On 29.11.2010, 22:52, John Horne <[email protected]> wrote:
> On Mon, 2010-11-29 at 12:10 +0100, Florian Barth wrote:
>> Hello,
>>
>> my question follows from a security issue. A machine was attacked
>> and /bin/ping was substituted. Why did rkhunter not recognize this
>> substitution? It seems to me that /bin/ping is never checked whether
>> it was substituted or not. What is the reason for this behavior? From
>> my point of view it is important to check all files where the
>> SUID bit is set.
>>
> Originally only commands which were known to have been used in attacks
> were checked. We have expanded this a bit, but it does not check all
> commands and does not search out for suid commands.
>
> Since RKH can be quite slow checking a lot of commands, I would suggest
> using something actually designed for this purpose such as Aide,
> Tripwire or Samhain (if I remember correctly).
>
> If you really want RKH to monitor it then use the
> USER_FILEPROP_FILES_DIR option.
>
As I said, there was an attack with /bin/ping on one of our machines (Max-Planck-Gesellschaft). We were not able to analyze it exactly yet, but it looks similar to the known ping rootkit [1] from 2006. I guess it has been known much longer, because I read an article about it in a "hakin9" magazine from 2004! Maybe these issues are important enough to think about checking /bin/ping.

Florian

[1] http://dl.packetstormsecurity.net/UNIX/penetration/rootkits/pingrootkit.tar.bz2

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
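As an added example (not code from the thread or from rkhunter itself), a small POSIX shell baseline-and-compare for setuid binaries, the check Florian asks for, plus a helper that emits the USER_FILEPROP_FILES_DIR lines John suggests. It assumes GNU coreutils sha256sum and a find that understands -perm -4000, and it does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example (not rkhunter's or the thread's code): baseline and re-verify
# every setuid binary under a tree. Assumes coreutils sha256sum and
# find -perm -4000; paths containing whitespace are not handled.

# Emit "sha256  path" for each regular file with the SUID bit set under $1.
suid_baseline() {
    find "${1:-/}" -xdev -type f -perm -4000 -exec sha256sum {} + 2>/dev/null | sort -k 2
}

# Emit one rkhunter.conf line per SUID file so RKH's file-properties check
# covers it (the USER_FILEPROP_FILES_DIR option; the option may be repeated).
suid_fileprop_lines() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort |
        sed 's/^/USER_FILEPROP_FILES_DIR=/'
}

# Compare a stored baseline file ($1) against the current state of tree $2.
# Prints ADDED/CHANGED/REMOVED <path> per difference; returns 1 if any found.
suid_compare() {
    baseline="$1"
    current=$(mktemp)
    suid_baseline "$2" > "$current"
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {
            if (!($2 in base))        print "ADDED " $2
            else if (base[$2] != $1)  print "CHANGED " $2   # same path, new contents
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

Run `suid_baseline / > /var/lib/suid.sha256` once from a known-good state and schedule `suid_compare /var/lib/suid.sha256 /` afterwards; a substituted /bin/ping with an unchanged mode shows up as CHANGED.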
