Is that a false positive?

Discussion in 'Server Operation' started by fernandoch, Jan 12, 2020.

  1. fernandoch

    fernandoch Member HowtoForge Supporter

    Hello,
    I tried the chkrootkit and got these alerts.
    Are they false positive? Or should I be worried?

    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
    /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd

    Some of them have username and password, is that normal???
    Thanks
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You did not say what OS is running on that host. You should try to determine that, then examine that OS's repositories to see if those .htaccess files come with the fail2ban installation packages of that OS.
    For what it is worth, on my Debian GNU/Linux 10.2 there are those same files:
    Code:
    ls -lha /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest*/.ht*
    -rw-r--r-- 1 root root 231 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
    -rw-r--r-- 1 root root 117 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
    -rw-r--r-- 1 root root 159 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
    -rw-r--r-- 1 root root  62 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
    -rw-r--r-- 1 root root 195 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
    -rw-r--r-- 1 root root  62 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
    -rw-r--r-- 1 root root 179 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
    -rw-r--r-- 1 root root  62 Jan 18  2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
    For Debian, this can also be verified by looking at the listing of files in the installation package:
    https://packages.debian.org/buster/all/fail2ban/filelist
     
  3. fernandoch

    fernandoch Member HowtoForge Supporter

    Sorry, I missed that, I am on Ubuntu.
    Do some of your .htpasswd files have a username and password in them?
     
  4. EticWeb

    EticWeb New Member

    Thanks for the trick.
    So the files are part of the official Fail2ban Debian package.
    But is it normal to have them reported by chkrootkit every day?
    Is there a way to remove them from the daily report or tell chkrootkit that they are not positive files?
     
  5. Steini86

    Steini86 Active Member

    If they are part of the official package, a "rkhunter --propupd" should get rid of the messages. This updates rkhunter's file properties database with the information from the package manager (needs to be repeated after every bigger update).
    rkhunter does not exclude even known false positives from scanning, because otherwise malware could just overwrite these files and would not be found.
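An added example (not posted by anyone in this thread) that carries out the check Taleman and Steini86 describe on a Debian/Ubuntu host: it parses the chkrootkit listing, asks dpkg which package owns each flagged path, and compares the file's current MD5 with the one dpkg recorded at install time, so a packaged file that was later overwritten still stands out. The sample report is constructed from paths in the first post; it assumes `dpkg` and the `/var/lib/dpkg/info/<pkg>.md5sums` files are present.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Constructed sample built from two of the paths in the first post.
SAMPLE_REPORT = """Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
"""

def flagged_paths(report):
    """Absolute paths that chkrootkit listed as suspicious, one per line."""
    return re.findall(r"^(/\S+)\s*$", report, re.M)

def dpkg_owner(path):
    """Package that ships `path` per `dpkg -S`, or None when no package owns it."""
    proc = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.split(":", 1)[0].split(",")[0].strip()

def recorded_md5(package, path):
    """MD5 dpkg recorded for `path` at install time (assumes a non-multiarch package name)."""
    sums = Path(f"/var/lib/dpkg/info/{package}.md5sums")
    if not sums.is_file():
        return None
    for line in sums.read_text().splitlines():
        digest, _, name = line.partition("  ")  # "<md5>  relative/path"
        if name == path.lstrip("/"):
            return digest
    return None  # conffiles and a few other files are not listed

def classify(owner, recorded, actual):
    """Verdict for one flagged path from its owner and the two checksums."""
    if owner is None:
        return "unowned: not from any installed package, investigate"
    if recorded is None:
        return f"owned by {owner} but no md5 on record, compare by hand"
    state = "unmodified" if recorded == actual else "CONTENT DIFFERS FROM PACKAGE"
    return f"owned by {owner}: {state}"

def triage(report):
    verdicts = {}
    for path in flagged_paths(report):
        owner = dpkg_owner(path)
        recorded = recorded_md5(owner, path) if owner else None
        actual = hashlib.md5(Path(path).read_bytes()).hexdigest() if Path(path).is_file() else None
        verdicts[path] = classify(owner, recorded, actual)
    return verdicts
```

Run `triage(SAMPLE_REPORT)` (or feed it the real chkrootkit output) and anything reported as unowned or as differing from the package deserves a closer look; "owned and unmodified" is the false-positive case the thread is about.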
     
