Updated on Sunday, 19 June 2016
In this post we will see how to protect our distro from rootkits. Wikipedia's definition of a rootkit is this: a rootkit allows continued privileged access to a computer while actively keeping its presence hidden from the administrators' control by corrupting the normal operation of the operating system or of other applications. The term comes from a concatenation of the English word root, meaning 'root' (the traditional name of the privileged account on Unix operating systems), and the English word kit, meaning 'set of tools' (referring to the software components that implement this program). The term rootkit has pejorative connotations because it is associated with malware. In other words, it is usually associated with malware that hides itself and other programs, processes, files, directories, registry keys and ports, allowing the intruder to keep access to a wide variety of operating systems such as GNU/Linux, Solaris or Microsoft Windows in order to remotely command actions or extract sensitive information. Normally an attacker installs a rootkit on a computer after first having obtained root-level access, either by exploiting a known vulnerability or by obtaining a password (whether by cracking the encryption or by social engineering). Once the rootkit has been installed, it lets the attacker disguise the next intrusion and keep privileged access to the computer by bypassing the normal authentication and authorization mechanisms. Although rootkits can serve many purposes, they have gained notoriety mainly as malware, hiding programs that take over the computer's resources or steal passwords without the knowledge of the administrators and users of the affected systems.
Rootkits can target the firmware, the hypervisor, the kernel or, most commonly, user programs. Detecting a rootkit is difficult because it is able to corrupt the very program that should detect it. Detection methods include using a trusted alternative operating system, behaviour-based methods, signature checks, difference checks and memory dump analysis. Removing a rootkit can be complicated or practically impossible, especially when the rootkit lives in the kernel; sometimes reinstalling the operating system is the only possible way to solve the problem.
Let's install rkhunter (you can install it with apt, zypper or yum, depending on your Linux distribution):
sudo aptitude install rkhunter
To update its stored file-properties database (this is what --propupd does):
rkhunter --propupd
Run the scan:
rkhunter --check
The application runs a series of scans and asks us to press ENTER to continue. The result can be seen in the file /var/log/rkhunter.log
It will look something like this:
[08:31:00] Running Rootkit Hunter version 1.4.2 on linux-sf0e
[08:31:00]
[08:31:00] Info: Start date is Sun Jun 28 08:31:00 CEST 2015
[08:31:00]
[08:31:00] Checking configuration file and command-line options...
[08:31:00] Info: Detected operating system is 'Linux'
[08:31:01] Info: Found O/S name: openSUSE 13.2 (x86_64)
[08:31:01] Info: Command line is /usr/bin/rkhunter --no-mail-on-warning --cronjob --report-warnings-only --append-log --pkgmgr RPM --createlogfile /var/log/rkhunter.log
[08:31:01] Info: Environment shell is /bin/sh; rkhunter is using bash
[08:31:01] Info: Using configuration file '/etc/rkhunter.conf'
[08:31:01] Info: Using local configuration directory '/etc/rkhunter.d': 1 file found
[08:31:01] Info: Installation directory is '/usr'
[08:31:01] Info: Using language 'en'
[08:31:01] Info: Using '/var/lib/rkhunter/db' as the database directory
[08:31:01] Info: Using '/usr/lib64/rkhunter/scripts' as the support script directory
[08:31:01] Info: Using '/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin' as the command directories
[08:31:01] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[08:31:01] Info: Disabling use of mail-on-warning at users request
[08:31:01] Info: X will be automatically detected
[08:31:01] Info: Found the 'basename' command: /bin/basename
[08:31:01] Info: Found the 'diff' command: /usr/bin/diff
[08:31:01] Info: Found the 'dirname' command: /usr/bin/dirname
[08:31:01] Info: Found the 'file' command: /usr/bin/file
[08:31:01] Info: Found the 'find' command: /bin/find
[08:31:01] Info: Found the 'ifconfig' command: /sbin/ifconfig
[08:31:01] Info: Found the 'ip' command: /bin/ip
[08:31:01] Info: Found the 'ipcs' command: /usr/bin/ipcs
[08:31:01] Info: Found the 'ldd' command: /usr/bin/ldd
[08:31:01] Info: Found the 'lsattr' command: /usr/bin/lsattr
[08:31:01] Info: Found the 'lsmod' command: /bin/lsmod
[08:31:01] Info: Found the 'lsof' command: /usr/bin/lsof
[08:31:01] Info: Found the 'mktemp' command: /bin/mktemp
[08:31:01] Info: Found the 'netstat' command: /bin/netstat
[08:31:01] Info: Found the 'perl' command: /usr/bin/perl
[08:31:01] Info: Found the 'pgrep' command: /bin/pgrep
[08:31:01] Info: Found the 'ps' command: /bin/ps
[08:31:02] Info: Found the 'pwd' command: /bin/pwd
[08:31:02] Info: Found the 'readlink' command: /bin/readlink
[08:31:02] Info: Found the 'stat' command: /bin/stat
[08:31:02] Info: Found the 'strings' command: /usr/bin/strings
[08:31:02] Info: System is not using prelinking
[08:31:02] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[08:31:02] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[08:31:02] Info: Stored hash values used package manager 'RPM'
[08:31:02] Info: The hash function field index is set to 1
[08:31:02] Info: Using package manager 'RPM' for file property checks
[08:31:02] Info: Found the 'rpm' command: /bin/rpm
[08:31:02] Info: Previous file attributes were stored
[08:31:02] Info: Enabled tests are: all
[08:31:02] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
[08:31:02] Info: Including user files for file properties check:
[08:31:02] /etc/rkhunter.conf
[08:31:02] /etc/rkhunter.d/00-opensuse.conf
[08:31:02] Info: Current logging will be appended to the log file
[08:31:02] Info: Found ksym file '/proc/kallsyms'
[08:31:02] Info: Using 'date' to process epoch second times
[08:31:02]
[08:31:02] Checking if the O/S has changed since last time...
[08:31:02] Info: Nothing seems to have changed.
[08:31:02] Info: Locking is not being used
[08:31:02]
[08:31:02] Starting system checks...
[08:31:02]
[08:31:02] Info: Starting test name 'system_commands'
[08:31:02] Checking system commands...
[08:31:03]
[08:31:03] Info: Starting test name 'strings'
[08:31:03] Performing 'strings' command checks
[08:31:03] Scanning for string /usr/sbin/ntpsx [ OK ]
[08:31:03] Scanning for string /usr/sbin/.../bkit-ava [ OK ]
[08:31:03] Scanning for string /usr/sbin/.../bkit-d [ OK ]
[08:31:03] Scanning for string /usr/sbin/.../bkit-shd [ OK ]
[08:31:03] Scanning for string /usr/sbin/.../bkit-f [ OK ]
[08:31:03] Scanning for string /usr/include/.../proc.h [ OK ]
[08:31:03] Scanning for string /usr/include/.../.bash_history [ OK ]
[08:31:03] Scanning for string /usr/include/.../bkit-get [ OK ]
[08:31:03] Scanning for string /usr/include/.../bkit-dl [ OK ]
[08:31:03] Scanning for string /usr/include/.../bkit-screen [ OK ]
[08:31:03] Scanning for string /usr/include/.../bkit-sleep [ OK ]
[08:31:03] Scanning for string /usr/lib/.../bkit-adore.o [ OK ]
[08:31:04] Scanning for string /usr/lib/.../ls [ OK ]
[08:31:04] Scanning for string /usr/lib/.../netstat [ OK ]
[08:31:04] Scanning for string /usr/lib/.../lsof [ OK ]
[08:31:04] Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[08:31:04] Scanning for string /usr/lib/.../bkit-ssh/bkit-shhk [ OK ]
[08:31:04] Scanning for string /usr/lib/.../bkit-ssh/bkit-pw [ OK ]
[08:31:04] Scanning for string /usr/lib/.../bkit-ssh/bkit-shrs [ OK ]
[08:31:04] Scanning for string /usr/lib/.../bkit-ssh/bkit-mots [ OK ]
[08:31:04] Scanning for string /usr/lib/.../uconf.inv [ OK ]
[08:31:04] Scanning for string /usr/lib/.../psr [ OK ]
[08:31:04] Scanning for string /usr/lib/.../find [ OK ]
[08:31:04] Scanning for string /usr/lib/.../pstree [ OK ]
[08:31:04] Scanning for string /usr/lib/.../slocate [ OK ]
[08:31:04] Scanning for string /usr/lib/.../du [ OK ]
[08:31:05] Scanning for string /usr/lib/.../top [ OK ]
[08:31:05] Scanning for string /usr/sbin/... [ OK ]
[08:31:05] Scanning for string /usr/include/... [ OK ]
[08:31:05] Scanning for string /usr/include/.../.tmp [ OK ]
[08:31:05] Scanning for string /usr/lib/... [ OK ]
[08:31:05] Scanning for string /usr/lib/.../.ssh [ OK ]
[08:31:05] Scanning for string /usr/lib/.../bkit-ssh [ OK ]
[08:31:05] Scanning for string /usr/lib/.bkit- [ OK ]
[08:31:05] Scanning for string /tmp/.bkp [ OK ]
[08:31:05] Scanning for string /tmp/.cinik [ OK ]
[08:31:05] Scanning for string /tmp/.font-unix/.cinik [ OK ]
[08:31:05] Scanning for string /lib/.sso [ OK ]
[08:31:05] Scanning for string /lib/.so [ OK ]
[08:31:05] Scanning for string /var/run/...dica/clean [ OK ]
[08:31:05] Scanning for string /var/run/...dica/dxr [ OK ]
[08:31:06] Scanning for string /var/run/...dica/read [ OK ]
[08:31:06] Scanning for string /var/run/...dica/write [ OK ]
[08:31:06] Scanning for string /var/run/...dica/lf [ OK ]
[08:31:06] Scanning for string /var/run/...dica/xl [ OK ]
[08:31:06] Scanning for string /var/run/...dica/xdr [ OK ]
[08:31:06] Scanning for string /var/run/...dica/psg [ OK ]
[08:31:06] Scanning for string /var/run/...dica/secure [ OK ]
[08:31:06] Scanning for string /var/run/...dica/rdx [ OK ]
[08:31:06] Scanning for string /var/run/...dica/va [ OK ]
[08:31:06] Scanning for string /var/run/...dica/cl.sh [ OK ]
[08:31:06] Scanning for string /var/run/...dica/last.log [ OK ]
[08:31:06] Scanning for string /usr/bin/.etc [ OK ]
[08:31:06] Scanning for string /etc/sshd_config [ OK ]
[08:31:06] Scanning for string /etc/ssh_host_key [ OK ]
[08:31:06] Scanning for string /etc/ssh_random_seed [ OK ]
[08:31:06] Scanning for string /dev/ptyp [ OK ]
[08:31:06] Scanning for string /dev/ptyq [ OK ]
[08:31:06] Scanning for string /dev/ptyr [ OK ]
[08:31:07] Scanning for string /dev/ptys [ OK ]
[08:31:07] Scanning for string /dev/ptyt [ OK ]
[08:31:07] Scanning for string /dev/fd/.88/freshb-bsd [ OK ]
[08:31:07] Scanning for string /dev/fd/.88/fresht [ OK ]
[08:31:07] Scanning for string /dev/fd/.88/zxsniff [ OK ]
[08:31:07] Scanning for string /dev/fd/.88/zxsniff.log [ OK ]
[08:31:07] Scanning for string /dev/fd/.99/.ttyf00 [ OK ]
[08:31:07] Scanning for string /dev/fd/.99/.ttyp00 [ OK ]
[08:31:07] Scanning for string /dev/fd/.99/.ttyq00 [ OK ]
[08:31:07] Scanning for string /dev/fd/.99/.ttys00 [ OK ]
[08:31:07] Scanning for string /dev/fd/.99/.pwsx00 [ OK ]
[08:31:07] Scanning for string /etc/.acid [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/sched_host.2 [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/random_d.2 [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/set_pid.2 [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/setrgrp.2 [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/TOHIDE [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/cons.saver [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/adore/ava/ava [ OK ]
[08:31:08] Scanning for string /usr/lib/.fx/adore/adore/adore.ko [ OK ]
[08:31:08] Scanning for string /bin/sysback [ OK ]
[08:31:08] Scanning for string /usr/local/bin/sysback [ OK ]
[08:31:09] Scanning for string /usr/lib/.tbd [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/t0rns [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/du [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/ls [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/t0rnsb [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/ps [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/t0rnp [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/find [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/ifconfig [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/pg [ OK ]
[08:31:09] Scanning for string /dev/.lib/lib/lib/ssh.tgz [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/top [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/sz [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/login [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/in.fingerd [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/1i0n.sh [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/pstree [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/in.telnetd [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/mjy [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/sush [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/tfn [ OK ]
[08:31:10] Scanning for string /dev/.lib/lib/lib/name [ OK ]
[08:31:11] Scanning for string /dev/.lib/lib/lib/getip.sh [ OK ]
[08:31:11] Scanning for string /usr/info/.torn/sh* [ OK ]
[08:31:11] Scanning for string /usr/src/.puta/.1addr [ OK ]
[08:31:11] Scanning for string /usr/src/.puta/.1file [ OK ]
[08:31:11] Scanning for string /usr/src/.puta/.1proc [ OK ]
[08:31:11] Scanning for string /usr/src/.puta/.1logz [ OK ]
[08:31:11] Scanning for string /usr/info/.t0rn [ OK ]
[08:31:11] Scanning for string /dev/.lib [ OK ]
[08:31:11] Scanning for string /dev/.lib/lib [ OK ]
[08:31:11] Scanning for string /dev/.lib/lib/lib [ OK ]
[08:31:11] Scanning for string /dev/.lib/lib/lib/dev [ OK ]
[08:31:11] Scanning for string /dev/.lib/lib/scan [ OK ]
[08:31:11] Scanning for string /usr/src/.puta [ OK ]
[08:31:11] Scanning for string /usr/man/man1/man1 [ OK ]
[08:31:12] Scanning for string /usr/man/man1/man1/lib [ OK ]
[08:31:12] Scanning for string /usr/man/man1/man1/lib/.lib [ OK ]
[08:31:12] Scanning for string /usr/man/man1/man1/lib/.lib/.backup [ OK ]
[08:31:12]
[08:31:12] Info: Starting test name 'shared_libs'
[08:31:12] Performing 'shared libraries' checks
[08:31:12] Checking for preloading variables [ None found ]
[08:31:12] Checking for preloaded libraries [ None found ]
[08:31:12]
[08:31:12] Info: Starting test name 'shared_libs_path'
[08:31:12] Checking LD_LIBRARY_PATH variable [ Not found ]
[08:31:12]
[08:31:12] Info: Starting test name 'properties'
[08:31:12] Performing file properties checks
[08:31:12] Checking for prerequisites [ OK ]
[08:31:14] /bin/awk [ OK ]
[08:31:15] /bin/basename [ OK ]
[08:31:16] /bin/bash [ OK ]
[08:31:16] /bin/cat [ OK ]
[08:31:17] /bin/chmod [ OK ]
[08:31:17] /bin/chown [ OK ]
[08:31:18] /bin/cp [ OK ]
[08:31:18] /bin/csh [ OK ]
[08:31:19] /bin/date [ OK ]
[08:31:19] /bin/df [ OK ]
[08:31:20] /bin/dmesg [ OK ]
[08:31:20] /bin/echo [ OK ]
[08:31:21] /bin/ed [ Warning ]
[08:31:21] Warning: The file properties have changed:
[08:31:21] File: /bin/ed
[08:31:21] Current inode: 711164 Stored inode: 672285
[08:31:22] /bin/egrep [ OK ]
[08:31:22] /bin/fgrep [ OK ]
[08:31:22] /bin/find [ OK ]
[08:31:23] /bin/fuser [ OK ]
[08:31:23] /bin/grep [ OK ]
[08:31:25] /bin/ip [ Warning ]
[08:31:25] Warning: The file properties have changed:
[08:31:25] File: /bin/ip
[08:31:25] Current inode: 737814 Stored inode: 148467
[08:31:25] /bin/kill [ OK ]
[08:31:26] /bin/logger [ OK ]
[08:31:26] /bin/login [ OK ]
[08:31:27] /bin/ls [ OK ]
[08:31:27] /bin/lsmod [ OK ]
[08:31:28] /bin/mail [ OK ]
[08:31:28] /bin/md5sum [ OK ]
[08:31:28] /bin/mktemp [ OK ]
[08:31:29] /bin/more [ OK ]
[08:31:29] /bin/mount [ OK ]
[08:31:30] /bin/mv [ OK ]
[08:31:30] /bin/netstat [ OK ]
[08:31:31] /bin/pgrep [ OK ]
[08:31:31] /bin/ping [ OK ]
[08:31:32] /bin/pkill [ OK ]
[08:31:32] /bin/ps [ OK ]
[08:31:33] /bin/pwd [ OK ]
[08:31:33] /bin/readlink [ OK ]
[08:31:34] /bin/rpm [ OK ]
[08:31:34] /bin/sed [ OK ]
[08:31:35] /bin/sh [ OK ]
[08:31:36] /bin/sort [ OK ]
[08:31:36] /bin/stat [ OK ]
[08:31:37] /bin/su [ OK ]
[08:31:38] /bin/touch [ OK ]
[08:31:38] /bin/uname [ OK ]
[08:31:39] /bin/gawk [ OK ]
[08:31:39] /bin/tcsh [ OK ]
[08:31:40] /bin/kmod [ OK ]
[08:31:41] /bin/systemd [ OK ]
[08:31:42] /bin/systemctl [ OK ]
[08:31:42] /usr/bin/awk [ OK ]
[08:31:43] /usr/bin/basename [ OK ]
[08:31:43] /usr/bin/cat [ OK ]
[08:31:44] /usr/bin/chattr [ Warning ]
[08:31:44] Warning: The file properties have changed:
[08:31:44] File: /usr/bin/chattr
[08:31:44] Current inode: 726646 Stored inode: 537513
[08:31:45] /usr/bin/chkconfig [ OK ]
[08:31:46] /usr/bin/chmod [ OK ]
[08:31:46] /usr/bin/chown [ OK ]
[08:31:47] /usr/bin/chroot [ OK ]
[08:31:47] /usr/bin/cp [ OK ]
[08:31:47] /usr/bin/csh [ OK ]
[08:31:48] /usr/bin/curl [ Warning ]
[08:31:48] Warning: The file properties have changed:
[08:31:48] File: /usr/bin/curl
[08:31:48] Current inode: 738098 Stored inode: 367847
[08:31:49] /usr/bin/cut [ OK ]
[08:31:49] /usr/bin/date [ OK ]
[08:31:50] /usr/bin/df [ OK ]
[08:31:50] /usr/bin/diff [ OK ]
[08:31:50] /usr/bin/dirname [ OK ]
[08:31:51] /usr/bin/dmesg [ OK ]
[08:31:51] /usr/bin/du [ OK ]
[08:31:52] /usr/bin/echo [ OK ]
[08:31:52] /usr/bin/ed [ Warning ]
[08:31:52] Warning: The file properties have changed:
[08:31:52] File: /usr/bin/ed
[08:31:52] Current inode: 711165 Stored inode: 672286
[08:31:53] /usr/bin/egrep [ OK ]
[08:31:53] /usr/bin/env [ OK ]
[08:31:53] /usr/bin/fgrep [ OK ]
[08:31:54] /usr/bin/file [ OK ]
[08:31:54] /usr/bin/find [ OK ]
[08:31:55] /usr/bin/grep [ OK ]
[08:31:55] /usr/bin/groups [ OK ]
[08:31:55] /usr/bin/head [ OK ]
[08:31:56] /usr/bin/id [ OK ]
[08:31:56] /usr/bin/kill [ OK ]
[08:31:57] /usr/bin/killall [ OK ]
[08:31:57] /usr/bin/last [ OK ]
[08:31:58] /usr/bin/lastlog [ OK ]
[08:31:59] /usr/bin/ldd [ Warning ]
[08:31:59] Warning: The file properties have changed:
[08:31:59] File: /usr/bin/ldd
[08:31:59] Current inode: 749139 Stored inode: 538525
[08:31:59] /usr/bin/less [ OK ]
[08:32:00] /usr/bin/locate [ OK ]
[08:32:00] /usr/bin/logger [ OK ]
[08:32:01] /usr/bin/ls [ OK ]
[08:32:01] /usr/bin/lsattr [ Warning ]
[08:32:01] Warning: The file properties have changed:
[08:32:01] File: /usr/bin/lsattr
[08:32:01] Current inode: 726647 Stored inode: 537514
[08:32:01] /usr/bin/lsmod [ OK ]
[08:32:02] /usr/bin/lsof [ Warning ]
[08:32:02] Warning: The file properties have changed:
[08:32:02] File: /usr/bin/lsof
[08:32:02] Current inode: 711182 Stored inode: 672314
[08:32:03] /usr/bin/lynx [ OK ]
[08:32:03] /usr/bin/mail [ OK ]
[08:32:04] /usr/bin/md5sum [ OK ]
[08:32:04] /usr/bin/mktemp [ OK ]
[08:32:05] /usr/bin/more [ OK ]
[08:32:05] /usr/bin/mount [ OK ]
[08:32:06] /usr/bin/mv [ OK ]
[08:32:06] /usr/bin/newgrp [ OK ]
[08:32:07] /usr/bin/passwd [ OK ]
[08:32:08] /usr/bin/perl [ OK ]
[08:32:08] /usr/bin/pgrep [ OK ]
[08:32:08] /usr/bin/ping [ OK ]
[08:32:09] /usr/bin/pkill [ OK ]
[08:32:09] /usr/bin/ps [ OK ]
[08:32:09] /usr/bin/pstree [ OK ]
[08:32:10] /usr/bin/pwd [ OK ]
[08:32:10] /usr/bin/readlink [ OK ]
[08:32:11] /usr/bin/rkhunter [ OK ]
[08:32:11] /usr/bin/runcon [ OK ]
[08:32:12] /usr/bin/sed [ OK ]
[08:32:12] /usr/bin/sh [ OK ]
[08:32:13] /usr/bin/sha1sum [ OK ]
[08:32:13] /usr/bin/sha224sum [ OK ]
[08:32:14] /usr/bin/sha256sum [ OK ]
[08:32:14] /usr/bin/sha384sum [ OK ]
[08:32:15] /usr/bin/sha512sum [ OK ]
[08:32:18] /usr/bin/size [ OK ]
[08:32:19] /usr/bin/sort [ OK ]
[08:32:20] /usr/bin/ssh [ OK ]
[08:32:20] /usr/bin/stat [ OK ]
[08:32:21] /usr/bin/strace [ OK ]
[08:32:21] /usr/bin/strings [ OK ]
[08:32:21] /usr/bin/su [ OK ]
[08:32:22] /usr/bin/sudo [ OK ]
[08:32:22] /usr/bin/tail [ OK ]
[08:32:23] /usr/bin/telnet [ OK ]
[08:32:23] /usr/bin/test [ OK ]
[08:32:23] /usr/bin/top [ OK ]
[08:32:24] /usr/bin/touch [ OK ]
[08:32:24] /usr/bin/tr [ OK ]
[08:32:25] /usr/bin/uname [ OK ]
[08:32:25] /usr/bin/uniq [ OK ]
[08:32:26] /usr/bin/users [ OK ]
[08:32:26] /usr/bin/vmstat [ OK ]
[08:32:27] /usr/bin/w [ OK ]
[08:32:27] /usr/bin/watch [ OK ]
[08:32:27] /usr/bin/wc [ OK ]
[08:32:28] /usr/bin/wget [ OK ]
[08:32:28] /usr/bin/whatis [ OK ]
[08:32:29] /usr/bin/whereis [ OK ]
[08:32:29] /usr/bin/which [ OK ]
[08:32:30] /usr/bin/who [ OK ]
[08:32:30] /usr/bin/whoami [ OK ]
[08:32:31] /usr/bin/gawk [ OK ]
[08:32:31] /usr/bin/tcsh [ OK ]
[08:32:32] /usr/bin/kmod [ OK ]
[08:32:32] /usr/bin/mailx [ OK ]
[08:32:33] /usr/bin/systemctl [ OK ]
[08:32:33] /sbin/checkproc [ OK ]
[08:32:34] /sbin/chkconfig [ OK ]
[08:32:34] /sbin/depmod [ OK ]
[08:32:35] /sbin/fsck [ OK ]
[08:32:36] /sbin/ifconfig [ OK ]
[08:32:36] /sbin/ifdown [ OK ]
[08:32:36] /sbin/ifstatus [ OK ]
[08:32:37] /sbin/ifup [ OK ]
[08:32:37] /sbin/init [ OK ]
[08:32:38] /sbin/insmod [ OK ]
[08:32:38] /sbin/ip [ Warning ]
[08:32:38] Warning: The file properties have changed:
[08:32:38] File: /sbin/ip
[08:32:38] Current inode: 737822 Stored inode: 148475
[08:32:39] /sbin/lsmod [ OK ]
[08:32:39] /sbin/modinfo [ OK ]
[08:32:40] /sbin/modprobe [ OK ]
[08:32:40] /sbin/nologin [ OK ]
[08:32:41] /sbin/rmmod [ OK ]
[08:32:41] /sbin/route [ OK ]
[08:32:42] /sbin/runlevel [ OK ]
[08:32:43] /sbin/sysctl [ OK ]
[08:32:45] /usr/sbin/cron [ OK ]
[08:32:45] /usr/sbin/depmod [ OK ]
[08:32:46] /usr/sbin/fsck [ OK ]
[08:32:47] /usr/sbin/groupadd [ OK ]
[08:32:47] /usr/sbin/groupdel [ OK ]
[08:32:47] /usr/sbin/groupmod [ OK ]
[08:32:48] /usr/sbin/grpck [ OK ]
[08:32:48] /usr/sbin/ifup [ OK ]
[08:32:49] /usr/sbin/insmod [ OK ]
[08:32:49] /usr/sbin/ip [ Warning ]
[08:32:49] Warning: The file properties have changed:
[08:32:49] File: /usr/sbin/ip
[08:32:49] Current inode: 737829 Stored inode: 148482
[08:32:50] /usr/sbin/lsmod [ OK ]
[08:32:51] /usr/sbin/modinfo [ OK ]
[08:32:51] /usr/sbin/modprobe [ OK ]
[08:32:52] /usr/sbin/nologin [ OK ]
[08:32:53] /usr/sbin/pwck [ OK ]
[08:32:53] /usr/sbin/rmmod [ OK ]
[08:32:54] /usr/sbin/sshd [ OK ]
[08:32:55] /usr/sbin/sulogin [ OK ]
[08:32:55] /usr/sbin/sysctl [ OK ]
[08:32:56] /usr/sbin/useradd [ OK ]
[08:32:56] /usr/sbin/userdel [ OK ]
[08:32:57] /usr/sbin/usermod [ OK ]
[08:32:57] /usr/sbin/vipw [ OK ]
[08:32:58] /usr/sbin/xinetd [ OK ]
[08:33:14] /usr/lib/systemd/systemd [ OK ]
[08:33:15] /etc/rkhunter.conf [ OK ]
[08:33:15] /etc/rkhunter.d/00-opensuse.conf [ OK ]
[08:33:20]
[08:33:20] Info: Starting test name 'rootkits'
[08:33:20] Checking for rootkits...
[08:33:20]
[08:33:20] Info: Starting test name 'known_rkts'
[08:33:20] Performing check of known rootkit files and directories
[08:33:20]
[08:33:20] Checking for 55808 Trojan - Variant A...
[08:33:20] Checking for file '/tmp/.../r' [ Not found ]
[08:33:20] Checking for file '/tmp/.../a' [ Not found ]
[08:33:20] 55808 Trojan - Variant A [ Not found ]
[08:33:20]
[08:33:20] Checking for ADM Worm...
[08:33:20] Checking for string 'w0rm' [ Not found ]
[08:33:20] ADM Worm [ Not found ]
[08:33:20]
[08:33:20] Checking for AjaKit Rootkit...
[08:33:20] Checking for file '/dev/tux/.addr' [ Not found ]
[08:33:20] Checking for file '/dev/tux/.proc' [ Not found ]
[08:33:21] Checking for file '/dev/tux/.file' [ Not found ]
[08:33:21] Checking for file '/lib/.libgh-gh/cleaner' [ Not found ]
[08:33:21] Checking for file '/lib/.libgh-gh/Patch/patch' [ Not found ]
[08:33:21] Checking for file '/lib/.libgh-gh/sb0k' [ Not found ]
[08:33:21] Checking for directory '/dev/tux' [ Not found ]
[08:33:21] Checking for directory '/lib/.libgh-gh' [ Not found ]
[08:33:21] AjaKit Rootkit [ Not found ]
[08:33:21]
[08:33:21] Checking for Adore Rootkit...
[08:33:21] Checking for file '/usr/secure' [ Not found ]
[08:33:21] Checking for file '/usr/doc/sys/qrt' [ Not found ]
[08:33:21] Checking for file '/usr/doc/sys/run' [ Not found ]
[08:33:21] Checking for file '/usr/doc/sys/crond' [ Not found ]
[08:33:22] Checking for file '/usr/sbin/kfd' [ Not found ]
[08:33:22] Checking for file '/usr/doc/kern/var' [ Not found ]
[08:33:22] Checking for file '/usr/doc/kern/string.o' [ Not found ]
[08:33:22] Checking for file '/usr/doc/kern/ava' [ Not found ]
[08:33:22] Checking for file '/usr/doc/kern/adore.o' [ Not found ]
[08:33:22] Checking for file '/var/log/ssh/old' [ Not found ]
[08:33:22] Checking for directory '/lib/security/.config/ssh' [ Not found ]
[08:33:22] Checking for directory '/usr/doc/kern' [ Not found ]
[08:33:22] Checking for directory '/usr/doc/backup' [ Not found ]
[08:33:22] Checking for directory '/usr/doc/backup/txt' [ Not found ]
[08:33:22] Checking for directory '/lib/backup' [ Not found ]
[08:33:22] Checking for directory '/lib/backup/txt' [ Not found ]
[08:33:22] Checking for directory '/usr/doc/work' [ Not found ]
[08:33:23] Checking for directory '/usr/doc/sys' [ Not found ]
[08:33:23] Checking for directory '/var/log/ssh' [ Not found ]
[08:33:23] Checking for directory '/usr/doc/.spool' [ Not found ]
[08:33:23] Checking for directory '/usr/lib/kterm' [ Not found ]
[08:33:23] Adore Rootkit [ Not found ]
[08:33:23]
[08:33:23] Checking for aPa Kit...
[08:33:23] Checking for file '/usr/share/.aPa' [ Not found ]
[08:33:23] aPa Kit [ Not found ]
[08:33:23]
[08:33:23] Checking for Apache Worm...
[08:33:23] Checking for file '/bin/.log' [ Not found ]
[08:33:23] Apache Worm [ Not found ]
[08:33:23]
[08:33:23] Checking for Ambient (ark) Rootkit...
[08:33:23] Checking for file '/usr/lib/.ark?' [ Not found ]
[08:33:23] Checking for file '/dev/ptyxx/.log' [ Not found ]
[08:33:23] Checking for file '/dev/ptyxx/.file' [ Not found ]
[08:33:23] Checking for file '/dev/ptyxx/.proc' [ Not found ]
[08:33:24] Checking for file '/dev/ptyxx/.addr' [ Not found ]
[08:33:24] Checking for directory '/dev/ptyxx' [ Not found ]
[08:33:24] Ambient (ark) Rootkit [ Not found ]
[08:33:24]
[08:33:24] Checking for Balaur Rootkit...
[08:33:24] Checking for file '/usr/lib/liblog.o' [ Not found ]
[08:33:24] Checking for directory '/usr/lib/.kinetic' [ Not found ]
[08:33:24] Checking for directory '/usr/lib/.egcs' [ Not found ]
[08:33:24] Checking for directory '/usr/lib/.wormie' [ Not found ]
[08:33:24] Balaur Rootkit [ Not found ]
...........................................
[19:21:51] Info: Starting test name 'system_configs'
[19:21:51] Performing system configuration file checks
[19:22:57]
[19:22:57] Info: End date is mié jul 1 19:22:57 CEST 2015
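The log above is long, and the lines that actually need a decision are the "[ Warning ]" entries in the file properties check (/bin/ed, /bin/ip, /usr/bin/curl and so on), each followed by the changed inode numbers. The script below is an added example, not part of the original post or of the rkhunter project: it parses a log in this format, lists the flagged files with their current and stored inodes, and, where rpm or dpkg is available, asks the package manager to verify the owning package so you can tell a routine package update from a replaced binary. The sample log is constructed for the demonstration from the entries shown above; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise rkhunter file-properties warnings.
# Not part of the original post or of rkhunter itself.

# Sample log, constructed from the entries in the post (rkhunter 1.4 format).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[08:31:20] /bin/echo                                    [ OK ]
[08:31:21] /bin/ed                                      [ Warning ]
[08:31:21] Warning: The file properties have changed:
[08:31:21]          File: /bin/ed
[08:31:21]          Current inode: 711164    Stored inode: 672285
[08:31:22] /bin/egrep                                   [ OK ]
[08:31:25] /bin/ip                                      [ Warning ]
[08:31:25] Warning: The file properties have changed:
[08:31:25]          File: /bin/ip
[08:31:25]          Current inode: 737814    Stored inode: 148467
[08:33:20] Checking for file '/tmp/.../r'               [ Not found ]
[08:33:23] Balaur Rootkit                               [ Not found ]
EOF

# Paths flagged "[ Warning ]" in the properties test, one per line.
# A flagged line looks like: "[08:31:21] /bin/ed   [ Warning ]",
# so field 2 is the path and fields 3-5 are "[", "Warning", "]".
rkhunter_warned_files() {
    awk '$2 ~ /^\// && $3 == "[" && $4 == "Warning" && $5 == "]" { print $2 }' "$1"
}

# Number of flagged files in the log.
rkhunter_warning_count() {
    rkhunter_warned_files "$1" | wc -l | tr -d ' '
}

# "<file> <current inode> <stored inode>" for every inode-change warning.
# The "File:" line names the file; the next "Current inode:" line carries
# the current value in field 4 and the stored value in field 7.
rkhunter_inode_changes() {
    awk '$2 == "File:" { f = $3 }
         $2 == "Current" && $3 == "inode:" { print f, $4, $7 }' "$1"
}

# Ask the package manager whether the flagged files still match their
# package. Returns 0 if every file verifies, 1 if any does not, and 2 if
# neither rpm nor dpkg is present (verify by hand in that case).
rkhunter_verify_with_pkgmgr() {
    rc=0
    for f in $(rkhunter_warned_files "$1"); do
        if command -v rpm >/dev/null 2>&1; then
            rpm -Vf "$f" || rc=1
        elif command -v dpkg >/dev/null 2>&1; then
            pkg="$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)"
            if [ -n "$pkg" ]; then dpkg -V "$pkg" || rc=1; else rc=1; fi
        else
            echo "no rpm or dpkg found; verify $f manually" >&2
            rc=2
        fi
    done
    return $rc
}

# Stand-alone run: print the summary for the sample log.
echo "warnings: $(rkhunter_warning_count "$SAMPLE_LOG")"
rkhunter_inode_changes "$SAMPLE_LOG"
```

Point the functions at /var/log/rkhunter.log on a real system. If the package manager verifies the flagged binaries and the change lines up with a package update, refresh the baseline with rkhunter --propupd so the next run is quiet; if a file does not verify, or is not owned by any package at all, treat it as a finding and investigate before updating anything. The post's own log was produced with --cronjob --report-warnings-only, which is the mode to use for an unattended run, since it suppresses the ENTER prompt mentioned above and logs only the warnings.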