HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

rkhunter (http://www.howtoforge.com/forums/showthread.php?t=33429)

Tripple 8th April 2009 20:58

rkhunter
My fresh ISPConfig 3.0.1.1 installation keeps warning me with rkhunter.

I receive a simple mail with this line:
Please inspect this machine, because it can be infected

No logfile to inspect so I ran rkhunter again:
# rkhunter -c --createlogfile

2 warnings in the logfile:
WARNING, found: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
Warning: root login possible. Change for your safety the 'PermitRootLogin'

I can fix the last warning but what about the first one?

till 9th April 2009 09:19

Never seen the first warning. Did you take a look in the .udev directory?

Tripple 9th April 2009 17:38

Fixed it like this:
https://bugzilla.redhat.com/show_bug.cgi?id=190248

When I run rkhunter, no more errors.
However, I'm still receiving those mails.

Tripple 19th April 2009 21:35

I'd like to start this old topic again because I can't figure out what the problem is.

Every hour at xx:53 there's a mail to root like this:
Subject: [rkhunter] Warnings found for host@domain
Please inspect this machine, because it can be infected

I can't find any cron job that could cause this, so the only way to reproduce this is, I guess, with the command #rkhunter -c --createlogfile, but I can't see any errors in the logfile.

falko 20th April 2009 12:05

What's the output of
Code:

ls -la /etc/cron.hourly
?

Tripple 20th April 2009 17:21

It's empty:

# ls -la /etc/cron.hourly/
totaal 24
drwxr-xr-x 2 root root 4096 apr 19 21:19 .
drwxr-xr-x 103 root root 12288 apr 20 17:16 ..

till 20th April 2009 18:48

rkhunter is run by the ispconfig monitoring system and not by a cronjob. Maybe you selected to receive an email as you installed rkhunter, as I don't receive such emails on my servers.

Tripple 20th April 2009 20:37

Quote:

Originally Posted by till (Post 183137)
rkhunter is run by the ispconfig monitoring system and not by a cronjob. Maybe you selected to receive an email as you installed rkhunter, as I don't receive such emails on my servers.

I followed the perfect setup and forward all root mails to my mailbox.
Strange thing, I'm the only one with this issue.

Could this be the cause: (I'm running CentOS 5.3)
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Or this:
ClamAV update process started at Mon Apr 20 04:02:12 2009
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.94.2 Recommended version: 0.95.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
daily.cld is up to date (version: 9256, sigs: 41364, f-level: 42, builder: guitar)

airton 23rd April 2009 00:49

Please inspect this machine, because it may be infected.

Every hour I receive a message with text:

Please inspect this machine, because it may be infected.
why?

no other warning in /var/log/rkhunter.log:

Code:

[00:02:12] System checks summary
[00:02:12] =====================
[00:02:12]
[00:02:12] File properties checks...
[00:02:12] Files checked: 122
[00:02:12] Suspect files: 0
[00:02:12]
[00:02:12] Rootkit checks...
[00:02:12] Rootkits checked : 112
[00:02:12] Possible rootkits: 0
[00:02:12]
[00:02:12] Applications checks...
[00:02:12] Applications checked: 5
[00:02:12] Suspect applications: 0


edge 23rd April 2009 07:27

Read the complete log file from RKhunter and not just the summary.
Some line(s) will say something about the warning(s).
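One way to do what edge suggests, pulling every warning line out of the full rkhunter log instead of trusting the summary counts (added example, not code from the thread or from ISPConfig; the log lines below are constructed to mirror the warnings quoted earlier in this thread, and the default log path is the /var/log/rkhunter.log airton mentions):

```shell
#!/bin/sh
# Constructed sample of an rkhunter 1.2.x log; the summary section reports
# zero suspect files even though three warnings appear earlier in the file.
RKHUNTER_SAMPLE_LOG="$(mktemp)"
cat > "$RKHUNTER_SAMPLE_LOG" <<'EOF'
[00:02:05] Rootkit Hunter 1.2.9 is running
[00:02:05] Determining OS... Unknown
[00:02:05] Warning: This operating system is not fully supported!
[00:02:05] All MD5 checks will be skipped!
[00:02:08] Checking for hidden files and directories...
[00:02:08] Warning: Hidden directory found: /dev/.udev
[00:02:10] Checking if SSH root access is allowed...
[00:02:10] Warning: root login possible. Change for your safety the 'PermitRootLogin'
[00:02:12] System checks summary
[00:02:12] =====================
[00:02:12] Suspect files: 0
[00:02:12] Possible rootkits: 0
[00:02:12] Suspect applications: 0
EOF

# Print every line of the log that carries a warning, whatever section it is in.
# rkhunter writes "Warning:" (and sometimes "WARNING") on the line of the check
# that failed, so a case-insensitive match over the whole file finds them all.
rkhunter_warnings() {
    grep -i 'warning' "$1" || true
}

# Number of warning lines; anything above 0 is what to triage, even when the
# "Suspect files" / "Possible rootkits" counters in the summary say 0.
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Run against a real log with: sh rkhunter-warnings.sh /var/log/rkhunter.log
LOG="${1:-$RKHUNTER_SAMPLE_LOG}"
echo "Warnings in $LOG: $(rkhunter_warning_count "$LOG")"
rkhunter_warnings "$LOG"
```

The configuration-type warnings (unsupported OS, PermitRootLogin) never increment the summary counters, which is why a log whose summary looks clean can still produce the hourly mail.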

