Koozali.org: home of the SME Server

Contrib Feedback: Root Kit Hunter

wellsi
Contrib Feedback: Root Kit Hunter
« on: July 18, 2004, 05:43:02 PM »
Root Kit Hunter

Rootkit scanner is a scanning tool to ensure you are about 99.9% clean of nasty tools. This tool scans for rootkits, backdoors and local exploits.

Author(s): Duncan Thomas
Contributor(s):
License: GPL

How To Link: http://no.longer.valid/phpwiki/index.php/RootKitHunter%20how%20to
Topic Page: Intrusion Detection

This thread is for feedback specifically related to this How To & Contrib.
Reports of success are welcome, as well as any problems and suggested improvements.

Muzo

Contrib Feedback: Root Kit Hunter
« Reply #1 on: July 19, 2004, 04:34:44 PM »
Hi,

What is the difference between Duncan's rpm and this how to: http://no.longer.valid/phpwiki/index.php/HowToInstallRootKitHunter ?

Is RKHunter optimized for SME?

wellsi
Contrib Feedback: Root Kit Hunter
« Reply #2 on: July 19, 2004, 06:41:15 PM »
A very good question which I was also thinking of whilst adding Duncan's info to the How To Classification.

I noticed that your (& mbachmann's) HowTo is "Tested on SME Version 5.6 GPL", have you also tested it on 6.0?

Is the core SW the same for both and the only difference being how it is packaged RPM vs TGZ? I can see a benefit of having both (as we have for other packages).

Or are these two different projects?

Could someone check and report back with the details?

duncan

Contrib Feedback: Root Kit Hunter
« Reply #3 on: July 20, 2004, 12:17:10 AM »
There is no real difference - it's just a package I made for easy installation onto my customers' machines.

I added a cronjob that runs weekly and emails its findings to admin.

Regards Duncan

Muzo

Contrib Feedback: Root Kit Hunter
« Reply #4 on: July 20, 2004, 09:27:46 AM »
Oh! OK, good job Duncan! :hammer:

But I see that RKHunter changes quickly; I wrote the how to with the 1.0.5 revision, and now the revision number is 1.1.2. Good luck!


Wellsi, I'm still on SME 5.6, but I think mbachmann has an SME 6.0.

Now, if you want to test it, use Duncan's RPM, because you can remove the rpm.
If you want to use it in production, I prefer to use the tgz file. In the tgz there is an installation script. But you can't remove it (huh... I never tried it). And... I never tested an update of my RKHunter 1.0.5.. :idea:

Duncan, I've got a question: suppose I install your RPM. Can I update it with the latest tgz?

duncan

Contrib Feedback: Root Kit Hunter
« Reply #5 on: July 20, 2004, 09:44:34 AM »
Yes. At this rate I will probably be putting out an rpm per week :roll:

The configs are in a different location on the rpm than the source. I am not sure how that would affect things for you. I will update the package shortly.

Duncan

mbachmann

Contrib Feedback: Root Kit Hunter
« Reply #6 on: July 22, 2004, 11:48:35 AM »
Yes, I run 2 SME 6.0.1 machines and I have not tested Muzo's contrib on them; I just added the cron part to the howto for completeness. I tried Duncan's contrib first and found it working and easy. Actually the cron part is obsolete, because of the rkhunter --cronjob switch in Duncan's rpm.

wellsi
Contrib Feedback: Root Kit Hunter
« Reply #7 on: July 22, 2004, 12:31:44 PM »
Nice to see the active discussion.

I just tested the TGZ install on 6.0.1; it works fine.

Both are now listed together at the Topic Page: Intrusion Detection

The RPM install (I have added usage instructions now):
http://no.longer.valid/phpwiki/index.php/RootKitHunter%20how%20to

The TGZ install:
http://no.longer.valid/phpwiki/index.php/HowToInstallRootKitHunter


From the discussion it appears that the RPM would be used for most installs (easy and can be removed), but that the TGZ is used for getting the latest update (in between releases of the RPM) and for cases where you prefer not to use the RPM.

It would be good to know if the TGZ can be used as an update - and add that to the How-To(s).

You may also want to consider pointing the feedback on the TGZ How-To to this thread (or create a new one).

Muzo

Contrib Feedback: Root Kit Hunter
« Reply #8 on: July 22, 2004, 04:16:47 PM »
OK, I've got an idea.

We use Duncan's RPM, so we use the same things. And I suppose that if Duncan changed the configuration files' location, he has good reasons.

I suggest that, to update faster and let Duncan breathe a little ;-), we use the TGZ files, but we must modify the install.sh script to put those configuration files in the right place (Duncan's rpm place).

Duncan, do you think my idea is realizable?

duncan

Contrib Feedback: Root Kit Hunter
« Reply #9 on: July 23, 2004, 12:35:01 AM »
I would say that if you are currently installing from source - then just stay with that. There is really no need to jump between the two.

The rpm might end up being a hit and miss thing - getting done when I have the time (which is sometimes really lacking ;-)).

There are times when rpm packages save a huge amount of time. This is not one of them.

duncan

Contrib Feedback: Root Kit Hunter
« Reply #10 on: July 26, 2004, 02:07:21 AM »
I have updated rkhunter to 1.1.3. However - I have changed the install paths to the defaults so those using this rpm will need to remove the original before installing the new package.

rpm -e smeserver-rkhunter
then
rpm -ivh smeserver-rkhunter-1.1.3-1.noarch.rpm

I have done this to make building packages quicker and easier at my end.

Regards Duncan.

mdo
Contrib Feedback: Root Kit Hunter
« Reply #11 on: August 07, 2004, 10:33:47 PM »
Duncan,

I appreciate your work on building the smeserver-rkhunter rpm. I prefer to install rpms on production machines as this makes administration easier.

Can I suggest changing the weekly cron job to include the full path to rkhunter? Rather than

rkhunter --cronjob | /bin/mail xxxx it should be
/usr/local/bin/rkhunter --cronjob | /bin/mail xxxx.

Regards,
Michael Doerner

duncan

Contrib Feedback: Root Kit Hunter
« Reply #12 on: August 11, 2004, 01:46:03 AM »
I have made the change in the latest build - 1.1.4.1

Regards Duncan

mdo
Contrib Feedback: Root Kit Hunter
« Reply #13 on: August 11, 2004, 07:48:26 AM »
Duncan,

Excellent. Many thanks for your update and the ongoing work on that software. It's much appreciated.

Regards,
Michael

mbachmann

Contrib Feedback: Root Kit Hunter
« Reply #14 on: August 11, 2004, 09:22:26 AM »
I second that. Thanks, Duncan.

lee

Contrib Feedback: Root Kit Hunter
« Reply #15 on: August 11, 2004, 09:23:29 PM »
I've just been trying rkhunter and it's great, thanks Duncan. Just a couple of points though.

Duncan, you have included in your rpm /usr/local/rkhunter/lib/rkhunter/tmp/group and
/usr/local/rkhunter/lib/rkhunter/tmp/passwd, which contain a copy of the passwd and group files on your server, so the first time rkhunter is run it reports spurious changes. If these files are omitted then rkhunter just builds the files the first time it runs, without reporting changes.

Secondly rkhunter doesn't recognise the distribution correctly and so all the md5 checks are skipped thus defeating one of its main features.  This is because 5.6 lacks an /etc/redhat-release file and 6.x has an /etc/redhat-release file but with non-standard text.  rkhunter can be patched to recognise 5.6+ smeserver as RH7.3 fairly easily.  Paste the code below into a file (say /tmp/rkhunter.patch)
Code:

--- /usr/local/bin/rkhunter     Wed Aug 11 19:26:43 2004
+++ /usr/local/bin/rkhunter.new Wed Aug 11 19:29:51 2004
@@ -1704,6 +1704,13 @@
            fi
        fi

+       # smeserver / e-smith is a RH7 based distro so pretend we saw RH7.3
+       if [ -e "/etc/e-smith-release" ]
+         then
+           full_osname='Red Hat Linux release 7.3 (Valhalla)'
+           valid_os='1'
+           logtext "Info: Found /etc/e-smith-release"
+       fi

        # Debian?
        if [ -e "/etc/debian_version" ]
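Review bot: the added block sets full_osname and valid_os but the visible context shows no else-chain or early exit after it, and the post above notes that 6.x also has an /etc/redhat-release with non-standard text; whether that redhat-release test, which lies outside this hunk, runs after this block and overwrites full_osname cannot be told from the hunk, so it is worth confirming the final value on a 6.x box (the existing logtext call could log full_osname as well). Also, the literal 'Red Hat Linux release 7.3 (Valhalla)' has to match rkhunter's own OS string exactly for the RH7 checksum sets to be picked up, which is the point of the patch, so any later change to that string on rkhunter's side silently reverts to skipping the md5 checks.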

Then enter
Code:
patch -p0 </tmp/rkhunter.patch

rkhunter should now run md5 checks correctly.

Thirdly, just a note: to get rkhunter to give a totally clean bill of health you need to disable the older and insecure ssh version 1 connections. Most reasonably up-to-date clients default to version 2 anyway, so disabling version 1 shouldn't cause any problems.

Code:
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
echo "Protocol 2" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/20Protocol
/sbin/e-smith/expand-template /etc/ssh/sshd_config
/sbin/service sshd reload


rkhunter should now run without reporting any warnings, allowing a lazy admin to just check the bottom of the report for "Some errors has been found while checking. Please perform a manual check on this machine xxxx" if anything does happen.

duncan

Contrib Feedback: Root Kit Hunter
« Reply #16 on: August 12, 2004, 12:48:46 AM »
Oops, I really should pull my finger out and do something about my buildroot. Fancy shipping an rpm with my usernames and groups.

Thanks for the tip on the patch. I have built, patched and uploaded 1.1.5.1. I should really talk to the USA guys about modifying their script for automatic updates.

A question to those using this. Would you prefer to see an email notification that results from

/usr/local/bin/rkhunter --cronjob --quiet | /bin/mail admin

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #17 on: August 12, 2004, 11:35:38 AM »
Hi guys,

I've gone for the lazy admin option of:
Code:
#!/usr/bin/perl -w
#
# Run a rkhunter scan and email admin if something interesting found
#
use strict;
use Sys::Hostname;                      # cron rarely sets $ENV{HOSTNAME}
use constant TRUE         => 1;
use constant FALSE        => not TRUE;
use constant SUBJECT      => ($ENV{HOSTNAME} || hostname()) . " weekly rkhunter check";
use constant EMAIL        => 'admin';
use constant ONLY_ON_FAIL => TRUE;      # mail only when a warning appears
use constant FULL_REPORT  => TRUE;      # whole report rather than --quiet output
my $command='/usr/local/bin/rkhunter --cronjob'.(FULL_REPORT?'':' --quiet');
# Capture the scan output with backticks; assigning $command itself would
# only store the command string and nothing would ever match /warning/
my $results=`$command 2>&1`;
if(not ONLY_ON_FAIL or $results=~/warning/i){
        open(OUTPUT,'|/bin/mail -s "'.SUBJECT.'" '.EMAIL)
                or die "$0: Can't send email $?";
        print OUTPUT $results;
        close(OUTPUT);
}

So I'm only sent an email if there is anything wrong, but when it does email it sends the whole report for me to look through. One advantage is that once you have rkhunter running clean you can move the script from a weekly check up to a more frequent scan, daily or even hourly depending on your degree of paranoia, giving faster notification of a potential security problem.

Regards,
Lee

mdo
Contrib Feedback: Root Kit Hunter
« Reply #18 on: August 13, 2004, 10:19:53 PM »
Re: md5 checks

Thanks Lee and Duncan for the updates but I suspect that (even with the latest version 1.1.5) md5 checks are not working here?

Rootkit Hunter 1.1.5 is running
Determining OS... Ready
Checking binaries
....
- Scan results --

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

Lee, from your patch:

logtext "Info: Found /etc/e-smith-release"

is this info going into the rkhunter's logfile (email)? I cannot find that.

cat /etc/e-smith-release
SME Server 6.0.1-01

so this file does exist.

Any ideas?

Thanks,
Michael

lee

Contrib Feedback: Root Kit Hunter
« Reply #19 on: August 16, 2004, 12:07:08 PM »
Well they do kinda work but ...

When rkhunter does its md5 checks it does two sets of checks: one against a white list of programs that should match a set of good program checksums, the other against a black list of known bad program checksums that are placed on the system by rootkits. There are sets of white/black lists per operating system / distribution. Neither RH7 nor SME has a white list of good MD5 checksums, so that is why you get "MD5 compared: 0" at the end: rkhunter has successfully scanned down an empty list! rkhunter does however scan system files against the MD5 checksums of known rootkit hacked versions for RH7 (1.1.4 with my patch or version 1.1.5 onwards).

The "Info: Found /etc/e-smith-release" line does go into the logfile, but rkhunter only writes to its logfile (default: /var/log/rkhunter.log) if the program is run with the '--createlogfile' option (rkhunter --help gives the syntax breakdown).
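To make the two checks Lee describes concrete, here is an added Python illustration (not rkhunter's code and not posted by anyone in this thread): a per-OS whitelist and a rootkit blacklist run over a constructed stand-in for /bin, showing why an OS with no whitelist reports "MD5 compared: 0" while the blacklist still catches a replaced binary. All OS names, file contents and checksums are constructed for the example, and the blacklist is collapsed to a single list rather than one per OS.

```python
import hashlib
import os
import tempfile


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (the same value md5sum would print)."""
    return hashlib.md5(data).hexdigest()


# Constructed whitelist of known-good checksums, keyed by OS string the way
# rkhunter keys its per-OS lists. "Red Hat Linux release 7.3 (Valhalla)", the
# string Lee's patch reports for SME, is deliberately absent: with no
# whitelist nothing is compared, exactly the "MD5 compared: 0" in the thread.
GOOD_MD5 = {
    "Example Linux 1.0 (constructed)": {
        "ls": md5_hex(b"genuine ls for Example Linux"),
        "ps": md5_hex(b"genuine ps for Example Linux"),
    },
}

# Constructed blacklist: checksums of binaries as a rootkit would leave them.
# Consulted regardless of whether the OS has a whitelist.
BAD_MD5 = {
    md5_hex(b"ls that hides rootkit files"): "rootkit-replaced ls (constructed)",
    md5_hex(b"ps that hides rootkit processes"): "rootkit-replaced ps (constructed)",
}


def scan(bindir: str, os_name: str) -> dict:
    """Run the whitelist and blacklist checks over every file in bindir.

    Returns counters in the style of rkhunter's scan summary plus the
    blacklist hits, so both "MD5 compared" and real findings are visible.
    """
    good = GOOD_MD5.get(os_name, {})   # empty when the OS has no whitelist
    result = {"md5_compared": 0, "incorrect_md5": 0, "rootkit_hits": []}
    for name in sorted(os.listdir(bindir)):
        with open(os.path.join(bindir, name), "rb") as fh:
            digest = md5_hex(fh.read())
        if name in good:               # whitelist check: only if an entry exists
            result["md5_compared"] += 1
            if digest != good[name]:
                result["incorrect_md5"] += 1
        if digest in BAD_MD5:          # blacklist check: always runs
            result["rootkit_hits"].append((name, BAD_MD5[digest]))
    return result


def make_sample_bindir(trojaned: bool) -> str:
    """Constructed stand-in for /bin: two files, optionally with a replaced ls."""
    bindir = tempfile.mkdtemp(prefix="rkdemo-")
    ls_bytes = (b"ls that hides rootkit files" if trojaned
                else b"genuine ls for Example Linux")
    for name, data in (("ls", ls_bytes), ("ps", b"genuine ps for Example Linux")):
        with open(os.path.join(bindir, name), "wb") as fh:
            fh.write(data)
    return bindir


if __name__ == "__main__":
    sample = make_sample_bindir(trojaned=True)
    # SME reported as RH7.3: compared 0, yet the blacklist still flags ls.
    print("as RH7.3:", scan(sample, "Red Hat Linux release 7.3 (Valhalla)"))
    # An OS with a whitelist: the same replaced ls also counts as an incorrect MD5.
    print("with whitelist:", scan(sample, "Example Linux 1.0 (constructed)"))
```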

mdo
Contrib Feedback: Root Kit Hunter
« Reply #20 on: August 16, 2004, 12:38:50 PM »
Many thanks for the clarification and your help Lee, everything works as explained (ver 1.1.5 here, used the createlogfile option).

Regards,
Michael

duncan

Contrib Feedback: Root Kit Hunter
« Reply #21 on: August 16, 2004, 12:56:16 PM »
Hi all,

I think I will make use of the perl script and go to a daily run on the next release. It will mean adding the ssh template - but I can't see that as being a drama.

Thanks Lee for the additions - they clean things up nicely.

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #22 on: August 19, 2004, 10:48:05 AM »
Michael is hard at work with another new version of rkhunter (1.1.6) available at http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.1.6.tar.gz.  It seems to run fine on 6.0.1 (once patched for sme) although it reports an increasing number of programs - GnuPG, Apache, OpenSSL and ProFTPd - as vulnerable and needing upgrading to later versions to avoid being security holes.  Guess I'll hide that bit from the suits until I've had a chance to source and test some upgrade rpms :-( .

Lee

lee

Contrib Feedback: Root Kit Hunter
« Reply #23 on: August 19, 2004, 11:50:27 AM »
Also I note that the --update option seems to have been fixed and works as long as /usr/local/etc/rkhunter.conf has the lines:
    LATESTVERSION=/rkhunter_latest.dat
    UPDATEFILEINFO=/rkhunter_fileinfo.dat
(upgrading seemed to preserve a version of the conf file that didn't have these, leading to errors during update). I've updated that little perl script to run an update before checking the system.

Code:
#!/usr/bin/perl -w
#
# Run a rkhunter scan and email admin if something interesting found
#
use strict;
use Sys::Hostname;                      # cron rarely sets $ENV{HOSTNAME}
use constant TRUE         => 1;
use constant FALSE        => not TRUE;
use constant SUBJECT      => ($ENV{HOSTNAME} || hostname()) . " daily rkhunter check";
use constant EMAIL        => 'admin';
use constant ONLY_ON_FAIL => TRUE;      # mail only when a warning appears
use constant FULL_REPORT  => TRUE;      # whole report rather than --quiet output
use constant UPDATE       => TRUE;      # refresh the rkhunter databases first
if(UPDATE){
        # stdout is discarded; with this redirect order stderr still goes to
        # cron's mail, so a failed update is not silent
        system('/usr/local/bin/rkhunter --update 2>&1 >/dev/null')
}
my $command='/usr/local/bin/rkhunter --cronjob'.(FULL_REPORT?'':' --quiet');
# Capture the scan output with backticks; assigning $command itself would
# only store the command string and nothing would ever match /warning/
my $results=`$command 2>&1`;
if(not ONLY_ON_FAIL or $results=~/warning/i){
        open(OUTPUT,'|/bin/mail -s "'.SUBJECT.'" '.EMAIL)
                or die "$0: Can't send email $?";
        print OUTPUT $results;
        close(OUTPUT);
}


Lee

duncan

Contrib Feedback: Root Kit Hunter
« Reply #24 on: August 20, 2004, 12:48:52 AM »
I have added 1.1.6 to the directory.

It now uses the above script (cheers and beers for Lee) on a daily basis and adds an ssh template fragment to disable ssh V1 connections.

rpm -e to remove the weekly script
rpm -ivh to install the new package

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #25 on: August 20, 2004, 01:20:50 PM »
Hi Duncan,

Tried out your latest rpm on a couple of machines and it all works great (5.6/6.0.1).  Thanks for all your work.

Lee

lee

Contrib Feedback: Root Kit Hunter
« Reply #26 on: August 30, 2004, 02:58:52 PM »
Hi all,

There is a new version of the rootkit hunter code (1.1.7) available from the freshmeat site http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.1.7.tar.gz. I patched the program for SME and it seems to run fine. The new version checks for passwordless logins as well as extra rootkits.

Regards,
Lee.

dilligaf
assistance to determine if I can change these pkg
« Reply #27 on: August 30, 2004, 05:30:14 PM »
Hi,
I ran the latest rkhunter.
Under the Application version scan I was presented with the following:
GnuPG 1.0.7 Vulnerable http://www.gnupg.org/
Apache 1.3.27 Vulnerable http://www.apache.org/
OpenSSL 0.9.6b Vulnerable http://www.openssl.org/
ProFTPd 1.2.9 Vulnerable http://www.proftpd.org/
I am on SME 6.0.1.
Should I change these pkgs? Do I just get the latest from the sites I have appended to the vulnerability?
Assistance greatly appreciated.
Dan

duncan

Contrib Feedback: Root Kit Hunter
« Reply #28 on: September 01, 2004, 12:51:45 AM »
I have updated to 1.1.7.1.

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #29 on: September 01, 2004, 09:07:37 PM »
Hi Dan,

You could have a go at upgrading those applications, although I'd work on a development, not a production, machine at first if I were you (I note that for ProFTPd SME is using the current production release of the code and 1.2.10 is a development version, though it does contain a bug fix that would seem to affect SME security if I'm reading the advisory correctly, because SME does use CIDRs in defining local networks, which is where the bug creeps in).

There is now an SME security team and an updates team forming on contribs.org (http://forums.contribs.org/index.php?topic=23856.0) and it's likely that these kinds of updates will be addressed shortly; or, if you are doing the upgrading work anyway, you could consider joining one of those groups and contributing your updates of the standard packages.


Duncan,
Your rpm works well here, thanks again.

Regards,
Lee

lee

Contrib Feedback: Root Kit Hunter
« Reply #30 on: September 08, 2004, 12:09:11 PM »
putty / pscp problem

One thing I have hit recently after installing rkhunter is that pscp uses ssh protocol 1, and the patch to disable version 1 (yes, my patch!) messes pscp up with the message "unable to initialise SFTP: could not connect". If anybody hits this problem after installing rkhunter, to re-enable protocol 1 and get pscp working:
Code:
rm  -f  /etc/e-smith/templates-custom/etc/ssh/sshd_config/20Protocol
/sbin/e-smith/expand-template /etc/ssh/sshd_config
/sbin/service sshd reload
If you are not encountering any problems you're still better off leaving the potential security hole closed.

Regards,
Lee.

sqlerror
Re: assistance to determine if I can change these pkg
« Reply #31 on: September 11, 2004, 06:26:11 PM »
Quote from: "dilligaf"
Hi,
I ran the latest rkhunter.
Under the Application version scan I was presented with the following:
GnuPG 1.0.7 Vulnerable http://www.gnupg.org/
Apache 1.3.27 Vulnerable http://www.apache.org/
OpenSSL 0.9.6b Vulnerable http://www.openssl.org/
ProFTPd 1.2.9 Vulnerable http://www.proftpd.org/
I am on SME 6.0.1.
Should I change these pkgs, do I just get the latest from the sites I have appended to the vulnerabilite?
Assistance greatly appreciated.
Dan

Hi, there are rpms to solve these, all found via www.minddigger.com. The site is in Dutch, therefore I just paste the link to the rpms and thank "Harro" of Vexins.com for his work on this:
http://www.vexins.com/downloads/RPMs/
Browse through the listing to get updates for GnuPG, Apache, OpenSSL and ProFTPd.
A # /sbin/e-smith/db configuration setprop oidentd status disabled and a reboot should keep your system a lot safer.
* Application version scan
   - ClamAV 0.70                                              [ OK ]
   - GnuPG 1.2.4                                              [ OK ]
   - Apache 1.3.31                                            [ OK ]
   - OpenSSL 0.9.6b                                           [ OK ]
   - PHP 4.3.8                                                [ OK ]
   - Procmail MTA 3.22                                        [ OK ]
   - ProFTPd 1.2.10rc3                                        [ OK ]
   - OpenSSH 3.9p1                                            [ OK ]

Sqlerror

lee

Contrib Feedback: Root Kit Hunter
« Reply #32 on: September 16, 2004, 02:44:48 PM »
Hi all,

There is a new version of the rootkit hunter code (1.1.8) available from http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz (it's certainly a lively project with a release once or twice a month!).

Patched for SME, it seems to run fine. The new version is mainly minor fixes; interestingly it now has improved support for RHEL3, so it should work well with CentOS too.

Thanks for locating those upgrade rpms, Sqlerror; I'll have to have a look through them.

Regards,
Lee.

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #33 on: May 13, 2005, 02:21:12 PM »
Duncan,
Quote from: "duncan"
I have updated to 1.1.7.1.

Regards Duncan

Your latest posted version is 1.1.8-1. If you are matching the www.rootkit.nl version numbers, any chance of you updating to rkhunter 1.2-6 soon? I am a bit suspicious that some systems I monitor have been compromised, but 1.1.8-1 does not report anything ...

Peter

lee

Unofficial kludge upgrade!
« Reply #34 on: May 13, 2005, 03:37:38 PM »
1. cd /tmp

2. wget http://downloads.rootkit.nl/rkhunter-1.2.6.tar.gz

3. tar xvzf rkhunter-1.2.6.tar.gz

4. If using 6.0.1, patch as follows (Mitel e-smith 6 is supported natively by rkhunter now!)

Cut the following into a file (say /tmp/rk.patch)

Code:
diff -Naur rkhunter/files/os.dat rkhunter.new/files/os.dat
--- rkhunter/files/os.dat       2005-05-07 08:56:15.000000000 +0000
+++ rkhunter.new/files/os.dat   2005-05-11 10:42:45.000000000 +0000
@@ -87,6 +87,7 @@
 172:Cobalt Linux release 6.5.1 (Monterey):/usr/bin/md5sum:/bin:
 173:Tao Linux release 1 (Mooch Update 4):/usr/bin/md5sum:/bin:
 174:Trustix Secure Linux release 2.2 (Sunchild):/usr/bin/md5sum:/bin:
+175:SME Server 6.0.1-01:/usr/bin/md5sum:/bin:
 200:FreeBSD 5.0 (i386):/sbin/md5 -q:/usr/local/bin:
 201:FreeBSD 4.7 (i386):/sbin/md5 -q:/usr/local/bin:
 202:FreeBSD 5.1 (i386):/sbin/md5 -q:/usr/local/bin:
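Review bot: the new entry keys on the literal release string 'SME Server 6.0.1-01', so a box whose /etc/e-smith-release reads anything else (another 6.0.1 build, or 5.6, which earlier in the thread is said to lack /etc/redhat-release entirely) will not match this line and gets no md5 checks; if the intent is to cover 6.0.1 generally, say so in step 4, or add one line per release string actually in use. Also, because the file names in the headers are relative (rkhunter/files/os.dat), the patch only applies with -p0 from the directory containing the extracted rkhunter tree, i.e. /tmp in this procedure, which step 4 could state explicitly.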


then
Code:
patch -p0 -i /tmp/rk.patch

5. cd rkhunter

6. sh installer.sh

7. Now clean up
Code:
cd /tmp
rm -fr /tmp/rkhunter
rm -f /tmp/rkhunter-1.2.6.tar.gz
rm -f /tmp/rk.patch


8. Bring the rkhunter database up to date
Code:
rkhunter --update

9. Check your system
Code:
rkhunter -c --skip-keypress

Regards,
Lee

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #35 on: May 15, 2005, 02:42:24 PM »
Lee,

Thanks for responding. I followed your instructions closely, but the "patch" command reports:
Code:

can't find file to patch at input line 4
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Naur rkhunter/files/os.dat rkhunter.new/files/os.dat
|--- rkhunter/files/os.dat       2005-05-07 08:56:15.000000000 +0000
|+++ rkhunter.new/files/os.dat   2005-05-11 10:42:45.000000000 +0000
--------------------------
File to patch:


Patch then stops awaiting input. How do I fix this?

Peter

lee

Contrib Feedback: Root Kit Hunter
« Reply #36 on: May 16, 2005, 10:56:21 AM »
It means you have to be careful to watch the cd commands in the little procedure I gave  :-)

The patch (which includes the path names) assumes that you remain in the tmp directory after untarring rkhunter and don't cd into the directory after extracting. Go back to the /tmp directory (or, if you are using a different work directory, the directory above the rkhunter directory) and apply the patch again.

L.

mdo
Contrib Feedback: Root Kit Hunter
« Reply #37 on: May 16, 2005, 11:33:09 AM »
Lee,

I am doing exactly what you describe and I AM located in /tmp at the moment of executing the patch command - but I see the same problem that Peter describes.

Regards,
Michael

lee

Contrib Feedback: Root Kit Hunter
« Reply #38 on: May 16, 2005, 11:46:40 AM »
Damn, which means I screwed up and missed the -p0 option from my notes!

Code:
patch -p0 -i /tmp/rk.patch

(note that's a zero not the letter O after the -p)

L.

mdo
Contrib Feedback: Root Kit Hunter
« Reply #39 on: May 16, 2005, 11:55:19 AM »
Yep, all looking good now. Thanks.
Michael

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #40 on: May 16, 2005, 03:17:40 PM »
Lee,

I concur. Everything is OK now. Thank you very much.

Peter

spittingfire

SSH Login problems after openssl upgrade
« Reply #41 on: May 16, 2005, 09:35:57 PM »
Hi All,

Your help will be greatly appreciated.  After I upgraded my openssl after running rkhunter I'm now unable to SSH into my server.  Did I miss something after the upgrading of the software?  Now when I try to login the server pretty much is unable to authenticate me.  It's the same username and p/w used to login to everything else (user manager, webmail, etc) just not working with SSH.  Yes I'm running Protocol 2 and SME-Server 6.5RC1.

lee

New rkhunter
« Reply #42 on: May 24, 2005, 01:08:03 PM »
The latest version of rkhunter is available.

This version now supports SME 6.0.1 natively as well as Mitel SME 6.0

To upgrade to rkhunter 1.2.7  

Code:
cd /tmp
wget http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.7.tar.gz
tar xvzf rkhunter-1.2.7.tar.gz
cd /tmp/rkhunter
sh installer.sh
cd /tmp
rm -fr /tmp/rkhunter
rm -f /tmp/rkhunter-1.2.7.tar.gz
rkhunter --update
rkhunter -c --skip-keypress


Lee.

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #43 on: May 24, 2005, 02:16:17 PM »
Lee,

Thank you very much. Installation went flawlessly.

Peter

moleboy

Re: New rkhunter
« Reply #44 on: June 18, 2005, 05:44:53 AM »
Quote from: "lee"

To upgrade to rkhunter 1.2.7  
Code:
cd /tmp
wget http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.7.tar.gz
tar xvzf rkhunter-1.2.7.tar.gz
cd /tmp/rkhunter
sh installer.sh
cd /tmp
rm -fr /tmp/rkhunter
rm -f /tmp/rkhunter-1.2.7.tar.gz
rkhunter --update
rkhunter -c --skip-keypress



Am I correct in thinking that for a brand new installation you first install Duncan's RPM and then perform the above?

Or just install as per above instructions without the RPM?

Any advice gratefully received.

CharlieBrady
Re: assistance to determine if I can change these pkg
« Reply #45 on: June 18, 2005, 10:54:39 PM »
Quote from: "dilligaf"

I ran the latest rkhunter.
Under the Application version scan I was presented with the following:
GnuPG 1.0.7 Vulnerable http://www.gnupg.org/
Apache 1.3.27 Vulnerable http://www.apache.org/
OpenSSL 0.9.6b Vulnerable http://www.openssl.org/
ProFTPd 1.2.9 Vulnerable http://www.proftpd.org/


It's quite likely that rkhunter is not telling you the full truth. Because RedHat adds security patches to old versions rather than switching to the latest version, you *cannot* determine whether any application is vulnerable just by checking its version number.

You can bypass this very naive behaviour of rkhunter by giving the --skip-application-check flag.

RedHead

Re: New rkhunter
« Reply #46 on: July 31, 2005, 02:54:21 AM »
Quote from: "lee"

To upgrade to rkhunter 1.2.7  
<cut>

Quote from: "moleboy"

Am I correct in thinking that for a brand new installation you first install Duncan's RPM and then perform the above?

Or just install as per above instructions without the RPM?

Any advice gratefully received.


Just a newbie question..
Where do I find the Dungan rpm?
Because the name Dungan isn't there in the contribs and I can't find a matching name.