Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 18th December 2012, 22:36
stigge2000 stigge2000 is offline
Member
 
Join Date: Jul 2006
Posts: 32
Thanks: 10
Thanked 1 Time in 1 Post
Send a message via Skype™ to stigge2000
Default scriptdir and bindir in RKHUNTER

Hi!

The last couple of weeks the rkhunter log tells me that there is something wrong and i can't figure out what it is, so now i turn to you guys for help.

Code:
[root@dns1 /]# rkhunter --propupd
Invalid SCRIPTDIR configuration option: Invalid pathname: Binaryfile/etc/rkhunter.confmatches
and when i run --config-check

Code:
[root@dns1 /]# rkhunter --config-check
Invalid SCRIPTDIR configuration option: Invalid pathname: Binaryfile/etc/rkhunter.confmatches
Installation directory does not exist: Binaryfile/etc/rkhunter.confmatches
Invalid LOGFILE configuration option: Invalid pathname: Binaryfile/etc/rkhunter.confmatches
Invalid TMPDIR configuration option: Invalid pathname: Binaryfile/etc/rkhunter.confmatches
Invalid DBDIR configuration option: Invalid pathname: Binaryfile/etc/rkhunter.confmatches
The internationalisation directory does not exist: Binaryfile/etc/rkhunter.confmatches/i18n
Invalid AUTO_X_DETECT configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
/usr/bin/rkhunter: line 2719: [: Binaryfile/etc/rkhunter.confmatches: integer expression expected
Invalid COLOR_SET2 configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid WHITELISTED_IS_WHITE configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid USE_LOCKING configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Unknown enabled test name given: binary
Unknown enabled test name given: file
Unknown enabled test name given: /etc/rkhunter.conf
Unknown enabled test name given: matches
Unknown disabled test name in the configuration file: Binary
Unknown disabled test name in the configuration file: file
Unknown disabled test name in the configuration file: /etc/rkhunter.conf
Unknown disabled test name in the configuration file: matches
Invalid MAIL_CMD configuration option - command 'Binary' is non-existent or not executable.
Invalid ALLOW_SSH_PROT_V1 configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid ALLOW_SYSLOG_REMOTE_LOGGING configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid syslog facility/priority value: binaryfile/etc/rkhunter.confmatches
Invalid ROOTKIT_PHALANX2_DIRTESTVAL configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Binary
Invalid ALLOWDEVFILE configuration option: Invalid pathname: file
Invalid ALLOWDEVFILE configuration option: Invalid pathname: matches
Invalid ALLOWHIDDENFILE configuration option: Invalid pathname: Binary
Invalid ALLOWHIDDENFILE configuration option: Invalid pathname: file
Invalid ALLOWHIDDENFILE configuration option: Invalid pathname: matches
Invalid ALLOWHIDDENDIR configuration option: Invalid pathname: Binary
Invalid ALLOWHIDDENDIR configuration option: Invalid pathname: file
Invalid ALLOWHIDDENDIR configuration option: Not a directory: /etc/rkhunter.conf
Invalid ALLOWHIDDENDIR configuration option: Invalid pathname: matches
Invalid package manager given: BINARYFILE/ETC/RKHUNTER.CONFMATCHES
Invalid IMMUTABLE_SET configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid SCRIPTWHITELIST configuration option: Invalid pathname: Binary
Invalid SCRIPTWHITELIST configuration option: Invalid pathname: file
Invalid SCRIPTWHITELIST configuration option: Invalid pathname: matches
Invalid ROTATE_MIRRORS configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Invalid MIRRORS_MODE configuration option: not a valid number: Binaryfile/etc/rkhunter.confmatches
Unknown configuration file option: Binary file /etc/rkhunter.conf matches
I tried to update rkhunter via yum update but that didnt change a thing
__________________
Regards
S.Jensen

FB: http://facebook.com/stigge2000
Twitter: http://twitter.com/StigJensen
Skype: stigge2000
Reply With Quote
Sponsored Links
  #2  
Old 19th December 2012, 10:57
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,744 Times in 2,577 Posts
Default

Can you post the contents of /etc/rkhunter.conf?

