~ubuntu-branches/ubuntu/feisty/rkhunter/feisty

Viewing changes to files/README

Committer: Bazaar Package Importer
Author(s): Julien Valroff
Date: 2006-10-22 09:58:10 UTC
mfrom: (1.1.2 upstream) (2.1.1 etch)
Revision ID: james.westby@ubuntu.com-20061022095810-av7dpiazai5sjwdb

Tags: 1.2.9-2

http://bugs.debian.org/330930

* Added patch to ship the package with only updated mirrors
* Added patch to fix output when dash is linked to dash (Closes: #330930)

files added:
debian/patches/02_only-updated-mirrors.dpatch

debian/patches/03_dash-output.dpatch

debian/po/pt.po

files removed:
debian/patches/02_regex_escape.dpatch

debian/patches/03_avoid_broken_mirrors.dpatch

files modified:
debian/README.Debian

debian/changelog

debian/control

debian/cron.daily

debian/patches/00list

debian/patches/04_add_sid_etch_architectures.dpatch

debian/patches/05_custom_conffile.dpatch

debian/patches/06_lib_to_share.dpatch

debian/rules

debian/watch

files/CHANGELOG

files/README

files/WISHLIST

files/check_update.sh

files/defaulthashes.dat

files/development/rkhunter.8

files/mirrors.dat

files/os.dat

files/programs_bad.dat

files/programs_good.dat

files/rkhunter

files/rkhunter.conf

files/rkhunter.spec

installer.sh

Show diffs side-by-side

added added

removed removed

files/README

#################################################################################

Project Members:

- Michael Boelen (Project leader / founder)

The Rootkit Hunter project team are:

- Gary Bak

- Konsolebox

- Andrej Ricnik

- Jim Mcnamara

- Sibtay Abbas

- Junaid Sahibzada

- John Horne

- Constantin Stefan

- unSpawn

Known contributors:

- Macemoneta: (SF tracker bug 1449701)

- B. Donnachie: (rkhunter-users: cAos support)

- John Horne: (rkhunter-users: user support and patches)

- intrigeri: (rkhunter-users: parallel run support)

- jabel: (rkhunter-users: FreeBSD 6.1 cli vs cron)

- baddcarma: (rkhunter-users: ProFTPd 1.3.0 on SuSE 10.0)

- Michael Boelen (founder)

Translators:

- Dutch, English : Michael Boelen <michael AT rootkit DOT nl>

#################################################################################

See the website for the latest and complete FAQ

Basic questions

What's up with Rootkit Hunter? I haven't seen any updates in *ages*!

In the second quarter (IIRC) of 2006 the founder of Rootkit Hunter (abbrev.: RKH)

found out the hard way maintaining FOSS can be difficult when RL commitments overrule.

Management of the project (read: responsability ;-p) was taken over by unSpawn and

a project group comprising of developers and testers was formed. The Rootkit Hunter

project team is committed to making sure development continues. If you're interested

in joining the development team send an email to unspawn at users dot sourceforge dot

net (--verbosity appreciated).

What is Rootkit Hunter?

It is an easy-to-use tool which checks machines running UNIX (clones) for the

presence of rootkits and other unwanted tools.

What are rootkits?

Most times it are selfhiding toolkits used by blackhats/crackers/scriptkiddies to

avoid the eye of the sysadmin.

How do I install Rootkit Hunter?

Download the gzipped tarball, extract it and run the installation script.

download Rootkit Hunter from http://rkhunter.sourceforge.net

Note: It doesn't matter where you save the archive

extract:

# tar zxf rkhunter-<version>.tar.gz

installation:

# cd rkhunter

# ./installer.sh

Or you can create a RPM file with the integrated rkhunter.spec file and install

your own package

# rpmbuild -ta rkhunter-<version>.tar.gz

Note: I don't support any 3rd party RPM file, but I will maintain the spec file.

If you have questions/suggestions about the spec file, please let us know.

Rootkit Hunter tells me there is something wrong with my system, what to do?

* Read "Intruder Detection Checklist" first:

http://www.cert.org/tech_tips/intruder_detection_checklist.html

it tells you what to check. This makes it easier for you to find out and

answer questions.

* Remember that if you are unsure you can get a second opinion about everywhere

100

from the rkhunter-users mailinglist to Linux-oriented fora like LinuxQuestions.org

101

to IRC.

102

103

(1) If just one check fails, it is possible you have an so called false positive.

