RKhunter Scan Details


onastvar
6th April 2010, 15:52
Since I've installed rkhunter I'm getting blank RKhunter Scan Details emails. Any ideas what/where to check about this issue? Thank You.

I have Perfect Setup CentOS 5.4 with ISPConfig 2

falko
7th April 2010, 15:38
Does rkhunter -c show anything strange?

onastvar
7th April 2010, 17:49
I only see warnings (please see below). Any ideas?

rkhunter -c results

/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]

Checking for hidden files and directories [ Warning ]

Checking application versions...

Checking version of GnuPG [ OK ]
Checking version of Apache [ Warning ]
Checking version of Bind DNS [ Warning ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ Warning ]
Checking version of Procmail MTA [ OK ]
Checking version of ProFTPd [ Skipped ]
Checking version of OpenSSH [ Warning ]

Warnings from rkhunter.log

[10:28:02] /usr/bin/GET [ Warning ]
[10:28:02] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable

[10:28:02] /usr/bin/groups [ Warning ]
[10:28:02] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable

[10:28:02] /usr/bin/ldd [ Warning ]
[10:28:03] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

[10:28:07] /usr/bin/whatis [ Warning ]
[10:28:07] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

[10:28:08] /sbin/ifdown [ Warning ]
[10:28:08] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable

[10:28:08] /sbin/ifup [ Warning ]
[10:28:08] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[10:32:08] Checking for hidden files and directories [ Warning ]
[10:32:08] Warning: Hidden directory found: /dev/.udev
[10:32:08] Warning: Hidden file found: /etc/.group.swp: data
[10:32:08] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[10:32:08] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[10:32:08] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:32:08] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text


This is my rkhunter.sh, which is in /etc/cron.daily/rkhunter.sh:

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' myemail@gmail.com
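The three steps of the cron script above, rewritten as an added example (this is not the poster's script and not rkhunter's own cron file). Two things change: `--nocolors` is passed to the `--versioncheck` and `--update` steps (`--cronjob` already disables colours for the check itself), any remaining terminal escape sequences are stripped before mailing, and a mail is sent only when the run produced output, with a subject that says whether warnings were found. The rkhunter path and `/bin/mail` are taken from the post; `MAILTO` defaulting to root and the `--run` guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the poster's script): cron wrapper for rkhunter that keeps
# terminal escape sequences out of the mail and mails only when there is output.
# Paths and recipient are assumptions; override them from the environment.
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
MAILTO=${MAILTO:-root}
MAILCMD=${MAILCMD:-/bin/mail}

# Remove ESC[...X sequences: colours such as ESC[1;33m / ESC[0;39m and cursor
# moves such as ESC[34C. A mail reader shows these as raw bracket sequences.
strip_ansi() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*[A-Za-z]//g"
}

# Exit 0 when the report file contains at least one rkhunter warning line.
has_warnings() {
    grep -q '^Warning:' "$1"
}

# Same three steps as the original cron script; stderr is merged so that a
# failed --update is reported in the same mail instead of being lost.
rkh_run() {
    "$RKHUNTER" --versioncheck --nocolors
    "$RKHUNTER" --update --nocolors
    "$RKHUNTER" --cronjob --report-warnings-only
}

main() {
    tmp=$(mktemp) || exit 1
    rkh_run 2>&1 | strip_ansi > "$tmp"
    # An empty report means nothing to read: send no mail at all.
    if [ -s "$tmp" ]; then
        if has_warnings "$tmp"; then
            subject="rkhunter: WARNINGS on $(hostname)"
        else
            subject="rkhunter: daily run on $(hostname)"
        fi
        "$MAILCMD" -s "$subject" "$MAILTO" < "$tmp"
    fi
    rm -f "$tmp"
}

# Only run the scan when invoked as the cron job (assumed convention).
if [ "${1:-}" = "--run" ] && [ -x "$RKHUNTER" ]; then
    main
fi
```

Install it as `/etc/cron.daily/rkhunter.sh` and have it call itself with `--run`, or drop the guard; either way a blank mail can then only mean that all three rkhunter steps printed nothing, which narrows the original question to the rkhunter invocation itself.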

falko
8th April 2010, 14:41
What's the output of
/usr/local/bin/rkhunter --cronjob --report-warnings-only
?

onastvar
8th April 2010, 15:31
Output of /usr/local/bin/rkhunter --cronjob --report-warnings-only is:

Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /etc/.group.swp: data
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.


Thank You!

falko
9th April 2010, 14:00
Do you get a non-empty mail when you run
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' myemail@gmail.com
manually on the shell?

BTW, your scan results don't look good - maybe your system got hacked... :eek:

onastvar
15th April 2010, 18:48
Does anyone know how I can check if my system got hacked? Any ideas how to fix the warnings? Do I need to re-install (CentOS & ISPConfig) if the system was hacked? Please advise. I appreciate any help - thanks!

Right now, I am getting the "rkhunter Daily Run" emails with the following warnings:

[ Rootkit Hunter version 1.3.6 ]

Checking rkhunter version...
This version : 1.3.6
Latest version: 1.3.6
[ Rootkit Hunter version 1.3.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The file properties have changed:
File: /etc/rkhunter.conf
Current hash: 9b3b72541ac896dc0d8c877e3dfda866bbc4761e
Stored hash : 1d76261698bc1d3d2e5729f801a5c9a7e2d761c6
Current size: 30928 Stored size: 30835
Current file modification time: 1270827265 (09-Apr-2010 10:34:25)
Stored file modification time : 1265344611 (04-Feb-2010 22:36:51)
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /etc/.group.swp: data
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
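Before treating the warnings quoted above as proof of a compromise, the first thing to establish on an RPM-based system is whether each flagged file is the one the distribution shipped. The script below is an added example written for this thread (not rkhunter's code and not something from the posts): it pulls the paths out of the "replaced by a script", "Hidden file/directory found" and "file properties have changed" warnings, in the exact formats quoted above, and asks rpm who owns each file and whether its size, mode, owner and digest still match the package. It assumes rpm is available and that rkhunter output or `/var/log/rkhunter.log` is piped in.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of rkhunter warnings on
# an RPM-based host. It extracts the paths rkhunter complained about and checks
# them against the package database; it does not decide "hacked" on its own.

# Read rkhunter output (or /var/log/rkhunter.log, whose lines carry a
# "[HH:MM:SS] " prefix) on stdin and print one path per matching warning.
rkh_paths() {
    sed -n \
        -e 's/^\[[0-9:]*\] //' \
        -e "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p" \
        -e 's/^Warning: Hidden file found: \([^:]*\).*/\1/p' \
        -e 's/^Warning: Hidden directory found: \(.*\)/\1/p' \
        -e 's/^ *File: \(.*\)/\1/p'
}

# For each path: which package owns it, and does it still match that package.
# rpm -Vf prints nothing when every attribute matches; a line such as
# "S.5....T  /usr/bin/ldd" means size, digest and mtime differ from the package.
rkh_verify() {
    rkh_paths | while IFS= read -r path; do
        if owner=$(rpm -qf "$path" 2>/dev/null); then
            printf '%s: owned by %s\n' "$path" "$owner"
            rpm -Vf "$path" | sed 's/^/    /'
        else
            # Not packaged: a vim swap file, a stray edit, or something planted.
            printf '%s: not owned by any package, inspect by hand\n' "$path"
        fi
    done
}

# Usage (assumed invocation):
#   rkhunter --cronjob --report-warnings-only | sh rkh_triage.sh --run
#   sh rkh_triage.sh --run < /var/log/rkhunter.log
if [ "${1:-}" = "--run" ]; then
    rkh_verify
fi
```

Three caveats when reading the result. A script in place of a binary is unremarkable if rpm owns it and `rpm -Vf` is silent; only then is a `SCRIPTWHITELIST` or `ALLOWHIDDENFILE` entry in rkhunter.conf justified, and `rkhunter --propupd` should be run only for a file whose change you can account for (the stored and current times in the post above date the rkhunter.conf change to 9 April, during this thread). A file rpm does not own, such as `/etc/.group.swp`, needs an explanation from whoever was editing `/etc/group`. And the rpm database lives on the same host, so if anything still looks wrong after this pass, verify against packages fetched from a clean mirror rather than trusting the local database.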

daddyfish
30th October 2011, 21:51
There is no end to RKHunter discussions. This might help where Ubuntu is concerned (10.04LTS):

(1) If you "apt-get install rkhunter" and let Ubuntu install the application from the default Universe repository, then you will have the approved RKHunter V1.3.6 for Ubuntu Server 10.04LTS 64-bit. When you run rkhunter, you will not get any warnings.

However, if you install RKHunter V1.3.8 (a new version) using wget, you will receive the following warnings upon running RKHunter: warnings for /usr/sbin/useradd, /usr/bin/ldd, /bin/which, warning for hidden directory, and warning for GnuPG and OpenSSL "out of date" versions. You would have to whitelist these in the rkhunter.conf to keep them from clashing ... a bad idea.

I suggest that you ALWAYS stick with default repository installs for ALL applications, paying no attention to the fact that newer versions exist. If you don't, your server is going to be goobered ... sooner than later. AND, you will be living constantly on the forums trying to solve insolvable problems!