rkhunter


Tripple
8th April 2009, 20:58
My fresh ISPConfig 3.0.1.1 installation keeps warning me with rkhunter.

I receive a simple mail with this line:
Please inspect this machine, because it can be infected

No logfile to inspect, so I ran rkhunter again:
# rkhunter -c --createlogfile

2 warnings in the logfile:
WARNING, found: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
Warning: root login possible. Change for your safety the 'PermitRootLogin'

I can fix the last warning but what about the first one?

till
9th April 2009, 09:19
Never seen the first warning. Did you take a look in the .udev directory?

Tripple
9th April 2009, 17:38
Fixed it like this:
https://bugzilla.redhat.com/show_bug.cgi?id=190248

When I run rkhunter, no more errors.
However, I'm still receiving those mails.

Tripple
19th April 2009, 21:35
I'd like to start this old topic again because I can't figure out what the problem is.

Every hour at xx:53 there's a mail to root like this:
Subject: [rkhunter] Warnings found for host@domain
Please inspect this machine, because it can be infected

I can't find any cron job that could cause this, so the only way to reproduce this is, I guess, with the command # rkhunter -c --createlogfile, but I can't see any errors in the logfile.

falko
20th April 2009, 12:05
What's the output of ls -la /etc/cron.hourly?

Tripple
20th April 2009, 17:21
It's empty:

# ls -la /etc/cron.hourly/
total 24
drwxr-xr-x 2 root root 4096 apr 19 21:19 .
drwxr-xr-x 103 root root 12288 apr 20 17:16 ..

till
20th April 2009, 18:48
rkhunter is run by the ISPConfig monitoring system and not by a cronjob. Maybe you selected to receive an email when you installed rkhunter, as I don't receive such emails on my servers.

Tripple
20th April 2009, 20:37
rkhunter is run by the ISPConfig monitoring system and not by a cronjob. Maybe you selected to receive an email when you installed rkhunter, as I don't receive such emails on my servers.

I followed the perfect setup and forward all root mails to my mailbox.
Strange that I'm the only one with this issue.

Could this be the cause: (I'm running CentOS 5.3)
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Or this:
ClamAV update process started at Mon Apr 20 04:02:12 2009
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.94.2 Recommended version: 0.95.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
daily.cld is up to date (version: 9256, sigs: 41364, f-level: 42, builder: guitar)

airton
23rd April 2009, 00:49
Every hour I receive a message with this text:

Please inspect this machine, because it may be infected.
Why?

No other warning in /var/log/rkhunter.log:

[00:02:12] System checks summary
[00:02:12] =====================
[00:02:12]
[00:02:12] File properties checks...
[00:02:12] Files checked: 122
[00:02:12] Suspect files: 0
[00:02:12]
[00:02:12] Rootkit checks...
[00:02:12] Rootkits checked : 112
[00:02:12] Possible rootkits: 0
[00:02:12]
[00:02:12] Applications checks...
[00:02:12] Applications checked: 5
[00:02:12] Suspect applications: 0

edge
23rd April 2009, 07:27
Read the complete log file from RKhunter and not just the summary.
Some line(s) will say something about the warning(s)

airton
24th April 2009, 10:36
Thanks edge for your suggestion.
In my log I've found:

Checking for hidden processes [ Warning ]
Warning: Hidden processes found: 30562

but maybe it could be a false positive, as stated in
http://ubuntuforums.org/showthread.php?t=796192. In fact I cannot cd into /proc/pid, and if I execute rkhunter --check now, no hidden process is reported.

I've built the following script to test unhide (used by rkhunter to discover hidden processes):

#!/bin/sh
# Snapshot the process table first, then re-check every PID that unhide reports.
ps -ef > processes.txt
unhide brute | grep 'Found HIDDEN PID' | while read -r line
do
    #echo "$line"
    # "Found HIDDEN PID: 20248" -> the fourth field is the PID
    pid=$(echo "$line" | awk '{ print $4 }')
    echo
    echo "Hidden PID: [$pid]"

    echo "Testing dir /proc/$pid"
    if [ -d "/proc/$pid" ]; then
        cat "/proc/$pid/cmdline"; echo
    else
        echo "... Not Found (good)"
    fi

    # Was the PID in the ps snapshot taken before unhide ran?
    echo "Testing processes list"
    pcregrep "\\w\\s+$pid" processes.txt
done

and this is a sample result:

Hidden PID: [20248]
Testing dir /proc/20248
... Not Found (good)
Testing processes list
postfix 20248 23453 0 10:30 ? 00:00:00 showq -t unix -u -c

Sometimes the "hidden" process cannot be identified... but everything seems to confirm the theory of a false positive.
I'd like to avoid it!
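The race described in this post (a short-lived process such as postfix's showq appearing between unhide's enumeration passes) can be separated from a genuinely concealed PID by re-testing each reported PID a few times: a process that answers kill(pid, 0) but is never listed in /proc is hidden, one that vanishes entirely was transient. The following is an added example, not the poster's script or part of rkhunter/unhide; it only assumes unhide's "Found HIDDEN PID: N" output format shown above, and the probe/listing callables are parameters so the logic can be exercised with constructed data.

```python
import os
import re
import time
from typing import Callable, Dict, List, Set

# unhide prints one "Found HIDDEN PID: 20248" line per suspect (format from the post above).
HIDDEN_PID_RE = re.compile(r"Found HIDDEN PID:\s*(\d+)")


def parse_unhide_output(text: str) -> List[int]:
    """Extract the PIDs that 'unhide brute' reported as hidden."""
    return [int(m.group(1)) for m in HIDDEN_PID_RE.finditer(text)]


def probe_pid_exists(pid: int) -> bool:
    """Syscall-level existence test, the same idea unhide's brute mode uses:
    kill(pid, 0) succeeds, or fails with EPERM, only when the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def list_proc_pids() -> Set[int]:
    """What ps and top see: the numeric directory entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def classify_pid(pid: int,
                 probe: Callable[[int], bool] = probe_pid_exists,
                 listing: Callable[[], Set[int]] = list_proc_pids,
                 rounds: int = 3,
                 delay: float = 0.2,
                 sleep: Callable[[float], None] = time.sleep) -> str:
    """Re-test one PID that unhide reported as hidden.

    'transient': the PID no longer exists at all, so it was a short-lived
                 process caught between enumeration passes (a false positive).
    'visible':   the PID is listed in /proc, so nothing is hiding it now.
    'hidden':    the PID answers kill(pid, 0) in every round but never shows
                 up in /proc; this is the case that needs a human.
    """
    for _ in range(rounds):
        if not probe(pid):
            return "transient"
        if pid in listing():
            return "visible"
        sleep(delay)
    return "hidden"


def triage(unhide_text: str, **kwargs) -> Dict[int, str]:
    """Map every reported PID to its verdict."""
    return {pid: classify_pid(pid, **kwargs) for pid in parse_unhide_output(unhide_text)}


if __name__ == "__main__":
    # Needs root and the unhide binary; run it right after rkhunter complains.
    import subprocess
    out = subprocess.run(["unhide", "brute"], capture_output=True, text=True).stdout
    for pid, verdict in triage(out).items():
        print(pid, verdict)
```

Only the "hidden" verdict is worth a page; the showq case from the sample result above comes back "transient" because the process is gone by the time it is re-probed.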

ggarcia24
1st May 2009, 02:06
rkhunter is run by the ISPConfig monitoring system and not by a cronjob. Maybe you selected to receive an email when you installed rkhunter, as I don't receive such emails on my servers.

Is there some way to run it less often? rkhunter is running every 30 min and I get 95% CPU usage... can I at least make it run every 2 hours?

till
1st May 2009, 12:00
This has already been changed in svn, please see the svn log for details.

ggarcia24
2nd May 2009, 07:09
Thank you very much!!!!! I've added the changes manually, thanks!

dragons
9th June 2009, 03:35
I have exactly the same issue with ISPConfig 3 and rkhunter, with the same warnings. I uncommented the lines in rkhunter.conf that refer to the issues in the warnings but I still get the warnings and the emails every hour. I know how to stop the emails but I really want to stop the warnings by fixing the problem.
It's a brand new CentOS 5.3 server install using the howto from here on ISPConfig 3 and CentOS 5.3.

The warning is the same as the others':

Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.hosts.swp /usr/share/man/man1/..1.gz /dev/.udev
---------------
Please inspect: /etc/.hosts.swp (data)

rkhunter.conf is as follows

# This is the configuration file of Rootkit Hunter. Please change
# it to your needs.
#
# All lines beginning with a hash (#) or empty lines, will be ignored.
#
INSTALLDIR=/usr

# Links to files. Don't change if you don't need to.
LATESTVERSION=/rkhunter_latest.dat
UPDATEFILEINFO=/rkhunter_fileinfo.dat

# Send a warning message to the admin when one or more warnings
# are available (rootkit and MD5 check). Note: uses default
# command to send the warning message.
MAIL-ON-WARNING=(my email address)

# Use a custom temporary directory (you can override it with the
# --tmpdir parameter)
# Note: don't use /tmp as your temporary directory, because some
# important files will be written to this directory. Be sure
# you have setup your permissions very tight.
TMPDIR=/var/rkhunter/tmp

# Use a custom database directory (you can override it with the
# --dbdir parameter)
DBDIR=/var/rkhunter/db

# Whitelist files (and their MD5 hash)
# Usage: MD5WHITELIST=<binary>:<MD5 hash>
#MD5WHITELIST=/bin/ps:9bd8bf260adc81d3a43a086fce6b430a
#MD5WHITELIST=/bin/ps:404583a6b166c2f7ac1287445a9de6b3

# Allow direct root login via SSH
# Don't use this option if you don't know what the warning about
# this option means!!
ALLOW_SSH_ROOT_USER=0

# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
#
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
#ALLOWHIDDENDIR=/dev/.static
#ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
#
#ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
#ALLOWHIDDENFILE=/etc/.init.state

# Allow process to use deleted files
# One process per line (use multiple ALLOWPROCDELFILE lines)
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld

# Allow process to listen on any interface
# One process per line (use multiple ALLOWPROCLISTEN lines)
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/pppoe
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant

# The End


edit:
and the .hosts.swp file only as this in it

b0VIM 7.0

dragons
9th June 2009, 04:05
OK I sorted out one of the warnings by adding this line to rkhunter.conf

ALLOWHIDDENFILE=/etc/.hosts.swp

I now just have one warning about root logins, as follows:

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]


and sshd_config has this

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

What should this setting be? I am assuming this is what is spitting out the error and sending me the email with the following quote:

Please inspect this machine, because it can be infected

dragons
9th June 2009, 05:06
OK, finally happy :) After more searching around I have fixed all the issues.
I had to modify sshd_config:

Protocol 2
PermitRootLogin no

and restart sshd

I ran the rkhunter -c scan again, it returned no warnings, and this time I did not receive the email, meaning the hourly scan will now stop harassing me by email unless there is a problem :)

Thanks to you guys for some of the previous posts, which did eventually give me clues to sorting out what the underlying issue was, as searches on the warnings generally show up more confused souls lol :)

ggarcia24
9th June 2009, 05:49
If my memory doesn't fail me, .hosts.swp is a file that vi or vim creates when the hosts file is opened, but if vi or vim closes unexpectedly this file remains, so if you remove it everything will be fine...

I believe something similar must happen with the .pwd.lock file.

I definitely have to recommend that you don't add any hidden file unless, of course, you know what you are doing.

About allowing root to log in via ssh or not, everybody has their own taste (if you have sudo/su you don't need root ssh access). But of course always have a very strong password for root (something like "xEw-Rki66;5vb4").
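Before adding an ALLOWHIDDENFILE line for something rkhunter flagged, it is worth knowing what the file is: a vim swap file (the "b0VIM" signature seen in .hosts.swp above) is editor leftover to delete, a file owned by a package is a reasonable whitelist entry, and anything else deserves a look. This is an added example, not code from the thread or from rkhunter; it assumes rpm (the CentOS case here) or dpkg for ownership lookups, and the verdict strings are my own.

```python
import os
import shutil
import subprocess
import sys
from typing import Optional

# Vim swap files start with this signature (the post above shows "b0VIM 7.0").
VIM_SWAP_MAGIC = b"b0VIM"


def owning_package(path: str) -> Optional[str]:
    """Return the package that ships the file, or None.
    Tries rpm -qf first (CentOS), then dpkg -S; both exit non-zero for unowned paths."""
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
        if r.returncode == 0:
            return r.stdout.strip()
    elif shutil.which("dpkg"):
        r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
        if r.returncode == 0:
            return r.stdout.split(":")[0].strip()
    return None


def triage_hidden_path(path: str) -> str:
    """Classify one path reported under 'Scanning for hidden files'."""
    if not os.path.lexists(path):
        return "gone"                       # already removed; just rerun rkhunter
    if os.path.islink(path):
        return "symlink -> " + os.readlink(path)
    if os.path.isdir(path):
        return "directory"                  # e.g. /dev/.udev; check what lives in it
    with open(path, "rb") as fh:
        head = fh.read(len(VIM_SWAP_MAGIC))
    if head == VIM_SWAP_MAGIC:
        return "vim-swap"                   # editor leftover: delete it, don't whitelist it
    pkg = owning_package(path)
    if pkg:
        return "packaged:" + pkg            # shipped by the distro; whitelisting is defensible
    if os.path.getsize(path) == 0:
        return "empty"                      # e.g. /etc/.pwd.lock, the shadow-utils lock file
    return "unknown"                        # read it (file, strings) before touching rkhunter.conf


if __name__ == "__main__":
    # Usage: python triage.py /etc/.hosts.swp /etc/.pwd.lock /usr/share/man/man1/..1.gz
    for p in sys.argv[1:]:
        print(p, triage_hidden_path(p))
```

The point of the ordering is that the cheap, decisive checks (swap-file signature, package ownership) run before the catch-all, so a whitelist entry is only suggested for files with a known origin.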

dragons
9th June 2009, 08:40
Hi ggarcia24 thanks for the reply

Do you think I should remove the "ALLOWHIDDENFILE=/etc/.hosts.swp" exception I put in rkhunter.conf for ".hosts.swp" and delete the "b0VIM 7.0" entry in ".hosts.swp" to fix the warning instead?

ggarcia24
9th June 2009, 12:48
Yes, but don't remove the content, just remove the whole file... I'm sure that's a temporary file for vi.

dragons
10th June 2009, 03:27
I have done that and I am getting the emails to inspect the machine, because it can be infected. Below is a copy of the scan:

Rootkit Hunter 1.2.9 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Skipped!


Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Skipped ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces... [ OK ]


System checks
* Allround tests
Checking hostname... Found. Hostname is buildfits2.buildfit.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................ (progress dots shortened)
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]


Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.4.5 [ OK ]
- Apache 2.2.3 [ OK ]
- Bind DNS 9.3.4-P1 [ Unknown ]
- OpenSSL 0.9.8e-fips-rhel5 [ Unknown ]
- PHP 5.1.6 [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 4.3p2 [ OK ]

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.


Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]


---------------------------- Scan results ----------------------------

MD5 scan
Skipped

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 568 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.

-----------------------------------------------------------------------

Thanks for your help

dragons
15th June 2009, 04:03
I still have not figured out how to solve the issue rkhunter has so I can stop the warning emails. What else should I be looking for?
I don't wish to turn off email notification because I want to know if something is wrong, but I am getting 24 emails a day from the hourly cron job that does the scan.

cbj4074
13th May 2014, 23:03
Sorry to resurrect this old thread, but it is still entirely relevant.

I will preface my post by saying that I realize that this warning message can result from any number of different causes. My intention here is to provide basic troubleshooting steps that should help users identify the cause in each particular case.

Sometime in the last couple of months, this problem began for me, too. I managed to find the cause, which was rather ambiguous (and the result of an actual bug in the rkhunter source), so I thought I'd share with others, especially given that this thread is the first result for a relevant search on Google.

In short, every day as of late, I receive an email with the subject "[rkhunter] Warnings found for hostname" (where hostname is the machine's actual hostname) with the following in the body:


Please inspect this machine, because it may be infected.


I tried to locate the actual script that is running every day. Till stated earlier in this thread that ISPConfig executes rkhunter scans via the ISPConfig Monitoring system, and not via cron. So, don't bother looking in /etc/cron/* (there are other rkhunter scripts in there, but not the one from which this warning results).

So, I clicked "Show RKHunter-Log" in the ISPConfig Monitor, and indeed the summary mentions one or more warnings:


System checks summary
=====================

File properties checks...
Files checked: 137
Suspect files: 0

Rootkit checks...
Rootkits checked : 247
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 47 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)


This is the key step in finding the offending rkhunter test/rule that is throwing the warning:


# grep -i "warning" /var/log/rkhunter.log
[16:00:10] Info: Emailing warnings to 'root@example.com' using command '/usr/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[16:00:11] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.


There we have it; the warning is probably due to an outdated update URL, and is described in this rkhunter bug report: http://sourceforge.net/p/rkhunter/bugs/105/

So, in my case, the fix appears to be updating rkhunter to the latest version, in which this should be fixed.

As a point of note, be advised that running a scan with


# rkhunter -c --createlogfile


can yield different results than when ISPConfig runs an rkhunter scan. More specifically, when I scan using the above command, no warnings are found, presumably because "rkhunter -c" doesn't attempt the network updates as part of the scanning process, which ISPConfig does attempt (presumably with something like "rkhunter --versioncheck --update --cronjob").

Here are the results with just "rkhunter -c":


System checks summary
=====================

File properties checks...
Files checked: 137
Suspect files: 0

Rootkit checks...
Rootkits checked : 247
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 3 minutes and 5 seconds

All results have been written to the log file (/var/log/rkhunter.log)

No warnings were found while checking the system.
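The grep in this post works, but a case-insensitive "warning" also matches the Info line that reports the mail being sent and the "[ Warning ]" status columns, so it pays to pull out only the timestamped "Warning:" lines and bucket them, which also makes the distinction between network-only warnings (the i18n.ver download, absent from a plain rkhunter -c) and real findings explicit. The following is an added example, not part of the post or of rkhunter; the sample log is constructed from lines quoted in this thread and the bucket names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# rkhunter.log lines carry a "[HH:MM:SS] " prefix; findings are "Warning:" lines.
LOG_LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(Info|Warning|Error):\s*(.*)$")

# Constructed sample built from lines quoted earlier in this thread.
SAMPLE_LOG = """\
[16:00:10] Info: Emailing warnings to 'root@example.com' using command '/usr/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[16:00:11] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[16:00:12] Checking for hidden processes                        [ Warning ]
[16:00:12] Warning: Hidden processes found: 30562
"""


def extract_warnings(log_text: str) -> List[Tuple[str, str]]:
    """Return (time, message) for genuine Warning/Error lines only.
    The Info mail line and the '[ Warning ]' status columns are skipped."""
    found = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m and m.group(2) in ("Warning", "Error"):
            found.append((m.group(1), m.group(3)))
    return found


def categorize(message: str) -> str:
    """Bucket a warning by its message prefix (prefixes taken from this thread)."""
    if message.startswith("Download of"):
        return "update"            # needs network; never appears in an offline rkhunter -c
    if message.startswith("Hidden processes found"):
        return "hidden-process"    # re-check the PID before believing it
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count warnings per bucket, which is what you want in the notification mail."""
    return dict(Counter(categorize(msg) for _, msg in extract_warnings(log_text)))


if __name__ == "__main__":
    with open("/var/log/rkhunter.log") as fh:
        text = fh.read()
    for when, msg in extract_warnings(text):
        print(when, categorize(msg), msg)
    print(summarize(text))
```

Run against the real log after an ISPConfig-triggered scan; if the summary contains only the "update" bucket, the fix is the version/update URL issue cbj4074 points to rather than anything on the host.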