
#1 2009-12-10 17:59:11

davidlondonuk
Member
Registered: 2009-06-24
Posts: 49

rkhunter detects heimdal package as 'adore' rootkit?

Hi,

The recent update of rkhunter (1.3.6) detects heimdal 1.3.1-2 package (kerberos libs) as a potential rootkit named adore- it lists the offending binary as /usr/sbin/kfd.

The executable /usr/sbin/kfd is used to 'securely forward tickets', whatever that means, and has a manpage.

Is this just rkhunter being paranoid or is /usr/sbin/kfd something that should not be there?

Thanks for any advice.

David


#2 2009-12-10 22:26:46

newt
Member
From: Jakarta - Indonesia
Registered: 2008-10-26
Posts: 13

Re: rkhunter detects heimdal package as 'adore' rootkit?

I found the same.
This is my rkhunter.log :

[05:16:30] Warning: Adore Rootkit                            [ Warning ]
[05:16:30]          File '/usr/sbin/kfd' found

I removed the /usr/sbin/kfd file and reinstalled heimdal 1.3.1-2, but I still get the symptom.

<newt>


¡ pıdnʇs 'ǝldɯıs ʇı dǝǝʞ


#3 2009-12-11 04:43:58

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,554

Re: rkhunter detects heimdal package as 'adore' rootkit?

could you guys please also try chkrootkit (it's in the repos) ? according to http://www.chkrootkit.org/ the Adore worm and Adore LKM should be detected. It didn't find anything on 3 of my machines (i686 and x86_64) I can't test the 4th one until tonight...


All design goals must be phrased in such a way that it is hard to use them as slogans to justify stupidity.


#4 2009-12-11 08:52:00

davidlondonuk
Member
Registered: 2009-06-24
Posts: 49

Re: rkhunter detects heimdal package as 'adore' rootkit?

Hi,

I installed chkrootkit and it did not detect adore. I'm not sure why rkhunter sees the heimdal package (/usr/sbin/kfd) as a threat and chkrootkit does not.

I might email the rkhunter developer and see if it's a real threat or a false positive.

David


#5 2009-12-15 20:05:36

Toke
Member
From: Stockholm/Sweden
Registered: 2009-02-14
Posts: 12

Re: rkhunter detects heimdal package as 'adore' rootkit?

davidlondonuk wrote:

Hi,

I installed chkrootkit and it did not detect adore. I'm not sure why rkhunter sees the heimdal package (/usr/sbin/kfd) as a threat and chkrootkit does not.

I might email the rkhunter developer and see if it's a real threat or a false positive.

David

Hi

Chkrootkit doesn't detect any rootkit for me, but rkhunter gives the same warning as you got. However, I do have the same version of rkhunter as you.

*worried* neutral

[EDIT]: Checked my 2nd computer, which has a fresh and updated install of Arch Linux, and I got the same warning there. So it better be a false positive. smile

Last edited by Toke (2009-12-15 20:48:55)


#6 2009-12-15 21:43:35

attila
Member
Registered: 2006-11-14
Posts: 293

Re: rkhunter detects heimdal package as 'adore' rootkit?

The new rkhunter changes a lot in rkhunter.conf and it is worth reading it. For the problem with kfd you can use these 2 lines to ignore the message but activate filesum for the file:

USER_FILEPROP_FILES_DIRS="/usr/sbin/kfd"
RTKT_FILE_WHITELIST="/usr/sbin/kfd"


#7 2009-12-29 06:40:45

CPUnltd
Member
From: Milwaukee, WI
Registered: 2009-12-05
Posts: 470
Website

Re: rkhunter detects heimdal package as 'adore' rootkit?

getting similar results... it's also telling me that there's suspicious activity in my syslog config file and it skipped checking running processes. I'm wondering if I am dealing with false positives myself. System was running without a firewall for a bit (and had to kill the firewall for certain pkgbuilds because firestarter seems to block a lot of odd stuff (like gmail)), but I am behind opendns through my router (for what that is worth) so I'm not sure how vulnerable I was before installing any firewall at all (went through gshield and attempting to directly set up iptables before settling with firestarter... kinda wondering if I should empty my iptables.conf file and redo the firestarter wizard to see if that helps at all with that... but I'm getting a bit off topic, so I'll end this here tongue)...


Help grow the dev population... have your tech trained and certified!


#8 2010-01-09 16:47:07

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: rkhunter detects heimdal package as 'adore' rootkit?

Same here:

toad@deskarch 997\32 /sbin > sudo rkhunter --check --rwo
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
         is used, all the files on their system are known to be genuine, and installed from a
         reliable source. The rkhunter '--check' option will compare the current file properties
         against previously stored values, and report if any values differ. However, rkhunter
         cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable
Warning: Adore Rootkit                            [ Warning ]
         File '/usr/sbin/kfd' found
Warning: The syslog daemon is running, but no configuration file can be found.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

toad@deskarch 998\33 /sbin >

chkrootkit came up with:

Searching for suspect PHP files... /usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13

The last line is repeated about a zillion times before it tells me that nothing is found.

David, did you write that email?


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::


#9 2010-01-10 12:24:38

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 376

Re: rkhunter detects heimdal package as 'adore' rootkit?

Here is my log (also installed the last rkhunter 1.6.3)

[13:55:33] /usr/bin/ldd                                      [ Warning ]
[13:55:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[13:55:57] /usr/sbin/adduser                                 [ Warning ]
[13:55:57] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable
[13:56:24] Warning: Adore Rootkit                            [ Warning ]
[13:56:25]          File '/usr/sbin/kfd' found
 Checking for hidden files and directories       [ Warning ]
[14:00:46] Warning: Hidden directory found: /dev/.udev

And the syslog-ng is not running wtf?

An analysis at virustotal comes out clean, as you can see:
http://www.virustotal.com/analisis/b579 … 1263125975


#10 2010-01-10 12:42:45

attila
Member
Registered: 2006-11-14
Posts: 293

Re: rkhunter detects heimdal package as 'adore' rootkit?

r0b0t wrote:

And the syslog-ng is not running wtf?

Look for SYSLOG_CONFIG_FILE in rkhunter.conf. For your other problems you should look for SCRIPTWHITELIST.

Sorry to say, but I'm a little bit wondering about the fact that everyone is surprised that a program like rkhunter tends to give more warnings rather than fewer. Most things can be handled in the config file, which has nice comments about most parameters.


#11 2010-01-10 12:56:09

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 376

Re: rkhunter detects heimdal package as 'adore' rootkit?

attila wrote:
r0b0t wrote:

And the syslog-ng is not running wtf?

Look for SYSLOG_CONFIG_FILE in rkhunter.conf. For your other problems you should look for SCRIPTWHITELIST.

Sorry to say, but I'm a little bit wondering about the fact that everyone is surprised that a program like rkhunter tends to give more warnings rather than fewer. Most things can be handled in the config file, which has nice comments about most parameters.

Sow, is a false \ positive? (agree?)


#12 2010-01-10 13:11:58

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,723

Re: rkhunter detects heimdal package as 'adore' rootkit?

It seems like a false positive to me. Perhaps the fact it is detected stems from an old problem reported here

http://lwn.net/Articles/103366/


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#13 2010-01-10 18:15:18

attila
Member
Registered: 2006-11-14
Posts: 293

Re: rkhunter detects heimdal package as 'adore' rootkit?

r0b0t wrote:

Sow, is a false \ positive? (agree?)

No, I don't agree, because I find the information about the scripts helpful. Have you ever looked at the homepage of rkhunter to see how many distributions it supports? Then it is easy to understand that, for example, the location of the syslog config file can only be a compromise. What is the problem with this? If you don't want to think about such things, why do you use such a tool, and do you really know more about a possible rootkit than the developer of rkhunter?

Sorry, but all your "false" reports could easily be solved by yourself in the config file, and in truth we are discussing why you don't read the information which comes with the program. So no funny "sow" will overcock this, and if you want to do some good thing, then send the aur maintainer a config file (or a patch) to solve your "false" messages.


#14 2010-01-27 04:44:58

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,428
Website

Re: rkhunter detects heimdal package as 'adore' rootkit?

BTW, this is a definite false positive. rkhunter sees any /usr/sbin/kfd file as the Adore rootkit. e.g. move that file and all is good. Create an empty file with that name, Adore rootkit warning.
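Added example for this thread (not rkhunter's code): a small Python model of what Allan describes above and of what attila's two rkhunter.conf lines in post #6 do. The signature table, the throwaway file tree and the fake kfd contents are constructed here; the property snapshot is a simplified stand-in for rkhunter.dat. It shows that a name-only signature fires on any file at /usr/sbin/kfd (even an empty one), that RTKT_FILE_WHITELIST silences that match, and that adding the path to USER_FILEPROP_FILES_DIRS keeps a hash/size/mode record so a later replacement of the binary is still reported.

```python
import hashlib
import os
import tempfile

# Constructed signature table modelled on the thread: the warning fires on
# the mere existence of the path, which is why heimdal's /usr/sbin/kfd trips it.
ROOTKIT_FILE_SIGNATURES = {
    "Adore Rootkit": ("/usr/sbin/kfd",),
}


def rootkit_file_check(root, whitelist=()):
    """Name-based check: report every signature path present under `root`
    unless it is listed in `whitelist` (the role of RTKT_FILE_WHITELIST)."""
    warnings = []
    for name, paths in ROOTKIT_FILE_SIGNATURES.items():
        for path in paths:
            if path in whitelist:
                continue
            if os.path.exists(root + path):
                warnings.append(f"Warning: {name}: File '{path}' found")
    return warnings


def snapshot_properties(root, tracked):
    """Record size, mode and SHA-256 of each tracked file; this stands in for
    what USER_FILEPROP_FILES_DIRS plus 'rkhunter --propupd' store in rkhunter.dat."""
    props = {}
    for path in tracked:
        full = root + path
        with open(full, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        st = os.stat(full)
        props[path] = (st.st_size, st.st_mode, digest)
    return props


def check_properties(root, stored):
    """Compare the live files against the stored snapshot ('rkhunter --check')."""
    current = snapshot_properties(root, stored)
    return [f"Warning: properties changed for '{p}'"
            for p in stored if current[p] != stored[p]]


def demo():
    """Walk through the thread's scenario on a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        kfd = root + "/usr/sbin/kfd"
        os.makedirs(os.path.dirname(kfd))
        with open(kfd, "wb") as fh:  # constructed stand-in for heimdal's binary
            fh.write(b"\x7fELF constructed kfd stand-in\n")

        # 1. Default config: the legitimate file is reported as Adore.
        results["default"] = rootkit_file_check(root)

        # 2. Post #6's two lines: suppress the name match, keep tracking the file.
        whitelist = ("/usr/sbin/kfd",)
        results["whitelisted"] = rootkit_file_check(root, whitelist)
        stored = snapshot_properties(root, whitelist)
        results["unchanged"] = check_properties(root, stored)

        # 3. The file is later replaced: the whitelist stays silent, but the
        #    property check reports the change.
        with open(kfd, "wb") as fh:
            fh.write(b"\x7fELF something else entirely\n")
        results["after_change"] = check_properties(root, stored)

        # 4. Allan's observation: an empty file with the same name also matches.
        open(kfd, "wb").close()
        results["empty_file"] = rootkit_file_check(root)
    return results


if __name__ == "__main__":
    for step, warnings in demo().items():
        print(step, warnings or "[ OK ]")
```

The point of pairing the two config lines is visible in steps 2 and 3: whitelisting alone would hide any future tampering with that path, while the property snapshot keeps a baseline to compare against, which is what 'rkhunter --propupd' followed by '--check' does for the real file.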


#15 2010-02-11 07:00:58

hitest
Member
From: B.C., Canada
Registered: 2009-12-27
Posts: 67

Re: rkhunter detects heimdal package as 'adore' rootkit?

Allan wrote:

BTW, this is a definite false positive. rkhunter sees any /usr/sbin/kfd file as the Adore rootkit. e.g. move that file and all is good. Create an empty file with that name, Adore rootkit warning.

Thanks for this post. I appreciate that! rkhunter picked up the Adore rootkit for me as well, but chkrootkit did not pick it up.


hitest
Arch, Slackware, OpenBSD
Registered Linux User #284243

