
changelog

- Some checks were not respecting the ROOTDIR option in their pathnames. This
  has now been corrected (possibly not completely though). Also, some tests
  were using ROOTDIR pathnames in grep/strings checks when they shouldn't
  have been. This has also been corrected.
- The file hash prelink test should now work even if SELinux objects to the
  prelink command (provided the 'runcon' command exists). When the '--propupd'
  option is used, any file for which a hash cannot be obtained is logged as
  a warning. (Typically prelink may need to be run on the file.) Rkhunter will
  still work as before, but the file properties check may show that the hash
  value has changed to or from a null value.
- Corrected file attributes check - previously the immutable flag would never
  have been found.
- Backdoor UDP port tests were not being done correctly. The TCP port tests
  have been made a bit more aggressive - TCP tests only look for TCP ports;
  they also look for established connections rather than just listeners.
- Backdoor port data file (backdoorports.dat) is now part of the '--update'
  process.
- The '--versioncheck' option did not set the return code. It now does so.
  However, note that if an update is available then the code will be set
  to '2'. This allows use of the '--quiet' option, but still being able to
  detect if an error occurred (code 1), an update is available (code 2) or
  if no error occurred and no update available (code 0).
- Corrected bug in Solaris script replacement check. The tested output is
  never used on Solaris, so previously the test would never have worked.
- The '--quiet' option now does what it says. No output is shown unless other
  options are specified by the user. E.g. using '--quiet' on its own produces
  no output, but sets the return code. If the '--report-warnings-only'
  option is used as well, then warnings will be shown despite '--quiet'
  being used.
- Enabled the login backdoor check. It was coded, but used the wrong variable.
  It also checked for directory names rather than file names. This looked
  wrong, but I could not find any more info about it. As such we now check
  for their existence rather than whether they are files or directories.
- Corrected the suspicious directories check.
- The xinetd.conf check only occurred for Linux systems. It will now occur
  for all O/S's. Also, the check always reported the file was clean,
  regardless of whether this was true or not.
- The hidden files and directories check was not working correctly for
  Gentoo users.
- Small bug in T0rn rootkit file list.

--

* 1.2.10 (Not released)

New:
- Enabled Ohhara Rootkit check

Changes:
- If duplicate configuration file options are seen, then only the last
  one seen is used

Bugfixes:
- Lsof resolution fix
- Fixed Danny Boy's Abuse Kit check
- Fixed SHV5/Tripwire check
- Fixed ignoKit check

--

* 1.2.9 (30/09/2006)

New:
- Rootkit Hunter is under new management so maintenance, development
  and support is assured
- Added support for RHEL WS/AS/ES 3, Taroon update 8
- Added support for Fedora Core 5
- Added support for SuSE 10
- Added check for packet capturing applications (see rkhunter.conf
  for whitelisting)
- Added check for processes using deleted files (see rkhunter.conf
  for whitelisting)
- Enabled netstat check for AIX
- Enabled backdoor check for SunOS
- Enabled logfile specification and checks

Changes:
- Improved cAos support
- Improved AIX rc.sysinit test
- Improved second promiscuous mode check
- Improved prelinking test
- Improved binaries found check
- Improved MD5 check and application scan
- Improved FreeBSD/AIX grepping
- Improved Solaris grep/ifconfig (FP's)
- Improved reportmode report-warnings-only
- Improved permitrootlogin check with forced-commands-only
- Improved passwordless user accounts test
- Improved file/module name checks (FP's)
- Improved check-update: DBDIR vs temp dir and preserve DAC rights
- Improved Solaris script replacements
- Fix typos, grammatical changes, formatting/displaying
- Added more examples to config
- Change contact information

Bugfixes:
- Removed stale mirrors
- Fix SF tracker issue 1449701
- Fix skdet test
- Time uses Perl epoch
- Error message about "group" file
- Ksh 'shift' fix

--

* 1.2.8 (24/02/2006)

New:
- Added '-sk' alias (instead of --skip-keypress)
- Added support for Fedora core 4
- Added support for FreeBSD 4.11, 5.2, 5.3, 5.4, 6.0
- Added support for CentOS 3.3 ('final' and 'Final')
- Added support for CentOS 3.5, 4.1 and 4.2
- Added support for Debian 3.1 (AMD64)
- Added support for RHEL WS/AS/ES 3, Taroon update 6
- Added support for RHEL WS 4, Nahant Update 1 and 2
- Added support for Slackware 10.2

Changes:
- Updated RHEL hashes
- Updated Fedora Core 3 hashes
- Updated SuSE 9.1 hashes
- Updated software database
- Update copyright line

--

* 1.2.7 (24/05/2005)

New:
- Added support for CentOS 4.0
- Added support for Mandrake 10.2
- Added support for Gentoo (sparc/sparc64/x86)
- Added additional support for E-smith (SME 6.0.1)
- Added support for FreeBSD 4.5 and 4.6

Changes:
- Improved support for Bind (thanks to Craig)
- Improved support for RHEL AS release 3
- Updated hashes for SuSE 9.1 (core-utils)

Bugfixes:
- Fixed problem with the updater (file was retrieved, but not placed within
  the correct directory)

--

* 1.2.6 (10/05/2005)

New:
- Added support for Tao Linux
- Added support for Trustix 2.2 (Sunchild)

Bugfixes:
- Fixed problem with updater

--

* 1.2.5 (03/05/2005)

New:
- Added support for FreeBSD 4.11 (i386)
- Added support for RHEL AS release 3
- Added support for Cobalt (6.5.1)

