#11  
Old 24th April 2009, 10:36
airton airton is offline
Junior Member
 
Join Date: Jan 2009
Posts: 7
Thanks: 0
Thanked 10 Times in 4 Posts
Thanks edge for your suggestion.
In my log I've found:

Checking for hidden processes [ Warning ]
Warning: Hidden processes found: 30562

but maybe it could be a false positive, as stated in
http://ubuntuforums.org/showthread.php?t=796192; in fact I cannot cd into /proc/pid, and if I execute rkhunter --check now no hidden process is reported.

I've built the following script to test unhide (used by rkhunter to discover hidden processes):

Code:
#!/bin/sh
# Snapshot the process table first, then re-check every PID that unhide
# reports as hidden: a PID with no /proc entry but a line in the snapshot
# is a process that simply exited between the two scans (false positive).
ps -ef > processes.txt
unhide brute | grep 'Found HIDDEN PID' | while read -r line
do
	#echo "$line"
	pid=$(echo "$line" | awk '{ print $4 }')
	echo
	echo "Hidden PID: [$pid]"

	echo "Testing dir /proc/$pid"
	if [ -d "/proc/$pid" ]; then
		# cmdline is NUL-separated; make the arguments readable
		tr '\0' ' ' < "/proc/$pid/cmdline"; echo
	else
		echo "... Not Found (good)"
	fi

	echo "Testing processes list"
	# \b keeps PID 2024 from matching 20248
	pcregrep "\\w\\s+$pid\\b" processes.txt
done
and this is a sample result:

Code:
Hidden PID: [20248]
Testing dir /proc/20248
... Not Found (good)
Testing processes list
postfix  20248 23453  0 10:30 ?        00:00:00 showq -t unix -u -c
Sometimes the "hidden" process cannot be identified... but everything seems to confirm the theory of a false positive.
I'd like to avoid it!
  #12  
Old 1st May 2009, 02:06
ggarcia24 ggarcia24 is offline
Junior Member
 
Join Date: Nov 2007
Posts: 20
Thanks: 1
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by till View Post
rkhunter is run by the ispconfig monitoring system and not by a cronjob. Maybe you selected to receive an email as you installed rkhunter, as I don't receive such emails on my servers.
Is there some way to run it more spaced out? rkhunter is running every 30 min and I get 95% CPU usage... can I at least make it run every 2 hours?
  #13  
Old 1st May 2009, 12:00
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,340
Thanks: 810
Thanked 5,167 Times in 4,051 Posts
This has already been changed in svn, please see the svn log for details.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #14  
Old 2nd May 2009, 07:09
ggarcia24 ggarcia24 is offline
Junior Member
 
Join Date: Nov 2007
Posts: 20
Thanks: 1
Thanked 0 Times in 0 Posts
Thank you very much! I've added the changes manually, thanks!
  #15  
Old 9th June 2009, 03:35
dragons dragons is offline
Junior Member
 
Join Date: Mar 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts
I have exactly the same issue with ispconfig3 and rkhunter, with the same warnings. I uncommented the lines in rkhunter.conf that refer to the issues in the warnings, but I still get the warnings and the emails every hour. I know how to stop the emails, but I really want to stop the warning by fixing the problem.
It's a brand new CentOS 5.3 server install using the howto from here on ispconfig3 and CentOS 5.3.

The warning is the same as the others:

Quote:
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.hosts.swp /usr/share/man/man1/..1.gz /dev/.udev
---------------
Please inspect: /etc/.hosts.swp (data)
rkhunter.conf is as follows:

Code:
# This is the configuration file of Rootkit Hunter. Please change
# it to your needs.
#
# All lines beginning with a hash (#) or empty lines, will be ignored.
#
INSTALLDIR=/usr

# Links to files. Don't change if you don't need to.
LATESTVERSION=/rkhunter_latest.dat
UPDATEFILEINFO=/rkhunter_fileinfo.dat

# Send a warning message to the admin when one or more warnings
# are available (rootkit and MD5 check). Note: uses default 
# commmand to send the warning message.
MAIL-ON-WARNING=(my email address)

# Use a custom temporary directory (you can override it with the
# --tmpdir parameter)
# Note: don't use /tmp as your temporary directory, because some
# important files will be written to this directory. Be sure
# you have setup your permissions very tight.
TMPDIR=/var/rkhunter/tmp

# Use a custom database directory (you can override it with the
# --dbdir parameter)
DBDIR=/var/rkhunter/db

# Whitelist files (and their MD5 hash)
# Usage: MD5WHITELIST=<binary>:<MD5 hash>
#MD5WHITELIST=/bin/ps:9bd8bf260adc81d3a43a086fce6b430a
#MD5WHITELIST=/bin/ps:404583a6b166c2f7ac1287445a9de6b3

# Allow direct root login via SSH
# Don't use this option if you don't know what the warning about
# this option means!!
ALLOW_SSH_ROOT_USER=0

# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
#
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
#ALLOWHIDDENDIR=/dev/.static
#ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
# 
#ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
#ALLOWHIDDENFILE=/etc/.init.state

# Allow process to use deleted files
# One process per line (use multiple ALLOWPROCDELFILE lines)
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld

# Allow process to listen on any interface
# One process per line (use multiple ALLOWPROCLISTEN lines)
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/pppoe
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant

# The End
edit:
and the .hosts.swp file only has this in it:

Code:
b0VIM 7.0
  #16  
Old 9th June 2009, 04:05
dragons dragons is offline
Junior Member
 
Join Date: Mar 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts
OK, I sorted out one of the warnings by adding this line to rkhunter.conf:

Code:
ALLOWHIDDENFILE=/etc/.hosts.swp
I now just have one warning about root logins, as follows:

Quote:
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
and sshd_config has this:

Code:
# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
What should this setting be? I am assuming this is what is spitting out the error and sending me the email with the following quote:

Quote:
Please inspect this machine, because it can be infected
  #17  
Old 9th June 2009, 05:06
dragons dragons is offline
Junior Member
 
Join Date: Mar 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts
OK, finally happy: after more searching around I have fixed all the issues.
I had to modify sshd_config:

Quote:
Protocol 2
PermitRootLogin no
and restart sshd.

I ran the rkhunter -c scan again; it returned no warnings, and this time I did not receive the email, meaning the hourly scan will now stop harassing me by email unless there is a problem.

Thanks to you guys for some of the previous posts, which did eventually give me clues as to sorting out what the underlying issue was, as searches on the warnings generally show up more confused souls lol
  #18  
Old 9th June 2009, 05:49
ggarcia24 ggarcia24 is offline
Junior Member
 
Join Date: Nov 2007
Posts: 20
Thanks: 1
Thanked 0 Times in 0 Posts
If my memory doesn't fail me, the .hosts.swp is a file that vi or vim creates when the hosts file is opened, but if vi or vim closes unexpectedly this file remains, so if you remove it everything will be fine...

I believe that something similar must happen with the .pwd.lock file.

I definitely have to recommend that you don't add any hidden file unless, of course, you know what you are doing.

About allowing or not allowing root to login via ssh, everybody has their tastes (if you have sudo/su you don't need root ssh access). But of course always have a very strong password for root (something like "xEw-Rki66;5vb4").
  #19  
Old 9th June 2009, 08:40
dragons dragons is offline
Junior Member
 
Join Date: Mar 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts
Hi ggarcia24, thanks for the reply.

Do you think I should remove the "ALLOWHIDDENFILE=/etc/.hosts.swp" exception I put in rkhunter.conf for ".hosts.swp" and delete the "b0VIM 7.0" entry in the ".hosts.swp" to fix the warning error instead?
  #20  
Old 9th June 2009, 12:48
ggarcia24 ggarcia24 is offline
Junior Member
 
Join Date: Nov 2007
Posts: 20
Thanks: 1
Thanked 0 Times in 0 Posts
Yes, but don't remove the content, just remove the whole file... I'm sure that's a temporary file for vi.
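Added example, not code from any poster in this thread: a small POSIX sh triage for the paths rkhunter lists under the hidden-files warning, using the "b0VIM" magic that ggarcia24 and dragons discuss to tell a stale Vim swap file (to be deleted) from the files expected on this CentOS 5.3 box (safe to whitelist). The expected-path list, the exit codes and the sample block are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: triage the paths rkhunter lists
# under "Scanning for hidden files ... [ Warning! ]". A Vim swap file begins
# with the magic string "b0VIM"; a stale one (editor killed while /etc/hosts
# was open) should be deleted, not whitelisted with ALLOWHIDDENFILE.
# Exit codes (constructed): 0 = benign or gone, 1 = stale swap file, 2 = inspect.

triage_hidden() {
    path=$1
    case "$path" in
        # Hidden files the thread identifies as normal on this CentOS 5.3 box
        /etc/.pwd.lock|/dev/.udev|/usr/share/man/man1/..1.gz)
            echo "$path: expected system file, safe to whitelist"
            return 0 ;;
    esac
    if [ ! -e "$path" ]; then
        echo "$path: no longer present, nothing to do"
        return 0
    fi
    # Read only the first five bytes; dd is POSIX, head -c is not
    magic=$(dd if="$path" bs=5 count=1 2>/dev/null || :)
    if [ "$magic" = "b0VIM" ]; then
        echo "$path: stale Vim swap file, remove it (check no editor holds it)"
        return 1
    fi
    echo "$path: unknown hidden file, inspect before whitelisting"
    return 2
}

# Feed the whole warning block on stdin; rkhunter may print several paths
# on one line, so split on whitespace and keep tokens that look like paths.
# Returns the worst verdict seen.
triage_block() {
    worst=0
    for p in $(tr ' ' '\n' | grep '^/' || :); do
        triage_hidden "$p" && rc=0 || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Constructed sample, shaped like the warning quoted in the thread
SAMPLE='---------------
/etc/.pwd.lock
/etc/.hosts.swp /usr/share/man/man1/..1.gz /dev/.udev
---------------'
printf '%s\n' "$SAMPLE" | triage_block || :
```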