Rootkit Hunter


I tried installing Rootkit Hunter on Fedora Core 4.

Running it first

Below is the output of the first run, with my notes on it.

Rootkit Hunter 1.2.7 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Because the OS was detected as Unknown, the MD5-related checks are not performed. On other systems I tried, this message did not appear:

Determining OS... Ready

Since the MD5 checks cannot be performed, this section is simply skipped:

* System tools
     Skipped!

This is the check of the files under /bin and similar directories. When a system whose files have been tampered with is scanned, the output looks like this:

* System tools
  Performing 'known good' check...
   /bin/cat                                                   [ BAD ]
   /bin/chmod                                                 [ BAD ]
   /bin/chown                                                 [ BAD ]
   /bin/dmesg                                                 [ OK ]
   /bin/egrep                                                 [ BAD ]

and the tampered files are reported as [ BAD ].

I wanted the MD5 checks too, so on to the next step.

Enabling the MD5 checks for Fedora Core 4

To support Fedora Core 4, one file has to be edited. The directory into which the archive was extracted contains a subdirectory named files, and in it is os.dat:

rkhunter/files/os.dat

Open the file in vi or another editor and add the following line at line 97:

178:Fedora Core release 4 (Stentz) (i386):/usr/bin/md5sum:/bin:

After saving the file, go back to the rkhunter directory and run the installer again:

# cd ..
# ./installer.sh
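The os.dat edit above done as a script, as an added example that is not part of the original page or of the rkhunter project: the entry is inserted only if it is not already present and its id is not already taken, after a check of its shape. The function names are hypothetical; the entry line is the one from the page.

```shell
#!/bin/sh
# Added example, not from the page or the rkhunter project: insert the
# Fedora Core 4 definition into files/os.dat only if it is not already
# there, after checking its shape.  add_os_entry/os_entry_ok are
# hypothetical helper names; the entry line itself is the one from the page.
FC4_ENTRY='178:Fedora Core release 4 (Stentz) (i386):/usr/bin/md5sum:/bin:'

# os_entry_ok LINE -> 0 if LINE has the id:os-name:md5sum-path:bindir: shape
os_entry_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:[^:]+:/[^:]+:/[^:]*:$'
}

# add_os_entry FILE LINE [N]
# Inserts LINE so that it becomes line N of FILE (appends when N is omitted),
# unless FILE already contains LINE or already uses LINE's numeric id.
# Prints one word describing what happened; non-zero status on refusal.
add_os_entry() {
    file=$1; entry=$2; at=${3:-}
    os_entry_ok "$entry" || { echo "malformed"; return 2; }
    id=${entry%%:*}
    if grep -Fxq -- "$entry" "$file"; then
        echo "present"; return 0
    fi
    if grep -Eq "^$id:" "$file"; then
        echo "id-clash"; return 3          # same id, different OS string
    fi
    if [ -n "$at" ]; then
        # print the new entry just before line N; append if the file is shorter
        awk -v n="$at" -v e="$entry" 'NR == n { print e } { print }
             END { if (NR < n) print e }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$entry" >> "$file"
    fi
    echo "added"
}
```

After the entry is in place, run ./installer.sh again exactly as on the page.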

Now, when Rootkit Hunter is run again, it recognizes Fedora Core 4.

Reading the output of a second run

Run the following command to run all the checks in one go:

# /usr/local/bin/rkhunter -c --skip-keypress
Rootkit Hunter 1.2.7 is running

Determining OS... Ready

This time the OS is recognized.

Checking binaries - checking the system commands

This checks the md5sum of each command to confirm it has not been tampered with. Nothing seems to have been tampered with here (incidentally, this machine is the one I use as a desktop...).

Checking binaries
* Selftests
     Strings (command)                                        [ OK ]


* System tools
Info: prelinked files found
  Performing 'known bad' check...
   /bin/cat                                                   [ OK ]
   /bin/chmod                                                 [ OK ]
   /bin/chown                                                 [ OK ]
   /bin/csh                                                   [ OK ]
   /bin/date                                                  [ OK ]
   /bin/df                                                    [ OK ]
   /bin/dmesg                                                 [ OK ]
   /bin/echo                                                  [ OK ]
   /bin/ed                                                    [ OK ]
   /bin/egrep                                                 [ OK ]
   /bin/env                                                   [ OK ]
   /bin/fgrep                                                 [ OK ]
   /bin/grep                                                  [ OK ]
   /bin/kill                                                  [ OK ]
   /bin/login                                                 [ OK ]
   /bin/ls                                                    [ OK ]
   /bin/more                                                  [ OK ]
   /bin/mount                                                 [ OK ]
   /bin/netstat                                               [ OK ]
   /bin/ps                                                    [ OK ]
   /bin/sh                                                    [ OK ]
   /bin/sort                                                  [ OK ]
   /bin/su                                                    [ OK ]
   /sbin/chkconfig                                            [ OK ]
   /sbin/depmod                                               [ OK ]
   /sbin/ifconfig                                             [ OK ]
   /sbin/ifdown                                               [ OK ]
   /sbin/ifup                                                 [ OK ]
   /sbin/init                                                 [ OK ]
   /sbin/insmod                                               [ OK ]
   /sbin/ip                                                   [ OK ]
   /sbin/lsmod                                                [ OK ]
   /sbin/modinfo                                              [ OK ]
   /sbin/modprobe                                             [ OK ]
   /sbin/nologin                                              [ OK ]
   /sbin/rmmod                                                [ OK ]
   /sbin/runlevel                                             [ OK ]
   /sbin/sulogin                                              [ OK ]
   /sbin/sysctl                                               [ OK ]
   /sbin/syslogd                                              [ OK ]
   /usr/bin/chattr                                            [ OK ]
   /usr/bin/du                                                [ OK ]
   /usr/bin/file                                              [ OK ]
   /usr/bin/find                                              [ OK ]
   /usr/bin/groups                                            [ OK ]
   /usr/bin/head                                              [ OK ]
   /usr/bin/kill                                              [ OK ]
   /usr/bin/killall                                           [ OK ]
   /usr/bin/last                                              [ OK ]
   /usr/bin/lastlog                                           [ OK ]
   /usr/bin/less                                              [ OK ]
   /usr/bin/locate                                            [ OK ]
   /usr/bin/logger                                            [ OK ]
   /usr/bin/lsattr                                            [ OK ]
   /usr/bin/md5sum                                            [ OK ]
   /usr/bin/passwd                                            [ OK ]
   /usr/bin/pstree                                            [ OK ]
   /usr/bin/sha1sum                                           [ OK ]
   /usr/bin/size                                              [ OK ]
   /usr/bin/slocate                                           [ OK ]
   /usr/bin/stat                                              [ OK ]
   /usr/bin/strace                                            [ OK ]
   /usr/bin/strings                                           [ OK ]
   /usr/bin/test                                              [ OK ]
   /usr/bin/top                                               [ OK ]
   /usr/bin/users                                             [ OK ]
   /usr/bin/vmstat                                            [ OK ]
   /usr/bin/w                                                 [ OK ]
   /usr/bin/watch                                             [ OK ]
   /usr/bin/wc                                                [ OK ]
   /usr/bin/wget                                              [ OK ]
   /usr/bin/whatis                                            [ OK ]
   /usr/bin/whereis                                           [ OK ]
   /usr/bin/which                                             [ OK ]
   /usr/bin/who                                               [ OK ]
   /usr/bin/whoami                                            [ OK ]
   /usr/sbin/adduser                                          [ OK ]
   /usr/sbin/chroot                                           [ OK ]
   /usr/sbin/kudzu                                            [ OK ]
   /usr/sbin/tcpd                                             [ OK ]
   /usr/sbin/useradd                                          [ OK ]
   /usr/sbin/usermod                                          [ OK ]
   /usr/sbin/vipw                                             [ OK ]
   /usr/sbin/xinetd                                           [ OK ]
  Performing 'known good' check...

Check rootkits - checking for rootkits

This checks whether a rootkit has been planted on the system.

There are more well-known rootkits than I had realized.

Check rootkits
* Default files and directories
   Rootkit '55808 Trojan - Variant A'...                      [ OK ]
   ADM Worm...                                                [ OK ]
   Rootkit 'AjaKit'...                                        [ OK ]
   Rootkit 'aPa Kit'...                                       [ OK ]
   Rootkit 'Apache Worm'...                                   [ OK ]
   Rootkit 'Ambient (ark) Rootkit'...                         [ OK ]
   Rootkit 'Balaur Rootkit'...                                [ OK ]
   Rootkit 'BeastKit'...                                      [ OK ]
   Rootkit 'beX2'...                                          [ OK ]
   Rootkit 'BOBKit'...                                        [ OK ]
   Rootkit 'CiNIK Worm (Slapper.B variant)'...                [ OK ]
   Rootkit 'Danny-Boy's Abuse Kit'...                         [ OK ]
   Rootkit 'Devil RootKit'...                                 [ OK ]
   Rootkit 'Dica'...                                          [ OK ]
   Rootkit 'Dreams Rootkit'...                                [ OK ]
   Rootkit 'Duarawkz'...                                      [ OK ]
   Rootkit 'Flea Linux Rootkit'...                            [ OK ]
   Rootkit 'FreeBSD Rootkit'...                               [ OK ]
   Rootkit 'Fuck`it Rootkit'...                               [ OK ]
   Rootkit 'GasKit'...                                        [ OK ]
   Rootkit 'Heroin LKM'...                                    [ OK ]
   Rootkit 'HjC Kit'...                                       [ OK ]
   Rootkit 'ignoKit'...                                       [ OK ]
   Rootkit 'ImperalsS-FBRK'...                                [ OK ]
   Rootkit 'Irix Rootkit'...                                  [ OK ]
   Rootkit 'Kitko'...                                         [ OK ]
   Rootkit 'Knark'...                                         [ OK ]
   Rootkit 'Li0n Worm'...                                     [ OK ]
   Rootkit 'Lockit / LJK2'...                                 [ OK ]
   Rootkit 'MRK'...                                           [ OK ]
   Rootkit 'Ni0 Rootkit'...                                   [ OK ]
   Rootkit 'RootKit for SunOS / NSDAP'...                     [ OK ]
   Rootkit 'Optic Kit (Tux)'...                               [ OK ]
   Rootkit 'Oz Rootkit'...                                    [ OK ]
   Rootkit 'Portacelo'...                                     [ OK ]
   Rootkit 'R3dstorm Toolkit'...                              [ OK ]
   Rootkit 'RH-Sharpe's rootkit'...                           [ OK ]
   Rootkit 'RSHA's rootkit'...                                [ OK ]
   Sebek LKM                                                  [ OK ]
   Rootkit 'Scalper Worm'...                                  [ OK ]
   Rootkit 'Shutdown'...                                      [ OK ]
   Rootkit 'SHV4'...                                          [ OK ]
   Rootkit 'SHV5'...                                          [ OK ]
   Rootkit 'Sin Rootkit'...                                   [ OK ]
   Rootkit 'Slapper'...                                       [ OK ]
   Rootkit 'Sneakin Rootkit'...                               [ OK ]
   Rootkit 'Suckit Rootkit'...                                [ OK ]
   Rootkit 'SunOS Rootkit'...                                 [ OK ]
   Rootkit 'Superkit'...                                      [ OK ]
   Rootkit 'TBD (Telnet BackDoor)'...                         [ OK ]
   Rootkit 'TeLeKiT'...                                       [ OK ]
   Rootkit 'T0rn Rootkit'...                                  [ OK ]
   Rootkit 'Trojanit Kit'...                                  [ OK ]
   Rootkit 'Tuxtendo'...                                      [ OK ]
   Rootkit 'URK'...                                           [ OK ]
   Rootkit 'VcKit'...                                         [ OK ]
   Rootkit 'Volc Rootkit'...                                  [ OK ]
   Rootkit 'X-Org SunOS Rootkit'...                           [ OK ]
   Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]

* Suspicious files and malware
   Scanning for known rootkit strings                         [ OK ]
   Scanning for known rootkit files                           [ OK ]
   Testing running processes...                               [ OK ]
   Miscellaneous Login backdoors                              [ OK ]
   Miscellaneous directories                                  [ OK ]
   Software related files                                     [ OK ]
   Sniffer logs                                               [ OK ]

* Trojan specific characteristics
   shv4
     Checking /etc/rc.d/rc.sysinit
       Test 1                                                 [ Clean ]
       Test 2                                                 [ Clean ]
       Test 3                                                 [ Clean ]
     Checking /etc/inetd.conf                                 [ Not found ]
     Checking /etc/xinetd.conf                                [ Clean ]

* Suspicious file properties
   chmod properties
     Checking /bin/ps                                         [ Clean ]
     Checking /bin/ls                                         [ Clean ]
     Checking /usr/bin/w                                      [ Clean ]
     Checking /usr/bin/who                                    [ Clean ]
     Checking /bin/netstat                                    [ Clean ]
     Checking /bin/login                                      [ Clean ]
   Script replacements
     Checking /bin/ps                                         [ Clean ]
     Checking /bin/ls                                         [ Clean ]
     Checking /usr/bin/w                                      [ Clean ]
     Checking /usr/bin/who                                    [ Clean ]
     Checking /bin/netstat                                    [ Clean ]
     Checking /bin/login                                      [ Clean ]

* OS dependant tests

   Linux
     Checking loaded kernel modules...                        [ OK ]
     Checking files attributes                                [ OK ]
     Checking LKM module path                                 [ OK ]

Networking - network check

It seems to check the ports that major rootkits use for their backdoors.

Networking
* Check: frequently used backdoors
  Port 2001: Scalper Rootkit                                  [ OK ]
  Port 2006: CB Rootkit                                       [ OK ]
  Port 2128: MRK                                              [ OK ]
  Port 14856: Optic Kit (Tux)                                 [ OK ]
  Port 47107: T0rn Rootkit                                    [ OK ]
  Port 60922: zaRwT.KiT                                       [ OK ]

* Interfaces
     Scanning for promiscuous interfaces                      [ OK ]

System checks - system check

This checks that nothing odd has been planted in the startup scripts and the like.

System checks
* Allround tests
   Checking hostname... Found. Hostname is sion
   Checking for passwordless user accounts... OK
   Checking for differences in user accounts... OK. No changes.
   Checking for differences in user groups... OK. No changes.
   Checking boot.local/rc.local file...
     - /etc/rc.local                                          [ OK ]
     - /etc/rc.d/rc.local                                     [ OK ]
     - /usr/local/etc/rc.local                                [ Not found ]
     - /usr/local/etc/rc.d/rc.local                           [ Not found ]
     - /etc/conf.d/local.start                                [ Not found ]
     - /etc/init.d/boot.local                                 [ Not found ]
   Checking rc.d files...
     Processing........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........................................
               ........
   Result rc.d files check                                    [ OK ]
   Checking history files
     Bourne Shell                                             [ OK ]

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
 /dev/.udevdb /etc/.pwd.lock
---------------
Please inspect:  /dev/.udevdb (directory)

Here the hidden files /dev/.udevdb and /etc/.pwd.lock got caught and a Warning! was reported.

  • /dev/.udevdb (directory): the device directory used by the kernel's device management (udev's database), so this is not a problem (for the directory itself, see the udev documentation).
  • /etc/.pwd.lock: the lock file for /etc/passwd. Not a problem.

Application advisories - advice on applications

A warning is issued when a version is old. These versions do not seem to be recognized yet.

Application advisories
* Application scan
   Checking Apache2 modules ...                               [ Not found ]
   Checking Apache configuration ...                          [ OK ]

* Application version scan
   - GnuPG 1.4.1                                              [ OK ]
   - Apache 2.0.54                                            [ Unknown ]
   - Bind DNS 9.3.1                                           [ Unknown ]
   - OpenSSL 0.9.7f                                           [ Unknown ]
   - PHP 5.0.4                                                [ Unknown ]
   - PHP 4.3.11                                               [ OK ]
   - Procmail MTA 3.22                                        [ OK ]
   - OpenSSH 4.0p1                                            [ OK ]

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or fill in the contact form (www.rootkit.nl)

Incidentally, when I checked another of my systems (not Fedora Core 4), it pointed out that several versions are old... (I'll deal with that soon.)

   - Bind DNS 8.3.3                                           [ Old or patched version ]
   - OpenSSL 0.9.5a                                           [ Unknown ]
   - PHP 4.3.9                                                [ Old or patched version ]
   - Procmail MTA 3.14                                        [ Old or patched version ]
   - Procmail MTA 3.14                                        [ Old or patched version ]
   - ProFTPd 1.2.6                                            [ OK ]
   - OpenSSH t                                                [ Unknown ]

Security advisories - security advice

Here it flagged root login.

Security advisories
* Check: Groups and Accounts
   Searching for /etc/passwd...                               [ Found ]
   Checking users with UID '0' (root)...                      [ OK ]

* Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    info:
    Hint: See logfile for more information about this issue
    Checking for allowed protocols...                          [ Warning (SSH v1 allowed) ]

* Check: Events and Logging
   Search for syslog configuration...                         [ OK ]
   Checking for running syslog slave...                       [ OK ]
   Checking for logging to remote system...                   [ OK (no remote logging) ]

What it points out is:

   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!

this part.

Since there is no need to log in directly as root from a remote machine, change /etc/ssh/sshd_config:

PermitRootLogin no

Add this line to the file and restart sshd:

# /etc/init.d/sshd restart
sshd を停止中:                                              [  OK  ]
sshd を起動中:                                              [  OK  ]

After the change, the output is different:

   Found /etc/ssh/sshd_config
   Checking for allowed root login...                         [ OK (Remote root login disabled) ]
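The sshd_config change from this section, applied idempotently and re-checked the way Rootkit Hunter checks it, as an added example that is not the page's or OpenSSH's code. It also sets "Protocol 2", which addresses the "SSH v1 allowed" warning in the same output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the page's or OpenSSH's code): apply the sshd_config
# change from the page in an idempotent way and re-check it the way
# Rootkit Hunter does.  Function names are hypothetical.  Also sets
# "Protocol 2", which clears the "SSH v1 allowed" warning in the same output.

# first_value FILE KEYWORD -> first active value of KEYWORD, lower-cased.
# sshd uses the first occurrence of a keyword, so a "PermitRootLogin no"
# appended below an active "PermitRootLogin yes" would be ignored.
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# check_root_login FILE -> "disabled" only when the value is exactly "no";
# an absent directive falls back to the old default of "yes".
check_root_login() {
    case "$(first_value "$1" PermitRootLogin)" in
        no) echo disabled ;;
        *)  echo possible ;;
    esac
}

# check_protocol FILE -> "v2 only" or "v1 allowed" (default "2,1" allows v1)
check_protocol() {
    v=$(first_value "$1" Protocol)
    case "${v:-2,1}" in
        2) echo "v2 only" ;;
        *) echo "v1 allowed" ;;
    esac
}

# set_directive FILE KEYWORD VALUE: drop every active line for KEYWORD
# (commented lines are kept) and append "KEYWORD VALUE".
set_directive() {
    file=$1; key=$2; val=$3
    awk -v k="$key" 'tolower($1) != tolower(k) { print }' "$file" > "$file.tmp" \
        && printf '%s %s\n' "$key" "$val" >> "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# harden_sshd FILE: the page's PermitRootLogin change plus Protocol 2.
# Restart sshd afterwards, as on the page: /etc/init.d/sshd restart
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" Protocol 2
}
```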

Scan results - scan summary

The summary appears at the very end:

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 69 seconds

It says the scan took 69 seconds. No rootkit was detected. Probably.

Incidentally, if a rootkit has gotten in or the system has otherwise been tampered with, the output looks something like this:

MD5
MD5 compared: 49
Incorrect MD5 checksums: 24

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 4
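Turning the two summaries above into an automatic verdict, as an added example that is not part of the original page or of rkhunter: it reads a saved run of "rkhunter -c --skip-keypress" and exits non-zero when the summary or a [ BAD ] line indicates tampering. The function name is hypothetical and the sample logs are constructed from the page's output.

```shell
#!/bin/sh
# Added example (not from the page or rkhunter): read a saved run of
# "rkhunter -c --skip-keypress" on stdin and decide from the summary whether
# the host needs attention, for use from cron or a central log collector.
# scan_verdict is a hypothetical name; the sample logs are constructed
# from the two summaries shown on the page.

# scan_verdict < LOG -> prints a verdict; exit status 1 when the scan
# reports bad checksums, possibly infected files or [ BAD ] binaries.
scan_verdict() {
    awk '
        /^Incorrect MD5 checksums:/ { bad += $4 }
        /^Possible infected files:/ { bad += $4 }
        /^Vulnerable applications:/ { vuln += $3 }
        /\[ BAD \]/                 { files = files " " $1 }   # e.g. /bin/cat
        /\[ Warning/                { warn++ }
        END {
            if (bad > 0 || files != "") { print "suspect:" files; exit 1 }
            printf "clean (warnings: %d, vulnerable apps: %d)\n", warn, vuln
        }'
}

# Constructed sample: the summary of the clean run shown on the page, with
# the hidden-files warning from the same run.
CLEAN_LOG='   Scanning for hidden files...                               [ Warning! ]
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 69 seconds'

# Constructed sample: the compromised-system summary from the page plus two
# [ BAD ] lines from its earlier "known good" output.
BAD_LOG='   /bin/cat                                                   [ BAD ]
   /bin/chmod                                                 [ BAD ]
MD5
MD5 compared: 49
Incorrect MD5 checksums: 24

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 4'

printf '%s\n' "$CLEAN_LOG" | scan_verdict
printf '%s\n' "$BAD_LOG" | scan_verdict
```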

In such a state, I recommend promptly disconnecting the machine from the network and reinstalling the OS (a clean install), so that it does not cause damage to other machines or the network.


Last-modified: Tue, 19 Jul 2005 00:24:39 JST (6850d)