anyone else suddenly getting loads of rkhunter alerts?

Discussion in 'General' started by vmos, Feb 25, 2014.

  1. vmos

    vmos Member

    Hello, we get the odd false rkhunter alert from time to time, but this morning we've got about 25 from different servers. There's nothing in the logs and rkhunter --rwo -c shows nothing.

    They're all ubuntu running ispconfig and wordpress. We're still investigating but I was just wondering if anyone else had seen similar
  2. sjau

    sjau Local Meanie Moderator

    there's a command to update rkhunter files when you have large changes on installed packages... something like:

    rkhunter --propupd

    maybe that helps.
  3. vmos

    vmos Member

    I don't like doing that until I've established the cause. we did it on a few servers anyway and those servers have alerted again this morning.
  4. edge

    edge Active Member Moderator

    I'm all of a sudden getting an error on "i18n.ver failed" for the last couple of days.
    Not sure if this is the same error as you are getting?
  5. osterhase

    osterhase New Member

    Same here.

    #rkhunter --update
    Checking file i18n versions                                [ Update failed ]
  6. osterhase

    osterhase New Member

    Alright it seems like the rkhunter team released a new version (1.4.x) - see changelog here.

    Due to the fact that our servers run Debian squeeze - the Squeeze-Team did not yet update the packages list. The rkhunter Team removed the 1.3. version from the their sourceforge servers. Therefore the update done by the daily rkhunter scan which is issued against sourceforge fails. Therefore a warning is generated.

    We will just lay back for a couple of days and wait for the squeeze-team to accomplish their tasks. I reckon for youz guys it's the same - but better double check.

    Kind regards
  7. edge

    edge Active Member Moderator

    I did an apt-get --purge remove rkhunter
    And after this an apt-get install rkhunter

    I'm now on "Rootkit Hunter 1.4.2"

    If you made changes to rkhunter.conf, than make sure that you make a copy of it for references!
  8. osterhase

    osterhase New Member

    For the Squeeze-Guys: We remain on 1.3.6 for the moment.
  9. JeffryL

    JeffryL New Member

    Same problem here but it's not solved after removing rkhunter (purge). I even removed ruby with a full purge but still I get:

    Checking file i18n versions                                [ Update failed ]
    Ubuntu 12.04.4 with rkhunter 1.3.8
    Last edited: Mar 3, 2014
  10. osterhase

    osterhase New Member

    @JeffryL: What linux distribution and version do you use? If you use debian see my post before yours.

    Kind regards
  11. Spawnsworth

    Spawnsworth Member

    I've tried this on Ubuntu 12.04.1 LTS but still getting version 1.3.8

    Also have been getting the same errors at the same time each night from about 20 ISP Config servers.

    The command I use to run the rkhunter check is:

    rkhunter --rwo -c

    Anyone else got any suggestions?

  12. edge

    edge Active Member Moderator

    Not sure why I got 1.4.2, but I am really running it!
    All I did was a
  13. Spawnsworth

    Spawnsworth Member

    Still none the wiser here. Anyone else got any ideas?

  14. JeffryL

    JeffryL New Member

    Same problem still… quite annoying actually all these false positives...
  15. primal23

    primal23 New Member

    I am having the same issue. Using Ubuntu 12.04 and RKHunter 1.3.8-10
  16. JeffryL

    JeffryL New Member

    Last edited: Mar 17, 2014
  17. JeffryL

    JeffryL New Member

    I installed rkhunter 1.4.2 as described in the explanation in the link on top of 1.3.8. So I didn't remove or purge 1.3.8. Bit quick and dirty but it does work.

    Advantages: dependencies are already installed and if rkhunter gets updated as a package it rolls the official package out on top of the version installed without the package manager. But since rkhunter isn't updated since 2011 and 12.04.4 support ends in 2017 chances are it won't get updated anyway.

    Disadvantages: if it gets updated to a version below 1.4.2 you might have a problem with non-existent options in the configfile. Probably better then to not update rkhunter, but then rkhunter shows up every time during an update through the package manager.

    So in short:
    mv download rkhunter-1.4.2.tar.gz
    tar xzvf rkhunter-1.4.2.tar.gz
    cd rkhunter-1.4.2
    mv /etc/rkhunter.conf /etc/rkhunter.conf.old
    ./ --layout /usr --install
    rkhunter --update
    rkhunter --c --rwo
    Correct warnings by whitelisting and changing the rkhunter.conf. And of course make sure there are no unclarified issues before running --propupd!!! See the link:

    I also had to add lwp-request.

    rkhunter --propupd
    rkhunter -c --rwo
    If you made a lot of changes in rkhunter.conf it's probably better NOT to start off with the newer original, but rkhunter won't run with the old config file!

    No need to setup the cron if you installed 1.3.8 first through aptitude.
    Last edited: Mar 19, 2014
  18. r00tsnake

    r00tsnake New Member

    I am also affected by this using Ubuntu 12.04.4 LTS. I am debating either or not to uninstall rkhunter and install it from the sourceforge site, but I am very angry that the repos for Ubuntu have not been updated and that the repos for version 14.04 contain the updated rkhunter files...what on earth?

    I am aware I can install it via the tarball, but I would assume that Ubuntu or Debian would be able to update their repos to contain these new files,. if in fact these programs do help security?

    When it comes to Ubuntu you have two options; download the source forge tarball or upgrade your system to version 14.04 (an unstable release as of now)
    Last edited: Apr 9, 2014
  19. mitsos

    mitsos New Member

    Debian Wheezy (7.4, 7.5 to be released next weekend btw, all production machines scheduled to be updated as soon as the new versions hit the mirrors), rkhunter 1.4.0, not getting any FPs.

    On that note, a slightly offtopic hint: Always use stable, NOT oldstable for production environments.

Share This Page