Changes:
- Fixed permissions of check_update.sh
- Fixed typo in help
- Improved detection for some unknown rootkits/backdoors
- Improved messages/logging
- Some code cleanups
- Important: fixed a security issue, related to temporary files

--

* 1.2.4 (25/04/2005)

New:
- Added support for E-smith (SME 6.0)

Changes:
- Updated hashes for Fedora core 2
- Improved documentation of tools (see tools directory)
- Removed logging from installer

Bugfixes:
- Fixed problem when using --allow-ssh-root-user (option was overwritten
  by configuration file option)

--

* 1.2.3 (21/03/2005)

New:
- Added option to allow/whitelist hidden files and directories. See
  configuration file
- Added support for SuSE 9.2 (x86-64)

Changes:
- Updated configuration file, to give more information about
  whitelisting of hidden files/directories
- Updated Fedora core 3 hashes (procps package)
- Updated packages: OpenSSH
- Updated manpage
- Improved logging
- Added debugging info for named
- Strip off patch version with PHP port (Debian)
- Extended support for Fink (MacOS), added /sw/bin to BINPATHS in
  check_update.sh
- Improved installer when /usr/local/bin is missing

Bugfixes:
- Fixed problem with unquoted variable (passwordless accounts)

--

* 1.2.2 (18/03/2005)

New:
- Added support for Mandrake 10.1
- Added hashes for Mandrake 10.1. Thanks to Roderick B. Greening
- Added support for RHEL WS release 3
- Added support for NIS when looking for passwordless accounts
- Added support for beX2 (evil code)

Changes:
- Updated Debian hashes
- Changed permissions of installer (0755 instead of 0750)
- Changed installer so normal users can install rkhunter. This is
  experimental, so check is commented in installer
- Updated packages: Bind, Exim, OpenSSL
- Improved logging
- Small layout fixes
- Code cleanup
- Updated mirror list
- Updated copyright message (2005)

Bugfixes:
- Changed symbols when one or more groups are added/removed

--

* 1.2.1 (21/02/2005)

New:
- Added support for Mandrake 8.1 (i586, no hashes)
- Added support for FreeBSD 5.3 (i386, with hashes for release version)
- Added support for Slackware 10.1
- Added Turkish translation to installer (note: language support
  temporarily disabled)
- Added support for Fink (MacOS), added /sw/bin to BINPATHS
- Added contrib directory
- Added script (contrib) run_rkhunter, by Andy Spiegel

Changes:
- Updated hashes for SuSE 9.1, Mandrake 10.0
- Updated installer (changed copyright line, comments and disabled
  version number, because it can be confusing when installer version
  is another version than main version.)
- Perform extra check before checking configuration file (to see if
  it exists)
- Improved logging (show temporary directory, improve output when
  scanning for default rootkit files/directories)
- Improved output when system is unsupported
- Stop program when temporary directory doesn't exist instead of
  creating it
- Updated packages: Apache, Bind, GnuPG, OpenSSL
- Fixed some typos

Bugfixes:
- BINPATHS got overwritten when performing software version check
- Fixed bug when checking for ssh root user. Thanks to Andy Spiegel
- Clean up temporary prelink file

Website:
- Added notification list
- Fixed some XHTML bugs

--

* 1.2.0 (10/02/2005)

New:
- Added support for CentOS 3.4
- Added new configuration option 'ALLOW_SSH_ROOT_USER' and program
  parameter '--allow-ssh-root-user' to allow directly login of a
  `root` user, in your SSH configuration file.

Changes:
- Updated hashes for Fedora Core 1, Core 2, Core 3
- Changed RHEL 3, so taroon 4 uses the hashes of taroon 3
- Updated Debian hashes
- Removed ClamAV from application scan. It warns the user now when
  it runs an too old version.
- Updated manpage
- Changed detection for SuSE versions. SuSE Linux Enterprise Server
  didn't work, because of the capitals (instead of the usual name)
- Warn if user uses /tmp as temporary directory (possible security
  issue)
- Updated wishlist/todo and manpage.

Bugfixes:
- Fixed wrong message when group was added/deleted from /etc/groups

--

* 1.1.9 (28/12/2004)

New:
- Added RH-Sharpe's rootkit (rootkit)
- Added SHV5 rootkit (rootkit)
- Added special test for tripwire
- Added support for metalog (syslog daemon)
- Added support for ALTLinux 2.2 and 2.4
- Added support for CentOS 3.3
- Added support for Gentoo 1.6
- Added support for FreeBSD 4.10 (alpha platform)
- Added support for SuSE SLES8. Thanks to Mario Lenz
- Added support for SuSE 9.2 (i586)
- Added support for Fedora Core 3
- Added support for Red Hat Enterprise Linux ES/WS release 4
- Added hashes for Fedora Core 3. Thanks to Steph
- Official port is now available for ALTLinux
- Change text when an old software package has been found. This
  will happen with backporting operating systems (Red Hat,
  Fedora etc)

Changes:
- Improved logging for lsof test
- Updated hashes for Fedora Core 1
- Updated hashes for Debian woody
- Updated hashes for Red Hat Enterprise Linux ES/WS release 3
- Updated hashes for Slackware 9
- Updated hashes for Slackware 10
- Updated hashes for SuSE 9.1
- Updated wishlist/todo, updated readme and manpage.
- Code cleanup (added more remarks, cleanup of old/buggy things)..
- Improved logging

Bugfixes:
- Changed binary search path due typo. Thanks to Bertrand
