Regarding this thread: I thought for sure I'd installed chrootkit but received an email from msec (actually a few) that just say "chrootkit not found", and nothing else.
[root@dedanna ~]# urpmi chrootkit
No package named chrootkit
[root@dedanna ~]# urpmq chroot -a
dchroot
fakechroot
fakechroot-debug
schroot
schroot-debug
[root@dedanna ~]# urpmi dchroot fakechroot fakechroot-debug schroot schroot-debug
To satisfy dependencies, the following packages are going to be installed:
  Package            Version     Release        Arch
(medium "Core Release (distrib1)")
  btrfs-progs        0.19        1.20120328.1>  i586  (suggested)
  dchroot            1.4.25      1.mga2         i586
  fakechroot         2.9         1.1.mga2       i586
  liblvm2cmd2.02     2.02.95     1.mga2         i586  (suggested)
  lvm2               2.02.95     1.mga2         i586  (suggested)
  schroot            1.4.25      1.mga2         i586
(medium "Core Release Debug (distrib2)")
  fakechroot-debug   2.9         1.1.mga2       i586
  schroot-debug      1.4.25      1.mga2         i586
58MB of additional disk space will be used.
11MB of packages will be retrieved.
Proceed with the installation of the 8 packages? (Y/n) n
[root@dedanna ~]#
This is in Mageia 2. I'm absolutely sure I've found it before. I stopped the installation of these, because I wasn't sure if they would provide the needed chrootkit or not; I do not need btrfs-progs or lvm2, as I'm not on btrfs and lvm is just a pain in the arse to me.
I've installed rkhunter, but it's not giving me what I need for msec. On installation of it:
[root@dedanna ~]# urpmi rkhunter
To satisfy dependencies, the following packages are going to be installed:
  Package     Version    Release   Arch
(medium "Core Release (distrib1)")
  rkhunter    1.3.8      3.mga2    noarch
  unhide      20110113   1.mga1    i586  (suggested)
858KB of additional disk space will be used.
194KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
$MIRRORLIST: media/core/release/unhide-20110113-1.mga1.i586.rpm
$MIRRORLIST: media/core/release/rkhunter-1.3.8-3.mga2.noarch.rpm
installing unhide-20110113-1.mga1.i586.rpm rkhunter-1.3.8-3.mga2.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ##########################################################################################
1/2: rkhunter ##########################################################################################
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 166 files, found 135
[ Rootkit Hunter version 1.3.8 ]
Checking the local host...
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ OK ]
[Press <ENTER> to continue]
System checks summary
=====================
File properties checks... All checks skipped
Rootkit checks... All checks skipped
Applications checks... All checks skipped
The system checks took: 2 seconds
All results have been written to the log file (/var/log/rkhunter.log)
One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)
2/2: unhide ##########################################################################################
----------------------------------------------------------------------
More information on package rkhunter-1.3.8-3.mga2.noarch
rkhunter is a tool to detect rootkits installed on your system and suspicious file changes. In order for rkhunter to run these checks, it maintains a catalog of files and their properties installed on your system so it can compare current files and statuses against the ones recorded in its database.
Out of the box rkhunter is configured to give as few false positives as possible on a Mageia system. Still, despite this, you might want to change some of its configuration options yourself to best suit you. The file used for this is /etc/rkhunter.conf
Upon an initial install, rkhunter will create the databases it needs itself. On upgrades and during regular use, you may want to update its databases yourself by executing: rkhunter --propupd before running any other rkhunter checks yourself.
And, with rkhunter, what's up with all these "disabled at user's request"s? I haven't even run or configured it yet to request or not request! Shouldn't these things be on by default?
[root@dedanna ~]# cat /var/log/rkhunter.log
[09:10:11] Running Rootkit Hunter version 1.3.8 on dedanna
[09:10:11]
[09:10:11] Info: Start date is Tue Apr 9 09:10:11 BST 2013
[09:10:11]
[09:10:11] Checking configuration file and command-line options...
[09:10:11] Info: Detected operating system is 'Linux'
[09:10:11] Info: Found O/S name: Mageia 2
[09:10:11] Info: Command line is /usr/sbin/rkhunter --enable group_changes,passwd_changes
[09:10:11] Info: Environment shell is /bin/bash; rkhunter is using bash
[09:10:11] Info: Using configuration file '/etc/rkhunter.conf'
[09:10:11] Info: Installation directory is '/var'
[09:10:11] Info: Using language 'en'
[09:10:11] Info: Using '/var/lib/rkhunter/db' as the database directory
[09:10:12] Info: Using '/var/lib/rkhunter/scripts' as the support script directory
[09:10:12] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[09:10:12] Info: Using '/' as the root directory by default
[09:10:12] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[09:10:12] Info: No mail-on-warning address configured
[09:10:12] Info: X will be automatically detected
[09:10:12] Info: Using second color set
[09:10:12] Info: Found the 'basename' command: /bin/basename
[09:10:12] Info: Found the 'diff' command: /usr/bin/diff
[09:10:12] Info: Found the 'dirname' command: /usr/bin/dirname
[09:10:12] Info: Found the 'file' command: /usr/bin/file
[09:10:12] Info: Found the 'find' command: /bin/find
[09:10:12] Info: Found the 'ifconfig' command: /sbin/ifconfig
[09:10:12] Info: Found the 'ip' command: /sbin/ip
[09:10:12] Info: Found the 'ldd' command: /usr/bin/ldd
[09:10:12] Info: Found the 'lsattr' command: /usr/bin/lsattr
[09:10:12] Info: Found the 'lsmod' command: /sbin/lsmod
[09:10:12] Info: Unable to find the 'lsof' command
[09:10:12] Info: Found the 'mktemp' command: /bin/mktemp
[09:10:12] Info: Found the 'netstat' command: /bin/netstat
[09:10:12] Info: Found the 'perl' command: /usr/bin/perl
[09:10:13] Info: Found the 'pgrep' command: /usr/bin/pgrep
[09:10:13] Info: Found the 'ps' command: /bin/ps
[09:10:13] Info: Found the 'pwd' command: /bin/pwd
[09:10:13] Info: Found the 'readlink' command: /usr/bin/readlink
[09:10:13] Info: Found the 'stat' command: /bin/stat
[09:10:13] Info: Found the 'strings' command: /usr/bin/strings
[09:10:13] Info: Enabled tests are: group_accounts group_changes local_host passwd_changes
[09:10:13] Info: Disabled tests are: deleted_files hidden_ports hidden_procs packet_cap_apps suspscan
[09:10:13] Info: Found ksym file '/proc/kallsyms'
[09:10:13] Info: Using 'date' to process epoch second times.
[09:10:13] Info: Locking is not being used
[09:10:13]
[09:10:13] Starting system checks...
[09:10:13]
[09:10:13] Info: Test 'system_commands' disabled at users request.
[09:10:13]
[09:10:13] Info: Test 'rootkits' disabled at users request.
[09:10:13]
[09:10:13] Info: Test 'network' disabled at users request.
[09:10:13]
[09:10:13] Info: Starting test name 'local_host'
[09:10:13] Checking the local host...
[09:10:13]
[09:10:13] Info: Test 'startup_files' disabled at users request.
[09:10:14]
[09:10:14] Info: Starting test name 'group_accounts'
[09:10:14] Performing group and account checks
[09:10:14] Checking for passwd file [ Found ]
[09:10:14] Info: Found password file: /etc/passwd
[09:10:14] Checking for root equivalent (UID 0) accounts [ None found ]
[09:10:14] Info: Found shadow file: /etc/shadow
[09:10:14] Checking for passwordless accounts [ None found ]
[09:10:14]
[09:10:14] Info: Starting test name 'passwd_changes'
[09:10:14] Checking for passwd file changes [ Warning ]
[09:10:14] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[09:10:14]
[09:10:14] Info: Starting test name 'group_changes'
[09:10:14] Checking for group file changes [ Warning ]
[09:10:15] Warning: Unable to check for group file differences: no copy of the group file exists.
[09:10:15] Checking root account shell history files [ OK ]
[09:10:15]
[09:10:15] Info: Test 'system_configs' disabled at users request.
[09:10:15]
[09:10:15] Info: Test 'filesystem' disabled at users request.
[09:10:15]
[09:10:15] Info: Test 'apps' disabled at users request.
[09:10:15]
[09:10:15] System checks summary
[09:10:15] =====================
[09:10:15]
[09:10:15] File properties checks...
[09:10:15] All checks skipped
[09:10:15]
[09:10:15] Rootkit checks...
[09:10:15] All checks skipped
[09:10:15]
[09:10:15] Applications checks...
[09:10:15] All checks skipped
[09:10:15]
[09:10:15] The system checks took: 2 seconds
[09:10:16]
[09:10:16] Info: End date is Tue Apr 9 09:10:16 BST 2013
[root@dedanna ~]#
I KNOW I've had chrootkit installed to Mageia 2 already! I'm totally in mode on this, and need it! Any ideas? Is it part of one of those other packages above? I know I could run urpmq -i on each one, but... somehow I don't think I'd come up with anything helpful. What else can I use that will report to msec and email me?
[root@dedanna ~]# urpmq -i dchroot
Name        : dchroot
Version     : 1.4.25
Release     : 1.mga2
Group       : Development/Other
Size        : 1129132
Architecture: i586
Source RPM  : schroot-1.4.25-1.mga2.src.rpm
URL         : http://packages.debian.org/schroot
Summary     : Older tool similar to schroot
Description :
dchroot allows users to execute commands or interactive shells in different chroots. Users can move between chroots as necessary. Enhanced functionality is available in the next generation tool called schroot.
[root@dedanna ~]#
[root@dedanna ~]# urpmq -i schroot
Name        : schroot
Version     : 1.4.25
Release     : 1.mga2
Group       : Development/Other
Size        : 3135878
Architecture: i586
Source RPM  : schroot-1.4.25-1.mga2.src.rpm
URL         : http://packages.debian.org/schroot
Summary     : Execute commands in a chroot environment
Description :
schroot allows users to execute commands or interactive shells in different chroots. Any number of named chroots may be created, and access permissions given to each, including root access for normal users, on a per-user or per-group basis. Additionally, schroot can switch to a different user in the chroot, using PAM for authentication and authorisation. All operations are logged for security.
Several different types of chroot are supported, including normal directories in the filesystem, and also block devices. Sessions, persistent chroots created on the fly from files (tar with optional compression and zip) and LVM snapshots are also supported.
schroot supports kernel personalities, allowing the programs run inside the chroot to have a different personality. For example, running 32-bit chroots on 64-bit systems, or even running binaries from alternative operating systems such as SVR4 or Xenix.
schroot also integrates with sbuild, to allow building packages with all supported chroot types, including session-managed chroot types such as LVM snapshots.
schroot shares most of its options with dchroot, but offers vastly more functionality.
[root@dedanna ~]#
... Neither does what I need it to!
Last edited by dedanna1029 on 23 Apr 2013, 17:34, edited 1 time in total.
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government. No gods, no masters. "A druid is by nature anarchistic, that is, submits to no one." http://uk.druidcollege.org/faqs.html
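An added example, not part of the thread or of the rkhunter project: the log posted above is the one written by the package's post-install run, and its own line "Command line is /usr/sbin/rkhunter --enable group_changes,passwd_changes" accounts for all the "disabled at users request" entries, because --enable runs only the tests it names and reports every other test that way. The two "no copy of the ... file exists" warnings are missing-baseline warnings: rkhunter keeps copies of /etc/passwd and /etc/group in its database, and until rkhunter --propupd has stored them the passwd_changes and group_changes tests cannot diff anything. The POSIX shell script below triages a log of that shape: it lists the skipped tests, separates missing-baseline warnings from any other warnings, and says whether the run was restricted with --enable. The log text is a constructed sample trimmed from the excerpt above, and the function names are mine.

```shell
#!/bin/sh
# Triage an rkhunter log: which tests were skipped, which warnings fired,
# and whether the warnings are only "run --propupd first" noise.
# The sample below is constructed from the thread's log excerpt; it is
# not a real /var/log/rkhunter.log.

SAMPLE_LOG=$(cat <<'EOF'
[09:10:11] Info: Command line is /usr/sbin/rkhunter --enable group_changes,passwd_changes
[09:10:13] Info: Enabled tests are: group_accounts group_changes local_host passwd_changes
[09:10:13] Info: Disabled tests are: deleted_files hidden_ports hidden_procs packet_cap_apps suspscan
[09:10:13] Info: Test 'system_commands' disabled at users request.
[09:10:13] Info: Test 'rootkits' disabled at users request.
[09:10:13] Info: Test 'network' disabled at users request.
[09:10:14] Checking for passwd file changes [ Warning ]
[09:10:14] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[09:10:15] Warning: Unable to check for group file differences: no copy of the group file exists.
[09:10:15] Checking root account shell history files [ OK ]
EOF
)

# Names of the tests rkhunter logged as "disabled at users request", one per line.
rkh_disabled_tests() {
    printf '%s\n' "$1" | sed -n "s/.*Test '\([^']*\)' disabled at users request.*/\1/p"
}

# Only the "Warning:" lines (the "[ Warning ]" status lines are not repeated).
rkh_warnings() {
    printf '%s\n' "$1" | grep 'Warning:' || true
}

# True when the run was invoked with --enable, i.e. only the named tests ran
# and every other test is reported as disabled even though nothing was
# configured that way in /etc/rkhunter.conf.
rkh_run_was_restricted() {
    printf '%s\n' "$1" | grep -q 'Command line is .*--enable '
}

# True when a warning says no stored copy of passwd/group exists: the
# baseline has not been built yet, so "rkhunter --propupd" (as root) is the fix.
rkh_needs_propupd() {
    printf '%s\n' "$1" | grep -q 'no copy of the .* file exists'
}

# Number of warnings that are NOT the missing-baseline kind; these are the
# ones worth reading before deciding the box is clean.
rkh_real_warning_count() {
    printf '%s\n' "$1" | grep 'Warning:' | grep -vc 'no copy of the .* file exists' || true
}

# Stand-alone run against the constructed sample.
echo "Tests skipped because of --enable:"
rkh_disabled_tests "$SAMPLE_LOG"
if rkh_run_was_restricted "$SAMPLE_LOG"; then
    echo "Run was restricted with --enable; the 'disabled' lines are expected."
fi
if rkh_needs_propupd "$SAMPLE_LOG"; then
    echo "Baseline missing: run 'rkhunter --propupd' and re-check."
fi
echo "Warnings that are not baseline noise: $(rkh_real_warning_count "$SAMPLE_LOG")"
```

To use it on the real file, pass the log contents instead of the sample, for example rkh_real_warning_count "$(cat /var/log/rkhunter.log)" as root; a non-zero count after --propupd has been run is what deserves a look, and a "Disabled tests are:" line that lists more than the defaults means the configuration, not the command line, is what turned a check off.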
Yes, of which as said above, is not found in repos or anywhere, right off the bat in the very first code line, and in the title of the thread. Answer the question. If you can't, I'll wait for Jim.
dedanna1029 wrote:Yes, of which as said above, is not found in repos or anywhere, right off the bat in the very first code line, and in the title of the thread. Answer the question. If you can't, I'll wait for Jim.
Maybe read what I wrote, for a change. chrootkit is different from chkrootkit
Your link indicates that you are looking for chkrootkit dedanna, and there was a bug where it actually had disappeared but that was fixed. https://bugs.mageia.org/show_bug.cgi?id=736 So it looks like it is a question of using the right name. rkhunter will also do the job...
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop. "There are no stupid questions - Only stupid answers!"
Yes, I think we can call for a [RESOLVED] tag here.
Edit: Is this solved, dedanna?
I won't know until tomorrow or the next day. Got tired of being mailed every single day, so moved everything that is daily to weekly.
[msec] *** Security Check on dedanna.mydomain.xxx, Apr 12 04:03:35 ***
From: root, Apr 12
*** Security Check, Apr 12 04:03:35 ***
*** Check type: daily ***
*** Check executed from: /etc/cron.daily/msec ***
Report summary:
Test started: Apr 12 04:03:35
Test finished: Apr 12 04:03:40
Total of configured firewall rules: 3
Chkrootkit check: skipped (chkrootkit not found)
Total local users: 39
Total local group: 68
Detailed report:
Chkrootkit check skipped: chkrootkit not found
Even more disturbing is that it's still running dailies, or attempting to, even after I've emptied out the whole daily folder. This is the last mail I got, and had installed chkrootkit before this (*I think*). I'm going to give it another mail, then go from there to be sure.
Edit: Looking at the time of my last post in this thread, it appears I had not installed chkrootkit before I got this mail, so I will have to wait for the next mail to see how it does now. I suppose I could set it back to dailies for now, just to see.
I found a chkrootkit.daily.today file in /var/log/security. I ran a cat on it, and it had run, but it didn't email me today.
So, I dunno. I don't get why it didn't mail me - msec was done at 4:03:something this morning.
So, this still isn't doing what I want it to. I double-checked that I had it set up to email me in mcc - yup, it's set to.
I also don't get why all this happened in the first place, when I *was* getting perfectly thorough reports in email, then all of a sudden, every email was useless, saying that the chkrootkit or whatever wasn't "there" all of a sudden. I didn't uninstall a fecking thing for this to happen out of the blue. Now, nothing's working right. If I have one thing, I don't have the other. IT *WAS* FINE, with BOTH operating smoothly, msec AND mail.
FINALLY it's mailed me, after not receiving anything at all yesterday. It had a full weekly check for everything, I woke up this morning to notifications on my desktop that it had done diff check, and about five others. Checked mail. Everything in there in one email.
I've moved daily back into the daily folder (had done that just before last post), we'll see what it does tomorrow on the regular 4 a.m. check. If that mails me, I'll mark solved.