Rootkit Hunter - Ubuntu
Rootkit Hunter
Seems like it is working pretty good ...
Date: Mon, 30 Jul 2007 07:36:05 -0700
From: root
Subject: [rkhunter] Daily run
Scanning for packet capturing applications... [ Warning! ]
Warning! Found packet capturing application. Please check the logfile.
Scanning for hidden files... [ Warning! ]
-----------------------------------------------------------------
Found warnings:
[07:36:01] Checking for packet capturing applications... Warning
[07:36:03] Warning! Process /usr/bin/etherape (24067) listening
[07:36:03] Warning! Process /usr/sbin/avahi-autoipd (6667) listening
[07:36:03] Warning! Process /sbin/dhclient3 (5202) listening
[07:36:03] Warning! Process /sbin/dhclient3 (6672) listening
[07:36:04] WARNING, found: /etc/.java (directory) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
-----------------------------------------------------------------
If you're unsure about the results above, please contact the
Rootkit Hunter team through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Some errors has been found while checking. Please perform a manual check on this machine (TheMightyWurlitzer)
--
Posted via a free Usenet account from http://www.teranews.com
-
Re: Rootkit Hunter
On 09 Sep 2007 21:49:46 GMT CWO4 Dave Mann wrote:
> Seems like it is working pretty good ...
But needs some tweaking. (:
> Date: Mon, 30 Jul 2007 07:36:05 -0700
> From: root
> Subject: [rkhunter] Daily run
> Scanning for packet capturing applications... [ Warning! ]
> Warning! Found packet capturing application. Please check the logfile.
> Scanning for hidden files... [ Warning! ]
> -----------------------------------------------------------------
> Found warnings:
> [07:36:01] Checking for packet capturing applications... Warning
> [07:36:03] Warning! Process /usr/bin/etherape (24067) listening
http://linux.die.net/man/1/etherape
> [07:36:03] Warning! Process /usr/sbin/avahi-autoipd (6667) listening
http://linux.die.net/man/8/avahi-autoipd
> [07:36:03] Warning! Process /sbin/dhclient3 (5202) listening
> [07:36:03] Warning! Process /sbin/dhclient3 (6672) listening
http://www.penguin-soft.com/penguin/...dhclient3.html
> [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static
/etc/.java:
http://www.google.com/search?q=%2Fet...ient=firefox-a
/dev/.static:
http://ubuntuforums.org/archive/index.php/t-130215.html
> (directory) /dev/.udev (directory) /dev/.initramfs (directory)
http://www.nabble.com/understanding-...-t3710753.html
--
Little Girl
There is no spoon.
-
Re: Rootkit Hunter
On Sun, 9 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
<46e4bc7d$0$18917$4c368faf@roadrunner.com>, Little Girl wrote:
>Dave Mann wrote:
>> Seems like it is working pretty good ...
You may want to review the thread back in November 2005 in alt.os.linux
and comp.os.linux.misc "rootkit question"
>But needs some tweaking. (:
Tweaking as in 'rm -rf /usr/local/rkhunter'
>> Found warnings:
>> [07:36:01] Checking for packet capturing applications... Warning
Dave - it's a script. Search for the string 'Checking for packet
capturing applications' and see what it's doing
>> [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static
and search for that in the script as well.
>http://www.nabble.com/understanding-...-t3710753.html
'rkhunter' and 'chkrootkit' are examples of very poorly thought out shell
scripts that are of little use. I've yet to hear of anyone actually
finding a real root kit using them, because they are so easy to bypass.
Both "tools" look for the '55808' worm, by looking for a file named
/tmp/.../a or /tmp/.../r. Now if the malware author does something
really unexpected like changing the filename to /tmp/.../A - or indeed
_ANYTHING_ else, it won't be found. Now, no malware author would be
that sneaky, right? The scripts also false alarm by using 'grep'
to look for filenames, and panic if they find the string they are
searching for - nearly always the string is embedded in something
otherwise innocent (such as 'adore' - a particularly old worm - in the
word 'Isadore' - someone's name). Using the -w option to grep might help
here, but that causes other problems.
If you want an intrusion detector, look at 'tripwire' or its modern
replacement 'aide'.
Old guy
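The grep behaviour described above (a substring hit on 'adore' inside 'Isadore', and the side effects of reaching for -w) is easy to reproduce. The script below is an added example written for this page, not code from rkhunter, chkrootkit or anyone in the thread; the list of pathnames is constructed for the demonstration and does not come from any real indicator list. It runs the same indicator string through three matching strategies so the false-positive and false-negative trade-off is visible side by side.

```shell
#!/bin/sh
# Constructed list of pathnames standing in for what a filesystem walk would
# feed such a scanner; none of these come from rkhunter's real indicator lists.
SAMPLE_PATHS='/home/isadore/notes.txt
/usr/share/doc/Isadore-README
/tmp/adore
/lib/modules/adore_ng.ko'

# 1. Substring match, as the post describes: any path containing "adore"
#    is flagged, so a user named Isadore trips the alarm twice.
naive_count() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -i -c -- 'adore'
}

# 2. Whole-word match with grep -w. The Isadore paths no longer match, but
#    grep treats "_" as a word character, so adore_ng.ko is now missed too:
#    the "other problems" the post alludes to.
word_count() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -i -w -c -- 'adore'
}

# 3. Exact full-path match (grep -x -F): no substring surprises in either
#    direction, at the cost of only ever finding the literal path listed.
#    This is the same weakness the post points out for /tmp/.../a.
exact_count() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -x -F -c -- '/tmp/adore'
}

# Side-by-side report so the trade-off is visible when run directly.
report() {
    printf 'substring match : %s hit(s)\n' "$(naive_count)"
    printf 'grep -w match   : %s hit(s)\n' "$(word_count)"
    printf 'exact path match: %s hit(s)\n' "$(exact_count)"
}

report
```

Running it shows 4 hits for the substring scan (two of them the innocent Isadore files), 1 hit for grep -w (the Isadore noise is gone, but so is adore_ng.ko), and 1 hit for the exact-path check. None of the three is a substitute for a baseline-and-compare integrity checker of the tripwire/aide kind, which is the point the post ends on.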
-
Re: Rootkit Hunter
On Mon, 10 Sep 2007 15:10:15 -0500:
> On Sun, 9 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
> <46e4bc7d$0$18917$4c368faf@roadrunner.com>, Little Girl wrote:
>
>>Dave Mann wrote:
>
>>> Seems like it is working pretty good ...
>
> You may want to review the thread back in November 2005 in alt.os.linux
> and comp.os.linux.misc "rootkit question"
>
>>But needs some tweaking. (:
>
> Tweaking as in 'rm -rf /usr/local/rkhunter'
>
>>> Found warnings:
>>> [07:36:01] Checking for packet capturing applications... Warning
>
> Dave - it's a script. Search for the string 'Checking for packet
> capturing applications' and see what it's doing
>
>>> [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static
>
> and search for that in the script as well.
>
>>http://www.nabble.com/understanding-...-t3710753.html
>
> 'rkhunter' and 'chkrootkit' are examples of very poorly thought out shell
> scripts that are of little use. I've yet to hear of anyone actually
> finding a real root kit using them, because they are so easy to bypass.
> Both "tools" look for the '55808' worm, by looking for a file named
> /tmp/.../a or /tmp/.../r. Now if the malware author does something
> really unexpected like changing the filename to /tmp/.../A - or indeed
> _ANYTHING_ else, it won't be found. Now, no malware author would be
> that sneaky, right? The scripts also false alarm by using 'grep'
> to look for filenames, and panic if they find the string they are
> searching for - nearly always the string is embedded in something
> otherwise innocent (such as 'adore' - a particularly old worm - in the
> word 'Isadore' - someone's name). Using the -w option to grep might help
> here, but that causes other problems.
>
> If you want an intrusion detector, look at 'tripwire' or its modern
> replacement 'aide'.
>
> Old guy
Hi Moe, thanks muchly for the info and guidance. I'll plug in tripwire
and see what she says.
Glad I don't need this for my IBM 5101, but the guy already returned to
the future didn't he?
Cheers!
Dave