
📄 changelog

📁 Rootkits are frequently encountered in network security
Changes:
- Updated hashes for Mandrake 9.2. Thanks to John P. New and others.
- Updated hashes for Red Hat Enterprise Linux Update 1. Thanks to Eilko
- Added informational message, when 'PermitRootLogin' or SSH protocol 1 is found,
  into the logfile
- Renamed .spec file to rkhunter.spec
- Updated installer. Thanks to Uwe Hermann
- Improved LKM check. Thanks to Joe Croft
- Improved logging
- Fixed a problem with ifconfig

--

* 1.0.5

New:
- Added 'ignoKit' (rootkit)
- Added support for Red Hat Linux 8.0 (Psyche)
- Added option '--disable-passwd-check', to disable passwd/group check. Suggested
  by Michael Niehren
- Added option '--scan-knownbad-files', to scan besides the 'known good' MD5 checks,
  a lot of system binaries against a 'known bad' database.
- Added option '--tmpdir', to specify a temporary directory instead of the static
  one (see below, at 'tmpdir' option within the configuration file).
- Added a 'known bad' database with a lot of 'blacklisted' binaries and tools
  (like sniffers, rootkits, backdoored binaries, IRC tools etc)
- Added hashes for Red Hat Enterprise Linux ES release 3 (unpatched). Thanks
  to Nico Morrison
- Added a 'mail-on-warning' option to the configuration file. When the checker finds
  one or more warnings, it will send a warning to the system administrator (see the
  configuration file for more information)
- Added 'tmpdir' option to the configuration. This optional value can be used instead
  of the default (/usr/local/rkhunter/tmp) directory and is one of the first steps
  to make rkhunter less static.
- Rootkit Hunter now exits with an exit code of 1 when a rootkit is found or
  an MD5 checksum failed. Suggested by Michael Niehren

Changes:
- Updated support for Red Hat Enterprise Linux. Thanks to Nico Morrison
- Improved/updated .spec file for RPM creation (improved cronjob script, updated
  file version, corrected packager value). Thanks to Joe Klemmer and Michael Niehren
- Improved cronjob check (it contained a little bug, so it wasn't always
  non-interactive..)
- Improved logging of sockstat/netstat tests
- Fixed message when parameters are provided, but 'check' option is missing
- Updated installer (0.0.6)

--

* 1.0.4

New:
- Added 'AjaKit' (rootkit)
- Added 'Legion of Doom (LoD)' (rootkit) (note: uses almost all the same files
  as AjaKit)
- Added support for Red Hat Enterprise Linux. Thanks to Kevin Jarnot

Changes:
- Updated 'NSDAP' (rootkit)
- Updated 'Dica' (rootkit)
- Updated 'X-Org SunOS Rootkit' (rootkit)
- Changed message 'not found' into 'OK' when no file redirection has been found.
  Thanks to Jens Gutzeit
- Improved check for hidden files (empty files will be skipped, more directories
  added)
- Corrected file scan counter.
- Improved logging
- Cleaned up tarball

--

* 1.0.3

New:
- Added support for SuSE Linux 8.1.

Changes:
- Updated 'Flea Linux Rootkit', because /lib/security is a legal path name.
  Thanks to Moritz Bunkus
- Updated syslog-ng checking (checking remote logging in the configuration file).
  Thanks to Juri Memmert for reporting the problem

--

* 1.0.2

New:
- Added 'aPa Kit' (rootkit)
- Added 'Danny-Boy's Abuse Kit' (rootkit)
- Added 'Duarawkz' (rootkit)
- Added 'Flea Linux Rootkit' (rootkit)
- Added 'HjC kit' (rootkit)
- Added 'Kitko' (rootkit)
- Added 'R3dstorm Toolkit' (rootkit)
- Added 'TeLeKiT' (rootkit)
- Added 'VcKit' (rootkit)
- Added support for Aurora Linux 1.0 (SPARC, named 'Ansel')
- Added support for Red Hat Linux 7.0
- Added support for Mac OS X (Darwin kernel)
- Added option '--report-mode' to remove footer and location of logfile
- Added alias parameter '--createlog' for '--createlogfile'
- Added alias parameter '--skipkeypress' for '--skip-keypress'
- Added informational message when a user doesn't use '--checkall' or '--cronjob'

Changes:
- Updated hashes for Fedora Core 1. Thanks to Doncho N. Gunchev
- Improved output of logfile
- Changed warning message when a part of a rootkit has been found (show correct
  logfile instead of default file)
- Changed footer message (and tell you guys you have to submit your undetected
  rootkits)

Website:
- Updated articles: Hyperlinks, Scanning Techniques

--

* 1.0.1

New:
- Added parameter '-h' (or --help, -?) to display the usage syntax (same thing
  when you give no options at all). Reported by Arthur E. Groen
- Support for Linux SuSE 8.2 (i586 platform)

Changes:
- Improved scan for 'Suckit' (rootkit)
- Updated hashes for Mandrake 9.2
- Fixed a problem with the installer (wrong function declaration).
- Had to strip down all colors in the installer, because of the complaints :-)
- Changed installer so it could be used as a non-interactive installer (like it
  was before).. Languages are still usable, but will be used in later versions
  (with an interactive switch)
- Fixed the LANG function (renamed it, because of the reserved name).
- Added Swedish translation for the installer. Thanks to Daniel Olsson
- Improved logging when Perl has been found
- Undo 'skip MD5 test' (MD5CHECK_SKIP=0) when Digest::MD5 available, but
  md5(sum) isn't, so we can still scan.
- Fixed a wrong path name (deleting of temporary passwd file)

Website / Documentation:
- Updated FAQ
- Updated Project information (updated supported OSes, rootkits, added date of
  last modification)
- Updated README

--

* 1.0.0

Special remarks:
- New developer: Stephane Dudzinski (a.k.a. FRLinux)

New:
* Operating system support
- Added support for Fedora (tested with Core 1, Yarrow)
- Added support for Gentoo (tested with 1.4 release)
- Added support for Red Hat 7.3 (Valhalla)
- Added support for Sun Solaris (not working yet..)
- Added OpenBSD 3.3 (i386) hashes
- Added Fedora Core 1 (i386) hashes
- Added special verify section when prelinked binaries are found (like Fedora
  Core 1 uses). Thanks to Michael G. Rozman
- Added support for IBM AIX. A big thanks to Iain Roberts!
  Versions 4.3.2, 4.3.3, 5.1, 5.2, 5.3, 5.4
* Rootkit / backdoor support
- Added 'Dreams' (rootkit). Thanks to Joshua Levitsky
- Added 'Heroin' (LKM rootkit)
- Added 'Sin' (rootkit)
- Added 'Shutdown' (rootkit)
- Added 'Sneakin' (rootkit)
- Added 'Superkit' (rootkit)
- Added 'T0rn' (rootkit)
- Added 'Trojanit Kit' (rootkit)
- Added 'zaRwT.KiT' (rootkit)
- Added 'Volc' (rootkit)
* Linux support
- Added extra kernel check (2.4/2.6) when OS is Linux
- Added Linux 2.6 kernel support.
- Added extra check when using a RPM based distro, to display the package name
  in the logfile when filehashes are different. Thanks to Michael G. Rozman
* Rootkit Hunter options
- Added option '--quick'. Can be used with newly added scans and will use
  some tweaks to scan quicker (be careful: can hide some useful information
  at first scan, i.e. hidden files with trojaned binaries)
- Added option '--skip-keypress'. Make rkhunter non-interactive, so you don't
  have to press [enter] after every test. Requested by Michael G. Rozman
- Added option '--version'. Displays version and quits.
- Added extra check for promiscuous interfaces, when 'ip' command is available
- Added check for (rootdir)etc/conf.d/local.start file (Gentoo)
- Added ksyms check to rootkitscan section
- Added check for binaries like nmap, ls, lsof, ps (for future use)
- Added Perl Digest::SHA1 module check
- Added SSH 'PermitRootLogin without-password' (as an unsafe option). Thanks
  to Doncho
- Added check for sniffer logfiles detection
- Added support for grsec enabled Linux kernel. Thanks Steph ;-)

Changes:
- Improved installation
- Split version number (from 1.00 --> 1.0.0) due to future minor releases
- Updated 'Ambient'
- Updated 'BOBkit'
- Updated 'Knark'
- Updated 'Sebek'
- Updated hashes for Red Hat 7.1 (fileutils, util-linux, SysVinit and xinetd).
  Thanks to Michael G. Rozman
- Updated hashes for Debian 3.0 (IPv6 enabled version of tcpd). Thanks to Steph
- Changed LKM check when kernelversion of Linux is the new 2.6
- Improved support for other rootdirs (instead of '/')
- Added check for empty files when searching for hidden files
- Added check for real device files when searching for hidden files
- Added colored layout, when performing file checks (for i.e. hidden files)
- Little bugfix when performing LKM checking
- Bugfix when scanning sshd_config for file if file isn't available in /etc/ssh
- Improved logging for selftests
- Improved logging when performing MD5 hash test
- Improved logging for scanning of rootkits and malware
- Improved logging of rootkitscan section (files and directories)
- Improved logging for detection of binaries and Perl modules
- Improved SSH 'root login allowed', to decrease false positives
- Changed detection of users with an UID of 0 (zero)
- Improved rootkitscan section for files and directories with spaces
- Fixed wrong detection of Debian version (unstable/testing). Thanks to Daniel
  Olsson
- Fixed wrong use of parameters when using --quick option, but not using -c.
  Thanks to Joost Peters
- Added missing 'full OS' string, when RH doesn't recognise the operating
  system.
- Fixed bad logging of rootkits (and files)
- Fixed a problem when using --skip-keypress and a rootkit was found (skip
  keypress didn't work, and user input was required).
- Fixed installer for NetBSD and MacOS X, by commenting whereis functions (will
  be soon replaced)
- A lot of code cleanups..

Website:
- Updated website (FAQ / Changelog, Project information)
- Fixed a problem with the contact form (-moz-opacity CSS property failed with
  some browsers).

--

* 1.00 RC3

New:
- Added option --disable-md5-check to skip checking MD5 hashes (if you run
  customized binaries/tools)
- Added option --rootdir (or -r), to use with chrooted systems. Note: not
  completely integrated yet. Requested by Henk Wevers
- Added functions logtext and displaytext to make script more powerful and
  easier to use (for example with a new 'quiet' option)
- Added support for OpenBSD 3.3 and OpenBSD 3.4 (MD5 fix added, due to the
  missing -q (quiet) option of MD5). Thanks to Stefan

Changes:
- Updated 'Beastkit'
- Updated 'BOBkit'
- Updated hashes for Red Hat 9.0 (coreutils update). Thanks to Andrew Matthews
- Fixed a little problem with support for multiple file hashes (see 1.00 RC2).
  When more than one hash was available, only the first one was checked. Thanks
  to Andrew Matthews for testing.
- Solved two little issues with netstat check. Check reported possible backdoor
  if portnumber was present in another portnumber (like string '2001' is
  available in '20010'). Also the portnumber was found when the remote connection
  had the same portnumber as a possible backdoor (like a dynamic port 2001 was
  assigned to a SSH client). Thanks to Michael Firkins
- Changed text when a possible backdoored file is found (because the --debug
  option is not valid). Thanks to Anton Pirnat
- Changed check for OpenSSH sshd_config file (it will search now for more than
  1 place). Thanks to Jeroen Griede
- Added extra check for file retrieval utilities (i.e. to do version checking)
- Changed string at beginning of RH output (Determing OS... Ready)
- Made some tweaks to the layout of the logfile (with --createlogfile option)

--

* 1.00 RC2

New:
- Added check for syslog-ng (instead of only checking for the presence of
  syslogd). Thanks to Chris Vaughan
- Added check to allow more than one MD5/SHA1 for a single file. When a 'base'
  file will be updated, it's possible to add a second hash. Thanks to
  James Clark and Greg Bell
- Added AIX check. Thanks to Val Baranov
- Added hashes for SuSE 8.2 (i386)
- Added hashes for Red Hat 9.0
- Added hashes for Mandrake 9.2
- Added hashes for Debian 3.0 (tested with release 2)
- Added support for Mandrake (i.e. /dev/.devfsd file)
- Added section to check the file type of every hidden file found
- Added parameter 'nocolors' to disable colored output
- Added support to run RH as a cronjob (parameter '--cronjob')
- Added check to remove layout when running as cronjob
- Added option to create a logfile (parameter '--createlogfile')
- Added changelog on website (rootkit.nl)

Changes:
- Updated hashes for Red Hat 7.2
- Cleanup logfile at startup
- Just check /dev directory once for hidden files
- Deleted unused consistency check (on Debian it showed several warnings)
- Fixed a little problem with querying the default hashes database (added a
  slash to the query, to resolve the problem)
- Layout fix for Linux distros
- Fixed an error for Debian (where /etc/rc.d files do not always exist..) by
  adding an extra check for the presence of these files.
- Tweaked section to scan /dev directory. Scan is faster now (scan for
  unknown shellscripts and files)
- Some little layout changes
- Updated 'Beastkit' due to a false positive. Thanks to Dunay
- Updated 'Suckit' (more checks added)
- Changed FAQ

--

* 1.00 RC1

Remarks: First release

New:
- Database: backdoor ports (DB:backdoorports.dat)
- Added filtering for network connections
- Added OS support for SuSE Linux:
- Added OS support for Debian: 2.2/3.0/testing
- Added OS support for FreeBSD 5.x: version 5.0/5.1
- Added OS support for FreeBSD 4.x: version 4.3/4.7
- Added OS support for Red Hat Linux 7.1/7.2
- Added KLD tests (FreeBSD)
- All other options...
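
The two netstat false positives fixed in 1.00 RC3 (port '2001' matching inside '20010', and matching the remote end of a connection) can be reproduced and avoided as follows. This is an added example, not code from rkhunter; the function names and the netstat sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed `netstat -an`-style sample (not output from a real host).
# 2001 is the port number used as the example in the changelog entry.
SAMPLE='tcp        0      0 0.0.0.0:22          0.0.0.0:*            LISTEN
tcp        0      0 0.0.0.0:20010       0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:22       198.51.100.7:2001    ESTABLISHED
tcp        0      0 0.0.0.0:2001        0.0.0.0:*            LISTEN'

# Substring match (hypothetical "before" behaviour): counts every line that
# contains the digits anywhere, so 20010 and a remote port 2001 both match.
naive_hits() {
    printf '%s\n' "$SAMPLE" | grep -c "$1"
}

# Exact match: look only at the local address (field 4) and compare the
# whole port number, so only a socket bound locally to that port counts.
exact_hits() {
    printf '%s\n' "$SAMPLE" | awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            # Port is the last component; ":" on Linux, "." on BSD netstat.
            n = split($4, part, /[:.]/)
            if (part[n] == port) hits++
        }
        END { print hits + 0 }'
}

echo "substring match for 2001: $(naive_hits 2001) line(s)"
echo "exact local-port match for 2001: $(exact_hits 2001) line(s)"
```
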
