June 07, 2009

Dealing with rkhunter warnings

rkhunter often warns on file property changes after upgrade and such, and sometimes you just aren't sure whether it is due to recent upgrades, or because you really were compromised. The following script was written to compare the checksum of all files rkhunter warns about against the originals in a debian repository.



The latest version of this is available in my script.git respos.




#!/bin/bash
desc="
This script will verify whether files for which rkhunter has logged a
warning for is still valid. It does this by finding which debian package
it came out of, and downloads them, unpacks them, then checks
the checksums.

Run it by supplying a rkhunter log file as first argument
"

HASHER="sha256sum"

IFS="
"
function find_suspect_files
{
echo "parsing $1 for suspect files" 1>&2
grep -1 Warning "$1"| grep File | sed 's|.*File: ||'
}

function find_packages
{
echo "finding packages" 1>&2
for suspect_file in $1
do
package=$(dpkg -S $suspect_file|awk '{print $1}'|sed 's/.$//')
echo "suspect file $suspect_file found in $package" 1>&2
echo $package
done

}

function make_aptitude_args
{
echo "generating aptitude arguments" 1>&2
for package in $1
do
version=$(dpkg -p $package | grep Version | awk '{print $2}')
echo $package=$version
done
}

function cleanup
{
echo "cleaning up"
popd
rm -rf tmp
exit $1
}

function setup
{
echo "setting up"
rm -rf tmp
mkdir tmp
pushd tmp
}

if [ $# -ne 1 ];
then
echo "$desc"
exit 1
fi

suspect_files=$(find_suspect_files "$1")

packages=$(find_packages "$suspect_files" | sort | uniq)

if [ -z "$packages" ];
then
echo "***WARNING****"
echo "No packages contain any of the suspect files!"
cleanup 1
fi

aptitude_args=$(make_aptitude_args "$packages")

setup

echo "downloading packages"
aptitude download $aptitude_args 1>/dev/null
if [ $? -ne 0 ];
then
echo "aptitude download failed!"
echo "args=$aptitude_args"
cleanup 1
fi

echo "unpacking"
for deb_file in *.deb
do
ar -x $deb_file
tar zxf data.tar.gz
rm -rf data.tar.gz control.tar.gz
done

for suspect_file in $suspect_files
do
if [ ! -f ".$suspect_file" ]
then
echo "***WARNING****"
echo "For some reason .$suspect_file does not exis!"
continue
fi
echo -n "verifying $suspect_file... "
suspect_sum=$($HASHER $suspect_file | awk '{print $1}')
clean_sum=$($HASHER ".$suspect_file" | awk '{print $1}')
if [ $suspect_sum == $clean_sum ];
then
echo "OK"
else
echo
echo "***WARNING****"
echo "Checksum mistmatch for $suspect_file!!!"
echo "Should be: $clean_sum"
echo "Is: $suspect_sum"
fi
done
cleanup


Cheers,

Steve