#7
31st December 2007, 11:33
aceyzeriat
Member
Join Date: Aug 2007
Location: Paris, France
Posts: 47
Thanks: 4
Thanked 1 Time in 1 Post

Hello,

Here is the output of rkhunter.
As you can see, some commands seem to have been tampered with. I need to find the original version for my FC6 and replace them. Is there a "state of the art" way to do that, or do I just go to a RH mirror, download and copy?

I had to cut the log file to stay under 10,000 characters; I left the most interesting part.

regards,
Arnaud

[10:10:18] Running Rootkit Hunter version 1.3.0 on server
[10:10:18]
[10:10:18] Info: Start date is Mon Dec 31 10:10:18 CET 2007
[10:10:18]
[10:10:18] Checking configuration file and command-line options...
[10:10:18] Info: Detected operating system is 'Linux'
[10:10:18] Info: Found O/S name: Fedora Core release 6 (Zod)
[10:10:18] Info: Command line is /usr/local/bin/rkhunter --check
[10:10:18] Info: Environment shell is /bin/bash; rkhunter is using bash
[10:10:18] Info: Using configuration file '/etc/rkhunter.conf'
[10:10:18] Info: Installation directory is '/usr/local'
[10:10:18] Info: Using language 'en'
[10:10:19] Info: Using '/var/lib/rkhunter/db' as the database directory
[10:10:19] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[10:10:19] Info: Using '/usr/lib/qt-3.3/bin /usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /usr/X11R6/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[10:10:19] Info: Using '/' as the root directory
[10:10:19] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[10:10:19] Info: No mail-on-warning address configured
[10:10:19] Info: X will automatically be detected
[10:10:19] Info: Using second color set
[10:10:19] Info: Found the 'diff' command: /usr/bin/diff
[10:10:19] Info: Found the 'file' command: /usr/bin/file
[10:10:19] Info: Found the 'find' command: /usr/bin/find
[10:10:19] Info: Found the 'ifconfig' command: /sbin/ifconfig
[10:10:19] Info: Found the 'ip' command: /sbin/ip
[10:10:19] Info: Found the 'ldd' command: /usr/bin/ldd
[10:10:19] Info: Found the 'lsattr' command: /usr/bin/lsattr
[10:10:19] Info: Found the 'lsmod' command: /sbin/lsmod
[10:10:19] Info: Found the 'lsof' command: /usr/sbin/lsof
[10:10:19] Info: Found the 'mktemp' command: /bin/mktemp
[10:10:19] Info: Found the 'netstat' command: /bin/netstat
[10:10:19] Info: Found the 'perl' command: /usr/bin/perl
[10:10:19] Info: Found the 'ps' command: /bin/ps
[10:10:19] Info: Found the 'pwd' command: /bin/pwd
[10:10:19] Info: Found the 'readlink' command: /usr/bin/readlink
[10:10:19] Info: Found the 'sort' command: /bin/sort
[10:10:19] Info: Found the 'stat' command: /usr/bin/stat
[10:10:19] Info: Found the 'strings' command: /usr/bin/strings
[10:10:19] Info: Found the 'uniq' command: /usr/bin/uniq
[10:10:19] Info: System is using prelinking
[10:10:19] Info: Found the 'prelink' command: /usr/sbin/prelink
[10:10:19] Info: Found the 'sestatus' command: /usr/sbin/sestatus

.....

....

[10:10:33] /usr/bin/file [ OK ]
[10:10:33] /usr/bin/find [ OK ]
[10:10:33] /usr/bin/GET [ Warning ]
[10:10:33] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:10:33] /usr/bin/groups [ Warning ]
[10:10:33] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[10:10:33] /usr/bin/head [ OK ]
[10:10:33] /usr/bin/id [ OK ]
[10:10:34] /usr/bin/kill [ OK ]
[10:10:34] /usr/bin/killall [ OK ]
[10:10:34] /usr/bin/last [ OK ]
[10:10:34] /usr/bin/lastlog [ OK ]
[10:10:34] /usr/bin/ldd [ Warning ]
[10:10:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:10:34] /usr/bin/less [ OK ]
[10:10:34] /usr/bin/links [ OK ]
[10:10:35] /usr/bin/locate [ OK ]
[10:10:35] /usr/bin/logger [ OK ]
[10:10:35] /usr/bin/lsattr [ OK ]
[10:10:35] /usr/bin/lynx [ OK ]
[10:10:35] /usr/bin/md5sum [ OK ]
[10:10:36] /usr/bin/newgrp [ OK ]
[10:10:36] /usr/bin/passwd [ OK ]
[10:10:36] /usr/bin/perl [ OK ]
[10:10:36] /usr/bin/pstree [ OK ]
[10:10:36] /usr/bin/readlink [ OK ]
[10:10:36] /usr/bin/runcon [ OK ]
[10:10:37] /usr/bin/sha1sum [ OK ]
[10:10:37] /usr/bin/size [ OK ]
[10:10:37] /usr/bin/stat [ OK ]
[10:10:37] /usr/bin/strace [ OK ]
[10:10:37] /usr/bin/strings [ OK ]
[10:10:37] /usr/bin/sudo [ OK ]
[10:10:38] /usr/bin/tail [ OK ]
[10:10:38] /usr/bin/test [ OK ]
[10:10:38] /usr/bin/top [ OK ]
[10:10:38] /usr/bin/tr [ OK ]
[10:10:38] /usr/bin/uniq [ OK ]
[10:10:38] /usr/bin/users [ OK ]
[10:10:39] /usr/bin/vmstat [ OK ]
[10:10:39] /usr/bin/w [ OK ]
[10:10:39] /usr/bin/watch [ OK ]
[10:10:39] /usr/bin/wc [ OK ]
[10:10:39] /usr/bin/wget [ OK ]
[10:10:39] /usr/bin/whatis [ Warning ]
[10:10:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:10:39] /usr/bin/whereis [ OK ]
[10:10:40] /usr/bin/which [ OK ]
[10:10:40] /usr/bin/who [ OK ]
[10:10:40] /usr/bin/whoami [ OK ]
[10:10:40] /usr/bin/gawk [ OK ]
[10:10:40] /sbin/chkconfig [ OK ]
[10:10:40] /sbin/depmod [ OK ]
[10:10:41] /sbin/ifconfig [ OK ]
[10:10:41] /sbin/ifdown [ Warning ]
[10:10:41] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:10:41] /sbin/ifup [ Warning ]
[10:10:41] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:10:41] /sbin/init [ OK ]
[10:10:41] /sbin/insmod [ OK ]
[10:10:41] /sbin/ip [ OK ]
[10:10:42] /sbin/kudzu [ OK ]
[10:10:42] /sbin/lsmod [ OK ]
[10:10:42] /sbin/modinfo [ OK ]
[10:10:42] /sbin/modprobe [ OK ]
[10:10:42] /sbin/nologin [ OK ]
[10:10:42] /sbin/rmmod [ OK ]
[10:10:43] /sbin/runlevel [ OK ]
[10:10:43] /sbin/sulogin [ OK ]
[10:10:43] /sbin/sysctl [ OK ]
[10:10:43] /sbin/syslogd [ OK ]
[10:10:43] /usr/sbin/adduser [ OK ]
[10:10:44] /usr/sbin/chroot [ OK ]
[10:10:44] /usr/sbin/groupadd [ OK ]
[10:10:44] /usr/sbin/groupdel [ OK ]
[10:10:44] /usr/sbin/groupmod [ OK ]
[10:10:44] /usr/sbin/grpck [ OK ]
[10:10:45] /usr/sbin/kudzu [ OK ]
[10:10:45] /usr/sbin/lsof [ OK ]
[10:10:45] /usr/sbin/prelink [ OK ]
[10:10:45] /usr/sbin/pwck [ OK ]
[10:10:46] /usr/sbin/sestatus [ OK ]
[10:10:46] /usr/sbin/tcpd [ OK ]
[10:10:46] /usr/sbin/useradd [ OK ]
[10:10:46] /usr/sbin/userdel [ OK ]
[10:10:46] /usr/sbin/usermod [ OK ]
[10:10:46] /usr/sbin/vipw [ OK ]
[10:10:47] /usr/local/bin/rkhunter [ OK ]
[10:11:31]

....
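One way to triage these warnings before replacing anything, added here as an editor's example and not code from the post: pull the flagged paths out of the rkhunter log and check each against the RPM that owns it, since on Fedora several of these commands (ldd, ifup/ifdown, whatis, GET) are shipped by their packages as scripts in the first place. It assumes an rpm-based system; the sample log lines are copied from the post above.

```shell
#!/bin/sh
# Added example (not from the post): triage rkhunter "replaced by a script" warnings
# by checking each flagged command against the RPM that owns it.

# Constructed sample input: five lines copied from the rkhunter 1.3.0 log in the post.
SAMPLE_LOG=$(cat <<'EOF'
[10:10:33] /usr/bin/GET [ Warning ]
[10:10:33] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:10:33] /usr/bin/head [ OK ]
[10:10:34] /usr/bin/ldd [ Warning ]
[10:10:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
EOF
)

# Read an rkhunter log on stdin; print each path rkhunter says was replaced by a script, once.
flagged_commands() {
    sed -n "s/^\[[0-9:]*] Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p" | sort -u
}

# Compare one flagged path with what its owning package recorded at install time.
# Returns 0 if it matches (the package itself ships a script there), 1 if it differs,
# 2 if rpm is unavailable or nothing owns the file.
# Caveat: an intruder with root can also edit the rpm database or rpm itself, so
# repeat the check from rescue media, and cross-check against a freshly downloaded
# package after 'rpm -K pkg.rpm' with 'rpm -Vp pkg.rpm'.
verify_with_rpm() {
    path=$1
    command -v rpm >/dev/null 2>&1 || { echo "$path: rpm not available"; return 2; }
    if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "$path: not owned by any installed package"; return 2
    fi
    pkg=$(printf '%s\n' "$pkg" | head -n 1)   # first owner if several packages claim it
    # rpm -V prints one line per file that differs, e.g. "S.5....T  /usr/bin/ldd"; silence means it matches.
    diffs=$(rpm -V "$pkg" 2>/dev/null | grep -- " $path\$" || true)
    if [ -n "$diffs" ]; then
        echo "$path: DIFFERS from $pkg -> $diffs"
        return 1
    fi
    echo "$path: matches $pkg"
    return 0
}

# Walk a saved rkhunter log (e.g. /var/log/rkhunter.log) and verify every flagged command.
audit_rkhunter_log() {
    flagged_commands < "$1" | while IFS= read -r cmd; do
        verify_with_rpm "$cmd" || true
    done
}
```

Run it as `audit_rkhunter_log /var/log/rkhunter.log`; a DIFFERS line is the one that justifies pulling the package from a mirror, while a match means the package legitimately installed a script at that path.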