Rkhunter false positives?

jjgonzalezrobles:

Hi everyone, and sorry if I've opened another similar thread, although mine is only a question. I've been using Linux for about 3 years and was never paranoid about security, until I created my own virus and cracked wap networks. I know nothing about programming and thought it was very complicated to write malicious software; from there (I know it makes no sense) I've become so paranoid that I ended up installing Avast, rkhunter and chkrootkit, and rkhunter gives me two WARNINGs. Before deleting anything I wanted to know whether they really are false positives:

/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/unhide [ Warning ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide-linux26 [ Warning ]

[Press <ENTER> to continue]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx Rootkit (strings) [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing trojan specific checks
Checking for enabled inetd services [ OK ]

Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

[Press <ENTER> to continue]

Checking the network...

Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

[Press <ENTER> to continue]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Not found ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

[Press <ENTER> to continue]

Checking application versions...

Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ OK ]

System checks summary
=====================

File properties checks...
Files checked: 129
Suspect files: 2

Rootkit checks...
Rootkits checked : 111
Possible rootkits: 0

Applications checks...
Applications checked: 2
Suspect applications: 0

The system checks took: 1 minute and 26 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Thanks...
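A practitioner's check for the two file-properties warnings above, added here as an example and not code from the thread or from rkhunter: rkhunter compares each listed binary with the baseline it stored in its own database (rkhunter.dat), so a warning means the file differs from that baseline, which happens after a package update just as it does after tampering, and it comes back on every run until `rkhunter --propupd` refreshes the baseline. Before refreshing, confirm the file still matches what the package manager installed. On Debian-derived systems that is what `dpkg --verify <package>` (or `debsums -c`) does, using the `<md5>  <path>` lists in /var/lib/dpkg/info/<package>.md5sums; the script below reimplements that comparison over a constructed fake package tree in a temporary directory so it can be run anywhere that has md5sum(1). The fake unhide binary and its md5sums list are constructed fixtures, not files from any real package.

```shell
#!/bin/sh
# Verify files against a dpkg-style .md5sums list ("<md5>  <path relative to />").
# Added example, not from the thread. The real lists live in
# /var/lib/dpkg/info/<package>.md5sums; the fixture below is constructed.

# verify_md5sums LIST ROOT : exit 0 if every listed file matches, 1 otherwise
verify_md5sums() {
    list=$1
    root=$2
    rc=0
    while read -r expected rel; do
        [ -n "$expected" ] || continue
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING   $rel"
            rc=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $rel"
        else
            echo "MISMATCH  $rel (package says $expected, file has $actual)"
            rc=1
        fi
    done < "$list"
    return $rc
}

# make_fixture DIR : build a fake "installed package" under DIR plus a matching
# md5sums list, in the same format dpkg records (relative path, two spaces).
make_fixture() {
    mkdir -p "$1/usr/sbin"
    printf '#!/bin/sh\necho fake unhide\n' > "$1/usr/sbin/unhide"
    ( cd "$1" && md5sum usr/sbin/unhide ) > "$1/unhide.md5sums"
}

# Walk-through: the pristine file verifies, a tampered copy does not, a
# removed file is reported as missing.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "== pristine package file"
    verify_md5sums "$d/unhide.md5sums" "$d" || true
    echo "== after appending a byte to the binary"
    printf 'x' >> "$d/usr/sbin/unhide"
    verify_md5sums "$d/unhide.md5sums" "$d" || true
    echo "== after deleting the binary"
    rm -f "$d/usr/sbin/unhide"
    verify_md5sums "$d/unhide.md5sums" "$d" || true
    rm -rf "$d"
}

demo
```

To check a real warning, find the owning package with `dpkg -S /usr/sbin/unhide` and then run `dpkg --verify <package>`; rkhunter can also be told to consult the package database itself by setting PKGMGR=DPKG in rkhunter.conf. Two caveats: the md5sums lists are ordinary root-owned files, so an intruder who already has root can rewrite them together with the binary, and MD5 is simply what dpkg records rather than a collision-resistant hash. A match therefore rules out accidental drift and confirms a package update, but a clean result is only as trustworthy as the local package database; the stronger comparison is against a freshly downloaded copy of the .deb or a baseline kept off the machine.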

ercherramon:

Googling, I found this info:

Unhide is a forensic tool that lets you discover processes and TCP/UDP ports hidden by rootkits / LKMs or any other hiding technique.

//Unhide (ps)

It lets you identify processes that have been hidden. It implements three techniques:

* Comparison of the information obtained from /bin/ps against the directories in /proc

* Comparison of the information visible through /bin/ps against what can be obtained using various system calls (syscall scanning)

* Brute-force occupation of the PID space available on the system (PID bruteforcing)

// Unhide-TCP

It lets you identify TCP/UDP ports that are listening but do not appear in /bin/netstat, by brute-forcing the TCP/UDP port space available on the system.

"The Mere Man Sees What Appears To The Eyes"


jjgonzalezrobles:

OK, unhide is a false positive, as it could not be anything else. I tried uninstalling and reinstalling unhide and rkhunter told me the same thing again.

They're at each other's throats.

Thanks for the comment

Malakaraconk:

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/bin/bash [ OK ]
/bin/cat [ Warning ]
/bin/chmod [ Warning ]
/bin/chown [ Warning ]
/bin/cp [ Warning ]
/bin/date [ Warning ]
/bin/df [ Warning ]
/bin/dmesg [ OK ]
/bin/echo [ Warning ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/less [ OK ]
/bin/login [ OK ]
/bin/ls [ Warning ]
/bin/lsmod [ OK ]
/bin/mktemp [ Warning ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ Warning ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ Warning ]
/bin/readlink [ Warning ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ Warning ]
/bin/uname [ Warning ]
/bin/which [ OK ]
/bin/dash [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ Warning ]
/usr/bin/chattr [ OK ]
/usr/bin/cut [ Warning ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ Warning ]
/usr/bin/dpkg [ Warning ]
/usr/bin/dpkg-query [ Warning ]
/usr/bin/du [ Warning ]
/usr/bin/env [ Warning ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ Warning ]
/usr/bin/id [ Warning ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/md5sum [ Warning ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/rpm [ OK ]
/usr/bin/runcon [ Warning ]
/usr/bin/sha1sum [ Warning ]
/usr/bin/sha224sum [ Warning ]
/usr/bin/sha256sum [ Warning ]
/usr/bin/sha384sum [ Warning ]
/usr/bin/sha512sum [ Warning ]
/usr/bin/size [ Warning ]
/usr/bin/sort [ Warning ]
/usr/bin/stat [ Warning ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ Warning ]
/usr/bin/sudo [ Warning ]
/usr/bin/tail [ Warning ]
/usr/bin/test [ Warning ]
/usr/bin/top [ OK ]
/usr/bin/touch [ Warning ]
/usr/bin/tr [ Warning ]
/usr/bin/uniq [ Warning ]
/usr/bin/users [ Warning ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ Warning ]
/usr/bin/wget [ Warning ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ Warning ]
/usr/bin/whoami [ Warning ]
/usr/bin/gawk [ OK ]
/usr/bin/lwp-request [ Warning ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ Warning ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ Warning ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ Warning ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide-linux26 [ OK ]

[Press <ENTER> to continue]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Not found ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

[Press <ENTER> to continue]

System checks summary
=====================

File properties checks...
Files checked: 131
Suspect files: 53

Rootkit checks...
Rootkits checked : 242
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 2 minutes and 21 seconds

All results have been written to the log file (/var/log/rkhunter.log)

Then I ran:

# unhide proc

but nothing came out

then I ran:

# unhide sys

[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning

and then:

# unhide brute

Found HIDDEN PID: 7108
Found HIDDEN PID: 27017

I have a feeling things are not quite right... I'd appreciate any comments

regards

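The three unhide techniques in ercherramon's reply, and the `unhide brute` result in the post above, as an added worked example that is not part of the thread and is not unhide's own code: it implements the syscall-scanning idea in Python, probing a PID range with kill(pid, 0) and getpriority() (two of the calls `unhide sys` lists) and reporting any id the kernel admits exists but readdir(/proc) does not list, with /proc standing in for ps(1), which reads /proc anyway. It also handles the classic false positive of this comparison: readdir(/proc) lists only thread-group leaders, yet kill(tid, 0) succeeds for a thread id and /proc/<tid> opens, so a naive scan reports every thread as hidden. The scanner reads Tgid from /proc/<pid>/status to tell the two apart, and re-probes each candidate so processes that start or exit mid-scan are not reported either. Assumptions: Linux, Python 3.8 or later, /proc mounted; demo_thread_false_positive() spawns a thread of its own to show the case live. Nothing here says what the two PIDs in the post above were.

```python
"""Hidden-PID scan: compare readdir(/proc) with what the kernel admits via syscalls.

Added example (not unhide's code). Assumes Linux, Python >= 3.8, /proc mounted.
"""
import os
import threading
from dataclasses import dataclass, field

PROC = "/proc"


def listed_pids():
    """PIDs visible through readdir(/proc): thread-group leaders only, which is
    also all that ps(1) sees. A rootkit that filters readdir hides a PID here."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def probe_alive(pid):
    """Ask the kernel directly whether a task id exists. kill(pid, 0) and
    getpriority() both fail with ESRCH for an unused id; EPERM from kill still
    means the task exists, it just belongs to someone else."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        pass
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except OSError:
        return False


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry cannot be
    read. /proc/<tid> is openable even though readdir(/proc) never lists it."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


@dataclass
class ScanResult:
    listed: set
    hidden: list = field(default_factory=list)   # alive by syscall, absent from /proc
    threads: dict = field(default_factory=dict)  # tid -> tgid: the classic false positive


def scan_pid_range(lo, hi):
    """Scan [lo, hi] and return a ScanResult. Every candidate is re-checked so
    that processes starting or exiting during the scan are not reported."""
    result = ScanResult(listed=listed_pids())
    for pid in range(max(lo, 1), hi + 1):
        if pid in result.listed or not probe_alive(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            result.threads[pid] = tgid        # a thread, not a hidden process
            continue
        if tgid == pid:
            result.listed.add(pid)            # started after our readdir snapshot
            continue
        # /proc/<pid> unreadable: it exited between checks, or it really is hidden
        if probe_alive(pid) and not os.path.exists(f"{PROC}/{pid}"):
            result.hidden.append(pid)
    return result


def own_pid_is_visible():
    """Sanity check: the scanner itself must be listed and never flagged."""
    pid = os.getpid()
    res = scan_pid_range(pid, pid)
    return pid in res.listed and pid not in res.hidden


def demo_thread_false_positive():
    """Why a naive syscall-vs-/proc comparison misfires: a thread's TID answers
    kill(tid, 0) yet readdir(/proc) never lists it. Returns (tid, pid, result)."""
    ready, release, tid = threading.Event(), threading.Event(), {}

    def worker():
        tid["v"] = threading.get_native_id()  # the kernel task id of this thread
        ready.set()
        release.wait()

    t = threading.Thread(target=worker)
    t.start()
    ready.wait()
    try:
        res = scan_pid_range(tid["v"], tid["v"])
    finally:
        release.set()
        t.join()
    return tid["v"], os.getpid(), res


if __name__ == "__main__":
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    res = scan_pid_range(1, pid_max)  # full sweep; a few seconds in Python
    print(f"listed: {len(res.listed)}  threads skipped: {len(res.threads)}")
    for pid in res.hidden:
        print(f"HIDDEN PID {pid}: alive by syscall but missing from /proc")
    if not res.hidden:
        print("no hidden PIDs in the scanned range")
```

EPERM is treated as "exists", so an unprivileged run works, but on a /proc mounted with hidepid=2 other users' process directories are invisible to both readdir and open(), and this scanner, like any tool built on the same comparison, will then list all of them as hidden; run it as root, or on a /proc without hidepid, before reading anything into the output. A PID that survives the re-probe with no /proc entry is worth looking at directly as root (for example /proc/<pid>/status and /proc/<pid>/exe) before concluding anything. The forking PID-bruteforce technique that `unhide brute` uses is not shown here.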