Hi guys, when doing rkhunter --check I get the following results:

Code:
Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/sbin/tcpd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
Warning: The following suspicious (large) shared memory segments have been found:
Process: /usr/sbin/apache2 PID: 18255 Owner: root Size: 1.2MB (configured size allowed: 1.0MB)

I don't know why the inetd, for example, did not exist in the system before. Can it be that someone added these files, or is the error because of other things?

cat /usr/sbin/inetd gets the following result:

Code:
[binary output]

The apache2 segments: should I change that in the rkhunter config? Thanks a lot for your kind help.

rkhunter shows lots of warnings; you have to read what the warning means, and if it is not dangerous on your host then configure rkhunter to ignore it.

It probably did exist, but you have not let rkhunter run the property update so it would know what files are there. Then next time it does not warn about those anymore.

That is a binary file, as can be guessed from it being in the sbin/ directory. Use the command file before cat to see whether it is a text file. If it is not a text file, cat outputs garbage.

Hi, thanks for your answer. I run:

Code:
rkhunter --propupd

then after running:

Code:
rkhunter --check --rwo

I get the following error:

Code:
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

Is my system compromised, or why do I get this error? And I get another error:

Code:
Warning: The following suspicious (large) shared memory segments have been found:
Process: /usr/sbin/apache2 PID: 18255 Owner: root Size: 1.2MB (configured size allowed: 1.0MB)

Should I change the max size of file in the rkhunter config file to 1.2MB? Thanks in advance for your kind help.

In file /etc/rkhunter.conf.local insert:

Code:
ALLOWIPCPROC=/usr/sbin/apache2

You get this warning because the file in question is not a binary, but a Perl script (as intended by Debian!). This warning should go away when you specify your package manager by adding

Code:
PKGMGR=DPKG

to /etc/rkhunter.conf.local and then running "rkhunter --propupd" again.
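
A manual cross-check in the same spirit as the advice in this thread (run file before cat, let the package manager vouch for the files), added here as an example that is not part of the original posts. It assumes a Debian-style host with dpkg; the function names flagged_paths and triage_path are made up for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): triage rkhunter file warnings with dpkg.

# Warning lines copied from the first post above.
SAMPLE_WARNINGS="Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/sbin/tcpd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
Warning: The following suspicious (large) shared memory segments have been found:"

# Read rkhunter output on stdin; print each distinct path named in a
# "The file '...'" or "The command '...'" warning.
flagged_paths() {
    sed -n "s/^Warning: The [a-z]* '\([^']*\)'.*/\1/p" | LC_ALL=C sort -u
}

# Report file type, owning package and md5sums status for one path.
triage_path() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: not present on this host"; return 0
    fi
    kind=$(file -b "$path" 2>/dev/null || echo "unknown type")
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "$path: $kind; no dpkg here, cannot verify"; return 0
    fi
    # dpkg-query -S prints "pkg: /path" or "pkg:arch: /path".
    owner=$(dpkg-query -S "$path" 2>/dev/null | sed -n '1{s/: \/.*//;s/,.*//;p;}')
    if [ -z "$owner" ]; then
        echo "$path: $kind; not owned by any package, investigate"; return 0
    fi
    # dpkg --verify lists only files that fail the check; path is the last field.
    if dpkg --verify "$owner" 2>/dev/null |
        awk -v p="$path" '$NF == p { bad = 1 } END { exit !bad }'; then
        echo "$path: $kind; owned by $owner, CHECKSUM MISMATCH"
    else
        echo "$path: $kind; owned by $owner, matches package md5sums"
    fi
}

printf '%s\n' "$SAMPLE_WARNINGS" | flagged_paths |
    while read -r p; do triage_path "$p"; done
```

The md5sums that dpkg compares against are stored on the same host, so a clean result shows the files are what the installed package shipped, not that the host is untouched; for a stronger check, compare against a freshly downloaded copy of the package from a trusted machine.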