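rkhunter-1.4.0/0000775000123200012320000000000011750002114013305 5ustar unspawnunspawnrkhunter-1.4.0/installer.sh0000750000123200012320000010010711746343704015653 0ustar unspawnunspawn
#!/bin/sh
################################################################################
#
# Rootkit Hunter installer
# --------------------------
#
# Copyright Michael Boelen ( michael AT rootkit DOT nl )
# See LICENSE file for use of this software
#
# Usage: installer.sh --layout <template> [--striproot <dir>] [--overwrite]
#                     {--show | --install | --remove}
#
# The script must be run from the unpacked release directory: everything it
# installs is copied from ./files. The standalone layout ("--layout custom .")
# only touches ./files; the other layouts chown files to RKHINST_OWNER and
# write below PREFIX, so they need matching privileges.
#
# The Solaris Bourne shell has no $RANDOM, so the first block re-executes
# the installer under bash or ksh. Everything after that block may assume a
# POSIX shell; backticks are kept so the top of the file still parses under
# the original /bin/sh.
#
################################################################################

INSTALLER_NAME="Rootkit Hunter installer"
INSTALLER_VERSION="1.2.16"
INSTALLER_COPYRIGHT="Copyright 2003-2012, Michael Boelen"
INSTALLER_LICENSE="
Under active development by the Rootkit Hunter project team. For reporting
bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net

Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.
"

APPNAME="rkhunter"
APPVERSION="1.4.0"

# Ownership and modes applied to installed files: executables, private data
# (configuration, databases) and world-readable data (documents, man page).
RKHINST_OWNER="0:0"
RKHINST_MODE_EX="0750"
RKHINST_MODE_RW="0640"
RKHINST_MODE_RWR="0644"

RKHINST_LAYOUT="default"
RKHINST_ACTION=""
RKHINST_ACTION_SEEN=0
# USE_CVS is never set by an option: useCVS() is dead unless this is edited.
USE_CVS=0
ERRCODE=0
OVERWRITE=0
STRIPROOT=""
# Set to 1 when the corresponding *_BUILD_ROOT is "/", i.e. a real install.
RPM_USING_ROOT=0
TGZ_USING_ROOT=0
TXZ_USING_ROOT=0
DEB_USING_ROOT=0

umask 027

OPERATING_SYSTEM=`uname`
UNAMEM=`uname -m`

if [ "${OPERATING_SYSTEM}" = "SunOS" ]; then
  if [ -z "$RANDOM" ]; then
    # If the 'which' output contains a space, then it is probably an error.
    # ${1+"$@"} passes the arguments through unchanged; a plain "$@" yields
    # one empty argument in old Bourne shells when there are no arguments.
    if [ -n "`which bash 2>/dev/null | grep -v ' '`" ]; then
      exec bash "$0" ${1+"$@"}
    elif [ -n "`which ksh 2>/dev/null | grep -v ' '`" ]; then
      exec ksh "$0" ${1+"$@"}
    else
      echo "Unable to find the bash or ksh shell to run the installer. Exiting."
      exit 1
    fi
    exit 0
  fi
  # We need /usr/xpg4/bin before other directories on Solaris.
  PATH="/usr/xpg4/bin:${PATH}"
fi


#######################################
# Set LIBDIR below PREFIX: lib64 on x86_64/ppc64, lib elsewhere.
# Globals:   PREFIX, UNAMEM (read); LIBDIR (written)
#######################################
setArchLibDir() {
  case "${UNAMEM}" in
  x86_64|ppc64)
    LIBDIR="${PREFIX}/lib64"
    ;;
  *)
    LIBDIR="${PREFIX}/lib"
    ;;
  esac
  return
}


#######################################
# Print $1 with the characters that are special in a sed basic regular
# expression, plus the '|' delimiter used by this script, backslash-escaped,
# so that a pathname can be used as a literal 's|...||' pattern.
# Arguments: $1 - text to escape
# Outputs:   escaped text on stdout
#######################################
sedEscape() {
  printf '%s\n' "$1" | sed 's/[]\|$*.^[]/\\&/g'
  return
}


#######################################
# Make sure directory $1 exists and is writable, creating it when needed.
# Exits the installer on failure.
# Arguments: $1 - directory pathname
# Globals:   ERRCODE (written)
#######################################
ensureDir() {
  if [ -d "$1" ]; then
    if [ -w "$1" ]; then
      echo " Directory $1: exists and is writable."
    else
      echo " Directory $1: exists, but it is not writable. Exiting."
      exit 1
    fi
  else
    mkdir -p "$1" >/dev/null 2>&1
    ERRCODE=$?
    if [ $ERRCODE -eq 0 ]; then
      echo " Directory $1: creating: OK"
    else
      echo " Directory $1: creating: FAILED: Code $ERRCODE"
      exit 1
    fi
  fi
  return
}


#######################################
# Copy ./files/$1 into directory $2 and set its mode to $3.
# Exits the installer on a failed copy.
# Arguments: $1 - file name, $2 - destination directory, $3 - mode
# Globals:   ERRCODE (written)
#######################################
installFile() {
  cp -f "./files/$1" "$2" >/dev/null 2>&1
  ERRCODE=$?
  if [ $ERRCODE -eq 0 ]; then
    echo " Installing $1: OK"
    chmod "$3" "$2/$1"
  else
    echo " Installing $1: FAILED: Code $ERRCODE"
    exit 1
  fi
  return
}


#######################################
# Remove a path and report the result; failures are reported, not fatal.
# Arguments: $1 - rm flags (-f for a file, -rf for a directory)
#            $2 - pathname to remove
#            $3 - label used in the progress message
# Globals:   ERRCODE (written)
#######################################
removePath() {
  rm $1 "$2" >/dev/null 2>&1
  ERRCODE=$?
  if [ $ERRCODE -eq 0 ]; then
    echo " Removing $3: OK"
  else
    echo " Removing $3: FAILED: Code $ERRCODE"
  fi
  return
}


#######################################
# Print the directory settings that are appended to an installed
# configuration file. An empty PREFIX means the root directory.
# Arguments: $1 - configuration file name, relative to RKHINST_ETC_DIR
# Globals:   PREFIX, RKHINST_DB_DIR, RKHINST_SCRIPT_DIR, RKHINST_TMP_DIR,
#            RKHINST_ETC_DIR (read)
# Outputs:   configuration lines on stdout
#######################################
emitInstallPaths() {
  if [ -z "${PREFIX}" ]; then
    RKHTMPVAR="/"
  else
    RKHTMPVAR="${PREFIX}"
  fi
  echo "INSTALLDIR=${RKHTMPVAR}"
  echo "DBDIR=${RKHINST_DB_DIR}"
  echo "SCRIPTDIR=${RKHINST_SCRIPT_DIR}"
  echo "TMPDIR=${RKHINST_TMP_DIR}"
  echo "USER_FILEPROP_FILES_DIRS=${RKHINST_ETC_DIR}/$1"
  return
}


showHelp() {
  # Show help / version
  echo "${INSTALLER_NAME} ${INSTALLER_VERSION}"
  echo ""
  echo "Usage: $0 "
  echo ""
  echo "Ordered valid parameters:"
  echo ' --help (-h) : Show this help.'
  echo " --examples : Show layout examples."
  echo ' --layout : Choose installation template.'
  echo " The templates are:"
  echo ' - default: (FHS compliant; the default)'
  echo " - /usr"
  echo " - /usr/local"
  echo " - oldschool: old version file locations"
  echo " - custom: supply your own installation directory"
  echo " - RPM: for building RPM's. Requires \$RPM_BUILD_ROOT."
  echo " - DEB: for building DEB's. Requires \$DEB_BUILD_ROOT."
  echo " - TGZ: for building Slackware TGZ's. Requires \$TGZ_BUILD_ROOT."
  echo " - TXZ: for building Slackware TXZ's. Requires \$TXZ_BUILD_ROOT."
  echo ' --striproot : Strip path from custom layout (for package maintainers).'
  echo " --install : Install according to chosen layout."
  echo " --overwrite : Overwrite the existing configuration file."
  echo " (Default is to create a separate configuration file.)"
  echo " --show : Show chosen layout."
  echo " --remove : Uninstall according to chosen layout."
  echo " --version : Show the installer version."
  echo ""
  return
}


showExamples() {
  # Show examples
  echo "${INSTALLER_NAME}"
  echo ""
  echo "Examples:"
  echo "1. Show layout, files in /usr:"
  echo " installer.sh --layout /usr --show"
  echo ""
  echo "2. Install in /usr/local:"
  echo " installer.sh --layout /usr/local --install"
  echo ""
  echo '3. Install in chosen (custom) directory /opt:'
  echo " installer.sh --layout custom /opt --install"
  echo ""
  echo "4. Install in temporary directory /tmp/rkhunter/usr/local,"
  echo ' with files in /usr/local (for package maintainers):'
  echo " mkdir -p /tmp/rkhunter/usr/local"
  echo " installer.sh --layout custom /tmp/rkhunter/usr/local \\"
  echo " --striproot /tmp/rkhunter --install"
  echo ""
  echo "5. Remove files, layout /usr/local:"
  echo " installer.sh --layout /usr/local --remove"
  echo ""
  return
}


showVersion() {
  echo "${INSTALLER_NAME} ${INSTALLER_VERSION} ${INSTALLER_LICENSE}"
  return
}


#######################################
# Translate a layout name into the installation directories.
# Arguments: $1 - layout (default, /usr, /usr/local, oldschool, custom_<dir>,
#                 RPM, DEB, TGZ, TXZ)
# Globals:   writes PREFIX, SYSCONFIGDIR, LIBDIR, BINDIR, VARDIR, SHAREDIR,
#            the *_USING_ROOT flags and every RKHINST_*_DIR / RKHINST_*_FILES
#            variable; reads RKHINST_LAYOUT, RKHINST_ACTION, *_BUILD_ROOT.
# Returns:   0; exits 1 on an unusable layout or a missing build root.
#######################################
selectTemplate() {
  # Take input from the "--install parameter"
  case "$1" in
  /usr|/usr/local|default|custom_*|RPM|DEB|TGZ|TXZ)
    case "$1" in
    default)
      PREFIX="/usr/local"
      ;;
    custom_*)
      # Strip only the leading tag: the directory name itself may contain
      # the text "custom_".
      PREFIX=`echo "${RKHINST_LAYOUT}" | sed 's|^custom_||'`
      case "${PREFIX}" in
      .)
        if [ "${RKHINST_ACTION}" = "install" ]; then
          echo "Standalone installation into ${PWD}/files"
        fi
        ;;
      .*|/.*|*//*)
        # Dot-relative paths, hidden top-level directories and doubled
        # slashes are rejected: the path is used verbatim below.
        echo "Invalid layout directory chosen: ${PREFIX}"
        exit 1
        ;;
      *)
        test "${PREFIX}" = "/" && PREFIX=""
        if [ "${RKHINST_ACTION}" = "install" ]; then
          # Match a whole PATH component, not a substring of one.
          case ":${PATH}:" in
          *":${PREFIX}/bin:"*)
            ;;
          *)
            echo ""
            echo "Note: Directory ${PREFIX}/bin is not in your PATH"
            echo ""
            ;;
          esac
        fi
        ;;
      esac
      ;;
    RPM)
      if [ -n "${RPM_BUILD_ROOT}" ]; then
        if [ "${RPM_BUILD_ROOT}" = "/" ]; then
          RPM_USING_ROOT=1
          PREFIX="/usr/local"
        else
          PREFIX="${RPM_BUILD_ROOT}/usr/local"
        fi
      else
        echo "RPM installation chosen but \$RPM_BUILD_ROOT variable not found. Exiting."
        exit 1
      fi
      ;;
    DEB)
      if [ -n "${DEB_BUILD_ROOT}" ]; then
        if [ "${DEB_BUILD_ROOT}" = "/" ]; then
          DEB_USING_ROOT=1
          PREFIX="/usr"
        else
          PREFIX="${DEB_BUILD_ROOT}/usr"
        fi
      else
        echo "DEB installation chosen but \$DEB_BUILD_ROOT variable not found. Exiting."
        exit 1
      fi
      ;;
    TGZ)
      if [ -n "${TGZ_BUILD_ROOT}" ]; then
        if [ "${TGZ_BUILD_ROOT}" = "/" ]; then
          TGZ_USING_ROOT=1
          PREFIX="/usr"
        else
          PREFIX="${TGZ_BUILD_ROOT}/usr"
        fi
      else
        echo "TGZ installation chosen but \$TGZ_BUILD_ROOT variable not found. Exiting."
        exit 1
      fi
      ;;
    TXZ)
      if [ -n "${TXZ_BUILD_ROOT}" ]; then
        if [ "${TXZ_BUILD_ROOT}" = "/" ]; then
          TXZ_USING_ROOT=1
          PREFIX="/usr"
        else
          PREFIX="${TXZ_BUILD_ROOT}/usr"
        fi
      else
        echo "TXZ installation chosen but \$TXZ_BUILD_ROOT variable not found. Exiting."
        exit 1
      fi
      ;;
    *)
      PREFIX="$1"
      ;;
    esac

    case "$1" in
    RPM|DEB|TGZ|TXZ)
      ;;
    *)
      if [ "${RKHINST_ACTION}" = "install" ]; then
        if [ -n "${PREFIX}" ] && [ ! -d "${PREFIX}" ]; then
          echo "Non-existent installation directory chosen: ${PREFIX}"
          echo "Perhaps run \"mkdir -p ${PREFIX}\" first?"
          exit 1
        fi
      fi
      ;;
    esac

    case "$1" in
    /usr/local|custom_*)
      SYSCONFIGDIR="${PREFIX}/etc"
      ;;
    RPM)
      if [ $RPM_USING_ROOT -eq 1 ]; then
        SYSCONFIGDIR="/etc"
      else
        SYSCONFIGDIR="${RPM_BUILD_ROOT}/etc"
      fi
      ;;
    DEB)
      if [ $DEB_USING_ROOT -eq 1 ]; then
        SYSCONFIGDIR="/etc"
      else
        SYSCONFIGDIR="${DEB_BUILD_ROOT}/etc"
      fi
      ;;
    TGZ)
      if [ $TGZ_USING_ROOT -eq 1 ]; then
        SYSCONFIGDIR="/etc"
      else
        SYSCONFIGDIR="${TGZ_BUILD_ROOT}/etc"
      fi
      ;;
    TXZ)
      if [ $TXZ_USING_ROOT -eq 1 ]; then
        SYSCONFIGDIR="/etc"
      else
        SYSCONFIGDIR="${TXZ_BUILD_ROOT}/etc"
      fi
      ;;
    *)
      SYSCONFIGDIR="/etc"
      ;;
    esac

    case "$1" in
    custom_*)
      LIBDIR=""
      # A custom layout rooted at "/" on Darwin uses /Library when present.
      if [ -z "${PREFIX}" ] && [ "${OPERATING_SYSTEM}" = "Darwin" ]; then
        test -d "/Library" && LIBDIR="/Library"
      fi
      test -z "${LIBDIR}" && setArchLibDir
      BINDIR="${PREFIX}/bin"
      VARDIR="${PREFIX}/var"
      if [ -z "${PREFIX}" ]; then
        if [ ! -d "/share" ] && [ -d "/usr/share" ]; then
          SHAREDIR="/usr/share"
        else
          SHAREDIR="/share"
        fi
      else
        SHAREDIR="${PREFIX}/share"
      fi
      ;;
    RPM)
      setArchLibDir
      BINDIR="${PREFIX}/bin"
      if [ $RPM_USING_ROOT -eq 1 ]; then
        VARDIR="/var"
      else
        VARDIR="${RPM_BUILD_ROOT}/var"
      fi
      SHAREDIR="${PREFIX}/share"
      ;;
    DEB)
      BINDIR="${PREFIX}/bin"
      LIBDIR="${PREFIX}/lib"
      if [ $DEB_USING_ROOT -eq 1 ]; then
        VARDIR="/var"
      else
        VARDIR="${DEB_BUILD_ROOT}/var"
      fi
      SHAREDIR="${PREFIX}/share"
      ;;
    TGZ)
      setArchLibDir
      BINDIR="${PREFIX}/bin"
      if [ $TGZ_USING_ROOT -eq 1 ]; then
        VARDIR="/var"
      else
        VARDIR="${TGZ_BUILD_ROOT}/var"
      fi
      SHAREDIR="${PREFIX}/share"
      ;;
    TXZ)
      setArchLibDir
      BINDIR="${PREFIX}/bin"
      if [ $TXZ_USING_ROOT -eq 1 ]; then
        VARDIR="/var"
      else
        VARDIR="${TXZ_BUILD_ROOT}/var"
      fi
      SHAREDIR="${PREFIX}/share"
      ;;
    *)
      # /usr, /usr/local and default: follow whatever the system already has.
      if [ -d "${PREFIX}/lib64" ]; then
        LIBDIR="${PREFIX}/lib64"
      else
        LIBDIR="${PREFIX}/lib"
      fi
      BINDIR="${PREFIX}/bin"
      VARDIR="/var"
      SHAREDIR="${PREFIX}/share"
      ;;
    esac
    ;;
  oldschool)
    # The rigid way, like RKH used to be set up.
    PREFIX="/usr/local"
    SYSCONFIGDIR="${PREFIX}/etc"
    LIBDIR="${PREFIX}/${APPNAME}/lib"
    VARDIR="${LIBDIR}"
    SHAREDIR="${LIBDIR}"
    RKHINST_DOC_DIR="${PREFIX}/${APPNAME}/lib/docs"
    BINDIR="${PREFIX}/bin"
    ;;
  *)
    # None chosen.
    echo "No template chosen. Exiting."
    exit 1
    ;;
  esac

  RKHINST_ETC_DIR="${SYSCONFIGDIR}"
  RKHINST_BIN_DIR="${BINDIR}"
  RKHINST_SCRIPT_DIR="${LIBDIR}/${APPNAME}/scripts"
  RKHINST_MAN_DIR="${SHAREDIR}/man/man8"

  if [ "${RKHINST_LAYOUT}" = "oldschool" ]; then
    RKHINST_DB_DIR="${VARDIR}/${APPNAME}/db"
    RKHINST_TMP_DIR="${VARDIR}/${APPNAME}/tmp"
    RKHINST_DOC_DIR="${SHAREDIR}/${APPNAME}/docs"
  elif [ "${RKHINST_LAYOUT}" = "DEB" ]; then
    RKHINST_DB_DIR="${VARDIR}/lib/${APPNAME}/db"
    RKHINST_TMP_DIR="${VARDIR}/lib/${APPNAME}/tmp"
    RKHINST_DOC_DIR="${SHAREDIR}/doc/${APPNAME}"
    RKHINST_SCRIPT_DIR="${SHAREDIR}/${APPNAME}/scripts"
  elif [ "${RKHINST_LAYOUT}" = "TXZ" ]; then
    RKHINST_DB_DIR="${VARDIR}/lib/${APPNAME}/db"
    RKHINST_TMP_DIR="${VARDIR}/lib/${APPNAME}/tmp"
    RKHINST_DOC_DIR="${PREFIX}/doc/${APPNAME}-${APPVERSION}"
    RKHINST_MAN_DIR="${PREFIX}/man/man8"
  else
    RKHINST_DB_DIR="${VARDIR}/lib/${APPNAME}/db"
    RKHINST_TMP_DIR="${VARDIR}/lib/${APPNAME}/tmp"
    RKHINST_DOC_DIR="${SHAREDIR}/doc/${APPNAME}-${APPVERSION}"
  fi

  RKHINST_LANG_DIR="${RKHINST_DB_DIR}/i18n"

  RKHINST_ETC_FILE="${APPNAME}.conf"
  RKHINST_BIN_FILES="${APPNAME}"
  RKHINST_SCRIPT_FILES="check_modules.pl filehashsha.pl stat.pl readlink.sh"
  RKHINST_DB_FILES="backdoorports.dat mirrors.dat programs_bad.dat suspscan.dat"
  if [ "${RKHINST_LAYOUT}" = "DEB" ]; then
    RKHINST_DOC_FILES="ACKNOWLEDGMENTS FAQ README"
  else
    RKHINST_DOC_FILES="ACKNOWLEDGMENTS CHANGELOG FAQ LICENSE README"
  fi
  RKHINST_MAN_FILES="${APPNAME}.8"
  return
}

# Additions we need to be aware / take care of:
#   any /contrib/ files which should include any RH*L/alike ones:
# Additions we need to be aware / take care of wrt RH*L/alike:
#   /etc/cron.daily/rkhunter (different versions of cronjob)
#   /etc/sysconfig/rkhunter (config for cronjob)
#   /etc/logrotate.d/rkhunter


#######################################
# Print where a layout would put each class of file (the --show action).
# Arguments: $1 - layout, as accepted by selectTemplate
# Globals:   reads the RKHINST_*_DIR variables set by selectTemplate,
#            PREFIX, OVERWRITE, STRIPROOT
#######################################
showTemplate() {
  # Take input from the "--install parameter"
  case "$1" in
  custom_.)
    # Dump *everything* in the current dir.
    echo "Standalone installation into ${PWD}/files"
    ;;
  *)
    NOTPRESENT=" (Directory will be created)"
    selectTemplate "$1"

    if [ -z "${PREFIX}" ]; then
      RKHTMPVAR="/"
    else
      RKHTMPVAR="${PREFIX}"
    fi
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR} (Directory does not exist)"
    echo "Install into: ${RKHTMPVAR}"

    RKHTMPVAR="${RKHINST_BIN_DIR}"
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    echo "Application: ${RKHTMPVAR}"

    # The overwrite note only applies when the directory already exists.
    RKHTMPVAR="${RKHINST_ETC_DIR}"
    if [ ! -d "${RKHTMPVAR}" ]; then
      RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    elif [ $OVERWRITE -eq 1 ]; then
      RKHTMPVAR="${RKHTMPVAR} (Configuration file will be overwritten)"
    fi
    echo "Configuration file: ${RKHTMPVAR}"

    RKHTMPVAR="${RKHINST_DOC_DIR}"
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    echo "Documents: ${RKHTMPVAR}"

    RKHTMPVAR="${RKHINST_MAN_DIR}"
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    echo "Man page: ${RKHTMPVAR}"

    RKHTMPVAR="${RKHINST_SCRIPT_DIR}"
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    echo "Scripts: ${RKHTMPVAR}"

    RKHTMPVAR="${RKHINST_DB_DIR}"
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    echo "Databases: ${RKHTMPVAR}"

    RKHTMPVAR="${RKHINST_TMP_DIR}"
    test ! -d "${RKHTMPVAR}" && RKHTMPVAR="${RKHTMPVAR}${NOTPRESENT}"
    echo "Temporary files: ${RKHTMPVAR}"

    if [ -n "${STRIPROOT}" ]; then
      echo ""
      echo "Got STRIPROOT=\"${STRIPROOT}\""
    fi
    ;;
  esac
  return
}


#######################################
# Replace ./files with a fresh checkout from the project CVS server.
# NOTE(review): the checkout is an anonymous pserver fetch with no integrity
# or authenticity check on what is received; it is only reachable when
# USE_CVS=1, which no option in this script sets.
# Globals:   RKHINST_LAYOUT, RKHINST_OWNER (read); ERRCODE (written)
# Returns:   0; exits 1 when cvs is missing or the checkout fails.
#######################################
useCVS() {
  # If the 'which' output contains a space, then it is probably an error.
  SEARCH=`which cvs 2>/dev/null | grep -v ' '`
  if [ -z "${SEARCH}" ]; then
    echo "Unable to find the 'cvs' command."
    exit 1
  fi

  cvs -z3 -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co rkhunter >/dev/null 2>&1
  ERRCODE=$?
  if [ $ERRCODE -ne 0 ]; then
    echo "Failed to get Rootkit Hunter from CVS: code $ERRCODE"
    exit 1
  fi

  echo "Succeeded in getting Rootkit Hunter source from CVS."
  if [ -d "./files" ]; then
    rm -rf "./files"
  fi
  mv -f rkhunter/files .
  if [ -d "./files/CVS" ]; then
    rm -rf "./files/CVS"
  fi
  case "${RKHINST_LAYOUT}" in
  RPM|DEB|TGZ|TXZ)
    ;;
  *)
    # -exec keeps names containing whitespace intact, unlike a for loop
    # over the output of find.
    find ./files -exec chown "${RKHINST_OWNER}" {} +
    ;;
  esac
  return
}


#######################################
# Standalone layout ("--layout custom ."): keep everything in ./files and
# point rkhunter.conf and the rkhunter script at that directory.
# Exits the installer (0 on success) instead of returning.
# Globals:   RKHINST_OWNER, RKHINST_MODE_EX, RKHINST_MODE_RW (read);
#            PREFIX (written)
#######################################
doStandaloneInstall() {
  chown -R "${RKHINST_OWNER}" ./files
  # Drop CVS metadata. -prune stops find descending into a directory that
  # the rm is about to delete.
  find ./files -type d -name CVS -prune -exec rm -rf {} +
  find ./files -type f \( -name Entries -o -name Repository -o -name Root \) -exec rm -f {} +
  # Scripts and the rkhunter program are executable, everything else is not.
  find ./files -type f \( -name '*.sh' -o -name '*.pl' -o -name rkhunter \) -exec chmod "${RKHINST_MODE_EX}" {} +
  find ./files -type f ! \( -name '*.sh' -o -name '*.pl' -o -name rkhunter \) -exec chmod "${RKHINST_MODE_RW}" {} +

  cd ./files || { echo "Unable to change to \"${PWD}/files\". Exiting."; exit 1; }
  PREFIX="${PWD}"
  echo "LOGFILE=${PREFIX}/rkhunter.log" >>rkhunter.conf
  echo "TMPDIR=$PREFIX" >>rkhunter.conf
  echo "DBDIR=$PREFIX" >>rkhunter.conf
  echo "SCRIPTDIR=$PREFIX" >>rkhunter.conf
  echo "INSTALLDIR=$PREFIX" >>rkhunter.conf
  echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter" >>rkhunter.conf
  echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter.conf" >>rkhunter.conf
  test -f "$PREFIX/rkhunter.conf.local" && echo "USER_FILEPROP_FILES_DIRS=$PREFIX/rkhunter.conf.local" >>rkhunter.conf
  # PREFIX is used verbatim in the sed replacement, so a directory whose
  # name contains '|', '&' or '\' is not supported here.
  sed -e "s|-f /etc/rkhunter.conf|-f $PREFIX/rkhunter.conf|g" \
      -e "s|CONFIGFILE=\"/etc|CONFIGFILE=\"$PREFIX|g" rkhunter >rkhunter.
  mv -f rkhunter. rkhunter
  chmod "${RKHINST_MODE_EX}" rkhunter
  echo "Installation complete"
  exit 0
}


#################################################################################
#
# Start installation
#
#################################################################################

#######################################
# Install (or update) according to the directories set by selectTemplate.
# Globals:   reads every RKHINST_* variable, PREFIX, LIBDIR, VARDIR,
#            OVERWRITE, STRIPROOT, USE_CVS and the *_BUILD_ROOT / *_USING_ROOT
#            flags; writes ERRCODE.
# Returns:   0; exits 1 on the first failed step.
#######################################
doInstall() {
  DOING_UPDT=0

  # Preflight checks
  echo "Checking system for:"
  if [ -f "./files/${APPNAME}" ]; then
    echo " ${INSTALLER_NAME} files: found"
    if [ $USE_CVS -eq 1 ]; then
      # You want it, and you got it!
      # The hottest source in the land...
      useCVS
    fi
    case "${RKHINST_LAYOUT}" in
    RPM|DEB|TGZ|TXZ)
      ;;
    *)
      find ./files -exec chown "${RKHINST_OWNER}" {} +
      ;;
    esac
  else
    echo "Checking system for: ${INSTALLER_NAME} files: FAILED"
    echo "Installation files not in \"${PWD}/files\". Exiting."
    exit 1
  fi

  # We only look for one download command.
  for RKHWEBCMD in wget links elinks lynx curl GET bget; do
    SEARCH=`which ${RKHWEBCMD} 2>/dev/null | grep -v ' '`
    if [ -n "${SEARCH}" ]; then
      echo " A web file download command: ${RKHWEBCMD} found"
      break
    fi
  done
  if [ -z "${SEARCH}" ]; then
    echo " A web file download command: None found"
    echo ""
    echo " Please install one of wget, links, elinks, lynx, curl, GET or"
    echo ' bget (from www.cpan.org/authors/id/E/EL/ELIJAH/bget)'
    echo ""
  fi

  # Perl will be found in rkhunter itself.

  # Directory lists are space-separated, as are the file lists below, so
  # pathnames containing whitespace are not supported by this installer.
  RKHINST_DIRS="$RKHINST_DOC_DIR $RKHINST_MAN_DIR $RKHINST_ETC_DIR $RKHINST_BIN_DIR"
  RKHINST_DIRS_EXCEP="$RKHINST_SCRIPT_DIR $RKHINST_DB_DIR $RKHINST_TMP_DIR $RKHINST_LANG_DIR"

  if [ -f "${RKHINST_ETC_DIR}/rkhunter.conf" ]; then
    echo "Starting update:"
    DOING_UPDT=1
  else
    echo "Starting installation:"
  fi

  case "${RKHINST_LAYOUT}" in
  RPM|DEB|TGZ|TXZ)
    ;;
  *)
    # Check PREFIX
    if [ -z "${PREFIX}" ]; then
      :
    elif [ -d "${PREFIX}" ]; then
      if [ -w "${PREFIX}" ]; then
        echo " Checking installation directory \"$PREFIX\": it exists and is writable."
        # That's enough for a standalone installation.
        if [ "${PREFIX}" = "." ]; then
          doStandaloneInstall
        fi
      else
        echo " Checking installation directory \"$PREFIX\": it exists, but it is not writable. Exiting."
        exit 1
      fi
    elif [ -e "${PREFIX}" ]; then
      echo " Checking installation directory \"$PREFIX\": it is not a directory. Exiting."
      exit 1
    else
      echo " Checking installation directory \"$PREFIX\": it does not exist. Exiting."
      exit 1
    fi
    ;;
  esac # end Check PREFIX

  echo " Checking installation directories:"
  if [ "${RKHINST_LAYOUT}" = "oldschool" ]; then
    RKHDIR_LIST="${RKHINST_DIRS}"
  else
    RKHDIR_LIST="${RKHINST_DIRS} ${LIBDIR} ${VARDIR}/lib"
  fi

  # Shared parent directories are created world-readable; rkhunter's own
  # directories are created under the tighter umask and chmod'd below.
  umask 022
  for DIR in ${RKHDIR_LIST}; do
    ensureDir "${DIR}"
  done
  umask 027

  for DIR in ${RKHINST_DIRS_EXCEP}; do
    ensureDir "${DIR}"
    case "${DIR}" in
    */${APPNAME}|*/${APPNAME}/*|*/${APPNAME}-${APPVERSION})
      chmod "${RKHINST_MODE_EX}" "${DIR}"
      ;;
    esac
  done

  #
  # Now do the actual installation.
  #

  # Helper scripts, database and man page
  for FILE in ${RKHINST_SCRIPT_FILES} ${RKHINST_DB_FILES} ${RKHINST_MAN_FILES}; do
    case "${FILE}" in
    *.pl|*.sh)
      installFile "${FILE}" "${RKHINST_SCRIPT_DIR}" "${RKHINST_MODE_EX}"
      ;;
    *.dat)
      # A mirrors file that defines local or remote mirrors was edited by
      # the administrator and must survive an update.
      if [ "${FILE}" = "mirrors.dat" ] && [ -f "${RKHINST_DB_DIR}/mirrors.dat" ]; then
        RKHTMPVAR=`grep -E '^(local|remote)=' "${RKHINST_DB_DIR}/mirrors.dat" 2>/dev/null`
        if [ -n "${RKHTMPVAR}" ]; then
          echo " Installing ${FILE}: Locally modified - not overwritten"
          continue
        fi
      fi
      installFile "${FILE}" "${RKHINST_DB_DIR}" "${RKHINST_MODE_RW}"
      ;;
    *.8)
      installFile "${FILE}" "${RKHINST_MAN_DIR}" "${RKHINST_MODE_RWR}"
      ;;
    esac
  done

  # Application documents
  for FILE in ${RKHINST_DOC_FILES}; do
    installFile "${FILE}" "${RKHINST_DOC_DIR}" "${RKHINST_MODE_RWR}"
  done

  # Language support files. The loop runs in a subshell, so the cp status
  # is handed back through the pipeline's exit status.
  find ./files/i18n -type f | while IFS= read -r FILE; do
    cp "${FILE}" "${RKHINST_LANG_DIR}" >/dev/null 2>&1 || exit $?
  done
  ERRCODE=$?
  if [ $ERRCODE -eq 0 ]; then
    echo " Installing language support files: OK"
  else
    echo " Installing language support files: FAILED: Code $ERRCODE"
    exit 1
  fi

  # Application
  for FILE in ${RKHINST_BIN_FILES}; do
    case "${RKHINST_LAYOUT}" in
    RPM|DEB|TGZ|TXZ)
      installFile "${FILE}" "${RKHINST_BIN_DIR}" "${RKHINST_MODE_EX}"
      ;;
    *)
      # Point the program at the installed configuration file. The directory
      # is used verbatim in the sed replacement, so an etc directory whose
      # name contains '|', '&' or '\' is not supported here.
      sed -e "s|-f /etc/rkhunter.conf|-f $RKHINST_ETC_DIR/rkhunter.conf|g" \
          -e "s|CONFIGFILE=\"/etc|CONFIGFILE=\"$RKHINST_ETC_DIR|g" \
          ./files/"${FILE}" >"${RKHINST_BIN_DIR}/${FILE}"
      ERRCODE=$?
      if [ $ERRCODE -eq 0 ]; then
        echo " Installing ${FILE}: OK"
        chmod "${RKHINST_MODE_EX}" "${RKHINST_BIN_DIR}/${FILE}"
      else
        echo " Installing ${FILE}: FAILED: Code $ERRCODE"
        exit 1
      fi
      ;;
    esac
  done

  # Configuration file
  for FILE in ${RKHINST_ETC_FILE}; do
    test $OVERWRITE -eq 1 && rm -f "${RKHINST_ETC_DIR}/${FILE}"
    if [ -f "${RKHINST_ETC_DIR}/${FILE}" ]; then
      # We need people to make local changes themselves, so
      # give opportunity and alert. Don't use Perl to get value.
      # $RANDOM is missing in plain Bourne shells: fall back to a
      # timestamp, then to the PID, to pick a fresh file name.
      if [ -n "$RANDOM" ]; then
        RANDVAL=$RANDOM
      else
        RANDVAL=`date +%Y%m%d%H%M%S 2>/dev/null`
        if [ -z "${RANDVAL}" ]; then
          RANDVAL=$$
        fi
      fi
      NEWFILE="${FILE}.${RANDVAL}"
      cp -f "./files/${FILE}" "${RKHINST_ETC_DIR}/${NEWFILE}" >/dev/null 2>&1
      ERRCODE=$?
      if [ $ERRCODE -eq 0 ]; then
        echo " Installing ${FILE} in no-clobber mode: OK"
        chmod "${RKHINST_MODE_RW}" "${RKHINST_ETC_DIR}/${NEWFILE}"
      else
        echo " Installing ${FILE} in no-clobber mode: FAILED: Code $ERRCODE"
        exit 1
      fi
      echo "" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
      emitInstallPaths "${FILE}" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
      test -f "${RKHINST_ETC_DIR}/${FILE}.local" && echo "USER_FILEPROP_FILES_DIRS=${RKHINST_ETC_DIR}/${FILE}.local" >>"${RKHINST_ETC_DIR}/${NEWFILE}"
      case "${RKHINST_LAYOUT}" in
      RPM|DEB|TGZ|TXZ)
        ;;
      *)
        echo " >>>"
        echo " >>> PLEASE NOTE: inspect for update changes in \"${RKHINST_ETC_DIR}/${NEWFILE}\","
        echo " >>> and apply to either \"${RKHINST_ETC_DIR}/${FILE}\" or your local configuration"
        echo " >>> file before running Rootkit Hunter."
        echo " >>>"
        ;;
      esac
    else
      installFile "${FILE}" "${RKHINST_ETC_DIR}" "${RKHINST_MODE_RW}"
      echo "" >>"${RKHINST_ETC_DIR}/${FILE}"

      # When building a package below a staging root, the staging root must
      # not leak into the packaged configuration file.
      RKHINST_STRIP=""
      if [ -n "${RPM_BUILD_ROOT}" ] && [ $RPM_USING_ROOT -eq 0 ]; then
        RKHINST_STRIP="${RPM_BUILD_ROOT}"
      elif [ -n "${TGZ_BUILD_ROOT}" ] && [ $TGZ_USING_ROOT -eq 0 ]; then
        RKHINST_STRIP="${TGZ_BUILD_ROOT}"
      elif [ -n "${TXZ_BUILD_ROOT}" ] && [ $TXZ_USING_ROOT -eq 0 ]; then
        RKHINST_STRIP="${TXZ_BUILD_ROOT}"
      fi

      if [ -n "${RKHINST_STRIP}" ]; then
        RKHINST_STRIP=`sedEscape "${RKHINST_STRIP}"`
        emitInstallPaths "${FILE}" | sed "s|${RKHINST_STRIP}||g" >>"${RKHINST_ETC_DIR}/${FILE}"
      elif [ -n "${DEB_BUILD_ROOT}" ]; then
        # Debian builds are handled with a patch during the build process.
        :
      else
        emitInstallPaths "${FILE}" >>"${RKHINST_ETC_DIR}/${FILE}"
      fi
    fi
  done

  # Strip root from fake root install.
  if [ -n "${STRIPROOT}" ]; then
    RKHINST_STRIP=`sedEscape "${STRIPROOT}"`
    # The loop runs in a subshell: the trailing '|| exit 1' turns its exit
    # into the installer's.
    find "${PREFIX}" -type f | while IFS= read -r FILE; do
      # Only files that mention the staging prefix need rewriting.
      if grep -q -F -- "${PREFIX}" "${FILE}" 2>/dev/null; then
        sed -i "s|${RKHINST_STRIP}||g" "${FILE}" >/dev/null 2>&1
        ERRCODE=$?
        if [ $ERRCODE -eq 0 ]; then
          echo " Striproot ${FILE}: OK"
        else
          echo " Striproot ${FILE}: FAILED: Code $ERRCODE"
          exit 1
        fi
      fi
    done || exit 1
  fi

  # Finally copy the passwd/group files to the TMP directory
  # to avoid warnings when rkhunter is first run.
  case "${RKHINST_LAYOUT}" in
  RPM|DEB|TGZ|TXZ)
    # This is done by a %post section in the spec file / postinst file.
    ;;
  *)
    cp -p /etc/passwd "${RKHINST_TMP_DIR}" >/dev/null 2>&1
    cp -p /etc/group "${RKHINST_TMP_DIR}" >/dev/null 2>&1
    ;;
  esac

  if [ $DOING_UPDT -eq 1 ]; then
    echo "Update complete"
  else
    echo "Installation complete"
  fi
  return
} # End doInstall


#######################################
# Remove an installation according to the directories set by selectTemplate.
# Individual removal failures are reported but do not stop the run.
# Globals:   reads the RKHINST_* variables, PREFIX, RKHINST_LAYOUT;
#            writes ERRCODE.
# Returns:   0; exits 1 when PREFIX is unusable.
#######################################
doRemove() {
  RKHINST_DIRS="$RKHINST_ETC_DIR $RKHINST_BIN_DIR $RKHINST_SCRIPT_DIR $RKHINST_DOC_DIR $RKHINST_DB_DIR $RKHINST_TMP_DIR $RKHINST_LANG_DIR"

  echo "Starting uninstallation"
  echo ""

  # Check the PREFIX
  if [ -z "${PREFIX}" ]; then
    :
  elif [ -d "${PREFIX}" ]; then
    if [ -w "${PREFIX}" ]; then
      echo "Checking installation directory \"$PREFIX\": it exists and is writable."
    else
      echo "Checking installation directory \"$PREFIX\": it exists, but it is not writable. Exiting."
      exit 1
    fi
  elif [ -e "${PREFIX}" ]; then
    echo "Checking installation directory \"$PREFIX\": it exists but it is not a directory. Exiting."
    exit 1
  else
    echo "Checking installation directory \"$PREFIX\": it does not exist. Exiting."
    exit 1
  fi

  # Standalone removal involves just deleting the 'files' subdirectory.
  if [ "$PREFIX" = "." ]; then
    rm -rf ./files >/dev/null 2>&1
    ERRCODE=$?
    if [ $ERRCODE -eq 0 ]; then
      echo "Uninstallation complete"
    else
      echo "Uninstallation FAILED: Code $ERRCODE"
    fi
    return
  fi

  echo "Removing installation files:"

  # Man page
  for FILE in ${RKHINST_MAN_FILES}; do
    if [ -f "${RKHINST_MAN_DIR}/${FILE}" ]; then
      removePath -f "${RKHINST_MAN_DIR}/${FILE}" "${FILE}"
    fi
  done

  # Application
  for FILE in ${RKHINST_BIN_FILES}; do
    if [ -f "${RKHINST_BIN_DIR}/${FILE}" ]; then
      removePath -f "${RKHINST_BIN_DIR}/${FILE}" "${RKHINST_BIN_DIR}/${FILE}"
    fi
  done

  # Configuration file
  for FILE in ${RKHINST_ETC_FILE}; do
    if [ -f "${RKHINST_ETC_DIR}/${FILE}" ]; then
      removePath -f "${RKHINST_ETC_DIR}/${FILE}" "${RKHINST_ETC_DIR}/${FILE}"
    fi
    echo ""
    echo "Please remove any ${RKHINST_ETC_DIR}/${FILE}.* files manually."
    echo ""
  done

  # Helper scripts, application documents, databases and language
  # support are all removed with their directory.
  echo "Removing installation directories:"
  for DIR in ${RKHINST_DIRS}; do
    case "${DIR}" in
    */${APPNAME})
      test -d "${DIR}" && removePath -rf "${DIR}" "${DIR}"
      ;;
    */${APPNAME}-${APPVERSION})
      # Anything involving a specific version number
      # needs to remove all old versions as well.
      DIR=`dirname "${DIR}"`
      for RKHAPPDIR in "${DIR}"/${APPNAME}-*; do
        test -d "${RKHAPPDIR}" && removePath -rf "${RKHAPPDIR}" "${RKHAPPDIR}"
      done
      ;;
    */${APPNAME}/*)
      # Remove the application directory the entry lives in, e.g. the
      # parent of ".../rkhunter/db".
      DIR=`dirname "${DIR}"`
      test -d "${DIR}" && removePath -rf "${DIR}" "${DIR}"
      ;;
    esac
  done

  # Could use patch for removing custom $VARDIR $SHAREDIR $PREFIX here.
  if [ "${RKHINST_LAYOUT}" = "oldschool" ]; then
    if [ -d "/usr/local/rkhunter" ]; then
      echo ""
      echo "Note: The directory '/usr/local/rkhunter' still exists."
    fi
  fi

  # Remove any old log files.
  rm -f /var/log/rkhunter.log /var/log/rkhunter.log.old >/dev/null 2>&1

  echo ""
  echo "Finished removing files. Please double-check."
  return
} # end doRemove


#
# Start of the installer
#

if [ $# -eq 0 ]; then
  showHelp
  exit 1
fi

while [ $# -ge 1 ]; do
  case "$1" in
  h | -h | --help | --usage)
    showHelp
    exit 1
    ;;
  -e | --examples)
    showExamples
    exit 1
    ;;
  -v | --version)
    showVersion
    exit 1
    ;;
  -l | --layout)
    shift 1
    case "$1" in
    custom)
      shift 1
      if [ -n "$1" ]; then
        RKHINST_LAYOUT="custom_$1"
      else
        echo "No custom layout given. Exiting."
        exit 1
      fi
      ;;
    default|oldschool|/usr|/usr/local|RPM|DEB|TGZ|TXZ)
      RKHINST_LAYOUT="$1"
      ;;
    *)
      echo "Unknown layout given: $1"
      exit 1
      ;;
    esac
    ;;
  -s | --striproot)
    shift 1
    if [ -n "$1" ]; then
      STRIPROOT="$1"
    else
      echo "Striproot requested but no directory name given. Exiting."
      exit 1
    fi
    ;;
  --show | --remove | --install)
    RKHINST_ACTION_SEEN=1
    RKHINST_ACTION=`echo "$1" | sed 's/-//g'`
    ;;
  -o | --overwrite)
    OVERWRITE=1
    ;;
  *)
    echo "Unknown option given: $1"
    echo ""
    showHelp
    exit 1
    ;;
  esac
  shift
done

# We only get here when some installation action was to be taken.
if [ $RKHINST_ACTION_SEEN -eq 0 ]; then
  # Nothing was done: report it as a failure so callers do not mistake
  # a missing action for a completed one.
  echo "No action given. Exiting."
  exit 1
fi

case "${RKHINST_ACTION}" in
show)
  showTemplate "${RKHINST_LAYOUT}"
  ;;
remove)
  # Clean active window
  selectTemplate "${RKHINST_LAYOUT}"
  clear
  doRemove
  ;;
install)
  # Clean active window
  selectTemplate "${RKHINST_LAYOUT}"
  clear
  doInstall
  ;;
esac

exit 0
rkhunter-1.4.0/files/0000750000123200012320000000000011750002114014400 5ustar unspawnunspawnrkhunter-1.4.0/files/rkhunter.conf0000640000123200012320000011051011673205502017122 0ustar unspawnunspawn
#
# This is the main configuration file for Rootkit Hunter.
#
# You can either modify this file directly, or you can create a local
# configuration file. The local file must be named 'rkhunter.conf.local',
# and must reside in the same directory as this file. Please modify one
# or both files to your own requirements. It is suggested that the
# command 'rkhunter -C' is run after any changes have been made.
#
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, are ignored.
# End-of-line comments are not supported.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#
# Some of the options are space-separated lists of pathnames. If
# wildcard characters (globbing) are allowed in the list, then the
# text describing the option will say so.
#
# Space-separated lists may be enclosed by quotes, but these must only
# appear at the start and end of the list, not in the middle.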
#
#              For example: XXX="abc def gh" (correct)
#                           XXX="abc" "def" "gh" (incorrect)
#
#
# If this option is set to 1, it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
# options are used, is to be rotated. Rotating the entries in the file
# allows a basic form of load-balancing between the mirror sites whenever
# the above options are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror listed will always be used
# first. The second mirror will only be used if the first mirror fails,
# the third mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to 0.
#
ROTATE_MIRRORS=1
#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1
#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
#     0 - use any mirror (the default)
#     1 - only use local mirrors
#     2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0
#
# Email a message to this address if a warning is found when the
# system is being checked. Multiple addresses may be specified
# simply by separating them with a space. Setting this option to
# null disables the option.
#
# NOTE: This option should be present in the configuration file.
# #MAIL-ON-WARNING=me@mydomain root@mydomain MAIL-ON-WARNING="" # # Specify the mail command to use if MAIL-ON-WARNING is set. # # NOTE: Double quotes are not required around the command, but # are required around the subject line if it contains spaces. # MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" # # Specify the temporary directory to use. # # NOTE: Do not use /tmp as your temporary directory. Some # important files will be written to this directory, so be # sure that the directory permissions are tight. # #TMPDIR=/var/lib/rkhunter/tmp # # Specify the database directory to use. # #DBDIR=/var/lib/rkhunter/db # # Specify the script directory to use. # #SCRIPTDIR=/usr/local/lib/rkhunter/scripts # # This option can be used to modify the command directory list used # by rkhunter to locate commands (that is, its PATH). By default # this will be the root PATH, and an internal list of some common # command directories. # # Any directories specified here will, by default, be appended to the # default list. However, if a directory name begins with the '+' # character, then that directory will be prepended to the list (that # is, it will be put at the start of the list). # # This is a space-separated list of directory names. The option may # be specified more than once. # #BINDIR="/bin /usr/bin /sbin /usr/sbin" #BINDIR="+/usr/local/bin +/usr/local/sbin" # # Specify the default language to use. This should be similar # to the ISO 639 language code. # # NOTE: Please ensure that the language you specify is supported. # For a list of supported languages use the following command: # # rkhunter --lang en --list languages # #LANGUAGE=en # # This option is a space-separated list of the languages that are to # be updated when the '--update' option is used. If unset, then all # the languages will be updated. If none of the languages are to be # updated, then set this option to just 'en'. # # The default is for all the languages to be updated. 
The default # language, specified above, and the English (en) language file will # always be updated regardless of this option. # UPDATE_LANG="" # # Specify the log file pathname. # # NOTE: This option should be present in the configuration file. # LOGFILE=/var/log/rkhunter.log # # Set the following option to 1 if the log file is to be appended to # whenever rkhunter is run. # APPEND_LOG=0 # # Set the following option to 1 if the log file is to be copied when # rkhunter finishes and an error or warning has occurred. The copied # log file name will be appended with the current date and time # (in YYYY-MM-DD_HH:MM:SS format). # For example: rkhunter.log.2009-04-21_00:57:51 # COPY_LOG_ON_ERROR=0 # # Set the following option to enable the rkhunter check start and finish # times to be logged by syslog. Warning messages will also be logged. # The value of the option must be a standard syslog facility and # priority, separated by a dot. For example: # # USE_SYSLOG=authpriv.warning # # Setting the value to 'none', or just leaving the option commented out, # disables the use of syslog. # #USE_SYSLOG=authpriv.notice # # Set the following option to 1 if the second colour set is to be used. # This can be useful if your screen uses black characters on a white # background (for example, a PC instead of a server). # COLOR_SET2=0 # # Set the following option to 0 if rkhunter should not detect if X is # being used. If X is detected as being used, then the second colour # set will automatically be used. # AUTO_X_DETECT=1 # # Set the following option to 1 if it is wanted that any 'Whitelisted' # results are shown in white rather than green. For colour set 2 users, # setting this option will cause the result to be shown in black. # WHITELISTED_IS_WHITE=0 # # The following option is checked against the SSH configuration file # 'PermitRootLogin' option. A warning will be displayed if they do not # match. 
However, if a value has not been set in the SSH configuration # file, then a value here of 'unset' can be used to avoid warning messages. # This option has a default value of 'no'. # ALLOW_SSH_ROOT_USER=no # # Set this option to '1' to allow the use of the SSH-1 protocol, but note # that theoretically it is weaker, and therefore less secure, than the # SSH-2 protocol. Do not modify this option unless you have good reasons # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 # authentication). If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to # suppress a warning message. This option has a default value of '0'. # ALLOW_SSH_PROT_V1=0 # # This setting tells rkhunter the directory containing the SSH configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. # #SSH_CONFIG_DIR=/etc/ssh # # These two options determine which tests are to be performed. # The ENABLE_TESTS option can use the word 'all' to refer to all the # available tests. The DISABLE_TESTS option can use the word 'none' to # mean that no tests are disabled. The list of disabled tests is applied to # the list of enabled tests. Both options are space-separated lists of test # names. The currently available test names can be seen by using the command # 'rkhunter --list tests'. # # The program defaults are to enable all tests and disable none. However, if # either of the options below are specified, then they will override the # program defaults. # # The supplied configuration file has some tests already disabled, and these # are tests that will be used only occasionally, can be considered # "advanced" or that are prone to produce more than the average number of # false-positives. # # Please read the README file for more details about enabling and disabling # tests, the test names, and how rkhunter behaves when these options are used. 
# ENABLE_TESTS="all" DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps" # # The HASH_FUNC option can be used to specify the command to use # for the file hash value check. It can be specified as just the # command name or the full pathname. If just the command name is # given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or # SHA512, then rkhunter will first look for the relevant command, # such as 'sha256sum', and then for 'sha256'. If neither of these # are found, it will then look to see if a perl module has been # installed which will support the relevant hash function. To see # which perl modules have been installed use the command # 'rkhunter --list perl'. # # The default is SHA1, or MD5 if SHA1 cannot be found. # # Systems using prelinking are restricted to using either the # SHA1 or MD5 function. # # A value of 'NONE' (in uppercase) can be specified to indicate that # no hash function should be used. Rootkit Hunter will detect this and # automatically disable the file hash checks. # # Examples: # For Solaris 9 : HASH_FUNC=gmd5sum # For Solaris 10: HASH_FUNC=sha1sum # For AIX (>5.2): HASH_FUNC="csum -hMD5" # For NetBSD : HASH_FUNC="cksum -a sha512" # # NOTE: If the hash function is changed then you MUST run rkhunter with # the '--propupd' option to rebuild the file properties database. # #HASH_FUNC=sha1sum # # The HASH_FLD_IDX option specifies which field from the HASH_FUNC # command output contains the hash value. The fields are assumed to # be space-separated. The default value is 1, but for *BSD users # rkhunter will, by default, use a value of 4 if the HASH_FUNC option # has not been set. The option value must be an integer greater # than zero. # #HASH_FLD_IDX=4 # # The PKGMGR option tells rkhunter to use the specified package manager # to obtain the file property information. This is used when updating # the file properties file ('rkhunter.dat'), and when running the file # properties check. 
For RedHat/RPM-based systems, 'RPM' can be used to # get information from the RPM database. For Debian-based systems 'DPKG' # can be used, for *BSD systems 'BSD' can be used, and for Solaris # systems 'SOLARIS' can be used. No value, or a value of 'NONE', # indicates that no package manager is to be used. The default is 'NONE'. # # The current package managers, except 'SOLARIS', store the file hash # values using an MD5 hash function. The Solaris package manager includes # a checksum value, but this is not used by default (see USE_SUNSUM below). # # The 'DPKG' and 'BSD' package managers only provide MD5 hash values. # The 'RPM' package manager additionally provides values for the inode, # file permissions, uid, gid and other values. The 'SOLARIS' also provides # most of the values, similar to 'RPM', but not the inode number. # # For any file not part of a package, rkhunter will revert to using the # HASH_FUNC hash function instead. # # Whenever this option is changed 'rkhunter --propupd' must be run. # #PKGMGR=NONE # # It is possible that a file which is part of a package may be modified # by the administrator. Typically this occurs for configuration files. # However, the package manager may list the file as being modified. For # the RPM package manager this may well depend on how the package was # built. This option specifies those pathnames which are to be exempt # from the package manager verification process, and which will be treated # as non-packaged files. As such, the file properties are still checked. # # This option only takes effect if the PKGMGR option has been set, and # is not 'NONE'. # # This is a space-separated list of pathnames. The option may # be specified more than once. # # Whenever this option is changed 'rkhunter --propupd' must be run. # #PKGMGR_NO_VRFY="" # # This option can be used to tell rkhunter to ignore any prelink # dependency errors for the given commands. 
However, a warning will also # be issued if the error does not occur for a given command. As such # this option must only be used on commands which experience a persistent # problem. # # Short-term prelink dependency errors can usually be resolved simply by # running the 'prelink' command on the given pathname. # # NOTE: The command 'rkhunter --propupd' must be run whenever this option # is changed. # # This is a space-separated list of command pathnames. The option can be # specified more than once. # #IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" # # If the 'SOLARIS' package manager is used, then it is possible to use # the checksum (hash) value stored for a file. However, this is only a # 16-bit checksum, and as such is not nearly as secure as, for example, # a SHA-2 value. For that reason, the checksum is not used by default, # and the hash function given by HASH_FUNC is used instead. To enable # this option, set its value to 1. The Solaris 'sum' command must be # present on the system if this option is used. # #USE_SUNSUM=0 # # This option is a space-separated list of commands, directories and file # pathnames which will be included in the file properties checks. # This option can be specified more than once. # # Whenever this option is changed, 'rkhunter --propupd' must be run. # # Simple command names - for example, 'top' - and directory names are # added to the internal list of directories to be searched for each of # the command names in the command list. Additionally, full pathnames # to files, which need not be commands, may be given. Any files or # directories which are already part of the internal lists will be # silently ignored from the configuration. # # Normal globbing wildcards are allowed, except for simple command names. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. # # Specific files may be excluded by preceding their name with an # exclamation mark (!). For example, '!/opt/top'. 
By combining this # with wildcarding, whole directories can be excluded. For example, # '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first # two directory levels of '/etc'. However, anything in '/etc/rc0.d', # '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. # # NOTE: Only files and directories which have been added by the user, # and are not part of the internal lists, can be excluded. So, for # example, it is not possible to exclude the 'ps' command by using # '!/bin/ps'. These will be silently ignored from the configuration. # #USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" # # This option whitelists files and directories from existing, # or not existing, on the system at the time of testing. This # option is used when the configuration file options themselves # are checked, and during the file properties check, the hidden # files and directories checks, and the filesystem check of the # '/dev' directory. # # This is a space-separated list of pathnames. The option may be # specified more than once. The option may use wildcard characters, # but be aware that this is probably not what you want to do as the # wildcarding will be expanded after files have been deleted. As # such deleted files won't be whitelisted if wildcarded. # # NOTE: The user must take into consideration how often the file will # appear and disappear from the system in relation to how often # rkhunter is run. If the file appears, and disappears, too often # then rkhunter may not notice this. All it will see is that the file # has changed. 
The inode-number and DTM will certainly be different # for each new file, and rkhunter will report this. # #EXISTWHITELIST="" # # Whitelist various attributes of the specified files. # The attributes are those of the 'attributes' test. # Specifying a file name here does not include it being # whitelisted for the write permission test (see below). # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #ATTRWHITELIST="/bin/ps /usr/bin/date" # # Allow the specified commands to have the 'others' # (world) permission have the write-bit set. # # For example, files with permissions r-xr-xrwx # or rwxrwxrwx. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #WRITEWHITELIST="/bin/ps /usr/bin/date" # # Allow the specified commands to be scripts. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown" #SCRIPTWHITELIST="/usr/bin/groups" # # Allow the specified commands to have the immutable attribute set. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" # # If this option is set to 1, then the immutable-bit test is # reversed. That is, the files are expected to have the bit set. # IMMUTABLE_SET=0 # # Allow the specified hidden directories to be whitelisted. # # This is a space-separated list of directory pathnames. # The option may be specified more than once. The option # may use wildcard characters. 
# #ALLOWHIDDENDIR="/etc/.java" #ALLOWHIDDENDIR="/dev/.udev /dev/.udevdb /dev/.udev.tdb" #ALLOWHIDDENDIR="/dev/.static" #ALLOWHIDDENDIR="/dev/.initramfs" #ALLOWHIDDENDIR="/dev/.SRC-unix" #ALLOWHIDDENDIR="/dev/.mdadm" # # Allow the specified hidden files to be whitelisted. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #ALLOWHIDDENFILE="/etc/.java" #ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" #ALLOWHIDDENFILE="/etc/.pwd.lock" #ALLOWHIDDENFILE="/etc/.init.state" #ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" #ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" #ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" #ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" #ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" # # Allow the specified processes to use deleted files. The # process name may be followed by a colon-separated list of # full pathnames. The process will then only be whitelisted # if it is using one of the given files. For example: # # ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" # # This is a space-separated list of process names. The option # may be specified more than once. The option may use wildcard # characters, but only in the file names. # #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" #ALLOWPROCDELFILE="/usr/libexec/gconfd-2" #ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" # # Allow the specified processes to listen on any network interface. # # This is a space-separated list of process names. The option # may be specified more than once. 
# #ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" #ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" #ALLOWPROCLISTEN="/usr/sbin/snort-plain" #ALLOWPROCLISTEN="/usr/local/bin/wpa_supplicant" # # Allow the specified network interfaces to be in promiscuous mode. # # This is a space-separated list of interface names. The option may # be specified more than once. # #ALLOWPROMISCIF="eth0" # # SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. # The two allowed options are: THOROUGH or LAZY. # If commented out we do a THOROUGH scan which will increase the runtime. # Even though this adds to the running time it is highly recommended to # leave it like this. # #SCAN_MODE_DEV=THOROUGH # # The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to # perform a basic check, or a more thorough check. If the option is set to 0, # then a basic check is performed. If it is set to 1, then all the directories # in the /etc and /usr directories are scanned. The default value is 0. Users # should note that setting this option to 1 will cause the test to take longer # to complete. # PHALANX2_DIRTEST=0 # # Allow the specified files to be present in the /dev directory, # and not regarded as suspicious. # # This is a space-separated list of pathnames. The option may # be specified more than once. The option may use wildcard # characters. # #ALLOWDEVFILE="/dev/shm/pulse-shm-*" #ALLOWDEVFILE="/dev/shm/sem.ADBE_*" # # This setting tells rkhunter where the inetd configuration # file is located. # #INETD_CONF_PATH=/etc/inetd.conf # # Allow the following enabled inetd services. # # This is a space-separated list of service names. The option may # be specified more than once. # # For non-Solaris users the simple service name should be used. # For example: # # INETD_ALLOWED_SVC=echo # # For Solaris 9 users the simple service name should also be used, but # if it is an RPC service, then the executable pathname should be used. 
# For example: # # INETD_ALLOWED_SVC=imaps # INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" # # For Solaris 10 users the service/FMRI name should be used. For example: # # INETD_ALLOWED_SVC=/network/rpc/meta # INETD_ALLOWED_SVC=/network/rpc/metamed # INETD_ALLOWED_SVC=/application/font/stfsloader # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord # #INETD_ALLOWED_SVC=echo # # This setting tells rkhunter where the xinetd configuration # file is located. # #XINETD_CONF_PATH=/etc/xinetd.conf # # Allow the following enabled xinetd services. Whilst it would be # nice to use the service names themselves, at the time of testing # we only have the pathname available. As such, these entries are # the xinetd file pathnames. # # This is a space-separated list of service names. The option may # be specified more than once. # #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo # # This option tells rkhunter the local system startup file pathnames. # The directories will be searched for files. By default rkhunter # will use certain filenames and directories. If the option is set # to 'none', then certain tests will be skipped. # # This is a space-separated list of file and directory pathnames. # The option may be specified more than once. The option may use # wildcard characters. # #STARTUP_PATHS="/etc/rc.d /etc/rc.local" # # This setting tells rkhunter the pathname to the file containing the # user account passwords. This setting will be worked out by rkhunter, # and so should not usually need to be set. Users of TCB shadow files # should not set this option. # #PASSWORD_FILE=/etc/shadow # # Allow the following accounts to be root equivalent. These accounts # will have a UID value of zero. The 'root' account does not need to # be listed as it is automatically whitelisted. # # This is a space-separated list of account names. The option may # be specified more than once. # # NOTE: For *BSD systems you will probably need to use this option # for the 'toor' account. 
# #UID0_ACCOUNTS="toor rooty" # # Allow the following accounts to have no password. NIS/YP entries do # not need to be listed as they are automatically whitelisted. # # This is a space-separated list of account names. The option may # be specified more than once. # #PWDLESS_ACCOUNTS="abc" # # This setting tells rkhunter the pathname to the syslog configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. A value of 'NONE' can be used to indicate # that there is no configuration file, but that the syslog daemon process # may be running. # # This is a space-separated list of pathnames. The option may # be specified more than once. # #SYSLOG_CONFIG_FILE=/etc/syslog.conf # # This option permits the use of syslog remote logging. # ALLOW_SYSLOG_REMOTE_LOGGING=0 # # Allow the following applications, or a specific version of an application, # to be whitelisted. This option may be specified more than once, and is a # space-separated list consisting of the application names. If a specific # version is to be whitelisted, then the name must be followed by a colon # and then the version number. For example: # # APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" # # Note above that for the Apache web server, the name 'httpd' is used. # #APP_WHITELIST="" # # Scan for suspicious files in directories containing temporary files and # directories posing a relatively higher risk due to user write access. # Please do not enable by default as suspscan is CPU and I/O intensive and prone to # producing false positives. Do review all settings before usage. # Also be aware that running suspscan in combination with verbose logging on, # RKH's default, will show all ignored files. # Please consider adding all directories to which the user that the (web)server # runs as has write access, including the document root (example: "/var/www") # and log directories (example: "/var/log/httpd"). # # This is a space-separated list of directory pathnames. 
# The option may be specified more than once. # #SUSPSCAN_DIRS="/tmp /var/tmp" # # Directory for temporary files. A memory-based one is better (faster). # Do not use a directory name that is listed in SUSPSCAN_DIRS. # Please make sure you have a tempfs mounted and the directory exists. # SUSPSCAN_TEMP=/dev/shm # # Maximum filesize in bytes. Files larger than this will not be inspected. # Do make sure you have enough space left in your temporary files directory. # SUSPSCAN_MAXSIZE=10240000 # # Score threshold. Below this value no hits will be reported. # A value of "200" seems "good" after testing on malware. Please adjust # locally if necessary. # SUSPSCAN_THRESH=200 # # The following option can be used to whitelist network ports which # are known to have been used by malware. This option may be specified # more than once. The option is a space-separated list of one or more # of four types of whitelisting. These are: # # 1) a 'protocol:port' pair (e.g. TCP:25) # 2) a pathname to an executable (e.g. /usr/sbin/squid) # 3) a combined pathname, protocol and port # (e.g. /usr/sbin/squid:TCP:3801) # 4) an asterisk ('*') # # Only the UDP or TCP protocol may be specified, and the port number # must be between 1 and 65535 inclusive. # # The asterisk can be used to indicate that any executable which rkhunter # can locate as a command, is whitelisted. (See BINDIR in this file.) # # For example: # # PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" # # NOTE: In order to whitelist a pathname, or use the asterisk option, # the 'lsof' command must be present. # #PORT_WHITELIST="" # # The following option can be used to tell rkhunter where the operating # system 'release' file is located. This file contains information # specifying the current O/S version. RKH will store this information # itself, and check to see if it has changed between each run. 
If it has # changed, then the user is warned that RKH may issue warning messages # until RKH has been run with the '--propupd' option. # # Since the contents of the file vary according to the O/S distribution, # RKH will perform different actions when it detects the file itself. As # such, this option should not be set unless necessary. If this option is # specified, then RKH will assume the O/S release information is on the # first non-blank line of the file. # #OS_VERSION_FILE="/etc/release" # # The following two options can be used to whitelist files and directories # that would normally be flagged with a warning during the various rootkit # and malware checks. If the file or directory name contains a space, then # the percent character ('%') must be used instead. Only existing files and # directories can be specified, and these must be full pathnames not links. # # Additionally, the RTKT_FILE_WHITELIST option may include a string after the # file name (separated by a colon). This will then only whitelist that string # in that file (as part of the malware checks). For example: # # RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" # # If the option list includes the filename on its own as well, then the file # will be whitelisted from rootkit checks of the file's existence, but still # only the specific string within the file will be whitelisted. For example: # # RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" # # To whitelist a file from the existence checks, but not from the strings # checks, include the filename twice: once on its own, and once with # just a colon appended. For example: # # RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # # These are space-separated lists of file and directory pathnames. # The options may be specified more than once. 
# #RTKT_DIR_WHITELIST="" #RTKT_FILE_WHITELIST="" # # The following option can be used to whitelist shared library files that would # normally be flagged with a warning during the preloaded shared library check. # These library pathnames usually exist in the '/etc/ld.so.preload' file or in # the LD_PRELOAD environment variable. # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # # This is a space-separated list of library pathnames. # The option may be specified more than once. # #SHARED_LIB_WHITELIST="/lib/snoopy.so" # # To force rkhunter to use the supplied script for the 'stat' or 'readlink' # command, then the following two options can be used. The value must be # set to 'BUILTIN'. # # NOTE: IRIX users will probably need to enable STAT_CMD. # #STAT_CMD=BUILTIN #READLINK_CMD=BUILTIN # # In the file properties test any modification date/time is displayed as the # number of epoch seconds. Rkhunter will try and use the 'date' command, or # failing that the 'perl' command, to display the date and time in a # human-readable format as well. This option may be used if some other command # should be used instead. The given command must understand the '%s' and # 'seconds ago' options found in the GNU date command. # # A value of 'NONE' may be used to request that only the epoch seconds be shown. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if # it is present. # #EPOCH_DATE_CMD="" # # This setting tells rkhunter the directory containing the available # Linux kernel modules. This setting will be worked out by rkhunter, # and so should not usually need to be set. # #MODULES_DIR="" # # The following option can be set to a command which rkhunter will use when # downloading files from the Internet - that is, when the '--update' or # '--versioncheck' option is used. The command can take options. 
# # This allows the user to use a command other than the one automatically # selected by rkhunter, but still one which it already knows about. # For example: # # WEB_CMD=curl # # Alternatively, the user may specify a completely new command. However, note # that rkhunter expects the downloaded file to be written to stdout, and that # everything written to stderr is ignored. For example: # # WEB_CMD="/opt/bin/dlfile --timeout 5m -q" # # *BSD users may want to use the 'ftp' command, provided that it supports # the HTTP protocol: # # WEB_CMD="ftp -o -" # #WEB_CMD="" # # Set the following option to 0 if you do not want to receive a warning if # any O/S information has changed since the last run of 'rkhunter --propupd'. # The warnings occur during the file properties check. The default is to # issue a warning if something has changed. # #WARN_ON_OS_CHANGE=1 # # Set the following option to 1 if you want rkhunter to automatically run # a file properties update ('--propupd') if the O/S has changed. Detection # of an O/S change occurs during the file properties check. The default is # not to do an automatic update. # # WARNING: Only set this option if you are sure that the update will work # correctly. That is, that the database directory is writeable, that a valid # hash function is available, and so on. This can usually be checked simply # by running 'rkhunter --propupd' at least once. # #UPDT_ON_OS_CHANGE=0 # # Set the following option to 1 if locking is to be used when rkhunter runs. # The lock is set just before logging starts, and is removed when the program # ends. It is used to prevent items such as the log file, and the file # properties file, from becoming corrupted if rkhunter is running more than # once. The mechanism used is to simply create a lock file in the TMPDIR # directory. If the lock file already exists, because rkhunter is already # running, then the current process simply loops around sleeping for 10 seconds # and then retrying the lock. 
# # The default is not to use locking. # USE_LOCKING=0 # # If locking is used, then rkhunter may have to wait to get the lock file. # This option sets the total amount of time, in seconds, that rkhunter should # wait. It will retry the lock every 10 seconds, until either it obtains the # lock or the timeout value has been reached. If no value is set, then a # default of 300 seconds (5 minutes) is used. # LOCK_TIMEOUT=300 # # If locking is used, then rkhunter may be doing nothing for some time if it # has to wait for the lock. Some simple messages are echoed to the user's screen # to let them know that rkhunter is waiting for the lock. Set this option to 0 # if the messages are not to be displayed. The default is to show them. # SHOW_LOCK_MSGS=1 # # If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function # will search (on a per rootkit basis) for filenames in all of the directories (as defined # by the result of running 'find / -xdev'). While still not optimal, as it # still searches for only file names as opposed to file contents, this is one step away # from the rigidity of searching in known (evidence) or default (installation) locations. # # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. # # You should only activate this feature as part of a more thorough investigation which # should be based on relevant best practices and procedures. # # Enabling this feature implies you have the knowledge to interpret the results properly. # #SCANROOTKITMODE=THOROUGH # # The following option can be set to the name(s) of the tests the 'unhide' command is # to use. In order to maintain compatibility with older versions of 'unhide', this # option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but # will only take effect when they are seen. The test names are a space-separated list, # and will be executed in the order given. 
# #UNHIDE_TESTS="sys" # # If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it # is possible to disable the execution of one of the programs if desired. By default # rkhunter will look for both programs, and execute each of them as they are found. # If the value of this option is 0, then both programs will be executed if they are # present. A value of 1 will disable execution of the C 'unhide' program, and a value # of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable # both programs, disable the 'hidden_procs' test instead. # #DISABLE_UNHIDE=0 rkhunter-1.4.0/files/LICENSE0000640000123200012320000004313210507005460015417 0ustar unspawnunspawn GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. 
The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. rkhunter-1.4.0/files/i18n/0000750000123200012320000000000011750002114015157 5ustar unspawnunspawnrkhunter-1.4.0/files/i18n/zh.utf80000640000123200012320000006770311254021420016426 0ustar unspawnunspawnVersion:2009091601 # # We start with the definitions of the message types and results. There # are very few of these, so including these and all the parts of each # message in one file makes sense and for easier translation. # # The message type MSG_TYPE_PLAIN is used for ordinary messages. It has # no specific value, and is intercepted in the display function. It is # included here for completeness. 
The index names of MSG_TYPE_ and # MSG_RESULT_ are reserved - no messages can use this as part of its index. # MSG_TYPE_PLAIN: MSG_TYPE_INFO:è¨Šæ¯ MSG_TYPE_WARNING:警告 # # This is the list of message results. # MSG_RESULT_OK:正常 MSG_RESULT_BAD:æå£ž MSG_RESULT_SKIPPED:è·³éŽ MSG_RESULT_WARNING:!注æ„! MSG_RESULT_FOUND:ç™¼ç¾ MSG_RESULT_NOT_FOUND:æ²’ç™¼ç¾ MSG_RESULT_NONE_FOUND:æ²’ç™¼ç¾ MSG_RESULT_ALLOWED:å¯ä»¥ MSG_RESULT_NOT_ALLOWED:ä¸å¯ä»¥ MSG_RESULT_UPD: æ›´æ–°çš„ MSG_RESULT_NO_UPD: æ²’æ›´æ–° MSG_RESULT_UPD_FAILED: 更新失敗 MSG_RESULT_VCHK_FAILED: 版本檢查失敗 # # The messages. # VERSIONLINE:[ $1 版本 $2 ] VERSIONLINE2:在主機 $3 執行 $1 版本 $2 VERSIONLINE3:執行 $1 版本 $2 RKH_STARTDATE:開始時間是 $1 RKH_ENDDATE:çµæŸæ™‚間是 $1 OPSYS:嵿¸¬åˆ°çš„系統是 '$1' UNAME:Uname 輸出是 '$1' CONFIG_CHECK_START:檢查設定檔åŠå‘½ä»¤åˆ—é¸é …... CONFIG_CMDLINE:命令列是 $1 CONFIG_ENVSHELL:SHELLç¨‹å¼æ˜¯ $1; rkhunter 正在使用 $2 CONFIG_CONFIGFILE:rkhunter設定檔是 '$1' CONFIG_INSTALLDIR:安è£ç›®éŒ„是'$1' CONFIG_LANGUAGE:使用的語言是 '$1' CONFIG_DBDIR:資料庫目錄 '$1' CONFIG_SCRIPTDIR:script目錄 '$1' CONFIG_BINDIR:執行檔目錄 '$1' CONFIG_ROOTDIR:根目錄 '$1' CONFIG_TMPDIR:暫存檔目錄 '$1' CONFIG_NO_MAIL_ON_WARN:沒有設置警告信的郵件ä½å€ CONFIG_MOW_DISABLED:根據使用者設定,ä¸ä½¿ç”¨è­¦å‘Šä¿¡ CONFIG_MAIL_ON_WARN:使用命令'$2'給 '$1' 發警告信 CONFIG_SSH_ROOT:Rkhunter çš„é¸é … ALLOW_SSH_ROOT_USERè¢«è¨­ç½®æˆ '$1'. 
CONFIG_SSH_PROTV1:Rkhunter é¸é …被設置æˆå¯ä»¥ä½¿ç”¨ç‰ˆæœ¬1çš„SSHå”定 CONFIG_X_AUTO:自動檢查X CONFIG_CLRSET2:使用第二個é…色方法 CONFIG_NO_SHOW_SUMMARY:根據使用者設定,ä¸é¡¯ç¤ºç³»çµ±ç¸½çµå ±å‘Š CONFIG_SCAN_MODE_DEV:SCAN_MODE_DEV被設置為'$1' CONFIG_NO_VL:根據使用者設定,ä¸è©³ç´°è¨˜éŒ„ CONFIG_XINETD_PATH:使用 $1 設定檔 '$2' CONFIG_SOL10_INETD:使用Solaris 10 åŠä»¥å¾Œçš„inetd機制 CONFIG_LOCAL_RC_DIR:使用系統的啟動目錄: $1 CONFIG_LOCAL_RC_FILE:使用本地的啟動目錄檔案: $1 CONFIG_ROTATE_MIRRORS:å‚™æ´æª”案將予以轉置 ONFIG_NO_ROTATE_MIRRORS:å‚™æ´æª”案將ä¸è¢«è½‰ç½® CONFIG_UPDATE_MIRRORS:å‚™æ´æª”案將被更新 CONFIG_NO_UPDATE_MIRRORS:å‚™æ´æª”案將ä¸è¢«æ›´æ–° CONFIG_MIRRORS_MODE0:本地和é ç«¯å‚™æ´æª”案將都被使用 CONFIG_MIRRORS_MODE1:åªä½¿ç”¨æœ¬åœ°å‚™æ´æª”案 CONFIG_MIRRORS_MODE2:åªä½¿ç”¨é ç«¯å‚™æ´æª”案 FOUND_CMD:找到 '$1' 命令: $2 NOT_FOUND_CMD:無法找到'$1' 命令 SYS_PRELINK:系統正在使用prelinking SYS_NO_PRELINK:系統ä¸ä½¿ç”¨prelinking HASH_FUNC_PRELINK:為了檔案的 hash 檢查而使用 prelink 命令 (帶 $1) HASH_FUNC_PERL:使用 perl $1 模組來檢查檔案hash HASH_FUNC:checksumç¨‹å¼ '$1' HASH_FUNC_NONE:無法檢查檔案hash : 沒有指定 HASH_FUNC_NONE_PKGMGR:沒有指定檔案hash函數: åªèƒ½ä½¿ç”¨å¥—件管ç†ç¨‹å¼ HASH_FUNC_DISABLED:Hash函數設置為'NONE': 自動使檔案hash檢查無效 HASH_FUNC_OLD:使用hash函數 '$1'儲存hash值 HASH_FUNC_OLD_DISABLED:舊的的hash函數無效: 沒有hash值被儲存 HASH_PKGMGR_OLD::使用套件管ç†ç¨‹å¼'$1'儲存hash值 HASH_PKGMGR_OLD_NONMD5:使用套件管ç†ç¨‹å¼'$1'(md5 function)儲存hash值 HASH_PKGMGR_OLD_UNSET:ä¸ä½¿ç”¨å¥—件管ç†ç¨‹å¼è€Œå„²å­˜hash值 HASH_PKGMGR:使用套件管ç†ç¨‹å¼ '$1' 檢查檔案屬性 HASH_PKGMGR_MD5:使用 MD5 hash 函數命令 '$1' 幫助套件管ç†ç¨‹å¼é€²è¡Œé©—è­‰ HASH_PKGMGR_NOT_SPEC:沒有指定套件管ç†ç¨‹å¼: 使用 hash 函數 '$1' HASH_PKGMGR_NOT_SPEC_PRELINKED:沒有指定套件管ç†ç¨‹å¼: 使用帶 '$1' çš„ prelink 命令 HASH_PKGMGR_USE_VRFY:套件管ç†ç¨‹å¼é©—è­‰å°‡ç”¨æ–¼æª”æ¡ˆå±¬æ€§çš„æª¢æŸ¥çµæžœ HASH_PKGMGR_NO_USE_VRFY:套件管ç†ç¨‹å¼é©—證將ä¸ç”¨æ–¼æª”æ¡ˆå±¬æ€§çš„æª¢æŸ¥çµæžœ HASH_FIELD_INDEX:hash 函數的欄ä½ç´¢å¼•被設置為 $1 HASHUPD_DISABLED:Hash 檢查失效: ç›®å‰çš„æª”案hash值將䏿œƒå„²å­˜ HASHUPD_PKGMGR:使用套件管ç†ç¨‹å¼ '$1' 來更新檔案hash值 HASHUPD_PKGMGR_NONE:沒有指定套件管ç†ç¨‹å¼: 使用hash函數 '$1' HASHUPD_PKGMGR_NONE_PRELINKED:沒有指定套件管ç†ç¨‹å¼: 使用帶'$1'çš„prelink命令 HASHUPD_PKGMGR_NOT_SPEC:沒有指定檔案 hash 
更新套件管ç†ç¨‹å¼: 使用 hash 函數 '$1' HASHUPD_PKGMGR_NOT_SPEC_PRELINKED:沒有指定檔案 hash 更新套件管ç†ç¨‹å¼: 使用帶 '$1'çš„ prelink 命令 HASHUPD_PKGMGR_MD5:使用MD5 hash函數命令'$1'作為套件管ç†ç¨‹å¼ HASHUPD_PKGMGR_MD5_PRELINK:使用prelink命令 (帶 $1)作為套件管ç†ç¨‹å¼ ATTRUPD_DISABLED:檔案屬性檢查失效: ç›®å‰çš„æª”æ¡ˆå±¬æ€§å°‡ä¸æœƒå„²å­˜ ATTRUPD_NOSTAT:檔案屬性檢查失效: 沒有發ç¾'stat'命令:ç›®å‰çš„æª”æ¡ˆå±¬æ€§å°‡ä¸æœƒå„²å­˜ ATTRUPD_OK:ç›®å‰çš„æª”案屬性將被儲存 ATTRUPD_OLD_DISABLED:舊的檔案屬性無效: 沒有檔案屬性儲存 ATTRUPD_OLD_NOSTAT:舊的檔案屬性無效: 沒有發ç¾'stat'命令: 沒有檔案屬性被儲存 ATTRUPD_OLD_OK:儲存舊的檔案屬性 GRSECINSTALLED:ç™¼ç¾æœ‰å®‰è£GRSEC SYSLOG_ENABLED:啟用 syslog - facility/priority 等級是 '$1'. SYSLOG_DISABLED:根據使用者設定,ä¸ä½¿ç”¨ syslog . SYSLOG_NO_LOGGER:無法使用 syslog - 無法找到 'logger' 命令. NAME:$1 PRESSENTER:[按 éµç¹¼çºŒ] TEST_SKIPPED_OS:因為 OS: $2ï¼Œè·³éŽæª¢æŸ¥ '$1' SUMMARY_TITLE1:ç³»çµ±æª¢æŸ¥çµæžœ SUMMARY_TITLE2:===================== SUMMARY_PROP_SCAN:檢查檔案屬性... SUMMARY_PROP_REQCMDS:è¦æ±‚的檢查命令失敗 SUMMARY_PROP_COUNT:檢查檔案: $1 SUMMARY_PROP_FAILED:å¯ç–‘檔案: $1 SUMMARY_CHKS_SKIPPED:è·³éŽæ‰€æœ‰æª¢æŸ¥ SUMMARY_RKT_SCAN:檢查Rootkit... SUMMARY_RKT_COUNT:檢查Rootkits : $1 SUMMARY_RKT_FAILED:å¯èƒ½å­˜åœ¨ rootkits: $1 SUMMARY_RKT_NAMES:Rootkit å稱 : $1 SUMMARY_APPS_SCAN:æ‡‰ç”¨ç¨‹å¼æª¢æŸ¥... SUMMARY_APPS_COUNT:æ‡‰ç”¨ç¨‹å¼æª¢æŸ¥: $1 SUMMARY_APPS_FAILED:å¯ç–‘的應用程å¼: $1 SUMMARY_SCAN_TIME:檢查系統時間: $1 SUMMARY_NO_SCAN_TIME:檢查系統時間: 無法計算系統時間 SUMMARY_LOGFILE:æ‰€æœ‰çµæžœå·²è¢«å¯«å…¥åˆ°ç³»çµ±è¨˜éŒ„檔($1) SUMMARY_NO_LOGFILE:沒有建立系統記錄檔. CREATED_TEMP_FILE:建立暫存檔目錄 '$1' MIRRORS_NO_FILE:å‚™æ´æª”案'$1'ä¸å­˜åœ¨ MIRRORS_NO_MIRRORS:å‚™æ´æª”案 '$1' 中沒有需è¦çš„å‚™æ´. MIRRORS_NO_VERSION:å‚™æ´æª”案 '$1'中沒有版本編號 - 釿–°è¨­ç½®ç‚º0. MIRRORS_ROTATED:å‚™æ´æª”案 '$1' 已被更新. MIRRORS_SF_DEFAULT:使用 SourceForge å‚™æ´: $1 DOWNLOAD_CMD:執行下載命令 '$1' DOWNLOAD_FAIL:下載失敗 - $1 å‚™æ´æª”案無效. VERSIONCHECK_START:正在檢查 rkhunter 版本... VERSIONCHECK_FAIL_ALL:下載失敗: 無法確定最新的程å¼ç‰ˆæœ¬. 
VERSIONCHECK_CURRENT:ç›®å‰çš„版本 : $1 VERSIONCHECK_LATEST:最新的版本: $1 VERSIONCHECK_LATEST_FAIL:最新版本: 下載失敗 VERSIONCHECK_UPDT_AVAIL:更新有效 VERSIONCHECK_CONV_FAIL:無法比較版本編號: 程å¼: '$1' Latest: '$2' UPDATE_START:正在檢查rkhunter 的資料檔案... UPDATE_CHECKING_FILE:正在檢查檔案$1 UPDATE_FILE_NO_VERS:檔案 '$1' 沒有有效的版本編號. 正下載一個新的副本. UPDATE_FILE_MISSING:檔案 '$1' éºå¤±æˆ–為空檔. 正下載一個新的副本. UPDATE_DOWNLOAD_FAIL:'$1'下載失敗: 無法確定最新的版本編號. UPDATE_I18N_NO_VERS:無法發ç¾i18n語言檔案版本編號. OSINFO_START:æª¢æŸ¥è‡ªä¸Šæ¬¡æª¢æŸ¥å¾Œç³»çµ±æ˜¯å¦æœ‰è¢«è®Šæ›´... OSINFO_END:沒有發ç¾ä»»ä½•變更 OSINFO_HOST_CHANGE1:自從上次檢查後,主機å稱已改變 OSINFO_HOST_CHANGE2:舊的主機å稱: $1 新的主機å稱: $2 OSINFO_OSVER_CHANGE1:自上次檢查後,系統å稱或版本已改變 OSINFO_OSVER_CHANGE2:舊的作業系統: $1 新的作業系統: $2 OSINFO_PRELINK_CHANGE:自上次檢查後,使用prelinking系統å¯èƒ½å·²æ”¹è®Šç‚º${1} OSINFO_ARCH_CHANGE1:系統的CPU類型å¯èƒ½å·²æ”¹è®Š OSINFO_ARCH_CHANGE2:舊的CPU: $1 æ–°çš„CPU: $2 OSINFO_MSG1:因為這些改變,檔案屬性檢查å¯èƒ½æœ‰éŒ¯èª¤çš„çµæžœ. OSINFO_MSG2:ä½ å¯èƒ½éœ€è¦ç”¨'--propupd' é¸é …釿–°åŸ·è¡Œrkhunter SET_FILE_PROP_START: file properties正在å–得檔案屬性... SET_FILE_PROP_DIR_FILE_COUNT:在$2發ç¾$1 個檔案 SET_FILE_PROP_FILE_COUNT:檔案 $1: æœå°‹äº† $2 個檔案, ç™¼ç¾ $3 SET_FILE_PROP_FILE_COUNT_NOHASH:F檔案 $1: æœå°‹äº† $2 個檔案, ç™¼ç¾ $3, éºå¤± hashes $4 PROPUPD_START:開始更新檔案屬性資料... PROPUPD_OSINFO_START:正在收集作業系統的訊æ¯... PROPUPD_ARCH_FOUND:發ç¾ç³»çµ±æž¶æ§‹: $1 PROPUPD_REL_FILE:ç™¼ç¾ release 檔案: $1 PROPUPD_NO_REL_FILE:ä¸èƒ½æ‰¾åˆ°release 檔案: LS 輸出顯示: PROPUPD_OSNAME_FOUND:發ç¾ä½œæ¥­ç³»çµ±å稱: $1 PROPUPD_ERROR:å®‰è£æ–°çš„ rkhunter.dat 檔案發生錯誤. 代碼 $1 PROPUPD_NEW_DAT_FILE:æ–°çš„ rkhunter.dat 檔案已安è£åœ¨ '$1' PROPUPD_WARN:警告! 當使用 '--propupd' é¸é …時,使用者必須自行確定 PROPUPD_WARN:系統中所有的檔案是真實的ã€å®‰è£çš„æª”æ¡ˆä¾†æºæ˜¯å¯é çš„. PROPUPD_WARN:rkhunter '--check' é¸é …將目å‰çš„æª”æ¡ˆå±¬æ€§èˆ‡å…ˆå‰ PROPUPD_WARN:å„²å­˜çš„å€¼é€²è¡Œå°æ¯”,並且報告任何的變動. 然而, rkhunter PROPUPD_WARN:無法確定是什麼原因造æˆäº†é€™äº›è®Šå‹•,需待使用者去確èª. ENABLED_TESTS:啟用的測試是: $1 DISABLED_TESTS:ä¸å•Ÿç”¨çš„æ¸¬è©¦æ˜¯: $1 KSYMS_FOUND:ç™¼ç¾ ksym 檔案 '$1' KSYMS_MISSING:所有的 ksyms å’Œ kallsyms æª¢æŸ¥å·²è¢«å–æ¶ˆ - 這兩種檔案在系統中都ä¸å­˜åœ¨. 
STARTING_TEST:é–‹å§‹ '$1' 檢查 USER_DISABLED_TEST:ä½¿ç”¨è€…å·²å–æ¶ˆ '$1' 檢查. CHECK_START:開始檢查系統... CHECK_WARNINGS_NOT_FOUND:在檢查系統éŽç¨‹ä¸­æ²’有警告產生. CHECK_WARNINGS_FOUND:檢查系統éŽç¨‹ä¸­ç™¼ç¾ä¸€å€‹æˆ–多個警告. CHECK_WARNINGS_FOUND_RERUN:è«‹é‡æ–°åŸ·è¡Œrkhunter,確èªç³»çµ±è¨˜éŒ„檔已建立. CHECK_WARNINGS_FOUND_CHK_LOG:請檢查系統記錄檔 ($1) CHECK_SYS_COMMANDS:檢查系統命令... STRINGS_CHECK_START:執行 '字串' 命令檢查 STRINGS_SCANNING_OK:掃瞄字串 $1 STRINGS_SCANNING_BAD:掃瞄字串 $1 STRINGS_SCANNING_BAD:'字串' 命令中無法發ç¾å­—串 STRINGS_CHECK:檢查 '字串' 命令 STRINGS_CHECK:è·³éŽæª¢æŸ¥ - æ²’æœ‰ç™¼ç¾ '字串' 命令. FILE_PROP_START:執行檔案屬性檢查 FILE_PROP_CMDS:檢查é‡è¦çš„åŸºæœ¬ç¨‹å¼ FILE_PROP_IMMUT_OS:è·³éŽæ‰€æœ‰çš„ immutable-bit 檢查. 該檢查僅在 Linux 系統下有效. FILE_PROP_SKIP_ATTR:無法找到 'stat' 命令 - 所有的檔案屬性檢查將被跳éŽ. FILE_PROP_SKIP_HASH:所有的檔案 hash 檢查將被跳éŽï¼Œå› ç‚º : FILE_PROP_SKIP_HASH_FUNC:ç›®å‰çš„çš„ hash 函數 ($1) 或者套件管ç†ç¨‹å¼ ($2) 與 hash 函數 ($3)ä¸ç›¸å®¹æˆ–套件管ç†ç¨‹å¼ ($4) 被用於儲存這些值. FILE_PROP_SKIP_HASH_PRELINK:無法找到 'prelink' 命令. FILE_PROP_SKIP_HASH_SHA1:這個系統使用 prelinking, 但是 hash 函數命令 ä¸åƒæ˜¯ SHA1 or MD5. FILE_PROP_SKIP_HASH_LIBSAFE:æ²’ç™¼ç¾ Libsafe , 這å¯èƒ½å°Žè‡´éŒ¯èª¤. 如果å¯èƒ½, 關閉 libsafe 並執行 prelink 命令. 最後, 使用 'rkhunter --propupd'釿–°å»ºç«‹ hash 值. FILE_PROP_SKIP_IMMUT:無法找到 'lsattr' 命令 - 所有的檔案 immutable-bit 檢查將被跳éŽ. FILE_PROP_SKIP_SCRIPT:無法找到 'file' 命令 - 所有script代替檢查將被跳éŽ. FILE_PROP_DAT_MISSING:儲存檔案屬性的檔案 (rkhunter.dat) ä¸å­˜åœ¨, 所以必須建立它. 輸入命令 'rkhunter --propupd'建立. FILE_PROP_DAT_EMPTY:儲存檔案屬性的檔案 (rkhunter.dat) 是空的, 所以必須建立它. 輸入命令 'rkhunter --propupd'建立. FILE_PROP_SKIP_ALL:ç›®å‰å¿½ç•¥æ‰€æœ‰æª”案屬性的檢查. FILE_PROP_FILE_NOT_EXIST:系統中ä¸å­˜åœ¨ '$1' 檔案, 但是它存在於 rkhunter.dat 檔案. FILE_PROP_WL:ç™¼ç¾æª”案 '$1': 它存在於白å單中,用於 '$2' 檢查. FILE_PROP_NO_RKH_REC:系統中存在檔案 '$1' , 但是它ä¸å­˜åœ¨æ–¼ the rkhunter.dat 檔案. FILE_PROP_HASH_WL_INVALID:ç™¼ç¾æª”案 '$1': 白å單的 hash 值 ($2) 與目å‰çš„çš„ hash 值ä¸ç›¸ç¬¦. 
FILE_PROP_CHANGED:檔案屬性已改變: FILE_PROP_CHANGED2:檔案: $1 FILE_PROP_NO_PKGMGR_FILE:è·³éŽæª”案 '$1' hash 值: 檔案ä¸å±¬æ–¼è©²å¥—ä»¶ FILE_PROP_NO_SYSHASH:æ²’ç™¼ç¾æª”案 '$1'çš„hash值 FILE_PROP_NO_SYSHASH_CMD:Hash 命令輸出: $1 FILE_PROP_NO_SYSHASH_DEPENDENCY:嘗試使用命令 'prelink $1' ä¿®å¾©ç›¸ä¾æ€§éŒ¯èª¤. FILE_PROP_SYSHASH_UNAVAIL:ç›®å‰çš„ hash: 無法å–å¾— FILE_PROP_SYSHASH:ç›®å‰çš„ hash: $1 FILE_PROP_RKHHASH:儲存 hash : $1 FILE_PROP_NO_RKHHASH:ä¸èƒ½æ‰¾åˆ°rkhunter.dat中檔案'$1' çš„hash值. FILE_PROP_NO_RKHPERM:ä¸èƒ½æ‰¾åˆ°rkhunter.dat中檔案'$1' 的權é™å€¼. FILE_PROP_PERM_UNAVAIL:ç›®å‰çš„æ¬Šé™: 無法å–å¾— cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter 儲存的權é™: $1 FILE_PROP_PERM:ç›®å‰çš„æ¬Šé™: $1 儲存的權é™: $2 FILE_PROP_UID_UNAVAIL:ç›®å‰çš„ uid: 無法å–å¾— 儲存的 uid: $1 FILE_PROP_UID:ç›®å‰çš„ uid: $1 儲存的 uid: $2 FILE_PROP_NO_RKHUID:在檔案rkhunter.dat中沒有找到檔案 '$1' çš„user-id值. FILE_PROP_GID_UNAVAIL:ç›®å‰çš„çš„ gid: 無法å–å¾— 儲存的 gid: $1 FILE_PROP_GID:ç›®å‰çš„çš„ gid: $1 儲存的 gid: $2 FILE_PROP_NO_RKHGID:在檔案rkhunter.dat中沒有找到檔案 '$1' çš„group-id值. FILE_PROP_INODE_UNAVAIL:ç›®å‰çš„çš„ inode: 無法å–å¾— 儲存的 inode: $1 FILE_PROP_INODE:ç›®å‰çš„çš„ inode: $1 儲存的 inode: $2 FILE_PROP_NO_RKHINODE:在檔案rkhunter.dat中沒有找到檔案 '$1' çš„inode值. FILE_PROP_SYSDTM_UNAVAIL:ç›®å‰çš„的檔案修改時間: 無法å–å¾— FILE_PROP_SYSDTM:ç›®å‰çš„æª”案修改時間: $1 FILE_PROP_RKHDTM:儲存的檔案修改時間 : $1 FILE_PROP_NO_RKHDTM:在檔案rkhunter.dat中沒有找到檔案 '$1' 的修改時間值. FILE_PROP_NO_SYSATTR:無法å–å¾— '$1' 的目å‰çš„屬性 FILE_PROP_WRITE:檔案 '$1'è¢«è¨­ç½®ç‚ºå°æ‰€æœ‰ä½¿ç”¨è€…å¯å¯«. FILE_PROP_SYSPERM_UNAVAIL:無法å–得檔案 '$1' 的目å‰çš„å¯«æ¬Šé™ FILE_PROP_IMMUT:檔案 '$1' 被設置了 immutable-bit . FILE_PROP_SCRIPT:命令 '$1' 已經被script: $2 代替 FILE_PROP_VRFY:套件管ç†ç¨‹å¼é©—證已失效: FILE_PROP_VRFY_HASH:檔案hash值已改變 FILE_PROP_VRFY_PERM:檔案權é™å·²æ”¹è®Š FILE_PROP_VRFY_UID:æª”æ¡ˆçš„æ“æœ‰è€…屬性已改變 FILE_PROP_VRFY_GID:檔案組屬性已改變 FILE_PROP_VRFY_DTM:檔案的修改時間已改變 CHECK_ROOTKITS:正在檢查rootkit... ROOTKIT_FILES_DIRS_START:開始檢查目å‰å·²çŸ¥çš„rootkit種類和相關目錄 ROOTKIT_FILES_DIRS_NAME_LOG:檢查 ${1}... 
ROOTKIT_FILES_DIRS_FILE:檢查檔案 '$1' ROOTKIT_FILES_DIRS_DIR:檢查目錄 '$1' ROOTKIT_FILES_DIRS_KSYM:檢查核心符號 '$1' ROOTKIT_FILES_DIRS_FILE_FOUND:ç™¼ç¾æª”案 '$1' ROOTKIT_FILES_DIRS_DIR_FOUND:發ç¾ç›®éŒ„ '$1' ROOTKIT_FILES_DIRS_KSYM_FOUND:ç™¼ç¾æ ¸å¿ƒç¬¦è™Ÿ '$1' ROOTKIT_FILES_DIRS_STR:檢查字串 '$1' ROOTKIT_FILES_DIRS_STR_FOUND:在檔案 '$2'中發ç¾å­—串'$1' ROOTKIT_FILES_DIRS_NOFILE:檔案 '$1' ä¸å­˜åœ¨! ROOTKIT_FILES_DIRS_SINAR_DIR:檢查 '$1' ROOTKIT_FILES_DIRS_SINAR:在: $1中發ç¾SInAR ROOTKIT_ADD_START:執行其它的rootkit檢查 ROOTKIT_ADD_SUCKIT:Suckit Rookit é¡å¤–的檢查 ROOTKIT_ADD_SUCKIT_LOG:執行Suckit Rookit é¡å¤–的檢查 ROOTKIT_ADD_SUCKIT_LINK:檢查/sbin/init é€£çµæ•¸é‡ ROOTKIT_ADD_SUCKIT_LINK_NOCMD:檢查 /sbin/init é€£çµæ•¸é‡: æ²’ç™¼ç¾ 'stat' 命令 ROOTKIT_ADD_SUCKIT_LINK_ERR:檢查 /sbin/init é€£çµæ•¸é‡: 'stat' 命令錯誤 ROOTKIT_ADD_SUCKIT_LINK_FOUND:檢查 /sbin/init é€£çµæ•¸é‡: æ•¸é‡æ˜¯ $1, 它應當是 1 ROOTKIT_ADD_SUCKIT_EXT:æª¢æŸ¥éš±è—æª”案 ROOTKIT_ADD_SUCKIT_EXT_FOUND:æª¢æŸ¥éš±è—æª”案: 發ç¾: $1 ROOTKIT_ADD_SUCKIT_SKDET:執行 skdet 命令 ROOTKIT_ADD_SUCKIT_SKDET_FOUND:執行 skdet 命令: 發ç¾: $1 ROOTKIT_ADD_SUCKIT_SKDET_VER:執行 skdet 命令: 未知版本: $1 ROOTKIT_POSS_FILES_DIRS:檢查å¯èƒ½å­˜åœ¨çš„rootkitåŠå…¶ç›®éŒ„ ROOTKIT_POSS_FILES_DIRS_LOG:執行檢查å¯èƒ½å­˜åœ¨çš„rootkit檔案åŠå…¶ç›®éŒ„ ROOTKIT_POSS_FILES_FILE_FOUND:ç™¼ç¾æª”案 '$1'. å¯èƒ½å­˜åœ¨rootkit: $2 ROOTKIT_POSS_FILES_DIR_FOUND:發ç¾ç›®éŒ„ '$1'. å¯èƒ½å­˜åœ¨rootkit: $2 ROOTKIT_POSS_STRINGS:檢查判定rootkitå¯èƒ½å­˜åœ¨çš„字串 ROOTKIT_POSS_STRINGS_LOG:執行檢查判定rootkitå¯èƒ½å­˜åœ¨çš„字串 ROOTKIT_POSS_STRINGS_FOUND:在檔案 '$2'中發ç¾å­—串'$1' . 
å¯èƒ½é‚„在rootkit: $3 ROOTKIT_MALWARE_START:執行惡æ„軟體檢查 ROOTKIT_MALWARE_SUSP_FILES:檢查執行中的行程是å¦ç‚ºå¯ç–‘的檔案 ROOTKIT_MALWARE_SUSP_FILES_FOUND:發ç¾ä¸€å€‹æˆ–多個這樣的檔案: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND:檢查 lsof 命令 'lsof -F n -w -n' 的輸出 ROOTKIT_MALWARE_HIDDEN_PROCS:檢查隱è—行程 ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:發ç¾éš±è—的行程: $1 ROOTKIT_MALWARE_DELETED_FILES:在正執行行程中檢查 deleted 檔案 ROOTKIT_MALWARE_DELETED_FILES_FOUND:以下行程正在使用 deleted 檔案: ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:行程: $1 PID: $2 檔案: $3 ROOTKIT_MALWARE_LOGIN_BDOOR:檢查 login 後門 ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:執行檢查 login 後門 ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:檢查 '$1' ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:ç™¼ç¾ login 後門檔案: $1 ROOTKIT_MALWARE_SUSP_DIR:檢查å¯ç–‘目錄 ROOTKIT_MALWARE_SUSP_DIR_LOG:執行å¯ç–‘目錄的檢查 ROOTKIT_MALWARE_SUSP_DIR_FOUND:發ç¾å¯ç–‘的目錄: $1 ROOTKIT_MALWARE_SFW_INTRUSION:檢查軟體入侵 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:檔案 '$1' 䏭套件嫿œ‰å­—串 '$2'. å¯èƒ½å­˜åœ¨rootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:è·³éŽæª¢æŸ¥ - tripwire æ²’æœ‰å®‰è£ ROOTKIT_MALWARE_SNIFFER:檢查 sniffer 系統記錄檔 ROOTKIT_MALWARE_SNIFFER_LOG:執行 sniffer 系統記錄檔的檢查 ROOTKIT_MALWARE_SNIFFER_FOUND:發ç¾å¯ç–‘çš„sniffer 系統記錄檔: $1 ROOTKIT_TROJAN_START:執行木馬程å¼çš„æª¢æŸ¥ ROOTKIT_TROJAN_INETD:檢查啟動的 inetd æœå‹™ ROOTKIT_TROJAN_INETD_SKIP:è·³éŽæª¢æŸ¥ - 檔案 '$1' ä¸å­˜åœ¨. ROOTKIT_TROJAN_INETD_FOUND:發ç¾å·²å•Ÿå‹•çš„ inetd æœå‹™: $1 ROOTKIT_TROJAN_XINETD:檢查啟動的 xinetd æœå‹™ ROOTKIT_TROJAN_XINETD_LOG:執行已啟動的 xinetd æœå‹™çš„æª¢æŸ¥ ROOTKIT_TROJAN_XINETD_ENABLED:在 '$1' 中檢查已啟動的æœå‹™ ROOTKIT_TROJAN_XINETD_INCLUDE:ç™¼ç¾ 'include $1' 指令 ROOTKIT_TROJAN_XINETD_INCLUDEDIR:ç™¼ç¾ 'includedir $1' 指令 ROOTKIT_TROJAN_XINETD_ENABLED_FOUND:發ç¾å•Ÿå‹•çš„ xinetd æœå‹™: $1 ROOTKIT_TROJAN_XINETD_WHITELIST:ç™¼ç¾æœå‹™ '$1': å®ƒä½æ–¼ $2 白åå–®. ROOTKIT_TROJAN_APACHE:檢查 Apache 的後門 ROOTKIT_TROJAN_APACHE_SKIPPED:è·³éŽApache 後門的檢查: 沒發ç¾Apache 模組和設置目錄. 
ROOTKIT_TROJAN_APACHE_FOUND:發現Apache 後門模組 'mod_rootme' : $1 ROOTKIT_OS_START:執行 $1 深入的檢查 ROOTKIT_OS_SKIPPED:沒有可用的深入檢查 ROOTKIT_OS_BSD_SOCKNET:檢查 sockstat 和 netstat 命令 ROOTKIT_OS_BSD_SOCKNET_FOUND: sockstat 和 netstat 的輸出發現不同: ROOTKIT_OS_BSD_SOCKNET_OUTPUT:$1 輸出: $2 ROOTKIT_OS_FREEBSD_KLD:檢查 KLD 後門 ROOTKIT_OS_FREEBSD_KLD_FOUND:發現可疑的 FreeBSD KLD 後門. 'kldstat -v' 命令顯示字串 '$1' ROOTKIT_OS_FREEBSD_PKGDB:檢查套件資料庫 ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:套件資料庫似乎有問題. ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:這可能不是安全問題, 但是執行 'pkgdb -F' 可能有助於診斷問題. ROOTKIT_OS_LINUX_LKM:檢查核心模組命令 ROOTKIT_OS_LINUX_LKM_FOUND: lsmod 命令 和 /proc/modules 檔案之間發現不同的地方: ROOTKIT_OS_LINUX_LKM_OUTPUT:$1 輸出: $2 ROOTKIT_OS_LINUX_LKM_EMPTY: 沒有發現 lsmod 命令 和或 /proc/modules 檔案的輸出: ROOTKIT_OS_LINUX_LKM_MOD_MISSING:模組檔案 '$1' 已遺失. ROOTKIT_OS_LINUX_LKMNAMES:檢查核心模組名稱 ROOTKIT_OS_LINUX_LKMNAMES_PATH:使用模組路徑名 '$1' ROOTKIT_OS_LINUX_LKMNAMES_FOUND:在 '$1'中發現已知的惡意核心模組: $2 ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING:核心模組目錄 '$1' 遺失 CHECK_LOCALHOST:檢查本地主機... STARTUP_FILES_START:執行系統開機檢查 STARTUP_HOSTNAME:檢查本地主機名稱 STARTUP_NO_HOSTNAME:沒發現主機名稱. STARTUP_LOCAL_RC_FILE:檢查本地啟動檔案 STARTUP_FOUND_LOCAL_RC_FILE:發現本地啟動檔案: $1 STARTUP_NO_LOCAL_RC_FILE:沒發現本地啟動檔案. STARTUP_CHECK_LOCAL_RC:檢查本地啟動檔案是否涉及有害程式 STARTUP_CHECK_SYSTEM_RC:檢查系統啟動檔案是否涉及有害程式 STARTUP_CHECK_SYSTEM_RC_FOUND:發現系統啟動目錄: $1 STARTUP_CHECK_SYSTEM_RC_NONE:沒發現系統啟動檔案. ACCOUNTS_START:執行使用者群組和帳號檢查 ACCOUNTS_PWD_FILE_CHECK:檢查密碼檔案 ACCOUNTS_FOUND_PWD_FILE:發現密碼檔案: $1 ACCOUNTS_NO_PWD_FILE:密碼檔案 $1 不存在. ACCOUNTS_UID0:檢查等同於root (UID 0) 帳號 ACCOUNTS_UID0_WL:發現等同於root 帳號 '$1': 它位於白名單中. ACCOUNTS_UID0_FOUND:帳號 '$1' 是等同於root (UID = 0) ACCOUNTS_SHADOW_FILE:發現 shadow 檔案: $1 ACCOUNTS_PWDLESS:檢查空密碼的帳號 ACCOUNTS_PWDLESS_FOUND:發現空密碼帳號: $1 ACCOUNTS_NO_SHADOW_FILE:沒發現 shadow/password 檔案.
PASSWD_CHANGES:檢查密碼檔案的變化 PASSWD_CHANGES_NO_TMP:無法檢查密碼檔案的異常: 密碼檔案的副本不存在. PASSWD_CHANGES_ADDED:有使用者被加到密碼檔案中: PASSWD_CHANGES_REMOVED:有使用者從密碼檔案中移除: GROUP_CHANGES:檢查使用者群組檔案的變化 GROUP_CHANGES_NO_FILE:使用者群組檔案 $1 不存在. GROUP_CHANGES_NO_TMP:無法檢查使用者群組檔案的變化: 使用者群組檔案的副本不存在. GROUP_CHANGES_ADDED:有使用者被加進使用者群組檔案: GROUP_CHANGES_REMOVED:組已被從使用者群組檔案中刪除: HISTORY_CHECK:檢查root帳號的shell歷史記錄 HISTORY_CHECK_FOUND:Root 帳號 $1 shell 歷史記錄是一個符號連結: $2 SYSTEM_CONFIGS_START:執行系統設定檔檢查 SYSTEM_CONFIGS_FILE:檢查 $1 設定檔 SYSTEM_CONFIGS_FILE_FOUND:發現 $1 設定檔: $2 SYSTEM_CONFIGS_SSH_ROOT:檢查SSH是否可用root登入 SYSTEM_CONFIGS_SSH_ROOT_FOUND: SSH 和 rkhunter 的設定選項應當相同: SYSTEM_CONFIGS_SSH_ROOT_FOUND1:SSH 設定選項 'PermitRootLogin': $1 SYSTEM_CONFIGS_SSH_ROOT_FOUND2:Rkhunter 設定選項 'ALLOW_SSH_ROOT_USER': $1 SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND: 還沒設置SSH 設定選項 'PermitRootLogin' . SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:預設值可能是 'yes', 可用root登入. SYSTEM_CONFIGS_SSH_PROTO:檢查是否使用 SSH v1版協定 SYSTEM_CONFIGS_SSH_PROTO_FOUND:SSH的設定檔SSH ($1)已使用SSH v1協定生效. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND: SSH 設定選項 'Protocol' 還沒設置. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:預設值可能是 '2,1', 可以使用 v1協定. SYSTEM_CONFIGS_SYSLOG:檢查是否執行syslog daemon SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:syslog daemon 沒有執行. SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon 沒有執行, 但是已經發現一個metalog daemon. SYSTEM_CONFIGS_SYSLOG_NO_FILE:syslog daemon 正在執行, 但是無法發現設定檔. SYSTEM_CONFIGS_SYSLOG_REMOTE:檢查是否可以使用 syslog 遠端記錄 SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog 設定檔可以遠端登入: $1 SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED:Rkhunter 設定選項 'ALLOW_SYSLOG_REMOTE_LOGGING' 已經生效. FILESYSTEM_START:執行檔案系統檢查中....請稍待.... FILESYSTEM_DEV_CHECK:/dev 可疑檔案類型檢查 FILESYSTEM_DEV_CHECK_NO_DEV:/dev 不存在. FILESYSTEM_DEV_FILE_WL:發現檔案 '$1': 它存在於白名單中. FILESYSTEM_DEV_FILE_FOUND:在 ${1}中發現可疑檔案: FILESYSTEM_HIDDEN_DIR_WL:發現隱藏的目錄'$1': 它存在於白名單中.
FILESYSTEM_HIDDEN_FILE_WL:Found hidden file '$1': it is whitelisted. FILESYSTEM_HIDDEN_CHECK:檢查隱藏的檔案和目錄 FILESYSTEM_HIDDEN_DIR_FOUND:發現隱藏的目錄: $1 FILESYSTEM_HIDDEN_FILE_FOUND:發現隱藏的檔案: $1 CHECK_APPS:檢查應用程式的版本... APPS_NONE_FOUND:發現未知的應用程式 - 跳過所有的檢查. APPS_DAT_MISSING:跳過所有的應用程式版本檢查. APPS_DAT_MISSING:不安全應用程式版本 (programs_bad.dat) 遺失或為空. APPS_DAT_MISSING:如果它已經被刪除, 你得執行 'rkhunter --update'. APPS_NOT_FOUND:沒發現應用程式 '$1' . APPS_CHECK:檢查 $1 的版本 APPS_CHECK_VERSION_UNKNOWN:無法取得 '$1'的版本編號. APPS_CHECK_VERSION_FOUND:發現應用程式 '$1' 版本編號 '$2' . APPS_CHECK_VERSION_WL:發現應用程式 '$1' 版本 '$2': 這個版本位於白名單. APPS_CHECK_WHOLE_VERSION_USED:無法取得 '$1'的版本編號: 版本選項顯示: $2 APPS_CHECK_FOUND:應用程式 '$1', 版本編號 '$2', 已過時, 有潛在的安全風險. APPS_TOTAL_COUNT:應用程式檢查: 在 $2 個應用程式中, 有 $1 個要注意 CHECK_NETWORK:檢查網路... NETWORK_PORTS_START:執行後門通訊埠的檢查 NETWORK_PORTS_FILE_MISSING:跳過所有後門通訊埠的檢查. NETWORK_PORTS_FILE_MISSING:已知後門通訊埠檔案 (backdoorports.dat) 遺失或為空白. NETWORK_PORTS_FILE_MISSING:如果它已被刪除,你必須執行命令 'rkhunter --update'. NETWORK_PORTS_FILE_NO_NETSTAT:跳過所有後門通訊埠的檢查. NETWORK_PORTS_FILE_NO_NETSTAT:無法找到 'netstat' 命令 NETWORK_PORTS:檢查 $1 通訊埠 ${2} NETWORK_PORTS_FOUND:網路 $1 通訊埠 $2 已被使用. 可能的rootkit: $3 NETWORK_PORTS_FOUND:執行 'netstat -an' 命令去檢查它. NETWORK_INTERFACE_START:執行網路介面的檢查 NETWORK_PROMISC_CHECK:檢查 promiscuous 介面 NETWORK_PROMISC_NO_IFCONFIG:Promiscuous 網路介面被跳過 - 無法找到 'ifconfig' 命令. NETWORK_PROMISC_NO_IP:使用'ip' 命令檢查Promiscuous 網路介面 - 無法找到 'ip' 命令. NETWORK_PROMISC_IF:可能的promiscuous 介面: NETWORK_PROMISC_IF_1:'ifconfig' 命令輸出: $1 NETWORK_PROMISC_IF_2:'ip' 命令輸出: $1 NETWORK_PACKET_CAP_CHECK:檢查封包攔截程式 NETWORK_PACKET_CAP_CHECK_NO_FILE:封包攔截程式的檢查被跳過 - 檔案 '$1' 遺失. NETWORK_PACKET_CAP_FOUND:行程 '$1' (PID $2) 正在網路上監聽. NETWORK_PACKET_CAP_WL:發現行程 '$1': 它存在於白名單中.
SHARED_LIBS_START:執行 '函式庫' 的檢查 SHARED_LIBS_PRELOAD_VAR:檢查預先載入的變數 SHARED_LIBS_PRELOAD_VAR_FOUND:發現預先載入的變數: $1 SHARED_LIBS_PRELOAD_FILE:檢查預先載入的檔案 SHARED_LIBS_PRELOAD_FILE_FOUND:發現library preload 檔案: $1 SHARED_LIBS_PATH:檢查 LD_LIBRARY_PATH 變數 SHARED_LIBS_PATH_BAD: LD_LIBRARY_PATH 環境變數被設置,它會影響二進位程式: 被設置為: $1 SUSPSCAN_CHECK:檢查具有可疑內容的檔案 SUSPSCAN_DIR_NOT_EXIST:目錄 '$1' 不存在. SUSPSCAN_INSPECT:檔案 '$1' (score: $2) 包含有可疑的內容,它將被檢查. SUSPSCAN_START:執行帶有可疑內容檔案的檢查 SUSPSCAN_DIRS:待檢查的目錄是: $1 SUSPSCAN_NO_DIRS:沒有指定目錄: 使用預設 ($1) SUSPSCAN_TEMP:使用暫存檔目錄: $1 SUSPSCAN_NO_TEMP:沒指定暫存檔案目錄: 使用預設的 ($1) SUSPSCAN_TEMP_NOT_EXIST:The suspscan 暫存檔目錄不存在: $1 SUSPSCAN_TEMP_NO_WRITE:The suspscan 暫存目錄無寫入權: $1 SUSPSCAN_SIZE:可檢查的最大檔案大小 (以位元組為單位): '$1' SUSPSCAN_NO_SIZE:沒指定最大的檔案大小: 使用預設值($1) SUSPSCAN_SIZE_INVALID:此Suspscan 最大的檔案大小無效: $1 SUSPSCAN_THRESH:積分上限設置為: $1 SUSPSCAN_NO_THRESH:沒有指定積分上限: 使用預設值 ($1) SUSPSCAN_THRESH_INVALID:此 Suspscan 積分上限是無效的: $1 SUSPSCAN_DIR_CHECK:檢查目錄: '$1' SUSPSCAN_DIR_CHECK_NO_FILES:沒有適當的檔案檢查. SUSPSCAN_FILE_CHECK:檔案檢查: Name: '$1' Score: $2 SUSPSCAN_FILE_CHECK_DEBUG:檔案檢查: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4) SUSPSCAN_FILE_SKIPPED_EMPTY:忽略檔案: 空白: '$1' SUSPSCAN_FILE_SKIPPED_LINK:忽略檔案: 符號連接檔: '$1' SUSPSCAN_FILE_SKIPPED_TYPE:忽略檔案: 錯誤類型: '$1': '$2' SUSPSCAN_FILE_SKIPPED_SIZE:忽略檔案: 太大: '$1' SUSPSCAN_FILE_LINK_CHANGE:發現符號連接檔: '$1' -> '$2' LIST_TESTS:有效的測試名稱: LIST_GROUPED_TESTS:分組檢查名稱: LIST_LANGS:可用的語言: LIST_RTKTS:檢查rootkit # #If any problem related with this zh version message,please mail to #ols3@lxer.idv.tw. I will fix them as soon as possible. #如果有任何關於繁體中文版本翻譯的問題,請聯繫 ols3@lxer.idv.tw #我將會盡快予以修正. # #本翻譯檔參考自linux_fqh@yahoo.com.cn所譯的簡體版本,特此感謝他.
# rkhunter-1.4.0/files/i18n/en0000640000123200012320000010635211711310057015521 0ustar unspawnunspawnVersion:2012012901 # # We start with the definitions of the message types and results. There # are very few of these, so including these and all the parts of each # message in one file makes sense and allows easier translation. # # The message type MSG_TYPE_PLAIN is used for ordinary messages. It has # no specific value, and is intercepted in the display function. It is # included here for completeness. The index names MSG_TYPE_ and # MSG_RESULT_ are reserved - no message may use these as part of its index. # MSG_TYPE_PLAIN: MSG_TYPE_INFO:Info MSG_TYPE_WARNING:Warning # # This is the list of message results. # MSG_RESULT_OK:OK MSG_RESULT_SKIPPED:Skipped MSG_RESULT_WARNING:Warning MSG_RESULT_FOUND:Found MSG_RESULT_NOT_FOUND:Not found MSG_RESULT_NONE_FOUND:None found MSG_RESULT_ALLOWED:Allowed MSG_RESULT_NOT_ALLOWED:Not allowed MSG_RESULT_UNSET:Not set MSG_RESULT_WHITELISTED:Whitelisted MSG_RESULT_UPD:Updated MSG_RESULT_NO_UPD:No update MSG_RESULT_UPD_FAILED:Update failed MSG_RESULT_VCHK_FAILED:Version check failed # # The messages. # VERSIONLINE:[ $1 version $2 ] VERSIONLINE2:Running $1 version $2 on $3 VERSIONLINE3:Running $1 version $2 RKH_STARTDATE:Start date is $1 RKH_ENDDATE:End date is $1 OPSYS:Detected operating system is '$1' UNAME:Uname output is '$1' CONFIG_CHECK_START:Checking configuration file and command-line options...
CONFIG_CMDLINE:Command line is $1 CONFIG_DEBUGFILE:Debug file is $1 CONFIG_ENVSHELL:Environment shell is $1; rkhunter is using $2 CONFIG_CONFIGFILE:Using configuration file '$1' CONFIG_LOCALCONFIGFILE:Using local configuration file '$1' CONFIG_INSTALLDIR:Installation directory is '$1' CONFIG_LANGUAGE:Using language '$1' CONFIG_DBDIR:Using '$1' as the database directory CONFIG_SCRIPTDIR:Using '$1' as the support script directory CONFIG_BINDIR:Using '$1' as the command directories CONFIG_TMPDIR:Using '$1' as the temporary directory CONFIG_NO_MAIL_ON_WARN:No mail-on-warning address configured CONFIG_MOW_DISABLED:Disabling use of mail-on-warning at users request CONFIG_MAIL_ON_WARN:Emailing warnings to '$1' using command '$2' CONFIG_SSH_ROOT:Rkhunter option ALLOW_SSH_ROOT_USER set to '$1'. CONFIG_SSH_PROTV1:Rkhunter option ALLOW_SSH_PROT_V1 set to '$1'. CONFIG_X_AUTO:X will be automatically detected CONFIG_CLRSET2:Using second color set CONFIG_NO_SHOW_SUMMARY:Disabling system check summary at users request CONFIG_SCAN_MODE_DEV:SCAN_MODE_DEV set to '$1' CONFIG_NO_VL:Disabling verbose logging at users request CONFIG_XINETD_PATH:Using $1 configuration file '$2' CONFIG_SOL10_INETD:Using Solaris 10 and later inetd mechanism CONFIG_STARTUP_PATHS:Using system startup paths: $1 CONFIG_ROTATE_MIRRORS:The mirrors file will be rotated CONFIG_NO_ROTATE_MIRRORS:The mirrors file will not be rotated CONFIG_UPDATE_MIRRORS:The mirrors file will be updated CONFIG_NO_UPDATE_MIRRORS:The mirrors file will not be updated CONFIG_MIRRORS_MODE0:Both local and remote mirrors will be used CONFIG_MIRRORS_MODE1:Only local mirrors will be used CONFIG_MIRRORS_MODE2:Only remote mirrors will be used FOUND_CMD:Found the '$1' command: $2 NOT_FOUND_CMD:Unable to find the '$1' command CMD_ERROR:The command '$1' gave error code $2. 
SYS_PRELINK:System is using prelinking SYS_NO_PRELINK:System is not using prelinking SYS_SELINUX:SELinux is enabled SYS_NO_SELINUX:SELinux is disabled HASH_FUNC_PRELINK:Using the prelink command (with $1) for the file hash checks HASH_FUNC_PERL:Using the perl $1 module for the file hash checks HASH_FUNC_PERL_SHA:Using the perl $1 module (with $2) for the file hash checks HASH_FUNC:Using the '$1' command for the file hash checks HASH_FUNC_NONE:File hash checks disabled: NONE specified HASH_FUNC_NONE_PKGMGR:File hash function NONE specified: only package manager will be used HASH_FUNC_DISABLED:Hash function set to 'NONE': automatically disabling file hash checks HASH_FUNC_OLD:Stored hash values used hash function '$1' HASH_FUNC_OLD_DISABLED:Previous hash function was disabled: no hash values were stored HASH_PKGMGR_OLD:Stored hash values used package manager '$1' HASH_PKGMGR_OLD_UNSET:Stored hash values did not use a package manager HASH_PKGMGR:Using package manager '$1' for file property checks HASH_PKGMGR_MD5:Using MD5 hash function command '$1' to assist package manager verification HASH_PKGMGR_SUM:Using the stored 16-bit checksum for package verification HASH_PKGMGR_NOT_SPEC:No package manager specified: using hash function '$1' HASH_PKGMGR_NOT_SPEC_PRELINKED:No package manager specified: using prelink command with '$1' HASH_FIELD_INDEX:The hash function field index is set to $1 HASHUPD_DISABLED:Hash checks disabled: current file hash values will not be stored HASHUPD_PKGMGR:Using package manager '$1' to update the file hash values HASHUPD_PKGMGR_NOT_SPEC:No file hash update package manager specified: using hash function '$1' HASHUPD_PKGMGR_NOT_SPEC_PRELINKED:No file hash update package manager specified: using prelink command with '$1' ATTRUPD_DISABLED:File attribute checks disabled: current file attributes will not be stored ATTRUPD_NOSTATCMD:File attribute checks disabled: no 'stat' command found: current file attributes will not be stored ATTRUPD_OK:Current 
file attributes will be stored ATTRUPD_OLD_DISABLED:Previous file attributes were disabled: no file attributes were stored ATTRUPD_OLD_NOSTATCMD:Previous file attributes were disabled: no 'stat' command found: no file attributes were stored ATTRUPD_OLD_OK:Previous file attributes were stored RKHDAT_ADD_NEW_ENTRY:Adding file entry to the 'rkhunter.dat' file: $1 RKHDAT_DEL_OLD_ENTRY:Deleting non-existent file entry from the 'rkhunter.dat' file: $1 SYSLOG_ENABLED:Using syslog for some logging - facility/priority level is '$1'. SYSLOG_DISABLED:Disabling use of syslog at users request. SYSLOG_NO_LOGGER:Disabling use of syslog - unable to find 'logger' command. NAME:$1 PRESSENTER:[Press to continue] TEST_SKIPPED_OS:Test '$1' skipped due to O/S: $2 SUMMARY_TITLE1:System checks summary SUMMARY_TITLE2:===================== SUMMARY_PROP_SCAN:File properties checks... SUMMARY_PROP_REQCMDS:Required commands check failed SUMMARY_PROP_COUNT:Files checked: $1 SUMMARY_PROP_FAILED:Suspect files: $1 SUMMARY_CHKS_SKIPPED:All checks skipped SUMMARY_RKT_SCAN:Rootkit checks... SUMMARY_RKT_COUNT:Rootkits checked : $1 SUMMARY_RKT_FAILED:Possible rootkits: $1 SUMMARY_RKT_NAMES:Rootkit names : $1 SUMMARY_APPS_SCAN:Applications checks... SUMMARY_APPS_COUNT:Applications checked: $1 SUMMARY_APPS_FAILED:Suspect applications: $1 SUMMARY_SCAN_TIME:The system checks took: $1 SUMMARY_NO_SCAN_TIME:The system check took: Unable to determine clock time SUMMARY_LOGFILE:All results have been written to the log file ($1) SUMMARY_NO_LOGFILE:No log file created. 
SUMMARY_LOGFILE_COPIED:Log file copied to $1 CREATED_TEMP_FILE:Created temporary file '$1' MIRRORS_NO_FILE:The mirrors file does not exist: $1 MIRRORS_NO_MIRRORS:The mirrors file has no required mirrors in it: $1 MIRRORS_NO_VERSION:The mirrors file has no version number - resetting to zero: $1 MIRRORS_ROTATED:The mirrors file has been rotated: $1 MIRRORS_SF_DEFAULT:Using the SourceForge mirror: $1 DOWNLOAD_CMD:Executing download command '$1' DOWNLOAD_FAIL:Download failed - $1 mirror(s) left. VERSIONCHECK_START:Checking rkhunter version... VERSIONCHECK_FAIL_ALL:Download failed: Unable to determine the latest program version number. VERSIONCHECK_CURRENT:This version : $1 VERSIONCHECK_LATEST:Latest version: $1 VERSIONCHECK_LATEST_FAIL:Latest version: Download failed VERSIONCHECK_UPDT_AVAIL:Update available VERSIONCHECK_CONV_FAIL:Unable to compare version numbers: Program: '$1' Latest: '$2' UPDATE_START:Checking rkhunter data files... UPDATE_CHECKING_FILE:Checking file $1 UPDATE_FILE_NO_VERS:File '$1' has no valid version number. Downloading a new copy. UPDATE_FILE_MISSING:File '$1' is missing or empty. Downloading a new copy. UPDATE_DOWNLOAD_FAIL:Download of '$1' failed: Unable to determine the latest version number. UPDATE_I18N_NO_VERS:No i18n language file version numbers can be found. UPDATE_SKIPPED:Language file update skipped at users request. OSINFO_START:Checking if the O/S has changed since last time... OSINFO_END:Nothing seems to have changed. OSINFO_HOST_CHANGE1:The host name has changed since the last run: OSINFO_HOST_CHANGE2:Old host value: $1 New value: $2 OSINFO_OSVER_CHANGE1:The O/S name or version has changed since the last run: OSINFO_OSVER_CHANGE2:Old O/S value: $1 New value: $2 OSINFO_PRELINK_CHANGE:The system has changed to ${1}using prelinking since the last run. 
OSINFO_ARCH_CHANGE1:The system seems to have changed CPU type: OSINFO_ARCH_CHANGE2:Old CPU value: $1 New value: $2 OSINFO_MSG1:Because of the change(s) the file properties checks may give some false-positive results. OSINFO_MSG2:You may need to re-run rkhunter with the '--propupd' option. OSINFO_DO_UPDT:The file properties file will be automatically updated. SET_FILE_PROP_START:Getting file properties... SET_FILE_PROP_DIR_FILE_COUNT:Found $1 files in $2 SET_FILE_PROP_FILE_COUNT:File $1: searched for $2 files, found $3 SET_FILE_PROP_FILE_COUNT_BL:File $1: searched for $2 files, found $3, broken links $4 SET_FILE_PROP_FILE_COUNT_PROPOPT:File $1: searched for $2 files, found $3 of $4 SET_FILE_PROP_FILE_COUNT_PROPOPT_BL:File $1: searched for $2 files, found $3 of $4, broken links $5 SET_FILE_PROP_FILE_COUNT_NOHASH:File $1: searched for $2 files, found $3, missing hashes $4 SET_FILE_PROP_FILE_COUNT_NOHASH_BL:File $1: searched for $2 files, found $3, missing hashes $4, broken links $5 SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT:File $1: searched for $2 files, found $3 of $4, missing hashes $5 SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT_BL:File $1: searched for $2 files, found $3 of $4, missing hashes $5, broken links $6 PROPUPD_START:Starting file properties data update... PROPUPD_OSINFO_START:Collecting O/S info... PROPUPD_ARCH_FOUND:Found system architecture: $1 PROPUPD_REL_FILE:Found release file: $1 PROPUPD_NO_REL_FILE:Unable to find a release file: LS output shows: PROPUPD_OSNAME_FOUND:Found O/S name: $1 PROPUPD_ERROR:Error installing new rkhunter.dat file. Code $1 PROPUPD_NEW_DAT_FILE:New rkhunter.dat file installed in '$1' PROPUPD_WARN:WARNING! It is the users responsibility to ensure that when the '--propupd' option PROPUPD_WARN:is used, all the files on their system are known to be genuine, and installed from a PROPUPD_WARN:reliable source. 
The rkhunter '--check' option will compare the current file properties PROPUPD_WARN:against previously stored values, and report if any values differ. However, rkhunter PROPUPD_WARN:cannot determine what has caused the change, that is for the user to do. ENABLED_TESTS:Enabled tests are: $1 DISABLED_TESTS:Disabled tests are: $1 USER_FILE_LIST:Including user files for file properties check: USER_CMD_LIST:Including user commands for file properties check: USER_DIR_LIST:Including user directories for file properties check: USER_EXCLUDE_PROP:Excluding from file properties check: KSYMS_FOUND:Found ksym file '$1' KSYMS_UNAVAIL:All ksyms and kallsyms checks will be skipped - the file is unreadable. KSYMS_MISSING:All ksyms and kallsyms checks will be skipped - neither file is present on the system. STARTING_TEST:Starting test name '$1' USER_DISABLED_TEST:Test '$1' disabled at users request. CHECK_START:Starting system checks... CHECK_WARNINGS_NOT_FOUND:No warnings were found while checking the system. CHECK_WARNINGS_FOUND:One or more warnings have been found while checking the system. CHECK_WARNINGS_FOUND_RERUN:Please re-run rkhunter, ensuring that a log file is created. CHECK_WARNINGS_FOUND_CHK_LOG:Please check the log file ($1) CHECK_SYS_COMMANDS:Checking system commands... STRINGS_CHECK_START:Performing 'strings' command checks STRINGS_SCANNING_OK:Scanning for string $1 STRINGS_SCANNING_BAD:Scanning for string $1 STRINGS_SCANNING_BAD:String not found in 'strings' command STRINGS_CHECK:Checking 'strings' command STRINGS_CHECK:Check skipped - no 'strings' command found. FILE_PROP_START:Performing file properties checks FILE_PROP_CMDS:Checking for prerequisites FILE_PROP_IMMUT_OS:Skipping all immutable-bit checks. This check is only available for Linux systems. FILE_PROP_IMMUT_SET:The immutable-bit check will be reversed. FILE_PROP_SKIP_ATTR:Unable to find 'stat' command - all file attribute checks will be skipped. 
FILE_PROP_SKIP_HASH:All file hash checks will be skipped because: FILE_PROP_SKIP_HASH_FUNC:The current hash function ($1) or package manager ($2) is incompatible with the hash function ($3) or package manager ($4) used to store the values. FILE_PROP_SKIP_HASH_PRELINK:Unable to find 'prelink' command. FILE_PROP_SKIP_HASH_SHA1:This system uses prelinking, but the hash function command does not look like SHA1 or MD5. FILE_PROP_SKIP_HASH_LIBSAFE:Libsafe was found, which can cause errors. If possible, disable libsafe and then run the prelink command. Finally, recreate the hash values using 'rkhunter --propupd'. FILE_PROP_SKIP_IMMUT:Unable to find 'lsattr' command - all file immutable-bit checks will be skipped. FILE_PROP_SKIP_IMMUT_CMD:No output from the '$1' command - all file immutable-bit checks will be skipped. FILE_PROP_SKIP_SCRIPT:Unable to find 'file' command - all script replacement checks will be skipped. FILE_PROP_SKIP_FILE_CMD:No output from the 'file' command - all script replacement checks will be skipped. FILE_PROP_NO_OS_WARNING:Warnings of any O/S change have been disabled at the users request. FILE_PROP_OS_CHANGED:The local host configuration or operating system has changed. FILE_PROP_DAT_MISSING:The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'. FILE_PROP_DAT_EMPTY:The file of stored file properties (rkhunter.dat) is empty, and should be created. To do this type in 'rkhunter --propupd'. FILE_PROP_SKIP_ALL:All file property checks are now being skipped. FILE_PROP_DAT_MISSING_INFO:The file properties check will still run as there are checks that can be performed without the rkhunter.dat file. FILE_PROP_FILE_NOT_EXIST:The file '$1' does not exist on the system, but it is present in the rkhunter.dat file. FILE_PROP_WL:Found file '$1': it is whitelisted for the '$2' check. FILE_PROP_WL_STR:Found file '$1' and string '$2': they are whitelisted for the '$3' check. 
FILE_PROP_WL_DIR:Found directory '$1': it is whitelisted for the '$2' check. FILE_PROP_NO_RKH_REC:The file '$1' exists on the system, but it is not present in the rkhunter.dat file. FILE_PROP_CHANGED:The file properties have changed: FILE_PROP_CHANGED2:File: $1 FILE_PROP_NO_PKGMGR_FILE:File '$1' hash value skipped: file does not belong to a package FILE_PROP_NO_SYSHASH:No hash value found for file '$1' FILE_PROP_NO_SYSHASH_BL:The file is a broken link: $1 FILE_PROP_BROKEN_LINK_WL_TGT:Found a broken link, but the targets existence is whitelisted: '$1' FILE_PROP_NO_SYSHASH_CMD:Hash command output: $1 FILE_PROP_NO_SYSHASH_DEPENDENCY:Try running the command 'prelink $1' to resolve dependency errors. FILE_PROP_IGNORE_PRELINK_DEP_ERR:Ignoring prelink dependency error for file '$1' FILE_PROP_SYSHASH_UNAVAIL:Current hash: Unavailable FILE_PROP_SYSHASH_UNAVAIL_BL:Current hash: Unavailable (possible broken link) FILE_PROP_SYSHASH:Current hash: $1 FILE_PROP_RKHHASH:Stored hash : $1 FILE_PROP_NO_RKHHASH:No hash value found for file '$1' in the rkhunter.dat file. FILE_PROP_NO_RKHPERM:No file permissions value found for file '$1' in the rkhunter.dat file. FILE_PROP_PERM_UNAVAIL:Current permissions: Unavailable Stored permissions: $1 FILE_PROP_PERM:Current permissions: $1 Stored permissions: $2 FILE_PROP_UID_UNAVAIL:Current uid: Unavailable Stored uid: $1 FILE_PROP_UID:Current uid: $1 Stored uid: $2 FILE_PROP_NO_RKHUID:No user-id value found for file '$1' in the rkhunter.dat file. FILE_PROP_GID_UNAVAIL:Current gid: Unavailable Stored gid: $1 FILE_PROP_GID:Current gid: $1 Stored gid: $2 FILE_PROP_NO_RKHGID:No group-id value found for file '$1' in the rkhunter.dat file. FILE_PROP_INODE_UNAVAIL:Current inode: Unavailable Stored inode: $1 FILE_PROP_INODE:Current inode: $1 Stored inode: $2 FILE_PROP_NO_RKHINODE:No inode value found for file '$1' in the rkhunter.dat file. 
FILE_PROP_SIZE_UNAVAIL:Current size: Unavailable Stored size: $1 FILE_PROP_SIZE:Current size: $1 Stored size: $2 FILE_PROP_NO_RKHSIZE:No size value found for file '$1' in the rkhunter.dat file. FILE_PROP_SYSDTM_UNAVAIL:Current file modification time: Unavailable FILE_PROP_SYSDTM:Current file modification time: $1 FILE_PROP_RKHDTM:Stored file modification time : $1 FILE_PROP_NO_RKHDTM:No file modification time value found for file '$1' in the rkhunter.dat file. FILE_PROP_NO_SYSATTR:Unable to obtain current properties for file '$1' FILE_PROP_WRITE:Write permission is set on file '$1' for all users. FILE_PROP_SYSPERM_UNAVAIL:Unable to obtain current write permission for file '$1' FILE_PROP_IMMUT:File '$1' has the immutable-bit set. FILE_PROP_IMMUT_NOT_SET:File '$1' does not have the immutable-bit set. FILE_PROP_SCRIPT:The command '$1' has been replaced by a script: $2 FILE_PROP_SCRIPT_RKH:The command '$1' has been replaced and is not a script: $2 FILE_PROP_VRFY:Package manager verification has failed: FILE_PROP_VRFY_HASH:The file hash value has changed FILE_PROP_VRFY_PERM:The file permissions have changed FILE_PROP_VRFY_UID:The file owner has changed FILE_PROP_VRFY_GID:The file group has changed FILE_PROP_VRFY_DTM:The file modification time has changed FILE_PROP_VRFY_SIZE:The file size has changed FILE_PROP_EPOCH_DATE_CMD:Using '$1' to process epoch second times. CHECK_ROOTKITS:Checking for rootkits... ROOTKIT_FILES_DIRS_START:Performing check of known rootkit files and directories ROOTKIT_FILES_DIRS_NAME_LOG:Checking for ${1}... 
ROOTKIT_FILES_DIRS_FILE:Checking for file '$1' ROOTKIT_FILES_DIRS_DIR:Checking for directory '$1' ROOTKIT_FILES_DIRS_KSYM:Checking for kernel symbol '$1' ROOTKIT_FILES_DIRS_FILE_FOUND:File '$1' found ROOTKIT_FILES_DIRS_DIR_FOUND:Directory '$1' found ROOTKIT_FILES_DIRS_KSYM_FOUND:Kernel symbol '$1' found ROOTKIT_FILES_DIRS_STR:Checking for string '$1' ROOTKIT_FILES_DIRS_STR_FOUND:Found string '$1' in file '$2' ROOTKIT_FILES_DIRS_NOFILE:The file '$1' does not exist! ROOTKIT_FILES_DIRS_SINAR_DIR:Checking in '$1' ROOTKIT_FILES_DIRS_SINAR:Found SInAR in: $1 ROOTKIT_LINK_COUNT:Checking hard link count on '$1' ROOTKIT_LINK_COUNT_FAIL:Hard link count from '$1' command: $2 ROOTKIT_LINK_COUNT_CMDERR:Error from '$1' command when checking '$2' ROOTKIT_PHALANX2_LINK_COUNT_FAIL:Hard link check on '$1' failed ROOTKIT_PHALANX2_PROC:Checking process list for process 'ata/0' ROOTKIT_PHALANX2_PROC_FOUND:Found running process 'ata/0' ROOTKIT_PHALANX2_PROC_PPID:Expected 'kthread' parent PID '$1' found parent PID '$2' ROOTKIT_PHALANX2_PROC_PS_ERR:Running 'ps' returned unexpected results: possibly unsupported cmdline arguments. 
ROOTKIT_ADD_START:Performing additional rootkit checks ROOTKIT_ADD_SUCKIT:Suckit Rootkit additional checks ROOTKIT_ADD_SUCKIT_LOG:Performing Suckit Rootkit additional checks ROOTKIT_ADD_SUCKIT_LINK_NOCMD:Checking '/sbin/init' link count: no 'stat' command found ROOTKIT_ADD_SUCKIT_LINK_FOUND:Checking '/sbin/init' link count: count is $1, it should be 1 ROOTKIT_ADD_SUCKIT_EXT:Checking for hidden file extensions ROOTKIT_ADD_SUCKIT_EXT_FOUND:Checking for hidden file extensions: found: $1 ROOTKIT_ADD_SUCKIT_SKDET:Running skdet command ROOTKIT_ADD_SUCKIT_SKDET_FOUND:Running skdet command: found: $1 ROOTKIT_ADD_SUCKIT_SKDET_VER:Running skdet command: unknown version: $1 ROOTKIT_POSS_FILES_DIRS:Checking for possible rootkit files and directories ROOTKIT_POSS_FILES_DIRS_LOG:Performing check of possible rootkit files and directories ROOTKIT_POSS_FILES_FILE_FOUND:Found file '$1'. Possible rootkit: $2 ROOTKIT_POSS_FILES_DIR_FOUND:Found directory '$1'. Possible rootkit: $2 ROOTKIT_POSS_STRINGS:Checking for possible rootkit strings ROOTKIT_POSS_STRINGS_LOG:Performing check for possible rootkit strings ROOTKIT_POSS_STRINGS_FOUND:Found string '$1' in file '$2'.
Possible rootkit: $3 ROOTKIT_MALWARE_START:Performing malware checks ROOTKIT_MALWARE_SUSP_FILES:Checking running processes for suspicious files ROOTKIT_MALWARE_SUSP_FILES_FOUND:The following processes are using suspicious files: ROOTKIT_MALWARE_SUSP_FILES_FOUND_UID:UID: $1 PID: $2 ROOTKIT_MALWARE_SUSP_FILES_FOUND_CMD:Command: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND_PATH:Pathname: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND_RTKT:Possible Rootkit: $1 ROOTKIT_MALWARE_HIDDEN_PROCS:Checking for hidden processes ROOTKIT_MALWARE_HIDDEN_PROCS_NOUNHIDE:The use of '$1' has been disabled at the users request ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_VERS:Found 'unhide' command version: $1 ROOTKIT_MALWARE_HIDDEN_PROCS_UNHIDE_CMD:Using command '$1' ROOTKIT_MALWARE_HIDDEN_PROCS_UNH_ERR:'unhide' not executed: invalid configured test names: $1 ROOTKIT_MALWARE_HIDDEN_PROCS_RUBY_ERR:The 'unhide.rb' command gave an error: ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Hidden processes found: ROOTKIT_MALWARE_DELETED_FILES:Checking running processes for deleted files ROOTKIT_MALWARE_DELETED_FILES_FOUND:The following processes are using deleted files: ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:Process: $1 PID: $2 File: $3 ROOTKIT_MALWARE_DELETED_FILES_WL:Found process '$1' using file '$2': it is whitelisted. ROOTKIT_MALWARE_LOGIN_BDOOR:Checking for login backdoors ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Performing check for login backdoors ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:Checking for '$1' ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Found login backdoor file: $1 ROOTKIT_MALWARE_SUSP_DIR:Checking for suspicious directories ROOTKIT_MALWARE_SUSP_DIR_LOG:Performing check for suspicious directories ROOTKIT_MALWARE_SUSP_DIR_FOUND:Found suspicious directory: $1 ROOTKIT_MALWARE_SFW_INTRUSION:Checking for software intrusions ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:The file '$1' contains the string '$2'. 
Possible rootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Check skipped - tripwire not installed ROOTKIT_MALWARE_SNIFFER:Checking for sniffer log files ROOTKIT_MALWARE_SNIFFER_LOG:Performing check for sniffer log files ROOTKIT_MALWARE_SNIFFER_FOUND:Found possible sniffer log file: $1 ROOTKIT_TROJAN_START:Performing trojan specific checks ROOTKIT_TROJAN_INETD:Checking for enabled inetd services ROOTKIT_TROJAN_INETD_SKIP:Check skipped - file '$1' does not exist. ROOTKIT_TROJAN_INETD_FOUND:Found enabled inetd service: $1 ROOTKIT_TROJAN_XINETD:Checking for enabled xinetd services ROOTKIT_TROJAN_XINETD_LOG:Performing check for enabled xinetd services ROOTKIT_TROJAN_XINETD_ENABLED:Checking '$1' for enabled services ROOTKIT_TROJAN_XINETD_INCLUDE:Found 'include $1' directive ROOTKIT_TROJAN_XINETD_INCLUDEDIR:Found 'includedir $1' directive ROOTKIT_TROJAN_XINETD_ENABLED_FOUND:Found enabled xinetd service: $1 ROOTKIT_TROJAN_XINETD_WHITELIST:Found service '$1': it is $2 whitelisted. ROOTKIT_TROJAN_APACHE:Checking for Apache backdoor ROOTKIT_TROJAN_APACHE_SKIPPED:Apache backdoor check skipped: Apache modules and configuration directories not found. ROOTKIT_TROJAN_APACHE_FOUND:Apache backdoor module 'mod_rootme' found: $1 ROOTKIT_OS_START:Performing $1 specific checks ROOTKIT_OS_SKIPPED:No specific tests available ROOTKIT_OS_BSD_SOCKNET:Checking sockstat and netstat commands ROOTKIT_OS_BSD_SOCKNET_FOUND:Differences found between sockstat and netstat output: ROOTKIT_OS_BSD_SOCKNET_OUTPUT:$1 output (ports in use): $2 ROOTKIT_OS_FREEBSD_KLD:Checking for KLD backdoors ROOTKIT_OS_FREEBSD_KLD_FOUND:Found possible FreeBSD KLD backdoor. 'kldstat -v' command shows string '$1' ROOTKIT_OS_FREEBSD_PKGDB:Checking package database ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:The package database seems to have inconsistencies. ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:This may not be a security issue, but running 'pkgdb -F' may help diagnose the problem. 
ROOTKIT_OS_DFLY_PKGDB_NOTOK:The package database seems to have inconsistencies. ROOTKIT_OS_DFLY_PKGDB_NOTOK:This may not be a security issue, but running 'pkg_admin check' may help diagnose the problem. ROOTKIT_OS_LINUX_LKM:Checking loaded kernel modules ROOTKIT_OS_LINUX_LKM_FOUND:Differences found between the lsmod command and the /proc/modules file: ROOTKIT_OS_LINUX_LKM_OUTPUT:$1 output: $2 ROOTKIT_OS_LINUX_LKM_EMPTY:No output found from the lsmod command or the /proc/modules file: ROOTKIT_OS_LINUX_LKM_MOD_MISSING:The modules file '$1' is missing. ROOTKIT_OS_LINUX_LKMNAMES:Checking kernel module names ROOTKIT_OS_LINUX_LKMNAMES_PATH:Using modules pathname of '$1' ROOTKIT_OS_LINUX_LKMNAMES_FOUND:Known bad kernel module found in '$1': $2 ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING:The kernel modules directory '$1' is missing or empty. CHECK_LOCALHOST:Checking the local host... STARTUP_FILES_START:Performing system boot checks STARTUP_HOSTNAME:Checking for local host name STARTUP_NO_HOSTNAME:No host name found. STARTUP_CHECK_FILES_EXIST:Checking for system startup files STARTUP_NONE_GIVEN:User specified 'NONE' for startup file pathnames STARTUP_CHECK_FILES_MALWARE:Checking system startup files for malware STARTUP_CHECK_NO_RC_FILES:No system startup files found. ACCOUNTS_START:Performing group and account checks ACCOUNTS_PWD_FILE_CHECK:Checking for passwd file ACCOUNTS_FOUND_PWD_FILE:Found password file: $1 ACCOUNTS_NO_PWD_FILE:Password file $1 does not exist. ACCOUNTS_UID0:Checking for root equivalent (UID 0) accounts ACCOUNTS_UID0_WL:Found root equivalent account '$1': it is whitelisted. ACCOUNTS_UID0_FOUND:Account '$1' is root equivalent (UID = 0) ACCOUNTS_SHADOW_FILE:Found shadow file: $1 ACCOUNTS_SHADOW_TCB:Found TCB shadow file directory: $1 ACCOUNTS_PWDLESS:Checking for passwordless accounts ACCOUNTS_PWDLESS_WL:Found passwordless account '$1': it is whitelisted. 
ACCOUNTS_PWDLESS_FOUND:Found passwordless account in $1 file: $2 ACCOUNTS_NO_SHADOW_FILE:No shadow/password file found. PASSWD_CHANGES:Checking for passwd file changes PASSWD_CHANGES_NO_TMP:Unable to check for passwd file differences: no copy of the passwd file exists. PWD_CHANGES_IDADD:User '$1' has been added to the passwd file. PWD_CHANGES_IDREM:User '$1' has been removed from the passwd file. PWD_CHANGES_FOUND:Changes found in the passwd file for user '$1': PWDGRP_CHANGES_UNK:Unknown field found in the $1 file: Old field: '$2' New field: '$3' PWD_CHANGES_PWD:The passwd has changed from '$1' to '$2' PWD_CHANGES_UID:The UID has changed from '$1' to '$2' PWD_CHANGES_GID:The GID has changed from '$1' to '$2' PWD_CHANGES_COMM:The account comment has changed from '$1' to '$2' PWD_CHANGES_HOME:The home directory has changed from '$1' to '$2' PWD_CHANGES_SHL:The login shell has changed from '$1' to '$2' GROUP_CHANGES:Checking for group file changes GROUP_CHANGES_NO_FILE:Group file $1 does not exist. GROUP_CHANGES_NO_TMP:Unable to check for group file differences: no copy of the group file exists. GROUP_CHANGES_FOUND:Changes found in the group file for group '$1': GROUP_CHANGES_IDADD:Group '$1' has been added to the group file. GROUP_CHANGES_IDREM:Group '$1' has been removed from the group file. 
GROUP_CHANGES_PWD:The group passwd has changed from '$1' to '$2' GROUP_CHANGES_GID:The group number has changed from '$1' to '$2' GROUP_CHANGES_GRPREM:User '$1' has been removed from the group GROUP_CHANGES_GRPADD:User '$1' has been added to the group HISTORY_CHECK:Checking root account shell history files HISTORY_CHECK_FOUND:Root account $1 shell history file is a symbolic link: $2 SYSTEM_CONFIGS_START:Performing system configuration file checks SYSTEM_CONFIGS_FILE:Checking for $1 configuration file SYSTEM_CONFIGS_FILE_FOUND:Found $1 configuration file: $2 SYSTEM_CONFIGS_SSH_ROOT:Checking if SSH root access is allowed SYSTEM_CONFIGS_SSH_ROOT_FOUND:The SSH and rkhunter configuration options should be the same: SYSTEM_CONFIGS_SSH_ROOT_FOUND1:SSH configuration option 'PermitRootLogin': $1 SYSTEM_CONFIGS_SSH_ROOT_FOUND2:Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': $1 SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:The SSH configuration option 'PermitRootLogin' has not been set. SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:The default value may be 'yes', to allow root access. SYSTEM_CONFIGS_SSH_PROTO:Checking if SSH protocol v1 is allowed SYSTEM_CONFIGS_SSH_PROTO_DIFF1:SSH configuration option 'Protocol': $1 SYSTEM_CONFIGS_SSH_PROTO_DIFF2:Rkhunter configuration option 'ALLOW_SSH_PROT_V1': $1 SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The SSH configuration option 'Protocol' has not been set. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The default value may be '2,1', to allow the use of protocol version 1. SYSTEM_CONFIGS_SYSLOG:Checking for running syslog daemon SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:The syslog daemon is not running. SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon is not running, but a metalog daemon has been found. SYSTEM_CONFIGS_SYSLOG_SOCKLOG_RUNNING:The syslog daemon is not running, but a socklog daemon has been found. SYSTEM_CONFIGS_SYSLOG_NO_FILE:The syslog daemon is running, but no configuration file can be found. 
SYSTEM_CONFIGS_SYSLOG_REMOTE:Checking if syslog remote logging is allowed SYSTEM_CONFIGS_SYSLOG_REMOTE_LOG:Configuration file allows remote logging: $1 SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:$1 configuration file allows remote logging: $2 SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED:Rkhunter configuration option 'ALLOW_SYSLOG_REMOTE_LOGGING' has been enabled. FILESYSTEM_START:Performing filesystem checks FILESYSTEM_DEV_CHECK:Checking /dev for suspicious file types FILESYSTEM_DEV_CHECK_NO_DEV:/dev does not exist. FILESYSTEM_DEV_FILE_WL:Found file '$1': it is whitelisted. FILESYSTEM_DEV_FILE_FOUND:Suspicious file types found in ${1}: FILESYSTEM_HIDDEN_DIR_WL:Found hidden directory '$1': it is whitelisted. FILESYSTEM_HIDDEN_FILE_WL:Found hidden file '$1': it is whitelisted. FILESYSTEM_HIDDEN_CHECK:Checking for hidden files and directories FILESYSTEM_HIDDEN_DIR_FOUND:Hidden directory found: '$1' FILESYSTEM_HIDDEN_FILE_FOUND:Hidden file found: $1 CHECK_APPS:Checking application versions... APPS_NONE_FOUND:No known applications found - all version checks skipped. APPS_DAT_MISSING:The file of unsecure application versions is missing or empty: $1 APPS_DAT_MISSING:Run 'rkhunter --update' to restore the default file. APPS_DAT_NOTAFILE:The file of unsecure application versions is not a file: $1 APPS_NOT_FOUND:Application '$1' not found. APPS_CHECK:Checking version of $1 APPS_CHECK_WL:Found application '$1': it is whitelisted. APPS_CHECK_VERSION_UNKNOWN:Unable to obtain version number for '$1'. APPS_CHECK_VERSION_FOUND:Application '$1' version '$2' found. APPS_CHECK_VERSION_WL:Found application '$1' version '$2': this version is whitelisted. APPS_CHECK_WHOLE_VERSION_USED:Unable to obtain version number for '$1': version option gives: $2 APPS_CHECK_FOUND:Application '$1', version '$2', is out of date, and possibly a security risk. APPS_TOTAL_COUNT:Applications checked: $1 out of $2 CHECK_NETWORK:Checking the network... 
NETWORK_PORTS_START:Performing checks on the network ports NETWORK_PORTS_BACKDOOR:Checking for backdoor ports NETWORK_PORTS_BACKDOOR_LOG:Performing check for backdoor ports NETWORK_PORTS_FILE_MISSING:The file of known backdoor ports is missing or empty: $1 NETWORK_PORTS_FILE_MISSING:Run 'rkhunter --update' to restore the default file. NETWORK_PORTS_FILE_NOTAFILE:The file of known backdoor ports is not a file: $1 NETWORK_PORTS_UNKNOWN_NETSTAT:All backdoor port checks skipped. NETWORK_PORTS_UNKNOWN_NETSTAT:Unknown netstat command format with this O/S. NETWORK_PORTS_DISABLE_PATHS:Disabling pathnames and '*' in PORT_WHITELIST setting: no 'lsof' command present. NETWORK_PORTS_ENABLE_TRUSTED:Trusted pathnames are enabled for port whitelisting. NETWORK_PORTS_BACKDOOR_CHK:Checking for $1 port $2 NETWORK_PORTS_PATH_WHITELIST:Network $1 port $2 is being used by $3: the pathname is whitelisted. NETWORK_PORTS_TRUSTED_WHITELIST:Network $1 port $2 is being used by $3: the pathname is trusted. NETWORK_PORTS_PORT_WHITELIST:Network $1 port $2 found: the port is whitelisted. NETWORK_PORTS_BKDOOR_FOUND:Network $1 port $2 is being used${3}. Possible rootkit: $4 NETWORK_PORTS_BKDOOR_FOUND:Use the 'lsof -i' or 'netstat -an' command to check this. NETWORK_HIDDEN_PORTS:Checking for hidden ports NETWORK_HIDDEN_PORTS_FOUND:Hidden ports found: NETWORK_HIDDEN_PORTS_CHK:Port number: $1:$2 NETWORK_HIDDEN_PORTS_CHK_NAME:Port number: $1:$2 is being used by $3 NETWORK_HIDDEN_PORTS_PATH_WHITELIST:Hidden $1 port $2 is being used by $3: the pathname is whitelisted. NETWORK_HIDDEN_PORTS_TRUSTED_WHITELIST:Hidden $1 port $2 is being used by $3: the pathname is trusted. NETWORK_HIDDEN_PORTS_PORT_WHITELIST:Hidden $1 port $2 found: the port is whitelisted. 
NETWORK_INTERFACE_START:Performing checks on the network interfaces NETWORK_PROMISC_WLIST:Network interfaces allowed to be in promiscuous mode: $1 NETWORK_PROMISC_CHECK:Checking for promiscuous interfaces NETWORK_PROMISC_NO_IFCONFIG:Promiscuous network interface check skipped - unable to find the 'ifconfig' command. NETWORK_PROMISC_NO_IP:Promiscuous network interface check using 'ip' command skipped - unable to find the 'ip' command. NETWORK_PROMISC_IF:Possible promiscuous interfaces: NETWORK_PROMISC_IF_1:'ifconfig' command output: NETWORK_PROMISC_IF_2:'ip' command output: NETWORK_PACKET_CAP_CHECK:Checking for packet capturing applications NETWORK_PACKET_CAP_CHECK_NO_FILE:Packet capturing application check skipped - the '$1' file is missing. NETWORK_PACKET_CAP_FOUND:Process '$1' (PID $2) is listening on the network. NETWORK_PACKET_CAP_WL:Found process '$1': it is whitelisted. SHARED_LIBS_START:Performing 'shared libraries' checks SHARED_LIBS_PRELOAD_VAR:Checking for preloading variables SHARED_LIBS_PRELOAD_VAR_FOUND:Found library preload variable(s): $1 SHARED_LIBS_PRELOAD_FILE:Checking for preloaded libraries SHARED_LIBS_PRELOAD_LIB_FOUND:Found preloaded shared library: $1 SHARED_LIBS_PRELOAD_FILE_FOUND:Found library preload file: $1 SHARED_LIBS_PRELOAD_LIB_WLIST:Found preloaded shared library '$1': it is whitelisted. SHARED_LIBS_PATH:Checking LD_LIBRARY_PATH variable SHARED_LIBS_PATH_BAD:The LD_LIBRARY_PATH environment variable is set and can influence binaries: set to: $1 SUSPSCAN_CHECK:Checking for files with suspicious contents SUSPSCAN_DIR_NOT_EXIST:The directory '$1' does not exist. SUSPSCAN_INSPECT:File '$1' (score: $2) contains some suspicious content and should be checked. 
SUSPSCAN_START:Performing check of files with suspicious contents SUSPSCAN_DIRS:Directories to check are: $1 SUSPSCAN_NO_DIRS:No directories specified: using defaults ($1) SUSPSCAN_TEMP:Temporary directory to use: $1 SUSPSCAN_NO_TEMP:No temporary directory specified: using default ($1) SUSPSCAN_SIZE:Maximum file size to check (in bytes): $1 SUSPSCAN_NO_SIZE:No maximum file size specified: using default ($1) SUSPSCAN_THRESH:Score threshold is set to: $1 SUSPSCAN_NO_THRESH:No score threshold specified: using default ($1) SUSPSCAN_DIR_CHECK:Checking directory: '$1' SUSPSCAN_FILE_CHECK:File checked: Name: '$1' Score: $2 SUSPSCAN_FILE_CHECK_DEBUG:File checked: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4) SUSPSCAN_FILE_SKIPPED_EMPTY:File ignored: empty: '$1' SUSPSCAN_FILE_SKIPPED_LINK:File ignored: symbolic link: '$1' SUSPSCAN_FILE_SKIPPED_TYPE:File ignored: wrong type: '$1': '$2' SUSPSCAN_FILE_SKIPPED_SIZE:File ignored: too big: '$1' SUSPSCAN_FILE_LINK_CHANGE:Symbolic link found: '$1' -> '$2' SUSPSCAN_DAT_MISSING:The data file of suspicious contents is missing or empty: $1 SUSPSCAN_DAT_MISSING:Run 'rkhunter --update' to restore the default file. SUSPSCAN_DAT_NOTAFILE:The data file of suspicious contents is not a file: $1 LIST_TESTS:Current test names: LIST_GROUPED_TESTS:Grouped test names: LIST_LANGS:Current languages: LIST_PERL:Perl module installation status: LIST_RTKTS:Rootkits checked for: LOCK_USED:Locking is being used: timeout is $1 seconds LOCK_UNUSED:Locking is not being used LOCK_WAIT:Waiting for lock file LOCK_FAIL:Unable to get the lock file: rkhunter has not run! rkhunter-1.4.0/files/i18n/cn0000640000123200012320000007007711254021420015516 0ustar unspawnunspawnVersion:2009091601 # # We start with the definitions of the message types and results. There # are very few of these, so including these and all the parts of each # message in one file makes sense and for easier translation. # # The message type MSG_TYPE_PLAIN is used for ordinary messages. 
It has # no specific value, and is intercepted in the display function. It is # included here for completeness. The index names of MSG_TYPE_ and # MSG_RESULT_ are reserved - no messages can use this as part of its index. # MSG_TYPE_PLAIN: MSG_TYPE_INFO:ä¿¡æ¯ MSG_TYPE_WARNING:警告 # # This is the list of message results. # MSG_RESULT_OK:正常 MSG_RESULT_SKIPPED:跳过 MSG_RESULT_WARNING:警告 MSG_RESULT_FOUND:å‘现 MSG_RESULT_NOT_FOUND:没å‘现 MSG_RESULT_NONE_FOUND:没å‘现 MSG_RESULT_ALLOWED:å…许 MSG_RESULT_NOT_ALLOWED:ä¸å…许 MSG_RESULT_UNSET:没设置 MSG_RESULT_UPD: æ›´æ–°çš„ MSG_RESULT_NO_UPD: 没更新 MSG_RESULT_UPD_FAILED: 更新失败 MSG_RESULT_VCHK_FAILED: 版本检查失败 # # The messages. # VERSIONLINE:[ $1 版本 $2 ] VERSIONLINE2:è¿è¡Œ $1 版本 $2 在 $3 VERSIONLINE3:è¿è¡Œ $1 版本 $2 RKH_STARTDATE:开始时间是 $1 RKH_ENDDATE:ç»“æŸæ—¶é—´æ˜¯ $1 OPSYS:探测到的系统是 '$1' UNAME:Uname 输出是 '$1' CONFIG_CHECK_START:检查é…置文件åŠå‘½ä»¤è¡Œé€‰é¡¹... CONFIG_CMDLINE:命令行是 $1 CONFIG_ENVSHELL:环境 shell 是 $1; rkhunter 正在使用 $2 CONFIG_CONFIGFILE:正在使用é…置文件 '$1' CONFIG_INSTALLDIR:安装目录是'$1' CONFIG_LANGUAGE:使用语言是 '$1' CONFIG_DBDIR:使用 '$1' 作为数æ®åº“目录 CONFIG_SCRIPTDIR:使用 '$1' 支æŒè„šæœ¬ç›®å½• CONFIG_BINDIR:使用 '$1' 作为命令目录 CONFIG_ROOTDIR:使用 '$1' 作为root 目录 CONFIG_TMPDIR:使用 '$1' 作为临时文件夹 CONFIG_NO_MAIL_ON_WARN:没有é…ç½®è­¦å‘Šä¿¡çš„åœ°å€ CONFIG_MOW_DISABLED:æ ¹æ®ç”¨æˆ·è¦æ±‚,ä¸ä½¿ç”¨è­¦å‘Šä¿¡ CONFIG_MAIL_ON_WARN:使用命令'$2'ç»™ '$1' å‘警告信 CONFIG_SSH_ROOT:Rkhunter 的选项 ALLOW_SSH_ROOT_USERè¢«è®¾ç½®æˆ '$1'. CONFIG_SSH_PROTV1:Rkhunter 选项 ALLOW_SSH_PROT_V1 设置为 '$1'. 
CONFIG_X_AUTO:自动检测X CONFIG_CLRSET2:使用第二é…色方案 CONFIG_NO_SHOW_SUMMARY:æ ¹æ®ç”¨æˆ·è¦æ±‚䏿£€æµ‹ç³»ç»Ÿæ€»å†µ CONFIG_SCAN_MODE_DEV:SCAN_MODE_DEV被设置为'$1' CONFIG_NO_VL:æ ¹æ®ç”¨æˆ·è¦æ±‚ä¸è®°å½•详细的日志 CONFIG_XINETD_PATH:使用 $1 é…置文件 '$2' CONFIG_SOL10_INETD:使用Solaris 10 åŠä»¥åŽçš„inetd机制 CONFIG_LOCAL_RC_DIR:使用系统的å¯åŠ¨ç›®å½•: $1 CONFIG_LOCAL_RC_FILE:使用本地的å¯åŠ¨ç›®å½•æ–‡ä»¶: $1 CONFIG_ROTATE_MIRRORS:é•œåƒæ–‡ä»¶å°†è¢« rotated ONFIG_NO_ROTATE_MIRRORS:é•œåƒæ–‡ä»¶å°†ä¸è¢«rotated CONFIG_UPDATE_MIRRORS:é•œåƒæ–‡ä»¶å°†è¢«æ›´æ–° CONFIG_NO_UPDATE_MIRRORS:é•œåƒæ–‡ä»¶å°†ä¸è¢«æ›´æ–° CONFIG_MIRRORS_MODE0:æœ¬åœ°å’Œè¿œç¨‹é•œåƒæ–‡ä»¶å°†éƒ½è¢«ä½¿ç”¨ CONFIG_MIRRORS_MODE1:åªä½¿ç”¨æœ¬åœ°é•œåƒæ–‡ä»¶ CONFIG_MIRRORS_MODE2:åªä½¿ç”¨è¿œç¨‹é•œåƒæ–‡ä»¶ FOUND_CMD:找到 '$1' 命令: $2 NOT_FOUND_CMD:无法找到'$1' 命令 CMD_ERROR:命令 '$1' é‡åˆ°é”™è¯¯ç  $2. SYS_PRELINK:系统正在使用prelinking SYS_NO_PRELINK:系统没用prelinking SYS_SELINUX:SELinux å·²å¯ç”¨ SYS_NO_SELINUX:SELinux 没å¯ç”¨ HASH_FUNC_PRELINK:为了文件的 hash 检测而使用 prelink 命令 (带 $1) HASH_FUNC_PERL:使用 perl $1 æ¨¡å—æ¥æ£€æŸ¥æ–‡ä»¶hash HASH_FUNC:使用 '$1'命令检查文件hash HASH_FUNC_NONE:无法检查文件hash : 没指定 HASH_FUNC_NONE_PKGMGR:没有指定文件hash函数: åªèƒ½ä½¿ç”¨åŒ…管ç†å™¨ HASH_FUNC_DISABLED:Hash函数设置为'NONE': 自动使文件hash检查无效 HASH_FUNC_OLD:使用hash函数 '$1'储存hash值 HASH_FUNC_OLD_DISABLED:原先的hash函数无效: 没有hash值值被ä¿å­˜ HASH_PKGMGR_OLD:使用包管ç†å™¨'$1'(md5 function)存储hash值 HASH_PKGMGR_OLD_UNSET:没使用包管ç†å™¨å­˜å‚¨hash值 HASH_PKGMGR:使用包管ç†å™¨ '$1' 检查文件属性 HASH_PKGMGR_MD5:使用 MD5 hash 函数命令 '$1' 辅助包管ç†å™¨çš„éªŒè¯ HASH_PKGMGR_NOT_SPEC:没有指定包管ç†å™¨: 使用 hash 函数 '$1' HASH_PKGMGR_NOT_SPEC_PRELINKED:没有指定包管ç†å™¨: 使用带 '$1' çš„ prelink 命令 HASH_FIELD_INDEX:hash 函数的域索引被设置为 $1 HASHUPD_DISABLED:Hash 检测失效: 当剿–‡ä»¶hash值将ä¸ä¼šä¿å­˜ HASHUPD_PKGMGR:使用包管ç†å™¨ '$1' æ¥æ›´æ–°æ–‡ä»¶hash值 HASHUPD_PKGMGR_NOT_SPEC:没有指定文件 hash 更新包管ç†å™¨: 使用 hash 函数 '$1' HASHUPD_PKGMGR_NOT_SPEC_PRELINKED:没有指定文件 hash 更新包管ç†å™¨: 使用带 '$1'çš„ prelink 命令 ATTRUPD_DISABLED:文件属性检测失效: 当剿–‡ä»¶å±žæ€§å°†ä¸ä¼šä¿å­˜ ATTRUPD_NOSTATCMD:文件属性检测失效: 没有å‘现'stat'命令:当剿–‡ä»¶å±žæ€§å°†ä¸ä¼šä¿å­˜ 
ATTRUPD_OK:当剿–‡ä»¶å±žæ€§å°†è¢«ä¿å­˜ ATTRUPD_OLD_DISABLED:原先文件属性无效: 没有文件属性ä¿å­˜ ATTRUPD_OLD_NOSTATCMD:原先文件属性无效: 没有å‘现'stat'命令: 没有文件属性被ä¿å­˜ ATTRUPD_OLD_OK:原先文件属性被ä¿å­˜ GRSECINSTALLED:å‘现安装有grsecurity SYSLOG_ENABLED:因为一些logging使用 syslog - facility/priority 级别是 '$1'. SYSLOG_DISABLED:æ ¹æ®ç”¨æˆ·è¦æ±‚ä¸ä½¿ç”¨ syslog . SYSLOG_NO_LOGGER:无法使用 syslog - 无法找到 'logger' 命令. NAME:$1 PRESSENTER:[敲 键继续] TEST_SKIPPED_OS:因为 O/S: $2,检测 '$1' 被跳过 SUMMARY_TITLE1:ç³»ç»Ÿæ£€æµ‹æ¦‚è¦ SUMMARY_TITLE2:===================== SUMMARY_PROP_SCAN:检测文件属性... SUMMARY_PROP_REQCMDS:请求的检测命令失败 SUMMARY_PROP_COUNT:检测文件: $1 SUMMARY_PROP_FAILED:å¯ç–‘文件: $1 SUMMARY_CHKS_SKIPPED:跳过所有检测 SUMMARY_RKT_SCAN:检测Rootkit... SUMMARY_RKT_COUNT:检测Rootkits : $1 SUMMARY_RKT_FAILED:å¯èƒ½å­˜åœ¨ rootkits: $1 SUMMARY_RKT_NAMES:Rootkit åç§° : $1 SUMMARY_APPS_SCAN:åº”ç”¨ç¨‹åºæ£€æµ‹... SUMMARY_APPS_COUNT:åº”ç”¨ç¨‹åºæ£€æµ‹: $1 SUMMARY_APPS_FAILED:å¯ç–‘的应用程åº: $1 SUMMARY_SCAN_TIME:检查系统用时: $1 SUMMARY_NO_SCAN_TIME:检查系统用时: 无法计算时钟时间 SUMMARY_LOGFILE:所有结果已被写入到日志文件($1) SUMMARY_NO_LOGFILE:没有创建日志文件. CREATED_TEMP_FILE:创建临时文件夹 '$1' MIRRORS_NO_FILE:镜象文件'$1'ä¸å­˜åœ¨ MIRRORS_NO_MIRRORS:é•œåƒæ–‡ä»¶ '$1' 中没有需è¦çš„镜åƒ. MIRRORS_NO_VERSION:镜象文件 '$1'ä¸­æ²¡æœ‰ç‰ˆæœ¬å· - 釿–°è®¾ç½®ä¸º0. MIRRORS_ROTATED:镜象文件 '$1' 已被更新. MIRRORS_SF_DEFAULT:使用 SourceForge 镜åƒ: $1 DOWNLOAD_CMD:执行下载命令 '$1' DOWNLOAD_FAIL:下载失败 - $1 镜象文件无效. VERSIONCHECK_START:正在检查 rkhunter 版本... VERSIONCHECK_FAIL_ALL:下载失败: 无法确定最新的程åºç‰ˆæœ¬. VERSIONCHECK_CURRENT:本版本 : $1 VERSIONCHECK_LATEST:最新的版本: $1 VERSIONCHECK_LATEST_FAIL:最新版本: 下载失败 VERSIONCHECK_UPDT_AVAIL:更新有效 VERSIONCHECK_CONV_FAIL:无法比较版本å·: 程åº: '$1' Latest: '$2' UPDATE_START:正在检查rkhunter çš„æ•°æ®æ–‡ä»¶... UPDATE_CHECKING_FILE:正在检查文件$1 UPDATE_FILE_NO_VERS:文件 '$1' 没有有效的版本å·. 正下载一个新的副本. UPDATE_FILE_MISSING:文件 '$1' 丢失或为空. 正下载一个新的副本. UPDATE_DOWNLOAD_FAIL:'$1'下载失败: 无法确定最新的版本å·. UPDATE_I18N_NO_VERS:无法å‘现i18n语言文件版本å·. OSINFO_START:检查自上次检测åŽç³»ç»Ÿæ˜¯å¦å·²æ”¹å˜... 
OSINFO_END:没å‘现任何东西已å˜åŒ– OSINFO_HOST_CHANGE1:自上检测åŽï¼Œhostå称已改å˜: OSINFO_HOST_CHANGE2:æ—§çš„host值: $1 新的值: $2 OSINFO_OSVER_CHANGE1:自上次检测åŽï¼Œç³»ç»Ÿå称或版本已改å˜: OSINFO_OSVER_CHANGE2:æ—§çš„O/S值: $1 新的值: $2 OSINFO_PRELINK_CHANGE:自上次检测åŽï¼Œä½¿ç”¨prelinking系统å¯èƒ½å·²æ”¹å˜ä¸º${1}: OSINFO_ARCH_CHANGE1:系统的CPU类型å¯èƒ½å·²å˜åŒ–: OSINFO_ARCH_CHANGE2:æ—§çš„CPU值: $1 新的值: $2 OSINFO_MSG1:因为这些改å˜ï¼Œæ–‡ä»¶å±žæ€§æ£€æµ‹å¯èƒ½å¾—出错误的结果. OSINFO_MSG2:ä½ å¯èƒ½éœ€è¦ç”¨'--propupd' 选项釿–°è¿è¡Œrkhunter SET_FILE_PROP_START: file propertiesæ­£åœ¨èŽ·å–æ–‡ä»¶å±žæ€§... SET_FILE_PROP_DIR_FILE_COUNT:在$2å‘现$1 个文件 SET_FILE_PROP_FILE_COUNT:文件 $1: æœç´¢äº† $2 个文件, å‘现 $3 SET_FILE_PROP_FILE_COUNT_NOHASH:F文件 $1: æœç´¢äº† $2 个文件, å‘现 $3, 丢失 hashes $4 PROPUPD_START:开始更新文件属性数æ®... PROPUPD_OSINFO_START:正在收集 O/S ä¿¡æ¯... PROPUPD_ARCH_FOUND:å‘现系统体系: $1 PROPUPD_REL_FILE:å‘现 release 文件: $1 PROPUPD_NO_REL_FILE:ä¸èƒ½æ‰¾åˆ°release 文件: LS output shows: PROPUPD_OSNAME_FOUND:å‘现 O/S åç§°: $1 PROPUPD_ERROR:安装新的 rkhunter.dat 文件å‘生错误. ä»£ç  $1 PROPUPD_NEW_DAT_FILE:æ–°çš„ rkhunter.dat 文件已安装在 '$1' PROPUPD_WARN:警告! 当使用 '--propupd' é€‰é¡¹æ—¶ç”¨æˆ·å¿…é¡»è´Ÿè´£ç¡®ä¿ PROPUPD_WARN:系统中所有的文件已知是真实的, 并且是安装于å¯é çš„ PROPUPD_WARN:æºæ–‡ä»¶. rkhunter '--check' 选项将当剿–‡ä»¶å±žæ€§ä¸Žå…ˆå‰ PROPUPD_WARN:ä¿å­˜çš„值进行对比,并且报告任何å˜åŒ–的值. 然而, rkhunter PROPUPD_WARN:无法确定是什么导致了这个å˜åŒ–,它有待用户去确认. ENABLED_TESTS:生效的测试是: $1 DISABLED_TESTS:失效的测试是: $1 KSYMS_FOUND:å‘现 ksym 文件 '$1' KSYMS_MISSING:所有的 ksyms å’Œ kallsyms æ£€æµ‹å·²è¢«å–æ¶ˆ - è¿™ä¸¤ç§æ–‡ä»¶åœ¨ç³»ç»Ÿä¸­éƒ½ä¸å­˜åœ¨. STARTING_TEST:开始 '$1' 检测 USER_DISABLED_TEST:ç”¨æˆ·å·²å–æ¶ˆ '$1' 检测t. CHECK_START:开始检测系统... CHECK_WARNINGS_NOT_FOUND:在检测系统过程中没有报警产生. CHECK_WARNINGS_FOUND:检测系统过程中å‘现一个或多个报警. CHECK_WARNINGS_FOUND_RERUN:è¯·é‡æ–°è¿è¡Œrkhunter,确认日志文件已创建. CHECK_WARNINGS_FOUND_CHK_LOG:请检查日志文件 ($1) CHECK_SYS_COMMANDS:检查系统命令... 
STRINGS_CHECK_START:执行 '字符串' 命令检测 STRINGS_SCANNING_OK:扫æå­—符串 $1 STRINGS_SCANNING_BAD:扫æå­—符串 $1 STRINGS_SCANNING_BAD:'字符串' 命令中无法å‘现字符串 STRINGS_CHECK:检测 '字符串' 命令 STRINGS_CHECK:跳过检测 - 没有å‘现 '字符串' 命令. FILE_PROP_START:执行文件属性检测 FILE_PROP_CMDS:检测先决æ¡ä»¶ FILE_PROP_IMMUT_OS:跳过所有的 immutable-bit 检测. 该检测仅仅在 Linux 系统下有效. FILE_PROP_SKIP_ATTR:无法找到 'stat' 命令 - 所有的文件属性检测将被跳过. FILE_PROP_SKIP_HASH:所有的文件 hash 检测将被跳过,因为 : FILE_PROP_SKIP_HASH_FUNC:当å‰çš„ hash 函数 ($1) 或者包管ç†å™¨ ($2) 与 hash 函数 ($3)ä¸å…¼å®¹æˆ–包管ç†å™¨ ($4) 被用于ä¿å­˜è¿™äº›å€¼. FILE_PROP_SKIP_HASH_PRELINK:无法找到 'prelink' 命令. FILE_PROP_SKIP_HASH_SHA1:这个系统使用 prelinking, 但是 hash 函数命令 ä¸åƒæ˜¯ SHA1 or MD5. FILE_PROP_SKIP_HASH_LIBSAFE:没å‘现 Libsafe , è¿™å¯èƒ½å¯¼è‡´é”™è¯¯. 如果å¯èƒ½, 让 libsafe 失效并è¿è¡Œ prelink 命令. 最åŽ, 使用 'rkhunter --propupd'釿–°åˆ›å»º hash 值. FILE_PROP_SKIP_IMMUT:无法找到 'lsattr' 命令 - 所有的文件 immutable-bit 检测将被跳过. FILE_PROP_SKIP_SCRIPT:无法找到 'file' 命令 - 所有脚本代替检测将被跳过. FILE_PROP_OS_CHANGED:本地hosté…置或æ“ä½œç³»ç»Ÿå·²ç»æ”¹å˜. FILE_PROP_DAT_MISSING:ä¿å­˜æ–‡ä»¶å±žæ€§çš„æ–‡ä»¶ (rkhunter.dat) ä¸å­˜åœ¨, 所以必须创建它. 输入命令 'rkhunter --propupd'创建. FILE_PROP_DAT_EMPTY:ä¿å­˜æ–‡ä»¶å±žæ€§çš„æ–‡ä»¶ (rkhunter.dat) 是空的, 所以必须创建它. 输入命令 'rkhunter --propupd'创建. FILE_PROP_SKIP_ALL:现忽略所有文件属性的检测. FILE_PROP_FILE_NOT_EXIST:系统中ä¸å­˜åœ¨ '$1' 文件, 但是它列于 rkhunter.dat 文件. FILE_PROP_WL:å‘现文件 '$1': 它列于白åå•中用于 '$2' 检测. FILE_PROP_WL_DIR:å‘现目录 '$1': 针对于 '$2' 检测,它列于白åå•. FILE_PROP_NO_RKH_REC:系统中存在文件 '$1' , 但是它ä¸åˆ—于 the rkhunter.dat 文件. FILE_PROP_CHANGED:文件属性已改å˜: FILE_PROP_CHANGED2:文件: $1 FILE_PROP_NO_PKGMGR_FILE:跳过文件 '$1' hash 值: 文件ä¸å±žäºŽè¯¥åŒ… FILE_PROP_NO_SYSHASH:没å‘现文件 '$1'çš„hash值 FILE_PROP_NO_SYSHASH_CMD:Hash 命令输出: $1 FILE_PROP_NO_SYSHASH_DEPENDENCY:å°è¯•使用命令 'prelink $1' ä¿®å¤ä¾èµ–错误. FILE_PROP_SYSHASH_UNAVAIL:å½“å‰ hash: æ— æ³•èŽ·å– FILE_PROP_SYSHASH:å½“å‰ hash: $1 FILE_PROP_RKHHASH:ä¿å­˜ hash : $1 FILE_PROP_NO_RKHHASH:ä¸èƒ½æ‰¾åˆ°rkhunter.dat中文件'$1' çš„hash值. FILE_PROP_NO_RKHPERM:ä¸èƒ½æ‰¾åˆ°rkhunter.dat中文件'$1' çš„æƒé™å€¼. 
FILE_PROP_PERM_UNAVAIL:当剿ƒé™: æ— æ³•èŽ·å– å‚¨å­˜çš„æƒé™: $1 FILE_PROP_PERM:当剿ƒé™: $1 储存的æƒé™: $2 FILE_PROP_UID_UNAVAIL:å½“å‰ uid: æ— æ³•èŽ·å– å‚¨å­˜çš„ uid: $1 FILE_PROP_UID:å½“å‰ uid: $1 储存的 uid: $2 FILE_PROP_NO_RKHUID:在文件rkhunter.dat中没有找到文件 '$1' çš„user-id值. FILE_PROP_GID_UNAVAIL:当å‰çš„ gid: æ— æ³•èŽ·å– ä¿å­˜çš„ gid: $1 FILE_PROP_GID:当å‰çš„ gid: $1 ä¿å­˜çš„ gid: $2 FILE_PROP_NO_RKHGID:在文件rkhunter.dat中没有找到文件 '$1' çš„group-id值. FILE_PROP_INODE_UNAVAIL:当å‰çš„ inode: æ— æ³•èŽ·å– ä¿å­˜çš„ inode: $1 FILE_PROP_INODE:当å‰çš„ inode: $1 ä¿å­˜çš„ inode: $2 FILE_PROP_NO_RKHINODE:在文件rkhunter.dat中没有找到文件 '$1' çš„inode值. FILE_PROP_SIZE_UNAVAIL:当å‰å¤§å°: æ— æ³•èŽ·å– å­˜å‚¨çš„å¤§å°: $1 FILE_PROP_SIZE:当å‰å¤§å°: $1 存储的大å°: $2 FILE_PROP_NO_RKHSIZE:在 rkhunter.dat 文件中没å‘现文件 '$1' 的大å°å€¼. FILE_PROP_SYSDTM_UNAVAIL:当å‰çš„æ–‡ä»¶ä¿®æ”¹æ—¶é—´: æ— æ³•èŽ·å– FILE_PROP_SYSDTM:当剿–‡ä»¶ä¿®æ”¹æ—¶é—´: $1 FILE_PROP_RKHDTM:ä¿å­˜çš„æ–‡ä»¶ä¿®æ”¹æ—¶é—´ : $1 FILE_PROP_NO_RKHDTM:在文件rkhunter.dat中没有找到文件 '$1' 的修改时间值. FILE_PROP_NO_SYSATTR:æ— æ³•èŽ·å– '$1' 的当å‰å±žæ€§ FILE_PROP_WRITE:文件 '$1'被设置为对所有用户å¯å†™. FILE_PROP_SYSPERM_UNAVAIL:æ— æ³•èŽ·å–æ–‡ä»¶ '$1' 的当å‰å†™æƒé™ FILE_PROP_IMMUT:文件 '$1' 被设置了 immutable-bit . FILE_PROP_SCRIPT:命令 '$1' å·²ç»è¢«è„šæœ¬: $2 代替 FILE_PROP_SCRIPT_RKH:命令 '$1' 已被替æ¢, 䏿˜¯è„šæœ¬: $2 FILE_PROP_VRFY:包管ç†å™¨éªŒè¯å·²å¤±æ•ˆ: FILE_PROP_VRFY_HASH:文件hashå€¼å·²æ”¹å˜ FILE_PROP_VRFY_PERM:文件æƒé™å·²æ”¹å˜ FILE_PROP_VRFY_UID:æ–‡ä»¶çš„æ‹¥æœ‰è€…å±žæ€§å·²æ”¹å˜ FILE_PROP_VRFY_GID:æ–‡ä»¶ç»„å±žæ€§å·²æ”¹å˜ FILE_PROP_VRFY_DTM:æ–‡ä»¶çš„ä¿®æ”¹æ—¶é—´å·²æ”¹å˜ FILE_PROP_VRFY_SIZE:文件大å°å·²ç»æ”¹å˜ CHECK_ROOTKITS:正在检查rootkit... ROOTKIT_FILES_DIRS_START:执行已知rootkit和目录的检查 ROOTKIT_FILES_DIRS_NAME_LOG:检查 ${1}... 
ROOTKIT_FILES_DIRS_FILE:检查文件 '$1' ROOTKIT_FILES_DIRS_DIR:检查目录 '$1' ROOTKIT_FILES_DIRS_KSYM:æ£€æŸ¥å†…æ ¸ç¬¦å· '$1' ROOTKIT_FILES_DIRS_FILE_FOUND:å‘现文件 '$1' ROOTKIT_FILES_DIRS_DIR_FOUND:å‘现目录 '$1' ROOTKIT_FILES_DIRS_KSYM_FOUND:å‘çŽ°å†…æ ¸ç¬¦å· '$1' ROOTKIT_FILES_DIRS_STR:检查字符串 '$1' ROOTKIT_FILES_DIRS_STR_FOUND:在文件 '$2'中å‘现字符串'$1' ROOTKIT_FILES_DIRS_NOFILE:文件 '$1' ä¸å­˜åœ¨! ROOTKIT_FILES_DIRS_SINAR_DIR:检查 '$1' ROOTKIT_FILES_DIRS_SINAR:在: $1中å‘现SInAR ROOTKIT_ADD_START:执行辅助的rootkit检测 ROOTKIT_ADD_SUCKIT:Suckit Rookit 辅助检测 ROOTKIT_ADD_SUCKIT_LOG:执行Suckit Rookit 辅助检测 ROOTKIT_ADD_SUCKIT_LINK:检测/sbin/init é“¾æŽ¥æ•°é‡ ROOTKIT_ADD_SUCKIT_LINK_NOCMD:检测 /sbin/init 链接数é‡: 没å‘现 'stat' 命令 ROOTKIT_ADD_SUCKIT_LINK_ERR:检测 /sbin/init 链接数é‡: 'stat' 命令错误 ROOTKIT_ADD_SUCKIT_LINK_FOUND:检测 /sbin/init 链接数é‡: æ•°é‡æ˜¯ $1, 它应当是 1 ROOTKIT_ADD_SUCKIT_EXT:检测éšè—文件扩展 ROOTKIT_ADD_SUCKIT_EXT_FOUND:检测éšè—文件扩展: å‘现: $1 ROOTKIT_ADD_SUCKIT_SKDET:è¿è¡Œ skdet 命令 ROOTKIT_ADD_SUCKIT_SKDET_FOUND:è¿è¡Œ skdet 命令: å‘现: $1 ROOTKIT_ADD_SUCKIT_SKDET_VER:è¿è¡Œ skdet 命令: 未知版本: $1 ROOTKIT_POSS_FILES_DIRS:检查å¯èƒ½å­˜åœ¨çš„rootkitåŠå…¶ç›®å½• ROOTKIT_POSS_FILES_DIRS_LOG:执行检查å¯èƒ½å­˜åœ¨çš„rootkit文件åŠå…¶ç›®å½• ROOTKIT_POSS_FILES_FILE_FOUND:å‘现文件 '$1'. å¯èƒ½å­˜åœ¨rootkit: $2 ROOTKIT_POSS_FILES_DIR_FOUND:å‘现目录 '$1'. å¯èƒ½å­˜åœ¨rootkit: $2 ROOTKIT_POSS_STRINGS:检测判定rootkitå¯èƒ½å­˜åœ¨çš„字符串 ROOTKIT_POSS_STRINGS_LOG:执行检测判定rootkitå¯èƒ½å­˜åœ¨çš„字符串 ROOTKIT_POSS_STRINGS_FOUND:在文件 '$2'中å‘现字符串'$1' . 
å¯èƒ½è¿˜åœ¨rootkit: $3 ROOTKIT_MALWARE_START:æ‰§è¡Œæ¶æ„软件检测 ROOTKIT_MALWARE_SUSP_FILES:检测正在è¿è¡Œè¿›ç¨‹çš„å¯ç–‘文件 ROOTKIT_MALWARE_SUSP_FILES_FOUND:å‘现一个或多个这样的文件: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND:检测 lsof 命令 'lsof -F n -w -n' 的输出 ROOTKIT_MALWARE_HIDDEN_PROCS:检测éšè—进程 ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:å‘现éšè—的进程: $1 ROOTKIT_MALWARE_DELETED_FILES:在正è¿è¡Œè¿›ç¨‹ä¸­æ£€æµ‹ deleted 文件 ROOTKIT_MALWARE_DELETED_FILES_FOUND:以下进程正在使用 deleted 文件: ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:进程: $1 PID: $2 文件: $3 ROOTKIT_MALWARE_LOGIN_BDOOR:检测 login åŽé—¨ ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:执行检测 login åŽé—¨ ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:检测 '$1' ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:å‘现 login åŽé—¨æ–‡ä»¶: $1 ROOTKIT_MALWARE_SUSP_DIR:检测å¯ç–‘目录 ROOTKIT_MALWARE_SUSP_DIR_LOG:执行å¯ç–‘目录的检测 ROOTKIT_MALWARE_SUSP_DIR_FOUND:å‘现å¯ç–‘的目录: $1 ROOTKIT_MALWARE_SFW_INTRUSION:检测软件入侵 ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:文件 '$1' ä¸­åŒ…å«æœ‰å­—符串 '$2'. å¯èƒ½å­˜åœ¨rootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:跳过检测 - tripwire 没有安装 ROOTKIT_MALWARE_SNIFFER:检测 sniffer 日志文件 ROOTKIT_MALWARE_SNIFFER_LOG:执行 sniffer 日志文件的检测 ROOTKIT_MALWARE_SNIFFER_FOUND:å‘现å¯ç–‘çš„sniffer 日志文件: $1 ROOTKIT_TROJAN_START:执行木马详细检测 ROOTKIT_TROJAN_INETD:检测å¯åŠ¨çš„ inetd æœåŠ¡ ROOTKIT_TROJAN_INETD_SKIP:跳过检测 - 文件 '$1' ä¸å­˜åœ¨. ROOTKIT_TROJAN_INETD_FOUND:å‘现已å¯åŠ¨çš„ inetd æœåŠ¡: $1 ROOTKIT_TROJAN_XINETD:检测å¯åŠ¨çš„ xinetd æœåŠ¡ ROOTKIT_TROJAN_XINETD_LOG:执行已å¯åŠ¨çš„ xinetd æœåŠ¡çš„æ£€æµ‹ ROOTKIT_TROJAN_XINETD_ENABLED:在 '$1' 中检测已å¯åŠ¨çš„æœåŠ¡ ROOTKIT_TROJAN_XINETD_INCLUDE:å‘现 'include $1' 指令 ROOTKIT_TROJAN_XINETD_INCLUDEDIR:å‘现 'includedir $1' 指令 ROOTKIT_TROJAN_XINETD_ENABLED_FOUND:å‘现å¯åŠ¨çš„ xinetd æœåŠ¡: $1 ROOTKIT_TROJAN_XINETD_WHITELIST:å‘现æœåŠ¡ '$1': 它ä½äºŽ $2 白åå•. ROOTKIT_TROJAN_APACHE:检测 Apache çš„åŽé—¨ ROOTKIT_TROJAN_APACHE_SKIPPED:跳过Apache åŽé—¨çš„æ£€æµ‹: 没å‘现Apache 模å—å’Œé…置目录. 
ROOTKIT_TROJAN_APACHE_FOUND:å‘现Apache åŽé—¨æ¨¡å— 'mod_rootme' : $1 ROOTKIT_OS_START:执行 $1 详细的检测 ROOTKIT_OS_SKIPPED:没有å¯ç”¨çš„详细检测 ROOTKIT_OS_BSD_SOCKNET:检测 sockstat å’Œ netstat 命令 ROOTKIT_OS_BSD_SOCKNET_FOUND: sockstat å’Œ netstat 的输出å‘现ä¸åŒ: ROOTKIT_OS_BSD_SOCKNET_OUTPUT:$1 输出: $2 ROOTKIT_OS_FREEBSD_KLD:检测 KLD åŽé—¨ ROOTKIT_OS_FREEBSD_KLD_FOUND:å‘现å¯ç–‘çš„ FreeBSD KLD åŽé—¨. 'kldstat -v' 命令显示字符串 '$1' ROOTKIT_OS_FREEBSD_PKGDB:检测包数æ®åº“ ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:包数æ®åº“似乎有矛盾. ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:è¿™å¯èƒ½ä¸æ˜¯å®‰å…¨é—®é¢˜, 但是è¿è¡Œ 'pkgdb -F' å¯èƒ½æœ‰åŠ©äºŽè¯Šæ–­é—®é¢˜. ROOTKIT_OS_LINUX_LKM:检测内核模å—命令 ROOTKIT_OS_LINUX_LKM_FOUND: lsmod 命令 å’Œ /proc/modules 文件之间å‘现ä¸åŒçš„地方: ROOTKIT_OS_LINUX_LKM_OUTPUT:$1 输出: $2 ROOTKIT_OS_LINUX_LKM_EMPTY: 没有å‘现 lsmod 命令 和或 /proc/modules 文件的输出: ROOTKIT_OS_LINUX_LKM_MOD_MISSING:æ¨¡å—æ–‡ä»¶ '$1' 已丢失. ROOTKIT_OS_LINUX_LKMNAMES:检测内核模å—åç§° ROOTKIT_OS_LINUX_LKMNAMES_PATH:使用模å—路径å '$1' ROOTKIT_OS_LINUX_LKMNAMES_FOUND:在 '$1'中å‘çŽ°å·²çŸ¥çš„æ¶æ„内核模å—: $2 ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING:内核模å—目录 '$1' 丢失 CHECK_LOCALHOST:检测本地host... STARTUP_FILES_START:执行系统boot检测 STARTUP_HOSTNAME:检测本地hoståç§° STARTUP_NO_HOSTNAME:没å‘现hostå. STARTUP_LOCAL_RC_FILE:检测本地å¯åŠ¨æ–‡ä»¶ STARTUP_FOUND_LOCAL_RC_FILE:å‘现本地å¯åŠ¨æ–‡ä»¶: $1 STARTUP_NO_LOCAL_RC_FILE:没å‘现本地å¯åŠ¨æ–‡ä»¶. STARTUP_CHECK_LOCAL_RC:检测本地å¯åŠ¨æ–‡ä»¶æ˜¯å¦æ¶‰åŠæœ‰å®³ç¨‹åº STARTUP_CHECK_SYSTEM_RC:检测系统å¯åŠ¨æ–‡ä»¶æ˜¯å¦æ¶‰åŠæœ‰å®³ç¨‹åº STARTUP_CHECK_SYSTEM_RC_FOUND:å‘现系统å¯åŠ¨ç›®å½•: $1 STARTUP_CHECK_SYSTEM_RC_NONE:没å‘现系统å¯åŠ¨æ–‡ä»¶. ACCOUNTS_START:æ‰§è¡Œç”¨æˆ·ç»„å’Œå¸æˆ·æ£€æµ‹ ACCOUNTS_PWD_FILE_CHECK:æ£€æµ‹å¯†ç æ–‡ä»¶ ACCOUNTS_FOUND_PWD_FILE:å‘çŽ°å¯†ç æ–‡ä»¶: $1 ACCOUNTS_NO_PWD_FILE:å¯†ç æ–‡ä»¶ $1 ä¸å­˜åœ¨. ACCOUNTS_UID0:检测等效root (UID 0) 叿ˆ· ACCOUNTS_UID0_WL:å‘现等效root 叿ˆ· '$1': 它ä½äºŽç™½åå•中. ACCOUNTS_UID0_FOUND:叿ˆ· '$1' 是等效root (UID = 0) ACCOUNTS_SHADOW_FILE:å‘现 shadow 文件: $1 ACCOUNTS_PWDLESS:检测空密ç çš„叿ˆ· ACCOUNTS_PWDLESS_WL:å‘现空密ç å¸æˆ· '$1': 它列于白åå•. 
ACCOUNTS_PWDLESS_FOUND:å‘现空密ç å¸æˆ·: $1 ACCOUNTS_NO_SHADOW_FILE:没å‘现 shadow/password 文件. PASSWD_CHANGES:æ£€æµ‹å¯†ç æ–‡ä»¶çš„å˜åŒ– PASSWD_CHANGES_NO_TMP:æ— æ³•æ£€æµ‹å¯†ç æ–‡ä»¶çš„异常: å¯†ç æ–‡ä»¶çš„副本ä¸å­˜åœ¨. PASSWD_CHANGES_ADDED:æœ‰ç”¨æˆ·è¢«åŠ åˆ°å¯†ç æ–‡ä»¶ä¸­: PASSWD_CHANGES_REMOVED:æœ‰ç”¨æˆ·ä»Žå¯†ç æ–‡ä»¶ä¸­ç§»é™¤: GROUP_CHANGES:检测用户组文件的å˜åŒ– GROUP_CHANGES_NO_FILE:用户组文件 $1 ä¸å­˜åœ¨. GROUP_CHANGES_NO_TMP:无法检测用户组文件的å˜åŒ–: 用户组文件的副本ä¸å­˜åœ¨. GROUP_CHANGES_ADDED:有用户被加进用用户组文件: GROUP_CHANGES_REMOVED:组已被从用户组文件中删除: HISTORY_CHECK:检测root叿ˆ·çš„shellåŽ†å²æ–‡ä»¶ HISTORY_CHECK_FOUND:Root 叿ˆ· $1 shell åŽ†å²æ–‡ä»¶æ˜¯ä¸€ä¸ªç¬¦å·é“¾æŽ¥: $2 SYSTEM_CONFIGS_START:执行系统é…置文件检测 SYSTEM_CONFIGS_FILE:检测é…置文件 $1 SYSTEM_CONFIGS_FILE_FOUND:å‘现 $1 é…置文件: $2 SYSTEM_CONFIGS_SSH_ROOT:检测SSH是å¦å…许root访问 SYSTEM_CONFIGS_SSH_ROOT_FOUND: SSH å’Œ rkhunter çš„é…置选顶应当相åŒ: SYSTEM_CONFIGS_SSH_ROOT_FOUND1:SSH é…置选项 'PermitRootLogin': $1 SYSTEM_CONFIGS_SSH_ROOT_FOUND2:Rkhunter é…置选项 'ALLOW_SSH_ROOT_USER': $1 SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND: 还没设置SSH é…置选项 'PermitRootLogin' . SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:默认值å¯èƒ½æ˜¯ 'yes', å…许root访问. SYSTEM_CONFIGS_SSH_PROTO:检测是å¦å…许 SSH v1版åè®® SYSTEM_CONFIGS_SSH_PROTO_FOUND:SSHçš„é…置文件SSH ($1)已让SSH 版本1å议生效. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND: SSH é…置选项 'Protocol' 还没设置. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:默认值å¯èƒ½æ˜¯ '2,1', å…许使用 版本11åè®®. SYSTEM_CONFIGS_SYSLOG:检测是å¦è¿è¡Œsyslog daemon SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:syslog daemon 没有è¿è¡Œ. SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:syslog daemon 没有è¿è¡Œ, 但是已ç»å‘现一个metalog daemon. SYSTEM_CONFIGS_SYSLOG_SOCKLOG_RUNNING:syslog daemon 没有è¿è¡Œ, 但是已ç»å‘现一个socklog daemon. SYSTEM_CONFIGS_SYSLOG_NO_FILE:syslog daemon 正在è¿è¡Œ, 但是无法å‘现é…置文件. SYSTEM_CONFIGS_SYSLOG_REMOTE:检测是å¦å…许 syslog remote logging SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog é…置文件å…许远程登陆: $1 SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED:Rkhunter é…置选项 'ALLOW_SYSLOG_REMOTE_LOGGING' å·²ç»ç”Ÿæ•ˆ. 
FILESYSTEM_START:执行文件系统检测 FILESYSTEM_DEV_CHECK:/dev 作为å¯ç–‘文件类型检测 FILESYSTEM_DEV_CHECK_NO_DEV:/dev ä¸å­˜åœ¨. FILESYSTEM_DEV_FILE_WL:å‘现文件 '$1': 它列于白åå•中. FILESYSTEM_DEV_FILE_FOUND:在 ${1}中å‘现å¯ç–‘文件类型: FILESYSTEM_HIDDEN_DIR_WL:å‘现éšè—的目录'$1': 它列于白åå•中. FILESYSTEM_HIDDEN_FILE_WL:å‘现éšè—文件 '$1': 它列于白åå•中. FILESYSTEM_HIDDEN_CHECK:检测éšè—的文件和目录 FILESYSTEM_HIDDEN_DIR_FOUND:å‘现éšè—的目录: $1 FILESYSTEM_HIDDEN_FILE_FOUND:å‘现éšè—的文件: $1 CHECK_APPS:检测应用程åºçš„版本... APPS_NONE_FOUND:å‘çŽ°æœ«çŸ¥åº”ç”¨ç¨‹åº - 跳过所有的检测. APPS_DAT_MISSING:跳过所有的应用程åºç‰ˆæœ¬æ£€æµ‹. APPS_DAT_MISSING:ä¸å®‰å…¨åº”用程åºç‰ˆæœ¬ (programs_bad.dat) 丢失或为空. APPS_DAT_MISSING:如果它已ç»è¢«åˆ é™¤, ä½ å¾—è¿è¡Œ 'rkhunter --update'. APPS_NOT_FOUND:没å‘çŽ°åº”ç”¨ç¨‹åº '$1' . APPS_CHECK:检测版本 $1 APPS_CHECK_WL:å‘çŽ°åº”ç”¨ç¨‹åº '$1': 它列于白åå•中. APPS_CHECK_VERSION_UNKNOWN:æ— æ³•èŽ·å– '$1'的版本å·. APPS_CHECK_VERSION_FOUND:å‘çŽ°åº”ç”¨ç¨‹åº '$1' ç‰ˆæœ¬å· '$2' . APPS_CHECK_VERSION_WL:å‘çŽ°åº”ç”¨ç¨‹åº '$1' 版本 '$2': 这个版本ä½äºŽç™½åå•. APPS_CHECK_WHOLE_VERSION_USED:æ— æ³•èŽ·å– '$1'的版本å·: 版本选项赋予: $2 APPS_CHECK_FOUND:åº”ç”¨ç¨‹åº '$1', ç‰ˆæœ¬å· '$2', 已过时, 有潜在的安全风险. APPS_TOTAL_COUNT:åº”ç”¨ç¨‹åºæ£€æµ‹: $1 out of $2 CHECK_NETWORK:检测网络... NETWORK_PORTS_START:执行åŽé—¨ç«¯å£çš„æ£€æµ‹ NETWORK_PORTS_FILE_MISSING:跳过所有åŽé—¨ç«¯å£çš„æ£€æµ‹. NETWORK_PORTS_FILE_MISSING:已知åŽé—¨ç«¯å£æ–‡ä»¶ (backdoorports.dat) 丢失或为空白. NETWORK_PORTS_FILE_MISSING:如果它已被删除,你必须è¿è¡Œå‘½ä»¤ 'rkhunter --update'. NETWORK_PORTS_UNKNOWN_NETSTAT:跳过所有åŽé—¨ç«¯å£çš„æ£€æµ‹. NETWORK_PORTS_UNKNOWN_NETSTAT:æ­¤æ“作系统中无法识别该netstat命令格å¼. NETWORK_PORTS_DISABLE_PATHS:在PORT_WHITELIST 设置中'*' å’Œè·¯å¾„åæ— æ•ˆ: 'lsof' 命令ä¸å­˜åœ¨. NETWORK_PORTS_ENABLE_TRUSTED:å¯ä¿¡ä»»çš„路径å已在端å£ç™½åå•中å¯ç”¨. NETWORK_PORTS:为 $1 æ£€æµ‹ç«¯å£ $2 NETWORK_PORTS_PATH_WHITELIST:网络 $1 ç«¯å£ $2 正在被 $3 使用: 路径å列于白åå•. NETWORK_PORTS_TRUSTED_WHITELIST:网络 $1 ç«¯å£ $2 正在被 $3 使用: è·¯å¾„åæ˜¯å¯ä¿¡ä»»çš„. NETWORK_PORTS_PORT_WHITELIST:网络 $1 ç«¯å£ $2 正在被使用: 端å£åˆ—于白åå•中. NETWORK_PORTS_FOUND:网络 $1 ç«¯å£ $2 正在被使用${3}. 
å¯èƒ½æ˜¯rootkit: $4 NETWORK_PORTS_FOUND:使用 'lsof -i' 或 'netstat -an' 命令检测它. NETWORK_INTERFACE_START:执行网络接å£çš„æ£€æµ‹ NETWORK_PROMISC_CHECK:检测 promiscuous æŽ¥å£ NETWORK_PROMISC_NO_IFCONFIG:Promiscuous 网络接å£è¢«è·³è¿‡ - 无法找到 'ifconfig' 命令. NETWORK_PROMISC_NO_IP:使用'ip' 命令检测Promiscuous ç½‘ç»œæŽ¥å£ - 无法找到 'ip' 命令. NETWORK_PROMISC_IF:å¯èƒ½promiscuous 接å£: NETWORK_PROMISC_IF_1:'ifconfig' 命令输出: $1 NETWORK_PROMISC_IF_2:'ip' 命令输出: $1 NETWORK_PACKET_CAP_CHECK:检测 æ•°æ®æŠ¥æ•æ‰ç¨‹åº NETWORK_PACKET_CAP_CHECK_NO_FILE:æ•°æ®åŒ…æ£€æµ‹ç¨‹åºæ£€æµ‹è¢«è·³è¿‡ - 文件 '$1' 丢失. NETWORK_PACKET_CAP_FOUND:进程 '$1' (PID $2) 正在网络上监å¬. NETWORK_PACKET_CAP_WL:å‘现进程 '$1': 它列于白åå•中. SHARED_LIBS_START:执行 '共享库' 的检测 SHARED_LIBS_PRELOAD_VAR:检测预装载å˜é‡ SHARED_LIBS_PRELOAD_VAR_FOUND:å‘现预装载å˜é‡: $1 SHARED_LIBS_PRELOAD_FILE:检测预装文件 SHARED_LIBS_PRELOAD_FILE_FOUND:å‘现library preload 文件: $1 SHARED_LIBS_PATH:检测 LD_LIBRARY_PATH å˜é‡ SHARED_LIBS_PATH_BAD: LD_LIBRARY_PATH 环境å˜é‡è¢«è®¾ç½®ï¼Œå®ƒä¼šå½±å“二进制程åº: 被设置为: $1 SUSPSCAN_CHECK:检测具有å¯ç–‘ contents 的文件 SUSPSCAN_DIR_NOT_EXIST:目录 '$1' ä¸å­˜åœ¨. SUSPSCAN_INSPECT:文件 '$1' (score: $2) 包å«ä¸€äº›å¯ç–‘的内容,它将被检测. SUSPSCAN_START:执行带有å¯ç–‘contents文件的检测 SUSPSCAN_DIRS:待检测目录是: $1 SUSPSCAN_NO_DIRS:没有指定目录: 使用用默认 ($1) SUSPSCAN_TEMP:使用临时文件夹: $1 SUSPSCAN_NO_TEMP:没指定临刊文件夹: 使用用默认的 ($1) SUSPSCAN_TEMP_NOT_EXIST:suspscan 临时目录ä¸å­˜åœ¨: $1 SUSPSCAN_TEMP_NO_WRITE:suspscan 临时目录ä¸å¯å†™: $1 SUSPSCAN_SIZE:检测的最大文件大å°(byte为å•ä½): '$1' SUSPSCAN_NO_SIZE:没指定最大的文件大å°: 使用默认值($1) SUSPSCAN_SIZE_INVALID:The suspscan æœ€å¤§æ–‡ä»¶å¤§å°æ— æ•ˆ: $1 SUSPSCAN_THRESH:Score 上é™è¢«è®¾ç½®ä¸º: $1 SUSPSCAN_NO_THRESH:没有指定 score 上é™: 使用默认值 ($1) SUSPSCAN_THRESH_INVALID:The suspscan score ä¸Šé™æ˜¯æ— æ•ˆçš„: $1 SUSPSCAN_DIR_CHECK:检查目录: '$1' SUSPSCAN_DIR_CHECK_NO_FILES:没有åˆé€‚的文件检查. 
SUSPSCAN_FILE_CHECK:文件检测: Name: '$1' Score: $2 SUSPSCAN_FILE_CHECK_DEBUG:文件检测: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4) SUSPSCAN_FILE_SKIPPED_EMPTY:忽略文件: 空白: '$1' SUSPSCAN_FILE_SKIPPED_LINK:忽略文件: 符号连接: '$1' SUSPSCAN_FILE_SKIPPED_TYPE:忽略文件: 错误类型: '$1': '$2' SUSPSCAN_FILE_SKIPPED_SIZE:忽略文件: 太大: '$1' SUSPSCAN_FILE_LINK_CHANGE:发现符号连接: '$1' -> '$2' LIST_TESTS:有效的测试名: LIST_GROUPED_TESTS:分组检测名称: LIST_LANGS:可用的语言: LIST_RTKTS:检测rootkit # #If any problem related with this cn version message,please mail to #linux_fqh@yahoo.com.cn.I will fix them as soon as possible. #如果有任何关于本中文版信息的问题,请联系linux_fqh@yahoo.com.cn #我将尽快修正它们 # rkhunter-1.4.0/files/i18n/de0000640000123200012320000010606511467622250015521 0ustar unspawnunspawnVersion:2010111401 # # We start with the definitions of the message types and results. There # are very few of these, so including these and all the parts of each # message in one file makes sense and for easier translation. # # The message type MSG_TYPE_PLAIN is used for ordinary messages. It has # no specific value, and is intercepted in the display function. It is # included here for completeness. The index names of MSG_TYPE_ and # MSG_RESULT_ are reserved - no messages can use this as part of its index. # MSG_TYPE_PLAIN: MSG_TYPE_INFO:Information MSG_TYPE_WARNING:Warnung # # This is the list of message results. # MSG_RESULT_OK:OK MSG_RESULT_SKIPPED:Übersprungen MSG_RESULT_WARNING:Warnung MSG_RESULT_FOUND:Gefunden MSG_RESULT_NOT_FOUND:Nicht gefunden MSG_RESULT_NONE_FOUND:Nichts gefunden MSG_RESULT_ALLOWED:Erlaubt MSG_RESULT_NOT_ALLOWED:Nicht erlaubt MSG_RESULT_UNSET:Nicht gesetzt MSG_RESULT_UPD:aktualisiert MSG_RESULT_NO_UPD:Keine Aktualisierung MSG_RESULT_UPD_FAILED:Aktualisierung fehlgeschlagen MSG_RESULT_VCHK_FAILED:Versions-Überprüfung fehlgeschlagen # # The messages. 
# VERSIONLINE:[ $1 Version $2 ] VERSIONLINE2:Running $1 in Version $2 auf $3 VERSIONLINE3:Running $1 in Version $2 RKH_STARTDATE:Start Datum ist $1 RKH_ENDDATE:Enddatum ist $1 OPSYS:Erkanntes Betriebssystem ist '$1' UNAME:Ausgabe des Befehls uname ist '$1' CONFIG_CHECK_START:Überprüfe Konfigurationsdatei und Kommandozeilen-Optionen... CONFIG_CMDLINE:Kommandozeile ist $1 CONFIG_DEBUGFILE:Debug-Datei ist $1 CONFIG_ENVSHELL:Umgebungsshell ist $1; rkhunter verwendet $2 CONFIG_CONFIGFILE:Verwende Konfigurationsdatei '$1' CONFIG_INSTALLDIR:Installationsverzeichnis ist '$1' CONFIG_LANGUAGE:Verwende die Sprache '$1' CONFIG_DBDIR:Verwende '$1' als Datenbank-Verzeichnis CONFIG_SCRIPTDIR:Verwende '$1' als Script-Verzeichnis CONFIG_BINDIR:Verwende '$1' als Kommando-Verzeichnis CONFIG_ROOTDIR:Verwende '$1' als Root-Verzeichnis CONFIG_ROOTDIR_DFLT:Verwende '/' standardmäßig als Root-Verzeichnis CONFIG_TMPDIR:Verwende '$1' als temporäres Verzeichnis CONFIG_NO_MAIL_ON_WARN:Keine E-Mail-Adresse für Benachrichtigungen konfiguriert CONFIG_MOW_DISABLED:Deaktiviere das Versenden von Benachrichtigungs-E-Mails aufgrund von Benutzer-Vorgaben CONFIG_MAIL_ON_WARN:Versenden von Benachrichtigungen von '$1' mittels dem Kommando '$2' CONFIG_SSH_ROOT:Rkhunter Option ALLOW_SSH_ROOT_USER wurde auf '$1' geändert. CONFIG_SSH_PROTV1:Rkhunter Option ALLOW_SSH_PROT_V1 wurde auf '$1' geändert. 
CONFIG_X_AUTO:X wird automatisch erkannt CONFIG_CLRSET2:Verwende zweites Farbset CONFIG_NO_SHOW_SUMMARY:Deaktiviere die Zusammenfassung der System-Überprüfung aufgrund von Benutzer-Vorgaben CONFIG_SCAN_MODE_DEV:SCAN_MODE_DEV gesetzt auf '$1' CONFIG_NO_VL:Deaktiviere erweiterte Ausgaben aufgrund von Benutzer-Vorgaben CONFIG_XINETD_PATH:Verwende $1 Konfigurations-Datei '$2' CONFIG_SOL10_INETD:Verwende Solaris 10 und spätere Inetd-Mechanismen CONFIG_STARTUP_PATHS:Verwende System-Pfade: $1 CONFIG_ROTATE_MIRRORS:Die Liste der Spiegel-Server wird rotiert CONFIG_NO_ROTATE_MIRRORS:Die Liste der Spiegel-Server wird nicht rotiert CONFIG_UPDATE_MIRRORS:Die Liste der Spiegel-Server wird upgedatet CONFIG_NO_UPDATE_MIRRORS:Die Liste der Spiegel-Server wird nicht upgedatet CONFIG_MIRRORS_MODE0:Sowohl lokale als auch entfernte Spiegel-Server werden verwendet CONFIG_MIRRORS_MODE1:Nur lokale Spiegel-Server werden verwendet CONFIG_MIRRORS_MODE2:Nur entfernte Spiegel-Server werden verwendet FOUND_CMD:Das Kommando '$1' wurde gefunden: $2 NOT_FOUND_CMD:Das Kommando '$1' konnte nicht gefunden werden CMD_ERROR:Das Kommando '$1' gab den Fehlercode '$2' zurück. 
SYS_PRELINK:System verwendet prelinking SYS_NO_PRELINK:System verwendet kein prelinking SYS_SELINUX:SELinux ist aktiviert SYS_NO_SELINUX:SELinux ist deaktiviert HASH_FUNC_PRELINK:Verwende prelink-Kommando (mit $1) für Datei-Hash Überprüfungen HASH_FUNC_PERL:Verwende das Perl-Modul $1 für Datei-Hash Überprüfungen HASH_FUNC:Verwende das Kommando '$1' für Datei-Hash Überprüfungen HASH_FUNC_NONE:Datei-Hash Überprüfungen deaktiviert: NONE konfiguriert HASH_FUNC_NONE_PKGMGR:Datei-Hash Überprüfungen mit NONE konfiguriert: es wird nur der Paketmanager verwendet HASH_FUNC_DISABLED:Hash-Funktion auf 'NONE' gesetzt: Datei-Hash Überprüfungen automatisch deaktiviert HASH_FUNC_OLD:Gespeicherte Hash-Werte erzeugt mit der Hash-Funktion '$1' HASH_FUNC_OLD_DISABLED:Vorangegangene Hash-Funktion wurde deaktiviert: keine Hash-Werte gespeichert HASH_PKGMGR_OLD:Gespeicherte Hash-Werte verwendeten den Paketmanager '$1' (md5-Funktion) HASH_PKGMGR_OLD_UNSET:Gespeicherte Hash-Werte verwendeten nicht den Paketmanager HASH_PKGMGR:Verwende den Paketmanager '$1' für die Überprüfung der Dateieigenschaften HASH_PKGMGR_MD5:Verwende MD5 Hash-Funktion mit dem Kommando '$1' zur Unterstützung der Paketmanager-Überprüfung HASH_PKGMGR_NOT_SPEC:Kein Paketmanager konfiguriert: verwende die Hash-Funktion '$1' HASH_PKGMGR_NOT_SPEC_PRELINKED:Kein Paketmanager konfiguriert: verwende das prelink-Kommando mit '$1' HASH_FIELD_INDEX: Der Index der Hash-Funktion wurde auf $1 gesetzt HASHUPD_DISABLED:Hash-Überprüfung deaktiviert: Hash-Werte der aktuellen Dateien werden nicht gespeichert HASHUPD_PKGMGR:Verwende den Paketmanager '$1' zum Erneuern der Hash-Werte HASHUPD_PKGMGR_NOT_SPEC:Keine Hash-Update-Funktion für Dateien via Paketmanager konfiguriert: verwende die Hash-Funktion '$1' HASHUPD_PKGMGR_NOT_SPEC_PRELINKED:Keine Hash-Update-Funktion für Dateien via Paketmanager konfiguriert: verwende prelink-Kommando mit '$1' ATTRUPD_DISABLED:Überprüfung der Datei-Attribute deaktiviert: aktuelle Datei-Attribute werden nicht 
gespeichert ATTRUPD_NOSTATCMD:Überprüfung der Datei-Attribute deaktiviert: kein 'stat'-Kommando gefunden: aktuelle Datei-Attribute werden nicht gespeichert ATTRUPD_OK:aktuelle Datei-Attribute werden gespeichert ATTRUPD_OLD_DISABLED:Vorherige Datei-Attribute waren deaktiviert: keine Speicherung der Attribute ATTRUPD_OLD_NOSTATCMD:Vorherige Datei-Attribute waren deaktiviert: kein 'stat'-Kommando gefunden: keine Speicherung der Attribute ATTRUPD_OLD_OK:Vorherige Datei-Attribute wurden gespeichert GRSECINSTALLED:Installation von grsecurity gefunden SYSLOG_ENABLED:Verwende syslog für das Logging - Prioritätsebene ist '$1'. SYSLOG_DISABLED:Deaktiviere die Benutzung von syslog aufgrund von Benutzer-Vorgaben SYSLOG_NO_LOGGER:Deaktiviere die Benutzung von syslog - das 'logger'-Kommando kann nicht gefunden werden. NAME:$1 PRESSENTER:[ um fortzufahren] TEST_SKIPPED_OS:Test '$1' übersprungen wegen des Betriebssystems: $2 SUMMARY_TITLE1:Zusammenfassung der Systemüberprüfung SUMMARY_TITLE2:===================================== SUMMARY_PROP_SCAN:Dateieigenschaften-Überprüfung... SUMMARY_PROP_REQCMDS:Überprüfung der erforderlichen Befehle fehlgeschlagen SUMMARY_PROP_COUNT:Dateien überprüft: $1 SUMMARY_PROP_FAILED:Verdächtige Dateien: $1 SUMMARY_CHKS_SKIPPED:Alle Überprüfungen übersprungen SUMMARY_RKT_SCAN:Rootkit-Überprüfungen... SUMMARY_RKT_COUNT:Rootkits überprüft : $1 SUMMARY_RKT_FAILED:Mögliche Rootkits: $1 SUMMARY_RKT_NAMES:Rootkit Namen : $1 SUMMARY_APPS_SCAN:Anwendungs-Überprüfungen... SUMMARY_APPS_COUNT:Anwendungen überprüft: $1 SUMMARY_APPS_FAILED:Verdächtige Anwendungen: $1 SUMMARY_SCAN_TIME:Dauer der System-Überprüfung: $1 SUMMARY_NO_SCAN_TIME:Dauer der System-Überprüfung: auslesen der Uhrzeit nicht möglich SUMMARY_LOGFILE:Alle Ergebnisse wurden in die Log-Datei geschrieben ($1) SUMMARY_NO_LOGFILE:Keine Log-Datei erstellt. CREATED_TEMP_FILE:Temporäre Datei '$1' erstellt MIRRORS_NO_FILE:Die Datei '$1' (Liste der Spiegel-Server) existiert nicht. 
MIRRORS_NO_MIRRORS:Die Datei '$1' enthält keine benötigten Spiegel-Server. MIRRORS_NO_VERSION:Die Datei '$1' (Liste der Spiegel-Server) enthält keine Versionsnummer - zurückgesetzt auf null. MIRRORS_ROTATED:Die Datei '$1' (Liste der Spiegel-Server) wurde rotiert. MIRRORS_SF_DEFAULT:Verwende den Sourceforge-Spiegel-Server: $1 DOWNLOAD_CMD:Ausführen des Download-Kommandos '$1' DOWNLOAD_FAIL:Download fehlgeschlagen - $1 Spiegel-Server übrig. VERSIONCHECK_START:Überprüfung der Version von rkhunter... VERSIONCHECK_FAIL_ALL:Download fehlgeschlagen: die neueste Versionsnummer des Programms kann nicht bestimmt werden. VERSIONCHECK_CURRENT:Diese Version: $1 VERSIONCHECK_LATEST:Neueste Version: $1 VERSIONCHECK_LATEST_FAIL:Neueste Version: Download fehlgeschlagen VERSIONCHECK_UPDT_AVAIL:Update verfügbar VERSIONCHECK_CONV_FAIL:Vergleich der Versionsnummern nicht möglich: Programm: '$1' Neueste: '$2' UPDATE_START:Überprüfung der Daten-Dateien von rkhunter... UPDATE_CHECKING_FILE:Überprüfe Datei $1 UPDATE_FILE_NO_VERS:Datei '$1' enthält keine gültige Versionsnummer. Lade eine neue Kopie herunter. UPDATE_FILE_MISSING:Datei '$1' ist nicht vorhanden oder leer. Lade eine neue Kopie herunter. UPDATE_DOWNLOAD_FAIL:Download von '$1' fehlgeschlagen: die neueste Versionsnummer kann nicht bestimmt werden. UPDATE_I18N_NO_VERS:Keine Versionsnummern einer i18n-Sprachdatei gefunden. OSINFO_START:Überprüfung, ob sich das Betriebssystem seit der letzten Überprüfung geändert hat... OSINFO_END:Anscheinend hat sich nichts geändert OSINFO_HOST_CHANGE1:Der Hostname hat sich seit der letzten Überprüfung geändert: OSINFO_HOST_CHANGE2:ehemaliger Hostname: $1 neuer Hostname: $2 OSINFO_OSVER_CHANGE1:Das Betriebssystem hat sich seit der letzten Überprüfung geändert: OSINFO_OSVER_CHANGE2:ehemaliges Betriebssystem: $1 neues Betriebssystem: $2 OSINFO_PRELINK_CHANGE:Das System änderte sich zu ${1}using prelinking seit der letzten Überprüfung. 
OSINFO_ARCH_CHANGE1:Anscheinend hat sich der Prozessor-Typ geändert: OSINFO_ARCH_CHANGE2:ehemaliger Prozessor-Wert: $1 neuer Wert: $2 OSINFO_MSG1:Aufgrund der Änderung(en) kann die Dateieigenschaften-Überprüfung einige fehlerhafte Warnungsmeldungen erzeugen. OSINFO_MSG2:Eventuell müssen Sie rkhunter mit der Option '--propupd' erneut starten. SET_FILE_PROP_START:Auslesen der Datei-Eigenschaften... SET_FILE_PROP_DIR_FILE_COUNT:$1 Dateien in $2 gefunden SET_FILE_PROP_FILE_COUNT:Datei aktualisiert: gesucht wurden $2 Dateien, gefunden wurden $3 SET_FILE_PROP_FILE_COUNT_PROPOPT:Datei $1: gesucht nach $2 Dateien, gefunden wurden $3 von $4 SET_FILE_PROP_FILE_COUNT_NOHASH:Datei $1: gesucht nach $2 Dateien, gefunden wurden $3, keine Hash-Werte für $4 SET_FILE_PROP_FILE_COUNT_NOHASH_PROPOPT:Datei $1: gesucht nach $2 Dateien, gefunden wurden $3 von $4, keine Hash-Werte für $5 PROPUPD_START:Starte Update der Dateieigenschaften... PROPUPD_OSINFO_START:Sammle Informationen zum Betriebssystem... PROPUPD_ARCH_FOUND:System-Architektur gefunden: $1 PROPUPD_REL_FILE:Release-Datei gefunden: $1 PROPUPD_NO_REL_FILE:Release-Datei konnte nicht gefunden werden: LS-Ausgabe zeigt: PROPUPD_OSNAME_FOUND:Name des Betriebssystems gefunden: $1 PROPUPD_ERROR:Fehler bei der Installation der neuen rkhunter.dat-Datei. Code $1 PROPUPD_NEW_DAT_FILE:Neue rkhunter.dat-Datei installiert in '$1' PROPUPD_WARN:WARNUNG! Es liegt in der Verantwortung des Benutzers, dafür zu sorgen, dass, wenn die '--propupd' Option PROPUPD_WARN:genutzt wird, alle Dateien auf dem System authentisch sind und aus einer verlässlichen Quelle PROPUPD_WARN:installiert wurden. Die rkhunter '--check' Option wird die Dateieigenschaften der derzeitigen Dateien PROPUPD_WARN:mit vorher gespeicherten Werten vergleichen und Unterschiede melden. Rkhunter kann nicht heraus PROPUPD_WARN:finden, was die Ursache für den Unterschied ist, dies liegt im Aufgabenbereich des Benutzers. 
ENABLED_TESTS:Aktivierte Tests: $1 DISABLED_TESTS:Deaktivierte Tests: $1 KSYMS_FOUND:ksym-Datei gefunden '$1' KSYMS_MISSING:Alle ksyms und kallsyms Überprüfungen werden übersprungen - keine der Dateien existiert auf dem System. STARTING_TEST:Beginne mit dem Test '$1' USER_DISABLED_TEST:Test '$1' deaktiviert aufgrund von Benutzer-Vorgaben CHECK_START:Starte System-Überprüfungen... CHECK_WARNINGS_NOT_FOUND:Keine Warnungen während der System-Überprüfung gefunden. CHECK_WARNINGS_FOUND:Eine oder mehrere Warnungen während der System-Überprüfung gefunden. CHECK_WARNINGS_FOUND_RERUN:Bitte starten Sie rkhunter erneut, um sicherzustellen, dass die Log-Datei erstellt wird. CHECK_WARNINGS_FOUND_CHK_LOG:Bitte überprüfen Sie die Log-Datei ($1) CHECK_SYS_COMMANDS:Überprüfen der System-Kommandos... STRINGS_CHECK_START:Überprüfung des 'strings'-Kommandos STRINGS_SCANNING_OK:Suche nach der Zeichenkette $1 STRINGS_SCANNING_BAD:Suche nach der Zeichenkette $1 STRINGS_SCANNING_BAD:Zeichenkette nicht gefunden im 'strings'-Kommando STRINGS_CHECK:Überprüfen des 'strings'-Kommandos STRINGS_CHECK:Überprüfung übersprungen - kein 'strings'-Kommando gefunden. FILE_PROP_START:Überprüfung der Dateieigenschaften FILE_PROP_CMDS:Überprüfen der Abhängigkeiten FILE_PROP_IMMUT_OS:Überspringe alle immutable-bit Überprüfungen. Diese Überprüfung ist nur für Linux-Systeme verfügbar. FILE_PROP_SKIP_ATTR:'stat'-Kommando nicht gefunden - alle Überprüfungen der Dateieigenschaften werden übersprungen. FILE_PROP_SKIP_HASH:Alle Überprüfungen der Hash-Werte werden übersprungen weil: FILE_PROP_SKIP_HASH_FUNC:Die derzeitige Hash-Funktion ($1) oder der Paketmanager ($2) sind nicht kompatibel mit der Hash-Funktion ($3) oder dem Paketmanager ($4), die benutzt wurden um die Werte zu speichern. FILE_PROP_SKIP_HASH_PRELINK:'prelink'-Kommando wurde nicht gefunden. FILE_PROP_SKIP_HASH_SHA1:Dieses System benutzt prelinking, aber das Kommando für die Hash-Funktion sieht nicht nach SHA1 oder MD5 aus. 
FILE_PROP_SKIP_HASH_LIBSAFE:Libsafe wurde gefunden, dies kann Fehler verursachen. Deaktivieren Sie, sofern möglich, libsafe und starten Sie das prelink-Kommando erneut. Abschließend die Hash-Werte erneuern mittels 'rkhunter --propupd'. FILE_PROP_SKIP_IMMUT:'lsattr'-Kommando wurde nicht gefunden - alle immutable-bit Überprüfungen werden übersprungen. FILE_PROP_SKIP_SCRIPT:'file'-Kommando wurde nicht gefunden - alle Skript-Ersetzungs-Überprüfungen werden übersprungen. FILE_PROP_OS_CHANGED:Die lokale Host-Konfiguration oder das Betriebssystem hat sich geändert. FILE_PROP_DAT_MISSING:Die Datei mit den gespeicherten Dateieigenschaften (rkhunter.dat) existiert nicht und muss erstellt werden. Um dies zu veranlassen führen Sie 'rkhunter --propupd' aus. FILE_PROP_DAT_EMPTY:Die Datei mit den gespeicherten Dateieigenschaften (rkhunter.dat) ist leer und muss erstellt werden. Um dies zu veranlassen führen Sie 'rkhunter --propupd' aus. FILE_PROP_SKIP_ALL:Alle Überprüfungen der Dateieigenschaften werden von nun an übersprungen. FILE_PROP_FILE_NOT_EXIST:Die Datei '$1' existiert nicht auf dem System, ist jedoch in der Datei rkhunter.dat erfasst. FILE_PROP_WL:Datei '$1' gefunden: diese ist mittels Whitelist freigegeben für '$2' Überprüfung. FILE_PROP_WL_DIR:Verzeichnis '$1' gefunden: dieses ist mittels Whitelist freigegeben für '$2' Überprüfung. FILE_PROP_NO_RKH_REC:Die Datei '$1' existiert auf dem System, aber nicht in der rkhunter.dat Datei. FILE_PROP_CHANGED:Dateieigenschaften haben sich geändert: FILE_PROP_CHANGED2:Datei: $1 FILE_PROP_NO_PKGMGR_FILE:Datei '$1' Hash-Wert übersprungen: Datei gehört nicht zum Paket FILE_PROP_NO_SYSHASH:Kein Hash-Wert für Datei '$1' gefunden FILE_PROP_NO_SYSHASH_CMD:Hash-Kommando Ausgabe: $1 FILE_PROP_NO_SYSHASH_DEPENDENCY:Versuche das 'prelink'-Kommando auszuführen um Abhängigkeits-Fehler aufzulösen. 
FILE_PROP_SYSHASH_UNAVAIL:Aktueller Hash-Wert: nicht verfügbar FILE_PROP_SYSHASH:Aktueller Hash-Wert: $1 FILE_PROP_RKHHASH:Gespeicherter Hash-Wert: $1 FILE_PROP_NO_RKHHASH:Kein Hash-Wert gefunden für die Datei '$1' in der rkhunter.dat Datei. FILE_PROP_NO_RKHPERM:Keinen Wert für die Dateiberechtigungen der Datei '$1' in der Datei rkhunter.dat gefunden. FILE_PROP_PERM_UNAVAIL:Aktuelle Dateiberechtigungen: nicht verfügbar Gespeicherte Berechtigungen: $1 FILE_PROP_PERM:Aktuelle Dateiberechtigungen: $1 Gespeicherte Berechtigungen: $2 FILE_PROP_UID_UNAVAIL:Aktuelle UID: nicht verfügbar Gespeicherte UID: $1 FILE_PROP_UID:Aktuelle UID: $1 Gespeicherte UID: $2 FILE_PROP_NO_RKHUID:Kein Wert für die Benutzer-ID (UID) der Datei '$1' in der Datei rkhunter.dat gefunden. FILE_PROP_GID_UNAVAIL:Aktuelle GID: nicht verfügbar Gespeicherte GID: $1 FILE_PROP_GID:Aktuelle GID: $1 Gespeicherte GID: $2 FILE_PROP_NO_RKHGID:Kein Wert für die Gruppen-ID (GID) der Datei '$1' in der Datei rkhunter.dat gefunden. FILE_PROP_INODE_UNAVAIL:Aktueller Knoten (inode): nicht verfügbar Gespeicherter Knoten (inode): $1 FILE_PROP_INODE:Aktueller Knoten (inode): $1 Gespeicherter Knoten (inode): $2 FILE_PROP_NO_RKHINODE:Kein Wert für den Knoten (inode) der Datei '$1' in der Datei rkhunter.dat gefunden. FILE_PROP_SIZE_UNAVAIL:Aktuelle Dateigröße: nicht verfügbar Gespeicherte Dateigröße: $1 FILE_PROP_SIZE:Aktuelle Dateigröße: $1 Gespeicherte Dateigröße: $2 FILE_PROP_NO_RKHSIZE:Keinen Wert für die Größe der Datei '$1' in der Datei rkhunter.dat gefunden. FILE_PROP_SYSDTM_UNAVAIL:Aktuelle Zeit der letzten Dateiänderung: nicht verfügbar FILE_PROP_SYSDTM:Aktuelle Zeit der letzten Dateiänderung: $1 FILE_PROP_RKHDTM:Gespeicherte Zeit der letzten Dateiänderung : $1 FILE_PROP_NO_RKHDTM:Keinen Wert für die Zeit der letzten Dateiänderung in der Datei rkhunter.dat gefunden. 
FILE_PROP_NO_SYSATTR:Aktuelle Dateieigenschaften der Datei '$1' konnten nicht ausgelesen werden FILE_PROP_WRITE:Schreibberechtigung der Datei '$1' gilt für alle Benutzer. FILE_PROP_SYSPERM_UNAVAIL:Aktuelle Schreibberechtigung der Datei '$1' konnte nicht ausgelesen werden FILE_PROP_IMMUT:Die Datei '$1' hat das immutable-bit gesetzt. FILE_PROP_SCRIPT:Das Kommando '$1' wurde durch ein Skript ersetzt: $2 FILE_PROP_SCRIPT_RKH:Das Kommando '$1' wurde ersetzt und ist kein Skript: $2 FILE_PROP_VRFY:Prüfung mittels Paketmanager fehlgeschlagen: FILE_PROP_VRFY_HASH:Der Hash-Wert der Datei hat sich geändert FILE_PROP_VRFY_PERM:Die Dateiberechtigungen haben sich geändert FILE_PROP_VRFY_UID:Der Besitzer der Datei hat sich geändert FILE_PROP_VRFY_GID:Die Gruppe der Datei hat sich verändert FILE_PROP_VRFY_DTM:Zeit der letzten Dateiänderung hat sich geändert FILE_PROP_VRFY_SIZE:Dateigröße hat sich geändert CHECK_ROOTKITS:Überprüfe auf Rootkits... ROOTKIT_FILES_DIRS_START:Führe die Überprüfung auf bekannte Rootkit-Dateien und -Verzeichnisse aus ROOTKIT_FILES_DIRS_NAME_LOG:Überprüfe auf ${1}... ROOTKIT_FILES_DIRS_FILE:Überprüfe auf Datei '$1' ROOTKIT_FILES_DIRS_DIR:Überprüfe auf Verzeichnis '$1' ROOTKIT_FILES_DIRS_KSYM:Überprüfe auf Kernel-Symbol '$1' ROOTKIT_FILES_DIRS_FILE_FOUND:Datei '$1' gefunden ROOTKIT_FILES_DIRS_DIR_FOUND:Verzeichnis '$1' gefunden ROOTKIT_FILES_DIRS_KSYM_FOUND:Kernel-Symbol '$1' gefunden ROOTKIT_FILES_DIRS_STR:Überprüfe auf Zeichenkette '$1' ROOTKIT_FILES_DIRS_STR_FOUND:Zeichenkette '$1' in Datei '$2' gefunden ROOTKIT_FILES_DIRS_NOFILE:Die Datei '$1' existiert nicht! 
ROOTKIT_FILES_DIRS_SINAR_DIR:Überprüfe in '$1' ROOTKIT_FILES_DIRS_SINAR:SInAR gefunden in: $1 ROOTKIT_LINK_COUNT:Überprüfung des "hard link"-Zählers von '$1' ROOTKIT_LINK_COUNT_FAIL:"Hard link"-Zähler von '$1' Kommando: $2 ROOTKIT_LINK_COUNT_CMDERR:Fehler von '$1' Kommando während der Überprüfung '$2' ROOTKIT_PHALANX2_LINK_COUNT_FAIL:"Hard link"-Überprüfung von '$1' fehlgeschlagen ROOTKIT_ADD_START:Führe zusätzliche Rootkit-Tests aus ROOTKIT_ADD_SUCKIT: erweiterte "Suckit Rootkit"-Tests ROOTKIT_ADD_SUCKIT_LOG:Führe erweiterte "Suckit Rootkit"-Tests aus ROOTKIT_ADD_SUCKIT_LINK_NOCMD:Überprüfe '/sbin/init' link-Anzahl: kein 'stat'-Kommando gefunden ROOTKIT_ADD_SUCKIT_LINK_FOUND:Überprüfe '/sbin/init' link-Anzahl: Anzahl ist $1, sollte aber 1 sein ROOTKIT_ADD_SUCKIT_EXT:Überprüfung auf versteckte Datei-Erweiterung ROOTKIT_ADD_SUCKIT_EXT_FOUND:Überprüfe auf versteckte Datei-Erweiterungen: $1 gefunden ROOTKIT_ADD_SUCKIT_SKDET:Führe skdet-Kommando aus ROOTKIT_ADD_SUCKIT_SKDET_FOUND:Führe skdet-Kommando aus: $1 gefunden ROOTKIT_ADD_SUCKIT_SKDET_VER:Führe skdet-Kommando aus: unbekannte Version: $1 ROOTKIT_POSS_FILES_DIRS:Überprüfe auf mögliche Rootkit-Dateien und -Verzeichnisse ROOTKIT_POSS_FILES_DIRS_LOG:Führe Überprüfung auf mögliche Rootkit-Dateien und -Verzeichnisse aus ROOTKIT_POSS_FILES_FILE_FOUND:Datei '$1' gefunden. Mögliches Rootkit: $2 ROOTKIT_POSS_FILES_DIR_FOUND:Verzeichnis '$1' gefunden. Mögliches Rootkit: $2 ROOTKIT_POSS_STRINGS:Überprüfe auf mögliche Rootkit-Zeichenketten ROOTKIT_POSS_STRINGS_LOG:Führe Überprüfung auf mögliche Rootkit-Zeichenketten aus ROOTKIT_POSS_STRINGS_FOUND:Zeichenkette '$1' gefunden in Datei '$2'. 
Mögliches Rootkit: $3 ROOTKIT_MALWARE_START:Führe Überprüfung auf Malware aus ROOTKIT_MALWARE_SUSP_FILES:Überprüfe laufende Prozesse auf verdächtige Dateien ROOTKIT_MALWARE_SUSP_FILES_FOUND:Eine oder mehrere Datei(en) wurden gefunden: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND:Überprüfen Sie die Ausgabe des lsof-Kommandos 'lsof -F n -w -n' ROOTKIT_MALWARE_HIDDEN_PROCS:Überprüfe auf versteckte Prozesse ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:Versteckte Prozesse gefunden: $1 ROOTKIT_MALWARE_DELETED_FILES:Überprüfe laufende Prozesse auf gelöschte Dateien ROOTKIT_MALWARE_DELETED_FILES_FOUND:Die folgenden Prozesse nutzen gelöschte Dateien: ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:Prozess: $1 PID: $2 Datei: $3 ROOTKIT_MALWARE_DELETED_FILES_WL:Prozess '$1' benutzt Datei '$2': erlaubt mittels Whitelist. ROOTKIT_MALWARE_LOGIN_BDOOR:Überprüfung auf Backdoors, die der Anmeldung dienen ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:Führe Überprüfungen auf Backdoors für die Anmeldung aus ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:Überprüfe auf '$1' ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:Backdoor-Datei für Anmeldung gefunden: $1 ROOTKIT_MALWARE_SUSP_DIR:Überprüfung auf verdächtige Verzeichnisse ROOTKIT_MALWARE_SUSP_DIR_LOG:Führe Überprüfung auf verdächtige Verzeichnisse aus ROOTKIT_MALWARE_SUSP_DIR_FOUND:Verdächtiges Verzeichnis gefunden: $1 ROOTKIT_MALWARE_SFW_INTRUSION:Überprüfung auf Eingriff in Software ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:Die Datei '$1' enthält die Zeichenkette '$2'. Mögliches Rootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:Überprüfung übersprungen - tripwire ist nicht installiert ROOTKIT_MALWARE_SNIFFER:Überprüfung auf Log-Files von Sniffern ROOTKIT_MALWARE_SNIFFER_LOG:Führe Überprüfung auf Log-Files von Sniffern aus ROOTKIT_MALWARE_SNIFFER_FOUND:Mögliche Sniffer-Log-Datei gefunden: $1 ROOTKIT_TROJAN_START:Führe Überprüfung auf Trojaner aus ROOTKIT_TROJAN_INETD:Überprüfe auf aktivierte Inetd-Dienste ROOTKIT_TROJAN_INETD_SKIP:Überprüfung übersprungen - Datei '$1' existiert nicht. 
ROOTKIT_TROJAN_INETD_FOUND:Aktivierten Inetd-Dienst gefunden: $1 ROOTKIT_TROJAN_XINETD:Überprüfe auf aktivierte Xinetd-Dienste ROOTKIT_TROJAN_XINETD_LOG:Überprüfe auf aktivierte Xinetd-Dienste ROOTKIT_TROJAN_XINETD_ENABLED:Überprüfe '$1' auf aktivierte Dienste ROOTKIT_TROJAN_XINETD_INCLUDE:'include $1'-Anweisung gefunden ROOTKIT_TROJAN_XINETD_INCLUDEDIR:'includedir $1'-Anweisung gefunden ROOTKIT_TROJAN_XINETD_ENABLED_FOUND:Aktivierten Xinetd-Dienst gefunden: $1 ROOTKIT_TROJAN_XINETD_WHITELIST:Dienst '$1' gefunden: erlaubt in $2 mittels Whitelist. ROOTKIT_TROJAN_APACHE:Überprüfe auf Apache-Backdoor ROOTKIT_TROJAN_APACHE_SKIPPED:Überprüfung auf Apache-Backdoor übersprungen: Apache-Module und Konfigurations-Verzeichnis nicht gefunden. ROOTKIT_TROJAN_APACHE_FOUND:Apache-Backdoor Modul 'mod_rootme' gefunden: $1 ROOTKIT_OS_START:Führe $1 Überprüfungen aus ROOTKIT_OS_SKIPPED:Keine speziellen Tests verfügbar ROOTKIT_OS_BSD_SOCKNET:Überprüfe sockstat und netstat Kommandos ROOTKIT_OS_BSD_SOCKNET_FOUND:Unterschiede zwischen sockstat und netstat Ausgaben: ROOTKIT_OS_BSD_SOCKNET_OUTPUT:$1 Ausgabe: $2 ROOTKIT_OS_FREEBSD_KLD:Überprüfe auf KLD-Backdoors ROOTKIT_OS_FREEBSD_KLD_FOUND:Mögliche FreeBSD KLD-Backdoor gefunden. 'kldstat -v' Kommando zeigt Zeichenkette '$1' ROOTKIT_OS_FREEBSD_PKGDB:Überprüfe Paketdatenbank ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:Die Paketdatenbank enthält möglicherweise widersprüchliche Daten. ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:Dies ist möglicherweise kein Sicherheitsproblem, aber das Ausführen von 'pkgdb -F' könnte bei der Diagnose helfen. ROOTKIT_OS_LINUX_LKM:Überprüfe geladene Kernel-Module ROOTKIT_OS_LINUX_LKM_FOUND:Unterschiede zwischen dem lsmod-Kommando und der Datei /proc/modules: ROOTKIT_OS_LINUX_LKM_OUTPUT:$1 Ausgabe: $2 ROOTKIT_OS_LINUX_LKM_EMPTY:Keine Ausgabe des lsmod-Kommandos oder aus der Datei /proc/modules erhalten: ROOTKIT_OS_LINUX_LKM_MOD_MISSING:Die Modul-Datei '$1' fehlt. 
ROOTKIT_OS_LINUX_LKMNAMES:Überprüfe Namen der Kernel-Module ROOTKIT_OS_LINUX_LKMNAMES_PATH:Verwende Modul-Pfadname von '$1' ROOTKIT_OS_LINUX_LKMNAMES_FOUND:Als schädlich bekanntes Kernel-Modul gefunden in '$1': $2 ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING:Das Kernel-Modul-Verzeichnis '$1' fehlt oder ist leer. CHECK_LOCALHOST:Überprüfe lokalen Host... STARTUP_FILES_START:Führe Überprüfung des System-Boot aus STARTUP_HOSTNAME:Überprüfe auf lokalen Hostnamen STARTUP_NO_HOSTNAME:Kein Hostname gefunden. STARTUP_CHECK_FILES_EXIST:Überprüfung der System-Start-Dateien STARTUP_NONE_GIVEN:Benutzer-Vorgabe 'NONE' für System-Start Pfadnamen STARTUP_CHECK_FILES_MALWARE:Überprüfe System-Start-Dateien auf Malware STARTUP_CHECK_NO_RC_FILES:Keine System-Start-Dateien gefunden. ACCOUNTS_START:Führe Überprüfungen auf Gruppen und Konten aus ACCOUNTS_PWD_FILE_CHECK:Überprüfe auf passwd-Datei ACCOUNTS_FOUND_PWD_FILE:Passwort-Datei gefunden: $1 ACCOUNTS_NO_PWD_FILE:Passwort-Datei $1 existiert nicht. ACCOUNTS_UID0:Überprüfung auf root-ähnliche (UID 0) Konten ACCOUNTS_UID0_WL:root-ähnliches Konto '$1' gefunden: erlaubt mittels Whitelist. ACCOUNTS_UID0_FOUND:Konto '$1' ist root-ähnlich (UID = 0) ACCOUNTS_SHADOW_FILE:Shadow-Datei gefunden: $1 ACCOUNTS_SHADOW_TCB:TCB-Shadow-Datei Verzeichnis: $1 ACCOUNTS_PWDLESS:Überprüfung auf Konten ohne Passwort ACCOUNTS_PWDLESS_WL:Konto '$1' ohne Passwort gefunden: erlaubt mittels Whitelist. ACCOUNTS_PWDLESS_FOUND:Konto ohne Passwort gefunden: $1 ACCOUNTS_NO_SHADOW_FILE:Keine shadow/passwd-Datei gefunden. PASSWD_CHANGES:Überprüfung auf Änderungen der passwd-Datei PASSWD_CHANGES_NO_TMP:Überprüfung auf Unterschiede in der passwd-Datei nicht möglich: es existiert keine Kopie der Datei. PASSWD_CHANGES_ADDED:Konten wurden der passwd-Datei hinzugefügt: PASSWD_CHANGES_REMOVED:Konten wurden aus der passwd-Datei entfernt: GROUP_CHANGES:Überprüfung auf Änderungen der Gruppen-Datei GROUP_CHANGES_NO_FILE:Gruppen-Datei $1 existiert nicht. 
GROUP_CHANGES_NO_TMP:Überprüfung auf Unterschiede in der group-Datei nicht möglich: es existiert keine Kopie der Datei. GROUP_CHANGES_ADDED:Gruppen wurden der group-Datei hinzugefügt: GROUP_CHANGES_REMOVED:Gruppen wurden aus der group-Datei entfernt: HISTORY_CHECK:Überprüfung der Historie der Shell des Root-Kontos HISTORY_CHECK_FOUND:Historie der Shell des Root-Kontos $1 ist ein symbolischer Link: $2 SYSTEM_CONFIGS_START:Führe Überprüfung der System-Konfigurations-Dateien aus SYSTEM_CONFIGS_FILE:Überprüfung auf Konfigurations-Datei von $1 SYSTEM_CONFIGS_FILE_FOUND:$1 Konfigurations-Datei gefunden: $2 SYSTEM_CONFIGS_SSH_ROOT:Überprüfung, ob Zugang des Root-Kontos mittels SSH erlaubt ist SYSTEM_CONFIGS_SSH_ROOT_FOUND:Die SSH- und rkhunter-Konfigurationsvariablen sollten übereinstimmen: SYSTEM_CONFIGS_SSH_ROOT_FOUND1:SSH-Konfigurationsvariable 'PermitRootLogin': $1 SYSTEM_CONFIGS_SSH_ROOT_FOUND2:Rkhunter-Konfigurationsvariable 'ALLOW_SSH_ROOT_USER': $1 SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:Die SSH-Konfigurationsvariable 'PermitRootLogin' wurde nicht gesetzt. SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:Der Standard-Wert kann 'yes' sein, was Root-Zugang erlaubt. SYSTEM_CONFIGS_SSH_PROTO:Überprüfung, ob das SSH-Protokoll Version 1 erlaubt ist SYSTEM_CONFIGS_SSH_PROTO_FOUND:SSH-Protokoll Version 1 ist aktiviert in der SSH-Konfiguration ($1). SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:Die SSH-Konfigurationsvariable 'Protocol' wurde nicht gesetzt. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:Der Standard-Wert kann '2,1' sein, was die Verwendung von Protokoll-Version 1 erlaubt. SYSTEM_CONFIGS_SYSLOG:Überprüfung, ob der syslog-Daemon ausgeführt wird SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:Der syslog-Daemon wird nicht ausgeführt. SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:Der syslog-Daemon wird nicht ausgeführt, aber ein Metalog-Daemon wurde gefunden. SYSTEM_CONFIGS_SYSLOG_SOCKLOG_RUNNING:Der syslog-Daemon wird nicht ausgeführt, aber ein socklog-Daemon wurde gefunden. 
SYSTEM_CONFIGS_SYSLOG_NO_FILE:Der syslog-Daemon wird ausgeführt, aber es kann keine Konfigurations-Datei gefunden werden. SYSTEM_CONFIGS_SYSLOG_REMOTE:Überprüfung, ob entferntes Logging via syslog erlaubt ist SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog-Konfiguration erlaubt entferntes Logging: $1 SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED:Rkhunter-Konfigurationsvariable 'ALLOW_SYSLOG_REMOTE_LOGGING' ist aktiviert. FILESYSTEM_START:Führe Dateisystem-Tests aus FILESYSTEM_DEV_CHECK:Überprüfe /dev auf verdächtige Dateien FILESYSTEM_DEV_CHECK_NO_DEV:/dev existiert nicht. FILESYSTEM_DEV_FILE_WL:Datei '$1' gefunden: erlaubt mittels Whitelist. FILESYSTEM_DEV_FILE_FOUND:Verdächtige Dateitypen in ${1} gefunden: FILESYSTEM_HIDDEN_DIR_WL:Verstecktes Verzeichnis '$1' gefunden: erlaubt mittels Whitelist. FILESYSTEM_HIDDEN_FILE_WL:Versteckte Datei '$1' gefunden: erlaubt mittels Whitelist. FILESYSTEM_HIDDEN_CHECK:Überprüfe auf versteckte Dateien und Verzeichnisse FILESYSTEM_HIDDEN_DIR_FOUND:Verstecktes Verzeichnis gefunden: $1 FILESYSTEM_HIDDEN_FILE_FOUND:Versteckte Datei gefunden: $1 CHECK_APPS:Überprüfe Versionsnummern der Anwendungen... APPS_NONE_FOUND:Keine bekannten Anwendungen gefunden - alle Tests übersprungen. APPS_DAT_MISSING:Alle Anwendungs-Tests übersprungen. APPS_DAT_MISSING:Die Datei mit der Liste der unsicheren Anwendungsversionen (programs_bad.dat) fehlt oder ist leer. APPS_DAT_MISSING:Wenn diese Datei gelöscht wurde müssen Sie 'rkhunter --update' ausführen. APPS_NOT_FOUND:Anwendung '$1' nicht gefunden. APPS_CHECK:Überprüfe Version von $1 APPS_CHECK_WL:Anwendung '$1' gefunden: erlaubt mittels Whitelist. APPS_CHECK_VERSION_UNKNOWN:Versionsnummer kann nicht ausgelesen werden für '$1'. APPS_CHECK_VERSION_FOUND:Anwendung '$1' in Version '$2' gefunden. APPS_CHECK_VERSION_WL:Anwendung '$1' in Version '$2' gefunden: diese Version ist erlaubt mittels Whitelist. 
APPS_CHECK_WHOLE_VERSION_USED:Versionsnummer kann nicht ausgelesen werden für '$1': Versions-Option gibt folgendes zurück: $2 APPS_CHECK_FOUND:Anwendung '$1', Version '$2', ist veraltet und ein mögliches Sicherheitsrisiko. APPS_TOTAL_COUNT:Anwendungen überprüft: $1 von $2 CHECK_NETWORK:Überprüfe das Netzwerk... NETWORK_PORTS_START:Führe Überprüfungen auf Backdoor-Ports aus NETWORK_PORTS_FILE_MISSING:Alle Backdoor-Port-Tests übersprungen. NETWORK_PORTS_FILE_MISSING:Die Datei mit den bekannten Backdoor-Ports (backdoorports.dat) fehlt oder ist leer. NETWORK_PORTS_FILE_MISSING:Wenn diese Datei gelöscht wurde, müssen Sie 'rkhunter --update' ausführen. NETWORK_PORTS_UNKNOWN_NETSTAT:Alle Überprüfungen auf Backdoor-Ports übersprungen. NETWORK_PORTS_UNKNOWN_NETSTAT:Unbekannte netstat-Kommando Formatierung in diesem Betriebssystem. NETWORK_PORTS_DISABLE_PATHS:Deaktiviere Pfadnamen und '*' in Port-Whitelist-Einstellungen: kein 'lsof'-Kommando verfügbar NETWORK_PORTS_ENABLE_TRUSTED:Vertrauenswürdige Pfadnamen sind aktiviert für Port-Whitelisting. NETWORK_PORTS:Überprüfe auf $1 Port $2 NETWORK_PORTS_PATH_WHITELIST:Netzwerk $1 Port $2 wird verwendet von $3: der Pfadname ist erlaubt mittels Whitelist. NETWORK_PORTS_TRUSTED_WHITELIST:Netzwerk $1 Port $2 wird verwendet von $3: der Pfadname ist vertrauenswürdig. NETWORK_PORTS_PORT_WHITELIST:Netzwerk $1 Port $2 wird verwendet: der Port ist erlaubt mittels Whitelist. NETWORK_PORTS_FOUND:Netzwerk $1 Port $2 wird verwendet ${3}. Mögliches Rootkit: $4 NETWORK_PORTS_FOUND:Verwenden Sie das 'lsof -i' oder 'netstat -an'-Kommando um dies zu überprüfen. NETWORK_INTERFACE_START:Führe Überprüfungen der Netzwerk-Schnittstellen durch NETWORK_PROMISC_CHECK:Überprüfe auf Netzwerk-Schnittstellen im promiscuous-Modus NETWORK_PROMISC_NO_IFCONFIG:Überprüfung auf Netzwerk-Schnittstellen im promiscuous-Modus übersprungen - 'ifconfig'-Kommando wurde nicht gefunden. 
NETWORK_PROMISC_NO_IP:Überprüfung der Netzwerk-Schnittstelle im promiscuous-Modus mit dem 'ip'-Kommando übersprungen - 'ip'-Kommando wurde nicht gefunden. NETWORK_PROMISC_IF:Mögliche Netzwerk-Schnittstellen im promiscuous-Modus: NETWORK_PROMISC_IF_1:'ifconfig'-Kommando Ausgabe: $1 NETWORK_PROMISC_IF_2:'ip'-Kommando Ausgabe: $1 NETWORK_PACKET_CAP_CHECK:Überprüfe auf Anwendungen, die Pakete abfangen NETWORK_PACKET_CAP_CHECK_NO_FILE:Überprüfung auf Anwendungen, die Pakete abfangen, übersprungen - die Datei '$1' fehlt. NETWORK_PACKET_CAP_FOUND:Prozess '$1' (PID $2) lauscht im Netzwerk. NETWORK_PACKET_CAP_WL:Prozess '$1' gefunden: erlaubt mittels Whitelist. SHARED_LIBS_START:Führe 'shared libraries' Überprüfung aus SHARED_LIBS_PRELOAD_VAR:Überprüfe auf 'preloading' Variablen SHARED_LIBS_PRELOAD_VAR_FOUND:Bibliothek gefunden die Variablen vorlädt: $1 SHARED_LIBS_PRELOAD_FILE:Überprüfe Dateien, die vorgeladen werden SHARED_LIBS_PRELOAD_FILE_FOUND:Bibliothek gefunden die Datei(en) vorlädt: $1 SHARED_LIBS_PATH:Überprüfe LD_LIBRARY_PATH Variable SHARED_LIBS_PATH_BAD:Die LD_LIBRARY_PATH Umgebungs-Variable ist gesetzt und beeinflusst ausführbare Dateien: gesetzt auf: $1 SUSPSCAN_CHECK:Überprüfe auf Dateien mit verdächtigem Inhalt SUSPSCAN_DIR_NOT_EXIST:Das Verzeichnis '$1' existiert nicht. SUSPSCAN_INSPECT:Datei '$1' (Wertung: $2) enthält einigen verdächtigen Inhalt und sollte überprüft werden. 
SUSPSCAN_START:Führe Überprüfung auf Dateien mit verdächtigem Inhalt aus SUSPSCAN_DIRS:Zu überprüfende Verzeichnisse: $1 SUSPSCAN_NO_DIRS:Keine Verzeichnisse angegeben: verwende Standard-Einstellungen ($1) SUSPSCAN_TEMP:Verwende temporäres Verzeichnis: $1 SUSPSCAN_NO_TEMP:Kein temporäres Verzeichnis angegeben: verwende Standard-Einstellungen ($1) SUSPSCAN_TEMP_NOT_EXIST:Das zu nutzende temporäre Verzeichnis existiert nicht: $1 SUSPSCAN_TEMP_NO_WRITE:In das zu nutzende temporäre Verzeichnis kann nicht geschrieben werden: $1 SUSPSCAN_SIZE:Maximale Größe für Dateien, die zu überprüfen sind (in Bytes): '$1' SUSPSCAN_NO_SIZE:Keine maximale Größe für zu untersuchende Dateien angegeben: verwende Standard-Einstellungen ($1) SUSPSCAN_SIZE_INVALID:Die konfigurierte maximale Größe für Dateien ist fehlerhaft: $1 SUSPSCAN_THRESH:Grenzwert für Bewertung ist gesetzt auf: $1 SUSPSCAN_NO_THRESH:Kein Grenzwert für Bewertungen konfiguriert: verwende Standard-Einstellungen ($1) SUSPSCAN_THRESH_INVALID:Der konfigurierte Grenzwert für Bewertungen ist fehlerhaft: $1 SUSPSCAN_DIR_CHECK:Überprüfe Verzeichnis: '$1' SUSPSCAN_DIR_CHECK_NO_FILES:Keine passenden Dateien für die Überprüfung gefunden. 
SUSPSCAN_FILE_CHECK:Datei überprüft: Name: '$1' Bewertung: $2 SUSPSCAN_FILE_CHECK_DEBUG:Datei überprüft: Name: '$1' Bewertung: $2 Treffersumme: $3 Treffer: ($4) SUSPSCAN_FILE_SKIPPED_EMPTY:Datei ignoriert: leer: '$1' SUSPSCAN_FILE_SKIPPED_LINK:Datei ignoriert: symbolischer Link: '$1' SUSPSCAN_FILE_SKIPPED_TYPE:Datei ignoriert: falscher Typ: '$1': '$2' SUSPSCAN_FILE_SKIPPED_SIZE:Datei ignoriert: zu groß: '$1' SUSPSCAN_FILE_LINK_CHANGE:Symbolischer Link wurde nicht gefunden: '$1' -> '$2' LIST_TESTS:Verfügbare Überprüfungen lauten: LIST_GROUPED_TESTS:Gruppierte Überprüfungen lauten: LIST_LANGS:Verfügbare Sprachen: LIST_RTKTS:Rootkits überprüft für: rkhunter-1.4.0/files/i18n/zh0000640000123200012320000005730111254021420015532 0ustar unspawnunspawnVersion:2009091601 # # We start with the definitions of the message types and results. There # are very few of these, so including these and all the parts of each # message in one file makes sense and for easier translation. # # The message type MSG_TYPE_PLAIN is used for ordinary messages. It has # no specific value, and is intercepted in the display function. It is # included here for completeness. The index names of MSG_TYPE_ and # MSG_RESULT_ are reserved - no messages can use this as part of its index. # MSG_TYPE_PLAIN: MSG_TYPE_INFO:°T®§ MSG_TYPE_WARNING:ĵ§i # # This is the list of message results. # MSG_RESULT_OK:¥¿±` MSG_RESULT_BAD:·lÃa MSG_RESULT_SKIPPED:¸õ¹L MSG_RESULT_WARNING:!ª`·N! MSG_RESULT_FOUND:µo²{ MSG_RESULT_NOT_FOUND:¨Sµo²{ MSG_RESULT_NONE_FOUND:¨Sµo²{ MSG_RESULT_ALLOWED:¥i¥H MSG_RESULT_NOT_ALLOWED:¤£¥i¥H MSG_RESULT_UPD: §ó·sªº MSG_RESULT_NO_UPD: ¨S§ó·s MSG_RESULT_UPD_FAILED: §ó·s¥¢±Ñ MSG_RESULT_VCHK_FAILED: ª©¥»Àˬd¥¢±Ñ # # The messages. # VERSIONLINE:[ $1 ª©¥» $2 ] VERSIONLINE2:¦b¥D¾÷ $3 °õ¦æ $1 ª©¥» $2 VERSIONLINE3:°õ¦æ $1 ª©¥» $2 RKH_STARTDATE:¶}©l®É¶¡¬O $1 RKH_ENDDATE:µ²§ô®É¶¡¬O $1 OPSYS:°»´ú¨ìªº¨t²Î¬O '$1' UNAME:Uname ¿é¥X¬O '$1' CONFIG_CHECK_START:Àˬd³]©wÀɤΩR¥O¦C¿ï¶µ... 
CONFIG_CMDLINE:©R¥O¦C¬O $1 CONFIG_ENVSHELL:SHELLµ{¦¡¬O $1; rkhunter ¥¿¦b¨Ï¥Î $2 CONFIG_CONFIGFILE:rkhunter³]©wÀɬO '$1' CONFIG_INSTALLDIR:¦w¸Ë¥Ø¿ý¬O'$1' CONFIG_LANGUAGE:¨Ï¥Îªº»y¨¥¬O '$1' CONFIG_DBDIR:¸ê®Æ®w¥Ø¿ý '$1' CONFIG_SCRIPTDIR:script¥Ø¿ý '$1' CONFIG_BINDIR:°õ¦æÀɥؿý '$1' CONFIG_ROOTDIR:®Ú¥Ø¿ý '$1' CONFIG_TMPDIR:¼È¦sÀɥؿý '$1' CONFIG_NO_MAIL_ON_WARN:¨S¦³³]¸mĵ§i«Hªº¶l¥ó¦ì§} CONFIG_MOW_DISABLED:®Ú¾Ú¨Ï¥ÎªÌ³]©w¡A¤£¨Ï¥Îĵ§i«H CONFIG_MAIL_ON_WARN:¨Ï¥Î©R¥O'$2'µ¹ '$1' µoĵ§i«H CONFIG_SSH_ROOT:Rkhunter ªº¿ï¶µ ALLOW_SSH_ROOT_USER³Q³]¸m¦¨ '$1'. CONFIG_SSH_PROTV1:Rkhunter ¿ï¶µ³Q³]¸m¦¨¥i¥H¨Ï¥Îª©¥»1ªºSSH¨ó©w CONFIG_X_AUTO:¦Û°ÊÀˬdX CONFIG_CLRSET2:¨Ï¥Î²Ä¤G­Ó°t¦â¤èªk CONFIG_NO_SHOW_SUMMARY:®Ú¾Ú¨Ï¥ÎªÌ³]©w¡A¤£Åã¥Ü¨t²ÎÁ`µ²³ø§i CONFIG_SCAN_MODE_DEV:SCAN_MODE_DEV³Q³]¸m¬°'$1' CONFIG_NO_VL:®Ú¾Ú¨Ï¥ÎªÌ³]©w¡A¤£¸Ô²Ó°O¿ý CONFIG_XINETD_PATH:¨Ï¥Î $1 ³]©wÀÉ '$2' CONFIG_SOL10_INETD:¨Ï¥ÎSolaris 10 ¤Î¥H«áªºinetd¾÷¨î CONFIG_LOCAL_RC_DIR:¨Ï¥Î¨t²Îªº±Ò°Ê¥Ø¿ý: $1 CONFIG_LOCAL_RC_FILE:¨Ï¥Î¥»¦aªº±Ò°Ê¥Ø¿ýÀÉ®×: $1 CONFIG_ROTATE_MIRRORS:³Æ´©ÀÉ®×±N¤©¥HÂà¸m ONFIG_NO_ROTATE_MIRRORS:³Æ´©ÀÉ®×±N¤£³QÂà¸m CONFIG_UPDATE_MIRRORS:³Æ´©ÀÉ®×±N³Q§ó·s CONFIG_NO_UPDATE_MIRRORS:³Æ´©ÀÉ®×±N¤£³Q§ó·s CONFIG_MIRRORS_MODE0:¥»¦a©M»·ºÝ³Æ´©ÀÉ®×±N³£³Q¨Ï¥Î CONFIG_MIRRORS_MODE1:¥u¨Ï¥Î¥»¦a³Æ´©ÀÉ®× CONFIG_MIRRORS_MODE2:¥u¨Ï¥Î»·ºÝ³Æ´©ÀÉ®× FOUND_CMD:§ä¨ì '$1' ©R¥O: $2 NOT_FOUND_CMD:µLªk§ä¨ì'$1' ©R¥O SYS_PRELINK:¨t²Î¥¿¦b¨Ï¥Îprelinking SYS_NO_PRELINK:¨t²Î¤£¨Ï¥Îprelinking HASH_FUNC_PRELINK:¬°¤FÀɮתº hash Àˬd¦Ó¨Ï¥Î prelink ©R¥O (±a $1) HASH_FUNC_PERL:¨Ï¥Î perl $1 ¼Ò²Õ¨ÓÀˬdÀÉ®×hash HASH_FUNC:checksumµ{¦¡ '$1' HASH_FUNC_NONE:µLªkÀˬdÀÉ®×hash : ¨S¦³«ü©w HASH_FUNC_NONE_PKGMGR:¨S¦³«ü©wÀÉ®×hash¨ç¼Æ: ¥u¯à¨Ï¥Î®M¥óºÞ²zµ{¦¡ HASH_FUNC_DISABLED:Hash¨ç¼Æ³]¸m¬°'NONE': ¦Û°Ê¨ÏÀÉ®×hashÀˬdµL®Ä HASH_FUNC_OLD:¨Ï¥Îhash¨ç¼Æ '$1'Àx¦shash­È HASH_FUNC_OLD_DISABLED:ªºªºhash¨ç¼ÆµL®Ä: ¨S¦³hash­È³QÀx¦s HASH_PKGMGR_OLD::¨Ï¥Î®M¥óºÞ²zµ{¦¡'$1'Àx¦shash­È HASH_PKGMGR_OLD_NONMD5:¨Ï¥Î®M¥óºÞ²zµ{¦¡'$1'(md5 function)Àx¦shash­È HASH_PKGMGR_OLD_UNSET:¤£¨Ï¥Î®M¥óºÞ²zµ{¦¡¦ÓÀx¦shash­È 
HASH_PKGMGR:¨Ï¥Î®M¥óºÞ²zµ{¦¡ '$1' ÀˬdÀÉ®×ÄÝ©Ê HASH_PKGMGR_MD5:¨Ï¥Î MD5 hash ¨ç¼Æ©R¥O '$1' À°§U®M¥óºÞ²zµ{¦¡¶i¦æÅçÃÒ HASH_PKGMGR_NOT_SPEC:¨S¦³«ü©w®M¥óºÞ²zµ{¦¡: ¨Ï¥Î hash ¨ç¼Æ '$1' HASH_PKGMGR_NOT_SPEC_PRELINKED:¨S¦³«ü©w®M¥óºÞ²zµ{¦¡: ¨Ï¥Î±a '$1' ªº prelink ©R¥O HASH_PKGMGR_USE_VRFY:®M¥óºÞ²zµ{¦¡ÅçÃÒ±N¥Î©óÀÉ®×ÄݩʪºÀˬdµ²ªG HASH_PKGMGR_NO_USE_VRFY:®M¥óºÞ²zµ{¦¡ÅçÃÒ±N¤£¥Î©óÀÉ®×ÄݩʪºÀˬdµ²ªG HASH_FIELD_INDEX:hash ¨ç¼ÆªºÄæ¦ì¯Á¤Þ³Q³]¸m¬° $1 HASHUPD_DISABLED:Hash Àˬd¥¢®Ä: ¥Ø«eªºÀÉ®×hash­È±N¤£·|Àx¦s HASHUPD_PKGMGR:¨Ï¥Î®M¥óºÞ²zµ{¦¡ '$1' ¨Ó§ó·sÀÉ®×hash­È HASHUPD_PKGMGR_NONE:¨S¦³«ü©w®M¥óºÞ²zµ{¦¡: ¨Ï¥Îhash¨ç¼Æ '$1' HASHUPD_PKGMGR_NONE_PRELINKED:¨S¦³«ü©w®M¥óºÞ²zµ{¦¡: ¨Ï¥Î±a'$1'ªºprelink©R¥O HASHUPD_PKGMGR_NOT_SPEC:¨S¦³«ü©wÀÉ®× hash §ó·s®M¥óºÞ²zµ{¦¡: ¨Ï¥Î hash ¨ç¼Æ '$1' HASHUPD_PKGMGR_NOT_SPEC_PRELINKED:¨S¦³«ü©wÀÉ®× hash §ó·s®M¥óºÞ²zµ{¦¡: ¨Ï¥Î±a '$1'ªº prelink ©R¥O HASHUPD_PKGMGR_MD5:¨Ï¥ÎMD5 hash¨ç¼Æ©R¥O'$1'§@¬°®M¥óºÞ²zµ{¦¡ HASHUPD_PKGMGR_MD5_PRELINK:¨Ï¥Îprelink©R¥O (±a $1)§@¬°®M¥óºÞ²zµ{¦¡ ATTRUPD_DISABLED:ÀÉ®×ÄÝ©ÊÀˬd¥¢®Ä: ¥Ø«eªºÀÉ®×ÄݩʱN¤£·|Àx¦s ATTRUPD_NOSTAT:ÀÉ®×ÄÝ©ÊÀˬd¥¢®Ä: ¨S¦³µo²{'stat'©R¥O:¥Ø«eªºÀÉ®×ÄݩʱN¤£·|Àx¦s ATTRUPD_OK:¥Ø«eªºÀÉ®×ÄݩʱN³QÀx¦s ATTRUPD_OLD_DISABLED:ªºÀÉ®×ÄݩʵL®Ä: ¨S¦³ÀÉ®×ÄÝ©ÊÀx¦s ATTRUPD_OLD_NOSTAT:ªºÀÉ®×ÄݩʵL®Ä: ¨S¦³µo²{'stat'©R¥O: ¨S¦³ÀÉ®×ÄݩʳQÀx¦s ATTRUPD_OLD_OK:Àx¦sªºÀÉ®×ÄÝ©Ê GRSECINSTALLED:µo²{¦³¦w¸ËGRSEC SYSLOG_ENABLED:±Ò¥Î syslog - facility/priority µ¥¯Å¬O '$1'. SYSLOG_DISABLED:®Ú¾Ú¨Ï¥ÎªÌ³]©w¡A¤£¨Ï¥Î syslog . SYSLOG_NO_LOGGER:µLªk¨Ï¥Î syslog - µLªk§ä¨ì 'logger' ©R¥O. NAME:$1 PRESSENTER:[«ö ÁäÄ~Äò] TEST_SKIPPED_OS:¦]¬° OS: $2¡A¸õ¹LÀˬd '$1' SUMMARY_TITLE1:¨t²ÎÀˬdµ²ªG SUMMARY_TITLE2:===================== SUMMARY_PROP_SCAN:ÀˬdÀÉ®×ÄÝ©Ê... SUMMARY_PROP_REQCMDS:­n¨DªºÀˬd©R¥O¥¢±Ñ SUMMARY_PROP_COUNT:ÀˬdÀÉ®×: $1 SUMMARY_PROP_FAILED:¥iºÃÀÉ®×: $1 SUMMARY_CHKS_SKIPPED:¸õ¹L©Ò¦³Àˬd SUMMARY_RKT_SCAN:ÀˬdRootkit... SUMMARY_RKT_COUNT:ÀˬdRootkits : $1 SUMMARY_RKT_FAILED:¥i¯à¦s¦b rootkits: $1 SUMMARY_RKT_NAMES:Rootkit ¦WºÙ : $1 SUMMARY_APPS_SCAN:À³¥Îµ{¦¡Àˬd... 
SUMMARY_APPS_COUNT:À³¥Îµ{¦¡Àˬd: $1 SUMMARY_APPS_FAILED:¥iºÃªºÀ³¥Îµ{¦¡: $1 SUMMARY_SCAN_TIME:Àˬd¨t²Î®É¶¡: $1 SUMMARY_NO_SCAN_TIME:Àˬd¨t²Î®É¶¡: µLªk­pºâ¨t²Î®É¶¡ SUMMARY_LOGFILE:©Ò¦³µ²ªG¤w³Q¼g¤J¨ì¨t²Î°O¿ýÀÉ($1) SUMMARY_NO_LOGFILE:¨S¦³«Ø¥ß¨t²Î°O¿ýÀÉ. CREATED_TEMP_FILE:«Ø¥ß¼È¦sÀɥؿý '$1' MIRRORS_NO_FILE:³Æ´©ÀÉ®×'$1'¤£¦s¦b MIRRORS_NO_MIRRORS:³Æ´©ÀÉ®× '$1' ¤¤¨S¦³»Ý­nªº³Æ´©. MIRRORS_NO_VERSION:³Æ´©ÀÉ®× '$1'¤¤¨S¦³ª©¥»½s¸¹ - ­«·s³]¸m¬°0. MIRRORS_ROTATED:³Æ´©ÀÉ®× '$1' ¤w³Q§ó·s. MIRRORS_SF_DEFAULT:¨Ï¥Î SourceForge ³Æ´©: $1 DOWNLOAD_CMD:°õ¦æ¤U¸ü©R¥O '$1' DOWNLOAD_FAIL:¤U¸ü¥¢±Ñ - $1 ³Æ´©ÀÉ®×µL®Ä. VERSIONCHECK_START:¥¿¦bÀˬd rkhunter ª©¥»... VERSIONCHECK_FAIL_ALL:¤U¸ü¥¢±Ñ: µLªk½T©w³Ì·sªºµ{¦¡ª©¥». VERSIONCHECK_CURRENT:¥Ø«eªºª©¥» : $1 VERSIONCHECK_LATEST:³Ì·sªºª©¥»: $1 VERSIONCHECK_LATEST_FAIL:³Ì·sª©¥»: ¤U¸ü¥¢±Ñ VERSIONCHECK_UPDT_AVAIL:§ó·s¦³®Ä VERSIONCHECK_CONV_FAIL:µLªk¤ñ¸ûª©¥»½s¸¹: µ{¦¡: '$1' Latest: '$2' UPDATE_START:¥¿¦bÀˬdrkhunter ªº¸ê®ÆÀÉ®×... UPDATE_CHECKING_FILE:¥¿¦bÀˬdÀÉ®×$1 UPDATE_FILE_NO_VERS:ÀÉ®× '$1' ¨S¦³¦³®Äªºª©¥»½s¸¹. ¥¿¤U¸ü¤@­Ó·sªº°Æ¥». UPDATE_FILE_MISSING:ÀÉ®× '$1' ¿ò¥¢©Î¬°ªÅÀÉ. ¥¿¤U¸ü¤@­Ó·sªº°Æ¥». UPDATE_DOWNLOAD_FAIL:'$1'¤U¸ü¥¢±Ñ: µLªk½T©w³Ì·sªºª©¥»½s¸¹. UPDATE_I18N_NO_VERS:µLªkµo²{i18n»y¨¥Àɮת©¥»½s¸¹. OSINFO_START:Àˬd¦Û¤W¦¸Àˬd«á¨t²Î¬O§_¦³³QÅܧó... OSINFO_END:¨S¦³µo²{¥ô¦óÅܧó OSINFO_HOST_CHANGE1:¦Û±q¤W¦¸Àˬd«á¡A¥D¾÷¦WºÙ¤w§ïÅÜ OSINFO_HOST_CHANGE2:ªº¥D¾÷¦WºÙ: $1 ·sªº¥D¾÷¦WºÙ: $2 OSINFO_OSVER_CHANGE1:¦Û¤W¦¸Àˬd«á¡A¨t²Î¦WºÙ©Îª©¥»¤w§ïÅÜ OSINFO_OSVER_CHANGE2:ªº§@·~¨t²Î: $1 ·sªº§@·~¨t²Î: $2 OSINFO_PRELINK_CHANGE:¦Û¤W¦¸Àˬd«á¡A¨Ï¥Îprelinking¨t²Î¥i¯à¤w§ïÅܬ°${1} OSINFO_ARCH_CHANGE1:¨t²ÎªºCPUÃþ«¬¥i¯à¤w§ïÅÜ OSINFO_ARCH_CHANGE2:ªºCPU: $1 ·sªºCPU: $2 OSINFO_MSG1:¦]¬°³o¨Ç§ïÅÜ¡AÀÉ®×ÄÝ©ÊÀˬd¥i¯à¦³¿ù»~ªºµ²ªG. OSINFO_MSG2:§A¥i¯à»Ý­n¥Î'--propupd' ¿ï¶µ­«·s°õ¦ærkhunter SET_FILE_PROP_START: file properties¥¿¦b¨ú±oÀÉ®×ÄÝ©Ê... 
SET_FILE_PROP_DIR_FILE_COUNT:¦b$2µo²{$1 ­ÓÀÉ®× SET_FILE_PROP_FILE_COUNT:ÀÉ®× $1: ·j´M¤F $2 ­ÓÀÉ®×, µo²{ $3 SET_FILE_PROP_FILE_COUNT_NOHASH:FÀÉ®× $1: ·j´M¤F $2 ­ÓÀÉ®×, µo²{ $3, ¿ò¥¢ hashes $4 PROPUPD_START:¶}©l§ó·sÀÉ®×ÄÝ©Ê¸ê®Æ... PROPUPD_OSINFO_START:¥¿¦b¦¬¶°§@·~¨t²Îªº°T®§... PROPUPD_ARCH_FOUND:µo²{¨t²Î¬[ºc: $1 PROPUPD_REL_FILE:µo²{ release ÀÉ®×: $1 PROPUPD_NO_REL_FILE:¤£¯à§ä¨ìrelease ÀÉ®×: LS ¿é¥XÅã¥Ü: PROPUPD_OSNAME_FOUND:µo²{§@·~¨t²Î¦WºÙ: $1 PROPUPD_ERROR:¦w¸Ë·sªº rkhunter.dat ÀÉ®×µo¥Í¿ù»~. ¥N½X $1 PROPUPD_NEW_DAT_FILE:·sªº rkhunter.dat Àɮפw¦w¸Ë¦b '$1' PROPUPD_WARN:ĵ§i! ·í¨Ï¥Î '--propupd' ¿ï¶µ®É¡A¨Ï¥ÎªÌ¥²¶·¦Û¦æ½T©w PROPUPD_WARN:¨t²Î¤¤©Ò¦³ªºÀɮ׬O¯u¹êªº¡B¦w¸ËªºÀɮרӷ½¬O¥i¾aªº. PROPUPD_WARN:rkhunter '--check' ¿ï¶µ±N¥Ø«eªºÀÉ®×ÄݩʻP¥ý«e PROPUPD_WARN:Àx¦sªº­È¶i¦æ¹ï¤ñ,¨Ã¥B³ø§i¥ô¦óªºÅܰÊ. µM¦Ó, rkhunter PROPUPD_WARN:µLªk½T©w¬O¤°»ò­ì¦]³y¦¨¤F³o¨ÇÅܰʡA»Ý«Ý¨Ï¥ÎªÌ¥h½T»{. ENABLED_TESTS:±Ò¥Îªº´ú¸Õ¬O: $1 DISABLED_TESTS:¤£±Ò¥Îªº´ú¸Õ¬O: $1 KSYMS_FOUND:µo²{ ksym ÀÉ®× '$1' KSYMS_MISSING:©Ò¦³ªº ksyms ©M kallsyms Àˬd¤w³Q¨ú®ø - ³o¨âºØÀɮצb¨t²Î¤¤³£¤£¦s¦b. STARTING_TEST:¶}©l '$1' Àˬd USER_DISABLED_TEST:¨Ï¥ÎªÌ¤w¨ú®ø '$1' Àˬd. CHECK_START:¶}©lÀˬd¨t²Î... CHECK_WARNINGS_NOT_FOUND:¦bÀˬd¨t²Î¹Lµ{¤¤¨S¦³Äµ§i²£¥Í. CHECK_WARNINGS_FOUND:Àˬd¨t²Î¹Lµ{¤¤µo²{¤@­Ó©Î¦h­Óĵ§i. CHECK_WARNINGS_FOUND_RERUN:½Ð­«·s°õ¦ærkhunter¡A½T»{¨t²Î°O¿ýÀɤw«Ø¥ß. CHECK_WARNINGS_FOUND_CHK_LOG:½ÐÀˬd¨t²Î°O¿ýÀÉ ($1) CHECK_SYS_COMMANDS:Àˬd¨t²Î©R¥O... STRINGS_CHECK_START:°õ¦æ '¦r¦ê' ©R¥OÀˬd STRINGS_SCANNING_OK:±½ºË¦r¦ê $1 STRINGS_SCANNING_BAD:±½ºË¦r¦ê $1 STRINGS_SCANNING_BAD:'¦r¦ê' ©R¥O¤¤µLªkµo²{¦r¦ê STRINGS_CHECK:Àˬd '¦r¦ê' ©R¥O STRINGS_CHECK:¸õ¹LÀˬd - ¨S¦³µo²{ '¦r¦ê' ©R¥O. FILE_PROP_START:°õ¦æÀÉ®×ÄÝ©ÊÀˬd FILE_PROP_CMDS:Àˬd­«­nªº°ò¥»µ{¦¡ FILE_PROP_IMMUT_OS:¸õ¹L©Ò¦³ªº immutable-bit Àˬd. ¸ÓÀˬd¶È¦b Linux ¨t²Î¤U¦³®Ä. FILE_PROP_SKIP_ATTR:µLªk§ä¨ì 'stat' ©R¥O - ©Ò¦³ªºÀÉ®×ÄÝ©ÊÀˬd±N³Q¸õ¹L. 
FILE_PROP_SKIP_HASH:©Ò¦³ªºÀÉ®× hash Àˬd±N³Q¸õ¹L¡A¦]¬° : FILE_PROP_SKIP_HASH_FUNC:¥Ø«eªºªº hash ¨ç¼Æ ($1) ©ÎªÌ®M¥óºÞ²zµ{¦¡ ($2) »P hash ¨ç¼Æ ($3)¤£¬Û®e©Î®M¥óºÞ²zµ{¦¡ ($4) ³Q¥Î©óÀx¦s³o¨Ç­È. FILE_PROP_SKIP_HASH_PRELINK:µLªk§ä¨ì 'prelink' ©R¥O. FILE_PROP_SKIP_HASH_SHA1:³o­Ó¨t²Î¨Ï¥Î prelinking, ¦ý¬O hash ¨ç¼Æ©R¥O ¤£¹³¬O SHA1 or MD5. FILE_PROP_SKIP_HASH_LIBSAFE:¨Sµo²{ Libsafe , ³o¥i¯à¾É­P¿ù»~. ¦pªG¥i¯à, Ãö³¬ libsafe ¨Ã°õ¦æ prelink ©R¥O. ³Ì«á, ¨Ï¥Î 'rkhunter --propupd'­«·s«Ø¥ß hash ­È. FILE_PROP_SKIP_IMMUT:µLªk§ä¨ì 'lsattr' ©R¥O - ©Ò¦³ªºÀÉ®× immutable-bit Àˬd±N³Q¸õ¹L. FILE_PROP_SKIP_SCRIPT:µLªk§ä¨ì 'file' ©R¥O - ©Ò¦³script¥N´ÀÀˬd±N³Q¸õ¹L. FILE_PROP_DAT_MISSING:Àx¦sÀÉ®×ÄݩʪºÀÉ®× (rkhunter.dat) ¤£¦s¦b, ©Ò¥H¥²¶·«Ø¥ß¥¦. ¿é¤J©R¥O 'rkhunter --propupd'«Ø¥ß. FILE_PROP_DAT_EMPTY:Àx¦sÀÉ®×ÄݩʪºÀÉ®× (rkhunter.dat) ¬OªÅªº, ©Ò¥H¥²¶·«Ø¥ß¥¦. ¿é¤J©R¥O 'rkhunter --propupd'«Ø¥ß. FILE_PROP_SKIP_ALL:¥Ø«e©¿²¤©Ò¦³ÀÉ®×ÄݩʪºÀˬd. FILE_PROP_FILE_NOT_EXIST:¨t²Î¤¤¤£¦s¦b '$1' ÀÉ®×, ¦ý¬O¥¦¦s¦b©ó rkhunter.dat ÀÉ®×. FILE_PROP_WL:µo²{ÀÉ®× '$1': ¥¦¦s¦b©ó¥Õ¦W³æ¤¤¡A¥Î©ó '$2' Àˬd. FILE_PROP_NO_RKH_REC:¨t²Î¤¤¦s¦bÀÉ®× '$1' , ¦ý¬O¥¦¤£¦s¦b©ó the rkhunter.dat ÀÉ®×. FILE_PROP_HASH_WL_INVALID:µo²{ÀÉ®× '$1': ¥Õ¦W³æªº hash ­È ($2) »P¥Ø«eªºªº hash ­È¤£¬Û²Å. FILE_PROP_CHANGED:ÀÉ®×Äݩʤw§ïÅÜ: FILE_PROP_CHANGED2:ÀÉ®×: $1 FILE_PROP_NO_PKGMGR_FILE:¸õ¹LÀÉ®× '$1' hash ­È: Àɮפ£ÄÝ©ó¸Ó®M¥ó FILE_PROP_NO_SYSHASH:¨Sµo²{ÀÉ®× '$1'ªºhash­È FILE_PROP_NO_SYSHASH_CMD:Hash ©R¥O¿é¥X: $1 FILE_PROP_NO_SYSHASH_DEPENDENCY:¹Á¸Õ¨Ï¥Î©R¥O 'prelink $1' ­×´_¬Û¨Ì©Ê¿ù»~. FILE_PROP_SYSHASH_UNAVAIL:¥Ø«eªº hash: µLªk¨ú±o FILE_PROP_SYSHASH:¥Ø«eªº hash: $1 FILE_PROP_RKHHASH:Àx¦s hash : $1 FILE_PROP_NO_RKHHASH:¤£¯à§ä¨ìrkhunter.dat¤¤ÀÉ®×'$1' ªºhash­È. FILE_PROP_NO_RKHPERM:¤£¯à§ä¨ìrkhunter.dat¤¤ÀÉ®×'$1' ªºÅv­­­È. 
FILE_PROP_PERM_UNAVAIL:¥Ø«eªºÅv­­: µLªk¨ú±o cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter Àx¦sªºÅv­­: $1 FILE_PROP_PERM:¥Ø«eªºÅv­­: $1 Àx¦sªºÅv­­: $2 FILE_PROP_UID_UNAVAIL:¥Ø«eªº uid: µLªk¨ú±o Àx¦sªº uid: $1 FILE_PROP_UID:¥Ø«eªº uid: $1 Àx¦sªº uid: $2 FILE_PROP_NO_RKHUID:¦bÀÉ®×rkhunter.dat¤¤¨S¦³§ä¨ìÀÉ®× '$1' ªºuser-id­È. FILE_PROP_GID_UNAVAIL:¥Ø«eªºªº gid: µLªk¨ú±o Àx¦sªº gid: $1 FILE_PROP_GID:¥Ø«eªºªº gid: $1 Àx¦sªº gid: $2 FILE_PROP_NO_RKHGID:¦bÀÉ®×rkhunter.dat¤¤¨S¦³§ä¨ìÀÉ®× '$1' ªºgroup-id­È. FILE_PROP_INODE_UNAVAIL:¥Ø«eªºªº inode: µLªk¨ú±o Àx¦sªº inode: $1 FILE_PROP_INODE:¥Ø«eªºªº inode: $1 Àx¦sªº inode: $2 FILE_PROP_NO_RKHINODE:¦bÀÉ®×rkhunter.dat¤¤¨S¦³§ä¨ìÀÉ®× '$1' ªºinode­È. FILE_PROP_SYSDTM_UNAVAIL:¥Ø«eªºªºÀÉ®×­×§ï®É¶¡: µLªk¨ú±o FILE_PROP_SYSDTM:¥Ø«eªºÀÉ®×­×§ï®É¶¡: $1 FILE_PROP_RKHDTM:Àx¦sªºÀÉ®×­×§ï®É¶¡ : $1 FILE_PROP_NO_RKHDTM:¦bÀÉ®×rkhunter.dat¤¤¨S¦³§ä¨ìÀÉ®× '$1' ªº­×§ï®É¶¡­È. FILE_PROP_NO_SYSATTR:µLªk¨ú±o '$1' ªº¥Ø«eªºÄÝ©Ê FILE_PROP_WRITE:ÀÉ®× '$1'³Q³]¸m¬°¹ï©Ò¦³¨Ï¥ÎªÌ¥i¼g. FILE_PROP_SYSPERM_UNAVAIL:µLªk¨ú±oÀÉ®× '$1' ªº¥Ø«eªº¼gÅv­­ FILE_PROP_IMMUT:ÀÉ®× '$1' ³Q³]¸m¤F immutable-bit . FILE_PROP_SCRIPT:©R¥O '$1' ¤w¸g³Qscript: $2 ¥N´À FILE_PROP_VRFY:®M¥óºÞ²zµ{¦¡ÅçÃÒ¤w¥¢®Ä: FILE_PROP_VRFY_HASH:ÀÉ®×hash­È¤w§ïÅÜ FILE_PROP_VRFY_PERM:ÀÉ®×Åv­­¤w§ïÅÜ FILE_PROP_VRFY_UID:Àɮתº¾Ö¦³ªÌÄݩʤw§ïÅÜ FILE_PROP_VRFY_GID:ÀɮײÕÄݩʤw§ïÅÜ FILE_PROP_VRFY_DTM:Àɮתº­×§ï®É¶¡¤w§ïÅÜ CHECK_ROOTKITS:¥¿¦bÀˬdrootkit... ROOTKIT_FILES_DIRS_START:¶}©lÀˬd¥Ø«e¤wª¾ªºrootkitºØÃþ©M¬ÛÃö¥Ø¿ý ROOTKIT_FILES_DIRS_NAME_LOG:Àˬd ${1}... ROOTKIT_FILES_DIRS_FILE:ÀˬdÀÉ®× '$1' ROOTKIT_FILES_DIRS_DIR:Àˬd¥Ø¿ý '$1' ROOTKIT_FILES_DIRS_KSYM:Àˬd®Ö¤ß²Å¸¹ '$1' ROOTKIT_FILES_DIRS_FILE_FOUND:µo²{ÀÉ®× '$1' ROOTKIT_FILES_DIRS_DIR_FOUND:µo²{¥Ø¿ý '$1' ROOTKIT_FILES_DIRS_KSYM_FOUND:µo²{®Ö¤ß²Å¸¹ '$1' ROOTKIT_FILES_DIRS_STR:Àˬd¦r¦ê '$1' ROOTKIT_FILES_DIRS_STR_FOUND:¦bÀÉ®× '$2'¤¤µo²{¦r¦ê'$1' ROOTKIT_FILES_DIRS_NOFILE:ÀÉ®× '$1' ¤£¦s¦b! 
ROOTKIT_FILES_DIRS_SINAR_DIR:Àˬd '$1' ROOTKIT_FILES_DIRS_SINAR:¦b: $1¤¤µo²{SInAR ROOTKIT_ADD_START:°õ¦æ¨ä¥¦ªºrootkitÀˬd ROOTKIT_ADD_SUCKIT:Suckit Rookit ÃB¥~ªºÀˬd ROOTKIT_ADD_SUCKIT_LOG:°õ¦æSuckit Rookit ÃB¥~ªºÀˬd ROOTKIT_ADD_SUCKIT_LINK:Àˬd/sbin/init ³sµ²¼Æ¶q ROOTKIT_ADD_SUCKIT_LINK_NOCMD:Àˬd /sbin/init ³sµ²¼Æ¶q: ¨Sµo²{ 'stat' ©R¥O ROOTKIT_ADD_SUCKIT_LINK_ERR:Àˬd /sbin/init ³sµ²¼Æ¶q: 'stat' ©R¥O¿ù»~ ROOTKIT_ADD_SUCKIT_LINK_FOUND:Àˬd /sbin/init ³sµ²¼Æ¶q: ¼Æ¶q¬O $1, ¥¦À³·í¬O 1 ROOTKIT_ADD_SUCKIT_EXT:ÀˬdÁôÂÃÀÉ®× ROOTKIT_ADD_SUCKIT_EXT_FOUND:ÀˬdÁôÂÃÀÉ®×: µo²{: $1 ROOTKIT_ADD_SUCKIT_SKDET:°õ¦æ skdet ©R¥O ROOTKIT_ADD_SUCKIT_SKDET_FOUND:°õ¦æ skdet ©R¥O: µo²{: $1 ROOTKIT_ADD_SUCKIT_SKDET_VER:°õ¦æ skdet ©R¥O: ¥¼ª¾ª©¥»: $1 ROOTKIT_POSS_FILES_DIRS:Àˬd¥i¯à¦s¦bªºrootkit¤Î¨ä¥Ø¿ý ROOTKIT_POSS_FILES_DIRS_LOG:°õ¦æÀˬd¥i¯à¦s¦bªºrootkitÀÉ®×¤Î¨ä¥Ø¿ý ROOTKIT_POSS_FILES_FILE_FOUND:µo²{ÀÉ®× '$1'. ¥i¯à¦s¦brootkit: $2 ROOTKIT_POSS_FILES_DIR_FOUND:µo²{¥Ø¿ý '$1'. ¥i¯à¦s¦brootkit: $2 ROOTKIT_POSS_STRINGS:Àˬd§P©wrootkit¥i¯à¦s¦bªº¦r¦ê ROOTKIT_POSS_STRINGS_LOG:°õ¦æÀˬd§P©wrootkit¥i¯à¦s¦bªº¦r¦ê ROOTKIT_POSS_STRINGS_FOUND:¦bÀÉ®× '$2'¤¤µo²{¦r¦ê'$1' . 
¥i¯àÁÙ¦brootkit: $3 ROOTKIT_MALWARE_START:°õ¦æ´c·N³nÅéÀˬd ROOTKIT_MALWARE_SUSP_FILES:Àˬd°õ¦æ¤¤ªº¦æµ{¬O§_¬°¥iºÃªºÀÉ®× ROOTKIT_MALWARE_SUSP_FILES_FOUND:µo²{¤@­Ó©Î¦h­Ó³o¼ËªºÀÉ®×: $1 ROOTKIT_MALWARE_SUSP_FILES_FOUND:Àˬd lsof ©R¥O 'lsof -F n -w -n' ªº¿é¥X ROOTKIT_MALWARE_HIDDEN_PROCS:ÀˬdÁôÂææµ{ ROOTKIT_MALWARE_HIDDEN_PROCS_FOUND:µo²{ÁôÂ꺦æµ{: $1 ROOTKIT_MALWARE_DELETED_FILES:¦b¥¿°õ¦æ¦æµ{¤¤Àˬd deleted ÀÉ®× ROOTKIT_MALWARE_DELETED_FILES_FOUND:¥H¤U¦æµ{¥¿¦b¨Ï¥Î deleted ÀÉ®×: ROOTKIT_MALWARE_DELETED_FILES_FOUND_DATA:¦æµ{: $1 PID: $2 ÀÉ®×: $3 ROOTKIT_MALWARE_LOGIN_BDOOR:Àˬd login «áªù ROOTKIT_MALWARE_LOGIN_BDOOR_LOG:°õ¦æÀˬd login «áªù ROOTKIT_MALWARE_LOGIN_BDOOR_CHK:Àˬd '$1' ROOTKIT_MALWARE_LOGIN_BDOOR_FOUND:µo²{ login «áªùÀÉ®×: $1 ROOTKIT_MALWARE_SUSP_DIR:Àˬd¥iºÃ¥Ø¿ý ROOTKIT_MALWARE_SUSP_DIR_LOG:°õ¦æ¥iºÃ¥Ø¿ýªºÀˬd ROOTKIT_MALWARE_SUSP_DIR_FOUND:µo²{¥iºÃªº¥Ø¿ý: $1 ROOTKIT_MALWARE_SFW_INTRUSION:Àˬd³nÅé¤J«I ROOTKIT_MALWARE_SFW_INTRUSION_FOUND:ÀÉ®× '$1' ¤¤®M¥ó§t¦³¦r¦ê '$2'. ¥i¯à¦s¦brootkit: SHV5 ROOTKIT_MALWARE_SFW_INTRUSION_SKIP:¸õ¹LÀˬd - tripwire ¨S¦³¦w¸Ë ROOTKIT_MALWARE_SNIFFER:Àˬd sniffer ¨t²Î°O¿ýÀÉ ROOTKIT_MALWARE_SNIFFER_LOG:°õ¦æ sniffer ¨t²Î°O¿ýÀɪºÀˬd ROOTKIT_MALWARE_SNIFFER_FOUND:µo²{¥iºÃªºsniffer ¨t²Î°O¿ýÀÉ: $1 ROOTKIT_TROJAN_START:°õ¦æ¤ì°¨µ{¦¡ªºÀˬd ROOTKIT_TROJAN_INETD:Àˬd±Ò°Êªº inetd ªA°È ROOTKIT_TROJAN_INETD_SKIP:¸õ¹LÀˬd - ÀÉ®× '$1' ¤£¦s¦b. ROOTKIT_TROJAN_INETD_FOUND:µo²{¤w±Ò°Êªº inetd ªA°È: $1 ROOTKIT_TROJAN_XINETD:Àˬd±Ò°Êªº xinetd ªA°È ROOTKIT_TROJAN_XINETD_LOG:°õ¦æ¤w±Ò°Êªº xinetd ªA°ÈªºÀˬd ROOTKIT_TROJAN_XINETD_ENABLED:¦b '$1' ¤¤Àˬd¤w±Ò°ÊªºªA°È ROOTKIT_TROJAN_XINETD_INCLUDE:µo²{ 'include $1' «ü¥O ROOTKIT_TROJAN_XINETD_INCLUDEDIR:µo²{ 'includedir $1' «ü¥O ROOTKIT_TROJAN_XINETD_ENABLED_FOUND:µo²{±Ò°Êªº xinetd ªA°È: $1 ROOTKIT_TROJAN_XINETD_WHITELIST:µo²{ªA°È '$1': ¥¦¦ì©ó $2 ¥Õ¦W³æ. ROOTKIT_TROJAN_APACHE:Àˬd Apache ªº«áªù ROOTKIT_TROJAN_APACHE_SKIPPED:¸õ¹LApache «áªùªºÀˬd: ¨Sµo²{Apache ¼Ò²Õ©M³]¸m¥Ø¿ý. 
ROOTKIT_TROJAN_APACHE_FOUND:µo²{Apache «áªù¼Ò²Õ 'mod_rootme' : $1 ROOTKIT_OS_START:°õ¦æ $1 ²`¤JªºÀˬd ROOTKIT_OS_SKIPPED:¨S¦³¥i¥Îªº²`¤JÀˬd ROOTKIT_OS_BSD_SOCKNET:Àˬd sockstat ©M netstat ©R¥O ROOTKIT_OS_BSD_SOCKNET_FOUND: sockstat ©M netstat ªº¿é¥Xµo²{¤£¦P: ROOTKIT_OS_BSD_SOCKNET_OUTPUT:$1 ¿é¥X: $2 ROOTKIT_OS_FREEBSD_KLD:Àˬd KLD «áªù ROOTKIT_OS_FREEBSD_KLD_FOUND:µo²{¥iºÃªº FreeBSD KLD «áªù. 'kldstat -v' ©R¥OÅã¥Ü¦r¦ê '$1' ROOTKIT_OS_FREEBSD_PKGDB:Àˬd®M¥ó¸ê®Æ®w ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:®M¥ó¸ê®Æ®w¦ü¥G¦³°ÝÃD. ROOTKIT_OS_FREEBSD_PKGDB_NOTOK:³o¥i¯à¤£¬O¦w¥þ°ÝÃD, ¦ý¬O°õ¦æ 'pkgdb -F' ¥i¯à¦³§U©ó¶EÂ_°ÝÃD. ROOTKIT_OS_LINUX_LKM:Àˬd®Ö¤ß¼Ò²Õ©R¥O ROOTKIT_OS_LINUX_LKM_FOUND: lsmod ©R¥O ©M /proc/modules Àɮפ§¶¡µo²{¤£¦Pªº¦a¤è: ROOTKIT_OS_LINUX_LKM_OUTPUT:$1 ¿é¥X: $2 ROOTKIT_OS_LINUX_LKM_EMPTY: ¨S¦³µo²{ lsmod ©R¥O ©M©Î /proc/modules Àɮתº¿é¥X: ROOTKIT_OS_LINUX_LKM_MOD_MISSING:¼Ò²ÕÀÉ®× '$1' ¤w¿ò¥¢. ROOTKIT_OS_LINUX_LKMNAMES:Àˬd®Ö¤ß¼Ò²Õ¦WºÙ ROOTKIT_OS_LINUX_LKMNAMES_PATH:¨Ï¥Î¼Ò²Õ¸ô®|¦W '$1' ROOTKIT_OS_LINUX_LKMNAMES_FOUND:¦b '$1'¤¤µo²{¤wª¾ªº´c·N®Ö¤ß¼Ò²Õ: $2 ROOTKIT_OS_LINUX_LKMNAMES_PATH_MISSING:®Ö¤ß¼Ò²Õ¥Ø¿ý '$1' ¿ò¥¢ CHECK_LOCALHOST:Àˬd¥»¦a¥D¾÷... STARTUP_FILES_START:°õ¦æ¨t²Î¶}¾÷Àˬd STARTUP_HOSTNAME:Àˬd¥»¦a¥D¾÷¦WºÙ STARTUP_NO_HOSTNAME:¨Sµo²{¥D¾÷¦WºÙ. STARTUP_LOCAL_RC_FILE:Àˬd¥»¦a±Ò°ÊÀÉ®× STARTUP_FOUND_LOCAL_RC_FILE:µo²{¥»¦a±Ò°ÊÀÉ®×: $1 STARTUP_NO_LOCAL_RC_FILE:¨Sµo²{¥»¦a±Ò°ÊÀÉ®×. STARTUP_CHECK_LOCAL_RC:Àˬd¥»¦a±Ò°ÊÀɮ׬O§_¯A¤Î¦³®`µ{¦¡ STARTUP_CHECK_SYSTEM_RC:Àˬd¨t²Î±Ò°ÊÀɮ׬O§_¯A¤Î¦³®`µ{¦¡ STARTUP_CHECK_SYSTEM_RC_FOUND:µo²{¨t²Î±Ò°Ê¥Ø¿ý: $1 STARTUP_CHECK_SYSTEM_RC_NONE:¨Sµo²{¨t²Î±Ò°ÊÀÉ®×. ACCOUNTS_START:°õ¦æ¨Ï¥ÎªÌ¸s²Õ©M±b¸¹Àˬd ACCOUNTS_PWD_FILE_CHECK:Àˬd±K½XÀÉ®× ACCOUNTS_FOUND_PWD_FILE:µo²{±K½XÀÉ®×: $1 ACCOUNTS_NO_PWD_FILE:±K½XÀÉ®× $1 ¤£¦s¦b. ACCOUNTS_UID0:Àˬdµ¥¦P©óroot (UID 0) ±b¸¹ ACCOUNTS_UID0_WL:µo²{µ¥¦P©óroot ±b¸¹ '$1': ¥¦¦ì©ó¥Õ¦W³æ¤¤. 
ACCOUNTS_UID0_FOUND:±b¸¹ '$1' ¬Oµ¥¦P©óroot (UID = 0) ACCOUNTS_SHADOW_FILE:µo²{ shadow ÀÉ®×: $1 ACCOUNTS_PWDLESS:ÀˬdªÅ±K½Xªº±b¸¹ ACCOUNTS_PWDLESS_FOUND:µo²{ªÅ±K½X±b¸¹: $1 ACCOUNTS_NO_SHADOW_FILE:¨Sµo²{ shadow/password ÀÉ®×. PASSWD_CHANGES:Àˬd±K½XÀɮתºÅÜ¤Æ PASSWD_CHANGES_NO_TMP:µLªkÀˬd±K½XÀɮתº²§±`: ±K½XÀɮתº°Æ¥»¤£¦s¦b. PASSWD_CHANGES_ADDED:¦³¨Ï¥ÎªÌ³Q¥[¨ì±K½XÀɮפ¤: PASSWD_CHANGES_REMOVED:¦³¨Ï¥ÎªÌ±q±K½XÀɮפ¤²¾°£: GROUP_CHANGES:Àˬd¨Ï¥ÎªÌ¸s²ÕÀɮתºÅÜ¤Æ GROUP_CHANGES_NO_FILE:¨Ï¥ÎªÌ¸s²ÕÀÉ®× $1 ¤£¦s¦b. GROUP_CHANGES_NO_TMP:µLªkÀˬd¨Ï¥ÎªÌ¸s²ÕÀɮתºÅܤÆ: ¨Ï¥ÎªÌ¸s²ÕÀɮתº°Æ¥»¤£¦s¦b. GROUP_CHANGES_ADDED:¦³¨Ï¥ÎªÌ³Q¥[¶i¥Î¨Ï¥ÎªÌ¸s²ÕÀÉ®×: GROUP_CHANGES_REMOVED:²Õ¤w³Q±q¨Ï¥ÎªÌ¸s²ÕÀɮפ¤§R°£: HISTORY_CHECK:Àˬdroot±b¸¹ªºshell¾ú¥v°O¿ý HISTORY_CHECK_FOUND:Root ±b¸¹ $1 shell ¾ú¥v°O¿ý¬O¤@­Ó²Å¸¹³sµ²: $2 SYSTEM_CONFIGS_START:°õ¦æ¨t²Î³]©wÀÉÀˬd SYSTEM_CONFIGS_FILE:Àˬd $1 ³]©wÀÉ SYSTEM_CONFIGS_FILE_FOUND:µo²{ $1 ³]©wÀÉ: $2 SYSTEM_CONFIGS_SSH_ROOT:ÀˬdSSH¬O§_¥i¥Îrootµn¤J SYSTEM_CONFIGS_SSH_ROOT_FOUND: SSH ©M rkhunter ªº³]©w¿ï³»À³·í¬Û¦P: SYSTEM_CONFIGS_SSH_ROOT_FOUND1:SSH ³]©w¿ï¶µ 'PermitRootLogin': $1 SYSTEM_CONFIGS_SSH_ROOT_FOUND2:Rkhunter ³]©w¿ï¶µ 'ALLOW_SSH_ROOT_USER': $1 SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND: ÁÙ¨S³]¸mSSH ³]©w¿ï¶µ 'PermitRootLogin' . SYSTEM_CONFIGS_SSH_ROOT_NOTFOUND:¹w³]­È¥i¯à¬O 'yes', ¥i¥Îrootµn¤J. SYSTEM_CONFIGS_SSH_PROTO:Àˬd¬O§_¨Ï¥Î SSH v1ª©¨ó©w SYSTEM_CONFIGS_SSH_PROTO_FOUND:SSHªº³]©wÀÉSSH ($1)¤w¨Ï¥ÎSSH v1¨ó©w¥Í®Ä. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND: SSH ³]©w¿ï¶µ 'Protocol' ÁÙ¨S³]¸m. SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:¹w³]­È¥i¯à¬O '2,1', ¥i¥H¨Ï¥Î v1¨ó©w. SYSTEM_CONFIGS_SYSLOG:Àˬd¬O§_°õ¦æsyslog daemon SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:syslog daemon ¨S¦³°õ¦æ. SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon ¨S¦³°õ¦æ, ¦ý¬O¤w¸gµo²{¤@­Ómetalog daemon. SYSTEM_CONFIGS_SYSLOG_NO_FILE:syslog daemon ¥¿¦b°õ¦æ, ¦ý¬OµLªkµo²{³]©wÀÉ. 
SYSTEM_CONFIGS_SYSLOG_REMOTE:Àˬd¬O§_¥i¥H¨Ï¥Î syslog »·ºÝ°O¿ý SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog ³]©wÀÉ¥i¥H»·ºÝµn¤J: $1 SYSTEM_CONFIGS_SYSLOG_REMOTE_ALLOWED:Rkhunter ³]©w¿ï¶µ 'ALLOW_SYSLOG_REMOTE_LOGGING' ¤w¸g¥Í®Ä. FILESYSTEM_START:°õ¦æÀɮרt²ÎÀˬd¤¤....½Ðµy«Ý.... FILESYSTEM_DEV_CHECK:/dev ¥iºÃÀÉ®×Ãþ«¬Àˬd FILESYSTEM_DEV_CHECK_NO_DEV:/dev ¤£¦s¦b. FILESYSTEM_DEV_FILE_WL:µo²{ÀÉ®× '$1': ¥¦¦s¦b©ó¥Õ¦W³æ¤¤. FILESYSTEM_DEV_FILE_FOUND:¦b ${1}¤¤µo²{¥iºÃÀÉ®×: FILESYSTEM_HIDDEN_DIR_WL:µo²{ÁôÂ꺥ؿý'$1': ¥¦¦s¦b©ó¥Õ¦W³æ¤¤.¦W³æ¤¤. FILESYSTEM_HIDDEN_FILE_WL:Found hidden file '$1': it is whitelisted. FILESYSTEM_HIDDEN_CHECK:ÀˬdÁôÂêºÀɮשM¥Ø¿ý FILESYSTEM_HIDDEN_DIR_FOUND:µo²{ÁôÂ꺥ؿý: $1 FILESYSTEM_HIDDEN_FILE_FOUND:µo²{ÁôÂêºÀÉ®×: $1 CHECK_APPS:ÀˬdÀ³¥Îµ{¦¡ªºª©¥»... APPS_NONE_FOUND:µo²{¥¼ª¾ªºÀ³¥Îµ{¦¡ - ¸õ¹L©Ò¦³ªºÀˬd. APPS_DAT_MISSING:¸õ¹L©Ò¦³ªºÀ³¥Îµ{¦¡ª©¥»Àˬd. APPS_DAT_MISSING:¤£¦w¥þÀ³¥Îµ{¦¡ª©¥» (programs_bad.dat) ¿ò¥¢©Î¬°ªÅ. APPS_DAT_MISSING:¦pªG¥¦¤w¸g³Q§R°£, §A±o°õ¦æ 'rkhunter --update'. APPS_NOT_FOUND:¨Sµo²{À³¥Îµ{¦¡ '$1' . APPS_CHECK:Àˬd $1 ªºª©¥» APPS_CHECK_VERSION_UNKNOWN:µLªk¨ú±o '$1'ªºª©¥»½s¸¹. APPS_CHECK_VERSION_FOUND:µo²{À³¥Îµ{¦¡ '$1' ª©¥»½s¸¹ '$2' . APPS_CHECK_VERSION_WL:µo²{À³¥Îµ{¦¡ '$1' ª©¥» '$2': ³o­Óª©¥»¦ì©ó¥Õ¦W³æ. APPS_CHECK_WHOLE_VERSION_USED:µLªk¨ú±o '$1'ªºª©¥»½s¸¹: ª©¥»¿ï¶µÅã¥Ü: $2 APPS_CHECK_FOUND:À³¥Îµ{¦¡ '$1', ª©¥»½s¸¹ '$2', ¤w¹L®É, ¦³¼ç¦bªº¦w¥þ­·ÀI. APPS_TOTAL_COUNT:À³¥Îµ{¦¡Àˬd: ¦b $2 ­ÓÀ³¥Îµ{¦¡¤¤, ¦³ $1 ­Ó­nª`·N CHECK_NETWORK:Àˬdºô¸ô... NETWORK_PORTS_START:°õ¦æ«áªù³q°T°ðªºÀˬd NETWORK_PORTS_FILE_MISSING:¸õ¹L©Ò¦³«áªù³q°T°ðªºÀˬd. NETWORK_PORTS_FILE_MISSING:¤wª¾«áªù³q°T°ðÀÉ®× (backdoorports.dat) ¿ò¥¢©Î¬°ªÅ¥Õ. NETWORK_PORTS_FILE_MISSING:¦pªG¥¦¤w³Q§R°£¡A§A¥²¶·°õ¦æ©R¥O 'rkhunter --update'. NETWORK_PORTS_FILE_NO_NETSTAT:¸õ¹L©Ò¦³«áªù³q°T°ðªºÀˬd. NETWORK_PORTS_FILE_NO_NETSTAT:µLªk§ä¨ì 'netstat' ©R¥O NETWORK_PORTS:Àˬd $1 ³q°T°ð ${2} NETWORK_PORTS_FOUND:ºô¸ô $1 ³q°T°ð $2 ¤w³Q¨Ï¥Î. ¥i¯àªºrootkit: $3 NETWORK_PORTS_FOUND:°õ¦æ 'netstat -an' ©R¥O¥hÀˬd¥¦. 
NETWORK_INTERFACE_START:°õ¦æºô¸ô¤¶­±ªºÀˬd NETWORK_PROMISC_CHECK:Àˬd promiscuous ¤¶­± NETWORK_PROMISC_NO_IFCONFIG:Promiscuous ºô¸ô¤¶­±³Q¸õ¹L - µLªk§ä¨ì 'ifconfig' ©R¥O. NETWORK_PROMISC_NO_IP:¨Ï¥Î'ip' ©R¥OÀˬdPromiscuous ºô¸ô¤¶­± - µLªk§ä¨ì 'ip' ©R¥O. NETWORK_PROMISC_IF:¥i¯àªºpromiscuous ¤¶­±: NETWORK_PROMISC_IF_1:'ifconfig' ©R¥O¿é¥X: $1 NETWORK_PROMISC_IF_2:'ip' ©R¥O¿é¥X: $1 NETWORK_PACKET_CAP_CHECK:Àˬd«Ê¥]ÄdºIµ{¦¡ NETWORK_PACKET_CAP_CHECK_NO_FILE:«Ê¥]ÄdºIµ{¦¡ªºÀˬd³Q¸õ¹L - ÀÉ®× '$1' ¿ò¥¢. NETWORK_PACKET_CAP_FOUND:¦æµ{ '$1' (PID $2) ¥¿¦bºô¸ô¤WºÊÅ¥. NETWORK_PACKET_CAP_WL:µo²{¦æµ{ '$1': ¥¦¦s¦b©ó¥Õ¦W³æ¤¤. SHARED_LIBS_START:°õ¦æ '¨ç¦¡®w' ªºÀˬd SHARED_LIBS_PRELOAD_VAR:Àˬd¹w¥ý¸ü¤JªºÅÜ¼Æ SHARED_LIBS_PRELOAD_VAR_FOUND:µo²{¹w¥ý¸ü¤JªºÅܼÆ: $1 SHARED_LIBS_PRELOAD_FILE:Àˬd¹w¥ý¸ü¤JªºÀÉ®× SHARED_LIBS_PRELOAD_FILE_FOUND:µo²{library preload ÀÉ®×: $1 SHARED_LIBS_PATH:Àˬd LD_LIBRARY_PATH ÅÜ¼Æ SHARED_LIBS_PATH_BAD: LD_LIBRARY_PATH Àô¹ÒÅܼƳQ³]¸m¡A¥¦·|¼vÅT¤G¶i¦ìµ{¦¡: ³Q³]¸m¬°: $1 SUSPSCAN_CHECK:Àˬd¨ã¦³¥iºÃ¤º®eªºÀÉ®× SUSPSCAN_DIR_NOT_EXIST:¥Ø¿ý '$1' ¤£¦s¦b. SUSPSCAN_INSPECT:ÀÉ®× '$1' (score: $2) ®M¥ó§t¦³¥iºÃªº¤º®e¡A¥¦±N³QÀˬd. SUSPSCAN_START:°õ¦æ±a¦³¥iºÃ¤º®eÀɮתºÀˬd SUSPSCAN_DIRS:«ÝÀˬdªº¥Ø¿ý¬O: $1 SUSPSCAN_NO_DIRS:¨S¦³«ü©w¥Ø¿ý: ¨Ï¥Î¥Î¹w³] ($1) SUSPSCAN_TEMP:¨Ï¥Î¼È¦sÀɥؿý: $1 SUSPSCAN_NO_TEMP:¨S«ü©w¼È¦sÀɮץؿý: ¨Ï¥Î¥Î¹w³]ªº ($1) SUSPSCAN_TEMP_NOT_EXIST:The suspscan ¼È¦sÀɥؿý¤£¦s¦b: $1 SUSPSCAN_TEMP_NO_WRITE:The suspscan ¼È¦s¥Ø¿ýµL¼g¤JÅv: $1 SUSPSCAN_SIZE:¥iÀˬdªº³Ì¤jÀɮפj¤p (¥H¦ì¤¸²Õ¬°³æ¦ì): '$1' SUSPSCAN_NO_SIZE:¨S«ü©w³Ì¤jªºÀɮפj¤p: ¨Ï¥Î¹w³]­È($1) SUSPSCAN_SIZE_INVALID:¦¹Suspscan ³Ì¤jªºÀɮפj¤pµL®Ä: $1 SUSPSCAN_THRESH:¿n¤À¤W­­³]¸m¬°: $1 SUSPSCAN_NO_THRESH:¨S¦³«ü©w¿n¤À¤W­­: ¨Ï¥Î¹w³]­È ($1) SUSPSCAN_THRESH_INVALID:¦¹ Suspscan ¿n¤À¤W­­¬OµL®Äªº: $1 SUSPSCAN_DIR_CHECK:Àˬd¥Ø¿ý: '$1' SUSPSCAN_DIR_CHECK_NO_FILES:¨S¦³¾A·íªºÀÉ®×Àˬd. 
SUSPSCAN_FILE_CHECK:ÀÉ®×Àˬd: Name: '$1' Score: $2 SUSPSCAN_FILE_CHECK_DEBUG:ÀÉ®×Àˬd: Name: '$1' Score: $2 Hitcount: $3 Hits: ($4) SUSPSCAN_FILE_SKIPPED_EMPTY:©¿²¤ÀÉ®×: ªÅ¥Õ: '$1' SUSPSCAN_FILE_SKIPPED_LINK:©¿²¤ÀÉ®×: ²Å¸¹³s±µÀÉ: '$1' SUSPSCAN_FILE_SKIPPED_TYPE:©¿²¤ÀÉ®×: ¿ù»~Ãþ«¬: '$1': '$2' SUSPSCAN_FILE_SKIPPED_SIZE:©¿²¤ÀÉ®×: ¤Ó¤j: '$1' SUSPSCAN_FILE_LINK_CHANGE:µo²{²Å¸¹³s±µÀÉ: '$1' -> '$2' LIST_TESTS:¦³®Äªº´ú¸Õ¦WºÙ: LIST_GROUPED_TESTS:¤À²ÕÀˬd¦WºÙ: LIST_LANGS:¥i¥Îªº»y¨¥: LIST_RTKTS:Àˬdrootkit # #If any problem related with this zh version message,please mail to #ols3@lxer.idv.tw. I will fix them as soon as possible. #¦pªG¦³¥ô¦óÃö©óÁcÅ餤¤åª©¥»Â½Ä¶ªº°ÝÃD¡A½ÐÁpô ols3@lxer.idv.tw #§Ú±N·|ºÉ§Ö¤©¥H­×¥¿. # #¥»Â½Ä¶ÀɰѦҦÛlinux_fqh@yahoo.com.cn©ÒĶªºÂ²Å骩¥»,¯S¦¹·PÁÂ¥L. # rkhunter-1.4.0/files/filehashsha.pl0000750000123200012320000000126111450440272017227 0ustar unspawnunspawn#!/usr/bin/perl die "Usage: $0 " if ($#ARGV != 2); my $sha = ''; my $mod = $ARGV[0]; my $size = $ARGV[1]; my $file = $ARGV[2]; eval "use $mod"; die "Invalid module: $mod" if ($@); if ($mod eq 'Digest::SHA1' || $mod eq 'Digest::Whirlpool' || $mod eq 'Crypt::RIPEMD160' || $mod eq 'Digest::MD5') { $sha = $mod -> new; } elsif ($mod eq 'Digest::SHA256') { $sha = Digest::SHA256::new($size); } else { $sha = $mod -> new($size); } # Open file in binary mode open(FILE, $file) or die "Can't open file '$file'"; binmode(FILE); # Hash file contents $sha -> add($_) while (); close(FILE); $_ = $sha -> hexdigest; s/ //g; print $_, "\n"; exit; rkhunter-1.4.0/files/ACKNOWLEDGMENTS0000640000123200012320000000243211304471415016563 0ustar unspawnunspawn ROOTKIT HUNTER ACKNOWLEDGMENTS ============================== Michael Boelen Initial Rootkit Hunter developer John Horne Current Rootkit Hunter developer Aus9 For Wiki and documentation support Gary Bak For enhancing AIX support and testing Andrej Ricnik For patching and testing konsolebox For loads of suggestions and testing Sibtay Abbas For testing Constantin Stefan For ideas 
Iain Roberts AIX and OpenBSD support Doncho N. Gunchev Steph For testing unSpawn Current Rootkit Hunter developer KNOWN CONTRIBUTORS ================== Macemoneta FUSE support B. Donnachie cAos support intrigeri Parallel run support jabel FreeBSD 6.1 cli vs cron baddcarma ProFTPd 1.3.0 on SuSE 10.0 linux_fqh Chinese translations Ryan Beckett For IRIX support Marc Becker German translation Julien Valroff Bug reports, ideas and fixes Dick Gevers For packaging and hosting skdet Jan Iven Bug reports, ideas and fixes And thanks to all others who contributed to Rootkit Hunter: the regulars on the Rootkit Hunter users mailing list, bug reporters, package maintainers, end-users and those promoting Rootkit Hunter usage. rkhunter-1.4.0/files/contrib/0000750000123200012320000000000011750002114016040 5ustar unspawnunspawnrkhunter-1.4.0/files/contrib/rkhunter_remote_howto.txt0000640000123200012320000000656510533054053023262 0ustar unspawnunspawnRUNNING ROOTKIT HUNTER FROM A CENTRAL SERVER ============================================ An example for running Rootkit Hunter using Webjob. Rootkit Hunter (RKH) currently does not have the capability to be run in a client-server way. We can remedy that by running RKH as a webjob command. Webjob allows you to run a command or a set of commands on a client by fetching the command from a remote server and returning the output to the server. While this setup is not exhaustively tested the steps should provide enough information to get you going. PREREQUISITES ============= - A webserver with CGI capabilities and Perl - A client with the requirements for running Webjob and RKH SETUP ===== 1. Set up Webjob and PAD by following the instructions included in the Webjob tarball. 2. 
Install "webjob" binary client-side and verify server-client operation works as expected with a client config (~/.webjob.cfg): ClientId=client_1 URLGetURL=http://your.server.net/cgi-client/nph-webjob.cgi URLPutURL=http://your.server.net/cgi-client/nph-webjob.cgi URLUsername=client_1 URLPassword= URLAuthType=basic RunType=snapshot TempDirectory=/dev/shm OverwriteExecutable=Y UnlinkOutput=N UnlinkExecutable=N - Download and unpack RKH and create a local installation: sh installer.sh --install --layout . - Set executable mode on the main rkhunter script, then rename the "files" directory, make the tarball, then pad: chmod 0755 files/rkhunter mv files rkhunter tar -czf rkhunter.tgz rkhunter pad-make-script --create rkhunter.tgz > rkhunter.tgz.pad - Now remove rkhunter/ and ../rkhunter-1.2.9/ and move rkhunter.tgz.pad to $WEBJOB_DIR/profiles/client_1/commands/. - Add a Sudo entry to allow an unprivileged user to run RKH from webjob as root account user. Note this is one line: Cmnd_Alias WEBJOB_RKH=/dev/shm/rkhunter/rkhunter --configfile /dev/shm/rkhunter/rkhunter.conf -c -sk --cronjob - Add the alias as a NOPASSWD entry to the unprivileged user account. - As unprivileged user run (note this is one line): rm -rf /dev/shm/rkhunter /usr/local/webjob/bin/webjob --execute --file ~/.webjob.cfg rkhunter.tgz.pad tar -C /dev/shm -zxf %payload \&\& cd /dev/shm/rkhunter \&\& sudo /dev/shm/rkhunter/rkhunter --configfile /dev/shm/rkhunter/rkhunter.conf -c -sk --cronjob - Inspect output on your.server.net in the $WEBJOB_DIR/incoming/ directory. It is named client_1_DATE-SPEC_JOB-SPEC_rkhunter.tgz.pad.out. CAUTION ======= Note this example does not cover running webjob and RKH on a compromised host. 
For RKH to produce less questionable results in such a situation you would minimally need to check the integrity of the download-capable binary before executing your secure download, be aware of the consequences of disturbing a "live" filesystem and memory contents, and download all requirements for unpacking and running RKH or access those from read-only media. Also note that the sudo entry above lets the unprivileged user run, as root, a file that it unpacks itself into the world-writable /dev/shm; that is effectively unrestricted root for that account and for any local user who can write there first, so outside a test setup install RKH in a root-owned, non-writable location and point the Cmnd_Alias there. GETTING HELP ============ - In the steps above we have taken the examples and variable names from the Webjob README. Inspect the Webjob README for answers about the examples and variable names. - Webjob-related questions about configuring, installing, running the server-side and client-side part should be directed to http://sourceforge.net/projects/webjob. - Sudo-related problems should be remedied by reading the man page. Please do not use the RKH mailing list for questions about webjob or sudo. rkhunter-1.4.0/files/contrib/README.txt0000640000123200012320000000104310533052371017545 0ustar unspawnunspawn##################################################################################################### # # Contrib # # NOTE: submitted contributions may have their own license. # Please check the source of each file to see how you can use this software. # ##################################################################################################### [name] [description] run_rkhunter script: start rkhunter rkhunter_remote_howto.txt howto: run Rootkit Hunter from a central server. rkhunter-1.4.0/files/contrib/run_rkhunter.sh0000640000123200012320000000530010510437531021131 0ustar unspawnunspawn#!/bin/sh # # run_rkhunter -- check the system integrity using rkhunter # Author: Dr. Andy Spiegl, KasCada Telekommunikation (www.kascada.com) # This software is GPL and free to use. # ############################################ # Have cron call this script, eg. 
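# like this:
# /etc/cron.d/run_rkhunter
############################################
#
# Fallthrough in case of errors in this cronfile
# MAILTO=your_address@yourdomain.com
#
# SKRIPT=/usr/local/sbin/kas/run_rkhunter
# PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
# 15 4 * * * root test -x $SKRIPT && $SKRIPT 2>&1
############################################

############################################
# History:
#
# v0.1 2005-02-14: first Version, split from run_chkrootkit
# v0.2 2005-02-15: translated into English
# v0.3 2005-02-20: changed some private information
#
############################################

# where to send the output of rkhunter
MAILADDRESSES=rkhunter_errors@yourdomain.com
# use aktelog instead:
#AKTELOG=/usr/local/sbin/aktelog
#AKTELOG_LABEL="rkhunter"

# appending logfile (rotate it!)
LOGFILE=/var/log/mylogdir/rkhunter.log
# rkhunters own logfile (only contains info from last run)
RKLOGFILE=/var/log/rkhunter.log

RKHUNTER=/usr/local/rkhunter/bin/rkhunter
RKHUNTER_OPTS="-c --cronjob --report-warnings-only --skip-application-check --createlogfile --tmpdir /usr/local/rkhunter/lib/rkhunter/tmp"

# Try to get secure temporary files.  tempfile and mktemp both create
# an unpredictable name atomically with a private mode; the fallback
# below can only make the predictable /var/tmp names as safe as
# possible by refusing to open a name that already exists.
if [ -x /bin/tempfile ]; then
  TMPLOGFILE1=$(/bin/tempfile -p rkhu.) || exit 1
  TMPLOGFILE2=$(/bin/tempfile -p rkhu.) || exit 1
elif command -v mktemp >/dev/null 2>&1; then
  TMPLOGFILE1=$(mktemp /var/tmp/rkhu.XXXXXX) || exit 1
  TMPLOGFILE2=$(mktemp /var/tmp/rkhu.XXXXXX) || exit 1
else
  TMPLOGFILE1=/var/tmp/rkhunter.tmp1.$$
  TMPLOGFILE2=/var/tmp/rkhunter.tmp2.$$
  # avoid symlink attacks: remove any pre-existing entry, then create
  # the files with noclobber (O_EXCL), which fails instead of following
  # a link planted between the rm and the open, and with a private mode
  rm -fr "$TMPLOGFILE1" "$TMPLOGFILE2"
  ( umask 077; set -C; : > "$TMPLOGFILE1" && : > "$TMPLOGFILE2" ) || exit 1
fi
# the temporary files are removed at the end of the script; make sure
# they also go away if the script is interrupted
trap 'rm -f "$TMPLOGFILE1" "$TMPLOGFILE2"' EXIT

# first update the rkhunter hashes
echo "=======Updating=================================" >> "$LOGFILE"
/bin/date >> "$LOGFILE"
# stdout and stderr both go into the temp file.  The form '2>&1 >>file'
# would leave stderr on the script's own stdout (the cron mail) and the
# grep below would then never see error messages printed there.
"$RKHUNTER" --update >> "$TMPLOGFILE1" 2>&1
if grep -E -q "(Error|outdated)" "$TMPLOGFILE1" ; then
  echo . >> "$TMPLOGFILE1"
  echo "WARNING: rkhunter couldn't update its hashes which will" >> "$TMPLOGFILE1"
  echo "most likely lead to errors now." >> "$TMPLOGFILE1"
fi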
>> $TMPLOGFILE1 fi cat $TMPLOGFILE1 >> $LOGFILE # now start checking the server echo "=======Checking=================================" >> $LOGFILE /bin/date >> $LOGFILE $RKHUNTER $RKHUNTER_OPTS >> $TMPLOGFILE2 /bin/cat $RKLOGFILE >> $LOGFILE echo done. >> $LOGFILE if [ -s $TMPLOGFILE2 ]; then ( echo __Start__: Output of rkhunter at `/bin/date`; echo "=======Updating================================="; /bin/cat $TMPLOGFILE1 ; echo "=======Checking================================="; /bin/cat $TMPLOGFILE2 ; echo __End__ of rkhunter output ) | mail -s "rkhunter output" $MAILADDRESSES # ) | $AKTELOG $AKTELOG_LABEL fi rm -f $TMPLOGFILE1 $TMPLOGFILE2 rkhunter-1.4.0/files/README0000640000123200012320000010126011711077253015276 0ustar unspawnunspawn THE ROOTKIT HUNTER PROJECT ========================== Copyright (c) 2003-2012, Michael Boelen See the LICENSE file for conditions of use and distribution. It is recommended that all users of RootKit Hunter (RKH) join the rkhunter-users mailing list. Subscribing to the list can be done via the RKH website at http://rkhunter.sourceforge.net A copy of the RKH FAQ is also available from the web site. ROOTKIT HUNTER REQUIREMENTS =========================== Please note that RKH has some requirements: 1) Before RKH starts it will check that certain required commands are present on the system. These are typical commands such as 'cat', 'sed', 'head', 'tail', etc. If a command is missing then RKH will not run. 2) Some tests require commands such as stat, readlink, md5/md5sum or sha1/sha1sum. If these are not present, then RKH has perl scripts which will automatically be used instead. However, this requires perl, and certain modules, being present. If they are not, then the tests will be skipped. Readlink is provided as a script itself, and does not use perl. Other tests will use other commands. If the relevant command is not found on the system, then the test will be skipped. 
3) A tool should be present with which to download file updates. Currently wget, curl, (e)links, lynx and GET are supported. If your system does not allow the possibility to install one of these applications, but does run perl, you can use 'bget' available from http://www.cpan.org/authors/id/E/EL/ELIJAH/. If you use another generic method of updating RKH then please let us know. Additionally, a non-standard command to be used for file downloads can be configured in the RKH configuration file. 4) Some tests require single-purpose tools. RKH does not depend on these, but it will use them if it finds them. They can enhance RKH's detection capabilities. The tools are: - Skdet Tests for SucKIT, Adore, Adore-NG, UNFshit, UNFkmem and frontkey. http://www.xs4all.nl/~dvgevers/ - Unhide and unhide-tcp (C versions) Finds hidden ports and processes. http://unhide.sourceforge.net - Unhide (Ruby version) Finds hidden processes. https://launchpad.net/unhide.rb If the relevant tool is not found, then the test is skipped. ROOTKIT HUNTER INSTALLATION =========================== Unpacking the tar file should produce a single directory called 'rkhunter-<version>', where '<version>' is the version number of rkhunter being installed. For example, the rkhunter-1.3.6.tar.gz tar file will produce the 'rkhunter-1.3.6' directory when unpacked. Within this directory is the installation script called 'installer.sh'. To perform a default installation of RKH simply unpack the tarball and, as root, run the installation script: tar zxf rkhunter-<version>.tar.gz cd rkhunter-<version> ./installer.sh --install Note: If some form of file permission error is shown, then check that the 'installer.sh' script is executable. RKH installation supports custom layouts. To show some examples run: ./installer.sh --examples The installer also has a help option: ./installer.sh --help The default installation process will install a configuration file, called 'rkhunter.conf', into the '/etc' directory or where you chose using the '--layout' switch. 
You can either edit the main configuration file itself, or create a 'local' configuration file for your own settings. This file, which must be called 'rkhunter.conf.local', must reside in the same directory as the main configuration file. You should edit either, or both, of these files according to your own system requirements. If the installer encounters an existing 'rkhunter.conf' file, it will not be overwritten. Instead the installer creates a new configuration file, but with a unique number as its suffix. Please inspect the new configuration file and copy over any changes to the existing main configuration file, or to your local configuration file. The main RKH script will be installed into the '/usr/local/bin' directory or where you chose using the '--layout' switch. Man pages will be installed into '/usr/local/share/man', and other documentation will be installed into the '/usr/local/share/doc' directory. RKH data files, language support, and a directory for temporary files will be installed into '/var/lib/rkhunter'. Finally, RKH support scripts will be installed into '/usr/local/lib/rkhunter/scripts', or, if using an x86_64 system, into '/usr/local/lib64/rkhunter/scripts'. All directories, except 'lib64', will be created where necessary. Before running RKH you will need to fill the file properties database by running the following command: rkhunter --propupd Note that if you want to use the package management tools provided by your distribution you will need to select a package manager. In the case of using RPM your command would be: rkhunter --propupd --pkgmgr RPM To run RKH, as root, simply enter the following command: rkhunter --check By default, the log file '/var/log/rkhunter.log' will be created. It will contain the results of the checks made by RKH. To see what other options can be used with rkhunter, enter: rkhunter --help NOTE: The first run of 'rkhunter' after installation may give some warning messages. 
Please see the FAQ file and the rkhunter mailing list archive posts for more details about this. STANDALONE INSTALLATION ======================= It is possible to run RKH standalone, that is, with it all being installed into one directory. To do this unpack RKH as described above, and then install it using the following command: ./installer.sh --layout custom . --install It is then necessary to change to the 'files' directory: cd files Within the directory will be a copy of the 'rkhunter.conf' configuration file. You can modify this file according to your requirements if you wish, but note the installer has already set the necessary variables. To run RKH, as root simply enter the following command: ./rkhunter --propupd --check --sk TESTING RKHUNTER WITHOUT INSTALLING IT ====================================== It is perfectly understandable that new users may wish to try out rkhunter without having to fully install it. Similarly current users may want to test a new version of rkhunter, or a CVS version of it, without it affecting their current system or current installation of rkhunter. This is all perfectly possible, and quite easy, using a standalone installation. First, as the root user, it is suggested that a separate temporary directory is created, and then change to that directory. For example: mkdir /tmp/rkh cd /tmp/rkh It is now necessary to either copy or download a tarball of the version of rkhunter that you want to test. (Since you are reading this file, we assume you have already downloaded the relevant version.) For users wishing to try the latest CVS version, it is possible to download a tarball. For example: wget http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz Next, it is necessary to extract the files from the tarball. The simplest way is to use the 'tar' command, such as: tar xzf rkhunter-CVS.tar.gz Obviously, for official releases, you will need to use the correct tarball name. 
For example: tar xzf rkhunter-1.3.6.tar.gz For users of systems with alternative implementations of 'tar', for example Solaris users, you may need to break the extraction process into two steps (or use the 'gtar' command if you have it installed). For example: gunzip rkhunter-CVS.tar.gz tar xf rkhunter-CVS.tar Additionally it is possible to download from CVS directly using the command: cvs -d:pserver:anonymous@rkhunter.cvs.sourceforge.net:/cvsroot/rkhunter co -P rkhunter The extraction process will create a sub-directory containing all the rkhunter files. The sub-directory name will contain the rkhunter version number, or, for CVS tarballs, it will simply be called 'rkhunter'. Change into this directory: cd rkhunter-1.3.6 (for an official release tarball) or cd rkhunter (for CVS and CVS tarballs) Now, we can run the installer program as described in the section above about standalone installations: ./installer.sh --layout custom . --install Finally change to the 'files' sub-directory: cd files Within here will be all the files that rkhunter requires. The configuration file, './rkhunter.conf', will already have been configured for a standalone installation. So there is no need to modify it unless you want to. Any files created by rkhunter will be within this directory. So, as mentioned above, it is perfectly possible to run a check using this installation without affecting any other installation of rkhunter that may exist on your system. To run a check use this command: ./rkhunter --propupd --check --sk By default a log file (rkhunter.log) will be created, and that too will be within this directory. NOTE: If the rkhunter '--debug' option is used then this will, by default, create a file in the '/tmp' directory, and not within the current directory. 
Once you have finished testing rkhunter, simply delete the entire directory it was installed into: cd /tmp /bin/rm -rf rkh INSTALLATION INFORMATION FOR x86_64 SYSTEMS =========================================== The installation of RKH is largely independent of the system architecture. However, RKH does have some support scripts and these need to be installed into the appropriate library directory. When performing a default installation, or using one of the known layout options (for example, '/usr' or '/usr/local'), then the relevant 'lib64' directory will be used only if it already exists. For a 'custom' layout, the 'lib64' directory will be used and created if necessary. Standalone installations do not use any special library directory at all. RPM installations will use the relevant 'lib64' directory only if the system architecture is detected as being 'x86_64'. REMOVING AN INSTALLATION ======================== RKH supports uninstallation. To do this unpack the installation tarball, and then run the installer with the --remove option. If RKH was installed using a default installation, then run: tar zxf rkhunter-<version>.tar.gz cd rkhunter-<version> ./installer.sh --remove If you chose a different layout, for example '/usr', then run the installer using: ./installer.sh --layout /usr --remove Note: the installer will not remove files that were installed using RPM (use the 'rpm' command to remove the package). For a standalone uninstallation, specified by using '--layout custom .', the installer will remove the whole installation directory (the 'files' sub-directory). During uninstallation, the installer will remove the initial configuration file (usually '/etc/rkhunter.conf'). However, any other files beginning with 'rkhunter.conf' are not removed. These may be removed manually. When installing RKH, some directories may have been created. However, RKH is unaware of this when being uninstalled. 
As such, and especially when having used a custom installation, some directories may be emptied of files, but the directories themselves may remain. Again, these can be removed manually if wished. In order to see where RKH installed its files during installation, the '--show' option can be used. For example: ./installer.sh --layout custom /opt --show USING TEST NAMES ================ Within RKH some of the tests have been given names. There are two types of test names - specific test names and grouped test names. A specific test name generally refers to one specific test within RKH. A grouped test name refers to a set, or group, of related tests. Within a group name there are usually one or more specific test names. To see the current list of test names use the 'rkhunter --list tests' command. The grouped names list will show the specific names that are within the group. So, for example, the file properties check has the grouped name of 'properties'. However, within that test the file hash value test is known as 'hashes'. Similarly, the file attributes check, which checks the file permissions, uid and gid values, and so on, is known as the 'attributes' test. Note that while it is possible to tell RKH to run the file properties check, but ignore the file hash value test, it is not possible to tell RKH to run the file attributes but to ignore the file permissions checks. RKH has no specific name for the file permissions test, and so it cannot be specifically enabled or disabled. RKH can be told to enable or disable one or more of the tests by using the '--enable' and '--disable' command-line options. Alternatively, the RKH configuration file options 'ENABLE_TESTS' and 'DISABLE_TESTS' can be used. By default, if the command-line '--disable' option is used, then the configuration file option 'DISABLE_TESTS' is also used to determine which tests to run. 
If only the command-line option is to be used to determine which tests to run, then the '--nocf' option must also be given. The program defaults, if no options are used at all, are to enable all tests and to disable no tests. For this purpose the enable options can use the special test name 'all', and the disable options can use the name 'none'. The enable options cannot use the name 'none', and the disable options cannot use the name 'all'. To specify more than one test name, specify them as a comma-separated list. For example: rkhunter --enable 'rootkits,hashes' Note that in the above example no disabled test list was specified. As such, it will default to the value of the configuration file option (DISABLE_TESTS), or ultimately to the program default value of 'none'. The command-line options '--enable' and '--disable' may be used more than once on the command-line. The supplied RKH configuration file will have some tests already disabled. These are generally CPU and/or I/O intensive tests, or ones which may be prone to giving false-positive results. They can, of course, be enabled by editing the DISABLE_TESTS list. To run the tests from the command line, either use the '--enable' command-line option with the specified test name, or use either '--enable all' or '--disable none'. If either of the '--enable' or '--disable' command-line options is used, and the '--propupd' option is not given, then '--check' is assumed. If the '--enable' option is used and only one test name, other than 'all', is given, then the '--skip-keypress' option is assumed as well. So, for example, to run all the rootkit tests just use: rkhunter --enable rootkits Similarly, to run all the tests except the rootkit tests, then use: rkhunter --disable rootkits In this example RKH will assume the value of the configuration file option (ENABLE_TESTS) for the enabled test list, or ultimately the program default of 'all'. 
In the previous example, the value of DISABLE_TESTS or, ultimately, 'none' will have been used for the disabled tests list. If a combination of enabled and disabled tests is specified, then RKH will disable a test even if it is specified in the enable list. So, for example: rkhunter --enable 'rootkits,deleted_files' --disable malware In this example the 'malware' test is disabled because it is part of the 'rootkits' test. The fact that the 'deleted_files' test is specified to be run is ignored, because that is part of the 'malware' test. RKH will always look to see what tests to disable first. It will then run any enabled tests that are left. By default RKH will log what test names have been enabled and disabled. Additionally it will log each test name that it is about to execute. When initially run RKH may skip some tests due to missing commands or files. It is usually possible to omit these tests by including them in the DISABLE_TESTS list in the configuration file. The test name associated with these tests can be found by looking in the log file. It should be noted that not all the tests have been given names. As such some test names may execute more tests than expected. For example: rkhunter --enable group_changes The 'group_changes' test name refers to the check to see if the /etc/group file has been modified. However, running the above command will also cause several tests on the /etc/passwd file to be executed. This is because those tests are part of the 'local_host' grouped test name, as is the 'group_changes' test, but those other tests have no specific names. As such, RKH will start the 'local_host' tests, executing some of the /etc/passwd file tests and then the 'group_changes' test, but ignoring any other tests within 'local_host' which do have specific names (for example, 'filesystem' and 'passwd_changes'). 
USING PACKAGE MANAGERS ====================== The RKH file properties check, by default, performs a check of various current file properties against those that it has previously stored in the 'rkhunter.dat' file. This way RKH can warn the user if a file has changed. The file properties include items such as the files hash value, file permissions, uid, gid, inode number and so on. The properties are obtained and stored in the rkhunter.dat file when RKH is run with the '--propupd' option. Typically the file properties are obtained using commands such as 'stat', 'file', 'md5sum' and 'prelink'. However, it is also possible to specify that RKH should get whatever values it can by using a package manager. This can be done by using the '--pkgmgr' command-line option, or the 'PKGMGR' configuration file option. When the RPM package manager is specified, during the file properties check the results from the RPM verification command are used as the test results. For the other package managers, the values from the package manager database are compared against the current values for the files. By using a package manager, it is possible to avoid some false-positive reports that a file has changed when in fact it has been automatically updated by the system. The currently available package managers are 'RPM' for RedHat/RPM-based systems, 'DPKG' for Debian-based systems, 'BSD' for *BSD systems, and 'SOLARIS' for Solaris systems. It is also possible to specify 'NONE' to indicate not to use a package manager. The program default is 'NONE'. Any file which is not part of a package is treated as before, that is, the HASH_FUNC configuration file option, or the '--hash' command-line option, will be used. It should be noted that all the package managers, except 'SOLARIS', provide an MD5 hash value for a file. However, the 'RPM' and 'SOLARIS' package managers can provide other file property values as well, such as the file permissions, uid, gid, modification time and so on. 
During the file properties check all of these values will be used, rather than the ones stored in the rkhunter.dat file. The Solaris package manager does store a 16-bit hash value, but this is not used by default. If it is wished to use the stored value, then the USE_SUNSUM configuration option must be enabled. It should also be noted that the 'DPKG' and 'BSD' package manager options only provide the files MD5 hash value. As such, during the file properties check, all the other current file properties will be re-calculated as before, and compared against the values in the rkhunter.dat file. Hence, only the 'RPM' and 'SOLARIS' package managers offer any real benefits in using a package manager. NOTE: It is possible for a package manager database to become maliciously corrupted. To that extent the use of the package manager options with RKH does not provide any increase in security. However, it may result in less false-positive warnings of files which have changed. As always RKH can only report on changes, but not on what has caused the change. USING LOCAL MIRRORS =================== When the '--update' or '--versioncheck' options are used, rkhunter uses a mirror site from the mirrors.dat file to obtain the required information. By default rkhunter will use any mirror listed in the file, and it will then rotate the list of mirrors. At the time of writing the supplied mirrors.dat file lists the Rootkit Hunter SourceForge site as a mirror. However, it is possible for users to define a local mirror if they wish to. This is done by simply editing the mirrors.dat file and inserting the mirror URL. The line should begin with the text 'local='. For example: local=http://www.example.com/rkhunter_data The required rkhunter files must be placed in a location, of the users choice, which is accessible by the clients. So in the above example, the rkhunter data files would have been placed in the 'rkhunter_data' directory. 
The required files consist of the '.dat' files supplied with rkhunter, and which will have been installed in the database directory. For a default installation this would have been in '/var/lib/rkhunter/db'. Additionally, the mirror directory must have an 'i18n' sub-directory which contains all the current language translation files for the various versions of rkhunter. Each version is put into its own sub-directory. So, for example, there would be a '1.3.5' sub-directory, a '1.3.6' sub-directory and so on, all within the 'i18n' directory. Again, the database directory will already have had the 'i18n' sub-directory installed in to it, but it will only contain the language files for the current version of rkhunter. There are no version sub-directories installed by default. As such, the mirror will need to have the various version sub-directories created, and the relevant language files put in to them, for the versions of rkhunter that the mirror is required to support. If a client tries to access the language files for a version of rkhunter that is not supported by the mirror, then the download will fail. Depending on how the client is configured, another, possibly remote, mirror may be tried, or rkhunter will give a warning. Within each rkhunter version sub-directory of the 'i18n' directory, it is necessary to have a file called 'i18n.ver'. This file simply contains a list of the available language files, and their version numbers. 
For example: cn:2009112801 en:2009112902 So, as an example, the mirror file structure will need to look similar to this:

    rkhunter_data
    |-- mirrors.dat
    |-- rkhunter_latest.dat
    |-- i18n
    |   |-- 1.3.5
    |   |   |-- cn
    |   |   |-- en
    |   |   `-- i18n.ver
    |   |-- 1.3.6
    |   |   |-- cn
    |   |   |-- en
    |   |   `-- i18n.ver
    |   `-- 1.3.7
    |       |-- cn
    |       |-- en
    |       `-- i18n.ver
    `-- suspscan.dat

Finally, if the '--versioncheck' option is to be supported with the local mirror, then the directory, 'rkhunter_data' in the above example, must contain a file called 'rkhunter_latest.dat'. This file must contain the current rkhunter version number (for example, '1.3.6') and no other text. It is possible to similarly define 'remote' mirrors, which begin with the text 'remote='. At present though there is no real difference between a local or remote mirror. The supplied mirror site(s) in the mirrors.dat file begin with the text 'mirror=', and this should not be changed. In order to select whether all the mirrors or only the local or remote mirrors should be used, the rkhunter configuration file has an option in it called 'MIRRORS_MODE'. This option takes a numeric value, which by default is zero. The current values and meanings are: 0 - use any mirror (the default) 1 - use only local mirrors 2 - use only remote mirrors To further support local and remote mirrors there are two other configuration options available: The first is 'UPDATE_MIRRORS', which simply tells rkhunter whether the mirrors.dat file itself should be updated (i.e. overwritten) when the '--update' option is used. If local mirrors are listed in the file then you probably do not want the file automatically updated. The 'UPDATE_MIRRORS' option has a default value of one, indicating that the mirrors.dat file should be updated. Set this option to zero to disable this feature. The second option is 'ROTATE_MIRRORS'. 
This tells rkhunter whether it should rotate the list of mirrors whenever the '--update' or '--versioncheck' options are used. Again, with local mirrors you may want these accessed in a specific order, rather than rotated each time. The option has a default value of one indicating that the mirrors should be rotated. Set this option to zero to disable this feature. By default if a mirror fails for some reason, then rkhunter will use the next mirror, of the configured type, listed in the file. If there are no more mirrors left, then rkhunter will give a warning message. CREATING A NEW LANGUAGE FILE ============================ Creating a new language file to work with rkhunter is quite easy - the actual translating is the hard part! First, it is necessary to find out where the current language files are located. For a default installation this will be in the '/var/lib/rkhunter/db/i18n' directory. If this directory does not exist, then look in the rkhunter log file (usually located in /var/log) and there should be a line similar to 'Using... as the database directory'. Within that directory there should be the 'i18n' sub-directory. Once you have changed to that directory, you should then see the current language files. Next, take a copy of the 'en' language file and name it for your new language. We would suggest that you use something similar to the known ISO 639 language codes. For example, to create a generic French language file, then execute 'cp -p en fr'. Once you have done this, your new language file will be recognised by rkhunter. You can check this by using the command 'rkhunter --list lang'. Note that if you use the 'rkhunter --update' command, the new language file will not be touched in any way. Also note that you must not remove the 'en' file, rkhunter will not work without it. The next part is to actually translate the messages. Each language file starts with a line containing the version number of that file. 
The actual messages start with a keyword, which must not be changed at all, followed by a colon (:), and then the actual message. It is the actual message which you need to translate. Some messages may contain variables such as '$1' or '$2'. Again, these must not be changed. Once you have translated the messages you can test them by using the command 'rkhunter --lang fr ...' - substituting 'fr' for whatever name you gave to your language file. If you want to have your new language translation made available as part of rkhunter, then please submit a feature request on the rkhunter SourceForge web site. However, please be aware that the language file is a fundamental part of rkhunter, and as such is continuously changing. You should endeavour to keep your translation up to date with the current version of rkhunter. ROOTKIT HUNTER GENERAL SUPPORT ============================== If a problem is found with RKH, it is recommended that users initially try and resolve the problem themselves. This can be done by first checking the FAQ file, which is present in your installation if the distributed tarball is used as source. The FAQ will contain answers to many common problems. The latest version of the FAQ can always be found at RKH's project pages on SourceForge, in the 'Documentation' section. If the problem has occurred directly after upgrading RKH, then please check the CHANGELOG file. It will contain information about changes made since the previous version of RKH, and may indicate why you are now experiencing a problem. Users should also check the rkhunter-users mailing list archives (available on the web site). The problem will be investigated by the RKH development team, and, where appropriate, a solution posted on the mailing list. Hence the mailing list archives may well contain a solution to the problem. Additionally, users should check the RKH tracker system (available at http://sourceforge.net/tracker/?group_id=155034). 
It is quite possible that the problem has already been reported to us as a bug or support request. It is also possible that a fix for the problem has been provided in the tracker log. Depending upon the nature of the problem it may be worthwhile trying an Internet search (for example using google), to see if anyone else has experienced a similar problem. Finally, if you have still not found an answer to the problem, then mail it to the rkhunter-users mailing list. Please provide as much information as possible about the problem, but do not make the message excessively long! Information such as your operating system and version of RKH should always be included. Please be advised that while you are free to ask for advice in your favourite IRC channel, all-purpose forum or distribution mailing list, the demonstrated level of general and security knowledge and experience, and therefore the quality of responses, may vary (very much). If you are sure the problem is a bug, or want it considered as a support request, then please submit it directly into the tracker system. ROOTKIT HUNTER REPORTS SIGNS OF A POTENTIAL BREACH OF SECURITY ============================================================== When you think you have a (potential) security problem it is advised to think and inform yourself thoroughly before you act. Please consider checking the FAQ, the rkhunter-users mailing list archives, your distribution documentation about security and security issues and the CERT Intruder Detection Checklist, formerly located at http://www.cert.org/tech_tips/intruder_detection_checklist.html, and archived at http://web.archive.org/web/20080109214340/\ http://www.cert.org/tech_tips/intruder_detection_checklist.html. If you do not have the required knowledge and experience to deal with security issues then please ensure yourself that the people who respond do and have. 
- Logging in, killing processes, deleting files, powering down, rebooting the machine, removing or installing software may signal the intruder and may destroy vital information. If you need to communicate with people or compile software then do use a different machine to work on. - If usage of the machine is governed by rules and regulations consider alerting the designated security officer or team, systems or network administrators or IT department before doing anything else. - In your initial email or post include as much information and make it as detailed as possible. The more details you provide the more efficient the troubleshooting or incident response process will be. - Do not be easily satisfied or mistake "don't worry" type of replies for qualitatively good answers: read the FAQ, ask for specific steps to take and commands to run so you can verify things yourself. - Please act timely and responsibly. (Potential) security problems should be prioritized and acted on at the time of reporting, not days or weeks later. ROOTKIT HUNTER AS PART OF YOUR SECURITY STRATEGY ================================================ Rootkit Hunter is a host-based, passive, post-incident, path-based tool. - Host-based means it only diagnoses the host you run it on. - Passive means it has to be scheduled or run manually. - Post-incident means it can only be effective when a breach of security is suspected, is in progress or has already occurred. Due to the nature of software that hides processes and files it may be beneficial to run Rootkit Hunter from a bootable medium if a breach of security is suspected and the machine can be booted from a bootable medium. - Path-based means RKH will check for filenames. It does not include or use heuristics or signatures like for instance an antivirus product could. Do understand that the SCANROOTKITMODE configuration option and "suspscan" functionality are just crude attempts to try and bridge that gap. 
Rootkit Hunter is best deployed as part of your security strategy. - Most breaches of security are preceded by reconnaissance. Regular system and log file auditing provides the necessary "early warning" capabilities. - RKH does not replace, or absolve you from performing, proper host hardening. Common administration errors that may result in a breach of security include failing to apply updates when they are released, misconfiguration, lack of access restrictions and lack of auditing. Please see your distribution documentation and search the 'net. - Do not rely on one tool or one class of tools. Consider installing same-class tools like Chkrootkit or OSSEC-HIDS and consider overlap as a Good Thing. Additionally it is suggested you install and use a separate filesystem integrity scanner like Samhain, Aide, Integrit, Osiris (or even tripwire) to provide you with a second opinion. - Like with all data used for verifying integrity it is recommended to regularly save a copy of your RKH data files off-site. rkhunter-1.4.0/files/CHANGELOG0000640000123200012320000025520711750001112015623 0ustar unspawnunspawn #################################################################### # # CHANGELOG # #################################################################### !! Important notices !!: - Dates in this file are formatted as DD/MM/YYYY (European format) - The rkhunter configuration file (default /etc/rkhunter.conf) will not be overwritten when using the rkhunter installer, unless specifically requested to do so (using the '--overwrite' option). Be sure you compare your existing configuration file against the one delivered in this package, in order to optimize the file for your machine. -- * 1.4.0 (01/05/2012) New: - Added the '--list propfiles' command-line option. This will dump out the list of filenames that will be searched for when building the file properties database. By default the list is not shown if just '--list' is used. - Added Jynx rootkit check. 
- Added Turtle/Turtle2 rootkit check. - Added KBeast rootkit check. - The installer now supports the Slackware TXZ package layout option. Changes: - Avoid checking exclamation points in ALLOWDEVFILE checks (this was caught on 01/05/2012 causing a reissue of the 1.4.0 release). - Allow the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options to use '%' as the space character. (Note: This is a temporary fix). - The ALLOWPROCDELFILE option can now use wildcards in the file names. - The '--list perl' command-line option now shows whether the perl command itself is installed or not. - The 'shared_libs' test now allows whitelisting of the preloading environment variables. - The '-r/--rootdir' command-line options, and the ROOTDIR configuration option are now deprecated. If they are used then an error message will be displayed. The options will have no effect, but rkhunter will continue. The options will be completely removed at the next release. - The 'hidden_ports' test will now show if a found port is TCP or UDP. - It is now possible to whitelist ports in the 'hidden_ports' test using the PORT_WHITELIST configuration option. Bugfixes: - Allow the ALLOWPROCDELFILE option to work again. - Correct the check of the ProFTPD version number. - Fix the FreeBSD 'sockstat' command check to ensure that the correct fields are used. - Fix for newer version of the 'file' command when reporting scripts. - Fix the ALLOWHIDDENFILE option to allow hidden symbolic links. - The 'filesystem' check now handles files and directories with spaces in their names correctly. - The 'startup_files' test was displaying file names with spaces in them incorrectly. Also the test was not checking files which were in hidden directories. - Ensure that the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options re-evaluate their whitelisting lists to ensure that any wildcard entries are the most recent. 
(A time window previously existed which meant that the list was processed, but new files could be created before the test was run. As such they were reported as false-positive warnings, when they should have been whitelisted.) - Allow the EXISTWHITELIST option to work with symbolic links. - The test of whether prelinking is being used or not was sometimes causing the file properties hash test to be skipped, without the real reason being stated. Now the hash test will proceed but the user will still get a warning (because it detects that prelinking was used and is not now, or vice-versa). - Rkhunter will now check to see if the 'head' and 'tail' commands understand the '-n' option. If they do, then it will be used. If they do not, then the older 'head -1' and 'tail -1' commands will be used. -- * 1.3.8 (17/11/2010) New: - It is now possible to whitelist specific rootkit strings in specific files using the RTKT_FILE_WHITELIST option. Details are in the configuration file. - For those systems on which files generally have the immutable -bit set, the 'immutable' test can now be reversed (that is, warnings will be issued for files which do not have the bit set). The configuration file option IMMUTABLE_SET can be set to '1' to enable this. By default it is '0'. - The installer now supports the ppc64 architecture. - The RTKT_FILE_WHITELIST option can be used to whitelist reported 'suspicious files' found in the 'running_procs' test. - Using the EXISTWHITELIST configuration option it is now possible to whitelist files and directories that might not always be present on the system. Whitelisted items are, in effect, whitelisted from 'existence' checks. - Added a new test to check for hidden network ports being used. It is called 'hidden_ports'. This test is disabled by default, and will only run if the 'unhide-tcp' command is present. - Added support for DragonFly BSD. - Added Inqtana worm check (variants A, B and C). 
- It is now possible to whitelist a combined pathname and port number with the PORT_WHITELIST configuration option. Details are in the configuration file. - Added Togroot rootkit check. - It is now possible to specify 'SOLARIS' as a package manager for Solaris systems. It can be used to check several of the file properties, such as the file permissions, ownership, size and so on. By default the stored 16-bit hash value is not used, and a hash value will be calculated, as before, using the configured hash function. However, if it is wished that the stored hash value is used, then the USE_SUNSUM configuration option must be enabled. - The command-line option '--list perl' may be used to see the installation status of perl modules that may be used by some of the tests. - For the file properties test the hash functions 'Whirlpool' and 'Ripemd160' may now be specified. However, only the relevant perl module will be looked for when using these functions. - Added Solaris Wanuk backdoor and worm checks. - The new command-line option '-C' (or '--config-check') can be used to check the rkhunter configuration files. This will check most of the options, but only for the tests which would normally be run (as defined by the enable and disable options). The program exits once the check has run. See the man page for more details. - The 'hidden_procs' test will now run the 'unhide.rb' command if it is present. This is the Ruby version of the original C 'unhide' program. (The 'unhide' command is also still run if found.) - Added the DISABLE_UNHIDE configuration option. This allows users to disable one or other of the 'unhide' or 'unhide.rb' commands if they are both present on the system. The default is to look for and run both commands. - Added OS X Boonana (Koobface.A) trojan check. Changes: - Allow the 'unhide' command to be detected on Linux systems. - Allow most of the whitelisting-type configuration options to be specified more than once in the configuration file. 
- NIS entries are now ignored when checking the password file. - The use of '--disable all' on the command-line is now allowed provided that the '--enable' option is also used, and not set to 'none'. Disabling all the tests in the configuration file will still give an error. - If the enabled and disabled test name(s) are the same, then an error will now be displayed. This only applies to certain non-grouped test names. - The check of syslog remote logging no longer considers a 127.x.x.x address as being remote. - In the configuration file the WEBCMD option has now changed name to WEB_CMD. However, the old name will still be recognised. - If the UPDT_ON_OS_CHANGE option is set, and an O/S change has been detected, a message is now logged stating that an automatic update will occur. Additionally, the output of the update is no longer displayed (it looked confusing). - Removed the automatic exception of TDB database files from the 'filesystem' check. (This seems to have been introduced in version 1.1.3, but we have whitelisting now.) - The file properties test now handles broken links. These were previously reported as an error. If there are any broken links, then the '--propupd' option will report how many have been found. - The old configuration options LOCAL_RC_PATH and SYSTEM_RC_DIR have now been removed. They were replaced by STARTUP_PATHS at version 1.3.6. - Most of the configuration options which take a list of pathnames, and which are not set in the provided config file, can now be specified more than once. They are all now space-separated lists as well. - The 'suspicious files' check in the 'running_procs' test now displays each found file individually. Additionally the warning will include the command being executed, the PID, the user id, the full pathname that appears to be suspicious, and the possible rootkit name. - Reverted a change to the 'os_specific' test so that it will show the test as being skipped for O/S's which have no specific tests. 
Without this, if the test was enabled on its own, then nothing at all was displayed. - More rigorous testing of the various '.dat' files before each test which uses them has now been included. If a problem is found, then a warning is displayed. - The ALLOW_SSH_ROOT_USER configuration option can no longer be set to 'yes' if the 'PermitRootLogin' option is not set in the SSH configuration file. A value of 'unset' must be used. - The ALLOW_SSH_PROT_V1 configuration option can no longer be set to '1' if the 'Protocol' option is not set in the SSH configuration file. A value of '2' must be used. (The use of '1' in this instance was an undocumented, but allowed setting.) - The '--enable' and '--disable' command-line options may now be specified more than once. - The default behaviour when the command-line option '--disable' is used has been changed. Rkhunter will now also include the configuration file option used to disable tests, in order to determine overall which tests to run. This is more intuitive for the user. If the previous behaviour, where only the '--disable' option is used to determine which tests to run, is wanted, then the new '--nocf' option must also be used. - The network 'ports' test no longer displays the details of the test on the screen, but just shows the overall result. This brings the test format more inline with the other tests. The result of individual ports being checked is still logged as before. - The 'sort' and 'uniq' commands are now required to be on the system in order to run rkhunter. - Grsecurity-enabled systems may now run the network 'ports' test. If this causes a problem, then that particular test can be disabled. - Improved support for OS X a little bit more. - When using the installer '--show' option, if a directory does not exist, then it will now state that the directory will be created. - The 'hidden_procs' test used to run the 'unhide sys' command. 
Now it is possible to specify which test names to provide to the 'unhide' command by using the UNHIDE_TESTS configuration option. It defaults to 'sys'. This allows for additional tests to be run with 'unhide' if the user wishes, and caters for newer versions of 'unhide' which have several new options. Increased the amount of logging of what rkhunter is doing during the 'hidden_procs' test. - Both the '--bindir' command-line option and the BINDIR configuration file option may now be specified more than once. The description of how these options affect the PATH of rkhunter has been reworded in both the supplied rkhunter.conf file and the man page. - The log file permissions and owner/group settings will now be copied to each new log file, rather than a new log file, with default permissions, being created each time. This will allow users to modify the permissions/owner/group of the log file, without them being lost when a new log file is created. If no log file exists, then, as before, one will be created with permissions of 600 and with the owner/group of the root user. - For OS X users the test of root-equivalent accounts now works with directory services as well as with the password files. - The check of the syslog configuration file will now check all the files found, not just the first one. Bugfixes: - Corrected test of ProFTPD version number in apps test. - Make the apps test version number check case-independent. - Ensure the promiscuous interface whitelisting is applied to both parts of the test. Corrected and tidied up the displayed output. - Correct the test of rkhunter itself being changed to a non-script file. - Ensure the suspscan test removes any files it creates. (Again!) - The --rootdir/ROOTDIR configuration option now works correctly if specified as '/'. Previously it caused the file properties file entries to become a bit messed up. - The file properties immutable test checked the 'lsattr' command against the rkhunter configuration file. 
However, if the file was a symbolic link, then the test failed. Now the test checks 'lsattr' against several of the rkhunter installed files, looking for a regular, non-link, file. These include the configuration file, the rkhunter database files, and the language files. - The ALLOWDEVFILE whitelisting now allows filenames to contain colon (:) characters. - The rootkit summary could list detected rootkit names more than once. This has now been corrected, each rootkit name will only be displayed once. The rootkit count will also now only show the number of unique rootkits found. - It was possible for part of the summary to be displayed twice. This has now been corrected so that it only displays once. - For system startup files (rc files), the rootkit strings check now ignores comment lines (lines starting with '#'). For Solaris systems, the 'gstrings' command is used rather than 'strings' if it exists. - Allow *BSD 'grep' to work correctly with binary (i18n) files. - Removed the configuration file option use of a comma as an option separator. Now only spaces and tabs can be used. Use of a comma would prevent known rootkit files and directories, as well as RCS files, from being whitelisted correctly. - When the German language is selected rkhunter will now try to display messages using the correct encoding. - The test of rootkit strings in the startup files could display the wrong string and rootkit. It now displays the correct information. - The 'filesystem' check now correctly identifies non-standard directories (e.g. setgid directory), and allows them to be whitelisted. - The UPDT_ON_OS_CHANGE option was defaulting to 1 rather than 0. - The result of the libsafe check, a prelink command check, and a prelink hash function check were not being reported. - The 'filesystem' check would ignore files with spaces in their name if the default setting of SCAN_MODE_DEV was used. 
This has now been corrected, filenames with spaces in them are checked regardless of the configuration option setting. - If the installer is used with the RPM, TGZ or DEB layout options, and '/' is the build root, then this will now build correctly. - NetBSD, FreeBSD and OS X would print out an error regarding the 'print' command. They would also display the locking messages incorrectly. Both of these have now been corrected. - The sockstat/netstat output check for *BSD systems gave a spurious error message because FreeBSD/OpenBSD sockstat did not support the '-n' option. This has been fixed, but NetBSD systems will still use it. - The installer option '--layout custom /' now works correctly. - The SHA256 perl module was not being called correctly. -- * 1.3.6 (30/11/2009) New: - Added ZK rootkit check. - German translation provided. - Added the IGNORE_PRELINK_DEP_ERR option to the configuration file. This option can be used when a persistent prelink dependency error occurs. Further details of its use are in the configuration file. - Added CX rootkit check. - Added the USER_FILEPROP_FILES_DIRS configuration option. This allows users to add further files and directories to the file properties check. Details are in the configuration file. The installer program will automatically add the configuration file pathname to this option. - Added the EPOCH_DATE_CMD configuration option. In the file properties test any modification date/times will now be displayed in human-readable format as well as the number of epoch seconds. This option can be used to specify the command to use if the 'date' or 'perl' commands cannot convert epoch seconds. - Added the COPY_LOG_ON_ERROR configuration option. When set this will take a copy of the log file if any errors or warnings have occurred. - Added the WEBCMD configuration option. This allows users to specify the command used to download data file updates from the Internet. 
- It is now possible to put configuration changes into a local config file. This file, called 'rkhunter.conf.local', must be in the same directory as the main configuration file. Rkhunter will look for configuration options in the main config file, and then in the local config file if it exists. As before, for options allowed only once, the last one seen is used. For options allowed more than once, all options from both files will be used. - Added the SHARED_LIB_WHITELIST configuration option to allow the whitelisting of preloaded shared libraries. - Made some minor changes to enable support for SliTaz Linux. - Added the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE configuration options. During the file properties check there are some O/S tests performed to see if the O/S has changed since the last run of 'rkhunter --propupd'. By default if something has changed, then a warning is shown. If the WARN_ON_OS_CHANGE option is unset, then no warnings will be shown. If the UPDT_ON_OS_CHANGE option is set, and the O/S has changed, then rkhunter will automatically update the file properties file (in effect, it will run 'rkhunter --propupd'). - The installer now has a '--overwrite/-o' option. When used this will overwrite the existing configuration file. This allows a site to check the new config file (at least once) for changes, and then modify their own 'rkhunter.conf.local' file as required. This option can then be used to have the installer overwrite the default config file. It saves having to move the new default config file into place on each computer. - Locking is now possible when rkhunter runs. This prevents RKH running more than once and corrupting any modified files such as the log file, or the file properties file. New configuration options have been added to handle the locking, and the configuration file contains details of how the locking works. The default is not to use locking. 
- Added support for hash functions SHA224, SHA256, SHA384 and SHA512 using perl modules Digest-SHA-PurePerl or SHA256, both available at CPAN. - Added the UPDATE_LANG configuration option. This can be set to those language files the user wants to be updated when the '--update' option is used. Since most sites may only use one language, this can reduce the network bandwidth used. The default is to update all the languages. The configured default language, and English (en), are always updated. - Added the ALLOWPROMISCIF configuration option. This can be used to specify network interfaces which are allowed to be in promiscuous mode. - Added the SCANROOTKITMODE configuration option. If set to "THOROUGH" then the scanrootkit function will search for filenames in all directories. While still not optimal this is one step away from the rigidity of searching only in known locations. Enabling this feature implies you have the knowledge to interpret results properly. - Added OSX rootkit check. - Added weaponX rootkit check. - Added the PKGMGR_NO_VRFY configuration option. This allows specified files to be exempt from the package manager verification process. Now that users can include their own files into the file properties check, it is possible that changed packaged files will cause a warning to be issued. This option allows those files to skip the package manager verification, and be treated as non-packaged files. - Added cb rootkit check. - Added Fu rootkit check. - Added ld-linuxv.so.1 LD_PRELOAD check. - Added Adore Rootkit aka strings.o rootkit aka Dextenea check. - Added iLLogiC rootkit check. - Added 'Spanish' rootkit check. - Added Xzibit rootkit check. - Added trNkit rootkit check. Changes: - Removed the 'os_specific' test for OpenBSD. The *BSD test is currently only applicable to NetBSD and FreeBSD. - Updated the ENYE LKM check. - The '--debug' option no longer needs to be the first option on the command line. 
- Improved support for MAC's now using the bash shell by default. Include logging of whether 64-bit is available. - When uninstalling rkhunter, old versions of the document directory (usually /usr/local/share/doc/rkhunter-*) will now be removed. - The warnings from the passwd and group file changes tests are now more specific about what has changed. - Small change to the detection of Source Mage Linux. - Renamed part of the 'shared_libs' test to display that it is checking for preloaded libraries, rather than just the preload file. The pathname of the preload file is now logged, and any found shared library files are now logged as a warning. - The SYSLOG_CONFIG_FILE configuration option can now take the value of 'NONE' to indicate that there is no syslog configuration file, despite the fact that syslogd may be running. - Some tests will now show their result as 'Whitelisted'. If a test uses a configuration option, and this has been set, and the test passes - giving a green result - then it will now be shown as 'Whitelisted'. The user can now see that a test has either passed correctly - an 'OK' or 'Not found' type result - or has passed because the test requirements have been whitelisted. It is for the user to investigate if this is correct or not. (This change does not currently apply to all relevant tests.) Additionally, the configuration option WHITELISTED_IS_WHITE can be set if the 'Whitelisted' result is to be shown in white rather than green. For color set two users this will be shown in black. - Improved the O/S name detection slightly for those systems which only provide a version number. - Rkhunter now ensures that the output from the 'lsattr' command, or 'ls -lno' on *BSD systems, and the 'file' command is valid. That is, it produces something on stdout. If it doesn't, then the 'immutable' and/or 'scripts' test is skipped. - Changed the RPM spec file so as not to verify the checksum, size and mtime of the database files and the i18n files. 
These files may be changed by rkhunter itself. - The installer now uses the 'default' layout by default. It is no longer necessary to specify the layout at all if the default is to be used. The '--layout' option no longer needs to be the first option specified if it is used. - Improved Fleakit Linux Rootkit checks. - Improved SHV4 Rootkit checks. - Improved beX2 Rootkit check. - Improved Phalanx2 Rootkit check to include Phalanx version 2.3d as reported in ticket 2839813, including a PHALANX2_DIRTEST configuration option which enables scanning for directory names and accepts the value '0' for default directory names to search for and '1' for scanning the /etc and /usr directories for directory names ending in '.p2' at the expense of a slightly longer running time. Absence of the configuration option selects value '0'. - Improved Ambient (ark) Rootkit check. - Improved BOBkit Rootkit check. - Improved Dica-Kit Rootkit check. - Improved Evil strings test. - Improved Possible rootkit files and directories test. - Improved Suspicious startup file strings test. - Improved Suspicious open files test. - Improved Known bad Linux kernel modules test. - Improved Dreams Rootkit check. - Improved Universal Rootkit (URK) check. - Improved FreeBSD Rootkit (FBRK) check and removed standalone ImperialS version. Bugfixes: - When using the Korn shell the application check could give a spurious error printing out '-1'. - The debug code only partially worked when using the Korn shell. - Fixed the option parsing in the configuration file such that leading and trailing whitespace are now correctly removed. - When displaying the list of checked rootkit names, the list was supposed to be sorted. - If the '--list' option was used more than once with the same argument (e.g. '--list tests --list tests'), it displayed the wrong information. - The rootkit strings check wasn't logging a warning for the particular string found. 
It was, however, displaying an overall test failure warning on the screen though. - The rootkit file whitelisting wasn't applied to the startup script malware check. Also the summary wasn't showing if any possible rootkits had been found or not. - If the '--propupd' option was used with either of the '--enable/--disable' command-line options, then the file properties would not be stored. However, if, for example, the 'hashes' test was enabled, then only these would be stored. In all cases the relevant test was not run after the file properties were obtained, unless the '--check' option was also used. - The installer now uses a basic 'echo' command. Hopefully it should work on all UNIX/Linux systems, and avoid any further "-e"'s being displayed. - Changed how rkhunter detects the Korn shell, and added a test to see if the 'echo -e' command works or not. As with the installer, this should allow rkhunter to work on all UNIX/Linux systems, and avoid any further "-e"'s being displayed. - When converting the case of characters, unpredictable results could occur when other languages were specified (via LANG). We now use character classes rather than the 'a-z' and 'A-Z' ranges. - For the 'ports' test ensure that only local ports are checked. Also if a port is whitelisted, the result will say so. - Using '--hash MD5 --propupd' on a prelinked system caused an error. - If a non-existent syslog config file was put into the RKH configuration file, then rkhunter incorrectly said that it was found. - If the use of prelinking changed, and the 'hashes' test was disabled, then rkhunter correctly logged a warning (of an O/S change) but did not display it unless the '--rwo' option was used. It now displays the warning whether '--rwo' is used or not. - The 'group_accounts' test now checks /etc/passwd, as well as the shadow file, for passwordless accounts. - If the passwd file did not exist, then a warning of this was logged three times. 
It is now logged once as a warning, and as an info message for the other times. - It was possible for the network ports test to incorrectly display a warning due to an uninitialised variable. - The SSH configuration file tests now allow for leading spaces/tabs. - When using the '--debug' option, and running the 'suspscan' test, the debug file itself could be logged as suspicious. It is now skipped from the test. - Ensure the /proc/ksyms or /proc/kallsyms file is readable before using it. - If the mirrors.dat file has been locally modified to provide a mirror, then the installer will no longer overwrite the file. -- * 1.3.4 (31/12/2008) New: - Added IntoXonia-NG rootkit check. - Added Vampire rootkit check. - Added support for TCB shadow files. - Added Phalanx2 rootkit check. Changes: - The MAIL-ON-WARNING option must now exist in the configuration file. This avoids it being accidentally misspelt, and rkhunter then not notifying the user of any warnings. - The DBDIR directory can now be read-only, after installation, provided that neither the '--propupd' nor the '--update' option is specified, and that the '--versioncheck' option is not specified if ROTATE_MIRRORS is set to 1 in the configuration file. - Renamed the cron job file created by the RPM spec file from '01-rkhunter' to 'rkhunter'. This will then run 'rkhunter' after a prelink cron job (if one exists), and avoid some of the 'run prelink' errors. - The system startup file and directory tests have now been merged. The configuration file options LOCAL_RC_PATH and SYSTEM_RC_DIR have been replaced by the STARTUP_PATHS option, but, for compatibility, they will still be recognised. - The ALLOWPROCDELFILE configuration option, used to whitelist specific processes from the deleted files test, can now be followed by a colon-separated list of pathnames. The given process will then only be whitelisted if it is using one of the given pathnames. 
- The '--propupd' option can now take an optional file, directory or package name after it. The argument can be a list of names. When used, then only the given file names will be updated in the rkhunter.dat file. Hopefully this will make things a bit quicker on slower machines. See the man page for more details. If using a package manager, then you must run 'rkhunter --propupd' first. - The Linux 'os_specific' test has now been split into two separate tests - 'loaded_modules' and 'avail_modules'. The tests, however, are the same as before, they check the currently loaded kernel modules and the names of the available modules. A new configuration file option has been added, called MODULES_DIR, so that users can specify which directory, and sub-directories, are checked for bad module names, should rkhunter be unable to work out the correct location. - The pathname of the debug file, if used, is now written to the log file. Bugfixes: - Cater for when ROOTDIR is explicitly set to '/'. - Added an infinite loop check to the readlink.sh supplied script - only 64 levels of symbolic links are allowed now. Also cater better for top-level names and links, and file names with spaces. - Improved the rsyslog remote logging check. - The wrong error message was shown if the English (en) language file was missing. - The hidden files and directories check wasn't checking for directories! - Improved the O/S name detection. Previously the lsb-release file would have preference to any other file. This could result in some gibberish being given as the O/S name, rather than continuing to look for other release files. This has now been fixed. - The tests against the SSH configuration file now accept the key/value pair to be separated by an equals sign as well as spaces and/or tabs. - The file properties inode check did not work correctly when used on non-prelinked systems with the RPM package manager. 
The test is now only performed when prelinking is not being used, and the inode data is always obtained from the disk. This is a partial fix, as the test should run for scripts regardless of whether prelinking is used or not. - The debug file is now created with a random name, and the file permissions are set to 600. -- * 1.3.2 (27/02/2008) New: - Added support for the socklog and rsyslog (syslog) daemons. - Added support for IRIX/IRIX64 systems. - If the user wishes to force RKH to use the 'stat' or 'readlink' supplied scripts, then this can be set in the configuration file. The options STAT_CMD and READLINK_CMD, respectively, can be given the value of BUILTIN to achieve this. For the 'stat' script, perl must be present. Changes: - Improved the 'unsupported language' error message so that the user is told exactly what command to run in order to see the list of supported languages. Added a similar comment in the configuration file. - Errors from applications during the application version check are mostly now ignored. Improved checking that a valid version has been found. - The ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1 options in the configuration file can now be set to 'unset' and '2' respectively. These values indicate that the SSH configuration file has no specific value set for the corresponding SSH option ('PermitRootLogin' and 'Protocol'). RKH will show the test result in green and as 'Not set'. - Application names, in the application check, can now be completely whitelisted. Previously only specific versions were whitelisted, and RKH had to run the application to find the version. By whitelisting the application completely, RKH does not have to run it. - The use of the 'pflog' network interface is now checked for on all *BSD systems (not just OpenBSD). - Allow i18n language filenames to contain characters other than just letters. Bugfixes: - Scanning the /dev directory in LAZY mode corrupted the pathname being tested. 
Also RKH now handles filenames (in /dev) with spaces correctly. - During the test of files in /dev, MAKEDEV was not being automatically whitelisted if it exists as an actual file (not a symlink). - Ensure the suspscan test removes any files it creates. - The MAIL-ON-WARNING configuration file option and the --no-verbose-logging command-line option, are now only logged if the system is being checked. - Root equivalent and passwordless account names are now shown correctly. Previously, names which contained spaces, for example if the account had been manually commented out, were only shown up to the first space character. - Whitelisted passwordless account names are now logged. - Suspscan warnings were being ignored by the rkhunter summary and return code. - Corrected obtaining process names in Solaris for the network ports and deleted files tests. Previously they did not report the name correctly, if at all. - Use of the '--debug' option with the Korn shell was not working correctly. - Reset the SIGPIPE handler to its default to avoid pipe output errors. - Language files may contain backticks. These are now escaped during processing. - Unset the MANPATH in the spec file to allow the RPM to be built on OpenSuSE systems. - The hidden files/directories test would try and run even if no 'file' command was present. - Cater for *BSD systems using the fdesc/fdescfs filesystem on /dev/fd. -- * 1.3.0 (22/09/2007) New: - Created an ACKNOWLEDGMENTS file. - Added configuration file option MAIL_CMD when MAIL-ON-WARNING is used. This can specify the 'mail' command to use and the subject line. - The log file can be appended to. This can be set in the config file or by using the --append-log command line option. - A second colour set has been added for users using rkhunter with black characters on a white screen. The command-line option --cs2 will enable it. - Added special config file and command-line option, -x/-X, to detect if X is in use. 
If detected then second colour set will be used. - Added '--propupd' option. This allows a user to create the rkhunter.dat file. This file contains the O/S name, file hash values and other bits of information. If the file hash values change, perhaps due to new versions of software, then the user simply runs rkhunter with the option again. If the user has not run rkhunter with this option, then the file properties checks are skipped. This option obsoletes the 'hashupd.sh' script previously recommended to users. If use of the '--propupd' option is suggested by the program, then the log file will contain a warning message to the user that they must ensure that the commands checked on their system must have been installed and verified as being genuine. The file properties check consists of two main parts - the file attributes (permissions, uid etc), and the hash value. Both are stored in rkhunter.dat. Either part, or both, can be disabled using the '--disable' option. - Added the '--hash' command-line option, and the HASH_FUNC option to the configuration file. This allows a user to select the hash function command they want to use for the file hash value check and the properties update. By default SHA1 will be used, or MD5 if SHA1 cannot be found. For prelinked systems the function must be either MD5 or SHA1. A value of NONE can be used to disable the hash check or to stop the hash values being recorded in the rkhunter.dat file. - Added the HASH_FLD_IDX option to the configuration file. This specifies the field of the HASH_FUNC command output which contains the hash value. A default of 1 is used, except for *BSD systems where 4 will be used. - The files for the file hash checks are now 'looked for'. The code will search the command directories, and check the relevant files in all the directories. Additional commands and directories are used for Solaris, MAC OS X, NetBSD and FreeBSD systems. Overall more commands will be checked. 
- Added support for Ubuntu, and the 'dash' and 'ash' shells. - If the O/S name, architecture or prelinking status changes from one rkhunter run to the next, then a warning message is written to the log file and the file properties prerequisite check will fail. The change may well cause the file hash checks to show false positives. (The user should rerun rkhunter with the --propupd option.) - Rkhunter will now check that certain commands are present before starting any checks. This avoids spurious 'command not found' type messages suddenly appearing. - Added basic internationalization (i18n) functionality. The messages displayed during test processing are obtained from an indexed file. This file can be translated in to other languages, keeping the index the same. To see which languages are provided use the new '--list languages' option. Chinese translation provided. - Added two new command-line and configuration file options, '--enable' and '--disable' to specify which tests are to be carried out and which are to be ignored. Use of either option will automatically assume '--check'. - To list the available test names, use the new '--list tests' option. - The '--update' and --versioncheck' options can now use commands other than wget to download files. Supported commands are now wget, curl, elinks, links, lynx, bget and GET. Once a command has been found, it will be used for all downloads. Since bget and GET are perl commands, checks will be made that any required perl modules are also present on the system. - (SF Tracker 1616395) Added '--syslog' cli option, configuration file option USE_SYSLOG. This will allow the --check option start and finish time to be logged via syslog. The facility/priority are user configurable. - Added --debug cli option, and allow commands to be configured in the configuration file. Both of these additions are for the developers, but may be used when debugging user problems. - Added command-line options '--summary/--nosummary' (--ns). 
These control whether the system checks summary is shown. By default it is shown. The '--summary' option, as well as the '--report-warnings-only' option, will override the '--quiet' option if they are specified. However, no other information will be displayed if '--quiet' is used. - Added SunOS SInAR rootkit check. - Added '--verbose-logging/--no-verbose-logging' options. This cuts down on some of the logging for some of the tests. By default verbose logging is enabled. - The inetd and xinetd configuration file pathnames can now be specified in the rkhunter configuration file. Also, enabled inetd and xinetd services can now be whitelisted. - Added support for Solaris 10 inetd mechanism (inetadm). - The directory containing the SSH configuration file can now be specified in the rkhunter config file. - The pathname to the syslog configuration file can now be specified in the rkhunter config file. - The use of syslog remote logging can be allowed in the configuration file. - The pathnames to the local system startup file (rc.local), and the startup directory (/etc/rc.d) can now be specified in the rkhunter config file. - Files in /dev can now be whitelisted. - Application version numbers can now be whitelisted. This caters for those distributions that may patch a 'known bad' version, but without updating the original version number. - Added 'suspscan' to malware tests. Suspscan attempts to scan files in directories containing temporary files for signs of malicious activity, and could be of use on (publicly accessible) web servers running for instance PHP-based applications. Please note that in its current state suspscan is prone to reporting false positives, and is CPU and I/O intensive to boot. Therefore suspscan is disabled by default. Please do not enable suspscan unless you have good reasons to use it. Review the settings in the configuration file, and test before deploying it on production servers. 
- Added the command-line option '--pkgmgr', and the configuration file option PKGMGR. These provide support for package managers when using the '--propupd' and '--check' options. Currently supported package managers are 'RPM' for RedHat/RPM-based systems, 'DPKG' for Debian-based systems, and 'BSD' for *BSD systems. Additionally, 'NONE' can be used to indicate that no package manager is to be used. The default is 'NONE'. See the README file for more details. - It is now possible to configure rkhunter to use local or remote mirrors, rather than just the SourceForge one. This applies when either the '--update' or the '--versioncheck' option is used. The default is to use all defined mirrors. The README file has more details about this. - It is possible to configure rkhunter to not rotate the mirrors.dat file. It is also possible to configure the mirrors file not to be updated when the '--update' option is used. Both of these options can be useful when defining local mirrors. The README file has more details about this. - Added a file size check to the file properties checks. This will only occur for non-prelinked files, files not part of a package, or packaged files when the RPM package manager is being used. - Network ports listed in the backdoorports.dat file can now be whitelisted. Specific protocol/port pairs, or pathnames to allowed executables, may be used. Additionally, an asterisk may be used to indicate that trusted pathnames will be allowed. The configuration file has more details about this. - The O/S 'release' file pathname may now be configured. This option should only be necessary for those systems on which rkhunter cannot automatically determine the O/S name or version. - Rootkit files and directories, including those with spaces, may now be whitelisted in the configuration file. Changes: - Improved command-line and config file option checking. 
- The log file is now created by default, it can be disabled in the config file or by using the --nolog command line option. The log file is created with permissions 600. - The log file cannot be a symlink. - Multiple recipients may be specified with the MAIL-ON-WARNING config option. - Added BINDIR and ROOTDIR options to the config file. - Split out the README file in to README and FAQ files. - Solaris will now use the bash shell if available. - Expanded the command PATH used to include the /opt/sfw and /usr/sfw directories for Solaris users. - Expanded the command PATH used to include the /usr/pkg directory for NetBSD users. - Expanded the command PATH used to include the /System/Links/Executables directory for GoboLinux users. - Versioncheck now checks the versions numerically. - The HASHWHITELIST configuration file option has been removed. It is no longer required because users can now create their own file of hash values using the '--propupd' option. - The '--checkall' option has been changed to '--check'. The old option is still recognised, but will be deprecated at some time. - If a log file is to be written, but not appended to, then the old log file is moved to '.old' now. The same happens to the rkhunter.dat file if the --propupd option is used. - The previous 'known good' hash check now also checks the files inode, uid, gid, permissions and modification date/time, for any changes. The latter is only for non-prelinked systems. As before, in all cases, the file hash is checked. (This is now the file properties check.) - Improved the O/S detection mechanism. Rather than requiring users to send us details, rkhunter actively looks at the 'release' file(s) to find the O/S name. Included support for some lesser-known Linuxes - GoboLinux, Lunar Linux, Rock Linux, Source Mage Linux, Kanotix, Sidux and Zenwalk. 
- If the --propupd or --update options are used, as well as the system check option --check, then the update checks are performed before the system is checked. Previously the update occurred after the system was checked. - Hidden file search now checks /usr/share/man directories. - Improved NetBSD support. - The supplied perl scripts, providing the stat, md5 and sha1 commands, can now be executed without perl being in the default directory (/usr/bin). - If a perl script is to be used, then a check is made that required modules are installed on the system. If they are not, then it is treated the same as if perl was not present. - Included the /usr/share/man directories when looking for hidden files. - Check for symbol entries in kallsyms file if ksyms does not exist. - Enabled sockstat/netstat test for all BSD variants (not just FreeBSD). - Enabled backdoor port test for all systems which have either the 'lsof' or 'netstat' command. However, if the netstat syntax is not understood on the O/S, then an error is shown. (The user can configure the test to be disabled to avoid the error.) - The TMPDIR configuration option and --tmpdir command-line option cannot be set to /tmp or /var/tmp because files will be copied and left there. It cannot be set to /etc either because files will be deleted from there. - Removed the '--scan-knownbad-files' option. This test was considered to be obsolete. - Removed the '--disable-md5-check' option. This is now the 'hashes' test name, and can be disabled by the '--disable' option. - Removed the '--allow-ssh-root-user' option from the command-line. This can still be set/unset in the configuration file. This option must now be set to the value of the 'PermitRootLogin' option in the SSH config file. This then allows root access to be set, but will check to see if the option has changed. A default value of "no" is used. - The --rootdir/ROOTDIR configuration option has been changed to be more intuitive. 
Previously the specified ROOTDIR had to end in a slash (e.g. '/abc/'). Now this is not necessary, a normal directory name can be used (e.g. '/abc'). - The '--versioncheck' option now rotates the mirror file. It also assumes program defaults if the mirror file is missing or empty, or if no mirrors are found within it. Additionally if the URL is missing from the configuration file, then a program default is used. This allows the option to work even if the files have become a bit corrupt. Any missing files or mirrors are logged to the log file. If a mirror fails, then the next mirror is used, until all the mirrors have been tried. Only then is a failure message displayed, and the return code set. The return code will be set to 0 if no error occurred, 1 if an error did occur, and 2 if no error occurred but a new version is available. - The '--update' option will use a default mirror if the mirror file is missing or empty. If a mirror fails then the next mirror is used. If a file has become corrupted such that the version number cannot be read, then a new copy will be downloaded. The return code will be set for this function. It will take the value of 0 for no error, 1 for an error, and 2 for no error but an update has occurred. This allows a user to use the --quiet option, but still check for the return code. - The version numbering of the '.dat' database files has changed. This makes them incompatible with previous versions of rkhunter, and as such files from previous versions will be overwritten if used with this version. - The displayed output and logged output are now similar. This allows checking the log file to be easier when looking for specific tests. The log file will, of course, log more information than is displayed on the screen. - Script replacement check now checks for any type of script (perl, awk, etc). Previous versions only checked for shell scripts. Commands which are supposed to be scripts can be whitelisted in the configuration file. 
The 'rkhunter' command itself is an exception, and the check will ensure that 'rkhunter' is a shell script. The script check will be automatically skipped if a package manager is being used, and the file has already passed the file size and hash checks. - File permissions check improved to check if 'other' has the 'w' bit set. Previous versions only checked if '777' ('rwxrwxrwx') was set. Merged this into the file properties checks. Soft links are ignored, as are packaged files when the RPM package manager is used. - The '--report-mode' option has been removed. It was not seen as being useful, and combinations of the other options will provide the same, if not better, reporting. - The xinetd.conf check now handles the 'include' directive. It also now handles the 'includedir' directive in all files, and not just in the initial xinetd configuration file. - The '--display-logfile' option can now be used after any option. Previously the log file was only shown after checking the system. - The checks on accounts and the password and shadow files, have been improved. The user can configure the pathname to the password and shadow files, as well as being able to whitelist accounts with no password or which are root equivalent. *BSD support improved. - Improved the hidden files and directories checks. Some directories are now searched more thoroughly, and checks against the file type are more robust. - Apache backdoor test now looks in more places. - The application version check no longer checks against known 'good' versions. Only a file of bad versions is kept. The previous method was impossible to maintain. - Enabled the immutable file test for *BSD systems. - Soft (symbolic) links for files and directories are now handled correctly. Previously the link was dealt with, but not what it pointed to. Soft links are dealt with when using the '--propupd' command, and when running the file properties checks. For those systems with no 'readlink' command (e.g. 
Solaris), or those in which readlink does not understand the '-f' option (e.g. NetBSD), a shell script is now provided to support this. - RPM spec file and installer now caters for x86_64 machines. Removing the RPM now more fully removes RKH; only the rkhunter.conf file should remain. Bugfixes: - Command-line options requiring an argument now work correctly under Solaris. - The -h/--help option now works as expected. - The 'ignoKit rootkit' check was not checking all the required files. - Some checks were not respecting the ROOTDIR option in their pathnames. This has now been corrected (possibly not completely though). Also, some tests were using ROOTDIR pathnames in grep/strings checks when they shouldn't have been. This has also been corrected. - The file hash prelink test should now work even if SELinux objects to the prelink command (provided the 'runcon' command exists). When the '--propupd' option is used, any file for which a hash cannot be obtained is logged as a warning. (Typically prelink may need to be run on the file.) Rkhunter will still work as before, but the file properties check may show that the hash value has changed to or from a null value. - Corrected file attributes check - previously the immutable flag would never have been found. - Backdoor UDP port tests were not being done correctly. The TCP port tests have been made a bit more aggressive - TCP tests only look for TCP ports; they also look for established connections rather than just listeners. - Backdoor port data file (backdoorports.dat) is now part of the '--update' process. - The '--versioncheck' option did not set the return code. It now does so. However, note that if an update is available then the code will be set to '2'. This allows use of the '--quiet' option, but still being able to detect if an error occurred (code 1), an update is available (code 2) or if no error occurred and no update available (code 0). - Corrected bug in Solaris script replacement check. 
The tested output is never used on Solaris, so previously the test would never have worked. - The '--quiet' option now does what it says. No output is shown unless other options are specified by the user. E.g. using '--quiet' on its own produces no output, but sets the return code. If the '--report-warnings-only' option is used as well, then warnings will be shown despite '--quiet' being used. - Enabled the login backdoor check. It was coded, but used the wrong variable. It also checked for directory names rather than file names. This looked wrong, but I could not find any more info about it. As such we now check for their existence rather than whether they are files or directories. - Corrected the suspicious directories check. - The xinetd.conf check only occurred for Linux systems. It will now occur for all O/S's. Also, the check always reported the file was clean, regardless of whether this was true or not. - The hidden files and directories check was not working correctly for Gentoo users. - Small bug in T0rn rootkit file list. 
-- * 1.2.10 (Not released) New: - Enabled Ohhara Rootkit check Changes: - If duplicate configuration file options are seen, then only the last one seen is used Bugfixes: - Lsof resolution fix - Fixed Danny Boy's Abuse Kit check - Fixed SHV5/Tripwire check - Fixed ignoKit check -- * 1.2.9 (30/09/2006) New: - Rootkit Hunter is under new management so maintenance, development and support is assured - Added support for RHEL WS/AS/ES 3, Taroon update 8 - Added support for Fedora Core 5 - Added support for SuSE 10 - Added check for packet capturing applications (see rkhunter.conf for whitelisting) - Added check for processes using deleted files (see rkhunter.conf for whitelisting) - Enabled netstat check for AIX - Enabled backdoor check for SunOS - Enabled logfile specification and checks Changes: - Improved cAos support - Improved AIX rc.sysinit test - Improved second promiscuous mode check - Improved prelinking test - Improved binaries found check - Improved MD5 check and application scan - Improved FreeBSD/AIX grepping - Improved Solaris grep/ifconfig (FP's) - Improved reportmode report-warnings-only - Improved permitrootlogin check with forced-commands-only - Improved passwordless user accounts test - Improved file/module name checks (FP's) - Improved check-update: DBDIR vs temp dir and preserve DAC rights - Improved Solaris script replacements - Fix typos, grammatical changes, formatting/displaying - Added more examples to config - Change contact information Bugfixes: - Removed stale mirrors - Fix SF tracker issue 1449701 - Fix skdet test - Time uses Perl epoch - Error message about "group" file - Ksh 'shift' fix -- * 1.2.8 (24/02/2006) New: - Added '-sk' alias (instead of --skip-keypress) - Added support for Fedora core 4 - Added support for FreeBSD 4.11, 5.2, 5.3, 5.4, 6.0 - Added support for CentOS 3.3 ('final' and 'Final') - Added support for CentOS 3.5, 4.1 and 4.2 - Added support for Debian 3.1 (AMD64) - Added support for RHEL WS/AS/ES 3, Taroon update 6 - 
Added support for RHEL WS 4, Nahant Update 1 and 2 - Added support for Slackware 10.2 Changes: - Updated RHEL hashes - Updated Fedora Core 3 hashes - Updated SuSE 9.1 hashes - Updated software database - Update copyright line -- * 1.2.7 (24/05/2005) New: - Added support for CentOS 4.0 - Added support for Mandrake 10.2 - Added support for Gentoo (sparc/sparc64/x86) - Added additional support for E-smith (SME 6.0.1) - Added support for FreeBSD 4.5 and 4.6 Changes: - Improved support for Bind (thanks to Craig) - Improved support for RHEL AS release 3 - Updated hashes for SuSE 9.1 (core-utils) Bugfixes: - Fixed problem with the updater (file was retrieved, but not placed within the correct directory) -- * 1.2.6 (10/05/2005) New: - Added support for Tao Linux - Added support for Trustix 2.2 (Sunchild) Bugfixes: - Fixed problem with updater -- * 1.2.5 (03/05/2005) New: - Added support for FreeBSD 4.11 (i386) - Added support for RHEL AS release 3 - Added support for Cobalt (6.5.1) Changes: - Fixed permissions of check_update.sh - Fixed typo in help - Improved detection for some unknown rootkits/backdoors - Improved messages/logging - Some code cleanups - Important: fixed a security issue, related to temporary files -- * 1.2.4 (25/04/2005) New: - Added support for E-smith (SME 6.0) Changes: - Updated hashes for Fedora core 2 - Improved documentation of tools (see tools directory) - Removed logging from installer Bugfixes: - Fixed problem when using --allow-ssh-root-user (option was overwritten by configuration file option) -- * 1.2.3 (21/03/2005) New: - Added option to allow/whitelist hidden files and directories. 
See configuration file - Added support for SuSE 9.2 (x86-64) Changes: - Updated configuration file, to give more information about whitelisting of hidden files/directories - Updated Fedora core 3 hashes (procps package) - Updated packages: OpenSSH - Updated manpage - Improved logging - Added debugging info for named - Strip off patch version with PHP port (Debian) - Extended support for Fink (MacOS), added /sw/bin to BINPATHS in check_update.sh - Improved installer when /usr/local/bin is missing Bugfixes: - Fixed problem with unquoted variable (passwordless accounts) -- * 1.2.2 (18/03/2005) New: - Added support for Mandrake 10.1 - Added hashes for Mandrake 10.1. Thanks to Roderick B. Greening - Added support for RHEL WS release 3 - Added support for NIS when looking for passwordless accounts - Added support for beX2 (evil code) Changes: - Updated Debian hashes - Changed permissions of installer (0755 instead of 0750) - Changed installer so normal users can install rkhunter. This is experimental, so check is commented in installer - Updated packages: Bind, Exim, OpenSSL - Improved logging - Small layout fixes - Code cleanup - Updated mirror list - Updated copyright message (2005) Bugfixes: - Changed symbols when one or more groups are added/removed -- * 1.2.1 (21/02/2005) New: - Added support for Mandrake 8.1 (i586, no hashes) - Added support for FreeBSD 5.3 (i386, with hashes for release version) - Added support for Slackware 10.1 - Added Turkish translation to installer (note: language support temporarily disabled) - Added support for Fink (MacOS), added /sw/bin to BINPATHS - Added contrib directory - Added script (contrib) run_rkhunter, by Andy Spiegel Changes: - Updated hashes for SuSE 9.1, Mandrake 10.0 - Updated installer (changed copyright line, comments and disabled version number, because it can be confusing when installer version is another version than main version.) 
- Perform extra check before checking configuration file (to see if it exists) - Improved logging (show temporary directory, improve output when scanning for default rootkit files/directories) - Improved output when system is unsupported - Stop program when temporary directory doesn't exist instead of creating it - Updated packages: Apache, Bind, GnuPG, OpenSSL - Fixed some typos Bugfixes: - BINPATHS got overwritten when performing software version check - Fixed bug when checking for ssh root user. Thanks to Andy Spiegel - Clean up temporary prelink file Website: - Added notification list - Fixed some XHTML bugs -- * 1.2.0 (10/02/2005) New: - Added support for CentOS 3.4 - Added new configuration option 'ALLOW_SSH_ROOT_USER' and program parameter '--allow-ssh-root-user' to allow direct login of a `root` user, in your SSH configuration file. Changes: - Updated hashes for Fedora Core 1, Core 2, Core 3 - Changed RHEL 3, so taroon 4 uses the hashes of taroon 3 - Updated Debian hashes - Removed ClamAV from application scan. It now warns the user when it runs a version that is too old. - Updated manpage - Changed detection for SuSE versions. SuSE Linux Enterprise Server didn't work, because of the capitals (instead of the usual name) - Warn if user uses /tmp as temporary directory (possible security issue) - Updated wishlist/todo and manpage. Bugfixes: - Fixed wrong message when group was added/deleted from /etc/groups -- * 1.1.9 (28/12/2004) New: - Added RH-Sharpe's rootkit (rootkit) - Added SHV5 rootkit (rootkit) - Added special test for tripwire - Added support for metalog (syslog daemon) - Added support for ALTLinux 2.2 and 2.4 - Added support for CentOS 3.3 - Added support for Gentoo 1.6 - Added support for FreeBSD 4.10 (alpha platform) - Added support for SuSE SLES8. Thanks to Mario Lenz - Added support for SuSE 9.2 (i586) - Added support for Fedora Core 3 - Added support for Red Hat Enterprise Linux ES/WS release 4 - Added hashes for Fedora Core 3. 
Thanks to Steph - Official port is now available for ALTLinux - Change text when an old software package has been found. This will happen with backporting operating systems (Red Hat, Fedora etc) Changes: - Improved logging for lsof test - Updated hashes for Fedora Core 1 - Updated hashes for Debian woody - Updated hashes for Red Hat Enterprise Linux ES/WS release 3 - Updated hashes for Slackware 9 - Updated hashes for Slackware 10 - Updated hashes for SuSE 9.1 - Updated wishlist/todo, updated readme and manpage. - Code cleanup (added more remarks, cleanup of old/buggy things). - Improved logging Bugfixes: - Changed binary search path due to a typo. Thanks to Bertrand -- * 1.1.8 (12/09/2004) New: - Added support for Red Hat 6.2 and hashes. Thanks to Sebastian Herbszt - Added support for Red Hat Enterprise Linux ES 3, Taroon update 3 - Added support for Red Hat Enterprise Linux AS 3, Taroon update 1 Changes: - Improved Suckit detection - Improved FreeBSD version detection. It now will skip MD5 check if sysctl contains 'release', but patches for primary binaries are installed (like ls, ps, top etc) - Added error redirection when performing lsattr checks - Added `find` to path search - Updated installer with Portuguese/Brazilian language. Thanks to Douglas - Updated hashes for Red Hat Enterprise Linux 3 - Updated hashes for Slackware 10 - Cleaned up logging when checking for passwordless accounts - Show message when bad hashes are found. Some scared people began to worry immediately after they found several bad hashes, without understanding the reason for it (reason: updated packages). - Improved output in logging which deals with updated packages / hashes - Improved logging (informational logging) - Improved output of hidden directories/files. 
Thanks to Greg Houlette - Corrected some parts of logging - Code cleanup Bugfixes: - Forgot to initialise LSATTRFOUND -- * 1.1.7 (29/08/2004) New: - Added support for ADM Worm - Added support for MzOzD and spwn backdoor - Added LKM filename check (experimental) - Added passwordless user account test Changes: - Updated Mandrake 9.2 hashes. Thanks to Eric Gerbier - Updated application version list - Extended inetd.conf test (searches for shells) - Added total of vulnerable applications at report, if application scan was performed. Bugfixes: - Fixed a major bug in the installer when you install version 1.1.5 or newer. The sample configuration won't be copied and the due to that, the --update function won't work. -- * 1.1.6 (18/08/2004) New: - Added support for RSHA's rootkit (rootkit) - Inspect files attributes (immutable detection) - Added '--update' to help text. Updater seems to be stable - Added FreeBSD packages database test (pkgdb). It performs an automatic fixup of the database and displays an error when problems were found. - Added '--skip-application-check' option. This skips the program version check. On some systems it's half useless, because they use patched (old) version numbers. Changes: - Improved report at end (hide line when no rootkits are found) - Updated hashes for SuSE 9.1 (i586) - Fixed double hash in database - Updated database with program versions - Added more help and informational messages Bugfixes: - Improved installer (when last line contains no newline char, the INSTALLDIR option was added on the wrong place) -- * 1.1.5 (11/08/2004) New: - Added support for Ni0 Rootkit (rootkit) - Added 'open files' check - Added OpenSSL check - Added Solaris 9 support Changes: - Improved logging of application scan check - Improved xinetd.conf tests (disabled some parts, due false positives) - Improved logging on different places (more breaks etc) - Improved SunOS support. 
Thanks to Michael Gueting - Improved (POSIX compatible) applications support for SunOS - Fixed a typo (application version check) - Fixed a typo (SSH check) - Fixed small layout issue at application scan check - Removed an double declared variable (WARNING=0) Bugfixes: - Fixed missing lines in rkhunter.spec file - Installation script shouldn't be overwriting rkhunter.conf file.. -- * 1.1.4 (07/08/2004) New: - Added support for FreeBSD 4.10 - Added support for White Box Enterprise Linux 3.0 - Added support for Debian 3.1 (Sid) - Added support for OpenBSD 3.5 (i386 and sparc64) - Added support for SunOS. Thanks to Michael Gueting - Added boot.local test for SuSE 9.x - Added Apache test - Added support for mod_rootme module (apache backdoor) - Added option '--display-logfile'. It displays the logfile you specified at the end of the output (don't forget to use --create-logfile) - Added application version checker Changes: - Don't quit when wget cannot be found during install - Updated installer (for new update function) - Updated MD5 hashes for Mandrake 9.1 - Updated MD5 hashes for Slackware 9.1 - Updated MD5 hashes for FreeBSD 5.2.1 - Improved logging in quiet mode - Improved key pauses when in 'interactive' mode - Improved xinetd check - Improved report-mode option (--report-mode). If you want a small amount of information (ie. if you scan a lot of servers), use this option. - Updated document location in installer - Updated the wishlist. A lot of issues are solved now. - Updated changelog (had some little typos) Bugfixes: - Fixed false positive when using Debian - Fixed support for PLD Linux and CPUBuilders Linux - Fixed a typo in the installer -- * 1.1.3 (20/07/2004) New: - Added support for SuSE Linux Enterprise Server 8. Thanks to Daniel Berlin - Added support for SuSE Linux Openexchange Server 4.1.1. 
Thanks to Daniel Berlin - Added support for Fedora Core 2 with 64 bits support - Added support for TDB database (/dev related) - Added hashes for FreeBSD 5.2.1 * Added tools directory in tarball with an experimental auto-updater. Use it at your own risk and check the script before you run it! Changes: - Improved Suckit support (rootkit) - Improved user detection (the check will now handle NIS users fine when checking for UID 0 alike users) - Improved logging on multiple sections - Updated parameter list (--help), to reflect changes (--quiet) - Updated hashes for Mandrake 10 - Updated installer. With a SunOS improvement by Michael Gueting. Bugfixes: - Quiet-option is now really quiet (xinetd line still appeared when running in quiet mode) - Fixed a problem with the binary UPX scan (multiple error lines appeared) -- * 1.1.2 (14/05/2004) New: - Added string check. This checks some binaries which often get trojaned. - Added '--quiet' option. Very useful when running Rootkit Hunter as a cronjob and don't want to see all the output (EXCEPT when warnings/errors have been found) - Added xinet daemon test. Thanks to unSpawn and Andrea - Added test for binaries (UPX) - Added alias '--create-logfile' for '--createlogfile' - Added support for Mandrake 8.2 - Added support for Mandrake 9.0 - Added support for Mandrake 9.1 - Added support for Redhat Enterprise Linux AS (Taroon update 2). Thanks to Yann Le Guennec - Added support for Slackware 10. Thanks to Fred Bulthuis - Added support for Gentoo 1.5. Thanks to Nicolas Kaiser - Added support for some Gentoo ppc versions - Added hashes for Slackware 10 Changes: - Improved support for AIX and OpenBSD. Thanks to Iain Roberts - Improved support for rootkits (Dica, Dreams, Fuckit, MRK, Ohhara, Sin, SunOS Rootkit and TBD Rootkit) - Updated hashes for Fedora Core 2 - Updated hashes for SuSE 8.2. 
Thanks to Jack Denman - Updated installer Bugfixes: - Fixed another problem in the installer - Fixed a problem with the updater (not yet in use) - Changed output of `ps` when checking for syslog daemon (should fix a problem on some systems where the output was too long) -- * 1.1.1 Bugfixes: - Fixed a problem with the installer.. (wrong shell) -- * 1.1.0 New: - Added support for Red Hat Linux Advanced Server 2.1 - Added support for Slackware 9.0. Thanks to Stan Cosmin - Added support for Slackware 9.1. Thanks to Fred Bulthuis - Added support for Trustix 2.0. Thanks to Agung Ud - Added support for Debian with sparc64 architecture (testing/unstable) - Added hashes for Slackware 9.0 - Added hashes for Slackware 9.1 Changes: - Updated SuSE 9.1 hashes - Updated Mandrake 10 hashes - Updated Fedora Core 1 hashes - Updated Fedora Core 2 hashes - Updated OpenBSD 3.3 hashes - Updated Suckit (rootkit), multiple improvements - Updated rkhunter.spec file. Thanks to Craig Orsinger - Updated installer. Thanks to Iain Roberts - Added mirrors.dat to file checks Bugfixes: - Fixed WHITELIST option again (it stripped the wrong characters: when a hash contains a '5', it got stripped) - Updated sockstat/netstat check for FreeBSD - Skipping of MD5 didn't work anymore (due a forcefully check when Perl module Digest::MD5 was found). Thanks to Zac -- * 1.0.9 New: - Added support for Balaur Rootkit (rootkit) - Added installdir option to the installer - Added INSTALLDIR option to configuration file - Added support for SuSE 9.1 (pro) - Added support for Fedora Core 2 - Added support for RHEL 3 Taroon update 2 - Added support for PCLinuxOS (HD-install) - Added hashes for SuSE 9.1 - Added hashes for Fedora Core 2 - Added hashes for Mandrake 10 Changes: - Updated hashes for Fedora Core 1 (updating prelinked hashes is no good idea..) Thanks to Doncho. - Updated hashes for SuSE 8.2 - Updated hashes for Mandrake 9.2 - Updated hashes for RHEL 3 Taroon update 1 and update 2. 
Thanks to Tom and Eilko - Improved hidden file detection Bugfixes: - Added prelink check, to resolve some problems with a few Fedora Core 1 installations. Thanks to Mike Haslam for pointing out this problem. - Changed detection of syslog daemon - Fixed a problem with the MD5WHITELIST option (see rkhunter.conf). Thanks to John P. New - Updated installer (added /usr/local/etc to directory check, because some systems don't have this directory by default) -- * 1.0.8 New: - Added support for Mandrake 10 (official release). Thanks to Dave Edwards - Added support for Slackware 9.1.0. Thanks to Zebul666 - Added hashes for Red Hat Enterprise Linux 2.1 (Panama). Thanks to Duke (mastre). (+1 beer for me) Changes: - Updated hashes for Red Hat Enterprise Linux 3 - Updated hashes for Fedora Core 1. Thanks to Greg Houlette - Updated rkhunter.spec file by Doncho - Improved extra Suckit tests. Check the presence of `stat`, before performing the scans. Reported by Pasi. -- * 1.0.7 New: - Added support for Irix Rootkit (rootkit) - Added support for URK (Universal Root Kit) (rootkit) - Added 'whitelist support' for MD5 hashes. See configuration file for more information about this new option. - Added improved support for Yellowdog 3.0 (Sirius). Thanks to P. Hopkins Changes: - Improved Suckit detection (multiple improvements). Thanks to unSpawn! - Fixed problem when running a special listener under FreeBSD (i.e. a DHCP daemon). Thanks to Yann Nottara - Fixed wrong text with 'rootdir' option. Thanks to Doncho N. Gunchev - Fixed typo with '--dbdir' parameter. Thanks to unSpawn. - Fixed rkhunter.spec file. md5blacklist.dat was missing. Thanks to Masanari Iida - Fixed a problem with the $rootdir - Improved rkhunter.spec file. Thanks to Doncho N. Gunchev - Improved Perl version detection. Thanks to Doncho N. Gunchev - Updated installer to support dynamic paths soon. 
- Layout improvements for installer - Changed copyright text in main binary and installer (as required/suggested by GPL) - Updated website (FAQ, documentation) -- * 1.0.6 New: - Added support for FreeBSD 4.9 and 5.2.1 - Added support for SuSE 9.0 (i386 and i586). Thanks to multiple people - Added support for Trustix. Thanks to Joachim Holst - Added support for Whitebox Enterprise Linux 3.0. Thanks to Fire - Added support for CentOS 3.1. Thanks to Fire - Added support for Mandrake 10 (community release). Thanks to Ted Kline - Added support for CPUBuilders Linux. Thanks to Chris Locke - Added support for Gentoo's 'rc.local' file (local.start) - Added parameter '--bindir' to use another (binary) directory than the default ones (to select which binaries will be used to perform the tests). Requested by Joel. - Added parameter '--configfile' to use another configuration file. - Added parameter '--dbdir' to use another (dynamic) database directory - Added a check when dynamic parameters are used (like --dbdir, --bindir) to check the existance of these paths/files. - Added lsmod check (/proc/modules) for Linux distros. Thanks to Micah Anderson Changes: - Updated hashes for Mandrake 9.2. Thanks to John P. New and others. - Updated hashes for Red Hat Enterprise Linux Update 1. Thanks to Eilko - Added informational message, when 'PermitRootLogin' or SSH protocol 1 is found, into the logfile - Renamed .spec file to rkhunter.spec - Updated installer. Thanks to Uwe Hermann - Improved LKM check. Thanks to Joe Croft - Improved logging - Fixed a problem with ifconfig -- * 1.0.5 New: - Added 'ignoKit' (rootkit) - Added support for Red Hat Linux 8.0 (Psyche) - Added option '--disable-passwd-check', to disable passwd/group check. Suggested by Michael Niehren - Added option '--scan-knownbad-files', to scan besides the 'known good' MD5 checks, a lot of system binaries against a 'known bad' database. 
- Added option '--tmpdir', to specify a temporary directory instead of the static one (see below, at 'tmpdir' option within the configuration file). - Added a 'known bad' database with a lot of 'blacklisted' binaries and tools (like sniffers, rootkits, backdoored binaries, IRC tools etc) - Added hashes for Red Hat Enterprise Linux ES release 3 (unpatched). Thanks to Nico Morrison - Added a 'mail-on-warning' option to the configuration file. When the checker finds one or more warnings, it will send a warning to the system administrator (see the configuration file for more information) - Added 'tmpdir' option to the configuration. This optional value can be used instead of the default (/usr/local/rkhunter/tmp) directory and is one of the first steps to make rkhunter less static. - Rootkit Hunter now exists with an exit code of 1 when a rootkit is found or a MD5 checksum failed. Suggested by Michael Niehren Changes: - Updated support for Red Hat Enterprise Linux. Thanks to Nico Morrison - Improved/updated .spec file for RPM creation (improved cronjob script, updated file version, corrected packager value). Thanks to Joe Klemmer and Michael Niehren - Improved cronjob check (it contained a little bug, so it wasn't always non- interactive..) - Improved logging of sockstat/netstat tests - Fixed message when parameters are provided, but 'check' option is missing - Updated installer (0.0.6) -- * 1.0.4 New: - Added 'AjaKit' (rootkit) - Added 'Legion of Doom (LoD)' (rootkit) (note: uses almost every same file as AjaKit) - Added support for Red Hat Enterprise Linux. Thanks to Kevin Jarnot Changes: - Updated 'NSDAP' (rootkit) - Updated 'Dica' (rootkit) - Updated 'X-Org SunOS Rootkit' (rootkit) - Changed message 'not found' into 'OK' when no file redirection has been found. Thanks to Jens Gutzeit - Improved check for hidden files (empty files will be skipped, more directories added) - Corrected file scan counter. 
- Improved logging - Cleaned up tarball -- * 1.0.3 New: - Added support for SuSE Linux 8.1. Changes: - Updated 'Flea Linux Rootkit', because /lib/security is a legal path name. Thanks to Moritz Bunkus - Updated syslog-ng checking (checking remote logging in the configuration file). Thanks to Juri Memmert for reporting the problem -- * 1.0.2 New: - Added 'aPa Kit' (rootkit) - Added 'Danny-Boy's Abuse Kit' (rootkit) - Added 'Duarawkz' (rootkit) - Added 'Flea Linux Rootkit' (rootkit) - Added 'HjC kit' (rootkit) - Added 'Kitko' (rootkit) - Added 'R3dstorm Toolkit' (rootkit) - Added 'TeLeKiT' (rootkit) - Added 'VcKit' (rootkit) - Added support for Aurora Linux 1.0 (SPARC, named 'Ansel') - Added support for Red Hat Linux 7.0 - Added support for Mac OS X (Darwin kernel) - Added option '--report-mode' to remove footer and location of logfile - Added alias parameter '--createlog' for '--createlogfile' - Added alias parameter '--skipkeypress' for '--skip-keypress' - Added informational message when a user doesn't use '--checkall' or '--cronjob' Changes: - Updated hashes for Fedora Core 1. Thanks to Doncho N. Gunchev - Improved output of logfile - Changed warning message when a part of a rootkit has been found (show correct logfile instead of default file) - Changed footer message (and tell you guys you have to submit your undetected rootkits) Website: - Updated articles: Hyperlinks, Scanning Techniques -- * 1.0.1 New: - Added parameter '-h' (or --help, -?) to display the usage syntax (same thing when you give no options at all). Reported by Arthur E. Groen - Support for Linux SuSE 8.2 (i586 platform) Changes: - Improved scan for 'Suckit' (rootkit) - Updates hashes for Mandrake 9.2 - Fixed a problem with the installer (wrong function declaration). - Had to strip down all colors in the installer, because of the complaints :-) - Changed installer so it could be used as a non-interactive installer (like it was before).. 
Languages are still usable, but will be used in later versions (with an interactive switch) - Fixed the LANG function (renamed it, because of the reserved name). - Added Swedish translation for the installer. Thanks to Daniel Olsson - Improved logging when Perl has been found - Undo 'skip MD5 test' (MD5CHECK_SKIP=0) when Digest::MD5 available, but md5(sum) isn't, so we can still scan. - Fixed a wrong path name (deleting of temporary passwd file) Website / Documentation: - Updated FAQ - Updated Project information (updated supported OSes, rootkits, added date of last modification) - Updated README -- * 1.0.0 Special remarks: - New developer: Stephane Dudzinski (a.k.a. FRLinux) New: * Operating system support - Added support for Fedora (tested with Core 1, Yarrow) - Added support for Gentoo (tested with 1.4 release) - Added support for Red Hat 7.3 (Valhalla) - Added support for Sun Solaris (not working yet..) - Added OpenBSD 3.3 (i386) hashes - Added Fedora Core 1 (i386) hashes - Added special verify section when prelinked binaries are found (like Fedora Core 1 uses). Thanks to Michael G. Rozman - Added support for IBM AIX. A big thanks to Iain Roberts! Versions 4.3.2, 4.3.3, 5.1, 5.2, 5.3, 5.4 * Rootkit / backdoor support - Added 'Dreams' (rootkit). Thanks to Joshua Levitsky - Added 'Heroin' (LKM rootkit) - Added 'Sin' (rootkit) - Added 'Shutdown' (rootkit) - Added 'Sneakin' (rootkit) - Added 'Superkit' (rootkit) - Added 'T0rn' (rootkit) - Added 'Trojanit Kit' (rootkit) - Added 'zaRwT.KiT' (rootkit) - Added 'Volc' (rootkit) * Linux support - Added extra kernel check (2.4/2.6) when OS is Linux - Added Linux 2.6 kernel support. - Added extra check when using an RPM based distro, to display the package name in the logfile when filehashes are different. Thanks to Michael G. Rozman * Rootkit Hunter options - Added option '--quick'. 
Can be used with newly added scans and will use some tweaks to scan quicker (be careful: can hide some useful information at first scan, i.e. hidden files with trojaned binaries) - Added option '--skip-keypress'. Make rkhunter non-interactive, so you don't have to press [enter] after every test. Requested by Michael G. Rozman - Added option '--version'. Displays version and quits. - Added extra check for promiscuous interfaces, when 'ip' command is available - Added check for (rootdir)etc/conf.d/local.start file (Gentoo) - Added ksyms check to rootkitscan section - Added check for binaries like nmap, ls, lsof, ps (for future use) - Added Perl Digest::SHA1 module check - Added SSH 'PermitRootLogin without-password' (as an unsafe option). Thanks to Doncho - Added check for sniffer logfiles detection - Added support for grsec enabled Linux kernel. Thanks Steph ;-) Changes: - Improved installation - Split version number (from 1.00 --> 1.0.0) due to future minor releases - Updated 'Ambient' - Updated 'BOBkit' - Updated 'Knark' - Updated 'Sebek' - Updated hashes for Red Hat 7.1 (fileutils, util-linux, SysVinit and xinetd). Thanks to Michael G. Rozman - Updated hashes for Debian 3.0 (IPv6 enabled version of tcpd). Thanks to Steph - Changed LKM check when kernelversion of Linux is the new 2.6 - Improved support for other rootdirs (instead of '/') - Added check for empty files when searching for hidden files - Added check for real device files when searching for hidden files - Added colored layout, when performing file checks (for i.e. 
hidden files) - Little bugfix when perform LKM checking - Bugfix when scanning sshd_config for file if file isn't available in /etc/ssh - Improved logging for selftests - Improved logging when performing MD5 hash test - Improved logging for scanning of rootkits and malware - Improved logging of rootkitscan section (files and directories) - Improved logging for detection of binaries and Perl modules - Improved SSH 'root login allowed', to decrease false positives - Changed detection of users with an UID of 0 (zero) - Improved rootkitscan section for files and directories with spaces - Fixed wrong detection of Debian version (unstable/testing). Thanks to Daniel Olsson - Fixed wrong use of parameters when using --quick option, but not using -c. Thanks to Joost Peters - Added missing 'full OS' string, when RH doesn't recognise the operating system. - Fixed bad logging of rootkits (and files) - Fixed a problem when using --skip-keypress and a rootkit was found (skip keypress didn't work, and user input was required). - Fixed installer for NetBSD and MacOS X, by commenting whereis functions (will be soon replaced) - A lot of code cleanups.. Website: - Updated website (FAQ / Changelog, Project information) - Fixed a problem with the contact form (-moz-opacity CSS property failed with some browsers). -- * 1.00 RC3 New: - Added option --disable-md5-check to skip checking MD5 hashes (if you run customized binaries/tools) - Added option --rootdir (or -r), to use with chrooted systems. Note: not completely integrated yet. Requested by Henk Wevers - Added functions logtext and displaytext to make script more powerfull and easier to use (for example with a new 'quiet' option) - Added support for OpenBSD 3.3 and OpenBSD 3.4 (MD5 fix added, due the missing of the -q (quiet) option of MD5). Thanks to Stefan Changes: - Updated 'Beastkit' - Updated 'BOBkit' - Updated hashes for Red Hat 9.0 (coreutils update). 
Thanks to Andrew Matthews - Fixed a little problem with support for multiple file hashes (see 1.00 RC2). When more than one hash was available, only the first one was checked. Thanks to Andrew Matthews for testing. - Solved two little issues with netstat check. Check reported possible backdoor if portnumber was present in another portnumber (like string '2001' is available in '20010'). Also the portnumber was found when the remote connection had the same portnumber as a possible backdoor (like a dynamic port 2001 was assigned to a SSH client). Thanks to Michael Firkins - Changed text when a possible backdoored file is found (because --debug option is not a valid). Thanks to Anton Pirnat - Changed check for OpenSSH sshd_config file (it will search now for more than 1 place). Thanks to Jeroen Griede - Added extra check for file retrieval utilities (i.e. to do version checking) - Changed string at beginning of RH output (Determing OS... Ready) - Made some tweaks to the layout of the logfile (with --createlogfile option) -- * 1.00 RC2 New: - Added check for syslog-ng (instead of only checking for the presence of syslogd). Thanks to Chris Vaughan - Added check to allow more than one MD5/SHA1 for a single file. When a 'base' file will be updated, it's possible to add a second hash. Thanks to James Clark and Greg Bell - Added AIX check. Thanks to Val Baranov - Added hashes for SuSE 8.2 (i386) - Added hashes for Red Hat 9.0 - Added hashes for Mandrake 9.2 - Added hashes for Debian 3.0 (tested with release 2) - Added support for Mandrake (i.e. 
/dev/.devfsd file) - Added section to check the file type of every hidden file found - Added parameter 'nocolors' to disable colored output - Added support to run RH as a cronjob (parameter '--cronjob') - Added check to removed layout when running as cronjob - Added option to create a logfile (parameter '--createlogfile') - Added changelog on website (rootkit.nl) Changes: - Updated hashes for Red Hat 7.2 - Cleanup logfile at startup - Just check /dev directory once for hidden files - Deleted unused consistency check (on Debian it showed several warnings) - Fixed a little problem with querying the default hashes database (added a slash to the query, to resolve the problem) - Layout fix for Linux distros - Fixed an error for Debian (where /etc/rc.d files not always exists..) by adding an extra check for the presence of this files. - Tweaked section to scan /dev directory. Scan is faster now (scan for unknown shellscripts and files) - Some little layout changes - Updated 'Beastkit' due false positive. Thanks to Dunay - Updated 'Suckit' (more checks added) - Changed FAQ -- * 1.00 RC1 Remarks: First release New: - Database: backdoor ports (DB:backdoorports.dat) - Added filtering for network connections - Added OS support for SuSE Linux: - Added OS support for Debian: 2.2/3.0/testing - Added OS support for FreeBSD 5.x: version 5.0/5.1 - Added OS support for FreeBSD 4.x: version 4.3/4.7 - Added OS support for Red Hat Linux 7.1/7.2 - Added KLD tests (FreeBSD) - All other options... rkhunter-1.4.0/files/development/0000750000123200012320000000000011750002114016722 5ustar unspawnunspawnrkhunter-1.4.0/files/development/new-OS-support0000640000123200012320000001230211441015263021474 0ustar unspawnunspawn Some of the tests within RKH use commands which do not have standard options. An example is the 'ps' command: for GNU linux we would use 'ps aux', but for SunOS or IRIX we would use 'ps -ef'. 
As such the test can run for all these operating systems, but RKH must be coded to handle each of them differently. In cases where an O/S is not supported by a test, then RKH will usually mark the test as 'skipped'. The user should look in the log file to see why the test was skipped. It may be that we can then include code to enable the test for that O/S, or the user can include it as a disabled test in the configuration file. The problem is that when we are asked to support a new O/S, we need to find out which command options are available. We can then see if the test will run on the new O/S, or if we need to modify RKH to support it. This file lists those instances in RKH where, depending on the operating system in use, RKH will use different commands and/or command options. ============================================================================== RKH makes the assumption that certain commands are standard among all UNIX, Linux and *BSD operating systems. If one or more of these commands are not present on the system, then RKH will not run. The current list of required commands is: awk cat chmod chown cp cut date egrep grep head ls mv sed sort tail touch tr uname uniq wc ============================================================================== 1) What is the output of the 'uname' command? This is a very basic command, but it is possible it may not work or may not provide the information we want. 2) Is the '/bin' directory a link to '/usr/bin'? In order to cut down on the time repeatedly looking for files in '/bin' and '/usr/bin', RKH can exclude '/bin' if it is a link to '/usr/bin'. This occurs on the AIX, IRIX and SunOS operating systems. 3) What is the output of the 'uname -m' command? Typically 'uname -m' can be used to determine if the system is 32 or 64-bit. For other operating systems, we have to use other commands. For example, 'sysctl' on FreeBSD and OSX, 'uname -p' on SunOS and AIX. 
4) Does 'ls -ld /etc/*release* /etc/*version* /etc/issue' show some sort of 'release' or version file being present? In order to find out some information about the O/S, such as its version number, RKH will look in '/etc' for any one of various files. Typically this information will come from '/etc/lsb-release', or specific O/S versions such as '/etc/debian_version' or '/etc/gentoo_release'. The RKH configuration file contains an option to set the specific file name, if RKH cannot correctly detect a 'release' file. 5) Does the O/S support setting an 'immutable-bit' on files? If so, then is the 'lsattr' command present? This is one of the file properties checks. However, at present only Linux and *BSD support the immutable-bit on files. If the system supports the immutable-bit, but 'lsattr' is not present, then does 'ls -lno' show the file attributes? 6) What is the output of the 'netstat -an' command? RKH may use this output in determining if certain ports are being used. However, the output from 'netstat' varies wildly amongst different operating systems. So we need to see the output in order to ensure that RKH handles it correctly. 7) Does the 'ifconfig' or 'ifconfig -a' command show the available network interfaces? RKH looks at the network interfaces to see if they are in promiscuous mode. 8) Is the 'ip' command present? If so, then can it show the interfaces present, and if so how? (Perhaps using 'ip -s link'?) As above, this is a second check for promiscuous interfaces. 9) Does the file '/proc/net/packet' exist? (It may be zero-sized.) If it does exist, then is the 'lsof' command present on the system as well? This is used by RKH to see if there are any applications watching the network interfaces. The 'lsof' command is used by several tests in RKH. 10) Does the 'ps ax' command display the processes running on the system? If not, then does 'ps -ef' work instead? 
If not, what options to the 'ps' command cause it to show all the current running processes on the system (the output must include the PID and the process (command) being run by that PID). RKH uses the 'ps' command for a few tests. However, the output varies a lot amongst different operating systems, so we have to code RKH according to each system. 11) Does the 'date +%s' command show the number of seconds since the epoch? Does it also understand "date --date '5 seconds ago'"? If not then perl will be needed. This is used by RKH in order to add to filenames to make them random. 12) Is the 'stat' command present on the system, and if so, does the 'stat -c '%i 0%a %u %g %s %Y:' /etc/motd' command work? If not try using 'stat -f ...'. This should display some numbers relating to the ('/etc/motd') file attributes. If it doesn't work, then we may need to see the man page for the 'stat' command. 13) Does the grep command need the '-a' option, or some other option, in order to treat binary (language) files as text files. See GREP_OPT in RKH. 14) Does the 'readlink' command exist, and if so does it support the '-f' option to get the full pathname. If not, then the builtin command may be required. rkhunter-1.4.0/files/development/i18nchk0000750000123200012320000000360511170212001020113 0ustar unspawnunspawn#! /usr/bin/perl -w # # A simple util to check the lines in the i18n/en file # exist in the rkhunter program. # # Author: John Horne (17-2-07) # my $keyword = my $arg = my $found = ''; my $search_string = my $ignore_case = ''; my $dir = '/var/lib/rkhunter/db/i18n'; my $rkh = '/usr/local/bin'; while (@ARGV) { $arg = shift; if ($arg =~ /^--?d$/io) { $dir = shift; } elsif ($arg =~ /^--?p$/io) { $rkh = shift; } elsif ($arg =~ /^--?s$/io) { $search_string = shift; if (! defined($search_string) || ! 
$search_string) { print "No search string given.\n"; exit 1; } $ignore_case = '-i' if ($arg =~ /s$/o); } elsif ($arg =~ /^--?h$/io) { print "\nUsage: i18nchk [-d i18n_dir] [-p rkhunter_dir] [-{sS} search_string]\n\n"; exit; } else { print "Unknown option: $arg\n"; exit 1; } } if (! $dir || ! -d $dir) { print "Unable to find the i18n directory.\n"; exit 1; } elsif (! $rkh || ! -d $rkh) { print "Unable to find the rkhunter program.\n"; exit 1; } if ($search_string) { $found = `grep $ignore_case "$search_string" $dir/en`; if ($found) { print $found; } else { print "Search string not found.\n"; } exit; } unless (open(I18N, "$dir/en")) { print "Unable to open i18n file: $!\n"; exit 1; } while (defined($keyword = )) { next if ($keyword =~ /^\s*(#|$)/o); next if ($keyword =~ /^version:/io); next if ($keyword eq "MSG_TYPE_PLAIN:\n"); chomp($keyword); if ($keyword =~ /^([^:]+):\s*\S/o) { $keyword = $1; } else { print "Keyword $keyword has no value.\n"; } $keyword = $1 if ($keyword =~ /^MSG_TYPE_(.*)/o); $keyword = $1 if ($keyword =~ /^MSG_RESULT_(.*)/o); if ($keyword =~ /[a-z]/o) { print "Keyword $keyword contains lowercase characters.\n"; } $found = `egrep -e " $keyword( |\$)" $rkh/rkhunter`; unless ($found) { print "Keyword $keyword not found in rkhunter.\n"; } # print "$keyword\n"; } close(I18N); exit; rkhunter-1.4.0/files/mirrors.dat0000640000123200012320000000014110633345176016605 0ustar unspawnunspawnVersion:2007060601 mirror=http://rkhunter.sourceforge.net mirror=http://rkhunter.sourceforge.net rkhunter-1.4.0/files/readlink.sh0000750000123200012320000000623311033732627016551 0ustar unspawnunspawn#!/bin/sh # # This is a short script to get the full pathname of a link file. # It has the same effect as the Linux 'readlink -f' command. The # script was written because some systems have no 'readlink' command, # and others have no '-f' option for readlink. As such we use the 'ls' # and 'awk' commands to get the link target. 
# # We check the 'pwd' command because the shell builtin command will # usually print out the current directory, which may be a link, rather # than the true working directory. The (typically) '/bin/pwd' command # itself shows the true directory. # # A soft (symbolic) link has two parts to it: # # linkname -> target # # Usage: readlink.sh [-f] [pwd command] # # # We don't actually do anything with the '-f' option # if it is used. # test "$1" = "-f" && shift LINKNAME=$1 PWD_CMD=$2 test -z "${PWD_CMD}" -o ! -x "${PWD_CMD}" && PWD_CMD="pwd" # # If we were given just a filename, then prepend # the current directory to it. # if [ -z "`echo \"${LINKNAME}\" | grep '/'`" ]; then DIR=`${PWD_CMD}` test "${DIR}" = "/" && DIR="" LINKNAME="${DIR}/${LINKNAME}" fi # # Now do some tests on the link name. # if [ -d "${LINKNAME}" ]; then FNAME="" DIR="${LINKNAME}" else # # We have been given a pathname to a file. Separate # out the filename and the directory. # FNAME=`echo "${LINKNAME}" | sed -e 's:^.*/\([^/]*\)$:\1:'` DIR=`echo "${LINKNAME}" | sed -e 's:/[^/]*$::'` # Check if it is a top-level name. if [ -z "${DIR}" ]; then if [ ! -e "${LINKNAME}" ]; then DIR="${LINKNAME}" else DIR="/" fi fi if [ ! -d "${DIR}" ]; then echo "Directory ${DIR} does not exist." >&2 echo "${LINKNAME}" exit fi fi # # Get the true directory path. # DIR=`cd ${DIR}; ${PWD_CMD}` # # If we were only given a directory name, then return # its true path. # if [ -z "${FNAME}" ]; then echo "${DIR}" exit fi # # Now we loop round while we have a link. # RKHLINKCOUNT=0 ORIGLINK="${LINKNAME}" while test -h "${DIR}/${FNAME}"; do # # Get the link directory, and the target. # LINKNAME="${DIR}" FNAME=`ls -ld "${DIR}/${FNAME}" | awk '{ print $NF }'` # # If the target is just a filename, then we # prepend the link directory path. If it isn't # just a filename, then we have a pathname. That # now becomes our new link name. 
# if [ -z "`echo \"${FNAME}\" | grep '^/'`" ]; then LINKNAME="${LINKNAME}/${FNAME}" else LINKNAME="${FNAME}" fi # # Once again, extract the file name and the directory # path, and then get the real directory path name. # FNAME=`echo "${LINKNAME}" | sed -e 's:^.*/\([^/]*\)$:\1:'` DIR=`echo "${LINKNAME}" | sed -e 's:/[^/]*$::'` DIR=`cd ${DIR}; ${PWD_CMD}` RKHLINKCOUNT=`expr ${RKHLINKCOUNT} + 1` if [ ${RKHLINKCOUNT} -ge 64 ]; then echo "Too many levels of symbolic links (${RKHLINKCOUNT}): ${ORIGLINK}" >&2 echo "${ORIGLINK}" exit fi done # # At this point we have a pathname to a file, which is not # a link. To ensure we have the true pathname, we once again # extract the directory. # FNAME=`echo "${LINKNAME}" | sed -e 's:^.*/\([^/]*\)$:\1:'` DIR=`echo "${LINKNAME}" | sed -e 's:/[^/]*$::'` test -n "${DIR}" && DIR=`cd ${DIR}; ${PWD_CMD}` echo "${DIR}/${FNAME}" exit rkhunter-1.4.0/files/rkhunter.spec0000640000123200012320000001372711746343440017150 0ustar unspawnunspawn# No debuginfo: %define debug_package %{nil} # If you want to debug, uncomment the next line and remove # the duplicate percent sign (due to macro expansion) #%%dump %define name rkhunter %define ver 1.4.0 %define rel 1 %define epoch 0 # Don't change this define or also: # 1. installer.sh --layout custom /temporary/dir/usr --striproot /temporary/dir --install # 2. rewrite the files section below. %define _prefix /usr/local # We can't let RPM do the dependencies automatically because it will then pick up # a correct, but undesirable, perl dependency, which rkhunter does not require in # order to function properly. 
AutoReqProv: no Name: %{name} Summary: %{name} scans for rootkits, backdoors and local exploits Version: %{ver} Release: %{rel} Epoch: %{epoch} License: GPL Group: Applications/System Source0: %{name}-%{version}.tar.gz BuildArch: noarch Requires: filesystem, bash, grep, findutils, net-tools, coreutils, e2fsprogs, modutils, procps, binutils, wget, perl Provides: %{name} URL: http://rkhunter.sourceforge.net/ BuildRoot: %{_tmppath}/%{name}-%{version} %description Rootkit Hunter is a scanning tool to ensure you are about 99.9%% clean of nasty tools. It scans for rootkits, backdoors and local exploits by running tests like: - File hash check - Look for default files used by rootkits - Wrong file permissions for binaries - Look for suspected strings in LKM and KLD modules - Look for hidden files - Optional scan within plaintext and binary files - Software version checks - Application tests Rootkit Hunter is released as a GPL licensed project and free for everyone to use. %prep %setup -q %build %install MANPATH="" export MANPATH sh ./installer.sh --layout RPM --install # Make a cron.daily file to mail us the reports %{__mkdir} -p "${RPM_BUILD_ROOT}/%{_sysconfdir}/cron.daily" %{__cat} > "${RPM_BUILD_ROOT}/%{_sysconfdir}/cron.daily/rkhunter" </dev/null 2>&1 || : %{__cp} -p /etc/group /var/lib/rkhunter/tmp >/dev/null 2>&1 || : fi %preun # Only do this when removing the RPM if [ $1 -eq 0 ]; then %{__rm} -f /var/log/rkhunter.log /var/log/rkhunter.log.old >/dev/null 2>&1 %{__rm} -rf /var/lib/rkhunter/* >/dev/null 2>&1 fi %clean if [ "$RPM_BUILD_ROOT" = "/" ]; then echo Invalid Build root \'"$RPM_BUILD_ROOT"\' exit 1 else rm -rf $RPM_BUILD_ROOT fi %define docdir %{_prefix}/share/doc/%{name}-%{version} %files %defattr(-,root,root) %attr(640,root,root) %config(noreplace) %{_sysconfdir}/%{name}.conf %attr(750,root,root) %{_prefix}/bin/%{name} %attr(750,root,root) %dir %{_libdir}/%{name} %attr(750,root,root) %dir %{_libdir}/%{name}/scripts %attr(750,root,root) 
%{_libdir}/%{name}/scripts/*.pl %attr(750,root,root) %{_libdir}/%{name}/scripts/*.sh %attr(644,root,root) %doc %{_prefix}/share/man/man8/%{name}.8 %attr(755,root,root) %dir %{docdir} %attr(644,root,root) %doc %{docdir}/* %attr(750,root,root) %dir %{_var}/lib/%{name} %attr(750,root,root) %dir %{_var}/lib/%{name}/db %attr(640,root,root) %verify(not md5 size mtime) %{_var}/lib/%{name}/db/*.dat %attr(750,root,root) %dir %{_var}/lib/%{name}/db/i18n %attr(640,root,root) %verify(not md5 size mtime) %{_var}/lib/%{name}/db/i18n/* %attr(750,root,root) %dir %{_var}/lib/%{name}/tmp %{_sysconfdir}/cron.daily/rkhunter %changelog * Tue May 01 2012 unSpawn - 1.4.0 - Spec sync, see CHANGELOG. * Tue Nov 16 2010 unSpawn - 1.3.7 - Spec sync. * Sun Nov 29 2009 unSpawn - 1.3.6 - For changes please see the CHANGELOG. * Fri Nov 27 2009 jhorne - 1.3.6 - Spec sync. * Sat Jul 18 2009 jhorne - 1.3.5 - Do not verify the checksum, size or mtime of the database files or the i18n files. * Wed Dec 10 2008 unSpawn - 1.3.4 - Spec sync. * Sun Aug 09 2008 jhorne - 1.3.3 - Renamed cron.daily file from '01-rkhunter' to 'rkhunter' so that it will run after a prelink cron job (if it exists). 
* Sun Feb 11 2007 unSpawn - pre-1.3.0 - Sync spec with fixes, installer and CVS * Sun Nov 12 2006 unSpawn - 1.2.9 - Re-spec, new installer * Fri Sep 29 2006 unSpawn - 1.2.9 - Updated for release 1.2.9 * Tue Aug 10 2004 Michael Boelen - 1.1.5 - Added update script - Extended description * Sun Aug 08 2004 Greg Houlette - 1.1.5 - Changed the install procedure eliminating the specification of destination filenames (only needed if you are renaming during install) - Changed the permissions for documentation files (root only overkill) - Added the installation of the rkhunter Man Page - Added the installation of the programs_{bad, good}.dat database files - Added the installation of the LICENSE documentation file - Added the chmod for root only to the /var/rkhunter/db directory * Sun May 23 2004 Craig Orsinger (cjo) - version 1.1.0-1.cjo - changed installation in accordance with new rootkit installation procedure - changed installation root to conform to LSB. Use standard macros. - added recursive remove of old build root as prep for install phase * Wed Apr 28 2004 Doncho N. Gunchev - 1.0.9-0.mr700 - dropped Requires: perl - rkhunter works without it - dropped the bash alignpatch (check the source or contact me) - various file mode fixes (.../tmp/, *.db) - optimized the %%files section - any new files in the current dirs will be fine - just %%{__install} them. * Mon Apr 26 2004 Michael Boelen - 1.0.8-0 - Fixed missing md5blacklist.dat * Mon Apr 19 2004 Doncho N. Gunchev - 1.0.6-1.mr700 - added missing /usr/local/rkhunter/db/md5blacklist.dat - patched to align results in --cronjob, I think rpm based distros have symlink /bin/sh -> /bin/bash - added --with/--without alignpatch for conditional builds (in case previous patch breaks something) * Sat Apr 03 2004 Michael Boelen / Joe Klemmer - 1.0.6-0 - Update to 1.0.6 * Mon Mar 29 2004 Doncho N. 
Gunchev - 1.0.0-0 - initial .spec file rkhunter-1.4.0/files/stat.pl0000750000123200012320000000602310526454452015734 0ustar unspawnunspawn#!/usr/bin/perl -w use File::stat qw/:FIELDS/; #=head1 NAME #stat - display information about a file #=head1 SYNOPSIS #stat [--follow] [--octal] [--modeoct] [--raw] [--] file #=head1 DESCRIPTION #stat prints information about a file: # dev device number of filesystem # ino inode number # mode file mode (type and permissions) # nlink number of (hard) links to the file # uid numeric user ID of file's owner # gid numeric group ID of file's owner # rdev the device identifier (special files only) # size total size of file, in bytes # atime last access time since the epoch # mtime last modify time since the epoch # ctime inode change time (NOT creation time!) since the epoch # Atime last access time in YYYYMMDDhhmmss format # Mtime last modify time in YYYYMMDDhhmmss format # Ctime inode change time in YYYYMMDDhhmmss format # blksize preferred block size for file system I/O # blocks actual number of blocks allocated # #Each of the keys in the first column above may be used as an option. Only that #information will then be printed for the file. More than one key option can be #used. If no key options are used, all information will be printed, one line #per key, in the format keyvalue. # #For links the --follow option may be used to follow the link, i.e. to print the #information for the file at the end of the link. #The --octal prints numbers (excluding the time keys) in octal. #The --raw option just prints out the value, and not the key name. If more than # one key is used, they are space separated. #The --modeoct option prints only the mode in octal, and only the lower byte. 
#=head1 AUTHOR #wybo@servalys.nl #=cut use Getopt::Long; use vars qw /$opt_octal $opt_follow $opt_raw $opt_modeoct/; @h=qw/ dev ino mode nlink uid gid rdev size atime mtime ctime Atime Mtime Ctime blksize blocks /; @h2=(); Getopt::Long::Configure(no_ignore_case); GetOptions(@h,'follow','octal','raw','modeoct'); for (@h) { $o="opt_$_"; $$o and push @h2,$_; } @h2=@h if (@h2 < 1); $file=shift or die "Usage: stat file\n"; if ($file eq '-') { while (defined($file=)) { chomp($file); last unless $file; &do_it(); } } else { &do_it(); } exit; sub do_it { -e $file or do { print STDERR "File $file does not exist\n"; return; }; if ($opt_follow) { stat $file } else { lstat $file } for (@h2) { if (/^[AMC]/) { $v="st_\l$_"; $v=conv($$v); } else { $v="st_$_"; $v=$$v; } $opt_octal && ! /time/ and ($v=sprintf("0%o",$v))=~s/^00/0/; if ($opt_modeoct && /mode/) {$v=sprintf("%04o",$v & 07777)} if (@h2>1 && ! $opt_raw) { write } else { print "$v " } } print "\n" if ($opt_raw); format = @>>>>> @<<<<<<<<<<<<< @<<<<<<<<<<<<< $_, $v, '' # $link ? $y : '' . 
return; } sub conv { my $t=shift; my @s=(localtime($t))[0..5]; $s[4]++; $s[5]+=1900; sprintf("%04d%02d%02d%02d%02d%02d",reverse @s); } rkhunter-1.4.0/files/programs_bad.dat0000640000123200012320000000620311471046777017563 0ustar unspawnunspawnVersion:2010111601 httpd: 1.3a1 1.3b1 1.3b3 1.3b4 1.3b5 1.3b6 1.3b7 1.3.0 1.3.1 1.3.2 1.3.3 1.3.4 1.3.6 1.3.9 1.3.10 1.3.11 1.3.12 1.3.14 1.3.17 1.3.19 1.3.20 1.3.21 1.3.22 1.3.23 1.3.24 1.3.25 1.3.26 1.3.27 1.3.28 1.3.29 1.3.30 1.3.31 1.3.32 1.3.33 1.3.34 1.3.35 1.3.36 1.3.37 1.3.39 1.3.40 2.0a1 2.0a2 2.0a3 2.0a4 2.0a5 2.0a6 2.0a7 2.0a8 2.0a9 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23 2.0.24 2.0.25 2.0.26 2.0.27 2.0.28 2.0.29 2.0.30 2.0.31 2.0.32 2.0.33 2.0.34 2.0.35 2.0.36 2.0.37 2.0.38 2.0.39 2.0.40 2.0.41 2.0.42 2.0.43 2.0.44 2.0.45 2.0.46 2.0.47 2.0.48 2.0.49 2.0.50 2.0.51 2.0.52 2.0.53 2.0.54 2.0.55 2.0.56 2.0.57 2.0.58 2.0.59 2.0.61 2.0.62 2.2.0 2.2.1 2.2.2 2.2.3 2.2.4 2.2.6 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.16 sshd: 2.1.1p4 2.2.0p1 2.3.0p1 2.5.1p1 2.5.1p2 2.5.2p1 2.5.2p2 2.9.9p1 2.9.9p2 2.9p1 2.9p2 3.0.1p1 3.0.2p1 3.0p1 3.1p1 3.2.2p1 3.2.3p1 3.3p1 3.4p1 3.5p1 3.6.1p1 3.6.1p2 3.6p1 3.7.1p1 3.7.1p2 3.7p1 3.8.1p1 3.8p1 3.9p1 4.0p1 4.1p1 4.2p1 4.3p1 4.3p2 4.4p1 4.5p1 4.6p1 4.7p1 4.9p1 5.0p1 5.1p1 5.2p1 5.5p1 exim: 4.20 4.21 4.22 4.23 4.24 4.30 4.31 4.32 4.33 4.34 4.40 4.41 4.42 4.43 4.44 4.50 4.51 4.52 4.53 4.54 4.60 4.61 4.62 4.63 4.64 4.65 4.66 4.67 4.68 4.69 4.70 4.71 php: 4.1.2 4.3.0 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 4.3.7 4.3.8 4.3.9 4.3.10 4.3.9RC2 5.0.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.2.0 5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.3.0 5.3.1 5.3.2 gpg: 1.0.2 1.0.4 1.0.6 1.0.7 1.2.0 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.3.3 1.3.4 1.4.0 1.4.1 1.4.2 2.0.12 2.0.11 2.0.10 2.0.8 1.4.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.1 2.0 1.4.4 1.4.3 1.9.19 1.4.2 1.9.17 1.9.16 1.4.9 1.4.10 named: 
8.1 8.1.1 8.1.2 8.2 8.2.1 8.2.2 8.2.2-P3 8.2.2-P5 8.2.2-P7 8.2.3 8.2.4 8.2.5 8.2.6 8.2.7 8.3.0 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 8.3.6 8.3.7 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.4.5 8.4.6 8.4.7 8.4.7-P1 9.0.0 9.0.0b1 9.0.0b2 9.0.0b3 9.0.0b4 9.1.0b1 9.1.0b2 9.2.0a1 9.2.0a2 9.2.0a3 9.2.0b1 9.2.0b2 9.2.0rc1 9.5.0a1 9.5.0a2 9.5.0a3 9.5.0a4 9.5.0a5 9.5.0a6 9.5.0a7 9.5.0b1 9.6.0a1 9.6.0b1 9.6.0rc1 9.7.0a1 9.7.0a2 9.7.0a3 9.7.0b1 9.7.0b2 9.7.0b3 9.7.0rc1 9.7.0rc2 9.7.0 9.7.1b1 9.7.1rc1 9.7.1 9.7.2b1 9.7.2rc1 9.7.2 9.7.2-P1 procmail: 1.00 1.01 1.02 1.10 1.20 1.21 1.30 1.35 1.99 2.00 2.01 2.02 2.03 2.10 2.11 2.30 2.31 2.40 2.50 2.60 2.61 2.70 2.71 2.80 2.81 2.90 2.91 3.00 3.01 3.02 3.03 3.04 3.05 3.06 3.10 3.11pre3 3.11pre4 3.11pre7 3.12 3.13 3.14 3.15 3.20 3.21 proftpd: 1.2.10rc1 1.2.10rc2 1.2.10rc3 1.2.5 1.2.6 1.2.8p 1.2.9 1.3.0a 1.3.1 1.3.1rc1 1.3.1rc2 1.3.1rc3 1.3.2 1.3.2rc1 1.3.2rc2 1.3.2rc3 1.3.2rc4 1.3.2 1.3.2a 1.3.2b 1.3.2c 1.3.2d 1.3.3rc1 1.3.3rc2 1.3.3rc3 1.3.3rc4 1.3.3 1.3.3a 1.3.3b openssl: 0.9.3 0.9.3a 0.9.4 0.9.5 0.9.5a 0.9.6 0.9.6a 0.9.6a 0.9.6b 0.9.6b 0.9.6c 0.9.6c 0.9.6d 0.9.6d 0.9.6e 0.9.6e 0.9.6f 0.9.6f 0.9.6g 0.9.6g 0.9.6h 0.9.6h 0.9.7 0.9.6i 0.9.6i 0.9.7a 0.9.6j 0.9.6j 0.9.7b 0.9.6k 0.9.6k 0.9.7c 0.9.6l 0.9.6l 0.9.6m 0.9.6m 0.9.7d 0.9.7e 0.9.7f 0.9.7g 0.9.8 0.9.7h 0.9.8a 0.9.7i 0.9.7j 0.9.8b 0.9.7k 0.9.8c 0.9.7l 0.9.8d 0.9.7m 0.9.8e 0.9.8f 0.9.8g 0.9.8h 0.9.8i 0.9.8j 0.9.8k 0.9.8l 0.9.8m 0.9.8n 0.9.8o 0.9.8n 1.0.0 1.0.0a rkhunter-1.4.0/files/check_modules.pl0000750000123200012320000000354611240776443017576 0ustar unspawnunspawn#!/usr/bin/perl -w ################################################################################# # # Perl module checker 0.0.3 # ################################################################################# # # This Perl script checks for installed modules by trying to 'use' the # module. If the check fails, then the module is not present. 
# # If you want to install additional modules, use: # > perl -MCPAN -e shell # > install [module name] # # If the first one fails, please install the perl-CPAN package first # # Upgrade CPAN if possible: # > install Bundle::CPAN # > reload cpan # # Digest modules: # > install Digest::MD5 # > install Digest::SHA # > install Digest::SHA1 # > install Digest::SHA256 # ################################################################################# use strict; my $check = "0"; # Modules to check my @modCheck = qw( Digest::MD5 Digest::SHA Digest::SHA1 Digest::SHA256 ); # Use command-line module names if present. @modCheck = @ARGV if (@ARGV); for (@modCheck) { if (installed("$_")) { print "$_ installed (version ",$check,").\n" } else { print "$_ NOT installed.\n" } } ######################################### # # SUB: Installed modules # ######################################### sub installed { my $module = $_; # Try to use the Perl module eval "use $module"; # Check eval response if ($@) { # Module is NOT installed $check = 0; } else { # Module is installed (reset module version to '1') $check = 1; my $version = 0; # Try to retrieve version number (by using eval again) eval "\$version = \$$module\::VERSION"; # Set version number if no problem occurred $check = $version if (!$@); } # Return version number return $check; } exit(); # The end rkhunter-1.4.0/files/suspscan.dat0000640000123200012320000000356011304471415016747 0ustar unspawnunspawnVersion:2009112901 a:0x..,.0x.., a:add? a:asm+10 a:%:bh a:decb a:decl a:disasm+10 a:%e[bp,di,sp] a:%e[cx,si] a:%e?x a:%hi a:inc[b,l] a:jmp a:jmpcode ajuda a:jump a:%?l a:mov? a:nasm+10 a:ndisasm+10 a:nopsize+10 a:notb a:offset+10 a:opcode+10 a:p[op,ush] a:reassembl a:ret a:ro[r,l]b a:sub? 
a:xor c:%..%..%..% d:flood+100 d:nuke+100 f:abort f:access f:AF_INET f:atoi@ f:buf[fe,si] f:call f:changeown f:exec.* f:fopen@ f:malloc f:memcpy f:memset f:mmap f:'system(' i:bounc+10 i:dalnet i:eggbot+10 i:eggshell+10 i:invite+10 i:irc\.+100 i:iroffer+100 i:dalnet i:efnet i:undernet i:nick+10 i:pbsync+100 i:psybnc+100 i:vhost+100 i:xdcc+100 n:bind n:connect+100 n:'inet_aton(' n:listen+100 n:remote+10 n:resolv+10 n:sendfile+10 n:server+10 n:setsockopt+10 n:'(?sock' n:sockaddr n:'sockaddr_in(' n:sock[ad,et,fd] n:socket n:socklen n:'sockopen(' s:?0x[a-z0-9]\{2\}.* s:backdoor+10 s:/bin/sh+100 s:chmod s:chown s:logclean s:login s:password+10 s:/ptmx+100 s:/pty+100 s:setgid+100 s:setreuid+100 s:setuid+100 s:shellcode+100 s:tmp/sh+100 s:/tty+100 s:\"/\x[a-z0-9]\{2\}.* t:'0^wN' t:[O,0,P,p]wn.d+100 t:adviso+100 t:attack+10 t:authent t:bogus t:brute+100 t:crypt t:decode t:destruct t:device t:/dev/kmem+100 t:/dev/mem+100 t:disclos+10 t:discov+10 t:distrib+10 t:download t:elf-init t:elflbl t:evasion+10 t:exception t:exclusiv+10 t:existant t:ploit+100 t:fatal+10 t:fragment t:h[a4]x[oO0]r t:hardcod+100 t:heap+100 t:hexdump+10 t:hidden+10 t:hide+100 t:host t:hostile t:infect+10 t:inject+100 t:invisibl+10 t:javascr+50 t:kernel+100 t:leak t:'log(' t:mech+10 t:modif[yi] t:mprot t:nvalid+10 t:overwrit+10 t:patch t:payload+100 t:pointer+100 t:priv[a8] t:process t:scam+10 t:segment t:sent t:sniff+10 t:spoof+10 t:stealth+10 t:terminat t:transpar t:victim t:violat t:vuln t:worm t:rootkit t:banner t:portsc x:apache x:mambo x:openssl x:samba x:sshd x:openssh x:xhide x:joomla x:webmin x:wwwadmin x:telnet x:ftpd rkhunter-1.4.0/files/rkhunter.80000640000123200012320000004705711661317246016371 0ustar unspawnunspawn.\" rkhunter - RootKit Hunter .TH rkhunter 8 "November 2011" .SH NAME rkhunter \- RootKit Hunter .SH SYNOPSIS \fBrkhunter\fP {--check | --unlock | --update | --versioncheck | --propupd [{filename | directory | package name},...] 
| --list [tests | {lang | languages} | rootkits | perl | propfiles] | --config\-check | --version | --help} [options] .SH DESCRIPTION \fBrkhunter\fP is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. \fBrkhunter\fP has been written to be as generic as possible, and so should run on most Linux and UNIX systems. It is provided with some support scripts should certain commands be missing from the system, and some of these are perl scripts. \fBrkhunter\fP does require certain commands to be present for it to be able to execute. Additionally, some tests require specific commands, but if these are not present then the test will be skipped. \fBrkhunter\fP needs to be run under a Bourne\-type shell, typically \fBbash\fP or \fBksh\fP. \fBrkhunter\fP can be run as a cron job or from the command\-line. .PP .SH COMMAND OPTIONS If no command option is given, then \fB\-\-help\fP is assumed. \fBrkhunter\fP will return a non-zero exit code if any error or warning occurs. .PP .IP "\fB\-c, \-\-check\fP" This command option tells \fBrkhunter\fP to perform various checks on the local system. The result of each test will be displayed on stdout. If anything suspicious is found, then a warning will be displayed. A log file of the tests and the results will be automatically produced. It is suggested that this command option is run regularly in order to ensure that the system has not been compromised. .IP .IP "\fB\-\-unlock\fP" This command option simply unlocks (removes) the lock file. If this option is used on its own, then no log file is created. .IP .IP \fB\-\-update\fP This command option causes \fBrkhunter\fP to check if there is a later version of any of its text data files. 
A command\-line web browser, for example \fBwget\fP or \fBlynx\fP, must be present on the system when using this option. It is suggested that this command option is run regularly in order to ensure that the data files are kept up to date. If this option is used via cron, then it is recommended that the \fB\-\-nocolors\fP option is also used. An exit code of zero for this command option means that no updates were available. An exit code of one means that a download error occurred, and a code of two means that no error occurred but updates were available and have been installed. .IP .IP "\fB\-\-propupd [{filename | directory | package name},...]\fP" One of the checks \fBrkhunter\fP performs is to compare various current file properties of various commands, against those it has previously stored. This command option causes \fBrkhunter\fP to update its data file of stored values with the current values. If the \fIfilename\fP option is used, then it must either be a full pathname, or a plain file name (for example, 'awk'). When used, then only the entry in the file properties database for that file will be updated. If the \fIdirectory\fP option is used, then only those files listed in the database that are in the given directory will be updated. Similarly, if the \fIpackage name\fP option is used, then only those files in the database which are part of the specified package will be updated. The package name must be the base part of the name, no version numbers should be included - for example, 'coreutils'. Package names will, of course, only be stored in the file properties database if a package manager is being used. If a package name is the same as a file name - for example, 'file' could refer to the 'file' command or to the RPM 'file' package (which contains the 'file' command) - the package name will be used. If no specific option is given, then the entire database is updated. 
\fIWARNING:\fP It is the user's responsibility to ensure that the files on the system are genuine and from a reliable source. \fBrkhunter\fP can only report if a file has changed, but not what has caused the change. Hence, if a file has changed, and the \fB\-\-propupd\fP command option is used, then \fBrkhunter\fP will assume that the file is genuine. For that reason the file properties database should only be updated once the changed files have been verified (for example, after a trusted package upgrade). .IP .IP \fB\-\-versioncheck\fP This command option causes \fBrkhunter\fP to check if there is a later version of the program. A command\-line web browser must be present on the system when using this option. If this option is used via cron, then it is recommended that the \fB\-\-nocolors\fP option is also used. An exit code of zero for this command option means that no new version was available. An exit code of one means that an error occurred downloading the latest version number, and a code of two means that no error occurred but a new version is available. .IP .IP "\fB\-\-list [tests | {lang | languages} | rootkits | perl | propfiles]\fP" This command option will list some of the supported capabilities of the program, and then exit. The \fItests\fP option lists the currently available test names (see the README file for more details about test names). The \fIlanguages\fP option lists the currently available languages, and the \fIrootkits\fP option lists the rootkits that are searched for by \fBrkhunter\fP. The \fIperl\fP option lists the installation status of the perl command and perl modules that may be used by some of the tests. Note that it is not \fIrequired\fP to install these modules. However, if \fBrkhunter\fP is forced to use perl to execute a test then the module must be present. The \fIpropfiles\fP option will list the file names that are used to generate the file properties database. If no specific option is given, then all the lists, except for the file properties database, are displayed. 
.IP .IP "\fB\-C, \-\-config\-check\fP" This command option causes \fBrkhunter\fP to check its configuration file(s), and then exit. The program will run through its normal configuration checks as specified by the enable and disable options on the command\-line and in the configuration files. That is, only the configuration options for tests which would normally run are checked. In order to check all the configured options, then use the \fB--enable all --disable none\fP options on the command line. Additionally, the program will check to see if there are any unrecognised configuration options. If any configuration problems are found, then they will be displayed and the return code will be set to 1. It is suggested that this option is used whenever the configuration file(s) have been changed. .IP .IP "\fB\-V, \-\-version\fP" This command option causes \fBrkhunter\fP to display its version number, and then exit. .IP .IP "\fB\-h, \-\-help\fP" .br This command option displays the help screen menu, and then exits. .IP .SH OPTIONS \fBrkhunter\fP uses a configuration file, named \fIrkhunter.conf\fP, for many of its configuration options. It will also use a local configuration file, named \fIrkhunter.conf.local\fP, if it is present. However, some options can also be specified on the command\-line, and these will override the configuration file options. The configuration file options are well documented within the main configuration file itself. The following are the command\-line options. The defaults mentioned here are the program defaults, unless explicitly stated as the configuration file default. .PP .IP \fB\-\-appendlog\fP By default a new log file will be created when \fBrkhunter\fP runs, and the previous log file will be renamed by having \fI.old\fP appended to its name. This option tells \fBrkhunter\fP to append to the existing log file. If the log file does not exist, then it will be created. 
.IP "\fB\-\-bindir ...\fP" This option modifies which directories \fBrkhunter\fP looks in to find the various commands it requires (that is, its PATH). The default is the root PATH, and an internal list of some common command directories. By default a specified directory will be appended to the default list. However, if the directory name begins with the '+' character, then it will be prepended to the list (that is, it will be put at the start of the list). .IP "\fB\-\-cs2, \-\-color\-set2\fP" By default \fBrkhunter\fP will display its test results in color. The colors used are green for successful tests, red for failed tests (warnings), and yellow for skipped tests. These colors are visible when a black background is used, but are difficult to see on a white background. This option tells \fBrkhunter\fP to use a different color set which is more suited to a white background. .IP "\fB\-\-configfile \fP" The installation process will automatically tell \fBrkhunter\fP where its configuration file is located. However, if necessary, this option can be used to specify a different pathname. If a local configuration file is to be used, then it must reside in the same directory as the configuration file specified by this option. .IP \fB\-\-cronjob\fP This is similar to the \fB\-\-check\fP command option, but it disables several of the interactive options. When this option is used \fB\-\-check\fP, \fB\-\-nocolors\fP and \fB\-\-skip-keypress\fP are assumed. By default no output is sent to stdout, so the \fB\-\-report\-warnings\-only\fP option may be useful with this option. .IP "\fB\-\-dbdir \fP" The installation process will automatically configure where the data files are stored for \fBrkhunter\fP. However, if necessary, this option can be used to specify a different directory. 
The directory can be read-only, after installation, provided that neither the \fB\-\-update\fP nor the \fB\-\-propupd\fP option is specified, and that the \fB\-\-versioncheck\fP option is not specified if ROTATE_MIRRORS is set to 1 in the configuration file. .IP \fB\-\-debug\fP This is a special option mainly for the developers. It produces no output on stdout. Regular logging will continue as per default or as specified by the \fB\-\-logfile\fP option, and the debug output will be in a randomly generated filename which starts with \fI/tmp/rkhunter\-debug\fP. .IP "\fB\-\-disable [,...]\fP" This option tells \fBrkhunter\fP not to run the specified tests. If this option is used, and \fB\-\-propupd\fP is not specified, then the \fB\-\-check\fP command option is assumed. Read the README file for more information about test names. By default no tests are disabled. .IP \fB\-\-display\-logfile\fP This option will cause the logfile to be displayed on the screen once \fBrkhunter\fP has finished. .IP "\fB\-\-enable [,...]\fP" This option tells \fBrkhunter\fP to only run the specified tests. If this option is used, and \fB\-\-propupd\fP is not specified, then the \fB\-\-check\fP command option is assumed. If only one test name, other than \fIall\fP, is given, then the \fB\-\-skip\-keypress\fP option is also assumed. Read the README file for more information about test names. By default all tests are enabled. All the test names are listed below under TESTS. .IP "\fB\-\-hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |\fP" \fB NONE | }\fP .br Both the file properties check and the \fB\-\-propupd\fP command option will use a hash function to determine a file's current hash value. This option tells \fBrkhunter\fP which hash function to use. The \fIMD5\fP and \fISHA\fP options will look for the relevant command, and, if not found, a perl support script will then be used to see if a perl module supporting the function has been installed. 
Alternatively, a specific \fIcommand\fP may be specified. A value of \fINONE\fP can be used to indicate that the hash values should not be obtained or used as part of the file properties check. The default is \fISHA1\fP, or \fIMD5\fP if no SHA1 command can be found. Systems using prelinking must use either MD5, SHA1 or NONE. .IP "\fB\-\-lang, \-\-language \fP" This option specifies which language to use for the displayed tests and results. The currently supported languages can be seen by the \fB\-\-list\fP command option. The default is \fIen\fP (English). If a message to be displayed cannot be found in the language file, then the English version will be used. As such, the English language file must always be present. The \fB\-\-update\fP command option will update the language files when new versions are available. .IP "\fB\-l, \-\-logfile [file]\fP" By default \fBrkhunter\fP will write out a log file. The default location of the file is \fI/var/log/rkhunter.log\fP. However, this location can be changed by using this option. If \fI/dev/null\fP is specified as the log file, then no log file will be written. If no specific \fIfile\fP is given, then the default will be used. By default \fBrkhunter\fP will create a new log file each time it is run. Any previously existing logfile is moved out of the way, and has \fI.old\fP appended to it. .IP \fB\-\-noappend\-log\fP This option reverts \fBrkhunter\fP to its default behaviour of creating a new log file rather than appending to it. .IP \fB\-\-nocf\fP .br This option is only valid when the command\-line \fB\-\-disable\fP option is used. When the \fB\-\-disable\fP option is used, by default, the configuration file option to disable tests is also used to determine which tests to run. If only the \fB\-\-disable\fP option is to be used to determine which tests to run, then \fB\-\-nocf\fP must be given. .IP \fB\-\-nocolors\fP This option causes the result of each test to not be displayed in a specific color. 
The default color, usually the reverse of the background color, will be used (typically this is just black and white). .IP \fB\-\-nolog\fP This option tells \fBrkhunter\fP not to write anything to a log file. .IP "\fB\-\-nomow, \-\-no\-mail\-on\-warning\fP" The configuration file has an option which will cause a simple email message to be sent to a user should \fBrkhunter\fP detect any warnings during system checks. This command\-line option overrides the configuration file option, and prevents an email message from being sent. The configuration file default is not to email a message. .IP "\fB\-\-ns, \-\-nosummary\fP" When the \fB\-\-check\fP command option is used, by default a short summary of results is displayed at the end. This option prevents the summary from being displayed. .IP "\fB\-\-novl, \-\-no\-verbose\-logging\fP" During some tests \fBrkhunter\fP will log a lot of information. Use of this option reduces the amount of logging, and so can improve the performance of \fBrkhunter\fP. However, the log file will contain less information should any warnings occur. By default verbose logging is enabled. .IP "\fB\-\-pkgmgr {RPM | DPKG | BSD | SOLARIS | NONE}\fP" This option is used during the file properties check or when the \fB\-\-propupd\fP command option is given. It tells \fBrkhunter\fP that the current file property values should be obtained from the relevant package manager. See the README file for more details of this option. The default is \fINONE\fP, which means not to use a package manager. .IP "\fB\-q, \-\-quiet\fP" This option tells \fBrkhunter\fP not to display any output. It can be useful when only the exit code is going to be checked. Other options may be used with this one, to force only specific items to be displayed. .IP "\fB\-\-rwo, \-\-report\-warnings\-only\fP" This option causes only warning messages to be displayed. This can be useful when \fBrkhunter\fP is run via cron. 
Other options may be used to force other items of information to be displayed. .IP "\fB\-\-sk, \-\-skip\-keypress\fP" When the \fB\-\-check\fP command option is used, after certain sections of tests, the user will be prompted to press the \fIreturn\fP key in order to continue. This option disables that feature, and \fBrkhunter\fP will run until all the tests have completed. If this option has not been given, and the user is prompted to press the \fIreturn\fP key, a single '\fIs\fP' character, in upper\- or lowercase, may be given followed by the \fIreturn\fP key. \fBrkhunter\fP will then continue the tests without prompting the user again (as if this option had been given). .IP \fB\-\-summary\fP This option will cause the summary of test results to be displayed. This is the default. .IP "\fB\-\-syslog [facility.priority]\fP" When the \fB\-\-check\fP command option is used, this option will cause the start and finish times to be logged to syslog. The default is not to log anything to syslog, but if the option is used, then the default level is \fIauthpriv.notice\fP. .IP "\fB\-\-tmpdir \fP" The installation process will automatically configure where temporary files are to be created. However, if necessary, this option can be used to specify a different directory. The directory must not be a symbolic link, and must be secure (root access only). .IP "\fB\-\-vl, \-\-verbose\-logging\fP" This option tells \fBrkhunter\fP that when it runs some tests, it should log as much information as possible. This can be useful when trying to diagnose why a warning has occurred, but it obviously also takes more time. The default is to use verbose logging. .IP "\fB\-x, \-\-autox\fP" When this option is used, \fBrkhunter\fP will try and detect if the X Window system is in use. If it is in use, then the second color set will automatically be used (see the \fB\-\-color\-set2\fP option). 
This allows \fBrkhunter\fP to be run on, for example, a server console (where X is not present, so the default color set should be used), and on a user's terminal (where X is in use, so the second color set should be used). In both cases \fBrkhunter\fP will use the correct color set. The configuration file default is to try to detect X.
.IP "\fB\-X, \-\-no\-autox\fP"
This option prevents \fBrkhunter\fP from automatically detecting if the X Window system is being used. See the \fB\-\-autox\fP option.
.SH TESTS
[This section to be written. Until then, the README file describes each test name.]
.IP "\fBadditional_rkts\fP"
This test is for SHORT_EXPLANATION. It works as part of GROUP. Corresponding configuration file entries: ONE=one, TWO=two and for white-listing THREE=three,three. Simple globbing (/dev/shm/file-*) works.
.IP \fBall\fP
.IP \fBapps\fP
.IP \fBattributes\fP
.IP \fBavail_modules\fP
.IP \fBdeleted_files\fP
.IP \fBfilesystem\fP
.IP \fBgroup_accounts\fP
.IP \fBgroup_changes\fP
.IP \fBhashes\fP
.IP \fBhidden_ports\fP
.IP \fBhidden_procs\fP
.IP \fBimmutable\fP
.IP \fBknown_rkts\fP
.IP \fBloaded_modules\fP
.IP \fBlocal_host\fP
.IP \fBmalware\fP
.IP \fBnetwork\fP
.IP \fBnone\fP
.IP \fBos_specific\fP
.IP \fBother_malware\fP
.IP \fBpacket_cap_apps\fP
.IP \fBpasswd_changes\fP
.IP \fBports\fP
.IP \fBpossible_rkt_files\fP
.IP \fBpossible_rkts\fP
.IP \fBpossible_rkt_strings\fP
.IP \fBpromisc\fP
.IP \fBproperties\fP
.IP \fBrootkits\fP
.IP \fBrunning_procs\fP
.IP \fBscripts\fP
.IP \fBshared_libs\fP
.IP \fBshared_libs_path\fP
.IP \fBstartup_files\fP
.IP \fBstartup_malware\fP
.IP \fBstrings\fP
.IP \fBsuspscan\fP
.IP \fBsystem_commands\fP
.IP \fBsystem_configs\fP
.IP \fBtrojans\fP
.SH FILES
(For a default installation)
.br
/etc/rkhunter.conf
.br
/var/log/rkhunter.log
.SH SEE ALSO
See the CHANGELOG file for recent changes.
.br
The README file has information about installing \fBrkhunter\fP, as well as specific sections on test names and using package managers.
.br
The FAQ file should also answer some questions.
.SH LICENSING
RootKit Hunter is licensed under the GPL, copyright Michael Boelen. See the LICENSE file for details of GPL licensing.
.SH CONTACT INFORMATION
RootKit Hunter is under active development by the RootKit Hunter project team. For reporting bugs, updates, patches, comments and questions, please go to http://rkhunter.sourceforge.net/
.fi
rkhunter-1.4.0/files/tools/0000750000123200012320000000000011750002114015540 5ustar unspawnunspawnrkhunter-1.4.0/files/backdoorports.dat0000640000123200012320000000203711467621037017771 0ustar unspawnunspawnVersion:2010111401
#
# Syntax: PORT:DESCRIPTION:PROTOCOL:
#
# Each entry is one line of three colon-separated fields, terminated by
# a trailing colon (see the entries below).
#
# Note: The port number must be between 1 and 65535 inclusive.
#       Descriptions cannot contain any colon (:) characters.
#       The protocol must be UDP or TCP.
#
1524:Possible FreeBSD (FBRK) Rootkit backdoor:TCP:
1984:Fuckit Rootkit:TCP:
2001:Scalper:UDP:
2006:CB Rootkit or w00tkit Rootkit SSH server:TCP:
2128:MRK:TCP:
6666:Possible rogue IRC bot:TCP:
6667:Possible rogue IRC bot:TCP:
6668:Possible rogue IRC bot:TCP:
6669:Possible rogue IRC bot:TCP:
7000:Possible rogue IRC bot:TCP:
13000:Possible Universal Rootkit (URK) SSH server:TCP:
14856:Optic Kit (Tux):TCP:
25000:Possible Universal Rootkit (URK) component:TCP:
29812:FreeBSD (FBRK) Rootkit default backdoor port:TCP:
31337:Historical backdoor port:TCP:
32982:Solaris Wanuk:TCP:
33369:Volc Rootkit SSH server (divine):TCP:
47107:T0rn:TCP:
47018:Possible Universal Rootkit (URK) component:TCP:
60922:zaRwT.KiT:TCP:
62883:Possible FreeBSD (FBRK) Rootkit default backdoor port:TCP:
65535:FreeBSD Rootkit (FBRK) telnet port:TCP:
rkhunter-1.4.0/files/rkhunter0000750000123200012320000170015411747776703016224 0ustar unspawnunspawn#!/bin/sh
#
# rkhunter -- Scan the system for rootkits and other known security issues.
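#
# Copyright (c) 2003-2012, Michael Boelen ( michael AT rootkit DOT nl )
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
#

#
# Unfortunately we must do some O/S checks at the very beginning,
# otherwise SunOS will complain about some of the ksh/bash syntax.
# By default the SunOS root account uses a simple Bourne shell,
# which does not work with RKH. So we exec to use the Bash shell
# if it is present, or the Korn shell which is usually installed
# by default on Solaris systems.
#
# Variables set here and used throughout the script:
#   BSDOS            1 on *BSD/DragonFly, else 0
#   SUNOS            1 on SunOS, else 0
#   OPERATING_SYSTEM output of 'uname'
#   DEBUG_OPT        1 when '--debug' was given (all output then goes
#                    to RKHDEBUGFILE and 'set -x' is on), else 0
#   MYSHELL          name of the shell believed to be running us
#   ECHOOPT          option needed for 'echo' to interpret escapes
#
BSDOS=0
SUNOS=0
OPERATING_SYSTEM=`uname 2>/dev/null`

case "${OPERATING_SYSTEM}" in
*BSD|DragonFly)
    BSDOS=1
    ;;
SunOS)
    SUNOS=1
    ;;
esac

if [ $SUNOS -eq 1 ]; then
    # Simple SunOS test of RANDOM to see if we are now running bash or ksh.
    if [ -z "$RANDOM" ]; then
        # If the 'which' output contains a space, then it is probably an error.
        #
        # The arguments are passed on with ${1+"$@"} rather than $*: $* would
        # re-split any argument containing whitespace, and a bare "$@" with
        # no arguments yields one empty argument on the old Bourne shell
        # that runs this branch.
        if [ -n "`which bash 2>/dev/null | grep -v ' '`" ]; then
            exec bash "$0" ${1+"$@"}
        elif [ -n "`which ksh 2>/dev/null | grep -v ' '`" ]; then
            exec ksh "$0" ${1+"$@"}
        else
            echo "Unable to find the bash or ksh shell to run rkhunter."
            exit 1
        fi

        exit 0
    fi
fi


#
# Check to see if we are using the '--debug' option. If so, then
# we exec to log everything to the debug file.
#
# NB: this is a substring match on the whole argument list, so any
# argument containing '--debug' enables it.
#
if [ -n "`echo \"$*\" | grep '\-\-debug'`" ]; then
    RKHDEBUGBASE="/tmp/rkhunter-debug"

    #
    # The debug file lives in a world-writable directory and we run as
    # root, so it must be created by us, atomically, and must never be a
    # path that already exists: a file or symlink planted by another user
    # would otherwise be followed and truncated by the 'exec 1>' below.
    #
    # 'mktemp' creates the file itself (mode 0600, exclusively), so when
    # it is available we keep the file it made rather than removing and
    # re-creating it, which would reopen the race. Without 'mktemp' we
    # fall back to a less random name and use 'noclobber' (set -C) so
    # that the redirection refuses to open a pre-existing path (most
    # shells implement this as an exclusive open). The fallback names
    # are guessable, so 'mktemp' is strongly preferred.
    #
    if [ -n "`which mktemp 2>/dev/null | grep -v ' '`" ]; then
        RKHDEBUGFILE=`mktemp "${RKHDEBUGBASE}.XXXXXXXXXX"`

        if [ -z "${RKHDEBUGFILE}" -o ! -f "${RKHDEBUGFILE}" -o -h "${RKHDEBUGFILE}" ]; then
            echo "Cannot use '--debug' option. Unable to create a debug file from \"${RKHDEBUGBASE}.XXXXXXXXXX\"."
            exit 1
        fi

        DEBUG_OPT=1

        # The file already exists and is empty; append so that we do
        # not need to clobber it.
        exec 1>>"${RKHDEBUGFILE}" 2>&1
    else
        if [ -n "$RANDOM" ]; then
            RKHDEBUGFILE="${RKHDEBUGBASE}.$RANDOM"
        elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
            RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%N%s%N`"
        else
            RKHDEBUGFILE="${RKHDEBUGBASE}.`date +%Y%m%d%H%M%S`"
        fi

        # Never reuse or remove an existing path, whatever it is.
        if [ -e "${RKHDEBUGFILE}" -o -h "${RKHDEBUGFILE}" ]; then
            echo "Cannot use '--debug' option. \"${RKHDEBUGFILE}\" already exists."
            exit 1
        fi

        DEBUG_OPT=1

        # With noclobber the shell will not open an existing file (or a
        # symlink to one); a failed 'exec' redirection terminates the
        # non-interactive shell, and the explicit exit covers shells
        # where it does not.
        set -C
        exec 1>"${RKHDEBUGFILE}" 2>&1 || exit 1
        set +C
    fi

    chmod 600 "${RKHDEBUGFILE}" >/dev/null 2>&1
    set -x
else
    DEBUG_OPT=0
fi


#
# Now we must determine if we are using the Korn shell or not. If so,
# then we alias the 'echo' command and set ECHOOPT. For other shells,
# we try and determine the real shell being used, and test to see if
# the 'echo -e' command is valid or not. We set ECHOOPT accordingly.
#

#
# Unfortunately *BSD doesn't seem to allow capturing of unknown commands.
# So we must alias 'print' to something valid, but which will fail.
#
test $BSDOS -eq 1 && alias print=false

if [ "`print "rkh-ksh-string-test" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
    # 'print' exists and works: we are running under ksh.
    alias echo='print'
    ECHOOPT="--"
    MYSHELL=ksh
elif [ $SUNOS -eq 1 ]; then
    # For Solaris, if we are not running ksh, then it must be bash.
    MYSHELL=bash
    ECHOOPT="-e"
else
    #
    # We want to get the actual shell used by this program, and
    # so we need to test /bin/sh.
    #
    MYSHELL=/bin/sh
    test -h ${MYSHELL} && MYSHELL=`readlink ${MYSHELL} 2>/dev/null`
    MYSHELL=`basename ${MYSHELL} 2>/dev/null`

    # Assume 'bash' if we have problems finding the real shell.
    test -z "${MYSHELL}" && MYSHELL=bash

    #
    # Now test the 'echo -e' command. NB: the right-hand string below
    # contains a literal TAB character, which is what a working
    # 'echo -e' must produce for '\t'.
    #
    if [ "`echo -e \"rkh-ksh\tstring-test\" 2>/dev/null`" = "rkh-ksh	string-test" ]; then
        ECHOOPT="-e"
    else
        ECHOOPT=""
    fi
fi


#
# We now perform a similar test to see if 'echo -n', or "\c", is valid
# or not.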
# Unfortunately on some systems both '-e' and '-n' are valid,
# but not together. The "\c" option works in these cases. So we set
# ECHON accordingly.
#
# ECHON is later passed to 'echo' (as an option, or as a "\c" suffix)
# by display() when a message must not end with a newline.
#
if [ "`echo -n -e \"rkh-ksh-string-test\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
    ECHON="-n"
elif [ "`echo -e \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
    ECHON="c"
elif [ "`echo \"rkh-ksh-string-test\c\" 2>/dev/null`" = "rkh-ksh-string-test" ]; then
    ECHON="c"
else
    ECHON=""
fi


#
# Finally, we need to test the 'head' and 'tail' commands
# to see if they understand the '-n' option or not.
#
# HEAD_OPT/TAIL_OPT are used as "head ${HEAD_OPT}1", giving either
# 'head -n 1' or the old-style 'head -1'.
#
if head -n 1 /dev/null 2>&1; then
    HEAD_OPT="-n "
else
    HEAD_OPT="-"
fi

if tail -n 1 /dev/null 2>&1; then
    TAIL_OPT="-n "
else
    TAIL_OPT="-"
fi


######################################################################
#
# Global function definitions
#
######################################################################


display() {
    #
    # This function is used to display text messages on to the
    # users screen, as well as in to the log file. The same
    # message is written to both. However, the screen may have
    # a coloured result (green for good, red for bad, etc), and
    # the log file will have the time prefixed to the message and,
    # optionally, additional information messages after the main
    # message. All the messages are indexed in the language file.
    #
    # Syntax: display --to DEST --type TYPE
    #                 [--screen-indent N] [--log-indent N]
    #                 [--nl [N]] [--nl-after] [--log-nl] [--screen-nl] [--nonl]
    #                 [--result RESULT --color COLOR]
    #                 MSGKEY [optional message arguments]
    #
    # where the destination can be one of SCREEN, LOG or SCREEN+LOG.
    # The type can be one of PLAIN, INFO or WARNING.
    # The language file will have all the current values.
    #
    # The --screen-indent and --log-indent options are used to
    # forcibly indent a message.
    # The --nl option causes a blank-line to be output before the
    # message both on the screen and in the log file. A following
    # number can be used to indicate how many blank lines should
    # be displayed on the screen.
    # The --log-nl option outputs a blank line only in the log file.
    # The --screen-nl option outputs a blank line on the screen
    # regardless of whether SCREEN was specified or not.
    # The --nl-after option outputs a blank line on the screen after
    # the message.
    # The --nonl option is only to be used in special cases where we
    # want the output of more than one message to appear on the same
    # line. This is currently only used when trying to obtain the
    # lock file. It only applies to PLAIN messages, and may not be
    # supported on all systems (depending on whether 'echo -n' works
    # or not).
    #
    # Globals read: NOLOG, NOTTY, COLORS, QUIET, SHOWWARNINGSONLY,
    #   RKHLANGUPDT, RKHCHKLOCALE, ICONV_CMD, RKHCHRMAP, DB_PATH,
    #   LANGUAGE, RKHLOGFILE, BLANK_LINE, WLIST_IS_WHITE, WHITE, NORMAL,
    #   IFSNL, HEAD_OPT, ECHOOPT, ECHON, MSG_TYPE_*, MSG_RESULT_*.
    # Globals written: WARNING_COUNT (incremented for every WARNING
    #   message), plus the scratch variables below, which are not
    #   declared local and so remain visible to the caller.
    # Returns: nothing useful; on a bad call an error is echoed to
    #   stdout and the function returns without displaying anything.
    #
    # NOTE(review): the message text read from the language file is
    # passed through 'eval' (below) to expand the $1, $2... argument
    # references it contains. Anything else in that text that the
    # shell expands ($(...), ${...}) is therefore executed with the
    # privileges of this script, so the i18n files under DB_PATH must
    # be root-owned and not writable by other users. That check is
    # presumably made elsewhere; confirm before relying on it.
    #


    #
    # We first initialize some variables and then
    # process the switches used.
    #
    WARN_MSG=0; NL=0; NLAFTER=0; LOGINDENT=0; SCREENINDENT=0
    LOGNL=0; SCREENNL=0
    WRITETO=''; TYPE=''; RESULT=''; COLOR=''; MSG=''
    LINE1=''; LOGLINE1=''; SPACES=''; NONL=''

    # Kept only for the error messages below.
    DISPLAY_LINE="display $*"

    if [ $# -le 0 ]; then
        echo "Error: Invalid display call - no arguments given"
        return
    fi

    # Option loop: every option except the message keyword is consumed
    # here. The first non-option word is the keyword; whatever follows
    # it is left in "$@" for the eval expansion of the message text.
    while [ $# -ge 1 ]; do
        case "$1" in
        --to)
            case "$2" in
            SCREEN|LOG|SCREEN+LOG)
                WRITETO=$2
                ;;
            *)
                echo "Error: Invalid display destination: $2
Display line: ${DISPLAY_LINE}"
                return
                ;;
            esac
            shift
            ;;
        --type)
            # Indirect lookup of MSG_TYPE_<name> from the language file.
            TYPE=`eval echo "\\$MSG_TYPE_$2"`

            # PLAIN has no MSG_TYPE_ string; an unknown type is only
            # tolerated while the language files are being updated.
            if [ -z "${TYPE}" -a "$2" != "PLAIN" ]; then
                if [ $RKHLANGUPDT -eq 0 ]; then
                    echo "Error: Invalid display type: $2
Display line: ${DISPLAY_LINE}"
                    return
                fi
            fi

            test "$2" = "WARNING" && WARN_MSG=1
            shift
            ;;
        --result)
            # Indirect lookup of MSG_RESULT_<name>.
            RESULT=`eval echo "\\$MSG_RESULT_$2"`

            if [ -z "${RESULT}" ]; then
                if [ $RKHLANGUPDT -eq 0 ]; then
                    echo "Error: Invalid display result: $2
Display line: ${DISPLAY_LINE}"
                    return
                fi
            fi
            shift
            ;;
        --color)
            # The colour name is only resolved (to the escape sequence
            # held in the variable of that name) when colours are on.
            if [ $COLORS -eq 1 ]; then
                test -n "$2" && COLOR=`eval "echo \\${$2}"`

                if [ -z "${COLOR}" ]; then
                    echo "Error: Invalid display color: $2
Display line: ${DISPLAY_LINE}"
                    return
                fi
            fi
            shift
            ;;
        --log-indent)
            LOGINDENT=$2

            if [ -z "${LOGINDENT}" ]; then
                echo "Error: No --log-indent value given.
Display line: ${DISPLAY_LINE}"
                return
            elif [ -z "`echo ${LOGINDENT} | grep '^[0-9]*$'`" ]; then
                echo "Error: Invalid '--log-indent' value given: $2
Display line: ${DISPLAY_LINE}"
                return
            fi
            shift
            ;;
        --screen-indent)
            SCREENINDENT=$2

            if [ -z "${SCREENINDENT}" ]; then
                echo "Error: No --screen-indent value given.
Display line: ${DISPLAY_LINE}"
                return
            elif [ -z "`echo ${SCREENINDENT} | grep '^[0-9]*$'`" ]; then
                echo "Error: Invalid '--screen-indent' value given: $2
Display line: ${DISPLAY_LINE}"
                return
            fi
            shift
            ;;
        --nl)
            NL=1

            # An optional single-digit count may follow.
            case "$2" in
            [0-9])
                NL=$2
                shift
                ;;
            esac
            ;;
        --log-nl)
            LOGNL=1
            ;;
        --screen-nl)
            SCREENNL=1
            ;;
        --nl-after)
            NLAFTER=1
            ;;
        --nonl)
            NONL=$ECHON
            ;;
        -*)
            echo "Error: Invalid display option given: $1
Display line: ${DISPLAY_LINE}"
            return
            ;;
        *)
            MSG=$1
            shift
            break
            ;;
        esac

        shift
    done


    #
    # Before anything we must record if this is a warning message.
    #
    test $WARN_MSG -eq 1 && WARNING_COUNT=`expr ${WARNING_COUNT} + 1`


    #
    # For simplicity we now set variables as to whether the output
    # goes to the screen and/or the log file. In some cases we do
    # not need to output anything, and so can just return.
    #
    if [ $NOLOG -eq 1 ]; then
        test "${WRITETO}" = "LOG" && return
        test "${WRITETO}" = "SCREEN+LOG" && WRITETO="SCREEN"
    fi

    if [ $NOTTY -eq 1 ]; then
        test "${WRITETO}" = "SCREEN" && return
        test "${WRITETO}" = "SCREEN+LOG" && WRITETO="LOG"
    fi

    test "${WRITETO}" = "SCREEN" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOTTY=1 || WRITETOTTY=0
    test "${WRITETO}" = "LOG" -o "${WRITETO}" = "SCREEN+LOG" && WRITETOLOG=1 || WRITETOLOG=0


    #
    # Now check that the options we have been given make sense.
    #
    if [ $WRITETOTTY -eq 0 -a $WRITETOLOG -eq 0 ]; then
        echo "Error: Invalid display destination:
Display line: ${DISPLAY_LINE}"
        return
    elif [ $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a -n "${RESULT}" -a -z "${COLOR}" ]; then
        echo "Error: Invalid display - no color given:
Display line: ${DISPLAY_LINE}"
        return
    fi


    #
    # We only allow no newline for PLAIN messages.
    #
    test -n "${TYPE}" && NONL=""


    #
    # If we want whitelisted results to be shown as white, or
    # black for colour set two users, then change the colour now.
    #
    if [ $WLIST_IS_WHITE -eq 1 -a $WRITETOTTY -eq 1 -a $COLORS -eq 1 -a "${RESULT}" = "${MSG_RESULT_WHITELISTED}" ]; then
        COLOR=$WHITE
    fi


    #
    # We set the variable LINE1 to contain the first line of the message.
    # For the log file we use the variable LOGLINE1. We also set
    # where the language file is located. If a message cannot be found
    # in the file, then we look in the English file. This will allow RKH
    # to still work even when the language files change.
    #
    # A message occupies one or more lines of the form "KEYWORD:text";
    # only the first matching line is used here, the remaining lines of
    # a WARNING message are written to the log further below.
    #
    LANG_FILE="${DB_PATH}/i18n/${LANGUAGE}"

    if [ -n "${MSG}" ]; then
        LINE1=`grep "^${MSG}:" ${LANG_FILE} 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`

        # Convert from the UTF-8 of the language file to the locale's
        # character map; a conversion failure empties the message so
        # that the English fallback below is used instead.
        if [ $RKHCHKLOCALE -eq 1 ]; then
            LINE1=`echo "${LINE1}" | ${ICONV_CMD} -f UTF-8 -t ${RKHCHRMAP} 2>/dev/null`
            test $? -ne 0 && LINE1=""
        fi

        if [ -z "${LINE1}" ]; then
            LANG_FILE="${DB_PATH}/i18n/en"
            LINE1=`grep "^${MSG}:" ${LANG_FILE} 2>/dev/null | head ${HEAD_OPT}1 | cut -d: -f2-`

            if [ -z "${LINE1}" ]; then
                echo "Error: Invalid display - keyword cannot be found:
Display line: ${DISPLAY_LINE}"
                return
            fi
        else
            # Escape backquotes so the eval below does not run them.
            # NOTE(review): this escaping is only applied on this
            # branch; text taken from the English fallback above is
            # eval'd unescaped. Probably an oversight - confirm.
            LINE1=`echo "${LINE1}" | sed -e 's/\`/\\\\\`/g'`
        fi

        # Expand the $1, $2... references in the message text from the
        # remaining positional parameters (the message arguments), and
        # escape semicolons in the result.
        test -n "${LINE1}" && LINE1=`eval "echo \"${LINE1}\" | sed -e 's/;/\\;/g'"`
    fi


    #
    # At this point LINE1 is the text of the message. We have to
    # see if the message is to be indented, and must prefix the
    # time to log file messages. We must do the log file first
    # because it uses LINE1.
    #
    if [ $WRITETOLOG -eq 1 ]; then
        LOGLINE1=`date '+[%H:%M:%S]'`

        # A requested blank line in the log still carries the time stamp.
        test $NL -gt 0 -o $LOGNL -eq 1 && echo "${LOGLINE1}" >>${RKHLOGFILE}

        if [ -n "${TYPE}" ]; then
            LOGLINE1="${LOGLINE1} ${TYPE}: ${LINE1}"
        else
            # BLANK_LINE is a run of spaces; 'cut' takes the first N of them.
            test $LOGINDENT -gt 0 && SPACES=`echo "${BLANK_LINE}" | cut -c1-$LOGINDENT`
            LOGLINE1="${LOGLINE1} ${SPACES}${LINE1}"
        fi
    fi

    if [ $WRITETOTTY -eq 1 -a $SCREENINDENT -gt 0 ]; then
        SPACES=`echo "${BLANK_LINE}" | cut -c1-$SCREENINDENT`
        LINE1="${SPACES}${LINE1}"
    fi


    #
    # We now check to see if a result is to be output. If it is,
    # then we need to space-out the line and color the result.
    #
    # The result is aligned at column 62 (the 'wc -c' count includes
    # the trailing newline added by 'echo'). On a colour terminal the
    # padding is done with a cursor-forward escape sequence instead of
    # spaces, so that the result lands in the same column.
    #
    if [ -n "${RESULT}" ]; then
        if [ $WRITETOTTY -eq 1 ]; then
            LINE1_NUM=`echo "${LINE1}" | wc -c | tr -d ' '`
            NUM_SPACES=`expr 62 - ${LINE1_NUM}`
            test $NUM_SPACES -lt 1 && NUM_SPACES=1

            if [ $COLORS -eq 0 ]; then
                SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
                LINE1="${LINE1}${SPACES}[ ${RESULT} ]"
            else
                LINE1="${LINE1}\033[${NUM_SPACES}C[ ${COLOR}${RESULT}${NORMAL} ]"
            fi
        fi

        if [ $WRITETOLOG -eq 1 ]; then
            LOGLINE1_NUM=`echo "${LOGLINE1}" | wc -c | tr -d ' '`
            NUM_SPACES=`expr 62 - ${LOGLINE1_NUM}`
            test $NUM_SPACES -lt 1 && NUM_SPACES=1
            SPACES=`echo "${BLANK_LINE}" | cut -c1-$NUM_SPACES`
            LOGLINE1="${LOGLINE1}${SPACES}[ ${RESULT} ]"
        fi
    elif [ $WRITETOTTY -eq 1 -a -n "${COLOR}" ]; then
        LINE1="${COLOR}${LINE1}${NORMAL}"
    fi


    #
    # We can now output the message. We start with any required blank
    # lines, and then the first line. If this is a warning message we
    # write to the log file any additional lines.
    #
    if [ $SCREENNL -eq 1 ]; then
        test $QUIET -eq 0 -a $SHOWWARNINGSONLY -eq 0 -a $NOTTY -eq 0 && echo ""
    fi

    if [ $WRITETOTTY -eq 1 ]; then
        NLLOOP=$NL

        while test $NLLOOP -gt 0; do
            echo ""
            NLLOOP=`expr ${NLLOOP} - 1`
        done

        # ECHON is either an 'echo' option (e.g. -n) or "c", meaning
        # that a "\c" suffix is what suppresses the newline here.
        if [ "${NONL}" = "c" ]; then
            echo $ECHOOPT "${LINE1}\c"
        else
            echo $NONL $ECHOOPT "${LINE1}"
        fi
    fi

    if [ $WRITETOLOG -eq 1 ]; then
        echo $ECHOOPT "${LOGLINE1}" >>${RKHLOGFILE}

        if [ $WARN_MSG -eq 1 ]; then
            # In --report-warnings-only mode the log line, minus its
            # time stamp, is also shown on the screen.
            test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-

            # LINE1 is reused here as a flag: the first matching line
            # of the message has already been written, so skip it and
            # write only the continuation lines. IFS is set to a
            # newline so that each line is one loop iteration.
            LINE1=1
            OLDIFS="${IFS}"
            IFS=$IFSNL

            for LOGLINE1 in `grep "^${MSG}:" ${LANG_FILE} 2>/dev/null | cut -d: -f2-`; do
                if [ $LINE1 -eq 1 ]; then
                    LINE1=0
                    continue
                else
                    test $SHOWWARNINGSONLY -eq 1 && echo $ECHOOPT " ${LOGLINE1}"
                    echo $ECHOOPT " ${LOGLINE1}" >>${RKHLOGFILE}
                fi
            done

            IFS="${OLDIFS}"
        elif [ $SHOWWARNINGSONLY -eq 1 -a -n "`echo \"${LOGLINE1}\" | grep '^\[[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\] '`" ]; then
            # Non-warning log line with a time stamp: show it without
            # the stamp.
            echo $ECHOOPT "${LOGLINE1}" | cut -d' ' -f2-
        fi
    fi


    #
    # Output a final blank line if requested to do so.
    #
    test $WRITETOTTY -eq 1 -a $NLAFTER -eq 1 && echo ""

    return
}


keypresspause() {
    #
    # This function will display a prompt message to the user.
    #
    # The prompt (PRESSENTER) is shown unless key presses are being
    # skipped or quiet mode is on. An answer of 's' or 'S' sets
    # SKIP_KEY_PRESS, so no further prompts are shown in this run.
    #
    # Globals read: SKIP_KEY_PRESS, QUIET. Globals written:
    # SKIP_KEY_PRESS, RKHTMPVAR. Reads one line from stdin.
    #
    # NB: 'read' is used without -r, so backslashes in the reply are
    # interpreted; harmless here since only 's'/'S' is acted upon.
    #
    if [ $SKIP_KEY_PRESS -eq 0 -a $QUIET -eq 0 ]; then
        display --to SCREEN --type PLAIN --nl PRESSENTER
        read RKHTMPVAR
        test "${RKHTMPVAR}" = "s" -o "${RKHTMPVAR}" = "S" && SKIP_KEY_PRESS=1
    fi

    return
}


get_option() {
    #
    # This function is used to process configuration file options.
    #
    # Syntax: get_option