104

Sometimes this will happen due to package updates, custom configurations or

105

changed binaries. If so, please validate:

106

107

Files:

108

- If you run a file integrity checker like Aide, Samhain or even tripwire consult

109

the result from running those tools. Note they must be installed directly after

110

the O.S. installation to be useful and you must keep a copy of the binary, config

111

and databases off-site. Also note running those and Rootkit Hunter is no substitute

112

for updating software when updates are released and proper host and network hardening.

113

- If you don't run a file integrity checker you can possibly use your distributions

114

package management system if it (is configured to) deal with verification.

115

- "strings <file>" and check for untrusted file paths (things like /dev/.hiddendir)

116

- recently updated binaries and their original source. If it is due an update, please sent

117

us an URI to the changed file (like a RPM), so I can add new hashes to the databases.

118

- "file <file>" and compare them with others (especially trusted binaries). If some binaries

119

are linked static and others are all dynamic, than they could have been trojaned..

120

121

Other warnings:

122

If you have a warning about another part of the checks, please join the rkhunter-users

123

mailinglist and tell us about your system configuration:

124

- purpose of the server (for example: webserver, intranet fileserver, shell server),

125

- the (aproximate) date of the incident and when you found out,

126

- the running distribution name, release and kernel version,

127

- if any passwd/shadow data has changed,

128

- any anomalies you find from reading system, daemon, IDS and firewall logs,

129

- if all installed software was recently updated,

130

- what services are or where running at the time,

131

- if you found setuid root files in directories for temporary files,

132

- any anomalies you find from reading user shell histories.

133

134

135

(2) If your system is infected with an rootkit, cleaning up is not an option. Restoring

136

is also not an option unless you are skilled and have autonomous and independant means of

137

verifying the backup is a) clean and b) does not contain misconfigured or stale software.

138

Never trust a compromised machine. Period.

139

140

* Read "Steps for Recovering from a UNIX or NT System Compromise":

141

http://www.cert.org/tech_tips/root_compromise.html

142

143

A clean install of the system is recommended after backing up the full system. So follow

144

the next steps:

145

1. Stay calm. Be methodical.

146

2. From another machine inform users (and the network, facility or host owner) the machine

147

is compromised.

148

3. Get the host offline or make sure the firewall is raised to only allow traffic to and from

149

your management IP or range.

150

4. Backup your data. If you do not intend to investigate: do not backup binaries or binary data

151

you have not the means for to verify their integrity.

152

5. Verify the integrity of your backup by visual inspection (auth data, configs, logs) or using

153

a file integrity checker or your distributions package management tools.

154

6. Install your host with a fresh install and restrict network access to it using the systems

155

authentication features like accounts, PAM, firewall, tcp wrappers, daemon configs, while

156

you update and configure software and services. Please make sure you properly harden the machine.

157

7. Investigate the old log files and the possible used tools. Also investigate the services which

158

were vulnerable at the time of hack.

159

160

161

162

What does the warning "Determining OS... Warning: this operating system is not fully

163

supported!" mean?

164

It simply means: not all functions and checks can be performed, because the system is

165

'unknown' to the script (things like which md5 utility is available, md5 hashes for

166

this system etc.). If you want support for a newly distro, please join the

167

rkhunter-users mailinglist and tell us which distro you are using.

168

169

170

171

Rootkit Hunter gives me a error some binary couldn't be found, what do do?

172

Sometimes a binary can't be found in the PATH variable. Because Rootkit Hunter just tries

173

to run the binary by executing it without a path, the systems will searches it path. If

174

the binary couldn't be found, an error will occur.

175

176

For example:

177

Checking loaded kernel modules... /usr/local/bin/rkhunter: lsmod: command not found

178

[ Warning! (found difference in output) ]

179

Please enter `echo $PATH` and check your path settings.

180

181

182

183

Rootkit Hunter tells me a lot of installed software is 'vulnerable', what does it mean?

184

It means this software does possible contain software bugs which make external (or local)

185

attacks possible. In worst case, a person with malicious intentions can get full access

186

to your server.

187

188

189

190

Rootkit Hunter tells me I have vulnerable applications installed, but I have fully patched

191

my server! How is this possible?

192

Some distributions like Red Hat and OpenBSD do patch old versions. So Rootkit Hunter thinks

193

it's a old version, but instead it's a safe patched version. If you have the same situation,

194

don't use the program version checker (--skip-application-check), to suppress the false positives.

195

196

197

198

Rootkit Hunter installation fails with Solaris, why?

199

You have to use the bash shell to install Rootkit Hunter.

200

201

# (/path/to)bash installer.sh

202

203

204

B10

205

How can I run Rootkit Hunter every day?

