Hello,
it took a bit longer; I'll run rkhunter as a cron job in reporting mode, it's a really good program! I'll also still test Tiger.
True, I've already learned quite a bit, even if it should turn out to be only a false alarm.
So far I've used Whirlpool (whirlpooldeep) as the hash algorithm, but only updated it manually, and since I've been in hospital for the last 14 weeks, ..., I'll automate that and have the diffs sent to me regularly.
My files are identical:
3bacc7d351197e70d4f6d057f44fa830 /usr/bin/find
9914bc770e2551c5ea148b505392c046 /bin/ps
I also checked md5sum, it's fine.
Generating MD5 collisions is very hard if arbitrary characters can't be used, since the binaries also have to keep working.
## rkhunter ##
hostXXX:~/STR/sw-archives/rkhunter # rkhunter --update
Running updater...
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror
http://mirror07.mirror.rkhunter.org
[DB] Mirror file : Update available
Action: Database updated (current version: 2005050700, new version 2006041300)
[DB] MD5 hashes system binaries : Update available
Action: Database updated (current version: 2006021400, new version 2006022800)
[DB] Operating System information : Update available
Action: Database updated (current version: 2005102800, new version 2006051200)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Update available
Action: Database updated (current version: 2006021400, new version 2006031400)
[DB] Known bad program versions : Update available
Action: Database updated (current version: 2006021400, new version 2006031400)
Ready.
The rkhunter output is attached, but it shows no rootkit, only two hidden files/directories:
hostXXX:/dev/.udevdb # cat udevd.pid
1990
hostXXX:/dev/.udevdb # cat /etc/.pwd.lock
[empty]
I'll also disable protocol 1 in SSH; OpenSSL was already patched.
#####################
nmap shows the following for the two hosts:
# Nmap 4.10 scan initiated Wed Jul 12 10:02:26 2006 as: nmap --append-output -oN /root/STR/scripts/proxy+id/nmap/nmap_logfile -R -PE -PP -PM -sS --system-dns -F -sV --version-intensity 9 -A -O --osscan-guess --log-errors -v -v --privileged -P0 212.227.83.130
Interesting ports on p15194013.pureserver.info (212.227.83.130):
Not shown: 1201 closed ports
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime Microsoft Windows International daytime
17/tcp open qotd Windows qotd
19/tcp open chargen
20/tcp open ftp-data?
21/tcp open ftp Microsoft ftpd
25/tcp open tcpwrapped
80/tcp open http Microsoft IIS httpd
81/tcp open hosts2-ns?
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1030/tcp open msrpc Microsoft Windows RPC
1212/tcp open lupa?
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
1935/tcp open printer
2000/tcp open tcpwrapped
2001/tcp open tcpwrapped
2002/tcp open tcpwrapped
2003/tcp open tcpwrapped
2004/tcp open tcpwrapped
2005/tcp open tcpwrapped
2006/tcp open tcpwrapped
2007/tcp open tcpwrapped
2008/tcp open tcpwrapped
2009/tcp open tcpwrapped
2010/tcp open tcpwrapped
2011/tcp open netbios-ssn
2012/tcp open ttyinfo?
3000/tcp open ppp?
3306/tcp open mysql MySQL 4.0.20a-nt
3389/tcp open microsoft-rdp Microsoft Terminal Service
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[ fingerprints truncated ]
Device type: general purpose
Running: Microsoft Windows NT/2K/XP|2003/.NET
OS details: Microsoft Windows 2003 Server, 2003 Server SP1 or XP Pro SP2
OS Fingerprint:
TSeq(Class=TR%IPID=I%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental
Service Info: OS: Windows
# Nmap run completed at Wed Jul 12 10:04:59 2006 -- 1 IP address (1 host up) scanned in 153.588 seconds
# Nmap 4.10 scan initiated Wed Jul 12 10:05:00 2006 as: nmap --append-output -oN /root/STR/scripts/proxy+id/nmap/nmap_logfile -R -PE -PP -PM -sS --system-dns -F -sV --version-intensity 9 -A -O --osscan-guess --log-errors -v -v --privileged -P0 67.15.231.35
Interesting ports on paylease.com (67.15.231.35):
Not shown: 1190 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.1
25/tcp open smtp Sendmail 8.13.1/8.13.1
53/tcp closed domain
80/tcp open http Apache httpd 2.0.52 ((Red Hat))
110/tcp open pop3 UW Imap pop3d 2003.83rh
143/tcp open imap UW imapd 2003.338rh
443/tcp open ssl OpenSSL
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6008/tcp closed X11:8
6009/tcp closed X11:9
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve
6101/tcp closed VeritasBackupExec
6103/tcp closed RETS-or-BackupExec
6105/tcp closed isdninfo
6106/tcp closed isdninfo
6110/tcp closed softcm
6111/tcp closed spc
6112/tcp closed dtspc
6141/tcp closed meta-corp
6142/tcp closed aspentec-lm
6143/tcp closed watershed-lm
6144/tcp closed statsci1-lm
6145/tcp closed statsci2-lm
6146/tcp closed lonewolf-lm
6147/tcp closed montage-lm
6148/tcp closed ricardo-lm
6400/tcp closed crystalreports
6401/tcp closed crystalenterprise
6502/tcp closed netop-rc
6543/tcp closed mythtv
6544/tcp closed mythtv
6547/tcp closed PowerChutePLUS
6548/tcp closed PowerChutePLUS
6558/tcp closed xdsxdm
6588/tcp closed analogx
6666/tcp closed irc-serv
6667/tcp closed irc
6668/tcp closed irc
6969/tcp closed acmsoda
7000/tcp closed afs3-fileserver
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.10 - 2.6.11
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=2DC353%IPID=Z%TS=U)
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2999123 (Good luck!)
IPID Sequence Generation: All zeros
Service Info: OS: Unix
# Nmap run completed at Wed Jul 12 10:05:25 2006 -- 1 IP address (1 host up) scanned in 25.671 seconds
##################
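Added example (my own code, not the poster's script): a small Python version of the automated hash baseline and diff report the post plans to set up. It reads and writes the same "digest  path" list format that md5sum and whirlpooldeep print, so an existing whirlpooldeep list can be the day-one baseline. The hash algorithm defaults to SHA-256 as an assumption, because hashlib does not offer Whirlpool on every build; the sample tree is constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algo="sha256", chunk=1 << 16):
    """Digest one file in chunks. whirlpooldeep (the post's tool) yields Whirlpool;
    hashlib may lack it on some builds, so the algorithm is a parameter (assumed)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, algo="sha256"):
    """Map every regular file below root (path relative to root) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}

def parse_hashlist(text):
    """Parse 'digest  path' lines as written by md5sum/whirlpooldeep."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries

def format_hashlist(baseline):
    # Same 'digest  path' format, so the stored list stays tool-compatible.
    return "".join(f"{d}  {p}\n" for p, d in sorted(baseline.items()))

def diff_baseline(old, new):
    """Return (added, removed, changed) paths; this is the report to mail out."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed sample tree standing in for /bin and /usr/bin."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"original ps")
        (root / "bin" / "find").write_bytes(b"original find")
        stored = format_hashlist(build_baseline(root))    # day-one list on disk
        (root / "bin" / "ps").write_bytes(b"modified ps")  # simulate a changed binary
        (root / "bin" / ".hidden").write_bytes(b"x")       # and a new hidden file
        return diff_baseline(parse_hashlist(stored), build_baseline(root))
```

Run the baseline from cron, keep the stored list on read-only or off-host storage, and mail the three lists from diff_baseline; an empty report means nothing changed.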