simply be called 'rkhunter'.
Change into this directory: Change into this directory:
cd rkhunter-1.4.0 (for an official release tarball) cd rkhunter-1.4.0 (for an official release tarball)
or cd rkhunter (for CVS and CVS tarballs) or cd rkhunter (for development tarballs)
Now, we can run the installer program as described in the section above Now, we can run the installer program as described in the section above
about standalone installations: about standalone installations:
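Review bot: dropping the 'cvs -d:pserver:...' checkout leaves this section with no way to obtain the source tree directly from version control; the earlier FAQ hunk already points at the SourceForge git repository, so add the matching clone instruction here (or a pointer to that section) so that "for development tarballs" is not the only route described. The 'cd rkhunter-1.4.0' example is also stale for a 1.4.6 release and is worth updating to the current version number.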
......
Version:2017062301 Version:2018021101
# #
# We start with the definitions of the message types and results. There # We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each # are very few of these, so including these and all the parts of each
...@@ -87,6 +87,7 @@ CONFIG_MIRRORS_MODE2:Only remote mirrors will be used ...@@ -87,6 +87,7 @@ CONFIG_MIRRORS_MODE2:Only remote mirrors will be used
FOUND_CMD:Found the '$1' command: $2 FOUND_CMD:Found the '$1' command: $2
NOT_FOUND_CMD:Unable to find the '$1' command NOT_FOUND_CMD:Unable to find the '$1' command
DISABLED_CMD:The '$1' command has been disabled
CMD_ERROR:The command '$1' gave error code $2. CMD_ERROR:The command '$1' gave error code $2.
SYS_PRELINK:System is using prelinking SYS_PRELINK:System is using prelinking
...@@ -232,9 +233,9 @@ USER_CMD_LIST:Including user commands for file properties check: ...@@ -232,9 +233,9 @@ USER_CMD_LIST:Including user commands for file properties check:
USER_DIR_LIST:Including user directories for file properties check: USER_DIR_LIST:Including user directories for file properties check:
USER_EXCLUDE_PROP:Excluding from file properties check: USER_EXCLUDE_PROP:Excluding from file properties check:
KSYMS_FOUND:Found ksym file '$1' KSYMS_FOUND:Found kernel symbols file '$1'
KSYMS_UNAVAIL:All ksyms and kallsyms checks will be skipped - the file is unreadable. KSYMS_UNAVAIL:All kernel symbol checks will be skipped - the kernel symbols file is unreadable: $1
KSYMS_MISSING:All ksyms and kallsyms checks will be skipped - neither file is present on the system. KSYMS_MISSING:All kernel symbol checks will be skipped - could not find a kernel symbols file on the system.
STARTING_TEST:Starting test name '$1' STARTING_TEST:Starting test name '$1'
USER_DISABLED_TEST:Test '$1' disabled at users request. USER_DISABLED_TEST:Test '$1' disabled at users request.
...@@ -260,16 +261,20 @@ FILE_PROP_START:Performing file properties checks ...@@ -260,16 +261,20 @@ FILE_PROP_START:Performing file properties checks
FILE_PROP_CMDS:Checking for prerequisites FILE_PROP_CMDS:Checking for prerequisites
FILE_PROP_IMMUT_OS:Skipping all immutable-bit checks. This check is only available for Linux systems. FILE_PROP_IMMUT_OS:Skipping all immutable-bit checks. This check is only available for Linux systems.
FILE_PROP_IMMUT_SET:The immutable-bit check will be reversed. FILE_PROP_IMMUT_SET:The immutable-bit check will be reversed.
FILE_PROP_SKIP_ATTR:Unable to find 'stat' command - all file attribute checks will be skipped. FILE_PROP_SKIP_ATTR:Unable to find the 'stat' command - all file attribute checks will be skipped.
FILE_PROP_SKIP_ATTR_DISABLED:The 'stat' command has been disabled - all file attribute checks will be skipped.
FILE_PROP_SKIP_HASH:All file hash checks will be skipped because: FILE_PROP_SKIP_HASH:All file hash checks will be skipped because:
FILE_PROP_SKIP_HASH_FUNC:The current hash function ($1) or package manager ($2) is incompatible with the hash function ($3) or package manager ($4) used to store the values. FILE_PROP_SKIP_HASH_FUNC:The current hash function ($1) or package manager ($2) is incompatible with the hash function ($3) or package manager ($4) used to store the values.
FILE_PROP_SKIP_HASH_PRELINK:Unable to find 'prelink' command. FILE_PROP_SKIP_HASH_PRELINK:Unable to find 'prelink' command.
FILE_PROP_SKIP_HASH_SHA1:This system uses prelinking, but the hash function command does not look like SHA1 or MD5. FILE_PROP_SKIP_HASH_SHA1:This system uses prelinking, but the hash function command does not look like SHA1 or MD5.
FILE_PROP_SKIP_HASH_LIBSAFE:Libsafe was found, which can cause errors. If possible, disable libsafe and then run the prelink command. Finally, recreate the hash values using 'rkhunter --propupd'. FILE_PROP_SKIP_HASH_LIBSAFE:Libsafe was found, which can cause errors. If possible, disable libsafe and then run the prelink command. Finally, recreate the hash values using 'rkhunter --propupd'.
FILE_PROP_SKIP_IMMUT:Unable to find 'lsattr' command - all file immutable-bit checks will be skipped. FILE_PROP_SKIP_IMMUT:Unable to find the 'lsattr' command - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_IMMUT_DISABLED:The 'lsattr' command has been disabled - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_IMMUT_CMD:No output from the '$1' command - all file immutable-bit checks will be skipped. FILE_PROP_SKIP_IMMUT_CMD:No output from the '$1' command - all file immutable-bit checks will be skipped.
FILE_PROP_SKIP_SCRIPT:Unable to find 'file' command - all script replacement checks will be skipped. FILE_PROP_SKIP_SCRIPT:Unable to find the 'file' command - all script replacement checks will be skipped.
FILE_PROP_SKIP_SCRIPT_DISABLED:The 'file' command has been disabled - all script replacement checks will be skipped.
FILE_PROP_SKIP_FILE_CMD:No output from the 'file' command - all script replacement checks will be skipped. FILE_PROP_SKIP_FILE_CMD:No output from the 'file' command - all script replacement checks will be skipped.
FILE_PROP_SKIP_INODE:All file inode checks will be skipped.
FILE_PROP_NO_OS_WARNING:Warnings of any O/S change have been disabled at the users request. FILE_PROP_NO_OS_WARNING:Warnings of any O/S change have been disabled at the users request.
FILE_PROP_OS_CHANGED:The local host configuration or operating system has changed. FILE_PROP_OS_CHANGED:The local host configuration or operating system has changed.
FILE_PROP_DAT_MISSING:The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'. FILE_PROP_DAT_MISSING:The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
...@@ -364,9 +369,10 @@ ROOTKIT_PHALANX2_PROC_PPID:Expected 'kthread' parent PID '$1' found parent PID ' ...@@ -364,9 +369,10 @@ ROOTKIT_PHALANX2_PROC_PPID:Expected 'kthread' parent PID '$1' found parent PID '
ROOTKIT_PHALANX2_PROC_PS_ERR:Running 'ps' returned unexpected results: possibly unsupported cmdline arguments. ROOTKIT_PHALANX2_PROC_PS_ERR:Running 'ps' returned unexpected results: possibly unsupported cmdline arguments.
ROOTKIT_ADD_START:Performing additional rootkit checks ROOTKIT_ADD_START:Performing additional rootkit checks
ROOTKIT_ADD_SUCKIT:Suckit Rookit additional checks ROOTKIT_ADD_SUCKIT:Suckit Rootkit additional checks
ROOTKIT_ADD_SUCKIT_LOG:Performing Suckit Rookit additional checks ROOTKIT_ADD_SUCKIT_LOG:Performing Suckit Rootkit additional checks
ROOTKIT_ADD_SUCKIT_LINK_NOCMD:Checking '/sbin/init' link count: no 'stat' command found ROOTKIT_ADD_SUCKIT_LINK_NOCMD:Checking '/sbin/init' link count: no 'stat' command found
ROOTKIT_ADD_SUCKIT_LINK_DISABLED:Checking '/sbin/init' link count: the 'stat' command has been disabled
ROOTKIT_ADD_SUCKIT_LINK_FOUND:Checking '/sbin/init' link count: count is $1, it should be 1 ROOTKIT_ADD_SUCKIT_LINK_FOUND:Checking '/sbin/init' link count: count is $1, it should be 1
ROOTKIT_ADD_SUCKIT_EXT:Checking for hidden file extensions ROOTKIT_ADD_SUCKIT_EXT:Checking for hidden file extensions
ROOTKIT_ADD_SUCKIT_EXT_FOUND:Checking for hidden file extensions: found: $1 ROOTKIT_ADD_SUCKIT_EXT_FOUND:Checking for hidden file extensions: found: $1
...@@ -409,10 +415,14 @@ ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:The file '$1' contains the string '$2'. Poss ...@@ -409,10 +415,14 @@ ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:The file '$1' contains the string '$2'. Poss
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Check skipped - tripwire not installed ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Check skipped - tripwire not installed
ROOTKIT_MALWARE_SNIFFER:Checking for sniffer log files ROOTKIT_MALWARE_SNIFFER:Checking for sniffer log files
ROOTKIT_MALWARE_SNIFFER_FOUND:Found possible sniffer log file: $1 ROOTKIT_MALWARE_SNIFFER_FOUND:Found possible sniffer log file: $1
ROOTKIT_MALWARE_IPCS:Checking for suspicious shared memory segments ROOTKIT_MALWARE_IPCS:Checking for suspicious (large) shared memory segments
ROOTKIT_MALWARE_IPCS_FOUND:The following suspicious shared memory segments have been found: ROOTKIT_MALWARE_IPCS_FOUND:The following suspicious (large) shared memory segments have been found:
ROOTKIT_MALWARE_IPCS_DETAILS:Process: $1 PID: $2 Owner: $3 ROOTKIT_MALWARE_IPCS_DETAILS:Process: $1 PID: $2 Owner: $3 Size: $4 (configured size allowed: $5)
ROOTKIT_MALWARE_IPCS_WL:Found process pathname '$1': it is whitelisted. ROOTKIT_MALWARE_IPCS_DETACHED:Detached segment with no pathname: Owner: $1 PID: $2 Segment ID: $3 Size: $4 (configured size allowed: $5)
ROOTKIT_MALWARE_IPCS_ATTACHED:Attached segment with no pathname: Owner: $1 Segment ID: $2 Attached processes: $3 Creator PID: $4 Last PID: $5 Size: $4 (configured size allowed: $5)
ROOTKIT_MALWARE_IPCS_WL_PATH:Found process pathname '$1': it is whitelisted.
ROOTKIT_MALWARE_IPCS_WL_USER:Found process username '$1': it is whitelisted.
ROOTKIT_MALWARE_IPCS_WL_PID:Found process PID '$1': it is whitelisted.
ROOTKIT_TROJAN_START:Performing trojan specific checks ROOTKIT_TROJAN_START:Performing trojan specific checks
ROOTKIT_TROJAN_INETD:Checking for enabled inetd services ROOTKIT_TROJAN_INETD:Checking for enabled inetd services
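Review bot: ROOTKIT_MALWARE_IPCS_ATTACHED reuses '$4' and '$5' for both 'Creator PID: $4 Last PID: $5' and 'Size: $4 (configured size allowed: $5)', so the logged size and limit will actually repeat the creator and last PIDs; the two size fields should be '$6' and '$7' (with the caller passing seven arguments). The DETACHED and DETAILS lines use distinct positions and are fine.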
...@@ -516,6 +526,8 @@ SYSTEM_CONFIGS_SSH_PROTO_DIFF1:SSH configuration option 'Protocol': $1 ...@@ -516,6 +526,8 @@ SYSTEM_CONFIGS_SSH_PROTO_DIFF1:SSH configuration option 'Protocol': $1
SYSTEM_CONFIGS_SSH_PROTO_DIFF2:Rkhunter configuration option 'ALLOW_SSH_PROT_V1': $1 SYSTEM_CONFIGS_SSH_PROTO_DIFF2:Rkhunter configuration option 'ALLOW_SSH_PROT_V1': $1
SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The SSH configuration option 'Protocol' has not been set. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The SSH configuration option 'Protocol' has not been set.
SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The default value may be '2,1', to allow the use of protocol version 1. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The default value may be '2,1', to allow the use of protocol version 1.
SYSTEM_CONFIGS_SSH_EXTRA:Checking for other suspicious configuration settings
SYSTEM_CONFIGS_SSH_EBURY:Possible Ebury sshd backdoor found (SSH AuthorizedKeysFile setting)
SYSTEM_CONFIGS_SYSLOG:Checking for a running system logging daemon SYSTEM_CONFIGS_SYSLOG:Checking for a running system logging daemon
SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:No running system logging daemon has been found. SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:No running system logging daemon has been found.
SYSTEM_CONFIGS_SYSLOG_DAEMON:A running '$1' daemon has been found. SYSTEM_CONFIGS_SYSLOG_DAEMON:A running '$1' daemon has been found.
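Review bot: SYSTEM_CONFIGS_SSH_EBURY carries no parameter, so the warning will not show which AuthorizedKeysFile value triggered it or which configuration file it came from; passing the matched value and the file path (as $1 and $2, say) lets an operator tell a deliberately non-standard key path from the pattern this test is looking for without re-reading sshd_config.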
...@@ -536,8 +548,10 @@ FILESYSTEM_HIDDEN_DIR_FOUND:Hidden directory found: $1 ...@@ -536,8 +548,10 @@ FILESYSTEM_HIDDEN_DIR_FOUND:Hidden directory found: $1
FILESYSTEM_HIDDEN_FILE_FOUND:Hidden file found: $1 FILESYSTEM_HIDDEN_FILE_FOUND:Hidden file found: $1
FILESYSTEM_LOGFILE_MISSING:Checking for missing log files FILESYSTEM_LOGFILE_MISSING:Checking for missing log files
FILESYSTEM_LOGFILE_MISSING_FOUND:The log file '$1' is missing. FILESYSTEM_LOGFILE_MISSING_FOUND:The log file '$1' is missing.
FILESYSTEM_LOGFILE_MISS_DISABLED:No missing log file names configured.
FILESYSTEM_LOGFILE_EMPTY:Checking for empty log files FILESYSTEM_LOGFILE_EMPTY:Checking for empty log files
FILESYSTEM_LOGFILE_EMPTY_FOUND:The log file '$1' is empty. FILESYSTEM_LOGFILE_EMPTY_FOUND:The log file '$1' is empty.
FILESYSTEM_LOGFILE_EMPTY_DISABLED:No empty log file names configured.
CHECK_APPS:Checking application versions... CHECK_APPS:Checking application versions...
APPS_NONE_FOUND:No known applications found - all version checks skipped. APPS_NONE_FOUND:No known applications found - all version checks skipped.
...@@ -592,7 +606,7 @@ NETWORK_PACKET_CAP_WL:Found process '$1': it is whitelisted. ...@@ -592,7 +606,7 @@ NETWORK_PACKET_CAP_WL:Found process '$1': it is whitelisted.
SHARED_LIBS_START:Performing 'shared libraries' checks SHARED_LIBS_START:Performing 'shared libraries' checks
SHARED_LIBS_PRELOAD_VAR:Checking for preloading variables SHARED_LIBS_PRELOAD_VAR:Checking for preloading variables
SHARED_LIBS_PRELOAD_VAR_FOUND:Found library preload variable(s): $1 SHARED_LIBS_PRELOAD_VAR_FOUND:Found library preload variable: $1
SHARED_LIBS_PRELOAD_FILE:Checking for preloaded libraries SHARED_LIBS_PRELOAD_FILE:Checking for preloaded libraries
SHARED_LIBS_PRELOAD_LIB_FOUND:Found preloaded shared library: $1 SHARED_LIBS_PRELOAD_LIB_FOUND:Found preloaded shared library: $1
SHARED_LIBS_PRELOAD_FILE_FOUND:Found library preload file: $1 SHARED_LIBS_PRELOAD_FILE_FOUND:Found library preload file: $1
...@@ -605,13 +619,9 @@ SUSPSCAN_DIR_NOT_EXIST:The directory '$1' does not exist. ...@@ -605,13 +619,9 @@ SUSPSCAN_DIR_NOT_EXIST:The directory '$1' does not exist.
SUSPSCAN_INSPECT:File '$1' (score: $2) contains some suspicious content and should be checked. SUSPSCAN_INSPECT:File '$1' (score: $2) contains some suspicious content and should be checked.
SUSPSCAN_START:Performing check of files with suspicious contents SUSPSCAN_START:Performing check of files with suspicious contents
SUSPSCAN_DIRS:Directories to check are: $1 SUSPSCAN_DIRS:Directories to check are: $1
SUSPSCAN_NO_DIRS:No directories specified: using defaults ($1)
SUSPSCAN_TEMP:Temporary directory to use: $1 SUSPSCAN_TEMP:Temporary directory to use: $1
SUSPSCAN_NO_TEMP:No temporary directory specified: using default ($1)
SUSPSCAN_SIZE:Maximum file size to check (in bytes): $1 SUSPSCAN_SIZE:Maximum file size to check (in bytes): $1
SUSPSCAN_NO_SIZE:No maximum file size specified: using default ($1)
SUSPSCAN_THRESH:Score threshold is set to: $1 SUSPSCAN_THRESH:Score threshold is set to: $1
SUSPSCAN_NO_THRESH:No score threshold specified: using default ($1)
SUSPSCAN_DIR_CHECK:Checking directory: $1 SUSPSCAN_DIR_CHECK:Checking directory: $1
SUSPSCAN_FILE_CHECK:File checked: Name: '$1' Score: $2 SUSPSCAN_FILE_CHECK:File checked: Name: '$1' Score: $2
SUSPSCAN_FILE_CHECK_DEBUG:File checked: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4) SUSPSCAN_FILE_CHECK_DEBUG:File checked: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4)
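Review bot: the four SUSPSCAN_NO_* messages are removed without replacement, so the log no longer says when a default was substituted for a missing or misspelled SUSPSCAN_* option; if this is part of the reduced logging in the changelog, confirm that SUSPSCAN_DIRS, SUSPSCAN_TEMP, SUSPSCAN_SIZE and SUSPSCAN_THRESH are still emitted with the effective values, otherwise a configuration typo silently falls back to the defaults.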
...@@ -623,6 +633,7 @@ SUSPSCAN_FILE_LINK_CHANGE:Symbolic link found: '$1' -> '$2' ...@@ -623,6 +633,7 @@ SUSPSCAN_FILE_LINK_CHANGE:Symbolic link found: '$1' -> '$2'
SUSPSCAN_DAT_MISSING:The data file of suspicious contents is missing or empty: $1 SUSPSCAN_DAT_MISSING:The data file of suspicious contents is missing or empty: $1
SUSPSCAN_DAT_MISSING:Run 'rkhunter --update' to restore the default file. SUSPSCAN_DAT_MISSING:Run 'rkhunter --update' to restore the default file.
SUSPSCAN_DAT_NOTAFILE:The data file of suspicious contents is not a file: $1 SUSPSCAN_DAT_NOTAFILE:The data file of suspicious contents is not a file: $1
SUSPSCAN_WL:Found file '$1': it is whitelisted.
LIST_TESTS:Current test names: LIST_TESTS:Current test names:
LIST_GROUPED_TESTS:Grouped test names: LIST_GROUPED_TESTS:Grouped test names:
...@@ -636,4 +647,6 @@ LOCK_UNUSED:Locking is not being used ...@@ -636,4 +647,6 @@ LOCK_UNUSED:Locking is not being used
LOCK_WAIT:Waiting for lock file LOCK_WAIT:Waiting for lock file
LOCK_FAIL:Unable to get the lock file: rkhunter has not run! LOCK_FAIL:Unable to get the lock file: rkhunter has not run!
IPC_SEG_SIZE:The minimum shared memory segment size to be checked (in bytes): $1
LINUX_ONLY:Check skipped - this check is only for Linux systems. LINUX_ONLY:Check skipped - this check is only for Linux systems.
Version:2014030201 Version:2017080401
# #
# We start with the definitions of the message types and results. There # We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each # are very few of these, so including these and all the parts of each
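Review bot: the 'tr' and 'tr.utf8' language files move to Version 2017080401 while 'en' moves to 2018021101, so none of the 1.4.6 messages added in the English hunks (DISABLED_CMD, FILE_PROP_SKIP_INODE, the ROOTKIT_MALWARE_IPCS_* detail and whitelist lines, SYSTEM_CONFIGS_SSH_EBURY, IPC_SEG_SIZE, SUSPSCAN_WL) have Turkish entries; confirm that rkhunter falls back to the English text for a missing key rather than emitting an empty line, since several of these are warnings an operator needs to see.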
...@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Depolan do ...@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Depolan do
HASH_PKGMGR:Dosya zellikleri kontrol iin '$1' paket yneticisi kullanlyor HASH_PKGMGR:Dosya zellikleri kontrol iin '$1' paket yneticisi kullanlyor
HASH_PKGMGR_MD5:Paket yneticisi dorulamasna yardmc olmas iin MD5 salama fonksiyonu komutu '$1' kullanlyor HASH_PKGMGR_MD5:Paket yneticisi dorulamasna yardmc olmas iin MD5 salama fonksiyonu komutu '$1' kullanlyor
HASH_PKGMGR_SHA:Paket yneticisi dorulamasna yardmc olmas iin SHA salama fonksiyonu komutu '$1' kullanlyor
HASH_PKGMGR_SUM:Paket dorulamas iin depolanan 16-bit salama kullanlyor HASH_PKGMGR_SUM:Paket dorulamas iin depolanan 16-bit salama kullanlyor
HASH_PKGMGR_NOT_SPEC:Paket yneticisi belirtilmedi: '$1' salama fonksiyonu kullanlyor HASH_PKGMGR_NOT_SPEC:Paket yneticisi belirtilmedi: '$1' salama fonksiyonu kullanlyor
HASH_PKGMGR_NOT_SPEC_PRELINKED:Paket yneticisi belirtilmedi: '$1' ile prelink komutu kullanlyor HASH_PKGMGR_NOT_SPEC_PRELINKED:Paket yneticisi belirtilmedi: '$1' ile prelink komutu kullanlyor
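Review bot: in this view the 'tr' hunk shows the Turkish letters dropped ('zellikleri', 'yneticisi', 'salama' where the tr.utf8 hunk below has 'özellikleri', 'yöneticisi', 'sağlama'), which is what an ISO-8859-9 file looks like when rendered as UTF-8; worth checking that the committed file is still valid ISO-8859-9 and was not re-saved with the characters actually stripped, since a mangled message text is exactly what a user running with the Turkish language setting will see at run time.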
...@@ -212,7 +213,8 @@ PROPUPD_START:Dosya ...@@ -212,7 +213,8 @@ PROPUPD_START:Dosya
PROPUPD_OSINFO_START:letim Sistemi bilgisi toplanyor... PROPUPD_OSINFO_START:letim Sistemi bilgisi toplanyor...
PROPUPD_ARCH_FOUND:Sistem mimarisi bulundu: $1 PROPUPD_ARCH_FOUND:Sistem mimarisi bulundu: $1
PROPUPD_REL_FILE:Srm dosyas bulundu: $1 PROPUPD_REL_FILE:Srm dosyas bulundu: $1
PROPUPD_NO_REL_FILE:Bir srm dosyas bulunamad: LS kts: PROPUPD_NO_REL_FILE_NO_OUTPUT:Bir /S srm dosyas bulunamad.
PROPUPD_NO_REL_FILE:Bir /S srm dosyas bulunamad: LS kts:
PROPUPD_OSNAME_FOUND:Bulunan letim Sistemi: $1 PROPUPD_OSNAME_FOUND:Bulunan letim Sistemi: $1
PROPUPD_ERROR:Yeni rkhunter.dat dosyas kurulurken hata. Kod $1 PROPUPD_ERROR:Yeni rkhunter.dat dosyas kurulurken hata. Kod $1
PROPUPD_NEW_DAT_FILE:Yeni rkhunter.dat dosyas '$1' dizininde kuruldu PROPUPD_NEW_DAT_FILE:Yeni rkhunter.dat dosyas '$1' dizininde kuruldu
...@@ -389,38 +391,34 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Komut: $1 ...@@ -389,38 +391,34 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Komut: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Yol ismi: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Yol ismi: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Olas Rootkit: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Olas Rootkit: $1
ROOTKIT_MALWARE_HIDDEN_PROCS:Gizli ilemler kontrol ediliyor ROOTKIT_MALWARE_HIDDEN_PROCS:Gizli ilemler kontrol ediliyor
ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:Kullanc isteiyle, '$1' kullanm devred brakld
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:'unhide' komut srm bulundu: $1 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:'unhide' komut srm bulundu: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:'$1' komutu kullanlyor ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:'$1' komutu kullanlyor
ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' altrlabilir deil: geersiz yaplandrlm testler: $1 ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' altrlabilir deil: geersiz yaplandrlm testler: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:'unhide.rb' komutu bir hata verdi:
ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Gizli ilemler bulundu: ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Gizli ilemler bulundu:
ROOTKIT_MALWARE_DELETED_FILES:Silinen dosyalar iin alan ilemler kontrol ediliyor ROOTKIT_MALWARE_DELETED_FILES:Silinen dosyalar iin alan ilemler kontrol ediliyor
ROOTKIT_MALWARE_DELETED_FILES_FOUND:Aadaki ilemler silinen dosya(lar) kullanyor: ROOTKIT_MALWARE_DELETED_FILES_FOUND:Aadaki ilemler silinen dosya(lar) kullanyor:
ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:lem: $1 PID: $2 Dosya: $3 ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:lem: $1 PID: $2 Dosya: $3
ROOTKIT_MALWARE_DELETED_FILES_WL:Beyaz listedeki '$1' dosyasn kullanan '$1' ilemi bulundu. ROOTKIT_MALWARE_DELETED_FILES_WL:Beyaz listedeki '$1' dosyasn kullanan '$1' ilemi bulundu.
ROOTKIT_MALWARE_LOGIN_BDOOR:Arkakap girileri kontrol ediliyor ROOTKIT_MALWARE_LOGIN_BDOOR:Arkakap girileri kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Arkakap girilerinin kontrol altrlyor
ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:'$1' kontrol ediliyor ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:'$1' kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Arkakap giri dosyas bulundu: $1 ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Arkakap giri dosyas bulundu: $1
ROOTKIT_MALWARE_SUSP_DIR:pheli klasrler kontrol ediliyor ROOTKIT_MALWARE_SUSP_DIR:pheli klasrler kontrol ediliyor
ROOTKIT_MALWARE_SUSP_DIR_LOG:pheli klasrlerin kontrol altrlyor
ROOTKIT_MALWARE_SUSP_DIR_FOUND:pheli klasr bulundu: $1 ROOTKIT_MALWARE_SUSP_DIR_FOUND:pheli klasr bulundu: $1
ROOTKIT_MALWARE_SFW_INTRUSION:Yazlm ihlalleri kontrol ediliyor ROOTKIT_MALWARE_SFW_INTRUSION:Yazlm ihlalleri kontrol ediliyor
ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:'$1' dosyas '$2' dizisini ieriyor. Olas rootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:'$1' dosyas '$2' dizisini ieriyor. Olas rootkit: SHV5
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Kontrol atland - tripwire ykl deil ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Kontrol atland - tripwire ykl deil
ROOTKIT_MALWARE_SNIFFER:Alglayc gnlk/kayt dosyalar kontrol ediliyor ROOTKIT_MALWARE_SNIFFER:Alglayc gnlk/kayt dosyalar kontrol ediliyor
ROOTKIT_MALWARE_SNIFFER_LOG:Alglayc gnlk/kayt dosyalarnn kontrol altrlyor
ROOTKIT_MALWARE_SNIFFER_FOUND:Alglayc gnlk/kayt dosyas bulundu: $1 ROOTKIT_MALWARE_SNIFFER_FOUND:Alglayc gnlk/kayt dosyas bulundu: $1
ROOTKIT_MALWARE_IPCS:pheli Paylalan Bellek segmentleri ROOTKIT_MALWARE_IPCS:pheli Paylalan Bellek segmentleri
ROOTKIT_MALWARE_IPCS_FOUND:u pheli paylam bellei segmentleri bulundu:
ROOTKIT_MALWARE_IPCS_DETAILS:lem: $1 PID: $2 Sahibi: $3 ROOTKIT_MALWARE_IPCS_DETAILS:lem: $1 PID: $2 Sahibi: $3
ROOTKIT_MALWARE_IPCS_WL:lem yolu ad '$1': beyaz listeye alnd.
ROOTKIT_TROJAN_START:Spesifik trojan kontrolleri altrlyor ROOTKIT_TROJAN_START:Spesifik trojan kontrolleri altrlyor
ROOTKIT_TROJAN_INETD:Etkin inetd servisleri kontrol ediliyor ROOTKIT_TROJAN_INETD:Etkin inetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_INETD_SKIP:Kontrol atland - '$1' dosyas mevcut deil. ROOTKIT_TROJAN_INETD_SKIP:Kontrol atland - '$1' dosyas mevcut deil.
ROOTKIT_TROJAN_INETD_FOUND:Etkin inetd servisi bulundu: $1 ROOTKIT_TROJAN_INETD_FOUND:Etkin inetd servisi bulundu: $1
ROOTKIT_TROJAN_XINETD:Etkin xinetd servisleri kontrol ediliyor ROOTKIT_TROJAN_XINETD:Etkin xinetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_XINETD_LOG:Etkin xinetd servislerinin kontrol altrlyor
ROOTKIT_TROJAN_XINETD_ENABLED:Etkin servisler iin, '$1' altrlyor ROOTKIT_TROJAN_XINETD_ENABLED:Etkin servisler iin, '$1' altrlyor
ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1' direktifi bulundu ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1' direktifi bulundu
ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1' direktifi bulundu ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1' direktifi bulundu
...@@ -633,6 +631,9 @@ LIST_PERL:Perl mod ...@@ -633,6 +631,9 @@ LIST_PERL:Perl mod
LIST_RTKTS:Kontrol edilen rootkitler: LIST_RTKTS:Kontrol edilen rootkitler:
LOCK_USED:Kilitleme kullanmda: zaman am $1 saniye LOCK_USED:Kilitleme kullanmda: zaman am $1 saniye
LOCK_DIR:Kilitleme dizini olarak '$1' kullanlyor
LOCK_UNUSED:Kilitleme kullanmda deil LOCK_UNUSED:Kilitleme kullanmda deil
LOCK_WAIT:Kilit dosyas bekleniyor LOCK_WAIT:Kilit dosyas bekleniyor
LOCK_FAIL:Kilit dosyas alnamad: rkhunter almad! LOCK_FAIL:Kilit dosyas alnamad: rkhunter almad!
LINUX_ONLY:Kontrol atland - bu kontrol sadece Linux sistemler iindir.
Version:2014030201 Version:2017080401
# #
# We start with the definitions of the message types and results. There # We start with the definitions of the message types and results. There
# are very few of these, so including these and all the parts of each # are very few of these, so including these and all the parts of each
...@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Depolan doğrulama verileri, bir paket yöneticisi kullanm ...@@ -108,6 +108,7 @@ HASH_PKGMGR_OLD_UNSET:Depolan doğrulama verileri, bir paket yöneticisi kullanm
HASH_PKGMGR:Dosya özellikleri kontrolü için '$1' paket yöneticisi kullanılıyor HASH_PKGMGR:Dosya özellikleri kontrolü için '$1' paket yöneticisi kullanılıyor
HASH_PKGMGR_MD5:Paket yöneticisi doğrulamasına yardımcı olması için MD5 sağlama fonksiyonu komutu '$1' kullanılıyor HASH_PKGMGR_MD5:Paket yöneticisi doğrulamasına yardımcı olması için MD5 sağlama fonksiyonu komutu '$1' kullanılıyor
HASH_PKGMGR_SHA:Paket yöneticisi doğrulamasına yardımcı olması için SHA sağlama fonksiyonu komutu '$1' kullanılıyor
HASH_PKGMGR_SUM:Paket doğrulaması için depolanan 16-bit sağlama kullanılıyor HASH_PKGMGR_SUM:Paket doğrulaması için depolanan 16-bit sağlama kullanılıyor
HASH_PKGMGR_NOT_SPEC:Paket yöneticisi belirtilmedi: '$1' sağlama fonksiyonu kullanılıyor HASH_PKGMGR_NOT_SPEC:Paket yöneticisi belirtilmedi: '$1' sağlama fonksiyonu kullanılıyor
HASH_PKGMGR_NOT_SPEC_PRELINKED:Paket yöneticisi belirtilmedi: '$1' ile prelink komutu kullanılıyor HASH_PKGMGR_NOT_SPEC_PRELINKED:Paket yöneticisi belirtilmedi: '$1' ile prelink komutu kullanılıyor
...@@ -212,7 +213,8 @@ PROPUPD_START:Dosya özellikleri veri güncellemesi başlatılıyor... ...@@ -212,7 +213,8 @@ PROPUPD_START:Dosya özellikleri veri güncellemesi başlatılıyor...
PROPUPD_OSINFO_START:İşletim Sistemi bilgisi toplanıyor... PROPUPD_OSINFO_START:İşletim Sistemi bilgisi toplanıyor...
PROPUPD_ARCH_FOUND:Sistem mimarisi bulundu: $1 PROPUPD_ARCH_FOUND:Sistem mimarisi bulundu: $1
PROPUPD_REL_FILE:Sürüm dosyası bulundu: $1 PROPUPD_REL_FILE:Sürüm dosyası bulundu: $1
PROPUPD_NO_REL_FILE:Bir sürüm dosyası bulunamadı: LS çıktısı: PROPUPD_NO_REL_FILE_NO_OUTPUT:Bir İ/S sürüm dosyası bulunamadı.
PROPUPD_NO_REL_FILE:Bir İ/S sürüm dosyası bulunamadı: LS çıktısı:
PROPUPD_OSNAME_FOUND:Bulunan İşletim Sistemi: $1 PROPUPD_OSNAME_FOUND:Bulunan İşletim Sistemi: $1
PROPUPD_ERROR:Yeni rkhunter.dat dosyası kurulurken hata. Kod $1 PROPUPD_ERROR:Yeni rkhunter.dat dosyası kurulurken hata. Kod $1
PROPUPD_NEW_DAT_FILE:Yeni rkhunter.dat dosyası '$1' dizininde kuruldu PROPUPD_NEW_DAT_FILE:Yeni rkhunter.dat dosyası '$1' dizininde kuruldu
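Review bot: the new PROPUPD_NO_REL_FILE_NO_OUTPUT message and the reworded PROPUPD_NO_REL_FILE use the abbreviation "İ/S" for operating system, while the adjacent PROPUPD_OSINFO_START and PROPUPD_OSNAME_FOUND lines in the same hunk spell out "İşletim Sistemi"; use one form consistently (the spelled-out form is clearer in user-facing output).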
...@@ -389,38 +391,34 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Komut: $1 ...@@ -389,38 +391,34 @@ ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Komut: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Yol ismi: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Yol ismi: $1
ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Olası Rootkit: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Olası Rootkit: $1
ROOTKIT_MALWARE_HIDDEN_PROCS:Gizli işlemler kontrol ediliyor ROOTKIT_MALWARE_HIDDEN_PROCS:Gizli işlemler kontrol ediliyor
ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:Kullanıcı isteğiyle, '$1' kullanımı devredışı bırakıldı
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:'unhide' komut sürümü bulundu: $1 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:'unhide' komut sürümü bulundu: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:'$1' komutu kullanılıyor ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:'$1' komutu kullanılıyor
ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' çalıştırılabilir değil: geçersiz yapılandırılmış testler: $1 ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' çalıştırılabilir değil: geçersiz yapılandırılmış testler: $1
ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:'unhide.rb' komutu bir hata verdi:
ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Gizli işlemler bulundu: ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Gizli işlemler bulundu:
ROOTKIT_MALWARE_DELETED_FILES:Silinen dosyalar için çalışan işlemler kontrol ediliyor ROOTKIT_MALWARE_DELETED_FILES:Silinen dosyalar için çalışan işlemler kontrol ediliyor
ROOTKIT_MALWARE_DELETED_FILES_FOUND:Aşağıdaki işlemler silinen dosya(lar) kullanıyor: ROOTKIT_MALWARE_DELETED_FILES_FOUND:Aşağıdaki işlemler silinen dosya(lar) kullanıyor:
ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:İşlem: $1 PID: $2 Dosya: $3 ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:İşlem: $1 PID: $2 Dosya: $3
ROOTKIT_MALWARE_DELETED_FILES_WL:Beyaz listedeki '$1' dosyasını kullanan '$1' işlemi bulundu. ROOTKIT_MALWARE_DELETED_FILES_WL:Beyaz listedeki '$1' dosyasını kullanan '$1' işlemi bulundu.
ROOTKIT_MALWARE_LOGIN_BDOOR:Arkakapı girişleri kontrol ediliyor ROOTKIT_MALWARE_LOGIN_BDOOR:Arkakapı girişleri kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Arkakapı girişlerinin kontrolü çalıştırılıyor
ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:'$1' kontrol ediliyor ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:'$1' kontrol ediliyor
ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Arkakapı giriş dosyası bulundu: $1 ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Arkakapı giriş dosyası bulundu: $1
ROOTKIT_MALWARE_SUSP_DIR:Şüpheli klasörler kontrol ediliyor ROOTKIT_MALWARE_SUSP_DIR:Şüpheli klasörler kontrol ediliyor
ROOTKIT_MALWARE_SUSP_DIR_LOG:Şüpheli klasörlerin kontrolü çalıştırılıyor
ROOTKIT_MALWARE_SUSP_DIR_FOUND:Şüpheli klasör bulundu: $1 ROOTKIT_MALWARE_SUSP_DIR_FOUND:Şüpheli klasör bulundu: $1
ROOTKIT_MALWARE_SFW_INTRUSION:Yazılım ihlalleri kontrol ediliyor ROOTKIT_MALWARE_SFW_INTRUSION:Yazılım ihlalleri kontrol ediliyor
ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:'$1' dosyası '$2' dizisini içeriyor. Olası rootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:'$1' dosyası '$2' dizisini içeriyor. Olası rootkit: SHV5
ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Kontrol atlandı - tripwire yüklü değil ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Kontrol atlandı - tripwire yüklü değil
ROOTKIT_MALWARE_SNIFFER:Algılayıcı günlük/kayıt dosyaları kontrol ediliyor ROOTKIT_MALWARE_SNIFFER:Algılayıcı günlük/kayıt dosyaları kontrol ediliyor
ROOTKIT_MALWARE_SNIFFER_LOG:Algılayıcı günlük/kayıt dosyalarının kontrolü çalıştırılıyor
ROOTKIT_MALWARE_SNIFFER_FOUND:Algılayıcı günlük/kayıt dosyası bulundu: $1 ROOTKIT_MALWARE_SNIFFER_FOUND:Algılayıcı günlük/kayıt dosyası bulundu: $1
ROOTKIT_MALWARE_IPCS:Şüpheli Paylaşılan Bellek segmentleri ROOTKIT_MALWARE_IPCS:Şüpheli Paylaşılan Bellek segmentleri
ROOTKIT_MALWARE_IPCS_FOUND:Şu şüpheli paylaşım belleği segmentleri bulundu:
ROOTKIT_MALWARE_IPCS_DETAILS:İşlem: $1 PID: $2 Sahibi: $3 ROOTKIT_MALWARE_IPCS_DETAILS:İşlem: $1 PID: $2 Sahibi: $3
ROOTKIT_MALWARE_IPCS_WL:İşlem yolu adı '$1': beyaz listeye alındı.
ROOTKIT_TROJAN_START:Spesifik trojan kontrolleri çalıştırılıyor ROOTKIT_TROJAN_START:Spesifik trojan kontrolleri çalıştırılıyor
ROOTKIT_TROJAN_INETD:Etkin inetd servisleri kontrol ediliyor ROOTKIT_TROJAN_INETD:Etkin inetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_INETD_SKIP:Kontrol atlandı - '$1' dosyası mevcut değil. ROOTKIT_TROJAN_INETD_SKIP:Kontrol atlandı - '$1' dosyası mevcut değil.
ROOTKIT_TROJAN_INETD_FOUND:Etkin inetd servisi bulundu: $1 ROOTKIT_TROJAN_INETD_FOUND:Etkin inetd servisi bulundu: $1
ROOTKIT_TROJAN_XINETD:Etkin xinetd servisleri kontrol ediliyor ROOTKIT_TROJAN_XINETD:Etkin xinetd servisleri kontrol ediliyor
ROOTKIT_TROJAN_XINETD_LOG:Etkin xinetd servislerinin kontrolü çalıştırılıyor
ROOTKIT_TROJAN_XINETD_ENABLED:Etkin servisler için, '$1' çalıştırılıyor ROOTKIT_TROJAN_XINETD_ENABLED:Etkin servisler için, '$1' çalıştırılıyor
ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1' direktifi bulundu ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1' direktifi bulundu
ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1' direktifi bulundu ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1' direktifi bulundu
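Review bot: the unchanged context line ROOTKIT_MALWARE_DELETED_FILES_WL in this hunk uses '$1' for both the file name and the process name ("Beyaz listedeki '$1' dosyasını kullanan '$1' işlemi bulundu"), so one of the two values is lost in the output; the neighbouring ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA uses distinct $1/$2/$3 placeholders, and the second '$1' here is almost certainly meant to be '$2'. Since this file is being touched anyway, it is worth fixing in the same change.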
...@@ -633,6 +631,9 @@ LIST_PERL:Perl modülü kurulum durumu: ...@@ -633,6 +631,9 @@ LIST_PERL:Perl modülü kurulum durumu:
LIST_RTKTS:Kontrol edilen rootkitler: LIST_RTKTS:Kontrol edilen rootkitler:
LOCK_USED:Kilitleme kullanımda: zaman aşımı $1 saniye LOCK_USED:Kilitleme kullanımda: zaman aşımı $1 saniye
LOCK_DIR:Kilitleme dizini olarak '$1' kullanılıyor
LOCK_UNUSED:Kilitleme kullanımda değil LOCK_UNUSED:Kilitleme kullanımda değil
LOCK_WAIT:Kilit dosyası bekleniyor LOCK_WAIT:Kilit dosyası bekleniyor
LOCK_FAIL:Kilit dosyası alınamadı: rkhunter çalışmadı! LOCK_FAIL:Kilit dosyası alınamadı: rkhunter çalışmadı!
LINUX_ONLY:Kontrol atlandı - bu kontrol sadece Linux sistemler içindir.
...@@ -380,7 +380,8 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a ...@@ -380,7 +380,8 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# #
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
# #
# The default value is the SHA256 function. # The default value is the SHA256 function, unless prelinking is used in
# which case it defaults to the SHA1 function.
# #
# Also see the HASH_FLD_IDX option. In addition, note the comments under # Also see the HASH_FLD_IDX option. In addition, note the comments under
# the PKGMGR option relating to the use of HASH_CMD. # the PKGMGR option relating to the use of HASH_CMD.
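Review bot: the added sentence states that the hash default drops from SHA256 to SHA1 when prelinking is used but gives no reason, and SHA1 is the weaker digest; a short clause explaining why prelinked systems default to SHA1, and a reminder that HASH_CMD can be set explicitly to keep a stronger function, would help users who must meet a digest-strength requirement.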
...@@ -551,7 +552,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a ...@@ -551,7 +552,7 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# NOTE: The user must take into consideration how often the file will appear # NOTE: The user must take into consideration how often the file will appear
# and disappear from the system in relation to how often rkhunter is run. If # and disappear from the system in relation to how often rkhunter is run. If
# the file appears, and disappears, too often then rkhunter may not notice # the file appears, and disappears, too often then rkhunter may not notice
# this. All it will see is that the file has changed. The inode-number and DTM # this. All it will see is that the file has changed. The inode number and DTM
# will certainly be different for each new file, and rkhunter will report this. # will certainly be different for each new file, and rkhunter will report this.
# #
# The default value is the null string. # The default value is the null string.
...@@ -606,6 +607,18 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a ...@@ -606,6 +607,18 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# #
#IMMUTABLE_SET=0 #IMMUTABLE_SET=0
#
# If this option is set to '1', then any changed inode value is ignored in
# the file properties check. The inode test itself still runs, but it will
# always return that no inodes have changed.
#
# This option may be useful for filesystems such as Btrfs, which handle inodes
# slightly differently than other filesystems.
#
# The default value is '0'.
#
#SKIP_INODE_CHECK=0
# #
# Allow the specified hidden directory to be whitelisted. # Allow the specified hidden directory to be whitelisted.
# #
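Review bot: the SKIP_INODE_CHECK description should spell out the detection trade-off, not only the Btrfs convenience. The comment earlier in this file states that a replaced file "will certainly" have a different inode number and that rkhunter reports this; with SKIP_INODE_CHECK=1 that signal is silenced entirely, so a file swapped for one with matching size, hash and DTM would pass the inode part of the check. One sentence saying "enabling this option means a replaced file is only detected through its other properties" belongs next to "The default value is '0'."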
...@@ -712,6 +725,36 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a ...@@ -712,6 +725,36 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
#ALLOWIPCPROC=/usr/bin/firefox #ALLOWIPCPROC=/usr/bin/firefox
#ALLOWIPCPROC=/usr/bin/vlc #ALLOWIPCPROC=/usr/bin/vlc
#
# Allow the specified memory segment creator PIDs to use shared memory segments.
#
# This is a space-separated list of PID numbers (as given by the
# 'ipcs -p' command). This option may be specified more than once.
#
# The default value is the null string.
#
#ALLOWIPCPID=12345 6789
#
# Allow the specified account names to use shared memory segments.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#ALLOWIPCUSER=usera userb
#
# This option can be used to set the maximum shared memory segment size
# (in bytes) that is not considered suspicious. Any segment above this size,
# and with 600 or 666 permissions, will be considered suspicious during the
# shared memory check.
#
# The default is 1048576 (1M) bytes.
#
#IPC_SEG_SIZE=1048576
# #
# This option is used to indicate if the Phalanx2 test is to perform a basic # This option is used to indicate if the Phalanx2 test is to perform a basic
# check, or a more thorough check. If the option is set to '0', then a basic # check, or a more thorough check. If the option is set to '0', then a basic
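Review bot: the ALLOWIPCPID comment should warn that PIDs are not stable identifiers: once the creator process exits or the host reboots, the whitelisted number either matches nothing or, worse, matches an unrelated process that happens to reuse it, so the exemption silently drifts. Suggest adding a sentence pointing users to ALLOWIPCPROC (shown just above with /usr/bin/firefox and /usr/bin/vlc) or the new ALLOWIPCUSER for a durable whitelist, and reserving ALLOWIPCPID for long-lived daemons. The IPC_SEG_SIZE text is fine, but "(1M)" would read more precisely as "(1 MiB)" given the value 1048576.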
...@@ -913,6 +956,18 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a ...@@ -913,6 +956,18 @@ DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps a
# #
#SUSPSCAN_THRESH=200 #SUSPSCAN_THRESH=200
#
# This option may be used to whitelist file pathnames from the suspscan test.
#
# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
# option.
#
# This option may be specified more than once.
#
# The default value is the null string.
#
#SUSPSCAN_WHITELIST=""
# #
# The following options can be used to whitelist network ports which are known # The following options can be used to whitelist network ports which are known
# to have been used by malware. # to have been used by malware.
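Review bot: the SUSPSCAN_WHITELIST comment says shell globbing is permitted but does not warn that a broad pattern (a directory wildcard, or a '**' pattern when GLOBSTAR is enabled) exempts every file beneath it from the suspscan test; a sentence recommending the narrowest pattern that matches the known false positive would prevent users from quietly disabling the test. Also, the commented default '#SUSPSCAN_WHITELIST=""' uses a quoted empty string while the other examples in this file (ALLOWIPCPROC=/usr/bin/firefox, ALLOWIPCUSER=usera userb) show unquoted values; pick one convention.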
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
#%%dump #%%dump
%define name rkhunter %define name rkhunter
%define ver 1.4.4 %define ver 1.4.5
%define rel 1 %define rel 1
%define epoch 0 %define epoch 0
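Review bot: '%define ver' is bumped only to 1.4.5 here, while APPVERSION in the installer hunk below is set to 1.4.6 in the same change, so the spec file would build a package whose version does not match the software it contains; this should be 1.4.6.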
...@@ -11,8 +11,8 @@ ...@@ -11,8 +11,8 @@
################################################################################ ################################################################################
INSTALLER_NAME="Rootkit Hunter installer" INSTALLER_NAME="Rootkit Hunter installer"
INSTALLER_VERSION="1.2.20" INSTALLER_VERSION="1.2.21"
INSTALLER_COPYRIGHT="Copyright 2003-2017, Michael Boelen" INSTALLER_COPYRIGHT="Copyright 2018, Michael Boelen"
INSTALLER_LICENSE=" INSTALLER_LICENSE="
This software was developed by the Rootkit Hunter project team. This software was developed by the Rootkit Hunter project team.
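Review bot: changing INSTALLER_COPYRIGHT from "Copyright 2003-2017" to "Copyright 2018" drops the earlier years from the notice rather than extending the range; the usual form is "Copyright 2003-2018, Michael Boelen".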
...@@ -25,7 +25,7 @@ of the GNU General Public License. See LICENSE for details. ...@@ -25,7 +25,7 @@ of the GNU General Public License. See LICENSE for details.
" "
APPNAME="rkhunter" APPNAME="rkhunter"
APPVERSION="1.4.4" APPVERSION="1.4.6"
RKHINST_OWNER="0:0" RKHINST_OWNER="0:0"
RKHINST_MODE_EX="0700" RKHINST_MODE_EX="0700"
RKHINST_MODE_RW="0600" RKHINST_MODE_RW="0600"
...@@ -33,7 +33,6 @@ RKHINST_MODE_RWR="0644" ...@@ -33,7 +33,6 @@ RKHINST_MODE_RWR="0644"
RKHINST_LAYOUT="default" RKHINST_LAYOUT="default"
RKHINST_ACTION="" RKHINST_ACTION=""
RKHINST_ACTION_SEEN=0 RKHINST_ACTION_SEEN=0
USE_CVS=0
ERRCODE=0 ERRCODE=0
OVERWRITE=0 OVERWRITE=0
STRIPROOT=
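Review bot: with the USE_CVS=0 default removed, any remaining reference to $USE_CVS elsewhere in the installer would now expand to an empty string rather than 0; confirm that every test of the variable and its command-line option parsing were removed in the same change, since they are not visible in this hunk.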