Daniel Cid / ossec-hids
Issue #29 new

rootkit_files.txt will fail to detect Phalanx root kit

Anonymous created an issue

The current entry in the rootkit file is:

{{{
# PHALANX rootkit
usr/share/.home.ph1 ! PHALANX rootkit ::
usr/share/.home.ph1/tty ! PHALANX rootkit ::
etc/host.ph1 ! PHALANX rootkit ::
bin/host.ph1 ! PHALANX rootkit ::
}}}

However, in the version of Phalanx2 available at PacketStorm (http://packetstormsecurity.org/files/view/42556/phalanx-b6.tar.bz2), the setup.sh script takes an argument $suffix which, if supplied, it uses as part of a sed operation to replace the 'ph1' characters in the filenames.

From setup.sh (line 44):

{{{
cat install.sh.template |sed -e "s/.ph1/$suffix/g" > ph/install.sh
}}}

I would suggest that the lines in rootkit_files.txt should be:

{{{
# PHALANX rootkit
usr/share/.home. ! PHALANX rootkit ::
usr/share/.home./tty ! PHALANX rootkit ::
etc/host. ! PHALANX rootkit ::
bin/host. ! PHALANX rootkit ::
}}}

Regards,

Mark

Comments (2)

  1. jbcheng

    Mark, good investigation with Phalanx2. There seem to be two issues with the suggested change to rootkit_files.txt:

    1) "s/.ph1/$suffix/g" does not guarantee the suffix starts with a period
    2) /etc/host.conf is a legit resolver configuration file, and /bin/hostname is a legit binary.
    

    How about a slight modification:

    # PHALANX rootkit
    usr/share/.home*     ! PHALANX rootkit ::
    usr/share/.home*/tty ! PHALANX rootkit ::
    etc/host.ph1            ! PHALANX rootkit ::
    bin/host.ph1            ! PHALANX rootkit ::
    

    I assume it takes only one match (not all four) in order to trigger an alert.
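A small rule checker, added here and not part of OSSEC or of either post, that applies both proposed rule sets to a constructed file listing and reports detections, false positives and misses: it shows `etc/host.*` hitting the legitimate /etc/host.conf, and a trailing `.` missing an install whose suffix has no leading period (the unescaped `.` in `s/.ph1/$suffix/g` matches any character, so the period itself is replaced). It assumes `*` behaves as a shell-style glob; SAMPLE_FS is a constructed listing, not a real host.

```python
import fnmatch

# Constructed file listing for a test host (paths relative to /, as rootkit_files.txt expects).
SAMPLE_FS = [
    "etc/host.conf",            # legitimate resolver configuration
    "bin/hostname",             # legitimate binary
    "etc/host.ph1",             # Phalanx2 installed with the default suffix
    "usr/share/.home.ph1",
    "usr/share/.home.ph1/tty",
    "usr/share/.home_x",        # suffix given without a leading period
]
BENIGN = {"etc/host.conf", "bin/hostname"}

# Mark's entries with '*' appended, so the trailing '.' acts as a prefix.
PREFIX_RULES = """\
# PHALANX rootkit
usr/share/.home.* ! PHALANX rootkit ::
usr/share/.home.*/tty ! PHALANX rootkit ::
etc/host.* ! PHALANX rootkit ::
bin/host.* ! PHALANX rootkit ::
"""

# jbcheng's entries: wildcard only the hidden directory, keep the /etc and /bin names exact.
GLOB_RULES = """\
# PHALANX rootkit
usr/share/.home*     ! PHALANX rootkit ::
usr/share/.home*/tty ! PHALANX rootkit ::
etc/host.ph1         ! PHALANX rootkit ::
bin/host.ph1         ! PHALANX rootkit ::
"""

def parse_rules(text):
    """Yield (pattern, rootkit_name) from 'path ! Name ::' lines; '#' lines are comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, name = line.rstrip(" :").partition("!")
        yield path.strip(), name.strip()

def scan(rules_text, fs, benign):
    """Apply each rule as a shell-style glob (an assumption about '*') and classify the hits."""
    hits = set()
    for pattern, _name in parse_rules(rules_text):
        hits.update(p for p in fs if fnmatch.fnmatchcase(p, pattern))
    planted = set(fs) - benign
    return {"detected": sorted(hits & planted),
            "false_positives": sorted(hits & benign),
            "missed": sorted(planted - hits)}
```

Calling `scan(PREFIX_RULES, SAMPLE_FS, BENIGN)` flags etc/host.conf and misses usr/share/.home_x, while `scan(GLOB_RULES, SAMPLE_FS, BENIGN)` detects every planted path with no false positives.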
