Possible RootKit?!

Discussion in 'OS X' started by Ravernomina, Apr 26, 2010.

  1. macrumors member

    Joined:
    Nov 15, 2009
    #1
    Hello all. I just ran a scan, my first time using Rkhunter. The results say I have the dica-kit rootkit. I looked at the log file and the only reason why it is saying this is because I have a sshd_config file. So does this mean I have a breach? Or is it just how Mac OS X is set up? I also ran a check using chkrootkit but it says I was clean. Anyone have an idea? Thanks!

    I do have MacPorts installed and uTorrent installed, if that makes any difference to the detection.

    I also attached the log files saying that I have it.
     
  2. thread starter macrumors member

    Joined:
    Nov 15, 2009
    #2
    I think I'm clean. I googled a bit and it seems everyone has the sshd_config file by default. And I looked at the other results and they all look like nothing serious/dangerous at all. Can someone just confirm for me please? Thanks!
     
  3. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #3
    It simply is not specific enough. Yes, the sshd_config file is standard, but is it simply looking for that file or looking for specific lines inside the file?

    From the log, it seems as if it is looking for the file itself in combination with the other files. It is a bit odd for the program to spit out a warning on a standard file. If some of the other files that the rootkit contains also existed, then yes it would be cause for concern.

    Since those files do not exist, I would say you are fine.
     
  4. thread starter macrumors member

    Joined:
    Nov 15, 2009
    #4
    I was thinking that as well, because that file was making other warnings, which really didn't make sense. Also Rkhunter is mostly used for Linux systems. So I think because I compiled from source, and that file only appearing on Linux servers, made the confusion with the program. And the program just looks for the file, not what's in the file. I'll see if I can edit the source to not look for that file.
     
  5. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #5
    Looking for the file makes sense on systems that do not include an SSH server by default.

    I would modify it to not throw an error if only that file is present (in the event you wanted to run it on a non-OS X system), but removing it from the list would work as well.
     
  6. thread starter macrumors member

    Joined:
    Nov 15, 2009
    #6
    Well, I found a version for OS X; it's 1.3.0 and not 1.3.6, but hey, at least it has the fixes already. Also I ran a chkrootkit scan and it says I'm clean, and the OS X Rkhunter says I'm clean, and all the log files look normal. So I think it was just the program giving a false positive. Well anyway, thanks for your help :D
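The change calderone suggests in post #5, written out as an added example that is not from this thread or from rkhunter itself: a small shell check in the style of a file-based rootkit signature that only raises a warning when a file other than a platform-standard one is present. The indicator paths below are constructed placeholders, not rkhunter's real Dica-Kit signature, and the /etc/sshd_config location is an assumption.

```shell
#!/bin/sh
# Added example (not rkhunter code): a file-presence check that treats a
# file standard on this platform as a note, not a warning, so a clean
# OS X install with sshd_config does not trip the signature on its own.

# Files a hypothetical rootkit signature looks for (constructed list).
INDICATORS="/etc/sshd_config /usr/bin/.placeholder_bin /tmp/.placeholder_tmp"

# Files that exist on a clean install and must never count alone.
# /etc/sshd_config is an assumed location for the file the thread discusses.
BENIGN="/etc/sshd_config"

# check_indicators ROOT: scan paths under ROOT ("" for the live system,
# a temp directory for testing). Prints each match.
# Returns 0 = clean, 1 = suspicious (a non-benign indicator exists).
check_indicators() {
    root="${1:-}"
    suspicious=0
    for f in $INDICATORS; do
        if [ -e "$root$f" ]; then
            benign=0
            for b in $BENIGN; do
                [ "$f" = "$b" ] && benign=1
            done
            if [ "$benign" -eq 1 ]; then
                echo "note: $f present (standard on this platform, ignored)"
            else
                echo "WARNING: $f present"
                suspicious=1
            fi
        fi
    done
    return "$suspicious"
}
```

Run `check_indicators ""` against the live filesystem; with only sshd_config present it prints a note and exits 0, which is the behaviour calderone describes instead of rkhunter's warning.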
     