Has that file been modifed recently (maybe by someone else)?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 19th December 2012, 21:29
stigge2000 stigge2000 is offline
Member
 
Join Date: Jul 2006
Posts: 32
Thanks: 10
Thanked 1 Time in 1 Post
Send a message via Skype™ to stigge2000
Default

Here is the rkhunter.conf

Code:
#
# This is the main configuration file for Rootkit Hunter.
#
# You can either modify this file directly, or you can create a local
# configuration file. The local file must be named 'rkhunter.conf.local',
# and must reside in the same directory as this file. Please modify one
# or both files to your own requirements. It is suggested that the
# command 'rkhunter -C' is run after any changes have been made.
#
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, are ignored.
# End-of-line comments are not supported.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#
# Some of the options are space-separated lists of pathnames. If
# wildcard characters (globbing) are allowed in the list, then the
# text describing the option will say so.
#


#
# If this option is set to 1, it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
# options are used, is to be rotated. Rotating the entries in the file
# allows a basic form of load-balancing between the mirror sites whenever
# the above options are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror listed will always be used
# first. The second mirror will only be used if the first mirror fails,
# the third mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to 0.
#
ROTATE_MIRRORS=1

#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1

#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
#     0 - use any mirror (the default)
#     1 - only use local mirrors
#     2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0

#
# Email a message to this address if a warning is found when the
# system is being checked. Multiple addresses may be specified
# simply be separating them with a space. Setting this option to
# null disables the option.
#
# NOTE: This option should be present in the configuration file.
#
#MAIL-ON-WARNING=me@mydomain   root@mydomain
MAIL-ON-WARNING="info@sentig.com"

#
# Specify the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but
# are required around the subject line if it contains spaces.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

#
# Specify the temporary directory to use.
#
# NOTE: Do not use /tmp as your temporary directory. Some
# important files will be written to this directory, so be
# sure that the directory permissions are tight.
#
#TMPDIR=/var/lib/rkhunter/tmp
TMPDIR=/var/lib/rkhunter

#
# Specify the database directory to use.
#
#DBDIR=/var/lib/rkhunter/db
DBDIR=/var/lib/rkhunter/db

#
# Specify the script directory to use.
#
#SCRIPTDIR=/usr/local/lib/rkhunter/scripts
SCRIPTDIR=/usr/share/rkhunter/scripts
#
# Specify the root directory to use.
#
#ROOTDIR=""

#
# This option can be used to modify the command directory list used
# by rkhunter to locate commands (that is, its PATH). By default
# this will be the root PATH, and an internal list of some common
# command directories.
#
# Any directories specified here will, by default, be appended to the
# default list. However, if a directory name begins with the '+'
# character, then that directory will be prepended to the list (that
# is, it will be put at the start of the list).
#
# This is a space-separated list of directory names. The option may
# be specified more than once.
#
#BINDIR="/bin /usr/bin /sbin /usr/sbin"
#BINDIR="+/usr/local/bin +/usr/local/sbin"

#
# Specify the default language to use. This should be similar
# to the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
#       rkhunter --lang en --list languages
#
#LANGUAGE=en

#
# This option is a space-separated list of the languages that are to
# be updated when the '--update' option is used. If unset, then all
# the languages will be updated. If none of the languages are to be
# updated, then set this option to just 'en'.
#
# The default is for all the languages to be updated. The default
# language, specified above, and the English (en) language file will
# always be updated regardless of this option.
#
UPDATE_LANG=""

#
# Specify the log file pathname.
#
# NOTE: This option should be present in the configuration file.
#
LOGFILE=/var/log/rkhunter/rkhunter.log

#
# Set the following option to 1 if the log file is to be appended to
# whenever rkhunter is run.
#
APPEND_LOG=1

#
# Set the following option to 1 if the log file is to be copied when
# rkhunter finishes and an error or warning has occurred. The copied
# log file name will be appended with the current date and time
# (in YYYY-MM-DD_HH:MM:SS format).
# For example: rkhunter.log.2009-04-21_00:57:51
#
COPY_LOG_ON_ERROR=0

#
# Set the following option to enable the rkhunter check start and finish
# times to be logged by syslog. Warning messages will also be logged.
# The value of the option must be a standard syslog facility and
# priority, separated by a dot.  For example:
#
#     USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
USE_SYSLOG=authpriv.notice

