####################################################################
#
# CHANGELOG
#
####################################################################

 !! Important notices !!:

 - Dates in this file are formatted as DD/MM/YYYY (European format)
 - The rkhunter configuration file (default /etc/rkhunter.conf) will
   not be overwritten when using the rkhunter installer.
   Be sure you compare your existing configuration file against the
   one delivered in this package, in order to optimize the file for
   your machine.


 -- 

 * 1.3.2 (27/02/2008)

 New:
 - Added support for the socklog and rsyslog (syslog) daemons.
 - Added support for IRIX/IRIX64 systems.
 - If the user wishes to force RKH to use the 'stat' or 'readlink'
   supplied scripts, then this can be set in the configuration file.
   The options STAT_CMD and READLINK_CMD, respectively, can be given
   the value of BUILTIN to achieve this. For the 'stat' script, perl
   must be present.

 Changes:
 - Improved the 'unsupported language' error message so that the user is
   told exactly what command to run in order to see the list of supported
   languages. Added a similar comment in the configuration file.
 - Errors from applications during the application version check are mostly
   now ignored. Improved checking that a valid version has been found.
 - The ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1 options in the configuration
   file can now be set to 'unset' and '2' respectively. These values indicate
   that the SSH configuration file has no specific value set for the
   corresponding SSH option ('PermitRootLogin' and 'Protocol'). RKH will show
   the test result in green and as 'Not set'.
 - Application names, in the application check, can now be completely
   whitelisted. Previously only specific versions were whitelisted, and
   RKH had to run the application to find the version. By whitelisting
   the application completely, RKH does not have to run it.
 - The use of the 'pflog' network interface is now checked for on all *BSD
   systems (not just OpenBSD).
 - Allow i18n language filenames to contain characters other than just letters.

 Bugfixes:
 - Scanning the /dev directory in LAZY mode corrupted the pathname being
   tested. Also RKH now handles filenames (in /dev) with spaces correctly.
 - During the test of files in /dev, MAKEDEV was not being automatically
   whitelisted if it exists as an actual file (not a symlink).
 - Ensure the suspscan test removes any files it creates.
 - The MAIL-ON-WARNING configuration file option and the --no-verbose-logging
   command-line option are now only logged if the system is being checked.
 - Root equivalent and passwordless account names are now shown correctly.
   Previously, names which contained spaces, for example if the account had
   been manually commented out, were only shown up to the first space character.
 - Whitelisted passwordless account names are now logged.
 - Suspscan warnings were being ignored by the rkhunter summary and return code.
 - Corrected obtaining process names in Solaris for the network ports and
   deleted files tests. Previously they did not report the name correctly, if
   at all.
 - Use of the '--debug' option with the Korn shell was not working correctly.
 - Reset the SIGPIPE handler to its default to avoid pipe output errors.
 - Language files may contain backticks. These are now escaped during
   processing.
 - Unset the MANPATH in the spec file to allow the RPM to be built on
   OpenSuSE systems.
 - The hidden files/directories test would try and run even if no 'file'
   command was present.
 - Cater for *BSD systems using the fdesc/fdescfs filesystem on /dev/fd.

 -- 

 * 1.3.0 (22/09/2007)

 New:
 - Created an ACKNOWLEDGMENTS file.
 - Added configuration file option MAIL_CMD when MAIL-ON-WARNING is used.
   This can specify the 'mail' command to use and the subject line.
 - The log file can be appended to. This can be set in the config file or
   by using the --append-log command line option.
 - A second colour set has been added for users using rkhunter with black
   characters on a white screen. The command-line option --cs2 will enable it.
 - Added special config file and command-line option, -x/-X, to detect if X
   is in use. If detected then the second colour set will be used.
 - Added '--propupd' option. This allows a user to create the rkhunter.dat
   file. This file contains the O/S name, file hash values and other bits of
   information. If the file hash values change, perhaps due to new versions
   of software, then the user simply runs rkhunter with the option again. If
   the user has not run rkhunter with this option, then the file properties
   checks are skipped. This option obsoletes the 'hashupd.sh' script previously
   recommended to users. If use of the '--propupd' option is suggested by
   the program, then the log file will contain a warning message to the
   user that they must ensure that the commands checked on their system
   have been installed and verified as being genuine. The file properties
   check consists of two main parts - the file attributes (permissions, uid
   etc), and the hash value. Both are stored in rkhunter.dat. Either part, or
   both, can be disabled using the '--disable' option.
 - Added the '--hash' command-line option, and the HASH_FUNC option to the
   configuration file. This allows a user to select the hash function command
   they want to use for the file hash value check and the properties update.
   By default SHA1 will be used, or MD5 if SHA1 cannot be found. For prelinked
   systems the function must be either MD5 or SHA1. A value of NONE can be used
   to disable the hash check or to stop the hash values being recorded in the
   rkhunter.dat file.
 - Added the HASH_FLD_IDX option to the configuration file. This specifies the
   field of the HASH_FUNC command output which contains the hash value. A
   default of 1 is used, except for *BSD systems where 4 will be used.
 - The files for the file hash checks are now 'looked for'. The code will
   search the command directories, and check the relevant files in all the
   directories. Additional commands and directories are used for Solaris,
   Mac OS X, NetBSD and FreeBSD systems. Overall more commands will be checked.
 - Added support for Ubuntu, and the 'dash' and 'ash' shells.
 - If the O/S name, architecture or prelinking status changes from one rkhunter
   run to the next, then a warning message is written to the log file and the
   file properties prerequisite check will fail. The change may well cause the
   file hash checks to show false positives. (The user should rerun rkhunter
   with the --propupd option.)
 - Rkhunter will now check that certain commands are present before starting
   any checks. This avoids spurious 'command not found' type messages
   suddenly appearing.
 - Added basic internationalization (i18n) functionality. The messages
   displayed during test processing are obtained from an indexed file.
   This file can be translated into other languages, keeping the index
   the same. To see which languages are provided use the new
   '--list languages' option. Chinese translation provided.
 - Added two new command-line and configuration file options, '--enable'
   and '--disable' to specify which tests are to be carried out and which
   are to be ignored. Use of either option will automatically assume '--check'.
 - To list the available test names, use the new '--list tests' option.
 - The '--update' and '--versioncheck' options can now use commands other than
   wget to download files. Supported commands are now wget, curl, elinks,
   links, lynx, bget and GET. Once a command has been found, it will be used
   for all downloads. Since bget and GET are perl commands, checks will be
   made that any required perl modules are also present on the system.
 - (SF Tracker 1616395) Added '--syslog' cli option, configuration file option
   USE_SYSLOG. This will allow the --check option start and finish time to
   be logged via syslog. The facility/priority are user configurable.
 - Added --debug cli option, and allow commands to be configured in the
   configuration file. Both of these additions are for the developers, but
   may be used when debugging user problems.
 - Added command-line options '--summary/--nosummary' (--ns). These control
   whether the system checks summary is shown. By default it is shown.
   The '--summary' option, as well as the '--report-warnings-only' option,
   will override the '--quiet' option if they are specified. However, no
   other information will be displayed if '--quiet' is used.
 - Added SunOS SInAR rootkit check.
 - Added '--verbose-logging/--no-verbose-logging' options. This cuts down on
   some of the logging for some of the tests. By default verbose logging is
   enabled.
 - The inetd and xinetd configuration file pathnames can now be specified
   in the rkhunter configuration file. Also, enabled inetd and xinetd
   services can now be whitelisted.
 - Added support for Solaris 10 inetd mechanism (inetadm).
 - The directory containing the SSH configuration file can now be specified
   in the rkhunter config file.
 - The pathname to the syslog configuration file can now be specified
   in the rkhunter config file.
 - The use of syslog remote logging can be allowed in the configuration file.
 - The pathnames to the local system startup file (rc.local), and the
   startup directory (/etc/rc.d) can now be specified in the rkhunter
   config file.
 - Files in /dev can now be whitelisted.
 - Application version numbers can now be whitelisted. This caters for those
   distributions that may patch a 'known bad' version, but without updating
   the original version number.
 - Added 'suspscan' to malware tests. Suspscan attempts to scan files in
   directories containing temporary files for signs of malicious activity, and
   could be of use on (publicly accessible) web servers running for instance
   PHP-based applications. Please note that in its current state suspscan is
   prone to reporting false positives, and is CPU and I/O intensive to boot.
   Therefore suspscan is disabled by default. Please do not enable suspscan
   unless you have good reasons to use it. Review the settings in the
   configuration file, and test before deploying it on production servers.
 - Added the command-line option '--pkgmgr', and the configuration file option
   PKGMGR. These provide support for package managers when using the
   '--propupd' and '--check' options. Currently supported package managers are
   'RPM' for RedHat/RPM-based systems, 'DPKG' for Debian-based systems, and
   'BSD' for *BSD systems. Additionally, 'NONE' can be used to indicate that
   no package manager is to be used. The default is 'NONE'. See the README file
   for more details.
 - It is now possible to configure rkhunter to use local or remote mirrors,
   rather than just the SourceForge one. This applies when either the
   '--update' or the '--versioncheck' option is used. The default is to use
   all defined mirrors. The README file has more details about this.
 - It is possible to configure rkhunter to not rotate the mirrors.dat file.
   It is also possible to configure the mirrors file not to be updated when
   the '--update' option is used. Both of these options can be useful when
   defining local mirrors. The README file has more details about this.
 - Added a file size check to the file properties checks. This will only occur
   for non-prelinked files, files not part of a package, or packaged files
   when the RPM package manager is being used.
 - Network ports listed in the backdoorports.dat file can now be whitelisted.
   Specific protocol/port pairs, or pathnames to allowed executables, may be
   used. Additionally, an asterisk may be used to indicate that trusted
   pathnames will be allowed. The configuration file has more details about this.
 - The O/S 'release' file pathname may now be configured. This option should only
   be necessary for those systems on which rkhunter cannot automatically
   determine the O/S name or version.
 - Rootkit files and directories, including those with spaces, may now be
   whitelisted in the configuration file.

 Changes:
 - Improved command-line and config file option checking.
 - The log file is now created by default; it can be disabled in the config
   file or by using the --nolog command line option. The log file is created
   with permissions 600.
 - The log file cannot be a symlink.
 - Multiple recipients may be specified with the MAIL-ON-WARNING config option.
 - Added BINDIR and ROOTDIR options to the config file.
 - Split out the README file into README and FAQ files.
 - Solaris will now use the bash shell if available.
 - Expanded the command PATH used to include the /opt/sfw and /usr/sfw
   directories for Solaris users.
 - Expanded the command PATH used to include the /usr/pkg directory for
   NetBSD users.
 - Expanded the command PATH used to include the /System/Links/Executables
   directory for GoboLinux users.
 - Versioncheck now checks the versions numerically.
 - The HASHWHITELIST configuration file option has been removed. It is no
   longer required because users can now create their own file of hash
   values using the '--propupd' option.
 - The '--checkall' option has been changed to '--check'. The old option is
   still recognised, but will be deprecated at some time.
 - If a logfile is to be written, but not appended to, then the old log file
   is moved to '<logfile name>.old' now. The same happens to the rkhunter.dat
   file if the --propupd option is used.
 - The previous 'known good' hash check now also checks the file's inode, uid,
   gid, permissions and modification date/time, for any changes. The latter
   is only for non-prelinked systems. As before, in all cases, the file hash
   is checked. (This is now the file properties check.)
 - Improved the O/S detection mechanism. Rather than requiring users to send
   us details, rkhunter actively looks at the 'release' file(s) to find the
   O/S name. Included support for some lesser-known Linuxes - GoboLinux,
   Lunar Linux, Rock Linux, Source Mage Linux, Kanotix, Sidux and Zenwalk.
 - If the --propupd or --update options are used, as well as the system
   check option --check, then the update checks are performed before the
   system is checked. Previously the update occurred after the system was
   checked.
 - Hidden file search now checks /usr/share/man directories.
 - Improved NetBSD support.
 - The supplied perl scripts, providing the stat, md5 and sha1 commands,
   can now be executed without perl being in the default directory (/usr/bin).
 - If a perl script is to be used, then a check is made that required modules
   are installed on the system. If they are not, then it is treated the same
   as if perl was not present.
 - Included the /usr/share/man directories when looking for hidden files.
 - Check for symbol entries in kallsyms file if ksyms does not exist.
 - Enabled sockstat/netstat test for all BSD variants (not just FreeBSD).
 - Enabled backdoor port test for all systems which have either the 'lsof'
   or 'netstat' command. However, if the netstat syntax is not understood
   on the O/S, then an error is shown. (The user can configure the test to
   be disabled to avoid the error.)
 - The TMPDIR configuration option and --tmpdir command-line option cannot
   be set to /tmp or /var/tmp because files will be copied and left there.
   It cannot be set to /etc either because files will be deleted from there.
 - Removed the '--scan-knownbad-files' option. This test was considered to
   be obsolete.
 - Removed the '--disable-md5-check' option. This is now the 'hashes' test
   name, and can be disabled by the '--disable' option.
 - Removed the '--allow-ssh-root-user' option from the command-line. This
   can still be set/unset in the configuration file. This option must now
   be set to the value of the 'PermitRootLogin' option in the SSH config
   file. This then allows root access to be set, but will check to see if
   the option has changed. A default value of "no" is used. 
 - The --rootdir/ROOTDIR configuration option has been changed to be more
   intuitive. Previously the specified ROOTDIR had to end in a slash (e.g.
   '/abc/'). Now this is not necessary; a normal directory name can be used
   (e.g. '/abc').
 - The '--versioncheck' option now rotates the mirror file. It also assumes
   program defaults if the mirror file is missing or empty, or if no mirrors
   are found within it. Additionally if the URL is missing from the
   configuration file, then a program default is used. This allows the option
   to work even if the files have become a bit corrupt. Any missing files or
   mirrors are logged to the log file. If a mirror fails, then the next
   mirror is used, until all the mirrors have been tried. Only then is a
   failure message displayed, and the return code set. The return code will be
   set to 0 if no error occurred, 1 if an error did occur, and 2 if no error
   occurred but a new version is available.
 - The '--update' option will use a default mirror if the mirror file is
   missing or empty. If a mirror fails then the next mirror is used. If a file
   has become corrupted such that the version number cannot be read, then a
   new copy will be downloaded. The return code will be set for this function.
   It will take the value of 0 for no error, 1 for an error, and 2 for no
   error but an update has occurred. This allows a user to use the --quiet
   option, but still check for the return code.
 - The version numbering of the '.dat' database files has changed. This makes
   them incompatible with previous versions of rkhunter, and as such files
   from previous versions will be overwritten if used with this version.
 - The displayed output and logged output are now similar. This allows
   checking the log file to be easier when looking for specific tests. The
   log file will, of course, log more information than is displayed on
   the screen.
 - Script replacement check now checks for any type of script (perl, awk, etc).
   Previous versions only checked for shell scripts. Commands which are
   supposed to be scripts can be whitelisted in the configuration file.
   The 'rkhunter' command itself is an exception, and the check will ensure
   that 'rkhunter' is a shell script. The script check will be automatically
   skipped if a package manager is being used, and the file has already
   passed the file size and hash checks.
 - File permissions check improved to check if 'other' has the 'w' bit set.
   Previous versions only checked if '777' ('rwxrwxrwx') was set. Merged this
   into the file properties checks. Soft links are ignored, as are packaged
   files when the RPM package manager is used.
 - The '--report-mode' option has been removed. It was not seen as being
   useful, and combinations of the other options will provide the same, if
   not better, reporting.
 - The xinetd.conf check now handles the 'include' directive. It also now
   handles the 'includedir' directive in all files, and not just in the
   initial xinetd configuration file.
 - The '--display-logfile' option can now be used after any option. Previously
   the log file was only shown after checking the system.
 - The checks on accounts and the password and shadow files, have been improved.
   The user can configure the pathname to the password and shadow files, as
   well as being able to whitelist accounts with no password or which are root
   equivalent. *BSD support improved.
 - Improved the hidden files and directories checks. Some directories are now
   searched more thoroughly, and checks against the file type are more robust.
 - Apache backdoor test now looks in more places.
 - The application version check no longer checks against known 'good'
   versions. Only a file of bad versions is kept. The previous method was
   impossible to maintain.
 - Enabled the immutable file test for *BSD systems.
 - Soft (symbolic) links for files and directories are now handled correctly.
   Previously the link was dealt with, but not what it pointed to. Soft links
   are dealt with when using the '--propupd' command, and when running the
   file properties checks. For those systems with no 'readlink' command (e.g.
   Solaris), or those in which readlink does not understand the '-f' option
   (e.g. NetBSD), a shell script is now provided to support this.
 - RPM spec file and installer now caters for x86_64 machines. Removing the
   RPM now more fully removes RKH; only the rkhunter.conf file should remain.
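
 The file properties check described for 1.3.0 (a hash taken from field
 HASH_FLD_IDX of the HASH_FUNC output, plus file attributes, compared against
 a recorded baseline) and the move from a '777'-only test to an 'other'
 writable test can be sketched as below. This is an added example, not
 rkhunter's code: the function names and the "hash mode path" baseline layout
 are hypothetical, sha1sum is assumed to be installed, and the sample files
 are constructed in a scratch directory.

```shell
#!/bin/sh
# Added illustration, not rkhunter source. HASH_FUNC and HASH_FLD_IDX are the
# option names from the changelog; the function names and the baseline layout
# ("hash mode path", one file per line) are hypothetical.

HASH_FUNC=${HASH_FUNC:-sha1sum}   # assumed installed; prints "hash  file"
HASH_FLD_IDX=${HASH_FLD_IDX:-1}   # 4 for the BSD layout "SHA1 (file) = hash"

# Print whitespace-separated field $1 of every input line.
hash_field() { awk -v n="$1" '{ print $n }'; }

file_hash()   { "$HASH_FUNC" "$1" | hash_field "$HASH_FLD_IDX"; }
mode_string() { ls -ld -- "$1" | cut -c1-10; }   # e.g. -rwxr-xr-x

# Older test: only an exact rwxrwxrwx (777) mode counts as a problem.
is_mode_777() {
    case $(mode_string "$1") in ?rwxrwxrwx) return 0 ;; esac
    return 1
}

# Newer test: any mode with the 'other' write bit set; soft links are ignored.
other_writable() {
    if [ -L "$1" ]; then return 1; fi
    case $(mode_string "$1") in ????????w?) return 0 ;; esac
    return 1
}

# Record "hash mode path" for each regular file directly under directory $1.
record_props() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            printf '%s %s %s\n' "$(file_hash "$f")" "$(mode_string "$f")" "$f"
        fi
    done
}

# Compare files against baseline file $1; print findings, return 1 if any.
check_props() {
    status=0
    while read -r old_hash old_mode path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        if [ "$(file_hash "$path")" != "$old_hash" ]; then
            echo "HASH-CHANGED $path"; status=1
        fi
        if [ "$(mode_string "$path")" != "$old_mode" ]; then
            echo "MODE-CHANGED $path"; status=1
        fi
        if other_writable "$path"; then
            echo "OTHER-WRITABLE $path"; status=1
        fi
    done < "$1"
    return "$status"
}

# Constructed demo: baseline a scratch directory, alter it, then re-check.
demo() {
    d=$(mktemp -d) || return 1
    printf 'echo hello\n' > "$d/tool a"     # name with a space, on purpose
    printf 'echo world\n' > "$d/tool_b"
    chmod 755 "$d/tool a" "$d/tool_b"
    record_props "$d" > "$d.dat"
    printf 'echo changed\n' > "$d/tool a"   # content changes, mode does not
    chmod 666 "$d/tool_b"                   # 'other' writable, yet not 777
    if ! is_mode_777 "$d/tool_b"; then echo "777-ONLY-TEST-PASSES $d/tool_b"; fi
    check_props "$d.dat"
    rc=$?
    rm -rf "$d" "$d.dat"
    return "$rc"
}

demo || echo "findings reported (exit status $?)"
```

 With the BSD layout and this whitespace split, a path containing a space
 moves the hash out of field 4, so a name like 'tool a' needs the GNU layout
 or a different extraction.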

 Bugfixes:
 - Command-line options requiring an argument now work correctly under Solaris.
 - The -h/--help option now works as expected.
 - The 'ignoKit rootkit' check was not checking all the required files.
 - Some checks were not respecting the ROOTDIR option in their pathnames. This
   has now been corrected (possibly not completely though). Also, some tests
   were using ROOTDIR pathnames in grep/strings checks when they shouldn't
   have been. This has also been corrected.
 - The file hash prelink test should now work even if SELinux objects to the
   prelink command (provided the 'runcon' command exists). When the '--propupd'
   option is used, any file for which a hash cannot be obtained is logged as
   a warning. (Typically prelink may need to be run on the file.) Rkhunter will
   still work as before, but the file properties check may show that the hash
   value has changed to or from a null value.
 - Corrected file attributes check - previously the immutable flag would never
   have been found.
 - Backdoor UDP port tests were not being done correctly. The TCP port tests
   have been made a bit more aggressive - TCP tests only look for TCP ports;
   they also look for established connections rather than just listeners.
 - Backdoor port data file (backdoorports.dat) is now part of the '--update'
   process.
 - The '--versioncheck' option did not set the return code. It now does so.
   However, note that if an update is available then the code will be set
   to '2'. This allows use of the '--quiet' option, but still being able to
   detect if an error occurred (code 1), an update is available (code 2) or
   if no error occurred and no update available (code 0).
 - Corrected bug in Solaris script replacement check. The tested output is
   never used on Solaris, so previously the test would never have worked.
 - The '--quiet' option now does what it says. No output is shown unless other
   options are specified by the user. E.g. using '--quiet' on its own produces
   no output, but sets the return code. If the '--report-warnings-only'
   option is used as well, then warnings will be shown despite '--quiet'
   being used.
 - Enabled the login backdoor check. It was coded, but used the wrong variable.
   It also checked for directory names rather than file names. This looked
   wrong, but I could not find any more info about it. As such we now check
   for their existence rather than whether they are files or directories.
 - Corrected the suspicious directories check.
 - The xinetd.conf check only occurred for Linux systems. It will now occur
   for all O/S's. Also, the check always reported the file was clean,
   regardless of whether this was true or not.
 - The hidden files and directories check was not working correctly for
   Gentoo users.
 - Small bug in T0rn rootkit file list.

 --

 * 1.2.10 (Not released)

 New:
 - Enabled Ohhara Rootkit check

 Changes:
 - If duplicate configuration file options are seen, then only the last
   one seen is used

 Bugfixes:
 - Lsof resolution fix
 - Fixed Danny Boy's Abuse Kit check
 - Fixed SHV5/Tripwire check
 - Fixed ignoKit check

 --

 * 1.2.9 (30/09/2006)

 New:
 - Rootkit Hunter is under new management so maintenance, development and support is assured
 - Added support for RHEL WS/AS/ES 3, Taroon update 8
 - Added support for Fedora Core 5
 - Added support for SuSE 10
 - Added check for packet capturing applications (see rkhunter.conf for whitelisting)
 - Added check for processes using deleted files (see rkhunter.conf for whitelisting)
 - Enabled netstat check for AIX
 - Enabled backdoor check for SunOS
 - Enabled logfile specification and checks

 Changes:
 - Improved cAos support
 - Improved AIX rc.sysinit test
 - Improved second promiscuous mode check
 - Improved prelinking test
 - Improved binaries found check
 - Improved MD5 check and application scan
 - Improved FreeBSD/AIX grepping
 - Improved Solaris grep/ifconfig (FP's)
 - Improved reportmode report-warnings-only
 - Improved permitrootlogin check with forced-commands-only
 - Improved passwordless user accounts test
 - Improved file/module name checks (FP's)
 - Improved check-update: DBDIR vs temp dir and preserve DAC rights
 - Improved Solaris script replacements
 - Fix typos, grammatical changes, formatting/displaying
 - Added more examples to config
 - Change contact information

 Bugfixes:
 - Removed stale mirrors
 - Fix SF tracker issue 1449701
 - Fix skdet test
 - Time uses Perl epoch 
 - Error message about "group" file
 - Ksh 'shift' fix

 --

 * 1.2.8 (24/02/2006)

 New:
 - Added '-sk' alias (instead of --skip-keypress)
 - Added support for Fedora core 4
 - Added support for FreeBSD 4.11, 5.2, 5.3, 5.4, 6.0
 - Added support for CentOS 3.3 ('final' and 'Final')
 - Added support for CentOS 3.5, 4.1 and 4.2
 - Added support for Debian 3.1 (AMD64)
 - Added support for RHEL WS/AS/ES 3, Taroon update 6
 - Added support for RHEL WS 4, Nahant Update 1 and 2
 - Added support for Slackware 10.2
 
 Changes:
 - Updated RHEL hashes
 - Updated Fedora Core 3 hashes
 - Updated SuSE 9.1 hashes
 - Updated software database
 - Update copyright line
 
 --

 * 1.2.7 (24/05/2005)
 
 New:
 - Added support for CentOS 4.0
 - Added support for Mandrake 10.2
 - Added support for Gentoo (sparc/sparc64/x86)
 - Added additional support for E-smith (SME 6.0.1)
 - Added support for FreeBSD 4.5 and 4.6

 Changes:
 - Improved support for Bind (thanks to Craig)
 - Improved support for RHEL AS release 3
 - Updated hashes for SuSE 9.1 (core-utils)

 Bugfixes:
 - Fixed problem with the updater (file was retrieved, but not placed within
   the correct directory)
 
 --

 * 1.2.6 (10/05/2005)
 
 New:
 - Added support for Tao Linux
 - Added support for Trustix 2.2 (Sunchild)
 
 Bugfixes:
 - Fixed problem with updater
 
 --

 * 1.2.5 (03/05/2005)
 
 New:
 - Added support for FreeBSD 4.11 (i386)
 - Added support for RHEL AS release 3
 - Added support for Cobalt (6.5.1)

 Changes:
 - Fixed permissions of check_update.sh
 - Fixed typo in help
 - Improved detection for some unknown rootkits/backdoors
 - Improved messages/logging
 - Some code cleanups
 - Important: fixed a security issue, related to temporary files
 
 --

 * 1.2.4 (25/04/2005)
 
 New:
 - Added support for E-smith (SME 6.0)
 
 Changes:
 - Updated hashes for Fedora core 2
 - Improved documentation of tools (see tools directory)
 - Removed logging from installer
  
 Bugfixes:
 - Fixed problem when using --allow-ssh-root-user (option was overwritten
   by configuration file option) 
 
 --

 * 1.2.3 (21/03/2005)

 New:
 - Added option to allow/whitelist hidden files and directories. See
   configuration file
 - Added support for SuSE 9.2 (x86-64)

 Changes:
 - Updated configuration file, to give more information about
   whitelisting of hidden files/directories
 - Updated Fedora core 3 hashes (procps package)
 - Updated packages: OpenSSH
 - Updated manpage
 - Improved logging
 - Added debugging info for named
 - Strip off patch version with PHP port (Debian)
 - Extended support for Fink (MacOS), added /sw/bin to BINPATHS in
   check_update.sh
 - Improved installer when /usr/local/bin is missing
  
 Bugfixes:
 - Fixed problem with unquoted variable (passwordless accounts)

 --

 * 1.2.2 (18/03/2005)
 
 New:
 - Added support for Mandrake 10.1
 - Added hashes for Mandrake 10.1. Thanks to Roderick B. Greening
 - Added support for RHEL WS release 3
 - Added support for NIS when looking for passwordless accounts
 - Added support for beX2 (evil code)
 
 Changes:
 - Updated Debian hashes
 - Changed permissions of installer (0755 instead of 0750)
 - Changed installer so normal users can install rkhunter. This is
   experimental, so check is commented in installer
 - Updated packages: Bind, Exim, OpenSSL
 - Improved logging
 - Small layout fixes
 - Code cleanup
 - Updated mirror list
 - Updated copyright message (2005)
 
 Bugfixes:
 - Changed symbols when one or more groups are added/removed

 --

 * 1.2.1 (21/02/2005)
 
 New:
 - Added support for Mandrake 8.1 (i586, no hashes)
 - Added support for FreeBSD 5.3 (i386, with hashes for release version)
 - Added support for Slackware 10.1
 - Added Turkish translation to installer (note: language support
   temporarily disabled)
 - Added support for Fink (MacOS), added /sw/bin to BINPATHS
 - Added contrib directory
 - Added script (contrib) run_rkhunter, by Andy Spiegel
 
 Changes: 
 - Updated hashes for SuSE 9.1, Mandrake 10.0
 - Updated installer (changed copyright line, comments and disabled
   version number, because it can be confusing when installer version
   is another version than main version.)
 - Perform extra check before checking configuration file (to see if
   it exists)
 - Improved logging (show temporary directory, improve output when
   scanning for default rootkit files/directories)
 - Improved output when system is unsupported
 - Stop program when temporary directory doesn't exist instead of
   creating it
 - Updated packages: Apache, Bind, GnuPG, OpenSSL
 - Fixed some typos

 Bugfixes:
 - BINPATHS got overwritten when performing software version check
 - Fixed bug when checking for ssh root user. Thanks to Andy Spiegel
 - Clean up temporary prelink file

 Website:
 - Added notification list
 - Fixed some XHTML bugs

 --
 
 
 * 1.2.0 (10/02/2005)

 New:
 - Added support for CentOS 3.4
 - Added new configuration option 'ALLOW_SSH_ROOT_USER' and program
   parameter '--allow-ssh-root-user' to allow direct login of a
   `root` user, in your SSH configuration file.
 
 Changes:
 - Updated hashes for Fedora Core 1, Core 2, Core 3
 - Changed RHEL 3, so taroon 4 uses the hashes of taroon 3
 - Updated Debian hashes
 - Removed ClamAV from application scan. It warns the user now when
   it runs a too old version.
 - Updated manpage  
 - Changed detection for SuSE versions. SuSE Linux Enterprise Server
   didn't work, because of the capitals (instead of the usual name)
 - Warn if user uses /tmp as temporary directory (possible security
   issue)
 - Updated wishlist/todo and manpage.
   
 Bugfixes:
 - Fixed wrong message when group was added/deleted from /etc/groups
 
 --
 
 * 1.1.9 (28/12/2004)

 New:
 - Added RH-Sharpe's rootkit (rootkit)
 - Added SHV5 rootkit (rootkit)
 - Added special test for tripwire
 - Added support for metalog (syslog daemon) 
 - Added support for ALTLinux 2.2 and 2.4
 - Added support for CentOS 3.3
 - Added support for Gentoo 1.6
 - Added support for FreeBSD 4.10 (alpha platform)
 - Added support for SuSE SLES8. Thanks to Mario Lenz
 - Added support for SuSE 9.2 (i586)
 - Added support for Fedora Core 3
 - Added support for Red Hat Enterprise Linux ES/WS release 4
 - Added hashes for Fedora Core 3. Thanks to Steph
 - Official port is now available for ALTLinux
 - Change text when an old software package has been found. This
   will happen with backporting operating systems (Red Hat,
   Fedora etc)
 
 Changes:
 - Improved logging for lsof test
 - Updated hashes for Fedora Core 1
 - Updated hashes for Debian woody
 - Updated hashes for Red Hat Enterprise Linux ES/WS release 3
 - Updated hashes for Slackware 9
 - Updated hashes for Slackware 10
 - Updated hashes for SuSE 9.1
 - Updated wishlist/todo, updated readme and manpage.
 - Code cleanup (added more remarks, cleanup of old/buggy things)..
 - Improved logging
 
 Bugfixes:
 - Changed binary search path due to a typo. Thanks to Bertrand

 --

 * 1.1.8 (12/09/2004)
 
 New:
 - Added support for Red Hat 6.2 and hashes. Thanks to Sebastian Herbszt
 - Added support for Red Hat Enterprise Linux ES 3, Taroon update 3
 - Added support for Red Hat Enterprise Linux AS 3, Taroon update 1
 
 Changes:
 - Improved Suckit detection
 - Improved FreeBSD version detection. It now will skip MD5 check if sysctl
   contains 'release', but patches for primary binaries are installed (like
   ls, ps, top etc)
 - Added error redirection when performing lsattr checks
 - Added `find` to path search
 - Updated installer with Portuguese/Brazilian language. Thanks to Douglas
 - Updated hashes for Red Hat Enterprise Linux 3
 - Updated hashes for Slackware 10
 - Cleaned up logging when checking for passwordless accounts
 - Show message when bad hashes are found. Some scared people began to worry
   immediately after they found several bad hashes, without understanding the
   reason for it (reason: updated packages).
 - Improved output in logging which deals with updated packages / hashes
 - Improved logging (informational logging)
 - Improved output of hidden directories/files. Thanks to Greg Houlette
 - Corrected some parts of logging
 - Code cleanup
 
 Bugfixes:
 - Forgot to initialise LSATTRFOUND
 
 --

 * 1.1.7 (29/08/2004)
 
 New:
 - Added support for ADM Worm
 - Added support for MzOzD and spwn backdoor
 - Added LKM filename check (experimental)
 - Added passwordless user account test
 
 Changes:
 - Updated Mandrake 9.2 hashes. Thanks to Eric Gerbier
 - Updated application version list
 - Extended inetd.conf test (searches for shells)
 - Added total of vulnerable applications at report, if application scan was
   performed.
 
 Bugfixes:
 - Fixed a major bug in the installer when you install version 1.1.5 or newer. The
   sample configuration won't be copied and, due to that, the --update function
   won't work.

 --
 
 * 1.1.6 (18/08/2004)

 New:
 - Added support for RSHA's rootkit (rootkit)
 - Inspect files attributes (immutable detection)
 - Added '--update' to help text. Updater seems to be stable
 - Added FreeBSD packages database test (pkgdb). It performs an automatic
   fixup of the database and displays an error when problems were found.
 - Added '--skip-application-check' option. This skips the program version
   check. On some systems it's half useless, because they use patched
   (old) version numbers.
 
 Changes:
 - Improved report at end (hide line when no rootkits are found)
 - Updated hashes for SuSE 9.1 (i586)
 - Fixed double hash in database
 - Updated database with program versions
 - Added more help and informational messages

 Bugfixes:
 - Improved installer (when last line contains no newline char, the INSTALLDIR
   option was added in the wrong place)
   
 --
 
 * 1.1.5 (11/08/2004)
 
 New:
 - Added support for Ni0 Rootkit (rootkit)
 - Added 'open files' check
 - Added OpenSSL check
 - Added Solaris 9 support

 Changes:
 - Improved logging of application scan check
 - Improved xinetd.conf tests (disabled some parts, due to false positives)
 - Improved logging in different places (more breaks etc)
 - Improved SunOS support. Thanks to Michael Gueting
 - Improved (POSIX compatible) applications support for SunOS
 - Fixed a typo (application version check)
 - Fixed a typo (SSH check)
 - Fixed small layout issue at application scan check
 - Removed a doubly declared variable (WARNING=0)
 
 Bugfixes:
 - Fixed missing lines in rkhunter.spec file
 - Installation script shouldn't be overwriting rkhunter.conf file..
 
 --
   
 * 1.1.4 (07/08/2004)
 
 New:
 - Added support for FreeBSD 4.10
 - Added support for White Box Enterprise Linux 3.0 
 - Added support for Debian 3.1 (Sid)
 - Added support for OpenBSD 3.5 (i386 and sparc64)
 - Added support for SunOS. Thanks to Michael Gueting
 - Added boot.local test for SuSE 9.x
 - Added Apache test
 - Added support for mod_rootme module (apache backdoor)
 - Added option '--display-logfile'. It displays the logfile you specified
   at the end of the output (don't forget to use --create-logfile)
 - Added application version checker
 
 Changes:
 - Don't quit when wget cannot be found during install   
 - Updated installer (for new update function)
 - Updated MD5 hashes for Mandrake 9.1
 - Updated MD5 hashes for Slackware 9.1
 - Updated MD5 hashes for FreeBSD 5.2.1
 - Improved logging in quiet mode
 - Improved key pauses when in 'interactive' mode
 - Improved xinetd check
 - Improved report-mode option (--report-mode). If you want a small amount of
   information (ie. if you scan a lot of servers), use this option.
 - Updated document location in installer   
 - Updated the wishlist. A lot of issues are solved now.
 - Updated changelog (had some little typos)
   
 Bugfixes:
 - Fixed false positive when using Debian 
 - Fixed support for PLD Linux and CPUBuilders Linux
 - Fixed a typo in the installer
 
 --  
   
 * 1.1.3 (20/07/2004)
 
 New:
 - Added support for SuSE Linux Enterprise Server 8. Thanks to Daniel Berlin
 - Added support for SuSE Linux Openexchange Server 4.1.1. Thanks to Daniel Berlin
 - Added support for Fedora Core 2 with 64 bits support
 - Added support for TDB database (/dev related)
 - Added hashes for FreeBSD 5.2.1
 - Added tools directory in tarball with an experimental auto-updater. Use it at your
   own risk and check the script before you run it!
 
 Changes:
 - Improved Suckit support (rootkit)
 - Improved user detection (the check will now handle NIS users fine when
   checking for UID 0 alike users)
 - Improved logging on multiple sections
 - Updated parameter list (--help), to reflect changes (--quiet)
 - Updated hashes for Mandrake 10
 - Updated installer. With a SunOS improvement by Michael Gueting.
 
 Bugfixes:
 - Quiet-option is now really quiet (xinetd line still appeared when running in
   quiet mode)
 - Fixed a problem with the binary UPX scan (multiple error lines appeared)
 
 --
 
 * 1.1.2 (14/05/2004)

 New:
 - Added string check. This checks some binaries which often get trojaned.
 - Added '--quiet' option. Very useful when running Rootkit Hunter as a cronjob
   and you don't want to see all the output (EXCEPT when warnings/errors have been
   found)
 - Added xinet daemon test. Thanks to unSpawn and Andrea
 - Added test for binaries (UPX)
 - Added alias '--create-logfile' for '--createlogfile'  
 - Added support for Mandrake 8.2
 - Added support for Mandrake 9.0
 - Added support for Mandrake 9.1
 - Added support for Redhat Enterprise Linux AS (Taroon update 2). Thanks to Yann Le Guennec
 - Added support for Slackware 10. Thanks to Fred Bulthuis
 - Added support for Gentoo 1.5. Thanks to Nicolas Kaiser
 - Added support for some Gentoo ppc versions
 - Added hashes for Slackware 10

 Changes:
 - Improved support for AIX and OpenBSD. Thanks to Iain Roberts
 - Improved support for rootkits (Dica, Dreams, Fuckit, MRK, Ohhara, Sin, SunOS Rootkit
   and TBD Rootkit)
 - Updated hashes for Fedora Core 2 
 - Updated hashes for SuSE 8.2. Thanks to Jack Denman
 - Updated installer
  
 Bugfixes:
 - Fixed another problem in the installer
 - Fixed a problem with the updater (not yet in use)
 - Changed output of `ps` when checking for syslog daemon (should fix a problem on some
   systems where the output was too long)
 
 --
 
 * 1.1.1
 
 Bugfixes:
 - Fixed a problem with the installer.. (wrong shell)  
   
 --

 * 1.1.0

 New:
 - Added support for Red Hat Linux Advanced Server 2.1
 - Added support for Slackware 9.0. Thanks to Stan Cosmin
 - Added support for Slackware 9.1. Thanks to Fred Bulthuis
 - Added support for Trustix 2.0. Thanks to Agung Ud
 - Added support for Debian with sparc64 architecture (testing/unstable)
 - Added hashes for Slackware 9.0
 - Added hashes for Slackware 9.1

 Changes:
 - Updated SuSE 9.1 hashes
 - Updated Mandrake 10 hashes
 - Updated Fedora Core 1 hashes
 - Updated Fedora Core 2 hashes
 - Updated OpenBSD 3.3 hashes
 - Updated Suckit (rootkit), multiple improvements
 - Updated rkhunter.spec file. Thanks to Craig Orsinger
 - Updated installer. Thanks to Iain Roberts
 - Added mirrors.dat to file checks
  
 Bugfixes:
 - Fixed WHITELIST option again (it stripped the wrong characters: when a hash
   contains a '5', it got stripped)
 - Updated sockstat/netstat check for FreeBSD
 - Skipping of MD5 didn't work anymore (due to a forced check when Perl module
   Digest::MD5 was found). Thanks to Zac

 -- 

 * 1.0.9
 
 New:
 - Added support for Balaur Rootkit (rootkit)
 - Added installdir option to the installer
 - Added INSTALLDIR option to configuration file
 - Added support for SuSE 9.1 (pro)
 - Added support for Fedora Core 2
 - Added support for RHEL 3 Taroon update 2 
 - Added support for PCLinuxOS (HD-install) 
 - Added hashes for SuSE 9.1
 - Added hashes for Fedora Core 2
 - Added hashes for Mandrake 10
 
 Changes:
 - Updated hashes for Fedora Core 1 (updating prelinked hashes is not a good
   idea..) Thanks to Doncho.
 - Updated hashes for SuSE 8.2
 - Updated hashes for Mandrake 9.2
 - Updated hashes for RHEL 3 Taroon update 1 and update 2. Thanks to Tom and Eilko
 - Improved hidden file detection
   
 Bugfixes:
 - Added prelink check, to resolve some problems with a few Fedora Core 1
   installations. Thanks to Mike Haslam for pointing out this problem.
 - Changed detection of syslog daemon 
 - Fixed a problem with the MD5WHITELIST option (see rkhunter.conf). Thanks to
   John P. New
 - Updated installer (added /usr/local/etc to directory check, because some
   systems don't have this directory by default)
 
 --

 * 1.0.8

 New:
 - Added support for Mandrake 10 (official release). Thanks to Dave Edwards
 - Added support for Slackware 9.1.0. Thanks to Zebul666
 - Added hashes for Red Hat Enterprise Linux 2.1 (Panama). Thanks to Duke
   (mastre). (+1 beer for me)
 
 Changes:
 - Updated hashes for Red Hat Enterprise Linux 3
 - Updated hashes for Fedora Core 1. Thanks to Greg Houlette
 - Updated rkhunter.spec file by Doncho
 - Improved extra Suckit tests. Check the presence of `stat`, before performing
   the scans. Reported by Pasi.
 
 -- 

 * 1.0.7

 New:
 - Added support for Irix Rootkit (rootkit)
 - Added support for URK (Universal Root Kit) (rootkit)
 - Added 'whitelist support' for MD5 hashes. See configuration file for more
   information about this new option.
 - Added improved support for Yellowdog 3.0 (Sirius). Thanks to P. Hopkins
 
 Changes:
 - Improved Suckit detection (multiple improvements). Thanks to unSpawn!
 - Fixed problem when running a special listener under FreeBSD (i.e. a DHCP
   daemon). Thanks to Yann Nottara
 - Fixed wrong text with 'rootdir' option. Thanks to Doncho N. Gunchev
 - Fixed typo with '--dbdir' parameter. Thanks to unSpawn.
 - Fixed rkhunter.spec file. md5blacklist.dat was missing. Thanks to Masanari
   Iida
 - Fixed a problem with the $rootdir
 - Improved rkhunter.spec file. Thanks to Doncho N. Gunchev
 - Improved Perl version detection. Thanks to Doncho N. Gunchev
 - Updated installer to support dynamic paths soon.
 - Layout improvements for installer 
 - Changed copyright text in main binary and installer (as required/suggested
   by GPL)
 - Updated website (FAQ, documentation)

 --

 * 1.0.6
 
 New:
 - Added support for FreeBSD 4.9 and 5.2.1
 - Added support for SuSE 9.0 (i386 and i586). Thanks to multiple people
 - Added support for Trustix. Thanks to Joachim Holst
 - Added support for Whitebox Enterprise Linux 3.0. Thanks to Fire
 - Added support for CentOS 3.1. Thanks to Fire
 - Added support for Mandrake 10 (community release). Thanks to Ted Kline
 - Added support for CPUBuilders Linux. Thanks to Chris Locke
 - Added support for Gentoo's 'rc.local' file (local.start)
 - Added parameter '--bindir' to use another (binary) directory than the default
   ones (to select which binaries will be used to perform the tests). Requested
   by Joel.
 - Added parameter '--configfile' to use another configuration file.
 - Added parameter '--dbdir' to use another (dynamic) database directory
 - Added a check when dynamic parameters are used (like --dbdir, --bindir) to
   check the existence of these paths/files.
 - Added lsmod check (/proc/modules) for Linux distros. Thanks to Micah Anderson

 Changes:
 - Updated hashes for Mandrake 9.2. Thanks to John P. New and others.
 - Updated hashes for Red Hat Enterprise Linux Update 1. Thanks to Eilko
 - Added informational message, when 'PermitRootLogin' or SSH protocol 1 is found,
   into the logfile
 - Renamed .spec file to rkhunter.spec  
 - Updated installer. Thanks to Uwe Hermann
 - Improved LKM check. Thanks to Joe Croft 
 - Improved logging
 - Fixed a problem with ifconfig
 
 --

 * 1.0.5

 New:
 - Added 'ignoKit' (rootkit)
 - Added support for Red Hat Linux 8.0 (Psyche)
 - Added option '--disable-passwd-check', to disable passwd/group check. Suggested
   by Michael Niehren
 - Added option '--scan-knownbad-files', to scan besides the 'known good' MD5 checks,
   a lot of system binaries against a 'known bad' database.
 - Added option '--tmpdir', to specify a temporary directory instead of the static
   one (see below, at 'tmpdir' option within the configuration file).
 - Added a 'known bad' database with a lot of 'blacklisted' binaries and tools
   (like sniffers, rootkits, backdoored binaries, IRC tools etc)
 - Added hashes for Red Hat Enterprise Linux ES release 3 (unpatched). Thanks
   to Nico Morrison
 - Added a 'mail-on-warning' option to the configuration file. When the checker finds
   one or more warnings, it will send a warning to the system administrator (see the
   configuration file for more information)
 - Added 'tmpdir' option to the configuration. This optional value can be used instead
   of the default (/usr/local/rkhunter/tmp) directory and is one of the first steps
   to make rkhunter less static.   
 - Rootkit Hunter now exits with an exit code of 1 when a rootkit is found or
   an MD5 checksum failed. Suggested by Michael Niehren

 Changes:
 - Updated support for Red Hat Enterprise Linux. Thanks to Nico Morrison
 - Improved/updated .spec file for RPM creation (improved cronjob script, updated
   file version, corrected packager value). Thanks to Joe Klemmer and Michael Niehren
 - Improved cronjob check (it contained a little bug, so it wasn't always non-
   interactive..)
 - Improved logging of sockstat/netstat tests
 - Fixed message when parameters are provided, but 'check' option is missing
 - Updated installer (0.0.6)

 --

 * 1.0.4
 
 New:
 - Added 'AjaKit' (rootkit)
 - Added 'Legion of Doom (LoD)' (rootkit) (note: uses almost all the same files
   as AjaKit)
 - Added support for Red Hat Enterprise Linux. Thanks to Kevin Jarnot
 
 Changes:
 - Updated 'NSDAP' (rootkit)
 - Updated 'Dica' (rootkit)
 - Updated 'X-Org SunOS Rootkit' (rootkit)
 - Changed message 'not found' into 'OK' when no file redirection has been found.
   Thanks to Jens Gutzeit
 - Improved check for hidden files (empty files will be skipped, more directories
   added)
 - Corrected file scan counter.
 - Improved logging
 - Cleaned up tarball
 
 --

 * 1.0.3

 New:
 - Added support for SuSE Linux 8.1.
 
 Changes:
 - Updated 'Flea Linux Rootkit', because /lib/security is a legal path name.
   Thanks to Moritz Bunkus
 - Updated syslog-ng checking (checking remote logging in the configuration file).
   Thanks to Juri Memmert for reporting the problem
 
 --

 * 1.0.2
 
 New:
 - Added 'aPa Kit' (rootkit)
 - Added 'Danny-Boy's Abuse Kit' (rootkit)
 - Added 'Duarawkz' (rootkit)
 - Added 'Flea Linux Rootkit' (rootkit)
 - Added 'HjC kit' (rootkit)
 - Added 'Kitko' (rootkit)
 - Added 'R3dstorm Toolkit' (rootkit)
 - Added 'TeLeKiT' (rootkit)
 - Added 'VcKit' (rootkit)
 - Added support for Aurora Linux 1.0 (SPARC, named 'Ansel')
 - Added support for Red Hat Linux 7.0
 - Added support for Mac OS X (Darwin kernel)
 - Added option '--report-mode' to remove footer and location of logfile
 - Added alias parameter '--createlog' for '--createlogfile'
 - Added alias parameter '--skipkeypress' for '--skip-keypress'
 - Added informational message when a user doesn't use '--checkall' or '--cronjob'

 Changes:
 - Updated hashes for Fedora Core 1. Thanks to Doncho N. Gunchev
 - Improved output of logfile
 - Changed warning message when a part of a rootkit has been found (show correct
   logfile instead of default file)
 - Changed footer message (and tell you guys you have to submit your undetected
   rootkits)
   
 Website:
 - Updated articles: Hyperlinks, Scanning Techniques
 
 --

 * 1.0.1

 New:
 - Added parameter '-h' (or --help, -?) to display the usage syntax (same thing
   when you give no options at all). Reported by Arthur E. Groen
 - Support for Linux SuSE 8.2 (i586 platform)
 
 Changes:
 - Improved scan for 'Suckit' (rootkit)
 - Updated hashes for Mandrake 9.2
 - Fixed a problem with the installer (wrong function declaration).
 - Had to strip down all colors in the installer, because of the complaints :-)
 - Changed installer so it could be used as a non-interactive installer (like it
   was before).. Languages are still usable, but will be used in later versions
   (with an interactive switch)
 - Fixed the LANG function (renamed it, because of the reserved name).
 - Added Swedish translation for the installer. Thanks to Daniel Olsson
 - Improved logging when Perl has been found
 - Undo 'skip MD5 test' (MD5CHECK_SKIP=0) when Digest::MD5 is available, but
   md5(sum) isn't, so we can still scan.
 - Fixed a wrong path name (deleting of temporary passwd file)
 
 Website / Documentation:
 - Updated FAQ
 - Updated Project information (updated supported OSes, rootkits, added date of
   last modification)
 - Updated README
 
 --

 * 1.0.0
 
 Special remarks:
 - New developer: Stephane Dudzinski (a.k.a. FRLinux)

 New:
 * Operating system support
 - Added support for Fedora (tested with Core 1, Yarrow)
 - Added support for Gentoo (tested with 1.4 release)
 - Added support for Red Hat 7.3 (Valhalla)
 - Added support for Sun Solaris (not working yet..)
 - Added OpenBSD 3.3 (i386) hashes
 - Added Fedora Core 1 (i386) hashes
 - Added special verify section when prelinked binaries are found (like Fedora
   Core 1 uses). Thanks to Michael G. Rozman
 - Added support for IBM AIX. A big thanks to Iain Roberts!
   Versions 4.3.2, 4.3.3, 5.1, 5.2, 5.3, 5.4

 * Rootkit / backdoor support
 - Added 'Dreams' (rootkit). Thanks to Joshua Levitsky
 - Added 'Heroin' (LKM rootkit)
 - Added 'Sin' (rootkit)
 - Added 'Shutdown' (rootkit)
 - Added 'Sneakin' (rootkit)
 - Added 'Superkit' (rootkit)
 - Added 'T0rn' (rootkit)
 - Added 'Trojanit Kit' (rootkit)
 - Added 'zaRwT.KiT' (rootkit)
 - Added 'Volc' (rootkit)

 * Linux support
 - Added extra kernel check (2.4/2.6) when OS is Linux
 - Added Linux 2.6 kernel support.
 - Added extra check when using a RPM based distro, to display the package name
   in the logfile when filehashes are different. Thanks to Michael G. Rozman

 * Rootkit Hunter options
 - Added option '--quick'. Can be used with newly added scans and will use
   some tweaks to scan quicker (be careful: can hide some useful information
   at first scan, i.e. hidden files with trojaned binaries)
 - Added option '--skip-keypress'. Make rkhunter non-interactive, so you don't
   have to press [enter] after every test. Requested by Michael G. Rozman
 - Added option '--version'. Displays version and quits.
 - Added extra check for promiscuous interfaces, when 'ip' command is available
 - Added check for (rootdir)etc/conf.d/local.start file (Gentoo)
 - Added ksyms check to rootkitscan section
 - Added check for binaries like nmap, ls, lsof, ps (for future use)
 - Added Perl Digest::SHA1 module check
 - Added SSH 'PermitRootLogin without-password' (as an unsafe option). Thanks
   to Doncho
 - Added check for sniffer logfiles detection
 - Added support for grsec enabled Linux kernel. Thanks Steph ;-)

 Changes:
 - Improved installation
 - Split version number (from 1.00 --> 1.0.0) due to future minor releases
 - Updated 'Ambient'
 - Updated 'BOBkit'
 - Updated 'Knark'
 - Updated 'Sebek'
 - Updated hashes for Red Hat 7.1 (fileutils, util-linux, SysVinit and xinetd).
   Thanks to Michael G. Rozman
 - Updated hashes for Debian 3.0 (IPv6 enabled version of tcpd). Thanks to Steph
 - Changed LKM check when kernelversion of Linux is the new 2.6
 - Improved support for other rootdirs (instead of '/')
 - Added check for empty files when searching for hidden files
 - Added check for real device files when searching for hidden files
 - Added colored layout, when performing file checks (for i.e. hidden files)
 - Little bugfix when performing LKM checking
 - Bugfix when scanning sshd_config for file if file isn't available in /etc/ssh
 - Improved logging for selftests
 - Improved logging when performing MD5 hash test
 - Improved logging for scanning of rootkits and malware
 - Improved logging of rootkitscan section (files and directories)
 - Improved logging for detection of binaries and Perl modules
 - Improved SSH 'root login allowed', to decrease false positives
 - Changed detection of users with a UID of 0 (zero)
 - Improved rootkitscan section for files and directories with spaces
 - Fixed wrong detection of Debian version (unstable/testing). Thanks to Daniel
   Olsson
 - Fixed wrong use of parameters when using --quick option, but not using -c.
   Thanks to Joost Peters
 - Added missing 'full OS' string, when RH doesn't recognise the operating
   system.
 - Fixed bad logging of rootkits (and files)
 - Fixed a problem when using --skip-keypress and a rootkit was found (skip
   keypress didn't work, and user input was required).   
 - Fixed installer for NetBSD and MacOS X, by commenting whereis functions (will
   be soon replaced)
 - A lot of code cleanups..

 Website:
 - Updated website (FAQ / Changelog, Project information)
 - Fixed a problem with the contact form (-moz-opacity CSS property failed with
   some browsers).


 --

 * 1.00 RC3

 New:
 - Added option --disable-md5-check to skip checking MD5 hashes (if you run 
   customized binaries/tools)
 - Added option --rootdir (or -r), to use with chrooted systems. Note: not
   completely integrated yet. Requested by Henk Wevers
 - Added functions logtext and displaytext to make script more powerful and
   easier to use (for example with a new 'quiet' option)
 - Added support for OpenBSD 3.3 and OpenBSD 3.4 (MD5 fix added, due to the
   missing -q (quiet) option of MD5). Thanks to Stefan

 Changes:
 - Updated 'Beastkit'
 - Updated 'BOBkit'
 - Updated hashes for Red Hat 9.0 (coreutils update). Thanks to Andrew Matthews
 - Fixed a little problem with support for multiple file hashes (see 1.00 RC2).
   When more than one hash was available, only the first one was checked. Thanks
   to Andrew Matthews for testing.
 - Solved two little issues with netstat check. Check reported possible backdoor
   if portnumber was present in another portnumber (like string '2001' is
   available in '20010'). Also the portnumber was found when the remote connection
   had the same portnumber as a possible backdoor (like a dynamic port 2001 was
   assigned to a SSH client). Thanks to Michael Firkins
 - Changed text when a possible backdoored file is found (because the --debug
   option is not valid). Thanks to Anton Pirnat
 - Changed check for OpenSSH sshd_config file (it will now search in more than
   1 place). Thanks to Jeroen Griede
 - Added extra check for file retrieval utilities (i.e. to do version checking)
 - Changed string at beginning of RH output (Determing OS... Ready)
 - Made some tweaks to the layout of the logfile (with --createlogfile option)

 --

 * 1.00 RC2
 
 New:
 - Added check for syslog-ng (instead of only checking for the presence of
   syslogd). Thanks to Chris Vaughan
 - Added check to allow more than one MD5/SHA1 for a single file. When a 'base'
   file will be updated, it's possible to add a second hash. Thanks to
   James Clark and Greg Bell
 - Added AIX check. Thanks to Val Baranov
 - Added hashes for SuSE 8.2 (i386)
 - Added hashes for Red Hat 9.0
 - Added hashes for Mandrake 9.2
 - Added hashes for Debian 3.0 (tested with release 2)
 - Added support for Mandrake (i.e. /dev/.devfsd file)
 - Added section to check the file type of every hidden file found
 - Added parameter 'nocolors' to disable colored output
 - Added support to run RH as a cronjob (parameter '--cronjob')
 - Added check to remove layout when running as cronjob
 - Added option to create a logfile (parameter '--createlogfile')
 - Added changelog on website (rootkit.nl)
 
 Changes:
 - Updated hashes for Red Hat 7.2
 - Cleanup logfile at startup
 - Just check /dev directory once for hidden files
 - Deleted unused consistency check (on Debian it showed several warnings)
 - Fixed a little problem with querying the default hashes database (added a
   slash to the query, to resolve the problem)
 - Layout fix for Linux distros
 - Fixed an error for Debian (where /etc/rc.d files do not always exist..) by
   adding an extra check for the presence of these files.
 - Tweaked section to scan /dev directory. Scan is faster now (scan for
   unknown shellscripts and files)
 - Some little layout changes
 - Updated 'Beastkit' due to a false positive. Thanks to Dunay
 - Updated 'Suckit' (more checks added)
 - Changed FAQ

 --
 
 * 1.00 RC1

 Remarks:
 First release
 
 New:
 - Database: backdoor ports (DB:backdoorports.dat)
 - Added filtering for network connections
 - Added OS support for SuSE Linux:
 - Added OS support for Debian: 2.2/3.0/testing
 - Added OS support for FreeBSD 5.x: version 5.0/5.1
 - Added OS support for FreeBSD 4.x: version 4.3/4.7
 - Added OS support for Red Hat Linux 7.1/7.2
 - Added KLD tests (FreeBSD)
 - All other options...
 
