Updating rkhunter dat files

Rkhunter (Rootkit Hunter) is an open source scanner for Unix/Linux systems, released under the GPL, that checks for backdoors, rootkits and local exploits. It looks for hidden files, wrong permissions on binaries, suspicious strings in the kernel, and so on. To know more about rkhunter and its features, visit the rkhunter homepage.

The installer reports each directory it creates and each file it installs:

  Directory /usr/local/lib64/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
  Installing check_modules.pl: OK
  Installing filehashsha.pl: OK
  Installing stat.pl: OK
  Installing readlink.sh: OK
  Installing backdoorports.dat: OK
  Installing mirrors.dat: OK
  Installing programs_bad.dat: OK
  Installing suspscan.dat: OK
  Installing rkhunter.8: OK
  Installing ACKNOWLEDGMENTS: OK
  Installing CHANGELOG: OK
  Installing FAQ: OK
  Installing LICENSE: OK
  Installing README: OK
  Installing language support files: OK
  Installing Clam AV signatures: OK
  Installing rkhunter: OK
  Installing rkhunter.conf: OK
  Installation complete

After installation, rkhunter --update refreshes the .dat data files (the lists of known rootkits, backdoor ports, mirrors and bad programs installed above) from the mirrors:

  [ Rootkit Hunter version 1.4.2 ]
  Checking rkhunter data files...


  [Press <ENTER> to continue]

  Performing additional rootkit checks
    Suckit Rootkit additional checks                      [ OK ]
    Checking for possible rootkit files and directories   [ None found ]
    Checking for possible rootkit strings                 [ None found ]
    ...

  Performing checks on the network ports
    Checking for backdoor ports                           [ None found ]
    ...

  Performing system configuration file checks
    Checking for an SSH configuration file                [ Found ]
    Checking if SSH root access is allowed                [ Warning ]
    Checking if SSH protocol v1 is allowed                [ Warning ]
    Checking for a running system logging daemon          [ Found ]
    Checking for a system logging configuration file      [ Found ]
    Checking if syslog remote logging is allowed          [ Not allowed ]
    ...

The two warnings come from /etc/ssh/sshd_config: rkhunter found that root may log in over SSH and that the obsolete SSH protocol version 1 is still enabled. Fix the cause rather than the symptom (PermitRootLogin no, Protocol 2, then restart sshd). If root login over SSH is deliberate on this host, tell rkhunter so with ALLOW_SSH_ROOT_USER in rkhunter.conf, otherwise the warning will return on every run; the matching setting for protocol 1 is ALLOW_SSH_PROT_V1, but there is no good reason to keep protocol 1 enabled.
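The two checks above, reproduced as a small POSIX shell audit together with the weak and the corrected sshd_config side by side. This is an added example, not rkhunter's own code or configuration; the sample config files are constructed for the example, and the script assumes OpenSSH's "Keyword value" syntax with case-insensitive keywords where the first occurrence wins (the "Keyword=value" form and Match blocks are not handled).

```sh
#!/bin/sh
# Added example, not rkhunter's own code: reproduce the two sshd_config checks
# behind the "SSH root access" and "SSH protocol v1" warnings, and show the weak
# and the corrected settings side by side.
# Assumptions: OpenSSH-style "Keyword value" lines, keyword matching is
# case-insensitive and the first occurrence wins (as sshd does);
# "Keyword=value" syntax and Match blocks are not handled.

# Print the effective value of a keyword ($1 = sshd_config path, $2 = keyword).
ssh_option() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Audit one sshd_config. Prints one WARNING line per finding, returns 1 if any.
audit_sshd_config() {
    f=$1
    rc=0
    root=$(ssh_option "$f" PermitRootLogin)
    # Anything but an explicit "no" still lets root in by some method
    # (yes, without-password, prohibit-password, forced-commands-only); an
    # unset value is reported too, because the OpenSSH default has changed
    # between releases and a hardened host should state it explicitly.
    if [ "$root" != "no" ]; then
        echo "WARNING: SSH root login allowed (PermitRootLogin=${root:-unset})"
        rc=1
    fi
    proto=$(ssh_option "$f" Protocol)
    # Protocol may list several versions ("2,1"); any 1 in the list is a finding.
    case ",$proto," in
        *,1,*) echo "WARNING: SSH protocol v1 allowed (Protocol=$proto)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the settings that trigger both warnings above.
weak_config() {
    cat <<'EOF'
# sshd_config (weak)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: the corrected settings.
hardened_config() {
    cat <<'EOF'
# sshd_config (hardened)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Usage: ./audit_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run it against the real file after editing and before restarting sshd; a clean run prints nothing and exits 0, the weak sample prints both warnings and exits 1. The script deliberately flags an unset PermitRootLogin as well, which is stricter than relying on the OpenSSH default.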

Is there a tool like rkhunter that works over SSH, so that it could be run from another server entirely to lower the chance of false negatives? I think to be able to do that it would also have to fool the update servers (notice the rkhunter cronjob checks the version and updates itself before running a check).

I suppose in theory it would be possible, but I can't conceive of the level of integration with the install and updating that would be needed to pull off a trick like that. I remember in my 'windows' days I used to run two virus checkers and one discovered an infection whilst the other didn't, and vice versa.

If a rootkit comes onto your system, all it needs to do is replace rkhunter with a binary that prints "Updating... successful, scanning for rootkits, none found", etc.

Guys, if you are a regular reader of this site you will notice that this is our third article on security tools. Rkhunter works in the same manner as chkrootkit (see this article), but rkhunter also scans for other types of exploits. Continuing with the scanning-for-rootkits articles, we now concentrate on installing and configuring rkhunter.

The installer first checks its target directories:

  Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/local/share/man/man8: exists and is writable.

To run rkhunter unattended, create the following script with your favourite editor and call it from cron (daily is typical). It checks for a new rkhunter version, updates the data files, then runs the scan in cron mode and mails only the warnings:

  #!/bin/sh
  (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
  ) | /bin/mail -s 'rkhunter Daily Run (Put Your Server Name Here)' [email protected]

A scan starts with the system command checks:

  [ Rootkit Hunter version 1.4.2 ]
  Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                            [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                     [ None found ]
    Checking for preloaded libraries                      [ None found ]
    Checking LD_LIBRARY_PATH variable                     [ Not found ]

  Performing file properties checks
    Checking for prerequisites                            [ OK ]
    /usr/local/bin/rkhunter                               [ OK ]
    /usr/sbin/adduser                                     [ OK ]
    /usr/sbin/chkconfig                                   [ OK ]
    /usr/sbin/chroot                                      [ OK ]
    /usr/sbin/depmod                                      [ OK ]
    /usr/sbin/fsck                                        [ OK ]
    /usr/sbin/fuser                                       [ OK ]
    /usr/sbin/groupadd                                    [ OK ]
    /usr/sbin/groupdel                                    [ OK ]
    /usr/sbin/groupmod                                    [ OK ]
    /usr/sbin/grpck                                       [ OK ]
    /usr/sbin/ifconfig                                    [ OK ]
    /usr/sbin/ifdown                                      [ Warning ]
    /usr/sbin/ifup                                        [ Warning ]
    /usr/sbin/init                                        [ OK ]
    /usr/sbin/insmod                                      [ OK ]
    /usr/sbin/ip                                          [ OK ]
    /usr/sbin/lsmod                                       [ OK ]
    /usr/sbin/lsof                                        [ OK ]
    /usr/sbin/modinfo                                     [ OK ]
    /usr/sbin/modprobe                                    [ OK ]
    /usr/sbin/nologin                                     [ OK ]
    /usr/sbin/pwck                                        [ OK ]
    /usr/sbin/rmmod                                       [ OK ]
    /usr/sbin/route                                       [ OK ]
    /usr/sbin/rsyslogd                                    [ OK ]
    /usr/sbin/runlevel                                    [ OK ]
    /usr/sbin/sestatus                                    [ OK ]
    /usr/sbin/sshd                                        [ OK ]
    /usr/sbin/sulogin                                     [ OK ]
    /usr/sbin/sysctl                                      [ OK ]
    /usr/sbin/tcpd                                        [ OK ]
    /usr/sbin/useradd                                     [ OK ]
    /usr/sbin/userdel                                     [ OK ]
    /usr/sbin/usermod                                     [ OK ]
    ...

A [ Warning ] in the file properties check, as on ifdown and ifup here, means the file's hash, size, permissions or timestamps no longer match the properties database rkhunter stored when it was installed. That is usually the result of a package update, but do not assume so: verify the files with your package manager (for example rpm -V on an RPM-based system) and, only once you are satisfied the change is legitimate, refresh the database with rkhunter --propupd so the warning does not repeat.

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                              [ Not found ]
    ADM Worm                                              [ Not found ]
    AjaKit Rootkit                                        [ Not found ]
    Adore Rootkit                                         [ Not found ]
    aPa Kit                                               [ Not found ]
    ...
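The forum remark above is right that a rootkit which can replace the rkhunter binary can just as easily rewrite the file properties database rkhunter keeps on the same host, so an on-host baseline proves little once the host is compromised. The following POSIX shell script is an added example (not rkhunter's own code, and not a feature of rkhunter) of the approach the question asks about: keep a hash baseline of critical binaries on a separate trusted host and compare it with what the monitored host reports over SSH. It assumes key-based ssh access, sha256sum on both ends, and a baseline file in the "hash  path" format sha256sum prints; the WATCHED list and the host name in the usage comment are assumptions, and the listings used offline are constructed.

```sh
#!/bin/sh
# Added example, not rkhunter's own code. rkhunter's file properties check
# compares binaries against a database kept on the same host
# (/var/lib/rkhunter/db/rkhunter.dat), so a rootkit that can swap the rkhunter
# binary can also rewrite that database. This script keeps the baseline on a
# separate, trusted host and compares it with what the monitored host reports
# over SSH. Assumptions: key-based ssh access, sha256sum on both ends, and
# "hash  path" lines in the baseline file (the format sha256sum prints).

# Files worth tracking; extend to taste. The list itself is an assumption.
WATCHED="/usr/local/bin/rkhunter /usr/sbin/sshd /usr/sbin/init /usr/sbin/lsof"

# Ask the remote host for current hashes ($1 = host, remaining args = paths).
# Not exercised offline; BatchMode makes a missing key fail instead of prompting.
remote_hashes() {
    host=$1; shift
    ssh -o BatchMode=yes "$host" sha256sum "$@"
}

# Hash for one path in a sha256sum-style listing ($1 = listing, $2 = path).
hash_of() {
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# Compare a baseline listing ($1) with a current listing ($2). Prints
# CHANGED/MISSING/NEW <path> per discrepancy; returns 1 if anything differs.
compare_baseline() {
    baseline=$1; current=$2
    rc=0
    while read -r hash path; do
        [ -n "$path" ] || continue
        cur=$(hash_of "$current" "$path")
        if [ -z "$cur" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$cur" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$baseline"
    while read -r hash path; do
        [ -n "$path" ] || continue
        [ -n "$(hash_of "$baseline" "$path")" ] || { echo "NEW $path"; rc=1; }
    done < "$current"
    return $rc
}

# Full check: fetch current hashes from the host and diff them against the
# stored baseline. Usage: ./check_host.sh monitored.example.com baseline.sha256
check_host() {
    host=$1; baseline=$2
    tmp=$(mktemp) || return 2
    remote_hashes "$host" $WATCHED > "$tmp" || { rm -f "$tmp"; return 2; }
    compare_baseline "$baseline" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ $# -eq 2 ]; then
    check_host "$1" "$2"
fi
```

Build the baseline from a state you trust (immediately after a clean install, or against hashes from the distribution's packages) and regenerate it only after a verified package update, much as you would run rkhunter --propupd locally. Two caveats remain: the comparison is only as honest as the sha256sum the monitored host runs, so a kernel-level rootkit that hides or patches file reads will still pass, and a compromised host can hand back whatever hashes it likes. This catches the userland "replace rkhunter with a fake" case from the discussion above; for anything deeper, hash the filesystem from a rescue boot or a read-only mount on another machine.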