#
# Set the following option to 1 if the second colour set is to be used.
# This can be useful if your screen uses black characters on a white
# background (for example, a PC instead of a server).
#
COLOR_SET2=0

#
# Set the following option to 0 if rkhunter should not detect if X is
# being used. If X is detected as being used, then the second colour
# set will automatically be used.
#
AUTO_X_DETECT=1

#
# Set the following option to 1 if it is wanted that any 'Whitelisted'
# results are shown in white rather than green. For colour set 2 users,
# setting this option will cause the result to be shown in black.
#
WHITELISTED_IS_WHITE=0

#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not
# match. However, if a value has not been set in the SSH configuration
# file, then a value here of 'unset' can be used to avoid warning messages.
# This option has a default value of 'no'.
#
ALLOW_SSH_ROOT_USER=unset

#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. This option has a default value of '0'.
#
ALLOW_SSH_PROT_V1=2

#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SSH_CONFIG_DIR=/etc/ssh

#
# These two options determine which tests are to be performed.
# The ENABLE_TESTS option can use the word 'all' to refer to all the
# available tests. The DISABLE_TESTS option can use the word 'none' to
# mean that no tests are disabled. The list of disabled tests is applied to
# the list of enabled tests. Both options are space-separated lists of test
# names. The currently available test names can be seen by using the command
# 'rkhunter --list tests'.
#
# The program defaults are to enable all tests and disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered
# "advanced" or that are prone to produce more than the average number of
# false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"

#
# The HASH_FUNC option can be used to specify the command to use
# for the file hash value check. It can be specified as just the
# command name or the full pathname. If just the command name is
# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
# SHA512, then rkhunter will first look for the relevant command,
# such as 'sha256sum', and then for 'sha256'. If neither of these
# are found, it will then look to see if a perl module has been
# installed which will support the relevant hash function. To see
# which perl modules have been installed use the command
# 'rkhunter --list perl'.
#
# The default is SHA1, or MD5 if SHA1 cannot be found.
#
# Systems using prelinking are restricted to using either the
# SHA1 or MD5 function.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that
# no hash function should be used. Rootkit Hunter will detect this and
# automatically disable the file hash checks.
#
# Examples:
#   For Solaris 9 : HASH_FUNC=gmd5sum
#   For Solaris 10: HASH_FUNC=sha1sum
#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
#   For NetBSD    : HASH_FUNC="cksum -a sha512"
#
# NOTE: If the hash function is changed then you MUST run rkhunter with
# the '--propupd' option to rebuild the file properties database.
#
#HASH_FUNC=sha1sum

#
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
# command output contains the hash value. The fields are assumed to
# be space-separated. The default value is 1, but for *BSD users
# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
# has not been set. The option value must be an integer greater
# than zero.
#
#HASH_FLD_IDX=4

#
# The PKGMGR option tells rkhunter to use the specified package manager
# to obtain the file property information. This is used when updating
# the file properties file ('rkhunter.dat'), and when running the file
# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
# get information from the RPM database. For Debian-based systems 'DPKG'
# can be used, for *BSD systems 'BSD' can be used, and for Solaris
# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
# indicates that no package manager is to be used. The default is 'NONE'.
#
# The current package managers, except 'SOLARIS', store the file hash
# values using an MD5 hash function. The Solaris package manager includes
# a checksum value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values. The 'SOLARIS' also provides
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
# HASH_FUNC hash function instead.
#
# Whenever this option is changed 'rkhunter --propupd' must be run.
#
#PKGMGR=NONE
PKGMGR=RPM

#
# It is possible that a file which is part of a package may be modified
# by the administrator. Typically this occurs for configuration files.
# However, the package manager may list the file as being modified. For
# the RPM package manager this may well depend on how the package was
# built. This option specifies those pathnames which are to be exempt
# from the package manager verification process, and which will be treated
# as non-packaged files. As such, the file properties are still checked.
#
# This option only takes effect if the PKGMGR option has been set, and
# is not 'NONE'.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
# Whenever this option is changed 'rkhunter --propupd' must be run.
#
#PKGMGR_NO_VRFY=""

