Is that a false positive?

Discussion in 'Server Operation' started by fernandoch, Jan 12, 2020.

  1. fernandoch

    fernandoch Member HowtoForge Supporter

    I tried chkrootkit and got these alerts.
    Are they false positives? Or should I be worried?

    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:

    Some of them have a username and password in them; is that normal???
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You did not say what OS is running on that host. You should try to determine that, then examine that OS's repositories to see if those .htaccess files come with the fail2ban installation packages of that OS.
    For what it is worth, on my Debian GNU/Linux 10.2 there are those same files:
    ls -lha /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest*/.ht*
    -rw-r--r-- 1 root root 231 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
    -rw-r--r-- 1 root root 117 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
    -rw-r--r-- 1 root root 159 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
    -rw-r--r-- 1 root root  62 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
    -rw-r--r-- 1 root root 195 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
    -rw-r--r-- 1 root root  62 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
    -rw-r--r-- 1 root root 179 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
    -rw-r--r-- 1 root root  62 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
    For Debian, this can also be verified by looking at the listing of files in the installation package:
  3. fernandoch

    fernandoch Member HowtoForge Supporter

    Sorry, I missed that, I am on Ubuntu.
    Do some of your .htpasswd files have a username and password in them?
  4. EticWeb

    EticWeb New Member

    Thanks for the trick.
    So the files are part of the official Fail2ban Debian package.
    But is it normal to have them reported by chkrootkit every day?
    Is there a way to remove them from the daily report, or to tell chkrootkit that they are not positives?
  5. Steini86

    Steini86 Active Member

    If they are part of the official package, a "rkhunter --propupd" should get rid of the messages. This updates rkhunter's file properties database with the information from the package manager (needs to be repeated after every bigger update).
    rkhunter does not exclude even known false positives from scanning, because otherwise malware could just overwrite these files and would not be found.
  6. Ciprian Tomoiaga

    Ciprian Tomoiaga New Member

    Sorry to respawn an old thread, but EticWeb was asking about chkrootkit, whereas the answer offers a solution for rkhunter.

    So, for chkrootkit, it depends how it is set up. Normally, the script in `cron.daily` compares the output against an "expected output". It's kind of a poor man's database. If you want to set today's output as being the new "normal", you have to set it so by copying `/var/log/chkrootkit/` over `/var/log/chkrootkit/log.expected`. Their paths may vary depending on the distribution, so check the output of the daily cron for exact instructions, or the script in `/etc/cron.daily/chkrootkit`.
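A small triage script, added here as an example (it is not from this thread and not part of chkrootkit, fail2ban or rkhunter), that puts the two answers together: it pulls the paths out of the "suspicious files and dirs" section of a chkrootkit run, asks the package manager whether each path is shipped by an installed package (the check Taleman did by hand), and diffs the list against the saved baseline that the daily cron compares with, so only paths not yet in `log.expected` are reported. The marker line is the one quoted in the first post; the sample scan output, the sample baseline, the `/tmp` path and the package-ownership table are constructed for the offline run, and the `pkg: /path` output format of `dpkg -S` on Debian/Ubuntu is an assumption of the `dpkg_owner` helper.

```python
"""Triage chkrootkit 'suspicious files and dirs' findings (added example)."""
import subprocess
from typing import Callable, Dict, List, Optional

# The line chkrootkit prints before listing paths (quoted in the thread).
MARKER = "The following suspicious files and directories were found:"

# Constructed stand-in for today's chkrootkit output; not a real scan.
SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/tmp/.cache-1234/.x
Searching for sniffer's logs, it may take a while... nothing found
"""

# Constructed stand-in for /var/log/chkrootkit/log.expected (yesterday's accepted output).
SAMPLE_EXPECTED = """\
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
Searching for sniffer's logs, it may take a while... nothing found
"""

# Constructed answer table standing in for `dpkg -S` when running offline.
SAMPLE_OWNERS = {
    "/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess": "fail2ban",
    "/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd": "fail2ban",
}


def extract_suspicious_paths(output: str) -> List[str]:
    """Return the absolute paths listed after MARKER, up to the next non-path line."""
    paths: List[str] = []
    in_section = False
    for raw in output.splitlines():
        line = raw.strip()
        if MARKER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("/"):
            paths.append(line)
        elif line:  # the next "Searching for ..." / "Checking ..." line ends the list
            in_section = False
    return paths


def dpkg_owner(path: str) -> Optional[str]:
    """Return the installed package that ships `path`, or None if none claims it.

    Assumes Debian/Ubuntu `dpkg -S` output of the form 'pkg[, pkg2]: /path'.
    """
    try:
        res = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:  # not a dpkg-based system
        return None
    if res.returncode != 0:
        return None
    for line in res.stdout.splitlines():
        if line.startswith("diversion"):
            continue
        pkgs, sep, owned_path = line.partition(": ")
        if sep and owned_path.strip() == path:  # exact match, not a prefix hit
            return pkgs.split(",")[0].strip()
    return None


def triage(output: str, expected: str,
           owner_lookup: Callable[[str], Optional[str]] = dpkg_owner) -> Dict[str, object]:
    """Classify flagged paths as new/known (vs. baseline) and owned/unowned (vs. packages)."""
    today = extract_suspicious_paths(output)
    baseline = set(extract_suspicious_paths(expected))
    owned: Dict[str, str] = {}
    unowned: List[str] = []
    for p in today:
        pkg = owner_lookup(p)
        if pkg:
            owned[p] = pkg
        else:
            unowned.append(p)
    return {
        "new": [p for p in today if p not in baseline],
        "known": [p for p in today if p in baseline],
        "owned": owned,
        "unowned": unowned,
    }


if __name__ == "__main__":
    # Offline run on the constructed data. On a real host, pass the contents of
    # today's log and log.expected and keep the default owner_lookup to query dpkg.
    result = triage(SAMPLE_OUTPUT, SAMPLE_EXPECTED, owner_lookup=SAMPLE_OWNERS.get)
    for p in result["new"]:
        print(f"NEW since baseline: {p}")
    for p in result["unowned"]:
        print(f"no package owns: {p}")
    for p, pkg in result["owned"].items():
        print(f"shipped by {pkg}: {p}")
```

Package ownership only says that a path is shipped by a package, not that its contents are unmodified; before accepting a new line into `log.expected`, compare the file against the package's recorded checksums with `dpkg --verify <package>` (or `debsums`), which is the same idea as `rkhunter --propupd` but read-only. A path that no package claims, or one that fails the checksum check, is the line worth investigating rather than baselining.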
