Please help by providing comments/ideas for improvement/thanks/death-threats in the comments section below.  Ok, maybe not the death-threats.

Download and License

The current version of this script is v1.03, released under the GPL license.  Click here to download it.


This software is licensed under the CC-GNU GPL version 2.0 or later.

What it can do/Features:

• Keep track of changes (IP addresses, status: existent/gone) to a list of specified domains
• Resolve many many many domains into a greppable format for you!
• Multithreaded in Python
• Does logging to a logfile, and to console at the same time
• Configurable to a certain extent

How to get and use:

• Install the PyDNS library found in the Python Package Index, hosted at SourceForge
• Grab a copy from the download section above and extract the script out
• Configure the script if you need to (see below)
• Create a text file named dns-list.txt in the same folder as the dns_tracker.py script, list the DNS hosts that you want to track in the dns-list.txt file, one host per line
• Run the script from command line: python dns_tracker.py.  The log file written to would be called dns-track.log
• Profit!
• You can stop the script by pressing Ctrl-C in the console ONCE.  It will attempt to kill off the waiting threads and exit gracefully.

What you can configure:

• All the editable options are in the section marked ##Editable options.  Some of the options are...
• Use system configured resolvers: set 'use_server': False,
• Use a DNS resolver of your choice: set 'use_server': True, and also 'server': '<your resolver>',
• The logfile name can be changed too 'logfile': 'dns-track.log',

Changelog:

• v1.03 (15 Aug 2010)

fixed logging hierarchy!  now we can control console and file log levels!

• v1.02 (10 Aug 2010)

added SERVFAIL to recognise as possible status

changed DNS resolving fail behaviour: retry 1min later

changed monitoring start behaviour (faster by using threads)

orphaned threads will also stop themselves if the main thread's killed

• v1.01 (3 Aug 2010)

demarcated editable options section ("##Editable options")

changed logging to append instead of overwriting existing log

remember that CNAMEs are also extracted for comparison of changes

added in minimum delay checks to account for CNAMEs' TTL being 0

adjusted logging levels for logfile, console still outputs everything

• v1.00 (2 Aug 2010)

initial release!

TODO:

• Perhaps migrating configurable options out to command line parameters
  or a separate config file?

Of course, as there could be a root kit/trojan/malicious stuff running in your system as rkhunter's meant to detect, you should NOT fully trust anything running from the machine. But I had to rely on this solution temporarily until I can get it (rebooted and) checked out proper using a tool like Finnix.
Am reposting the script here for reference, but you can get the most recent copy of the script here .

#!/bin/bash
desc="
This script will verify whether files for which rkhunter has logged a
warning for is still valid. It does this by finding which debian package
it came out of, and downloads them, unpacks them, then checks
the checksums.

Run it by supplying a rkhunter log file as first argument
"

HASHER="sha256sum"

IFS="
"
function find_suspect_files
{
	echo "parsing $1 for suspect files" 1>&2
	grep -1 Warning "$1"| grep File | sed 's|.*File: ||'
}

function find_packages
{
	echo "finding packages" 1>&2
	for suspect_file in $1
	do
		package=$(dpkg -S $suspect_file|awk '{print $1}'|sed 's/.$//')
		echo "suspect file $suspect_file found in $package" 1>&2
		echo $package
	done

}

function make_aptitude_args
{
	echo "generating aptitude arguments" 1>&2
	for package in $1
	do
		version=$(dpkg -p $package | grep Version | awk '{print $2}')
		echo $package=$version
	done
}

function cleanup
{
	echo "cleaning up"
	popd
	rm -rf tmp
	exit $1
}

function setup
{
	echo "setting up"
	rm -rf tmp
	mkdir tmp
	pushd tmp
}

if [ $# -ne 1 ];
then
	echo "$desc"
	exit 1
fi

suspect_files=$(find_suspect_files "$1")

packages=$(find_packages "$suspect_files" | sort | uniq)

if [ -z "$packages" ];
then
	echo "***WARNING****"
	echo "No packages contain any of the suspect files!"
	cleanup 1
fi

aptitude_args=$(make_aptitude_args "$packages")

setup

echo "downloading packages"
aptitude download $aptitude_args 1>/dev/null
if [ $? -ne 0 ];
then
	echo "aptitude download failed!"
	echo "args=$aptitude_args"
	cleanup 1
fi

echo "unpacking"
for deb_file in *.deb
do
	ar -x $deb_file
	tar zxf data.tar.gz
	rm -rf data.tar.gz control.tar.gz
done

for suspect_file in $suspect_files
do
	if [ ! -f ".$suspect_file" ]
	then
		echo "***WARNING****"
		echo "For some reason .$suspect_file does not exis!"
		continue
	fi
	echo -n "verifying $suspect_file... "
	suspect_sum=$($HASHER $suspect_file | awk '{print $1}')
	clean_sum=$($HASHER ".$suspect_file" | awk '{print $1}')
	if [ $suspect_sum == $clean_sum ];
	then
		echo "OK"
	else
		echo
		echo "***WARNING****"
		echo "Checksum mistmatch for $suspect_file!!!"
		echo "Should be: $clean_sum"
		echo "Is: $suspect_sum"
	fi
done
cleanup