#
# This option can be used to tell rkhunter to ignore any prelink
# dependency errors for the given commands. However, a warning will also
# be issued if the error does not occur for a given command. As such
# this option must only be used on commands which experience a persistent
# problem.
#
# Short-term prelink dependency errors can usually be resolved simply by
# running the 'prelink' command on the given pathname.
#
# NOTE: The command 'rkhunter --propupd' must be run whenever this option
# is changed.
#
# This is a space-separated list of command pathnames. The option can be
# specified more than once.
#
#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"

#
# If the 'SOLARIS' package manager is used, then it is possible to use
# the checksum (hash) value stored for a file. However, this is only a
# 16-bit checksum, and as such is not nearly as secure as, for example,
# a SHA-2 value. For that reason, the checksum is not used by default,
# and the hash function given by HASH_FUNC is used instead. To enable
# this option, set its value to 1. The Solaris 'sum' command must be
# present on the system if this option is used.
#
#USE_SUNSUM=0

#
# This option is a space-separated list of commands, directories and file
# pathnames. This option can be specified more than once.
#
# Whenever this option is changed, 'rkhunter --propupd' must be run.
#
# Simple command names - for example, 'top' - and directory names are
# added to the internal list of directories to be searched for each of
# the command names in the command list. Additionally, full pathnames
# to files, which need not be commands, may be given. Any files or
# directories which are already part of the internal lists will be
# silently ignored from the configuration.
#
# Normal globbing wildcards are allowed, except for simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by preceding their name with an
# exclamation mark (!). For example, '!/opt/top'. By combining this
# with wildcarding, whole directories can be excluded. For example,
# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
#
# NOTE: Only files and directories which have been added by the user,
# and are not part of the internal lists, can be excluded. So, for
# example, it is not possible to exclude the 'ps' command by using
# '!/bin/ps'. These will be silently ignored from the configuration.
#
#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"

#
# This option whitelists files and directories from existing,
# or not existing, on the system at the time of testing. This
# option is used when the configuration file options themselves
# are checked, and during the file properties check, the hidden
# files and directories checks, and the filesystem check of the
# '/dev' directory.
#
# This is a space-separated list of pathnames. The option may be
# specified more than once. The option may use wildcard characters,
# but be aware that this is probably not what you want to do as the
# wildcarding will be expanded after files have been deleted. As
# such deleted files won't be whitelisted if wildcarded.
#
# NOTE: The user must take into consideration how often the file will
# appear and disappear from the system in relation to how often
# rkhunter is run. If the file appears, and disappears, too often
# then rkhunter may not notice this. All it will see is that the file
# has changed. The inode-number and DTM will certainly be different
# for each new file, and rkhunter will report this.
#
#EXISTWHITELIST=""

#
# Whitelist various attributes of the specified files.
# The attributes are those of the 'attributes' test.
# Specifying a file name here does not include it being
# whitelisted for the write permission test (see below).
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ATTRWHITELIST="/bin/ps /usr/bin/date"

#
# Allow the specified commands to have the 'others'
# (world) permission have the write-bit set.
#
# For example, files with permissions r-xr-xrwx
# or rwxrwxrwx.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#WRITEWHITELIST="/bin/ps /usr/bin/date"

#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
#SCRIPTWHITELIST="/usr/bin/groups"
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown

#
# Allow the specified commands to have the immutable attribute set.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"

#
# If this option is set to 1, then the immutable-bit test is
# reversed. That is, the files are expected to have the bit set.
#
IMMUTABLE_SET=0

#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.udev /dev/.udevdb /dev/.udev.tdb"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.initramfs"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/dev/.mdadm"
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/dev/.SRC-unix
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/dev/.systemd

#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
# 
#ALLOWHIDDENFILE="/etc/.java"
#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
#ALLOWHIDDENFILE="/etc/.pwd.lock"
#ALLOWHIDDENFILE="/etc/.init.state"
#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac

#
# Allow the specified processes to use deleted files. The
# process name may be followed by a colon-separated list of
# full pathnames. The process will then only be whitelisted
# if it is using one of the given files. For example:
#
#     ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
#ALLOWPROCDELFILE="/usr/libexec/gconfd-2"
#ALLOWPROCDELFILE="/usr/sbin/mysqld"

