#1 - 8th April 2009, 20:58 - Tripple (Senior Member) - rkhunter

My fresh ISPConfig 3.0.1.1 installation keeps warning me with rkhunter.

I receive a simple mail with this line:
Please inspect this machine, because it can be infected

No logfile to inspect so I ran rkhunter again:
# rkhunter -c --createlogfile

2 warnings in the logfile:
WARNING, found: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
Warning: root login possible. Change for your safety the 'PermitRootLogin'

I can fix the last warning but what about the first one?
#2 - 9th April 2009, 09:19 - till (Super Moderator)

Never seen the first warning. Did you take a look in the .udev directory?
Till Brehm
#3 - 9th April 2009, 17:38 - Tripple (Senior Member)

Fixed it like this:
https://bugzilla.redhat.com/show_bug.cgi?id=190248

When I run rkhunter, no more errors.
However, I'm still receiving those mails.
#4 - 19th April 2009, 21:35 - Tripple (Senior Member)

I'd like to start this old topic again because I can't figure out what the problem is.

Every hour at xx:53 there's a mail to root like this:
Subject: [rkhunter] Warnings found for host@domain
Please inspect this machine, because it can be infected

I can't find any cron job that could cause this, so the only way to reproduce this is, I guess, with the command rkhunter -c --createlogfile, but I can't see any errors in the logfile.
#5 - 20th April 2009, 12:05 - falko (Super Moderator)

What's the output of
Code:
ls -la /etc/cron.hourly
?
#6 - 20th April 2009, 17:21 - Tripple (Senior Member)

It's empty:

# ls -la /etc/cron.hourly/
totaal 24
drwxr-xr-x 2 root root 4096 apr 19 21:19 .
drwxr-xr-x 103 root root 12288 apr 20 17:16 ..
#7 - 20th April 2009, 18:48 - till (Super Moderator)

rkhunter is run by the ISPConfig monitoring system and not by a cronjob. Maybe you selected to receive an email when you installed rkhunter, as I don't receive such emails on my servers.
#8 - 20th April 2009, 20:37 - Tripple (Senior Member)

Quote: Originally Posted by till
rkhunter is run by the ISPConfig monitoring system and not by a cronjob. Maybe you selected to receive an email when you installed rkhunter, as I don't receive such emails on my servers.

I followed the perfect setup and forward all root mails to my mailbox.
Strange that I'm the only one with this issue.

Could this be the cause? (I'm running CentOS 5.3)
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Or this:
ClamAV update process started at Mon Apr 20 04:02:12 2009
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.94.2 Recommended version: 0.95.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
daily.cld is up to date (version: 9256, sigs: 41364, f-level: 42, builder: guitar)
#9 - 23rd April 2009, 00:49 - airton (Junior Member) - Please inspect this machine, because it may be infected.

Every hour I receive a message with this text:

Please inspect this machine, because it may be infected.
Why?

No other warning in /var/log/rkhunter.log:

Code:
[00:02:12] System checks summary
[00:02:12] =====================
[00:02:12]
[00:02:12] File properties checks...
[00:02:12] Files checked: 122
[00:02:12] Suspect files: 0
[00:02:12]
[00:02:12] Rootkit checks...
[00:02:12] Rootkits checked : 112
[00:02:12] Possible rootkits: 0
[00:02:12]
[00:02:12] Applications checks...
[00:02:12] Applications checked: 5
[00:02:12] Suspect applications: 0
#10 - 23rd April 2009, 07:27 - edge (Moderator)

Read the complete log file from rkhunter, not just the summary.
Some line(s) will say something about the warning(s).
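The check edge describes, as an added example that is not from this thread: the summary block can show zero suspect files and zero rootkits while the actual "Warning:" lines sit earlier in /var/log/rkhunter.log, so pull those lines out directly. The log excerpt below is constructed for the demonstration (modelled on the warnings quoted in post #1), not a real log from the poster's server.

```shell
#!/bin/sh
# Constructed rkhunter log excerpt: two warnings followed by a "clean" summary.
# Real logs live in /var/log/rkhunter.log; pass a path via RKLOG to use one.
RKLOG="${RKLOG:-$(mktemp)}"
cat > "$RKLOG" <<'EOF'
[00:02:10]   Checking for hidden files and directories            [ Warning ]
[00:02:10] Warning: Hidden directory found: /dev/.udev
[00:02:11]   Checking if SSH root access is allowed               [ Warning ]
[00:02:11] Warning: The SSH configuration option 'PermitRootLogin' is set to 'yes'.
[00:02:12] System checks summary
[00:02:12] =====================
[00:02:12] Suspect files: 0
[00:02:12] Possible rootkits: 0
EOF

# Print every line rkhunter marked as a warning, with the timestamp stripped.
rkhunter_warnings() {
    grep -i 'warning' "$1" | sed 's/^\[[0-9:]*\] *//'
}

# Count the detailed "Warning:" lines; any non-zero count is what makes the
# hourly monitor mail say "please inspect this machine".
rkhunter_warning_count() {
    rkhunter_warnings "$1" | grep -c '^Warning:'
}

rkhunter_warnings "$RKLOG"
echo "detailed warnings: $(rkhunter_warning_count "$RKLOG")"
```

Run it against the real file with RKLOG=/var/log/rkhunter.log after clearing the constructed heredoc, or simply keep the two functions and call them on the real path.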