Support with rkhunter.log

StTiLa
Hello,

I ran rkhunter (Plesk 9.5.2, OpenSuse 11.1).

The result says
Suspect applications: 3

Could someone with experience perhaps take a quick look at my log? I have already deleted the lines with [OK] and [not found].
Background: a few days ago someone got in through a hole in my OpenX and modified my banners. OpenX is clean now and has been set up fresh. But I am still checking everything in umpteen ways at the moment.
ClamAV reports nothing.


Code:
[18:18:01] Running Rootkit Hunter version 1.3.4 on h1776406
[18:18:01]
[18:18:01] Info: Start date is Mo 25. Okt 18:18:01 CEST 2010
[18:18:01]
[18:18:01] Checking configuration file and command-line options...
[18:18:01] Info: Detected operating system is 'Linux'
[18:18:01] Info: Found O/S name: 2009091701
[18:18:01] Info: Command line is /usr/local/psa/admin/sbin/modules//watchdog/rkhunter -c --nocolors --configfile /usr/local/psa/etc/modules/watchdog/rkhunter.conf --propupd --createlogfile
[18:18:01] Info: Environment shell is /bin/bash; rkhunter is using bash
[18:18:01] Info: Using configuration file '/usr/local/psa/etc/modules/watchdog/rkhunter.conf'
[18:18:01] Info: Installation directory is '/usr/local/psa'
[18:18:01] Info: Using language 'en'
[18:18:01] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db' as the database directory
[18:18:01] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/rkhunter/scripts' as the support script directory
[18:18:01] Info: Using '/usr/local/psa/admin/bin/modules/watchdog /usr/local/bin /usr/local/sbin /bin /sbin /usr/bin /usr/sbin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[18:18:01] Info: Using '/' as the root directory by default
[18:18:01] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/tmp' as the temporary directory
[18:18:01] Info: Emailing warnings to 'root@h1776406.stratoserver.net' using command '/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[18:18:01] Info: X will be automatically detected
[18:18:01] Info: Found the 'diff' command: /usr/bin/diff
[18:18:01] Info: Found the 'file' command: /usr/bin/file
[18:18:01] Info: Found the 'find' command: /usr/bin/find
[18:18:01] Info: Found the 'ifconfig' command: /sbin/ifconfig
[18:18:01] Info: Found the 'ip' command: /bin/ip
[18:18:01] Info: Found the 'ldd' command: /usr/bin/ldd
[18:18:01] Info: Found the 'lsattr' command: /usr/bin/lsattr
[18:18:01] Info: Found the 'lsmod' command: /bin/lsmod
[18:18:01] Info: Unable to find the 'lsof' command
[18:18:01] Info: Found the 'mktemp' command: /bin/mktemp
[18:18:01] Info: Found the 'netstat' command: /bin/netstat
[18:18:01] Info: Found the 'perl' command: /usr/bin/perl
[18:18:01] Info: Found the 'ps' command: /bin/ps
[18:18:01] Info: Found the 'pwd' command: /bin/pwd
[18:18:01] Info: Found the 'readlink' command: /bin/readlink
[18:18:01] Info: Found the 'sort' command: /bin/sort
[18:18:01] Info: Found the 'stat' command: /bin/stat
[18:18:01] Info: Found the 'strings' command: /usr/bin/strings
[18:18:01] Info: Found the 'uniq' command: /usr/bin/uniq
[18:18:01] Info: System is not using prelinking
[18:18:01] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[18:18:01] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[18:18:01] Info: Stored hash values used package manager 'RPM' (md5 function)
[18:18:01] Info: The hash function field index is set to 1
[18:18:01] Info: Using package manager 'RPM' to update the file hash values
[18:18:01] Info: Found the 'rpm' command: /bin/rpm
[18:18:01] Info: Using package manager 'RPM' for file property checks
[18:18:01] Info: Found the 'rpm' command: /bin/rpm
[18:18:01] Info: Previous file attributes were stored
[18:18:01] Info: Current file attributes will be stored
[18:18:01] Info: Enabled tests are: all
[18:18:01] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps
[18:18:01] Info: Found ksym file '/proc/kallsyms'
[18:18:02]
[18:18:02] Checking if the O/S has changed since last time...
[18:18:02] Info: Nothing seems to have changed
[18:18:02]
[18:18:02] Info: Starting file properties data update...
[18:18:02] Info: Created temporary file '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/tmp/rkhunter.dat.SXob13QBx3'
[18:18:02] Collecting O/S info...
[18:18:02] Info: Found system architecture: x86_64
[18:18:02] Info: Found release file: /etc/strato-release
[18:18:02] Info: Found O/S name: 2009091701
[18:18:02] Getting file properties...
[18:18:10] Info: Found 41 files in /bin
[18:18:20] Info: Found 59 files in /usr/bin
[18:18:23] Info: Found 18 files in /sbin
[18:18:25] Info: Found 12 files in /usr/sbin
[18:18:25] Info: Found 0 files in /usr/local/bin
[18:18:25] Info: Found 0 files in /usr/local/sbin
[18:18:25] Info: File updated: searched for 150 files, found 130
[18:18:25] Info: New rkhunter.dat file installed in '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db'
[18:18:25]
[18:18:25] Starting system checks...
[18:18:25]
[18:18:25] Checking system commands...
[18:18:25] Info: Starting test name 'system_commands'
[18:18:25]
[18:18:25] Performing 'strings' command checks
[18:18:25] Info: Starting test name 'strings'
[18:18:25] Scanning for string /usr/sbin/ntpsx               [ OK ]
...
[18:18:27] Performing 'shared libraries' checks
[18:18:27] Info: Starting test name 'shared_libs'
[18:18:27] Checking for preloading variables                 [ None found ]
[18:18:27] Checking for preload file                         [ Not found ]
[18:18:27] Info: Starting test name 'shared_libs_path'
[18:18:27] Checking LD_LIBRARY_PATH variable                 [ Not found ]
[18:18:27]
[18:18:27] Performing file properties checks
[18:18:27] Info: Starting test name 'properties'
[18:18:27] Checking for prerequisites                        [ OK ]
...
[18:18:52] Info: Found file '/usr/bin/passwd': it is whitelisted for the 'file immutable-bit' check.
...
[18:19:03] Info: Found file '/sbin/init': it is whitelisted for the 'file immutable-bit' check.
...
...
[18:19:11]
[18:19:11] Checking for rootkits...
[18:19:11] Info: Starting test name 'rootkits'
[18:19:11]
[18:19:11] Performing check of known rootkit files and directories
[18:19:11] Info: Starting test name 'known_rkts'
[18:19:11]
...
[18:19:31]
[18:19:31] Performing additional rootkit checks
[18:19:31] Info: Starting test name 'additional_rkts'
[18:19:31]
[18:19:31]   Performing Suckit Rookit additional checks
[18:19:31]     Checking hard link count on '/sbin/init'      [ OK ]
[18:19:31]     Checking for hidden file extensions           [ None found ]
[18:19:31]     Running skdet command                         [ Skipped ]
[18:19:31] Info: Unable to find the 'skdet' command
[18:19:31]   Suckit Rookit additional checks                 [ OK ]
[18:19:32]
[18:19:32]   Performing check of possible rootkit files and directories
[18:19:32] Info: Starting test name 'possible_rkt_files'
[18:19:32]     Checking for file '/dev/sdr0'                 [ Not found ]
[18:19:32]     Checking for file '/tmp/.syshackfile'         [ Not found ]
[18:19:32]     Checking for file '/tmp/.bash_history'        [ Not found ]
[18:19:32]     Checking for file '/usr/info/.clib'           [ Not found ]
[18:19:32]     Checking for file '/usr/sbin/tcp.log'         [ Not found ]
[18:19:32]     Checking for file '/usr/bin/take/pid'         [ Not found ]
[18:19:32]     Checking for file '/sbin/create'              [ Not found ]
[18:19:32]     Checking for file '/dev/ttypz'                [ Not found ]
[18:19:32]     Checking for directory '/usr/bin/take'        [ Not found ]
[18:19:32]     Checking for directory '/usr/src/.lib'        [ Not found ]
[18:19:32]     Checking for directory '/usr/share/man/man1/.1c' [ Not found ]
[18:19:32]     Checking for directory '/lib/lblip.tk'        [ Not found ]
[18:19:32]     Checking for directory '/usr/sbin/...'        [ Not found ]
[18:19:32]     Checking for directory '/usr/share/.gun'      [ Not found ]
[18:19:32]   Checking for possible rootkit files and directories [ None found ]
[18:19:32]
[18:19:32]   Performing check for possible rootkit strings
[18:19:32] Info: Starting test name 'possible_rkt_strings'
[18:19:32] Info: Using system startup paths: /etc/init.d /etc/inittab
[18:19:32]     Checking for string '/dev/proc/fuckit'        [ Not found ]
[18:19:32]     Checking for string 'FUCK'                    [ Not found ]
[18:19:32]     Checking for string 'backdoor'                [ Not found ]
[18:19:32]     Checking for string 'vt200'                   [ Not found ]
[18:19:32]     Checking for string '/usr/bin/xstat'          [ Not found ]
[18:19:33]     Checking for string '/bin/envpc'              [ Not found ]
[18:19:33]     Checking for string 'L4m3r0x'                 [ Not found ]
[18:19:33]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[18:19:33]     Checking for string '/dev/ptyxx/.file'        [ Not found ]
[18:19:33]     Checking for string '/dev/sgk'                [ Not found ]
[18:19:33]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[18:19:33]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[18:19:33]     Checking for string '/dev/proc/fuckit'        [ Not found ]
[18:19:33]     Checking for string '/lib/.sso'               [ Not found ]
[18:19:33]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[18:19:33]     Checking for string '/dev/caca'               [ Not found ]
[18:19:33]     Checking for string '/dev/ttyoa'              [ Not found ]
[18:19:33]     Checking for string 'syg'                     [ Not found ]
[18:19:33]     Checking for string '/dev/pts/01'             [ Not found ]
[18:19:33]     Checking for string 'tw33dl3'                 [ Not found ]
[18:19:33]     Checking for string 'psniff'                  [ Not found ]
[18:19:33]     Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
[18:19:33]     Checking for string '/dev/ptyxx'              [ Not found ]
[18:19:34]     Checking for string '/dev/xdta'               [ Not found ]
[18:19:34]     Checking for string '/usr/lib/.tbd'           [ Not found ]
[18:19:34]     Checking for string 'in.inetd'                [ Not found ]
[18:19:35]     Checking for string '#<HIDE_.*>'              [ Not found ]
[18:19:35]     Checking for string 'bin/xchk'                [ Not found ]
[18:19:35]     Checking for string 'bin/xsf'                 [ Not found ]
[18:19:35]   Checking for possible rootkit strings           [ None found ]
[18:19:35]
[18:19:35] Performing malware checks
[18:19:36] Info: Starting test name 'malware'
[18:19:36]
[18:19:36] Info: Test 'deleted_files' disabled at users request.
[18:19:36] Info: Starting test name 'running_procs'
[18:19:36]   Checking running processes for suspicious files [ Skipped ]
[18:19:36] Info: Unable to find the 'lsof' command
[18:19:36]
[18:19:36] Info: Test 'hidden_procs' disabled at users request.
[18:19:36]
[18:19:36] Info: Test 'suspscan' disabled at users request.
[18:19:36]
[18:19:36]   Performing check for login backdoors
[18:19:36] Info: Starting test name 'other_malware'
[18:19:36]     Checking for '/bin/.login'                    [ Not found ]
[18:19:36]     Checking for '/sbin/.login'                   [ Not found ]
[18:19:36]   Checking for login backdoors                    [ None found ]
[18:19:36]
[18:19:36]   Performing check for suspicious directories
[18:19:36]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[18:19:36]     Checking for directory '/dev/rd/cdb'          [ Not found ]
[18:19:36]   Checking for suspicious directories             [ None found ]
[18:19:36]
[18:19:36]   Checking for software intrusions                [ Skipped ]
[18:19:36] Info: Check skipped - tripwire not installed
[18:19:36]
[18:19:36]   Performing check for sniffer log files
[18:19:36]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[18:19:36]   Checking for sniffer log files                  [ None found ]
[18:19:36]
[18:19:36] Performing trojan specific checks
[18:19:36] Info: Starting test name 'trojans'
[18:19:36]   Checking for enabled inetd services             [ Skipped ]
[18:19:36] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[18:19:36]
[18:19:36]   Performing check for enabled xinetd services
[18:19:36] Info: Using xinetd configuration file '/etc/xinetd.conf'
[18:19:36]     Checking '/etc/xinetd.conf' for enabled services [ None found ]
[18:19:36]       Found 'includedir /etc/xinetd.d' directive
[18:19:36]     Checking '/etc/xinetd.d/chargen' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/chargen-udp' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/daytime' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/daytime-udp' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/discard' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/discard-udp' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/echo' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/echo-udp' for enabled services [ None found ]
[18:19:36]     Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[18:19:37]     Checking '/etc/xinetd.d/netstat' for enabled services [ None found ]
[18:19:37]     Checking '/etc/xinetd.d/rsync' for enabled services [ None found ]
[18:19:37]     Checking '/etc/xinetd.d/servers' for enabled services [ None found ]
[18:19:37]     Checking '/etc/xinetd.d/services' for enabled services [ None found ]
[18:19:37]     Checking '/etc/xinetd.d/systat' for enabled services [ None found ]
[18:19:37]     Checking '/etc/xinetd.d/time' for enabled services [ None found ]
[18:19:37]     Checking '/etc/xinetd.d/time-udp' for enabled services [ None found ]
[18:19:37]   Checking for enabled xinetd services            [ Warning ]
[18:19:37] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[18:19:37] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[18:19:37]
[18:19:37] Performing Linux specific checks
[18:19:37] Info: Starting test name 'os_specific'
[18:19:37]   Checking loaded kernel modules                  [ OK ]
[18:19:37] Info: Using modules pathname of '/lib/modules/2.6.27.48-0.3-default'
[18:19:37]   Checking kernel module names                    [ OK ]
[18:19:37]
[18:19:37] Checking the network...
[18:19:37] Info: Starting test name 'network'
[18:19:37] Info: Starting test name 'ports'
[18:19:37]
[18:19:37] Performing check for backdoor ports
[18:19:37] Info: Disabling pathnames and '*' in PORT_WHITELIST setting: no 'lsof' command present.
[18:19:38]   Checking for TCP port 1524                      [ Not found ]
[18:19:38]   Checking for TCP port 1984                      [ Not found ]
[18:19:38]   Checking for UDP port 2001                      [ Not found ]
[18:19:39]   Checking for TCP port 2006                      [ Not found ]
[18:19:39]   Checking for TCP port 2128                      [ Not found ]
[18:19:39]   Checking for TCP port 6666                      [ Not found ]
[18:19:40]   Checking for TCP port 6667                      [ Not found ]
[18:19:40]   Checking for TCP port 6668                      [ Not found ]
[18:19:41]   Checking for TCP port 6669                      [ Not found ]
[18:19:41]   Checking for TCP port 7000                      [ Not found ]
[18:19:41]   Checking for TCP port 13000                     [ Not found ]
[18:19:42]   Checking for TCP port 14856                     [ Not found ]
[18:19:42]   Checking for TCP port 25000                     [ Not found ]
[18:19:42]   Checking for TCP port 29812                     [ Not found ]
[18:19:43]   Checking for TCP port 31337                     [ Not found ]
[18:19:43]   Checking for TCP port 33369                     [ Not found ]
[18:19:43]   Checking for TCP port 47107                     [ Not found ]
[18:19:44]   Checking for TCP port 47018                     [ Not found ]
[18:19:44]   Checking for TCP port 60922                     [ Not found ]
[18:19:44]   Checking for TCP port 62883                     [ Not found ]
[18:19:45]   Checking for TCP port 65535                     [ Not found ]
[18:19:45]
[18:19:45] Performing checks on the network interfaces
[18:19:45] Info: Starting test name 'promisc'
[18:19:45]   Checking for promiscuous interfaces             [ None found ]
[18:19:45]
[18:19:45] Info: Test 'packet_cap_apps' disabled at users request.
[18:19:45]
[18:19:45] Checking the local host...
[18:19:45] Info: Starting test name 'local_host'
[18:19:45]
[18:19:45] Performing system boot checks
[18:19:45] Info: Starting test name 'startup_files'
[18:19:45]   Checking for local host name                    [ Found ]
[18:19:45] Info: Starting test name 'startup_malware'
[18:19:45]   Checking for system startup files               [ Found ]
[18:19:46]   Checking system startup files for malware       [ None found ]
[18:19:46]
[18:19:46] Performing group and account checks
[18:19:46] Info: Starting test name 'group_accounts'
[18:19:46]   Checking for passwd file                        [ Found ]
[18:19:46] Info: Found password file: /etc/passwd
[18:19:46]   Checking for root equivalent (UID 0) accounts   [ None found ]
[18:19:46] Info: Found shadow file: /etc/shadow
[18:19:46]   Checking for passwordless accounts              [ None found ]
[18:19:46] Info: Starting test name 'passwd_changes'
[18:19:46]   Checking for passwd file changes                [ None found ]
[18:19:46] Info: Starting test name 'group_changes'
[18:19:46]   Checking for group file changes                 [ None found ]
[18:19:46]   Checking root account shell history files       [ OK ]
[18:19:46]
[18:19:46] Performing system configuration file checks
[18:19:46] Info: Starting test name 'system_configs'
[18:19:47]   Checking for SSH configuration file             [ Found ]
[18:19:47] Info: Found SSH configuration file: /etc/ssh/sshd_config
[18:19:47] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
[18:19:47] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '2'.
[18:19:47]   Checking if SSH root access is allowed          [ Not set ]
[18:19:47]   Checking if SSH protocol v1 is allowed          [ Not allowed ]
[18:19:47]   Checking for running syslog daemon              [ Found ]
[18:19:47]   Checking for syslog configuration file          [ Found ]
[18:19:47] Info: Found syslog configuration file: /etc/syslog-ng/syslog-ng.conf
[18:19:47]   Checking if syslog remote logging is allowed    [ Not allowed ]
[18:19:47]
[18:19:47] Performing filesystem checks
[18:19:47] Info: Starting test name 'filesystem'
[18:19:47] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:19:47]   Checking /dev for suspicious file types         [ Warning ]
[18:19:47] Warning: Suspicious file types found in /dev:
[18:19:47]          /dev/shm/sysconfig/if-eth0: ASCII text
[18:19:47]          /dev/shm/sysconfig/ifup-eth0: ASCII text
[18:19:47]          /dev/shm/sysconfig/ifup-lo: ASCII text
[18:19:47]          /dev/shm/sysconfig/if-lo: ASCII text
[18:19:47]          /dev/shm/sysconfig/network: ASCII text
[18:19:48]          /dev/shm/sysconfig/config-lo: ASCII text
[18:19:48]          /dev/shm/sysconfig/config-eth0: ASCII text
[18:19:48]          /dev/shm/sysconfig/new-stamp-2: ASCII text
[18:19:48]          /dev/shm/sysconfig/new-stamp-3: ASCII text
[18:19:48]   Checking for hidden files and directories       [ Warning ]
[18:19:48] Warning: Hidden directory found: /dev/.udev
[18:19:48]
[18:19:48] Checking application versions...
[18:19:48] Info: Starting test name 'apps'
[18:19:49] Info: Application 'exim' not found.
[18:19:49]   Checking version of GnuPG                       [ OK ]
[18:19:49] Info: Application 'gpg' version '2.0.9' found.
[18:19:49] Info: Application 'httpd' not found.
[18:19:49]   Checking version of Bind DNS                    [ Warning ]
[18:19:49] Warning: Application 'named', version '9.5.0', is out of date, and possibly a security risk.
[18:19:49]   Checking version of OpenSSL                     [ Warning ]
[18:19:50] Warning: Application 'openssl', version '0.9.8h', is out of date, and possibly a security risk.
[18:19:50]   Checking version of PHP                         [ OK ]
[18:19:50] Info: Application 'php' version '5.2.14' found.
[18:19:50] Info: Application 'procmail' not found.
[18:19:50]   Checking version of ProFTPd                     [ Skipped ]
[18:19:50] Info: Unable to obtain version number for 'proftpd': version option gives: ProFTPD Version 1.3.2e
[18:19:50]   Checking version of OpenSSH                     [ Warning ]
[18:19:50] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
[18:19:50] Info: Applications checked: 6 out of 9
[18:19:50]
[18:19:50] System checks summary
[18:19:50] =====================
[18:19:50]
[18:19:50] File properties checks...
[18:19:50] Files checked: 130
[18:19:50] Suspect files: 0
[18:19:50]
[18:19:50] Rootkit checks...
[18:19:50] Rootkits checked : 112
[18:19:50] Possible rootkits: 0
[18:19:50]
[18:19:50] Applications checks...
[18:19:50] Applications checked: 6
[18:19:50] Suspect applications: 3
[18:19:50]
[18:19:50] The system checks took: 1 minute and 25 seconds
[18:19:50]
[18:19:50] Info: End date is Mo 25. Okt 18:19:50 CEST 2010

Many thanks.

Stefan
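An added example, not part of Stefan's post and not rkhunter's own code: a small Python triage script that pulls the "Warning:" entries out of an rkhunter 1.3.x log, keeps the indented detail lines and the section each warning was raised in, and sorts them into coarse kinds. The embedded sample log is constructed from the warning lines of the post above (the [ OK ] and [ Not found ] lines are left out, as in the post). On that input it reconciles the summary's "Suspect applications: 3" with the three "out of date" warnings in the application-version section, and lists the other three warnings (the enabled ftp_psa xinetd service, the ASCII files under /dev/shm/sysconfig and the hidden /dev/.udev directory) separately so each can be reviewed on its own. The regular expressions, the kind names and the indentation rule for detail lines are assumptions about the 1.3.4 log format shown here, not something rkhunter documents.

```python
"""Triage helper for an rkhunter 1.3.x log: pull out the 'Warning:' entries,
attach their indented detail lines and the section they occurred in, and
classify them so the summary counts can be reconciled with the log body."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines in the shape of the log posted above, warnings only
# (the [ OK ] / [ Not found ] lines are omitted, as in the post).
SAMPLE_LOG = """\
[18:19:37] Performing trojan specific checks
[18:19:37]   Checking for enabled xinetd services            [ Warning ]
[18:19:37] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[18:19:47] Performing filesystem checks
[18:19:47]   Checking /dev for suspicious file types         [ Warning ]
[18:19:47] Warning: Suspicious file types found in /dev:
[18:19:47]          /dev/shm/sysconfig/if-eth0: ASCII text
[18:19:47]          /dev/shm/sysconfig/network: ASCII text
[18:19:48]   Checking for hidden files and directories       [ Warning ]
[18:19:48] Warning: Hidden directory found: /dev/.udev
[18:19:48] Checking application versions...
[18:19:49] Warning: Application 'named', version '9.5.0', is out of date, and possibly a security risk.
[18:19:50] Warning: Application 'openssl', version '0.9.8h', is out of date, and possibly a security risk.
[18:19:50] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
"""

# Assumed line shapes (taken from the 1.3.4 log above, not from rkhunter documentation).
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] ?(.*)$")
WARNING_RE = re.compile(r"^Warning:\s+(.*)$")
APP_RE = re.compile(r"Application '([^']+)', version '([^']+)', is out of date")


def classify(message: str, section: str) -> Dict:
    """Map one warning message to a coarse kind plus the fields worth keying on."""
    rec: Dict = {"section": section, "message": message, "details": []}
    app = APP_RE.search(message)
    if app:
        rec.update(kind="outdated_app", app=app.group(1), version=app.group(2))
    elif message.startswith("Found enabled xinetd service:"):
        rec.update(kind="xinetd_service", path=message.split(":", 1)[1].strip())
    elif message.startswith("Suspicious file types found in"):
        rec["kind"] = "dev_file_types"  # the offending paths follow as indented detail lines
    elif message.startswith(("Hidden directory found:", "Hidden file found:")):
        rec.update(kind="hidden_path", path=message.split(":", 1)[1].strip())
    else:
        rec["kind"] = "other"
    return rec


def parse_rkhunter_log(text: str) -> List[Dict]:
    """Return one record per 'Warning:' line, in log order."""
    warnings: List[Dict] = []
    section = ""
    current: Optional[Dict] = None  # record that deeply indented follow-up lines belong to
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(2)
        stripped = body.strip()
        # Section headers: "Performing ... checks" or "Checking the network..." style lines.
        if stripped.startswith("Performing ") or stripped.endswith("..."):
            section = stripped
            current = None
            continue
        w = WARNING_RE.match(stripped)
        if w:
            current = classify(w.group(1), section)
            warnings.append(current)
            continue
        # Detail lines under a warning are indented far past the "  Checking ..." column
        # and carry no "[ result ]" field; anything else ends the current warning.
        if current is not None and body.startswith("      ") and not stripped.startswith(("Checking", "Info:")):
            current["details"].append(stripped)
        else:
            current = None
    return warnings


def summarize(warnings: List[Dict]) -> Dict[str, int]:
    """Count warnings per kind, e.g. to reconcile with the 'Suspect applications' line."""
    return dict(Counter(w["kind"] for w in warnings))


def suspect_applications(warnings: List[Dict]) -> List[Tuple[str, str]]:
    """(name, version) of every application rkhunter flagged as out of date."""
    return sorted((w["app"], w["version"]) for w in warnings if w["kind"] == "outdated_app")


if __name__ == "__main__":
    found = parse_rkhunter_log(SAMPLE_LOG)
    for w in found:
        print(f"[{w['kind']}] {w['section']}: {w['message']}")
        for d in w["details"]:
            print("    " + d)
    print("per kind:", summarize(found))
    print("suspect applications:", suspect_applications(found))
```

Because only "Warning:" lines and their indented details are collected, the script gives the same result on a trimmed log like the one posted and on a full log with every [ OK ] and [ Not found ] line still present; to run it on a real file, read the file into a string and pass it to parse_rkhunter_log in place of SAMPLE_LOG.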
 