Commit ef43551f authored by Julien Valroff's avatar Julien Valroff

Imported Upstream version 1.3.4

parent a8ccd210
ROOTKIT HUNTER ACKNOWLEDGMENTS
==============================
Michael Boelen For providing and opening up RKH for active development
John Horne For opening up a true cornucopia of enhancements
Gary Bak For enhancing AIX support and testing
Andrej Ricnik For patching and testing
konsolebox For loads of suggestions and testing
Sibtay Abbas For testing
Constantin Stefan For ideas
Iain Roberts AIX and OpenBSD support
Doncho N. Gunchev
Steph For testing
unSpawn
KNOWN CONTRIBUTORS
==================
Macemoneta FUSE support
B. Donnachie cAos support
intrigeri Parallel run support
jabel FreeBSD 6.1 cli vs cron
baddcarma ProFTPd 1.3.0 on SuSE 10.0
linux_fqh Chinese translations
Ryan Beckett For IRIX support
Finally, thanks go to all the maintainers and end-users that have
volunteered to support RKH.
#################################################################################
#
# WISHLIST : Personal and public 'wishes' for Rootkit Hunter
#
# Notes:
# - All things below CAN be integrated in future, but there are no planned
# dates available. *Your* support can help change that!
#
#################################################################################
#
# Request:
# - Do you have a copy of an undetected rootkit? Please send it to us, so
# it can be added and help others.
# - Are you a package maintainer? Please submit your changes through
# rkhunter.sourceforge.net so *everyone* can benefit from it.
# - Are you an enduser? If you want to submit a patch or discuss enhancements,
# file a bug report, have comments, gripes or questions please
# visit rkhunter.sourceforge.net on how you can best reach the project team and
# fellow Rootkit Hunter users.
#
#################################################################################
#
Project:
- more dedicated medior developers
- more dedicated testers
Important:
- Add MD5 check for unknown OSes
- Add/improve Tuxkit
- Missing hashes for any releases of supported O.S.es
- Promiscuous mode detection. In kernel-2.6 the ifconfig + ip (iproute2)
method is no longer working.
Startup:
- Comparing LKM/KLD startups from rc-scripts (differences)
- Checking for kldload (*BSD) and loading of LKMs in rc-scripts
- Black/whitelisting of LKM/KLD
Processes:
- Check for multiple instances of tools (like file, ls, ps, find)
Support:
- Set lo interface into promisc mode to test ifconfig
- Improve support for Sebek LKM
- Option to use Perl modules from a location other than the usual one
(requested by Henk Wevers)
- Debian package (.deb)
Misc:
- Scanning of multiple machines by using a central server
- Add support for SSH version of SSH.com
Website:
- Adding a comparison between Rootkit Hunter and other projects (pros/cons).
*** Maybe someone would like to help us with this? I would like an objective comparison.
NetBSD:
- Remove whereis parameter '-b' (doesn't exist)
- Use /usr/pkg/bin/perl instead of /usr/bin/perl
#
#################################################################################
#
Version:2007080301
#
# Syntax: <port>:<description>:protocol
#
# Note: The port number must be between 1 and 65535 inclusive.
# Descriptions cannot contain any colon (:) characters.
# The protocol must be UDP or TCP.
#
2001:Scalper:UDP:
2006:CB:TCP:
2128:MRK:TCP:
14856:Optic Kit (Tux):TCP:
47107:T0rn:TCP:
60922:zaRwT.KiT:TCP:
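A validator and lookup for this backdoor-port list format, added here as an example (it is not part of rkhunter's own code). The sample entries, including the deliberately malformed ones, are constructed and written to a temporary file.

```shell
#!/bin/sh
# Validator and lookup for rkhunter's backdoorports.dat format:
#   <port>:<description>:<protocol>:   one entry per line, '#' comments,
#   a leading "Version:" line. Constructed sample, not the project's file.
SAMPLE_DB="$(mktemp /tmp/backdoorports.XXXXXX)" || exit 1
trap 'rm -f "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_DB" <<'EOF'
Version:2007080301
# comment line
2001:Scalper:UDP:
47107:T0rn:TCP:
70000:BadPort:TCP:
2006:Bad:Desc:TCP:
22:Ssh:SCTP:
EOF

# validate_db FILE: print every malformed entry; return 1 if any, else 0
validate_db() {
    awk -F: '
        BEGIN { rc = 0 }
        /^#/ || /^Version:/ || /^[[:space:]]*$/ { next }
        {
            bad = 0
            # exactly port, description, protocol and an empty trailing field
            if (NF != 4 || $4 != "") bad = 1
            # port must be numeric and within 1..65535
            if ($1 !~ /^[0-9]+$/ || $1 < 1 || $1 > 65535) bad = 1
            # protocol must be TCP or UDP
            if ($3 != "TCP" && $3 != "UDP") bad = 1
            if (bad) { print "malformed: " $0; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# lookup_port FILE PORT PROTO: print the description of a listed
# backdoor port; return 1 when the port/protocol pair is not listed
lookup_port() {
    awk -F: -v p="$2" -v pr="$3" '
        /^#/ || /^Version:/ { next }
        $1 == p && $3 == pr { print $2; found = 1; exit }
        END { exit !found }
    ' "$1"
}
```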
#!/usr/bin/perl -w
#################################################################################
#
# Perl module checker 0.0.3
#
#################################################################################
#
# This Perl script checks for installed modules by trying to 'use' the
# module. If the check fails, then the module is not present.
#
# If you want to install additional modules, use:
# > perl -MCPAN -e shell
# > install [module name]
#
# If the first one fails, please install the perl-CPAN package first
#
# Upgrade CPAN if possible:
# > install Bundle::CPAN
# > reload cpan
#
# Digest modules:
# > install Digest::MD5
# > install Digest::SHA1
#
#################################################################################
use strict;
my $check = "0";
# Modules to check
my @modCheck = qw(
Digest::MD5
Digest::SHA1
);
# Use command-line module names if present.
@modCheck = @ARGV if (@ARGV);
for (@modCheck)
{
if (installed("$_"))
{
print "$_ installed (version ",$check,").\n"
}
else
{
print "$_ NOT installed.\n"
}
}
#########################################
#
# SUB: Installed modules
#
#########################################
sub installed
{
# Module name is passed as the first argument
my $module = shift;
# Try to use the Perl module
eval "use $module";
# Check eval response
if ($@)
{
# Module is NOT installed
$check = 0;
}
else
{
# Module is installed (reset module version to '1')
$check = 1;
my $version = 0;
# Try to retrieve version number (by using eval again)
eval "\$version = \$$module\::VERSION";
# Set version number if no problem occurred
$check = $version if (!$@);
}
# Return version number
return $check;
}
exit();
# The end
#!/usr/bin/perl -w
# Development helper: TCP connect test against ports 1-4999 on the given host
use strict;
use IO::Socket;
my $peer = $ARGV[0];
die "Usage: $0 <host>\n" unless defined $peer;
my $port;
# Port 0 is not a valid destination port; start at 1
for ($port = 1; $port < 5000; $port++)
{
    my $sock = IO::Socket::INET->new("$peer:$port");
    # my $sock2 = 'Net::UDP'->new($peer,$port);
    if ($sock)
    {
        print "Port ",$port,"\n";
        # Close socket
        close($sock);
    }
    # if ($sock2)
    # {
    # print "UDPPort ",$port,"\n";
    # }
}
exit;
#!/bin/sh
if [ "$1" = "" -o "$2" = "" -o "$3" = "" -o "$4" = "" ]; then
echo "Usage $0 <path/to/rkhunter.conf> <path/to/mirrors.dat> </path/to/dbdir> </path/to/logfile>"
exit 1
fi
WGETFOUND=0
CONFFILE=$1
# Mirrors
MIRRORFILE=$2
DBDIR=$3
LOGFILE=$4
debug() {
# Quote the message so embedded spaces are preserved
echo "$1" >> "${LOGFILE}"
}
debug "--------------------------------------------------"
debug "Updater output:"
BINPATHS="/bin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /sw/bin"
for I in ${BINPATHS}; do
J=${I}"/wget"
if [ -f ${J} ]; then
WGETFOUND=1
WGETBINARY=${J}
fi
done
if [ ${WGETFOUND} -eq 0 ]; then
echo "Fatal error: can't find WGet"
exit 1
fi
# Retrieve file info (strip the key, not every character in it: 'tr -d' deletes a set of characters)
FILEINFO=`grep '^UPDATEFILEINFO=' ${CONFFILE} | sed 's/^UPDATEFILEINFO=//'`
if [ "${FILEINFO}" = "" ]; then
echo "Fatal error. Missing line 'UPDATEFILEINFO=' or wrong/non-existing file"
echo "Please check your configuration file (${CONFFILE})"
exit 1
fi
checkupdate() {
echo -n "${FILEDESC}: "
UPDATEDBURL="${FIRSTMIRROR}/${VERSIONUPDATEURL}"
LATESTVERSION="`${WGETBINARY} -q -O - ${UPDATEDBURL}`"
# An empty answer is fatal; a non-numeric one (404 page, broken mirror) is skipped
case "${LATESTVERSION}" in
'')
echo "ERROR"
echo "Fatal error: Problem while fetching file"
exit 1
;;
*[!0-9]*)
echo "Skipped"
echo "Error: can't obtain valid version tag from downloaded file (or 404 error). Possible outdated mirror."
debug "Tried to fetch ${UPDATEDBURL}"
return 1
;;
esac
CURRENTVERSION=`cat ${DBDIR}/${FILENAME} | grep '000:version' | cut -d ':' -f3`
if [ "${CURRENTVERSION}" = "" ]; then
CURRENTVERSION=`cat ${DBDIR}/${FILENAME} | grep 'version=' | cut -d '=' -f2`
if [ "${CURRENTVERSION}" = "" ]; then
echo "ERROR"
echo "Fatal error: no valid version tag in filename"
exit 1
fi
fi
if [ ${CURRENTVERSION} -lt ${LATESTVERSION} ]; then
echo "Update available"
# Fetch file. Test the exit status of the download/decompress pipeline and
# that the result is non-empty; the pipeline's stdout is redirected, so
# testing its captured output (as before) was always true.
GETFILE="${FIRSTMIRROR}/${FILENAME}.gz"
TMPFILE="`mktemp ${DBDIR}/rkhunter.upd.gz.XXXXXX`" || exit 1
if ${WGETBINARY} -q -O - ${GETFILE} | gunzip -c > ${TMPFILE} && [ -s ${TMPFILE} ]; then
cat ${TMPFILE} >${DBDIR}/${FILENAME}
echo " Action: Database updated (current version: ${CURRENTVERSION}, new version ${LATESTVERSION})"
else
echo "Fatal error: Can't retrieve file: ${GETFILE}"
fi
rm -f ${TMPFILE}
elif [ ${CURRENTVERSION} -gt ${LATESTVERSION} ]; then
echo "Mirror outdated. Skipped"
echo " Info (current version: ${CURRENTVERSION}, version of mirror: ${LATESTVERSION})"
else
echo "Up to date"
fi
}
if [ -f ${MIRRORFILE} ]; then
MIRRORSVERSION=`cat ${MIRRORFILE} | grep 'version=' | head -n 1`
# Retrieve first mirror
FIRSTMIRROR=`cat ${MIRRORFILE} | grep 'mirror=' | head -n 1`
OTHERMIRRORS=`cat ${MIRRORFILE} | grep -v 'version=' | grep -v ${FIRSTMIRROR}`
# Clean up files
if [ -f ${MIRRORFILE}.new ]; then
rm -f ${MIRRORFILE}.new
fi
echo "${MIRRORSVERSION}" > ${MIRRORFILE}.new
for I in ${OTHERMIRRORS}; do
echo ${I} >> ${MIRRORFILE}.new
done;
echo ${FIRSTMIRROR} >> ${MIRRORFILE}.new
# Use rotated file
cat ${MIRRORFILE}.new >${MIRRORFILE}
echo "Mirrorfile ${MIRRORFILE} rotated"
rm -f ${MIRRORFILE}.new
FIRSTMIRROR=`echo ${FIRSTMIRROR} | cut -d '=' -f2`
echo "Using mirror ${FIRSTMIRROR}"
##############################################################################################
LATESTVERSION="unknown"
FILEDESC="[DB] Mirror file "
FILENAME="mirrors.dat"
VERSIONUPDATEURL="mirrors.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] MD5 hashes system binaries "
FILENAME="defaulthashes.dat"
VERSIONUPDATEURL="defaulthashes.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] Operating System information "
FILENAME="os.dat"
VERSIONUPDATEURL="os.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] MD5 blacklisted tools/binaries "
FILENAME="md5blacklist.dat"
VERSIONUPDATEURL="md5blacklist.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] Known good program versions "
FILENAME="programs_good.dat"
VERSIONUPDATEURL="programs_good.dat.ver"
checkupdate
###########################
LATESTVERSION="unknown"
FILEDESC="[DB] Known bad program versions "
FILENAME="programs_bad.dat"
VERSIONUPDATEURL="programs_bad.dat.ver"
checkupdate
##############################################################################################
echo "" ; echo ""; echo ""
else
echo "Fatal error: ${MIRRORFILE} does not exist"
exit 1
fi
#####################################################################################################
#
# Contrib
#
# NOTE: submitted contributions may have their own license.
# Please check the source of each file to see how you can use this software.
#
#####################################################################################################
[name]                     [description]
run_rkhunter               script: start rkhunter
rkhunter_remote_howto.txt  howto: run Rootkit Hunter from a central server.
RUNNING ROOTKIT HUNTER FROM A CENTRAL SERVER
============================================
An example for running Rootkit Hunter using Webjob.
Rootkit Hunter (RKH) currently does not have the capability
to be run in a client-server way. We can remedy that by
running RKH as a webjob command. Webjob allows you to run a
command or a set of commands on a client by fetching the
command from a remote server and returning the output to the
server. While this setup is not exhaustively tested, the steps
should provide enough information to get you going.
PREREQUISITES
=============
- A webserver with CGI capabilities and Perl
- A client with the requirements for running Webjob and RKH
SETUP
=====
1. Set up Webjob and PAD by following the instructions included in
the Webjob tarball.
2. Install "webjob" binary client-side and verify server-client
operation works as expected with a client config (~/.webjob.cfg):
ClientId=client_1
URLGetURL=http://your.server.net/cgi-client/nph-webjob.cgi
URLPutURL=http://your.server.net/cgi-client/nph-webjob.cgi
URLUsername=client_1
URLPassword=<password>
URLAuthType=basic
RunType=snapshot
TempDirectory=/dev/shm
OverwriteExecutable=Y
UnlinkOutput=N
UnlinkExecutable=N
- Download and unpack RKH and create a local installation:
sh installer.sh --install --layout .
- Set executable mode on the main rkhunter script, then rename
the "files" directory, make the tarball, then pad:
chmod 0755 files/rkhunter
mv files rkhunter
tar -czf rkhunter.tgz rkhunter
pad-make-script --create rkhunter.tgz > rkhunter.tgz.pad
- Now remove rkhunter/ and ../rkhunter-1.2.9/ and move
rkhunter.tgz.pad to $WEBJOB_DIR/profiles/client_1/commands/.
- Add a Sudo entry to allow an unprivileged user to run RKH from
webjob as root account user. Note this is one line:
Cmnd_Alias WEBJOB_RKH=/dev/shm/rkhunter/rkhunter --configfile
/dev/shm/rkhunter/rkhunter.conf -c -sk --cronjob
- Add the alias as a NOPASSWD entry to the unprivileged user account.
- As unprivileged user run (note this is one line):
rm -rf /dev/shm/rkhunter
/usr/local/webjob/bin/webjob --execute --file ~/.webjob.cfg
rkhunter.tgz.pad tar -C /dev/shm -zxf %payload \&\& cd /dev/shm/rkhunter
\&\& sudo /dev/shm/rkhunter/rkhunter --configfile
/dev/shm/rkhunter/rkhunter.conf -c -sk --cronjob
- Inspect output on your.server.net in the $WEBJOB_DIR/incoming/
directory. It is named client_1_DATE-SPEC_JOB-SPEC_rkhunter.tgz.pad.out.
CAUTION
=======
Note this example does not cover running webjob and RKH on a compromised
host. For RKH to produce less questionable results in such a situation you
would minimally need to check the integrity of the download-capable binary
before executing your secure download, be aware of the consequences of
disturbing a "live" filesystem and memory contents, and download all
requirements for unpacking and running RKH or access those from read-only
media.
GETTING HELP
============
- In the steps above we have taken the examples and variable
names from the Webjob README. Inspect the Webjob README for
answers about the examples and variable names.
- Webjob-related questions about configuring, installing, running
the server-side and client-side part should be directed to
http://sourceforge.net/projects/webjob.
- Sudo-related problems should be remedied by reading the man page.
Please do not use the RKH mailing list for questions about webjob
or sudo.
#!/bin/sh
#
# run_rkhunter -- check the system integrity using rkhunter
# Author: Dr. Andy Spiegl, KasCada Telekommunikation (www.kascada.com)
# This software is GPL and free to use.
#
############################################
# Have cron call this script, eg. like this:
# /etc/cron.d/run_rkhunter
############################################
# # Fallthrough in case of errors in this cronfile
# MAILTO=your_address@yourdomain.com
#
# SKRIPT=/usr/local/sbin/kas/run_rkhunter
# PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
# 15 4 * * * root test -x $SKRIPT && $SKRIPT 2>&1
############################################
############################################
# History:
#
# v0.1 2005-02-14: first Version, split from run_chkrootkit
# v0.2 2005-02-15: translated into English
# v0.3 2005-02-20: changed some private information
#
############################################
# where to send the output of rkhunter
MAILADDRESSES=rkhunter_errors@yourdomain.com
# use aktelog instead:
#AKTELOG=/usr/local/sbin/aktelog
#AKTELOG_LABEL="rkhunter"
# appending logfile (rotate it!)
LOGFILE=/var/log/mylogdir/rkhunter.log
# rkhunter's own logfile (only contains info from the last run)
RKLOGFILE=/var/log/rkhunter.log
RKHUNTER=/usr/local/rkhunter/bin/rkhunter
RKHUNTER_OPTS="-c --cronjob --report-warnings-only --skip-application-check --createlogfile --tmpdir /usr/local/rkhunter/lib/rkhunter/tmp"
# try to get a secure tempfile
if [ -x /bin/tempfile ]; then
TMPLOGFILE1=`/bin/tempfile -p rkhu.`
TMPLOGFILE2=`/bin/tempfile -p rkhu.`
else
TMPLOGFILE1=/var/tmp/rkhunter.tmp1.$$
TMPLOGFILE2=/var/tmp/rkhunter.tmp2.$$
# avoid symlink attacks
rm -fr $TMPLOGFILE1 $TMPLOGFILE2
touch $TMPLOGFILE1 $TMPLOGFILE2
fi
# first update the rkhunter hashes
echo "=======Updating=================================" >> $LOGFILE
/bin/date >> $LOGFILE
# Redirect stdout first, then stderr onto it, so error messages land in the tempfile too
$RKHUNTER --update >> $TMPLOGFILE1 2>&1
if egrep -q "(Error|outdated)" $TMPLOGFILE1 ; then
echo . >> $TMPLOGFILE1
echo "WARNING: rkhunter couldn't update its hashes which will" >> $TMPLOGFILE1
echo "most likely lead to errors now." >> $TMPLOGFILE1
fi
cat $TMPLOGFILE1 >> $LOGFILE
# now start checking the server
echo "=======Checking=================================" >> $LOGFILE
/bin/date >> $LOGFILE
$RKHUNTER $RKHUNTER_OPTS >> $TMPLOGFILE2
/bin/cat $RKLOGFILE >> $LOGFILE
echo done. >> $LOGFILE
if [ -s $TMPLOGFILE2 ]; then
(
echo __Start__: Output of rkhunter at `/bin/date`;
echo "=======Updating=================================";
/bin/cat $TMPLOGFILE1 ;
echo "=======Checking=================================";
/bin/cat $TMPLOGFILE2 ;
echo __End__ of rkhunter output
) | mail -s "rkhunter output" $MAILADDRESSES
# ) | $AKTELOG $AKTELOG_LABEL
fi
rm -f $TMPLOGFILE1 $TMPLOGFILE2
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5;
use Digest::SHA1;
# Usage: createfilehashes.pl <file>
my $file = $ARGV[0];
die "Usage: $0 <file>\n" unless defined $file;
# Open file in binary mode
open(FILE, '<', $file) or die "Sorry. Can't open '$file': $!";
binmode(FILE);
my $sha1 = Digest::SHA1->new;
my $md5 = Digest::MD5->new;
# File size
my $filesize = -s $file;
# Hash file contents (read in newline-delimited chunks; binmode keeps binaries intact)
while (<FILE>) {
    $sha1->add($_);
    $md5->add($_);
}
close(FILE);
# Output one hash-database line: <OS number>:<path>:<md5>:<sha1>:<size>:-:
# (the "OSNUMBER" prefix is printed literally)
print "OSNUMBER:",$file,":",$md5->hexdigest,":",$sha1->hexdigest,":",$filesize,":-:\n";
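The consumer side of the line format above: a checker that compares files on disk against such hash lines, added here as an example and not part of rkhunter. It assumes GNU coreutils md5sum and sha1sum; the sample files, the OS number 0001 and the hash entries are constructed (one entry is deliberately wrong).

```shell
#!/bin/sh
# Verifier for the hash-line format emitted by createfilehashes.pl:
#   <OS number>:<path>:<md5>:<sha1>:<size>:-:
# Assumes GNU coreutils md5sum/sha1sum. Sample files and entries are constructed.
SAMPLE_DIR="$(mktemp -d /tmp/rkh.hashcheck.XXXXXX)" || exit 1
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'hello\n' > "$SAMPLE_DIR/ls"        # stands in for an unmodified binary
printf 'tampered\n' > "$SAMPLE_DIR/ps"     # contents differ from the recorded hashes
SAMPLE_HASHES="$SAMPLE_DIR/defaulthashes.dat"
cat > "$SAMPLE_HASHES" <<EOF
# constructed entries; both record the md5/sha1/size of the six bytes "hello\n"
0001:$SAMPLE_DIR/ls:b1946ac92492d2347c6235b4d2611184:f572d396fae9206628714fb2ce00f72e94f2258f:6:-:
0001:$SAMPLE_DIR/ps:b1946ac92492d2347c6235b4d2611184:f572d396fae9206628714fb2ce00f72e94f2258f:6:-:
EOF

# file_size FILE: size in bytes without platform-dependent padding
file_size() { wc -c < "$1" | tr -d ' '; }

# verify_entry LINE: return 0 if the file on disk matches md5, sha1 and size
verify_entry() {
    path="$(printf '%s\n' "$1" | cut -d: -f2)"
    exp_md5="$(printf '%s\n' "$1" | cut -d: -f3)"
    exp_sha1="$(printf '%s\n' "$1" | cut -d: -f4)"
    exp_size="$(printf '%s\n' "$1" | cut -d: -f5)"
    [ -f "$path" ] || { echo "MISSING $path"; return 1; }
    got_md5="$(md5sum "$path" | cut -d' ' -f1)"
    got_sha1="$(sha1sum "$path" | cut -d' ' -f1)"
    got_size="$(file_size "$path")"
    if [ "$got_md5" = "$exp_md5" ] && [ "$got_sha1" = "$exp_sha1" ] \
       && [ "$got_size" = "$exp_size" ]; then
        echo "OK $path"; return 0
    fi
    echo "MISMATCH $path (md5 $got_md5 sha1 $got_sha1 size $got_size)"; return 1
}

# verify_db FILE: check every entry, report the mismatch count, return 1 if any
verify_db() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        verify_entry "$line" || bad=$((bad + 1))
    done < "$1"
    echo "$bad mismatching file(s)"
    [ "$bad" -eq 0 ]
}
```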
#!/bin/sh
# Temporary file for sorting the results
TMPFILE="`mktemp /tmp/rkhunter.createhashes.XXXXXX`" || exit 1
DIRS="/sbin /bin /usr/bin /usr/sbin"
FILES="find
cron
ifconfig
watch
w
whoami
who
users
stat
sha1sum
kill
file
pstree
killall
lsattr
mount
netstat
egrep
fgrep
grep
cat
chmod
chown
env
ls
su
ps
dmesg
login
chkconfig
depmod
insmod
modinfo
sysctl
syslogd
init
runlevel
groups
ip"
for I in ${FILES}; do
for J in ${DIRS}; do
FILE="${J}/${I}"
if [ -f ${FILE} ]; then
./createfilehashes.pl ${FILE} >> ${TMPFILE}
fi
done
done
# -u drops duplicate lines, so a binary listed twice yields one entry
sort -u ${TMPFILE}
rm -f ${TMPFILE}
exit 0
#!/bin/sh
DIRS="/sbin /bin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"
for I in ${DIRS}; do