#21  
10th June 2009, 03:27
dragons
Junior Member
Join Date: Mar 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts

I have done that and I am getting the emails to inspect the machine, because it can be infected. Below is a copy of the scan:

Quote:
Rootkit Hunter 1.2.9 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Skipped!


Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Skipped ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces... [ OK ]


System checks
* Allround tests
Checking hostname... Found. Hostname is buildfits2.buildfit.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing ........
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]


Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.4.5 [ OK ]
- Apache 2.2.3 [ OK ]
- Bind DNS 9.3.4-P1 [ Unknown ]
- OpenSSL 0.9.8e-fips-rhel5 [ Unknown ]
- PHP 5.1.6 [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 4.3p2 [ OK ]

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.


Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]


---------------------------- Scan results ----------------------------

MD5 scan
Skipped

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 568 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.

-----------------------------------------------------------------------
Thanks for your help
  #22  
15th June 2009, 04:03
dragons
Junior Member
Join Date: Mar 2009
Posts: 18
Thanks: 2
Thanked 0 Times in 0 Posts

I still have not figured out how to solve the issue rkhunter has, so I can stop the warning emails. What else should I be looking for?
I don't wish to turn off email notification because I want to know if something is wrong, but I am getting 24 emails a day from the hourly cron job that does the scan.
  #23  
13th May 2014, 23:03
cbj4074
Senior Member
Join Date: Nov 2010
Posts: 392
Thanks: 29
Thanked 58 Times in 50 Posts

Sorry to resurrect this old thread, but it is still entirely relevant.

I will preface my post by saying that I realize that this warning message can result from any number of different causes. My intention here is to provide basic troubleshooting steps that should help users identify the cause in each particular case.

Sometime in the last couple of months, this problem began for me, too. I managed to find the cause, which was rather ambiguous (and the result of an actual bug in the rkhunter source), so I thought I'd share with others, especially given that this thread is the first result for a relevant search on Google.

In short, every day as of late, I receive an email with the subject "[rkhunter] Warnings found for hostname" (where hostname is the machine's actual hostname) with the following in the body:

Code:
Please inspect this machine, because it may be infected.

I tried to locate the actual script that is running every day. Till stated earlier in this thread that ISPConfig executes rkhunter scans via the ISPConfig Monitoring system, and not via cron. So, don't bother looking in /etc/cron/* (there are other rkhunter scripts in there, but not the one from which this warning results).

So, I clicked "Show RKHunter-Log" in the ISPConfig Monitor, and indeed the summary mentions one or more warnings:

Code:
System checks summary
=====================

File properties checks...
Files checked: 137
Suspect files: 0

Rootkit checks...
Rootkits checked : 247
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 47 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

This is the key step in finding the offending rkhunter test/rule that is throwing the warning:

Code:
# grep -i "warning" /var/log/rkhunter.log
[16:00:10] Info: Emailing warnings to 'root@example.com' using command '/usr/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[16:00:11] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.

There we have it; the warning is probably due to an outdated update URL, and is described in this rkhunter bug report: http://sourceforge.net/p/rkhunter/bugs/105/

So, in my case, the fix appears to be updating rkhunter to the latest version, in which this should be fixed.

As a point of note, be advised that running a scan with

Code:
# rkhunter -c --createlogfile

can yield different results than when ISPConfig runs an rkhunter scan. More specifically, when I scan using the above command, no warnings are found, presumably because "rkhunter -c" doesn't attempt the network updates as part of the scanning process, which ISPConfig does attempt (presumably with something like "rkhunter --versioncheck --update --cronjob").

Here are the results with just "rkhunter -c":

Code:
System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 247
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 3 minutes and 5 seconds

All results have been written to the log file (/var/log/rkhunter.log)

No warnings were found while checking the system.

Last edited by cbj4074; 13th May 2014 at 23:08.
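As an added example (not from this thread or from the rkhunter project), here is a small POSIX shell helper that pulls the "Warning:" entries out of an rkhunter log and separates download/update failures like the i18n.ver one above from warnings that actually deserve the "please inspect this machine" mail. The log lines it runs on are constructed here to mirror the ones quoted in the post, and the "[HH:MM:SS] Warning:" line format is an assumption taken from that output. Note that `grep -i "warning"` also matches the Info line about e-mailing warnings (visible in the output above), so the helper keys on the severity field instead.

```shell
#!/bin/sh
# Added example, not part of the thread or of rkhunter itself.
# Summarise the Warning lines of an rkhunter log and separate
# download/update failures (a noisy, non-infection cause) from the rest.
# Assumes rkhunter's "[HH:MM:SS] Warning: <text>" line format.

# Constructed sample log, mirroring the lines quoted in the post.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[16:00:09] Info: Starting rootkit checks
[16:00:10] Info: Emailing warnings to 'root@example.com' using command '/usr/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[16:00:11] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[16:00:12] Warning: The file properties have changed:
[16:00:12]          File: /bin/ls
[16:00:13] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
EOF

# Print only genuine "Warning:" entries.  A case-insensitive grep for
# "warning" would also match the Info line about e-mailing warnings, so
# anchor on the timestamp and the severity field instead.
rkh_warnings() {
    grep -E '^\[[0-9:]+\] Warning: ' "$1"
}

# Count warnings caused by failed downloads (update/versioncheck problems);
# these point at a stale mirror or update URL, not at the host.
rkh_download_warnings() {
    rkh_warnings "$1" | grep -c 'Warning: Download of ' || true
}

# Count every other warning: changed file properties, suspicious files and
# so on.  These are the ones worth an "inspect this machine" e-mail.
rkh_other_warnings() {
    rkh_warnings "$1" | grep -vc 'Warning: Download of ' || true
}

printf 'download-related warnings: %s\n' "$(rkh_download_warnings "$SAMPLE_LOG")"
printf 'other warnings:            %s\n' "$(rkh_other_warnings "$SAMPLE_LOG")"
```

Point the helper at /var/log/rkhunter.log to triage a real run; only a non-zero "other warnings" count should interrupt anyone.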
All times are GMT +2.