
Rootkit Hunter (rkhunter) - How do I update?

open4biz
Is there a way to update Rootkit Hunter? My Plesk Control Panel v8.2.1 has RKHunter v1.2.8 and there's a v1.3.0 out now. What's the best / quickest / easiest way to update it?

I have Fedora Core 6 installed with all the latest updates yum'ed in. I have slight Linux experience. So being verbose might help.

Thank you in advance.
 
http://kb.swsoft.com/en/1323

After running Plesk security check in the watchdog module I see a message
similar to the following: "Your system contains some unknown version
numbers. Please run Rootkit Hunter with the --update parameter or fill in the contact form (www.rootkit.nl)"



CAUSE:

Rootkit Hunter found new package versions which are not listed in its database.


RESOLUTION:

Rootkit Hunter usually updates the database automatically. You can force an update with the following command:

$PRODUCT_ROOT_D/admin/sbin/modules/watchdog/rkhunter --configfile \
    $PRODUCT_ROOT_D/etc/modules/watchdog/rkhunter.conf --update

To get $PRODUCT_ROOT_D:
Code:
grep 'PRODUCT_ROOT_D' /etc/psa/psa.conf
 
$PRODUCT_ROOT_D/admin/sbin/modules/watchdog/rkhunter --configfile

My Product_Root_D is: /usr/local/psa

I tried that and it didn't work:

$/usr/local/psa/admin/sbin/modules/watchdog/rkhunter --configfile
-bash: $/usr/local/psa/admin/sbin/modules/watchdog/rkhunter: No such file or directory

I checked that folder and rkhunter is not in it. Am I doing something wrong?
 
That is odd, I have it in mine....

try
Code:
locate rkhunter | less

and see if you can find it - you may have to do some file copies or sym links

For example, I had to sym link
/usr/local/etc/rkhunter.conf to /usr/local/psa/etc/modules/watchdog/rkhunter.conf
 
/usr/local/psa/admin/bin/modules/watchdog/rkhunter
/usr/local/psa/admin/sbin/modules/watchdog/rkhunter
/usr/local/psa/etc/modules/watchdog/rkhunter.conf
/usr/local/psa/share/modules/watchdog/locale/de_DE.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/share/modules/watchdog/locale/es_ES.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/share/modules/watchdog/locale/fr_FR.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/share/modules/watchdog/locale/it_IT.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/share/modules/watchdog/locale/ja_JP.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/share/modules/watchdog/locale/zh_CN.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/share/modules/watchdog/locale/zh_TW.UTF-8/LC_MESSAGES/rkhunter.mo
/usr/local/psa/var/modules/watchdog/lib/rkhunter
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db
/usr/local/psa/var/modules/watchdog/lib/rkhunter/docs
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts
/usr/local/psa/var/modules/watchdog/lib/rkhunter/tmp
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/backdoorports.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/defaulthashes.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/md5blacklist.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/mirrors.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/os.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/programs_bad.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/db/programs_good.dat
/usr/local/psa/var/modules/watchdog/lib/rkhunter/docs/CHANGELOG
/usr/local/psa/var/modules/watchdog/lib/rkhunter/docs/README
/usr/local/psa/var/modules/watchdog/lib/rkhunter/docs/WISHLIST
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts/check_modules.pl
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts/check_port.pl
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts/check_update.sh
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts/filehashmd5.pl
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts/filehashsha1.pl
/usr/local/psa/var/modules/watchdog/lib/rkhunter/scripts/showfiles.pl
/usr/local/psa/var/modules/watchdog/lib/rkhunter/tmp/group
/usr/local/psa/var/modules/watchdog/lib/rkhunter/tmp/passwd
/var/log/rkhunter.log

Here's the info from that. What should I do next?
 
your locate shows you have the rkhunter file
/usr/local/psa/admin/sbin/modules/watchdog/rkhunter
 
I feel like I'm getting closer. I copied the rkhunter.conf /usr/local/etc/

Here's the latest of what I typed and the result:

/usr/local/psa/admin/sbin/modules/watchdog/rkhunter --configfile
Don't you want to check your system?
Please submit a parameter like --checkall or --cronjob

I tried the following next and here's the result:

/usr/local/psa/etc/modules/watchdog/rkhunter.conf --update
-bash: /usr/local/psa/etc/modules/watchdog/rkhunter.conf: Permission denied

I'm logged in as root... how can permission be denied?!?
 
I was able to update the database for 1.2.8 after taking a break and using a fresh brain. But... still can't figure out how to update to v1.3.0.
 
Originally posted by atomicturtle
I should have a new version out in my archive today.

I looked for it Mr. Turtle... no luck. Has it been updated because I've hit a brick wall. I can't figure out how to install v1.3.0 to the same watchdog directory so the Plesk control panel may take advantage of it.
 
Got sidetracked on some other things and haven't finished it yet. I'll see if I can get it out today.

In response to the other parts of this thread: --update just updates the signature files used by rkhunter, it doesn't update rkhunter itself.
 
Well, thank you for your work.

How do you like Joomla vs Mambo vs Drupal?

I would like to use Drupal, but the theme system is unruly and I keep getting stuck while developing for it. How is the templating system for Joomla? If it's easier... I'll switch over posthaste.
 
I've got it in the [atomic-testing] channel now. It's a pretty big change and I haven't worked all my tweaks into it yet.

I use Joomla myself. It's kind of a pain in the *** to get started with. Once you're going it's pretty easy though. Just a steep learning curve. The look and feel is all done with CSS. Same thing with Mambo. Haven't worked with Drupal.
 
Originally posted by atomicturtle
I've got it in the [atomic-testing] channel now. It's a pretty big change and I haven't worked all my tweaks into it yet.


Should I wait? I guess I don't know what that means to what I'm trying to accomplish. :confused:

I use Joomla myself. It's kind of a pain in the *** to get started with. Once you're going it's pretty easy though. Just a steep learning curve. The look and feel is all done with CSS. Same thing with Mambo. Haven't worked with Drupal.

Yes, I know. I've been on your website a couple times. I even clicked a few of the adsense items to get some $$$ to you for your help. :O)

Drupal is robust and a little daunting. The templates can be made from CSS, PHP/CSS and PHP/javascript/CSS combos. I only want to deal with CSS. The modules are pretty straightforward, though.

Have you seen this?

http://www.joomlatemplatekit.com/ar...emplate-kit-the-joomla-template-kit-se-1.html

Looks promising... a little pricey though. Seems more like a $19-49 product as it does just one thing... hopefully well.
 
I could use the extra eyes on the package. I rely pretty heavily on the community to test out these releases, and give me feedback.
 
Roger. I'll be your test monkey. If I can get it...

Most semi-intelligent MS-knowledgebased individuals can. At least I remember DOS and the command line. That's been my saving grace with *nix.

Off to go give it a shot...
 
Well... it installed and it's working from SSH... but I don't know how to link Plesk v8.2.1 to it so that is what runs from Plesk's control panel.

Any ideas?

(And thank you for the package)
 
Ha ha ha ha ha ha ha! Oh really? Did you forget who you're corresponding with?!? That's totally out of my reach if I have to 'hack it.' lol

Thanks anyway.

Mr Hosting Guy: the security scan in Plesk still says 'v1.2.8'. They must be installed in different directories then. When I whereis, I get:

rkhunter: /usr/bin/rkhunter /etc/rkhunter.conf /usr/lib/rkhunter /usr/local/etc/rkhunter.conf /usr/share/man/man8/rkhunter.8.gz

Is there a way to tie to Plesk?
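
An added example, not part of the thread and not Plesk's own tooling: the KB command is one line in which `--configfile` takes the path that follows it, and it refreshes only the data files of the rkhunter copy bundled under the watchdog module. The helper names, the "KEY value" layout assumed for psa.conf, and the sample file are constructed for illustration.

```shell
# Read PRODUCT_ROOT_D from a psa.conf-style file.
# Assumption: entries are "KEY value" lines and comments start with '#'.
plesk_root() {
    awk '$1 == "PRODUCT_ROOT_D" { print $2; exit }' "${1:-/etc/psa/psa.conf}"
}

# Build the KB update command as ONE line. Typing only the first half
# (ending at --configfile) or only the rkhunter.conf path fails, as seen above.
watchdog_update_cmd() {
    local root
    root=$(plesk_root "$1")
    [ -n "$root" ] || { echo "PRODUCT_ROOT_D not found" >&2; return 1; }
    printf '%s --configfile %s --update\n' \
        "$root/admin/sbin/modules/watchdog/rkhunter" \
        "$root/etc/modules/watchdog/rkhunter.conf"
}

# Check both paths before running anything: the binary must be executable,
# the config only needs to be readable (it is an argument, never a command).
watchdog_preflight() {
    local root=$1
    [ -x "$root/admin/sbin/modules/watchdog/rkhunter" ] \
        || { echo "missing binary"; return 1; }
    [ -r "$root/etc/modules/watchdog/rkhunter.conf" ] \
        || { echo "missing config"; return 1; }
    echo "ok"
}

# Demo on a constructed psa.conf so the block runs on any machine.
sample=$(mktemp)
printf '# constructed sample\nPRODUCT_ROOT_D /usr/local/psa\n' > "$sample"
watchdog_update_cmd "$sample"
rm -f "$sample"
```

On a real server, call `watchdog_update_cmd` with no argument to read /etc/psa/psa.conf, and run the printed line only after `watchdog_preflight "$(plesk_root)"` prints `ok`.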
 