%% RootCheck 0.3 %%
%% Available at: http://www.ossec.net/rootcheck %%
%% By Daniel B. Cid %%

%% Scan result info %%
Date: Mon Oct 20 10:03:02 2003
Operating system: Linux
Logged in as: root
Hostname: testsys

%% Conf files %%
Rootkits list - db/rootkits.txt - 178 entries
Files to check - db/files.txt - 6 entries
Binaries list - db/bin.txt - 54 entries
System list (bad files) - db/list.txt - 43 entries

%% Binaries check %%
Binaries clean.

%% Ports check %%
TCP check: OK
UDP check: OK
You don't have any port hidden from netstat.

%% Interfaces check %%
Checking eth0: 192.168.10.1 OK
Checking lo: 127.0.0.1 OK

%% Check password db %%
User mysql has /bin/bash shell
User gdm has /bin/bash shell

%% Check Config Files %%
Checking sudo: /etc/sudoers
Checking httpd.conf: /etc/apache/httpd.conf
Server Signature is On (should be Off).
Check http://www.ossec.net/rootcheck/info/httpd-conf.php for more info
Checking inetd.conf: /etc/inetd.conf OK
Checking sshd_config: /etc/ssh/sshd_config
Your system is allowing root login on sshd (should disable it).
You are probably using the default version of sshd_config.
Check http://www.ossec.net/rootcheck/info/sshd-conf.php for more info
Checking ssh keys: /etc/ssh/ssh_host_key OK
Checking ssh keys: /etc/ssh/ssh_host_rsa_key OK
Checking exports(NFS): /etc/exports OK
Checking ssh keys: /etc/ssh_host_key OK
Checking ssh keys: /lib/security/.config/ssh/ssh_host_key OK
Checking sshd_config: /lib/security/.config/ssh/sshd_config
Your system is reading .rhosts and .shosts files. Take a careful look at it.
Your system is allowing root login on sshd (should disable it).
Check http://www.ossec.net/rootcheck/info/sshd-conf.php for more info
Checking ssh keys: /illogic/etc/ssh_host_key OK
Checking sshd_config: /illogic/etc/sshd_config
Your system is reading .rhosts and .shosts files. Take a careful look at it.
Your system is allowing root login on sshd (should disable it).
Check http://www.ossec.net/rootcheck/info/sshd-conf.php for more info

%% Check Logs: %%
Syslogd is not running!
Check http://www.ossec.net/rootcheck/info/syslog.php for more info

%% Check process/ps: %%
PID 1 in use but "ps" does not show it!
PID 10 in use but "ps" does not show it!
PID 118 in use but "ps" does not show it!
PID 391 in use but "ps" does not show it!
PID 412 in use but "ps" does not show it!
PID 415 in use but "ps" does not show it!
PID 419 in use but "ps" does not show it!
PID 421 in use but "ps" does not show it!
PID 819 in use but "ps" does not show it!
PID 821 in use but "ps" does not show it!
PID 2167 in use but "ps" does not show it!

%% Check for rootkits %%
File found: /etc/ld.so.hash
Problem: Illogic Rootkit
Info: http://www.ossec.net/rootkits/illogic.php
File found: /usr/bin/sia
Problem: Illogic Rootkit
Info: http://www.ossec.net/rootkits/illogic.php
File found: /lib/security/.config
Problem: Illogic Rootkit
Info: http://www.ossec.net/rootkits/illogic.php

%% Check /dev %%
/dev is OK

%% Check all the system %%
Link files: Linked files OK.
The following binaries were the last modified:
1 - /bin/xlogin -> Mon Oct 20 10:01:20 2003
2 - /usr/bin/ssh2d -> Mon Oct 20 10:01:20 2003
3 - /sbin/login -> Mon Oct 20 10:01:20 2003
4 - /usr/bin/hcopy -> Mon Oct 20 04:22:08 2003
5 - /usr/bin/hdel -> Mon Oct 20 04:22:08 2003
The following files need check:
File found: /lib/security/.config/uconf.inv
Problem: Illogic rootkit
Info: http://www.ossec.net/rootkits/illogic.php
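The two sshd_config findings in the "Check Config Files" section above (root login permitted, .rhosts/.shosts honoured) come down to two directives, PermitRootLogin and IgnoreRhosts, and to sshd's rule that the first occurrence of a keyword wins and that anything after a Match line is conditional. The auditor below is an added example, not RootCheck's own code; the three sample configurations are constructed, and the default table is an assumption so the same check fits the 2003-era default (PermitRootLogin yes) and the OpenSSH 7.0+ default (prohibit-password).

```python
"""Added example (not RootCheck's code): audit sshd_config for the two
findings RootCheck reports above, using sshd's own parsing rules."""
import re
from typing import Dict, List

# Defaults applied when a directive is absent (assumption: pick the table that
# matches the OpenSSH generation being audited). IgnoreRhosts has always
# defaulted to "yes"; PermitRootLogin defaulted to "yes" in 2003-era OpenSSH
# and to "prohibit-password" from OpenSSH 7.0 on.
DEFAULTS_OLD = {"permitrootlogin": "yes", "ignorerhosts": "yes"}
DEFAULTS_NEW = {"permitrootlogin": "prohibit-password", "ignorerhosts": "yes"}

# Constructed samples, not files from the scanned host.
DEFAULT_CONFIG = """\
# Everything commented out, so the compiled-in defaults apply
#PermitRootLogin yes
#IgnoreRhosts yes
Port 22
"""
PLANTED_CONFIG = """\
# Typical of a rootkit-installed sshd_config: both knobs loosened
Port 22
PermitRootLogin yes
IgnoreRhosts no
"""
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
IgnoreRhosts yes
# Duplicate keyword: sshd keeps the first value, so this one is ignored
PermitRootLogin yes
# Match block: conditional, not a global setting
Match User deploy
    PermitRootLogin yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return lowercase keyword -> value for the global section only.
    sshd uses the first occurrence of each keyword, so later duplicates are
    dropped, and parsing stops at the first Match line because directives
    after it apply only when the Match criteria hold."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str, defaults: Dict[str, str] = DEFAULTS_OLD) -> List[str]:
    """Return a list of finding strings, empty when the config is clean."""
    cfg = dict(defaults)
    cfg.update(parse_sshd_config(text))
    findings: List[str] = []
    prl = cfg["permitrootlogin"].lower()
    if prl == "yes":
        findings.append(f"PermitRootLogin {prl}: root may log in over SSH, "
                        "including with a password (should be no)")
    elif prl in ("without-password", "prohibit-password", "forced-commands-only"):
        findings.append(f"PermitRootLogin {prl}: root may still log in with a key "
                        "(consider no)")
    if cfg["ignorerhosts"].lower() == "no":
        findings.append("IgnoreRhosts no: sshd honours ~/.rhosts and ~/.shosts "
                        "for host-based authentication (should be yes)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("planted", PLANTED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["OK"])
```

Point it at the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the report shows why the path itself matters, since the rootkit shipped its own sshd_config under /lib/security/.config/ssh and /illogic/etc, so every sshd_config on disk, not just the system one, is worth feeding through the check.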
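The "Check process/ps" section flags PIDs that the kernel says are in use but that ps does not list, which is exactly what a trojaned ps (one of the binaries the Illogic rootkit replaces) produces. The check reduces to gathering PIDs from a source the rootkit did not touch and diffing against ps output. The script below is an added example, not RootCheck's implementation: it probes PIDs with kill(pid, 0), which reports existence without signalling and counts EPERM as "exists", unions that with /proc, diffs against `ps -eo pid=`, and keeps only PIDs hidden on every pass so that processes that merely started or exited between the two snapshots drop out. The sample ps output and PID set are constructed to mirror the report.

```python
"""Added example (not RootCheck's code): find PIDs the kernel knows about
that ps fails to show, the signal behind the "Check process/ps" findings."""
import os
import subprocess
from typing import Iterable, List, Set

# Constructed sample: ps shows only two PIDs while the kernel has many more,
# mirroring the report above.
SAMPLE_PS_OUTPUT = "    2\n    3\n"
SAMPLE_IN_USE = {1, 2, 3, 10, 118, 391, 412, 415, 419, 421, 819, 821, 2167}


def parse_ps_pids(ps_output: str) -> Set[int]:
    """PIDs from `ps -eo pid=` style output; a header line, if present, is skipped."""
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():
            pids.add(int(tok[0]))
    return pids


def hidden_pids(in_use: Iterable[int], shown_by_ps: Iterable[int]) -> List[int]:
    """PIDs that exist according to the kernel but that ps does not list."""
    return sorted(set(in_use) - set(shown_by_ps))


def pid_exists(pid: int) -> bool:
    """Syscall-level existence check, independent of /proc and of ps.
    kill(pid, 0) delivers nothing; EPERM means the PID exists but is not ours."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def probe_self() -> bool:
    """Sanity check for the probe: our own PID must be visible to it."""
    return pid_exists(os.getpid())


def read_pid_max() -> int:
    """Upper bound for the brute-force probe; 32768 is the classic fallback."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768


def probe_pids(max_pid: int) -> Set[int]:
    """Brute-force every PID up to max_pid through the syscall probe."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def proc_pids() -> Set[int]:
    """Second kernel-side view: numeric entries in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def ps_pids() -> Set[int]:
    """What the (possibly trojaned) ps binary is willing to show."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def live_check(runs: int = 2) -> List[int]:
    """Diff kernel-side PIDs against ps, keeping only PIDs hidden on every run
    so that short-lived processes (including the ps child itself) are not
    reported. Our own PID is excluded explicitly."""
    stable: Set[int] = set()
    for i in range(runs):
        in_use = probe_pids(read_pid_max()) | proc_pids()
        hidden = set(hidden_pids(in_use, ps_pids())) - {os.getpid()}
        stable = hidden if i == 0 else stable & hidden
    return sorted(stable)


if __name__ == "__main__":
    print("constructed sample ->",
          hidden_pids(SAMPLE_IN_USE, parse_ps_pids(SAMPLE_PS_OUTPUT)))
    for pid in live_check():
        print(f'PID {pid} in use but "ps" does not show it!')
```

A run that reports nothing on a host with a kernel-level rootkit is still possible: if the rootkit hooks the kill and getdents paths as well as ps, every view lies consistently, which is why the report's other sections (known rootkit files, recently modified binaries, hidden ports) are run alongside this one rather than instead of it.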