#
# Allow the specified processes to listen on any network interface.
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
#ALLOWPROCLISTEN="/usr/local/bin/wpa_supplicant"

#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may
# be specified more than once.
#
#ALLOWPROMISCIF="eth0"

#
# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH

#
# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
# perform a basic check, or a more thorough check. If the option is set to 0,
# then a basic check is performed. If it is set to 1, then all the directries
# in the /etc and /usr directories are scanned. The default value is 0. Users
# should note that setting this option to 1 will cause the test to take longer
# to complete.
#
PHALANX2_DIRTEST=0

#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map

#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf

#
# Allow the following enabled inetd services.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
#     INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#     INETD_ALLOWED_SVC=imaps
#     INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
#     INETD_ALLOWED_SVC=/network/rpc/meta
#     INETD_ALLOWED_SVC=/network/rpc/metamed
#     INETD_ALLOWED_SVC=/application/font/stfsloader
#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
#INETD_ALLOWED_SVC=echo

#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf

#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo

#
# This option tells rkhunter the local system startup file pathnames.
# The directories will be searched for files. By default rkhunter
# will use certain filenames and directories. If the option is set
# to 'none', then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames.
# The option may be specified more than once. The option may use
# wildcard characters.
#
#STARTUP_PATHS="/etc/rc.d /etc/rc.local"

#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set. Users of TCB shadow files
# should not set this option.
#
#PASSWORD_FILE=/etc/shadow

#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. The 'root' account does not need to
# be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
# NOTE: For *BSD systems you will probably need to use this option
# for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty"

#
# Allow the following accounts to have no password. NIS/YP entries do
# not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
#PWDLESS_ACCOUNTS="abc"

#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set. A value of 'NONE' can be used to indicate
# that there is no configuration file, but that the syslog daemon process
# may be running.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf

#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0

#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option may be specified more than once, and is a
# space-separated list consisting of the application names. If a specific
# version is to be whitelisted, then the name must be followed by a colon
# and then the version number. For example:
#
#     APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
#
# Note above that for the Apache web server, the name 'httpd' is used.
#
#APP_WHITELIST=""

# 
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has 
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd"). 
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once.
#
#SUSPSCAN_DIRS="/tmp /var/tmp"
SUSPSCAN_DIRS="/tmp /var/tmp"

#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm

#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000

#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary. 
#
SUSPSCAN_THRESH=200

#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. This option may be specified
# more than once. The option is a space-separated list of one or more
# of four types of whitelisting. These are:
#
#   1) a 'protocol:port' pair       (e.g. TCP:25)
#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
#   3) a combined pathname, protocol and port
#                                   (e.g. /usr/sbin/squid:TCP:3801)
#   4) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter
# can locate as a command, is whitelisted. (See BINDIR in this file.)
#
# For example:
#
#     PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
# NOTE: In order to whitelist a pathname, or use the asterisk option,
# the 'lsof' command must be present.
#
#PORT_WHITELIST=""

#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/release"

#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the various rootkit
# and malware checks. If the file or directory name contains a space, then
# the percent character ('%') must be used instead. Only existing files and
# directories can be specified, and these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with
# just a colon appended. For example:
#
#     RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# These are space-separated lists of file and directory pathnames.
# The options may be specified more than once.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""

#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This is a space-separated list of library pathnames.
# The option may be specified more than once.
#
#SHARED_LIB_WHITELIST="/lib/snoopy.so"

#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN

#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU date command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
#EPOCH_DATE_CMD=""

#
# This setting tells rkhunter the directory containing the available
# Linux kernel modules. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#MODULES_DIR=""
#
#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
#     WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports
# the HTTP protocol:
#
#     WEB_CMD="ftp -o -"
#
#WEB_CMD=""

#
# Set the following option to 0 if you do not want to receive a warning if
# any O/S information has changed since the last run of 'rkhunter --propupd'.
# The warnings occur during the file properties check. The default is to
# issue a warning if something has changed.
#
#WARN_ON_OS_CHANGE=1

#
# Set the following option to 1 if you want rkhunter to automatically run
# a file properties update ('--propupd') if the O/S has changed. Detection
# of an O/S change occurs during the file properties check. The default is
# not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply
# by running 'rkhunter --propupd' at least once.
#
#UPDT_ON_OS_CHANGE=0

