Koozali.org: home of the SME Server

Contrib Feedback: Root Kit Hunter

lee

Contrib Feedback: Root Kit Hunter
« Reply #30 on: September 08, 2004, 12:09:11 PM »
putty / pscp problem

One thing I have hit recently after installing rkhunter is that pscp uses ssh protocol 1, and the patch to disable version 1 (yes, my patch!) messes pscp up with the message "unable to initialise SFTP: could not connect". If anybody hits this problem after installing rkhunter, to re-enable protocol 1 and get pscp working:
Code:
rm -f /etc/e-smith/templates-custom/etc/ssh/sshd_config/20Protocol
/sbin/e-smith/expand-template /etc/ssh/sshd_config
/sbin/service sshd reload
If you are not encountering any problems you're still better off leaving the potential security hole closed.

Regards,
Lee.

sqlerror
Re: assistance to determine if I can change these pkg
« Reply #31 on: September 11, 2004, 06:26:11 PM »
Quote from: "dilligaf"
Hi,
I ran the latest rkhunter.
Under the Application version scan I was presented with the following:
GnuPG 1.0.7 Vulnerable http://www.gnupg.org/
Apache 1.3.27 Vulnerable http://www.apache.org/
OpenSSL 0.9.6b Vulnerable http://www.openssl.org/
ProFTPd 1.2.9 Vulnerable http://www.proftpd.org/
I am on SME 6.0.1.
Should I change these pkgs, do I just get the latest from the sites I have appended to the vulnerability?
Assistance greatly appreciated.
Dan

Hi, there are RPMs to solve these, all found via www.minddigger.com. The site is in Dutch, therefore I just paste the link to the RPMs and thank "Harro" of Vexins.com for his work on this:
http://www.vexins.com/downloads/RPMs/
Browse through the listing to get updates for GnuPG, Apache, OpenSSL and ProFTPd.
Running /sbin/e-smith/db configuration setprop oidentd status disabled as root and then rebooting should keep your system a lot safer.
* Application version scan
   - ClamAV 0.70                                              [ OK ]
   - GnuPG 1.2.4                                              [ OK ]
   - Apache 1.3.31                                            [ OK ]
   - OpenSSL 0.9.6b                                           [ OK ]
   - PHP 4.3.8                                                [ OK ]
   - Procmail MTA 3.22                                        [ OK ]
   - ProFTPd 1.2.10rc3                                        [ OK ]
   - OpenSSH 3.9p1                                            [ OK ]

Sqlerror
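
The "Application version scan" block above is the part of the rkhunter report worth automating: the value is in noticing when a row is anything other than OK. The following is an added example, not code from this thread or from the rkhunter project. It assumes the bracketed status layout shown in the OK rows above (a non-OK row is assumed to look like `[ Vulnerable ]`; the quoted report only shows the word without brackets), and the report file it reads is constructed here from the versions mentioned in this thread.

```sh
#!/bin/sh
# Constructed rkhunter report excerpt (not real rkhunter output): mixes rows
# from the two reports quoted in this thread, plus a following section to
# confirm the parser stops at the section boundary.
make_sample_scan() {
  cat > "$1" <<'EOF'
* Application version scan
   - GnuPG 1.0.7                                              [ Vulnerable ]
   - Apache 1.3.31                                            [ OK ]
   - OpenSSL 0.9.6b                                           [ Vulnerable ]
   - ProFTPd 1.2.10rc3                                        [ OK ]
   - OpenSSH 3.9p1                                            [ OK ]

* Security advisories
   - Check: Groups and Accounts                               [ OK ]
EOF
}

# flagged_apps FILE
# Prints "Name Version" for every row of the Application version scan section
# whose bracketed status is not OK (Vulnerable, Warning, ...). Exit status is
# 1 when at least one row was flagged, 0 otherwise, so a cron job can mail
# the output only when something needs attention.
flagged_apps() {
  awk '
    # A "* " line starts a new section; only the version scan is of interest.
    /^\* / { insec = ($0 ~ /Application version scan/); next }
    insec && /^ *- / {
      status = $0; sub(/.*\[ */, "", status); sub(/ *\].*/, "", status)
      if (status != "OK") {
        name = $0; sub(/^ *- /, "", name); sub(/ +\[.*/, "", name)
        print name; n++
      }
    }
    END { exit (n > 0) }
  ' "$1"
}
```

Usage from cron, once `rkhunter -c --skip-keypress > /var/log/rkhunter-last.txt` has been run: `flagged_apps /var/log/rkhunter-last.txt || mail -s "rkhunter flagged packages" root` (the `mail` call is illustrative). Status words other than OK are all treated as actionable on purpose; a scan that needs a human to read it is the failure mode this guards against.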

lee

Contrib Feedback: Root Kit Hunter
« Reply #32 on: September 16, 2004, 02:44:48 PM »
Hi all,

There is a new version of the rootkit hunter code (1.1.8) available from http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz (it's certainly a lively project with a release once or twice a month!).

Patched for SME and it seems to run fine. The new version is mainly minor fixes; interestingly it now has improved support for RHEL3, so it should work well with CentOS too.

Thanks for locating those upgrade rpms Sqlerror I'll have to have a look through them.

Regards,
Lee.

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #33 on: May 13, 2005, 02:21:12 PM »
Duncan,
Quote from: "duncan"
I have updated to 1.1.7.1.

Regards Duncan

Your latest posted version is 1.1.8-1. If you are matching the www.rootkit.nl version numbers, any chance of you updating to rkhunter 1.2-6 soon? I am a bit suspicious that some systems I monitor have been compromised, but 1.1.8-1 does not report anything ...

Peter

lee

Unofficial kludge upgrade!
« Reply #34 on: May 13, 2005, 03:37:38 PM »
1. cd /tmp

2. wget http://downloads.rootkit.nl/rkhunter-1.2.6.tar.gz

3. tar xvzf rkhunter-1.2.6.tar.gz

4. If using 6.0.1, patch as follows (Mitel e-smith 6 is supported natively by rkhunter now!)

Cut the following into a file (say /tmp/rk.patch)

Code:
diff -Naur rkhunter/files/os.dat rkhunter.new/files/os.dat
--- rkhunter/files/os.dat       2005-05-07 08:56:15.000000000 +0000
+++ rkhunter.new/files/os.dat   2005-05-11 10:42:45.000000000 +0000
@@ -87,6 +87,7 @@
 172:Cobalt Linux release 6.5.1 (Monterey):/usr/bin/md5sum:/bin:
 173:Tao Linux release 1 (Mooch Update 4):/usr/bin/md5sum:/bin:
 174:Trustix Secure Linux release 2.2 (Sunchild):/usr/bin/md5sum:/bin:
+175:SME Server 6.0.1-01:/usr/bin/md5sum:/bin:
 200:FreeBSD 5.0 (i386):/sbin/md5 -q:/usr/local/bin:
 201:FreeBSD 4.7 (i386):/sbin/md5 -q:/usr/local/bin:
 202:FreeBSD 5.1 (i386):/sbin/md5 -q:/usr/local/bin:
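Review bot: the file headers carry the `rkhunter/` and `rkhunter.new/` prefixes, so this hunk only applies with `-p0` from the directory that contains the extracted `rkhunter/` tree (the `/tmp` of step 3); run from inside `rkhunter/`, or with the default strip level, patch cannot locate `files/os.dat` and prompts for a file name. The added row also hard-codes index 175 and relies on the three Trustix/FreeBSD context rows, so it is rejected against any os.dat revision where 175 is already in use or those neighbours have moved; stating the exact release the diff was taken against (1.2.6 per step 2) and checking `grep -n 'SME Server' rkhunter/files/os.dat` before patching would make the step safe to reuse on later tarballs.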


then
Code:
patch -p0 -i /tmp/rk.patch

5. cd rkhunter

6. sh installer.sh

7. Now clean up
Code:
cd /tmp
rm -fr /tmp/rkhunter
rm -f /tmp/rkhunter-1.2.6.tar.gz
rm -f /tmp/rk.patch


8. Bring the rkhunter database up to date
Code:
rkhunter --update

9. Check your system
Code:
rkhunter -c --skip-keypress

Regards,
Lee
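
Step 4 teaches rkhunter about the local OS by adding one row to files/os.dat, and a fixed diff is the fragile way to do that: it breaks as soon as upstream changes the neighbouring rows or reuses index 175. The following is an added example, not code from this thread or from the rkhunter project, of doing the same edit idempotently so it can be rerun after every tarball upgrade. It assumes only the row layout visible in the patch above (index:description:md5 tool:bin dir:, with Linux rows below 200 and BSD rows from 200 up); the sample os.dat it writes is constructed from those same rows.

```sh
#!/bin/sh
# Constructed os.dat excerpt (not the rkhunter tarball's file): the three
# Linux rows and the first FreeBSD row that appear as context in the patch.
make_sample_osdat() {
  cat > "$1" <<'EOF'
172:Cobalt Linux release 6.5.1 (Monterey):/usr/bin/md5sum:/bin:
173:Tao Linux release 1 (Mooch Update 4):/usr/bin/md5sum:/bin:
174:Trustix Secure Linux release 2.2 (Sunchild):/usr/bin/md5sum:/bin:
200:FreeBSD 5.0 (i386):/sbin/md5 -q:/usr/local/bin:
EOF
}

# add_os_entry FILE "OS description" MD5TOOL BINDIR
# Adds a row for the description unless one exists already, using the next
# free index in the Linux block (highest index below 200, plus one), and
# inserts it just before the first BSD row so the file stays ordered.
# Prints the index the description ends up with; safe to run repeatedly.
add_os_entry() {
  file=$1; desc=$2; md5tool=$3; bindir=$4
  # Already known: report the existing index and leave the file untouched.
  existing=$(awk -F: -v d="$desc" '$2 == d { print $1; exit }' "$file")
  if [ -n "$existing" ]; then
    printf '%s\n' "$existing"
    return 0
  fi
  idx=$(awk -F: '$1 ~ /^[0-9]+$/ && $1 < 200 && $1 > m { m = $1 }
                END { print m + 1 }' "$file")
  tmp="$file.tmp"
  awk -F: -v row="$idx:$desc:$md5tool:$bindir:" '
    !done && $1 ~ /^[0-9]+$/ && $1 >= 200 { print row; done = 1 }
    { print }
    END { if (!done) print row }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
  printf '%s\n' "$idx"
}

# Real use after step 3, from /tmp, in place of the patch:
#   add_os_entry /tmp/rkhunter/files/os.dat "SME Server 6.0.1-01" /usr/bin/md5sum /bin
```

Because the helper keys on the description rather than on line numbers or context, the same command works whether or not a later rkhunter release has already added an SME row, which is exactly the case the static patch cannot handle.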

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #35 on: May 15, 2005, 02:42:24 PM »
Lee,

Thanks for responding. I followed your instructions closely, but the "patch" command reports:
Code:
can't find file to patch at input line 4
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Naur rkhunter/files/os.dat rkhunter.new/files/os.dat
|--- rkhunter/files/os.dat       2005-05-07 08:56:15.000000000 +0000
|+++ rkhunter.new/files/os.dat   2005-05-11 10:42:45.000000000 +0000
--------------------------
File to patch:


Patch then stops awaiting input. How do I fix this?

Peter

lee

Contrib Feedback: Root Kit Hunter
« Reply #36 on: May 16, 2005, 10:56:21 AM »
It means you have to be careful to watch the cd commands in the little procedure I gave :-)

The patch (which includes the path names) assumes that you remain in the tmp directory after untarring rkhunter and don't cd into the directory after extracting. Go back to the /tmp directory (or, if you are using a different work directory, the directory above the rkhunter directory) and apply the patch again.

L.

mdo
Contrib Feedback: Root Kit Hunter
« Reply #37 on: May 16, 2005, 11:33:09 AM »
Lee,

I am doing exactly what you describe and I AM located in /tmp at the moment of executing the patch command - but I see the same problem that Peter describes.

Regards,
Michael
...

lee

Contrib Feedback: Root Kit Hunter
« Reply #38 on: May 16, 2005, 11:46:40 AM »
Damn, which means I screwed up and missed the -p0 option from my notes!

Code:
patch -p0 -i /tmp/rk.patch

(note that's a zero not the letter O after the -p)

L.

mdo
Contrib Feedback: Root Kit Hunter
« Reply #39 on: May 16, 2005, 11:55:19 AM »
Yep, all looking good now. Thanks.
Michael
...

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #40 on: May 16, 2005, 03:17:40 PM »
Lee,

I concur. Everything is OK now. Thank you very much.

Peter

spittingfire

SSH Login problems after openssl upgrade
« Reply #41 on: May 16, 2005, 09:35:57 PM »
Hi All,

Your help will be greatly appreciated. After I upgraded my openssl after running rkhunter I'm now unable to SSH into my server. Did I miss something after upgrading the software? Now when I try to log in the server is pretty much unable to authenticate me. It's the same username and p/w used to log in to everything else (user manager, webmail, etc), just not working with SSH. Yes, I'm running Protocol 2 and SME-Server 6.5RC1.

lee

New rkhunter
« Reply #42 on: May 24, 2005, 01:08:03 PM »
The latest version of rkhunter is available.

This version now supports SME 6.0.1 natively as well as Mitel SME 6.0

To upgrade to rkhunter 1.2.7:

Code:
cd /tmp
wget http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.7.tar.gz
tar xvzf rkhunter-1.2.7.tar.gz
cd /tmp/rkhunter
sh installer.sh
cd /tmp
rm -fr /tmp/rkhunter
rm -f /tmp/rkhunter-1.2.7.tar.gz
rkhunter --update
rkhunter -c --skip-keypress


Lee.

pwalter

Contrib Feedback: Root Kit Hunter
« Reply #43 on: May 24, 2005, 02:16:17 PM »
Lee,

Thank you very much. Installation went flawlessly.

Peter

moleboy

Re: New rkhunter
« Reply #44 on: June 18, 2005, 05:44:53 AM »
Quote from: "lee"

To upgrade to rkhunter 1.2.7:
Code:
cd /tmp
wget http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.7.tar.gz
tar xvzf rkhunter-1.2.7.tar.gz
cd /tmp/rkhunter
sh installer.sh
cd /tmp
rm -fr /tmp/rkhunter
rm -f /tmp/rkhunter-1.2.7.tar.gz
rkhunter --update
rkhunter -c --skip-keypress



Am I correct in thinking that for a brand new installation you first install Duncan's RPM and then perform the above?

Or just install as per above instructions without the RPM?

Any advice gratefully received.