FreeBSD Server Administration


August 17, 2005

Rootkit Hunter - Another Root Kits Checking Tool

I have tried chkrootkit, and I think it's a very good tool. The book "Mastering FreeBSD and OpenBSD Security", a security bible to me, only mentioned Rootkit Hunter, so I decided to give it a try.

Install
# cd /usr/ports/security/rkhunter/
# make install clean
# rehash

Check for database updates
# rkhunter --update

Perform a complete scan
# rkhunter -c

I got two warnings: one is the hidden directory /usr/.snap, the other is the toor account; both are actually normal on a FreeBSD system. /usr/.snap is the directory UFS uses for filesystem snapshots, and toor is FreeBSD's stock alternate superuser account (UID 0), which ships with its password field disabled ("*" in /etc/master.passwd). The second warning still deserves a glance after every run, because an extra UID-0 account is a common way to plant a backdoor: confirm that toor is still locked and that no other UID-0 entry has appeared. Later versions of rkhunter let you whitelist both findings in rkhunter.conf (ALLOWHIDDENDIR and UID0_ACCOUNTS) so they stop cluttering the cron reports. The full report is attached below.
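The toor warning is the one to check routinely rather than wave through. The script below is an added example, not code from this post or from rkhunter: it reads a file in passwd or master.passwd format on stdin and lists the UID-0 accounts that are neither root nor locked, which is exactly the set that needs investigation. Run as root it reads /etc/master.passwd (the only file that carries the real password field on FreeBSD); otherwise it runs on the embedded sample, whose account names and hashes are constructed.

```shell
#!/bin/sh
# Triage for rkhunter's "users with UID 0" warning. Added example, not from the
# post or from rkhunter. Input is passwd or master.passwd format on stdin; the
# FreeBSD master.passwd layout is
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Print "<name> <state>" for every UID-0 account. The state is "locked" when
# the password field is "*" or "*LOCKED*..." (no password login possible),
# otherwise "enabled".
uid0_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }                  # comments, blank or short lines
        $3 == 0 {
            s = ($2 == "*" || $2 ~ /^\*LOCKED\*/) ? "locked" : "enabled"
            print $1, s
        }'
}

# Names of UID-0 accounts that are neither root nor locked: on a stock FreeBSD
# system this prints nothing, because toor is shipped locked.
suspicious_uid0() {
    uid0_accounts | awk '$1 != "root" && $2 == "enabled" { print $1 }'
}

# Constructed sample (not from a real host): the default root and toor entries
# plus a planted extra superuser.
SAMPLE='# $FreeBSD$
root:$1$salt$hash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
backdoor:$1$evil$hash:0:0::0:0:admin:/tmp:/bin/sh'

if [ "$(id -u)" -eq 0 ] && [ -r /etc/master.passwd ]; then
    suspicious_uid0 < /etc/master.passwd
else
    printf '%s\n' "$SAMPLE" | suspicious_uid0
fi
```

On the sample the script prints only "backdoor"; toor is reported as locked and root is excluded by name.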

Compared to chkrootkit, the check takes longer and seems more thorough, and the output is easier to read thanks to the colour highlighting.

For a cron job, its FAQ suggests the "--quiet" parameter so that only the warning messages are printed, but the output is not usable as it stands:

# rkhunter -c --cronjob --quiet
Line:
[ Warning! ]
Line: [ Warning! ]
[ Warning! (some users in root group) ]


To perform a daily scan, the cron job looks like:

MAILTO=root
0 3 * * * /usr/local/bin/rkhunter -c --cronjob

(Executes at 3:00 am. MAILTO= is the crontab variable that delivers the job's output to root; "MAIL root" without the equals sign is not valid crontab syntax.)
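That crontab mails the whole report every night whether or not anything was found, and "--quiet" strips too much. A wrapper that runs the update and the scan and mails root only the warning blocks sits between the two. The script below is an added example, not code from the post or from rkhunter; it uses only the rkhunter options shown on this page (--update, -c, --cronjob) and assumes the port's binary path /usr/local/bin/rkhunter, a log file /var/log/rkhunter-daily.log and an install location of /usr/local/sbin/rkhunter-daily.sh, all of which are assumptions. Without an argument it runs its filter on a built-in sample report constructed from lines like the ones above; with the argument "run" it does the real scan.

```shell
#!/bin/sh
# Daily rkhunter wrapper for cron. Added example, not code from the post or
# from rkhunter. Assumed paths: the port's /usr/local/bin/rkhunter (as used in
# the post) and a log file under /var/log; both can be overridden from the
# environment.
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOG=${LOG:-/var/log/rkhunter-daily.log}

# Reduce a full report to its actionable part: every "[ Warning! ... ]" result
# line plus the detail lines that follow it (listed paths, "info:", "Please
# inspect:"). A blank line or the next non-warning result line ("[ OK ]",
# "[ Clean ]", ...) closes a warning block. Reads the report on stdin.
rkh_warnings() {
    awk '
        /\[ Warning!/        { print; keep = 1; next }
        /\[ / || /^[ \t]*$/  { keep = 0; next }
        keep                 { print }
    '
}

# Exit status 0 when the report on stdin contains at least one warning.
rkh_has_warnings() {
    grep -q '\[ Warning!'
}

# Refresh the database, run the full check, keep the complete log on disk and
# mail root only the warning blocks, so a clean night produces no mail at all.
run_daily() {
    "$RKHUNTER" --update >/dev/null 2>&1 || true   # a failed update must not skip the scan
    "$RKHUNTER" -c --cronjob >"$LOG" 2>&1
    if rkh_has_warnings <"$LOG"; then
        rkh_warnings <"$LOG" | mail -s "rkhunter warnings on $(hostname)" root
    fi
}

# Constructed sample report (modelled on the output shown in the post), used
# only to demonstrate the filter when the script is run without "run".
SAMPLE_REPORT=$(cat <<'EOF'
Checking /usr/bin/w                         [ OK ]
Scanning for hidden files...                [ Warning! ]
---------------
/usr/.snap
---------------
Please inspect: /usr/.snap (directory)

Checking users with UID '0' (root)...       [ Warning! (some users in root group) ]
info: toor:0
Checking for allowed root login...          [ OK (Remote root login disabled) ]
EOF
)

case "${1:-}" in
    run) run_daily ;;
    *)   printf '%s\n' "$SAMPLE_REPORT" | rkh_warnings ;;
esac
```

With the script installed at the assumed path, the crontab entry becomes "0 3 * * * /usr/local/sbin/rkhunter-daily.sh run"; MAILTO is then only needed for the script's own errors, since the filtered report is mailed explicitly. On the sample the filter keeps the two warning blocks (seven lines, including the /usr/.snap path and "info: toor:0") and drops both "[ OK ]" lines.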


Sample output

Determining OS... Ready

Checking binaries
* Selftests
Strings (command) [ OK ]

* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/kill [ OK ]
/bin/ls [ OK ]
/bin/ps [ OK ]
/sbin/dmesg [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/mount [ OK ]
/sbin/sysctl [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/login [ OK ]
/usr/bin/netstat [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/su [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/sbin/chown [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/syslogd [ OK ]
/usr/sbin/watch [ OK ]

Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ Skipped ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit [ Not found ]
Checking /etc/inetd.conf [ Clean ]
Checking /etc/xinetd.conf [ Skipped ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /usr/bin/netstat [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /usr/bin/netstat [ Clean ]

* OS dependant tests
FreeBSD
Checking presence of KLD signatures [ OK ]
Comparing output sockstat and netstat [ OK ]

Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]

System checks
* Allround tests
Checking hostname... Found. Hostname is zhen.pftalk.com
Checking for passwordless user accounts... Skipped
Checking for differences in user accounts... [ NA ]
Checking for differences in user groups... Creating file It seems this is your first time.
Checking boot.local/rc.local file...
- /etc/rc.local [ Not found ]
- /etc/rc.d/rc.local [ Not found ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
....
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ Not Found ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/usr/.snap
---------------
Please inspect: /usr/.snap (directory)

Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- Apache 1.3.33 [ OK ]
- Bind DNS 9.3.0 [ Unknown ]
- OpenSSL 0.9.7d [ OK ]
- PHP 4.3.11 [ OK ]
- ProFTPd 1.2.10 [ OK ]
- OpenSSH 3.8.1p1 [ OK ]

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or fill in the contact form (www.rootkit.nl)

Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: toor:0

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]
info: found no option, most times default value is used.

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]

---------------------------- Scan results ----------------------------
MD5
MD5 compared: 30
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 176 seconds


Category : Security

Posted by FreeBSD Newbie at August 17, 2005 11:35 AM

Comments

Something you failed to mention. When you cd to the port and type make install clean, a screen pops up asking for options. These are not included in your tutorial.

Thanks

Michael

Posted by Michael Guy at February 20, 2008 02:50 AM

Maybe it's added in a later version.

Posted by FreeBSD Newbie at February 20, 2008 03:47 AM
