Applications - Talk about all Apple related software

02-01-2008, #1
Cashier
Since installing and running the RootKit application, it did find TWO suspect files, both in compressed .gz format. Both are in hidden directories and I don't know if I should kill them or not. I am running Leopard OS X 10.5.1, and don't know if they are part of Leopard or not; I seriously doubt....
I know where these two files are. The Rootkit app did not find anything else wrong on the system, except for these two files, which produced a warning only.

Ray Marotta | Admin, InTheMac.com - Apple Mac Software
02-01-2008, #3
Assistant Store Manager
@llamame - It's actually a response to this article from TAB.
What are the file names of the two suspects that Rootkit Hunter found? That might help us help you help other people (in the future).
My Mac(s): MacBook, white - 2.0 GHz, 2 GB RAM, 80 GB HDD. Cake for you? The Macversity - Mac + School = Love.

02-02-2008, #4
Cashier
This is what it found: NO ROOTKITS, but some strange files:

1. A prerequisite file: Warning: /sw/bin/which has been replaced by a script text file executable
2. Warning: /usr/share/man/man5/.rhosts.5.gz found in hidden directory

That's all it found. No rootkits were found, just these two strange files, so I think I will call Apple Tech Support on Monday to find out what to do with these files. - Ray Marotta

Admin | www.InTheMac.com © 2008
02-13-2008, #5
Operator
Join Date: Feb 2008
Posts: 2
I received the same errors running OS X Rootkit Hunter 0.2. I have pasted the errors below and at the bottom of the message I have included the text for the files in question.
```text
<SNIP>
-e [14:33:52] /sw/bin/which [ Warning ]
-e [14:33:52] Warning: The command '/sw/bin/which' has been replaced by a script: /sw/bin/which: Bourne shell script text executable
</SNIP>
-e [14:44:30] Performing filesystem checks
<SNIP>
-e [14:44:57] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: Thu Sep 27 20:49:57 2007
</SNIP>
```

as well as this one:

```text
<SNIP>
-e [14:44:30] Warning: Syslog configuration file allows remote logging: install.* @127.0.0.1:32376
[14:44:30]
</SNIP>
```

The text for the file /sw/bin/which is:

```sh
#! /bin/sh
set -ef

if [ "$#" = "0" ]; then
  ALLRET=1
else
  ALLRET=0
fi

case $PATH in
  *::) : "not *DIR:" ;;
  *:) PATH="$PATH:" ;;
esac

for PROGRAM in "$@"; do
  RET=1
  IFS_SAVE="$IFS"
  IFS=:
  case $PROGRAM in
    */*)
      if [ -f "$PROGRAM" ] && [ -x "$PROGRAM" ]; then
        printf '%s\n' "$PROGRAM"
        RET=0
      fi
      ;;
    *)
      for ELEMENT in $PATH; do
        if [ -z "$ELEMENT" ]; then
          ELEMENT=.
        fi
        if [ -f "$ELEMENT/$PROGRAM" ] && [ -x "$ELEMENT/$PROGRAM" ]; then
          printf '%s\n' "$ELEMENT/$PROGRAM"
          RET=0
          break
        fi
      done
      ;;
  esac
  IFS="$IFS_SAVE"
  if [ "$RET" != "0" ]; then
    ALLRET=1
  fi
done

exit "$ALLRET"
```

The files in the /sw/bin directory look like this:

```text
-rwxr-xr-x 1 root admin  2510 Feb 11 15:02 apt-get-lockwait
-rwxr-xr-x 1 root admin  2507 Feb 11 15:02 dpkg-lockwait
-rwxr-xr-x 1 root admin   124 Feb 11 15:01 editor
-rwxr-xr-x 1 root admin  1314 Feb 11 15:02 fink
-rwxr-xr-x 1 root admin  2605 Feb 11 15:02 fink-instscripts
-rwxr-xr-x 1 root admin  2785 Feb 11 15:02 fink-scanpackages
-rwxr-xr-x 1 root admin  5062 Feb 11 15:02 fink-virtual-pkgs
-rwxr-xr-x 3 root admin 64428 Feb 11 15:03 gunzip
lrwxr-xr-x 1 root admin     4 Feb 11 15:03 gzcat -> zcat
-rwxr-xr-x 1 root admin  3837 Feb 11 15:03 gzexe
-rwxr-xr-x 3 root admin 64428 Feb 11 15:03 gzip
-rw-r--r-- 1 root admin  4015 Feb 11 15:01 init.csh
-rw-r--r-- 1 root admin  3796 Feb 11 15:01 init.sh
-rwxr-xr-x 1 root admin   192 Feb 11 15:01 pager
-rwxr-xr-x 1 root admin  7303 Feb 11 15:02 pathsetup.sh
-rwxr-xr-x 1 root admin  8391 Nov 15  2002 savelog
-rwxr-xr-x 1 root admin   235 Sep 28  2002 sensible-editor
-rwxr-xr-x 1 root admin   185 Sep 28  2002 sensible-pager
-rwxr-xr-x 1 root admin   644 Nov 10  2002 which
-rwxr-xr-x 3 root admin 64428 Feb 11 15:03 zcat
-rwxr-xr-x 2 root admin  1999 Feb 11 15:03 zcmp
-rwxr-xr-x 2 root admin  1999 Feb 11 15:03 zdiff
-rwxr-xr-x 1 root admin  1003 Feb 11 15:03 zforce
-rwxr-xr-x 1 root admin  1332 Feb 11 15:03 zgrep
lrwxr-xr-x 1 root admin     5 Feb 11 15:03 zless -> zmore
-rwxr-xr-x 1 root admin  1067 Feb 11 15:03 zmore
-rwxr-xr-x 1 root admin  3501 Feb 11 15:03 znew
```

The text for the file /usr/share/man/man5/.rhosts.5.gz is below. Note that when uncompressed the file name is hosts.5. Also, this is the only file in this directory with a "." in front of the file name.

```nroff
.\" Portions Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
.\" $NetBSD: hosts.5,v 1.4 1994/11/30 19:31:20 jtc Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)hosts.5	8.2 (Berkeley) 12/11/93
.\"
.Dd December 11, 1993
.Dt HOSTS 5
.Os BSD 4.2
.Sh NAME
.Nm hosts
.Nd host name data base
.Sh DESCRIPTION
The
.Nm hosts
file contains information regarding
the known hosts on the network.
For each host a single line should be present
with the following information:
.Bd -unfilled -offset indent
Internet address
Official host name
Aliases
.Ed
.Pp
Items are separated by any number of blanks and/or
tab characters.
A ``#'' indicates the beginning of
a comment; characters up to the end of the line are
not interpreted by routines which search the file.
.Pp
Network addresses may either be specified for IP version 4 or version 6.
IP version 4 addresses are specified in the conventional dotted address notation.
IP version 6 addresses are specified using the colon-separated notation described in RFC1924.
.Pp
Host names may contain any printable character
other than a field delimiter, newline,
or comment character.
.Sh INTERACTION WITH DIRECTORY SERVICES
Processes generally find host-related information using the routines described in
.Xr gethostent 3 ,
.Xr getipnodebyname 3 ,
.Xr getaddrinfo 3 ,
and
.Xr getnameinfo 3 .
On Mac OS X, these functions interact with the
.Xr DirectoryService 8
daemon, which reads the /etc/hosts file as well as searching other directory
information services, most notably the Domain Name System (DNS).
.Sh FILES
.Bl -tag -width /etc/hosts -compact
.It Pa /etc/hosts
.El
.Sh SEE ALSO
.Xr gethostent 3 ,
.Xr getipnodebyname 3 ,
.Xr getaddrinfo 3 ,
.Xr getnameinfo 3 ,
.Xr DirectoryService 8
.Rs
.%T "RFC1924: A Compact Representation of IPv6 Addresses"
.Re
.Sh HISTORY
The
.Nm
file format appeared in
.Bx 4.2 .
```

Last edited by rjoe; 02-13-2008 at 09:27 PM. Reason: Wanted to disable smilies because they were showing up in the code section.
02-29-2008, #7
Operator
Join Date: Feb 2008
Posts: 2

Quote:

Please correct me if I am wrong! Best, R. Joe
09-24-2008, #9
Operator
Join Date: Sep 2008
Posts: 1

Did anybody find an answer to this?
I get the same warnings.

```text
Checking if syslog remote logging is allowed [ Warning ]
Syslog configuration file allows remote logging: install.* @127.0.0.1:32376
Checking for hidden files and directories [ Warning ]
Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: Thu Sep 27 20:49:57 2007
```

Has this program gone obsolete? If so, what can one use in its place that is freeware/opensource?
09-24-2008, #10
Assistant Store Manager
The rootkit hunter can potentially find some unix malware. Most of its findings are probably false positives. I wouldn't worry too much about it. You can read an article about it posted here on TAB:
http://theappleblog.com/2008/01/23/w...ootkit-hunter/
iMac Intel Core Duo 17" 1.83GHz, 2GB Crucial RAM :: Twitter : Ben Drucker Photography: Professional Photography Services :: Interested in a free trial Smugmug account?
Last edited by baseballboy828; 09-24-2008 at 10:50 PM.
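A triage pass over the three warnings quoted in this thread, added here as an example (it is not rkhunter's code and not from any poster): it tells a shebang script from a binary, lists dot-files under a man directory, and keeps only syslog forwarding targets that actually leave the host, so the loopback `install.*` line is not reported. The sandbox tree, the placeholder man page and the `@logs.example.org` target are constructed for the demo.

```shell
#!/bin/sh
# Constructed triage helpers for the three rkhunter warnings quoted in this thread
# (not rkhunter's code). The sandbox paths and the example.org target are made up.

# "Command replaced by a script" check: print "script" if the file starts with
# a #! line, "binary" otherwise. Fink ships /sw/bin/which as a Bourne script by
# design, so "script" on its own is not evidence of tampering.
file_kind() {
    IFS= read -r first < "$1" || true
    case $first in
        '#!'*) echo script ;;
        *)     echo binary ;;
    esac
}

# "Hidden file found" check: list dot-prefixed regular files under a directory.
# The thread's hit uncompresses to Apple's hosts(5) page, so inspect content next.
hidden_files() {
    find "$1" -type f -name '.*' | sort
}

# "Syslog allows remote logging" check, narrowed to targets that leave the host:
# forwarding to 127.0.0.1/localhost/::1 (Leopard's install.* @127.0.0.1:32376)
# is dropped, any other @target is printed as "selector target".
syslog_remote_targets() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        $2 ~ /^@/ {
            host = substr($2, 2)
            sub(/:[0-9]+$/, "", host)
            if (host != "127.0.0.1" && host != "localhost" && host != "::1")
                print $1, $2
        }' "$1"
}

# Build a throwaway tree mirroring the findings above; prints its root.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/sw/bin" "$root/usr/share/man/man5" "$root/etc"
    printf '#! /bin/sh\nexit 0\n' > "$root/sw/bin/which"
    printf 'placeholder man page\n' > "$root/usr/share/man/man5/.rhosts.5.gz"
    printf 'install.*\t@127.0.0.1:32376\n*.err\t@logs.example.org:514\n' \
        > "$root/etc/syslog.conf"
    echo "$root"
}
sb=$(make_sandbox)
echo "which: $(file_kind "$sb/sw/bin/which")"
echo "hidden: $(hidden_files "$sb/usr/share/man/man5")"
echo "remote syslog: $(syslog_remote_targets "$sb/etc/syslog.conf")"
```

Run against a real machine, point the three functions at /sw/bin/which, /usr/share/man/man5 and /etc/syslog.conf instead of the sandbox; a script result still needs the package owner confirmed (for Fink, `dpkg -S`) before it is dismissed.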