Go Back   MacRumors Forums > Apple Systems and Services > OS X
Old Apr 26, 2010, 10:04 PM   #1
Ravernomina
macrumors member
 
Join Date: Nov 2009
Possible RootKit?!

Hello all. I just ran a scan for the first time using rkhunter. The results say I have the dica-kit rootkit. I looked at the log file, and the only reason it is saying this is because I have an sshd_config file. So does this mean I have a breach, or is it just how Mac OS X is set up? I also ran a check using chkrootkit, but it says I was clean. Anyone have an idea? Thanks!

I do have MacPorts installed and uTorrent installed, if that makes any difference to the detection.

I also attached the log files saying that I have it.

Last edited by Ravernomina; Aug 15, 2010 at 03:17 PM.
Old Apr 26, 2010, 10:44 PM   #2
Ravernomina
Thread Starter
macrumors member
 
Join Date: Nov 2009
I think I'm clean. I googled a bit and it seems everyone has the sshd_config file by default. And I looked at the other results and they all look like nothing serious/dangerous at all. Can someone just confirm for me please? Thanks!
Old Apr 26, 2010, 10:50 PM   #3
calderone
macrumors 68040
 
Join Date: Aug 2009
Location: Seattle
It simply is not specific enough. Yes, the sshd_config file is standard, but is it simply looking for that file or looking for specific lines inside the file?

From the log, it seems as if it is looking for the file itself in combination with the other files. It is a bit odd for the program to spit out a warning on a standard file. If some of the other files that the rootkit contains also existed, then yes, it would be cause for concern.

Since those files do not exist, I would say you are fine.
__________________
ACSA, ACMT
Old Apr 26, 2010, 10:55 PM   #4
Ravernomina
Thread Starter
macrumors member
 
Join Date: Nov 2009
Quote:
Originally Posted by calderone View Post
It simply is not specific enough. Yes, the sshd_config file is standard, but is it simply looking for that file or looking for the contents?

From the log, it seems as if it is looking for the file itself in combination with the other files. It is a bit odd for the program to spit out a warning on a standard file. If some of the other files that the rootkit contains also existed, then yes it would be cause for concern.

Since those files do not exist, I would say you are fine.
I was thinking that as well. Because that file was making other warnings, that really didn't make sense. Also, rkhunter is mostly used for Linux systems. So I think because I compiled from source and that file only appearing on Linux servers made the confusion with the program. And the program just looks for the file, not what's in the file. I'll see if I can edit the source to not look for that file.
Old Apr 26, 2010, 11:03 PM   #5
calderone
macrumors 68040
 
Join Date: Aug 2009
Location: Seattle
It looking for the file makes sense on systems that do not include an SSH server by default.

I would modify it to not throw an error if only that file is present (in the event you wanted to run it on a non OS X system), but removing it from the list would work as well.
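The two suggestions above (post #3: a file-presence test should not fire on a single standard file; post #5: keep the check but do not warn when only that file is present) can be shown in a few lines of shell. This is an added example, not rkhunter's own test code and not code from either poster: the indicator paths for the hypothetical kit are constructed for illustration, with /etc/sshd_config standing in for the standard file that tripped the scan in the thread. The `scan` function takes a root directory so it can be run against a staged tree instead of the live system.

```shell
#!/bin/sh
# Added example: a scaled-down "does this file exist?" rootkit check of the
# kind rkhunter runs, plus the refinement from post #5 of the thread.
# Not rkhunter's code; the indicator list below is constructed.

# Constructed indicator list for a hypothetical kit. Real rkhunter tests
# carry their own lists; /etc/sshd_config stands in for the standard
# file that caused the false positive in the thread.
KIT_FILES="/tmp/.kit /tmp/.kit/chattr /usr/bin/.sniff /etc/sshd_config"

# Files that exist on a clean install of the platform and therefore must
# not, on their own, count as evidence of the kit.
STANDARD_FILES="/etc/sshd_config"

# is_standard PATH -> exit 0 if PATH is listed in STANDARD_FILES
is_standard() {
    for s in $STANDARD_FILES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# scan ROOT -> prints exactly one line:
#   CLEAN                              no indicator file present
#   INFO standard file(s) only: ...    only platform-standard files hit
#   WARNING ...                        at least one non-standard file hit
# ROOT is prefixed to every path; pass "" to check the live system.
scan() {
    root=$1
    hits=""
    suspicious=0
    for f in $KIT_FILES; do
        if [ -e "$root$f" ]; then
            hits="$hits $f"
            if ! is_standard "$f"; then
                suspicious=$((suspicious + 1))
            fi
        fi
    done
    if [ -z "$hits" ]; then
        echo "CLEAN"
    elif [ "$suspicious" -eq 0 ]; then
        # A naive presence-only check (what post #3 describes) would
        # warn here. Downgrade: the only hits are files every clean
        # system has, so they carry no signal by themselves.
        echo "INFO standard file(s) only:$hits"
    else
        echo "WARNING$hits"
    fi
}

# Run against the live filesystem when invoked as: sh scan.sh --live
if [ "${1:-}" = "--live" ]; then
    scan ""
fi
```

The point of the `STANDARD_FILES` list is the one calderone makes: a file that ships with the OS is not an indicator, but it still counts as corroboration once a non-standard file from the same kit is present, so the check keeps it in `KIT_FILES` rather than deleting it. Current rkhunter releases expose the same idea as a whitelist in rkhunter.conf (RTKT_FILE_WHITELIST), which is the supported route rather than editing the source.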
Old Apr 26, 2010, 11:26 PM   #6
Ravernomina
Thread Starter
macrumors member
 
Join Date: Nov 2009
Quote:
Originally Posted by calderone View Post
It looking for the file makes sense on systems that do not include an ssh server by default.

I would modify it to not throw an error if only that file is present (in the event you wanted to run it on a non OS X system), but removing it from the list would work as well.
Well, I found a version for OS X. It's 1.3.0 and not 1.3.6, but hey, at least it has the fixes already. Also, I ran a chkrootkit scan and it says I'm clean, and the OS X rkhunter says I'm clean, and all the log files look normal. So I think it was just the program giving a false positive. Well, anyway, thanks for your help.
Copyright 2002-2013, MacRumors.com, LLC