Commit cecc7464 authored by Julien Valroff

Imported Upstream version 1.3.6

parent ef43551f
......@@ -2,9 +2,9 @@
ROOTKIT HUNTER ACKNOWLEDGMENTS
==============================
Michael Boelen For providing and opening up RKH for
active development
John Horne For opening up a true cornucopia of enhancements
Michael Boelen Initial Rootkit Hunter developer
John Horne Current Rootkit Hunter developer
Aus9 For Wiki and documentation support
Gary Bak For enhancing AIX support and testing
Andrej Ricnik For patching and testing
konsolebox For loads of suggestions and testing
......@@ -13,7 +13,7 @@ Constantin Stefan For ideas
Iain Roberts AIX and OpenBSD support
Doncho N. Gunchev
Steph For testing
unSpawn
unSpawn Current Rootkit Hunter developer
KNOWN CONTRIBUTORS
......@@ -26,8 +26,14 @@ jabel FreeBSD 6.1 cli vs cron
baddcarma ProFTPd 1.3.0 on SuSE 10.0
linux_fqh Chinese translations
Ryan Beckett For IRIX support
Marc Becker German translation
Julien Valroff Bug reports, ideas and fixes
Dick Gevers For packaging and hosting skdet
Jan Iven Bug reports, ideas and fixes
Finally, thanks go to all the maintainers and end-users that have
volunteered to support RKH.
And thanks to all others who contributed to Rootkit Hunter:
the regulars on the Rootkit Hunter users mailing list, bug
reporters, package maintainers, end-users and those promoting
Rootkit Hunter usage.
......@@ -50,7 +50,7 @@ The latest version of this FAQ can be found at the RKH web site.
4.1) What does the following warning mean:
The file of stored file properties (rkhunter.dat) is empty,
and so must be created. To do this type in
and should be created. To do this type in
'rkhunter --propupd'.
4.2) Rootkit Hunter skips some checks, and the logfile indicates
that certain commands are missing. What can I do?
......@@ -68,6 +68,9 @@ The latest version of this FAQ can be found at the RKH web site.
installed. How it this possible?
5.2) Can I be notified when a new release will be available?
6. WHITELISTING EXAMPLES
6.1) Common whitelisting examples
===========================================================
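Review bot: the context line "installed. How it this possible?" in the 5.1 index entry carries a typo ("it" for "is") that this hunk leaves untouched; since the FAQ index is being edited here anyway, the question text (and its copy in the body of section 5.1) should be corrected to "How is this possible?".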
......@@ -153,7 +156,8 @@ A. The RKH source contains an rkhunter.spec file which will
A. Prior to any incident it is recommended that you have read
"Intruder Detection Checklist". This is available from
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/intruder_detection_checklist.html or
http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html
This document will tell you what to check, and makes it easier
for you to find out and answer any questions.
......@@ -169,7 +173,7 @@ A. Prior to any incident it is recommended that you have read
binaries. If so, then please check further:
1. If you run a file integrity checker, for example Aide,
Samhain, or tripwire, consult the results from running those
Samhain, or Tripwire, consult the results from running those
tools. Note they must be installed directly after the O/S
installation in order to be useful, and you must keep a copy
of the binary, configuration files and databases off-site.
......@@ -265,7 +269,7 @@ A. Some distributions, for example Red Hat and OpenBSD, do patch
If you wish you can skip the application version check completely
by adding the 'apps' test name to the DISABLE_TESTS option in your
rkhunter.conf configuration file.
rkhunter configuration file.
3.3) How can I automatically run Rootkit Hunter every day?
......@@ -361,7 +365,8 @@ A. See the README file for information about the test names.
A. Generally no. Within the tests the space character is typically
used to delimit command output fields. Some tests will work, but
others will not.
others will not. Additionally some tests will not like filenames
with the colon (:) character in them either.
3.6) What does the following warning mean:
......@@ -404,7 +409,7 @@ A. The first run of rkhunter after an installation will usually give
message. Once the reason for the warning has been found, and you
believe that rkhunter has given a false-positive result, then
looking in the configuration file may show you that the relevant
item can be whitelisted.
item can be whitelisted. Also see WHITELISTING EXAMPLES below.
3.8) When I used the '--propupd' option, Rootkit Hunter told me
......@@ -474,7 +479,7 @@ A. The output from rkhunter probably shows something like this:
4.1) What does the following warning mean:
The file of stored file properties (rkhunter.dat) is empty,
and so must be created. To do this type in
and should be created. To do this type in
'rkhunter --propupd'.
A. For rkhunter to perform file property checks, it must first
......@@ -592,3 +597,39 @@ A. Yes, you can join the rkhunter-announce mailing list. This is
===========================================================
6. WHITELISTING EXAMPLES
========================
6.1) After Rootkit Hunter has run you may encounter items in the log file
you would like to whitelist. First verify that the entries are
safe to add. The results of running these commands can be added to
your rkhunter.conf. Please adjust the commands and the location of
your rkhunter.log and verify the results before adding them. Do not
automate adding whitelist entries to your rkhunter.conf.
Allow script replacements ("properties" test):
awk -F"'" '/replaced by a script/ {print "SCRIPTWHITELIST="$2}' rkhunter.log
Allow processes using deleted files ("deleted_files" test):
awk '/Process: / {print "ALLOWPROCDELFILE="$3}' rkhunter.log | sort -u
Allow Xinetd services:
awk '/Found enabled xinetd service/ {print $NF}' rkhunter.log |\
xargs -iX grep -e "server[[:blank:]]" 'X' | awk '{print "XINETD_ALLOWED_SVC="$NF}'
Allow packet capturing applications ("packet_cap_apps" test):
awk -F"'" '/is listening on the network/ {print "ALLOWPROCLISTEN="$2}' rkhunter.log
Allow "suspicious" files ("filesystem" test):
grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' rkhunter.log |\
awk '{print "ALLOWDEVFILE="$2}' | sed -e "s|:$||g"
Allow hidden directories ("filesystem" test):
awk '/Warning: Hidden directory/ {print "ALLOWHIDDENDIR="$6}' rkhunter.log
Allow hidden files ("filesystem" test):
awk '/Warning: Hidden file/ {print "ALLOWHIDDENFILE="$6}' rkhunter.log |\
sed -e "s|:$||g"
===========================================================
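Review bot: the pipelines in 6.1 key on the English log text ("Warning: Hidden directory", "is listening on the network", "replaced by a script"), so they silently produce nothing for a log written with a non-English LANGUAGE setting; the section should say it assumes the English messages. Only the ALLOWPROCDELFILE command deduplicates with "sort -u"; the others can emit the same entry more than once when the log covers several runs, so "| sort -u" belongs on each. In the xinetd command "xargs -iX" is the deprecated spelling of "xargs -IX". The sentence "Do not automate adding whitelist entries" is the important one and deserves a reason: every option here whitelists by pathname alone, so an entry verified safe today keeps suppressing the warning if the file at that path is later replaced, which is why each generated line should be checked (for example against the package manager's file list) before it goes into rkhunter.conf.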
#################################################################################
#
# WISHLIST : Personal and public 'wishes' for Rootkit Hunter
#
# Notes:
# - All things below CAN be integrated in future, but there are no planned
# dates available. *Your* support can change help that!
#
#################################################################################
#
# Request:
# - Do you have a copy of an undetected rootkit? Please send it to us, so
# it can be added and help others.
# - Are you a package maintainer? Please submit your changes through
# rkhunter.sourceforge.net so *everyone* can benefit from it.
# - Are you an enduser? If you want to submit a patch or discuss enhancements,
# file a bug report, have comments, gripes or questions please
# visit rkhunter.sourceforge.net on how you can best reach the project team and
# fellow Rootkit Hunter users.
#
#################################################################################
#
Project:
- more dedicated medior developers
- more dedicated testers
Important:
- Add MD5 check for unknown OSes
- Add/improve Tuxkit
- Missing hashes for any releases of supported O.S.es
- Promiscuous mode detection. In kernel-2.6 the ifconfig + ip (iproute2)
method is no longer working.
Startup:
- Comparing LKM/KLD startups from rc-scripts (differences)
- Checking for kldload (*BSD) and loading of LKMs in rc-scripts
- Black/whitelisting of LKM/KLD
Processes:
- Check for multiple instances of tools (like file, ls, ps, find)
Support:
- Set lo interface into promisc mode to test ifconfig
- Improve support for Sebek LKM
- Option to use Perl modules on a different place than the usual
(requested by Henk Wevers)
- Debian package (.deb)
Misc:
- Scanning of multiple machines by using a central server
- Add support for SSH version of SSH.com
Website:
- Adding comparision between Rootkit Hunter and other projects (pros/cons).
*** Maybe someone would like to help us with this? I would like an objective comparison.
NetBSD:
- Remove whereis parameter '-b' (doesn't exist)
- Use /usr/pkg/bin/perl instead of /usr/bin/perl
#
#################################################################################
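Review bot: two typos in the wishlist text: "*Your* support can change help that!" should read "can help change that!", and "comparision" should be "comparison". The NetBSD item "Remove whereis parameter '-b' (doesn't exist)" is also worth cross-checking against the contrib scripts added in this same commit, one of which still calls "whereis -b" six times.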
#
Version:2007080301
Version:2009110901
#
# Syntax: <port>:<description>:protocol
#
......@@ -7,9 +7,24 @@ Version:2007080301
# The protocol must be UDP or TCP.
#
1524:Possible FreeBSD (FBRK) Rootkit backdoor:TCP:
1984:Fuckit Rootkit:TCP:
2001:Scalper:UDP:
2006:CB:TCP:
2006:CB Rootkit or w00tkit Rootkit SSH server:TCP:
2128:MRK:TCP:
6666:Possible rogue IRC bot:TCP:
6667:Possible rogue IRC bot:TCP:
6668:Possible rogue IRC bot:TCP:
6669:Possible rogue IRC bot:TCP:
7000:Possible rogue IRC bot:TCP:
13000:Possible Universal Rootkit (URK) SSH server:TCP:
14856:Optic Kit (Tux):TCP:
25000:Possible Universal Rootkit (URK) component:TCP:
29812:FreeBSD (FBRK) Rootkit default backdoor port:TCP:
31337:Historical backdoor port:TCP:
33369:Volc Rootkit SSH server (divine):TCP:
47107:T0rn:TCP:
47018:Possible Universal Rootkit (URK) component:TCP:
60922:zaRwT.KiT:TCP:
62883:Possible FreeBSD (FBRK) Rootkit default backdoor port:TCP:
65535:FreeBSD Rootkit (FBRK) telnet port:TCP:
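Review bot: the "Syntax: <port>:<description>:protocol" comment kept as context no longer describes the entries, every one of which ends with a trailing colon (e.g. "6667:Possible rogue IRC bot:TCP:"); either document the trailing separator or drop it. The five new "Possible rogue IRC bot" entries (6666-6669, 7000) and "31337:Historical backdoor port" match on port number alone, so any host with an IRC daemon or an unrelated service bound to one of these ports will now be reported; the README should state that these are low-confidence hits compared with the rootkit-specific ports. Also "47107:T0rn:TCP:" and "47018:Possible Universal Rootkit (URK) component:TCP:" are out of numeric order, which makes the list harder to maintain.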
......@@ -21,7 +21,9 @@
#
# Digest modules:
# > install Digest::MD5
# > install Digest::SHA
# > install Digest::SHA1
# > install Digest::SHA256
#
#################################################################################
......@@ -33,7 +35,9 @@ my $check = "0";
# Modules to check
my @modCheck = qw(
Digest::MD5
Digest::SHA
Digest::SHA1
Digest::SHA256
);
# Use command-line module names if present.
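Review bot: Digest::SHA, which has shipped with Perl itself since 5.9.3, already provides SHA-1 and SHA-256, so once it is found the separate Digest::SHA1 and Digest::SHA256 entries will still be reported as missing even though nothing is lacking; the check should treat SHA1/SHA256 as alternatives satisfied by Digest::SHA, and the "install Digest::SHA256" hint points at an old add-on module that need not be installed when Digest::SHA is present. Note also that createfilehashes.pl, added in this same commit, still does "use Digest::SHA1;" with no Digest::SHA fallback, so it will not run where only the core module is available.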
#!/usr/bin/perl -w
use strict;
use IO::Socket;
my ( $peer, $port );
$peer = $ARGV[0];
my $i = 0;
my $sock = 0;
my $sock2 = 0;
for ($i=0; $i<5000; $i++)
{
$port = $i;
$sock = IO::Socket::INET->new("$peer:$port");
# $sock2 = 'Net::UDP'->new($peer,$port);
if ($sock)
{
print "Port ",$port,"\n";
# Close socket
# close($sock);
}
# if ($sock2)
# {
# print "UDPPort ",$port,"\n";
# }
}
exit;
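Review bot: the socket is never closed ("# close($sock);" is commented out), so every successful connection stays open until the script exits; against a host with many open ports in 0-4999 this runs into the per-process descriptor limit and later connects fail, which the scanner would misreport as closed ports. Restore the close. There is no check that $ARGV[0] was supplied, the range 0-4999 (port 0 included) is hardcoded, and no connect timeout is set, so a filtering firewall makes each attempt wait out the default TCP timeout; take the range from the command line and pass Timeout => 1 to IO::Socket::INET->new. The UDP branch is dead code (Net::UDP is never loaded, and a UDP connect would not detect an open port anyway) and should be removed rather than left commented.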
#!/bin/sh
if [ "$1" = "" -o "$2" = "" -o "$3" = "" -o "$4" = "" ]; then
echo "Usage $0 <path/to/rkhunter.conf> <path/to/mirrors.dat> </path/to/dbdir> </path/to/logfile>"
exit 1
fi
WGETFOUND=0
CONFFILE=$1
# Mirrors
MIRRORFILE=$2
DBDIR=$3
LOGFILE=$4
debug() {
echo $1 >> ${LOGFILE}
}
debug "--------------------------------------------------"
debug "Updater output:"
BINPATHS="/bin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /sw/bin"
for I in ${BINPATHS}; do
J=${I}"/wget"
if [ -f ${J} ]; then
WGETFOUND=1
WGETBINARY=${J}
fi
done
if [ ${WGETFOUND} -eq 0 ]; then
echo "Fatal error: can't find WGet"
exit 1
fi
# Retrieve file info
FILEINFO=`cat ${CONFFILE} | grep 'UPDATEFILEINFO=' | tr -d 'UPDATEFILEINFO='`
if [ "${FILEINFO}" = "" ]; then
echo "Fatal error. Missing line 'UPDATEFILEINFO=' or wrong/non-existing file"
echo "Please check your configuration file (${CONFFILE})"
exit 1
fi
checkupdate() {
echo -n "${FILEDESC}: "
UPDATEDBURL="${FIRSTMIRROR}/${VERSIONUPDATEURL}"
LATESTVERSION="`${WGETBINARY} -q -O - ${UPDATEDBURL}`"
if [ "${LATESTVERSION}" = "" ]; then
echo "ERROR"
echo "Fatal error: Problem while fetching file"
exit 1
fi
CURRENTVERSION=`cat ${DBDIR}/${FILENAME} | grep '000:version' | cut -d ':' -f3`
if [ "${CURRENTVERSION}" = "" ]; then
CURRENTVERSION=`cat ${DBDIR}/${FILENAME} | grep 'version=' | cut -d '=' -f2`
if [ "${CURRENTVERSION}" = "" ]; then
echo "ERROR"
echo "Fatal error: no valid version tag in filename"
exit 1
fi
fi
if [ "${LATESTVERSION}" = "" ]; then
echo "Skipped"
echo "Error: can't obtain valid version tag from downloaded file (or 404 error). Possible outdated mirror."
debug "Tried to fetch ${UPDATEDBURL}"
else
if [ ${CURRENTVERSION} -lt ${LATESTVERSION} ]; then
echo "${WHITE}Update available${NORMAL}"
# Fetch file
GETFILE="${FIRSTMIRROR}/${FILENAME}.gz"
TMPFILE="`mktemp ${DBDIR}/rkhunter.upd.gz.XXXXXX`" || exit 1
if [ ! "`${WGETBINARY} -q -O - ${GETFILE} | gunzip -c > ${TMPFILE}`" ]; then
cat ${TMPFILE} >${DBDIR}/${FILENAME}
echo " Action: Database updated (current version: ${CURRENTVERSION}, new version ${LATESTVERSION})"
else
echo "Fatal error: Can't retrieve file: ${GETFILE}"
fi
rm -f ${TMPFILE}
else
if [ ${CURRENTVERSION} -gt ${LATESTVERSION} ]; then
echo "Mirror outdated. Skipped"
echo " Info (current version: ${CURRENTVERSION}, version of mirror: ${LATESTVERSION})"
else
echo "Up to date"
fi
fi
fi
}
if [ -f ${MIRRORFILE} ]; then
MIRRORSVERSION=`cat ${MIRRORFILE} | grep 'version=' | head -n 1`
# Retrieve first mirror
FIRSTMIRROR=`cat ${MIRRORFILE} | grep 'mirror=' | head -n 1`
OTHERMIRRORS=`cat ${MIRRORFILE} | grep -v 'version=' | grep -v ${FIRSTMIRROR}`
# Clean up files
if [ -f ${MIRRORFILE}.new ]; then
rm -f ${MIRRORFILE}.new
fi
echo "${MIRRORSVERSION}" > ${MIRRORFILE}.new
for I in ${OTHERMIRRORS}; do
echo ${I} >> ${MIRRORFILE}.new
done;
echo ${FIRSTMIRROR} >> ${MIRRORFILE}.new
# Use rotated file
cat ${MIRRORFILE}.new >${MIRRORFILE}
echo "Mirrorfile ${MIRRORFILE} rotated"
rm -f ${MIRRORFILE}.new
FIRSTMIRROR=`echo ${FIRSTMIRROR} | cut -d '=' -f2`
echo "Using mirror ${FIRSTMIRROR}"
##############################################################################################
LATESTVERSION="unknown"
FILEDESC="[DB] Mirror file "
FILENAME="mirrors.dat"
VERSIONUPDATEURL="mirrors.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] MD5 hashes system binaries "
FILENAME="defaulthashes.dat"
VERSIONUPDATEURL="defaulthashes.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] Operating System information "
FILENAME="os.dat"
VERSIONUPDATEURL="os.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] MD5 blacklisted tools/binaries "
FILENAME="md5blacklist.dat"
VERSIONUPDATEURL="md5blacklist.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] Known good program versions "
FILENAME="programs_good.dat"
VERSIONUPDATEURL="programs_good.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] Known bad program versions "
FILENAME="programs_bad.dat"
VERSIONUPDATEURL="programs_bad.dat.ver"
checkupdate
##############################################################################################
echo "" ; echo ""; echo ""
else
echo "Fatal error: ${MIRRORFILE} does not exist"
exit 1
fi
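Review bot: the download check 'if [ ! "`${WGETBINARY} -q -O - ${GETFILE} | gunzip -c > ${TMPFILE}`" ]' captures the stdout of a pipeline whose stdout has been redirected into the temp file, so the substitution is always empty and the "Database updated" branch is always taken: a failed or truncated fetch (wget is run with -q) overwrites ${DBDIR}/${FILENAME} with an empty or partial file. Test the exit status instead (download to a file, "gunzip -t" it, and compare the fetched file's own version tag with ${LATESTVERSION} before moving it into place). Beyond that, nothing authenticates what is installed: the mirror list, defaulthashes.dat and md5blacklist.dat are all replaced wholesale by whatever the first mirror returns with a higher number in its .ver file, so anyone able to answer for that mirror can hand the scanner a database that whitelists their own binaries. Smaller points: "tr -d 'UPDATEFILEINFO='" deletes every character of that set from the line rather than stripping the prefix, and ${FILEINFO} is not used afterwards anyway; ${WHITE} and ${NORMAL} are never defined; the second '[ "${LATESTVERSION}" = "" ]' test is unreachable because the first one exits; a non-numeric .ver response (an HTML error page from a stale mirror, for instance) makes the "-lt" comparison abort with a shell error instead of reaching the "Mirror outdated" path; and the "Fatal error: Can't retrieve file" branch does not exit.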
#!/usr/bin/perl
use Digest::MD5;
use Digest::SHA1;
my $i=0;
# Open file in binary mode
my $file = $ARGV[0];
open(FILE, $file) or die "Sorry. Can't open '$file'";
binmode(FILE);
$sha1 = Digest::SHA1->new;
$md5 = Digest::MD5->new;
# File size
my $filesize = -s $file;
# Hash file contents
while (<FILE>) {
$sha1->add($_);
$md5->add($_);
$i++;
}
close(FILE);
print "OSNUMBER:",$file,":",$md5->hexdigest,":",$sha1->hexdigest,":",$filesize,":-:\n";
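Review bot: $sha1 and $md5 are undeclared package globals (there is no "use strict" or "use warnings"); declare them with my. Reading the file with the line operator in binmode hashes every byte correctly, but the split on "\n" serves no purpose and $i is incremented and never used: "$md5->addfile(*FILE)" and "$sha1->addfile(*FILE)" do the same in one call each. Since check_modules.pl in this commit now prefers Digest::SHA, this script should take sha1 from Digest::SHA (falling back to Digest::SHA1) so it runs where only the core module is installed. "OSNUMBER" and the trailing "-" are placeholders the user has to edit into the output by hand; the rpm-based variant added alongside at least fills in the package field, and the two could share one script with the OS id taken from the command line.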
#!/bin/sh
# Temporary file for sorting the results
TMPFILE="`mktemp /tmp/rkhunter.createhashes.XXXXXX`" || exit 1
DIRS="/sbin /bin /usr/bin /usr/sbin"
FILES="find
cron
ifconfig
watch
w
whoami
who
users
stat
sha1sum
kill
find
file
pstree
killall
lsattr
mount
netstat
egrep
fgrep
grep
cat
chmod
chown
env
ls
su
ps
dmesg
kill
login
chkconfig
depmod
insmod
modinfo
sysctl
syslogd
init
runlevel
groups
ip"
for I in ${FILES}; do
for J in ${DIRS}; do
FILE="${J}/${I}"
if [ -f ${FILE} ]; then
./createfilehashes.pl ${FILE} >> ${TMPFILE}
fi
done
done
sort ${TMPFILE}
rm -f ${TMPFILE}
exit 0
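Review bot: "find" and "kill" each appear twice in FILES, so every hit is hashed twice and "sort" (without -u) keeps both lines; deduplicate the list or use "sort -u". DIRS omits /usr/local/bin and /usr/local/sbin, which the sibling script and the updater's BINPATHS both search, so locally built replacements of these tools are missed. "./createfilehashes.pl" is resolved relative to the current directory rather than the script's location, so this only works when run from its own directory; use "$(dirname "$0")/createfilehashes.pl" or put both scripts on PATH.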
#!/bin/sh
DIRS="/sbin /bin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"
for I in ${DIRS}; do
FILES=`ls ${I}/*`
for J in ${FILES}; do
./createfilehashes.pl ${J}
done
done
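Review bot: 'FILES=`ls ${I}/*`' word-splits the listing, and because ls lists the contents of any directory argument, a subdirectory such as /usr/bin/X11 contributes its bare entry names, which createfilehashes.pl then fails to open (and dies on); iterate with 'for J in ${I}/*' and test '[ -f "$J" ]' as createhashes.sh does. Unlike createhashes.sh this version does not sort its output, so the two scripts produce databases in different orders for the same machine.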
#! /usr/bin/perl -w
#
# A simple util to check the lines in the i18n/en file
# exist in the rkhunter program.
#
# Author: John Horne (17-2-07)
#
my $keyword = my $arg = my $found = '';
my $dir = '/var/lib/rkhunter/db/i18n';
my $rkh = '/usr/local/bin';
while (@ARGV) {
$arg = shift;
if ($arg =~ /^--?d$/io) {
$dir = shift;
}
elsif ($arg =~ /^--?p$/io) {
$rkh = shift;
}
elsif ($arg =~ /^--?h$/io) {
print "\nUsage: i18nchk [-d i18n_dir] [-p rkhunter_dir]\n\n";
exit;
}
else {
print "Unknown option: $arg\n";
exit 1;
}
}
if (! $dir || ! -d $dir) {
print "Unable to find the i18n directory.\n";
exit 1;
}
elsif (! $rkh || ! -d $rkh) {
print "Unable to find the rkhunter program.\n";
exit 1;
}
unless (open(I18N, "$dir/en")) {
print "Unable to open i18n file: $!\n";
exit 1;
}
while (defined($keyword = <I18N>)) {
next if ($keyword =~ /^\s*(#|$)/o);
next if ($keyword =~ /^version:/io);
next if ($keyword eq "MSG_TYPE_PLAIN:\n");
chomp($keyword);
if ($keyword =~ /^([^:]+):\s*\S/o) {
$keyword = $1;
}
else {
print "Keyword $keyword has no value.\n";
}
$keyword = $1 if ($keyword =~ /^MSG_TYPE_(.*)/o);
$keyword = $1 if ($keyword =~ /^MSG_RESULT_(.*)/o);
if ($keyword =~ /[a-z]/o) {
print "Keyword $keyword contains lowercase characters.\n";
}
$found = `egrep -e " $keyword( |\$)" $rkh/rkhunter`;
unless ($found) {
print "Keyword $keyword not found in rkhunter.\n";
}
# print "$keyword\n";
}
close(I18N);
exit;
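Review bot: each keyword is interpolated into a shell command, 'egrep -e " $keyword( |\$)" $rkh/rkhunter', so a keyword containing a quote, backtick or "$" would be handed to the shell; the i18n/en file is project-controlled, so this is a robustness rather than a security issue, but slurping the rkhunter script once and matching with a Perl regex avoids both the quoting problem and a fork per keyword. When a line has no value the script prints "Keyword ... has no value." and then goes on to search for the whole unparsed line anyway; add "next" after the message. "-p" is described as rkhunter_dir but the only check is "-d $rkh", so a wrong directory shows up as every keyword being "not found in rkhunter" instead of "Unable to find the rkhunter program."; test "-f $rkh/rkhunter" instead.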
#!/bin/sh
echo "File locations:"
whereis -b md5
whereis -b md5sum
whereis -b md5sums
whereis -b sha1
whereis -b sha1sum
whereis -b sha1sums
echo "-------------------------------"
echo "Output uname -a:"
uname -a
echo "Output uname -m:"
uname -m
echo "Output uname -n:"
uname -n
echo "Output uname -p:"
uname -p
echo "Output uname -r:"
uname -r
echo "Output uname -s:"
uname -s
echo "Output uname -v:"
uname -v
for I in `ls /etc/*-release`; do
echo "Found ${I}"
echo "${I}:"
cat ${I}
done
for I in `ls /etc/*_version`; do
echo "Found ${I}"
echo "${I}:"
cat ${I}
done
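Review bot: 'for I in `ls /etc/*-release`' prints an ls error and runs the loop body on the literal pattern when nothing matches, and word-splits any path with spaces; write 'for I in /etc/*-release; do [ -f "$I" ] || continue; ...' instead (likewise for /etc/*_version). "whereis -b" is used six times although this commit's own WISHLIST records that NetBSD's whereis has no "-b" option; "command -v" or a PATH walk like the updater's BINPATHS loop is portable. The "Found ${I}" and "${I}:" lines print the same path twice; one header line per file is enough.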
#!/bin/sh
FILES="/usr/bin/find /usr/sbin/cron /sbin/ifconfig /usr/bin/watch /usr/bin/w /usr/bin/whoami /usr/bin/who /usr/bin/users /usr/bin/stat /usr/bin/sha1sum /usr/bin/kill /usr/bin/find /usr/bin/file /usr/bin/pstree /usr/bin/killall /usr/bin/lsattr /bin/mount /bin/netstat /bin/egrep /bin/fgrep /bin/grep /bin/cat /bin/chmod /bin/chown /bin/env /bin/ls /bin/su /bin/ps /bin/dmesg /bin/kill /bin/login /sbin/chkconfig /sbin/depmod /sbin/insmod /sbin/modinfo /sbin/sysctl /sbin/syslogd /sbin/init /sbin/runlevel /usr/bin/groups /sbin/ip"
OSID="OSNO"
for I in ${FILES}; do
if [ -f ${I} ]; then
FILESIZE=`ls -l ${I} | tr -s ' ' ',' | cut -d ',' -f5`
RPM=`rpm -qf ${I}`
MD5=`md5sum ${I} | cut -d ' ' -f1`
SHA1=`sha1sum ${I} | cut -d ' ' -f1`
echo "${OSID}:${I}:${MD5}:${SHA1}:${FILESIZE}:${RPM}:"
fi
done
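Review bot: FILESIZE is obtained by parsing "ls -l" output, which is fragile; "stat -c %s" or "wc -c <" gives the number directly. When a file is not owned by any package "rpm -qf" exits non-zero and prints a message instead of a package name, which this script captures into the last field verbatim; check the exit status and emit "-" as createfilehashes.pl does. The file list is hardcoded to Linux paths (/sbin/chkconfig, /sbin/ip, /bin/netstat) and duplicates the list in createhashes.sh, so the two will drift; generate both from one shared list. Finally, this runs md5sum and sha1sum from the system being catalogued, which is only trustworthy on a freshly installed, known-clean host, and a comment at the top should say so.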
#!/bin/sh
echo '-------------------------------------------------------'
cat "$0"
echo '-------------------------------------------------------'