#
# Set the following option to 1 if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock.
#
# The default is not to use locking.
#
USE_LOCKING=0

#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached. If no value is set, then a
# default of 300 seconds (5 minutes) is used.
#
LOCK_TIMEOUT=300

#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. Some simple messages are echo'd to the users screen
# to let them know that rkhunter is waiting for the lock. Set this option to 0
# if the messages are not to be displayed. The default is to show them.
#
SHOW_LOCK_MSGS=1

#
# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
# will search (on a per rootkit basis) for filenames in all of the directories (as defined
# by the result of running 'find "${RKHROOTDIR}/" -xdev'). While still not optimal, as it 
# still searches for only file names as opposed to file contents, this is one step away
# from the rigidity of searching in known (evidence) or default (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough investigation which
# should be based on relevant best practices and procedures. 
#
# Enabling this feature implies you have the knowledge to interpret the results properly. 
#
#SCANROOTKITMODE=THOROUGH

#
# The following option can be set to the name(s) of the tests the 'unhide' command is
# to use. In order to maintain compatibility with older versions of 'unhide', this
# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
# will only take effect when they are seen. The test names are a space-separated list,
# and will be executed in the order given.
#
#UNHIDE_TESTS="sys"

#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
# is possible to disable the execution of one of the programs if desired. By default
# rkhunter will look for both programs, and execute each of them as they are found.
# If the value of this option is 0, then both programs will be executed if they are
# present. A value of 1 will disable execution of the C 'unhide' program, and a value
# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
# both programs, then disable the 'hidden_procs' test.
#
#DISABLE_UNHIDE=0

INSTALLDIR="/usr"
Maybe i should have removed all the # rows, but i like having them around.

Well, if i haven't been hacked, noone but me have root access
__________________
Regards
S.Jensen

FB: http://facebook.com/stigge2000
Twitter: http://twitter.com/StigJensen
Skype: stigge2000
Reply With Quote
  #4  
Old 20th December 2012, 13:04
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,744 Times in 2,577 Posts
Default

Can you post the outputs of
Code:
ls -la /usr/bin/rkhunter
and
Code:
grep Binaryfile /usr/bin/rkhunter
?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #5  
Old 20th December 2012, 23:35
stigge2000 stigge2000 is offline
Member
 
Join Date: Jul 2006
Posts: 32
Thanks: 10
Thanked 1 Time in 1 Post
Send a message via Skype™ to stigge2000
Default

The outputs:

Code:
[root@dns1 ~]# ls -la /usr/bin/rkhunter
-rwxr-x--- 1 root root 491628 May  3  2012 /usr/bin/rkhunter
[root@dns1 ~]# grep Binaryfile /usr/bin/rkhunter
[root@dns1 ~]#
The grep Binaryfile didnt have any output
__________________
Regards
S.Jensen

FB: http://facebook.com/stigge2000
Twitter: http://twitter.com/StigJensen
Skype: stigge2000
Reply With Quote
The Following User Says Thank You to stigge2000 For This Useful Post:
AbannyvabVask (11th November 2013)
  #6  
Old 21st December 2012, 11:41
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,744 Times in 2,577 Posts
Default

Strange... Did you check if there's an update available for rkhunter? Maybe this fixes the problem.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
The Following User Says Thank You to falko For This Useful Post:
AbannyvabVask (28th November 2013)
  #7  
Old 21st December 2012, 13:57
stigge2000 stigge2000 is offline
Member
 
Join Date: Jul 2006
Posts: 32
Thanks: 10
Thanked 1 Time in 1 Post
Send a message via Skype™ to stigge2000
 
Default

When i check for updates i pretty much get the same response:

Code:
[root@dns1 ~]# rkhunter --update
Invalid SCRIPTDIR configuration option: Invalid pathname: Binaryfile/etc/rkhunter.confmatches
[root@dns1 ~]#
__________________
Regards
S.Jensen

FB: http://facebook.com/stigge2000
Twitter: http://twitter.com/StigJensen
Skype: stigge2000
Reply With Quote
Reply

Bookmarks

Tags
bindir, rkhunter, scriptdir

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 08:46.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.