Rootkit Hunter - Ubuntu


Thread: Rootkit Hunter

  1. Rootkit Hunter

    Seems like it is working pretty good ...

    Date: Mon, 30 Jul 2007 07:36:05 -0700
    From: root
    Subject: [rkhunter] Daily run

    Scanning for packet capturing applications... [ Warning! ]
    Warning! Found packet capturing application. Please check the logfile.
    Scanning for hidden files... [ Warning! ]
    -----------------------------------------------------------------

    Found warnings:
    [07:36:01] Checking for packet capturing applications... Warning
    [07:36:03] Warning! Process /usr/bin/etherape (24067) listening
    [07:36:03] Warning! Process /usr/sbin/avahi-autoipd (6667) listening
    [07:36:03] Warning! Process /sbin/dhclient3 (5202) listening
    [07:36:03] Warning! Process /sbin/dhclient3 (6672) listening
    [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

    -----------------------------------------------------------------

    If you're unsure about the results above, please contact the
    Rootkit Hunter team through the Rootkit Hunter mailinglist
    at rkhunter-users@lists.sourceforge.net.
    Some errors has been found while checking. Please perform a manual check on this machine (TheMightyWurlitzer)

    --
    Posted via a free Usenet account from http://www.teranews.com


  2. Re: Rootkit Hunter

    On 09 Sep 2007 21:49:46 GMT CWO4 Dave Mann wrote:

    > Seems like it is working pretty good ...


    But needs some tweaking. (:

    > Date: Mon, 30 Jul 2007 07:36:05 -0700
    > From: root
    > Subject: [rkhunter] Daily run


    > Scanning for packet capturing applications... [ Warning! ]
    > Warning! Found packet capturing application. Please check the logfile.
    > Scanning for hidden files... [ Warning! ]
    > -----------------------------------------------------------------


    > Found warnings:
    > [07:36:01] Checking for packet capturing applications... Warning
    > [07:36:03] Warning! Process /usr/bin/etherape (24067) listening


    http://linux.die.net/man/1/etherape

    > [07:36:03] Warning! Process /usr/sbin/avahi-autoipd (6667) listening


    http://linux.die.net/man/8/avahi-autoipd

    > [07:36:03] Warning! Process /sbin/dhclient3 (5202) listening
    > [07:36:03] Warning! Process /sbin/dhclient3 (6672) listening


    http://www.penguin-soft.com/penguin/...dhclient3.html

    > [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static


    /etc/.java:
    http://www.google.com/search?q=%2Fet...ient=firefox-a

    /dev/.static:
    http://ubuntuforums.org/archive/index.php/t-130215.html

    > (directory) /dev/.udev (directory) /dev/.initramfs (directory)


    http://www.nabble.com/understanding-...-t3710753.html

    --
    Little Girl

    There is no spoon.

  3. Re: Rootkit Hunter

    On Sun, 9 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
    <46e4bc7d$0$18917$4c368faf@roadrunner.com>, Little Girl wrote:

    >Dave Mann wrote:


    >> Seems like it is working pretty good ...


    You may want to review the thread back in November 2005 in alt.os.linux
    and comp.os.linux.misc "rootkit question"

    >But needs some tweaking. (:


    Tweaking as in 'rm -rf /usr/local/rkhunter'

    >> Found warnings:
    >> [07:36:01] Checking for packet capturing applications... Warning


    Dave - it's a script. Search for the string 'Checking for packet
    capturing applications' and see what it's doing

    >> [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static


    and search for that in the script as well.

    >http://www.nabble.com/understanding-...-t3710753.html


    'rkhunter' and 'chkrootkit' are examples of very poorly thought out shell
    scripts that are of little use. I've yet to hear of anyone actually
    finding a real root kit using them, because they are so easy to bypass.
    Both "tools" look for the '55808' worm, by looking for a file named
    /tmp/.../a or /tmp/.../r. Now if the mal-ware author does something
    really unexpected like changing the filename to /tmp/.../A - or indeed
    _ANYTHING_ else, it won't be found. Now, no malware author would be
    that sneaky, right? The scripts also false alarm by using 'grep'
    to look for filenames, and panic if they find the string they are
    searching for - nearly always the string is embedded in something
    otherwise innocent (such as 'adore' - a particularly old worm - in the
    word 'Isadore' - someone's name). Using the -w option to grep might help
    here, but that causes other problems.

    If you want an intrusion detector, look at 'tripwire' or its modern
    replacement 'aide'.

    Old guy

  4. Re: Rootkit Hunter

    On Mon, 10 Sep 2007 15:10:15 -0500:

    > On Sun, 9 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
    > <46e4bc7d$0$18917$4c368faf@roadrunner.com>, Little Girl wrote:
    >
    >>Dave Mann wrote:

    >
    >>> Seems like it is working pretty good ...

    >
    > You may want to review the thread back in November 2005 in alt.os.linux
    > and comp.os.linux.misc "rootkit question"
    >
    >>But needs some tweaking. (:

    >
    > Tweaking as in 'rm -rf /usr/local/rkhunter'
    >
    >>> Found warnings:
    >>> [07:36:01] Checking for packet capturing applications... Warning

    >
    > Dave - it's a script. Search for the string 'Checking for packet
    > capturing applications' and see what it's doing
    >
    >>> [07:36:04] WARNING, found: /etc/.java (directory) /dev/.static

    >
    > and search for that in the script as well.
    >
    >>http://www.nabble.com/understanding-...-t3710753.html

    >
    > 'rkhunter' and 'chkrootkit' are examples of very poorly thought out shell
    > scripts that are of little use. I've yet to hear of anyone actually
    > finding a real root kit using them, because they are so easy to bypass.
    > Both "tools" look for the '55808' worm, by looking for a file named
    > /tmp/.../a or /tmp/.../r. Now if the mal-ware author does something
    > really unexpected like changing the filename to /tmp/.../A - or indeed
    > _ANYTHING_ else, it won't be found. Now, no malware author would be
    > that sneaky, right? The scripts also false alarm by using 'grep'
    > to look for filenames, and panic if they find the string they are
    > searching for - nearly always the string is embedded in something
    > otherwise innocent (such as 'adore' - a particularly old worm - in the
    > word 'Isadore' - someone's name). Using the -w option to grep might help
    > here, but that causes other problems.
    >
    > If you want an intrusion detector, look at 'tripwire' or its modern
    > replacement 'aide'.
    >
    > Old guy



    Hi Moe, thanks muchly for the info and guidance. I'll plug in tripwire
    and see what she says.

    Glad I don't need this for my IBM 5101, but the guy already returned to
    the future, didn't he?

    Cheers!

    Dave

    --
    Posted via a free Usenet account from http://www.teranews.com
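Tripwire and AIDE, recommended in the previous reply and about to be tried here, work on a different principle from name matching: a baseline of file hashes is recorded once, and later runs report any file whose content changed or that appeared or disappeared. The script below is an added example of that idea, not tripwire's or AIDE's own code; it assumes either `sha256sum` or `shasum` is installed and builds its demo tree in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not tripwire's or AIDE's code. Record a baseline of SHA-256
# hashes for every regular file under a directory, then report drift.

# Use whichever SHA-256 tool is installed (assumption: one of the two is).
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        xargs -0 sha256sum
    else
        xargs -0 shasum -a 256
    fi
}

# One line per regular file, "<sha256>  <path>", sorted so diffs are stable.
# $1 = directory to watch, $2 = baseline file (keep it outside $1).
make_baseline() {
    find "$1" -type f -print0 | sort -z | hash_files > "$2"
}

# Rehash the tree and diff it against the baseline. Prints each differing
# line ("<" = baseline, ">" = current) and returns 1 if anything changed,
# 0 if the tree still matches.
check_baseline() {
    current=$(mktemp)
    find "$1" -type f -print0 | sort -z | hash_files > "$current"
    drift=$(diff "$2" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Constructed walk-through: baseline a tiny tree, then modify it.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/bin"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$tree/bin/ls"
    printf 'PermitRootLogin no\n' > "$tree/sshd_config"
    make_baseline "$tree" "$tree.baseline"

    echo "clean tree:"
    check_baseline "$tree" "$tree.baseline" && echo "  no drift"

    # Overwrite one file and add a dotfile; both show up in the diff.
    printf '#!/bin/sh\nexec /bin/ls -a "$@"\n' > "$tree/bin/ls"
    printf 'x\n' > "$tree/.hidden"
    echo "after changes:"
    check_baseline "$tree" "$tree.baseline" || echo "  drift detected"

    rm -rf "$tree" "$tree.baseline"
}
demo
```

The baseline is only as trustworthy as the machine it was taken on and the place it is stored: the real tools sign the database and keep it off the monitored host or on read-only media, because a baseline that an intruder can rewrite after the fact detects nothing.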