206

207

You can create a cronjob script like this:

208

=========== /etc/cron.daily/rkhunter ====================

209

#!/bin/sh

210

( /usr/local/bin/rkhunter --versioncheck

211

/usr/local/bin/rkhunter --update

212

/usr/local/bin/rkhunter --cronjob --report-warnings-only

213

) | /bin/mail -s 'rkhunter Daily Run' root

214

=========================================================

215

Or add a line in your /etc/crontab file directly.

216

217

218

Errors from external software

219

220

E1 - I use prelinking, but after performing some updates all binaries are 'BAD' when checking

221

with Rootkit Hunter, what to do?

222

Most times the prelinking database has to be rebuild (prelinking will optimize your binaries

223

and libraries). This is because after every change in 1 of the binaries (or libraries), it needs

224

to optimize all files again. On Red Hat / Fedora, run:

225

# /etc/cron.daily/prelink

226

227

228

229

I get warnings from PHP, like:

230

PHP Warning: Function registration failed - duplicate name - pg_update in Unknown on line 0

231

232

Most times this is because you have updated the Apache version of PHP, but forgot to update/recompile

233

the CLI (console version) of PHP. So recompile/update it and retry.

234

235

236

Update problems/questions

237

238

239

Rootkit Hunter tells me I have multiple versions installed, how it this possible?

240

241

Most times you install a tool and upgrade it later. Sometimes if you use a 'non-official' updater

242

(let's say from an external party, build from source/using a installer like RPM/DEB/TGZ), the

243

binaries will be installed in another place than the original. So there are two binaries with the

244

same name, but on another place (/usr/bin and /usr/local/bin for example). You have to check which

245

binaries are old and can be safely removed/replaced (tip: make a copy / use replace, instead of

246

removing).

247

248

249

250

Although Rootkit Hunter tells me my binaries do have the correct hashes (=OK), the logfile

251

shows a lot of incorrect items. How is that possible?

252

Because the main program is a shell script, a lot of small utilities are used to read the database

253

(in fact a CSV-alike file). The output you see in the logfile is debug information and contains of

254

a lot of extra information. Because every line of the hash database will be read and compared with

255

the real hash of the binary, it will have some good and bad hashes for one single binary (because

256

the multiple versions of a single binary). Every line will be available in the logfile too, so if

257

a hash DOESN'T match with the binary, it will log this too. If ONE of the multiple hashes match,

258

you don't have to worry about the 'failed' lines.

259

260

261

262

How can I run Rootkit Hunter on a daily basis?

263

Add it as a cronjob to /etc/crontab. Example:

264

30 5 * * * root </path>/rkhunter -c --cronjob <more options>

265

Rootkit Hunter will now run at 5:30 (AM)

266

267

268

269

My operating system isn't supported! Can you add support for it?

270

A: Yes and no. Please join the rkhunter-users mailinglist and tell us which operating system you're using

271

include system architecture.

272

273

274

275

Can I be notified when a new release will be available?

276

A: Yes you can, please join the rkhunter-announce mailinglist (low volume) or subscribe to the Freshmeat

277

project page: http://freshmeat.net/projects/rkhunter/. If you're a Sourceforge user like us you can also

278

monitor the project for changes. Luckily the Sourceforge is *that* easy to use I don't need to give you

279

instructions ;-p

280

281

282

283

What is the best way to run Rootkit Hunter from the crontab?

284

A: Add a cronjob with the parameters '-c --quiet --cronjob'. It will run Rootkit Hunter without colors and

285

without layout characterics (--cronjob). Rootkit Hunter will only show text when it founds some warnings

286

or errors. Very nice when you own a lot of machines and don't want to have a huge amount of mail ;-)

287

288

289

290

Can I help with the development of this project?

291

Everyone can help, period.

292

- Help your fellow Rootkit Hunter users on the rkhunter-users mailinglist,

293

- Send a copy of an undetected rootkit so it can be added and help others,

294

- Are you a package maintainer? Please submit your changes so *everyone* can benefit from it,

295

- Are you an enduser? Ultimately FOSS, and so RKH, depends on *you*. Contributing is *your*

296

responsability, not someone elses. Whatever you contribute constructively is very much welcome:

297

contribute or discuss enhancing Rootkit Hunter with us, submit a patch or discuss enhancements,

298

file a bug report, test the application by using it on your servers.

299

300

301

302

I like your software! How can I thank you?

303

Simple. By contributing.

304

305

306

See http://rkhunter.sourceforge.net for the latest and complete FAQ.

307

(when the site is updated, OK)

308

309

310

Older »