Hi guys, when doing rkhunter --check i get the following results: Code: Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the 'rkhunter.dat' file. Warning: The file '/usr/sbin/tcpd' exists on the system, but it is not present in the 'rkhunter.dat' file. Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file. Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file. Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable Warning: The following suspicious (large) shared memory segments have been found: Process: /usr/sbin/apache2 PID: 18255 Owner: root Size: 1.2MB (configured size allowed: 1.0MB) I dont know why the inetd for example did not exist in the system before, can it be that someone added these files or is the error because of other things? cat /usr/sbin/inetd get the following result: Code: �D$ �dH�%(H��$�1�H���������uGL��$�H�E1�j�t$E1��L��H���������ZYuQH�=�L��H��������DH�=�H��1������H��$�dH3%(u'H�Ġ[]A\��H�=�H��1��O�����������US��H��H���dH�%(H��1�H��������f�Hc�H���������H��~�H�����_������1��4���@ATU��SH��H���dH�%(H��1�I�����������H��f.���L���������H����;t�1������f.�SH�5�H�=��L���H��t/H���O���H��H��HcȾ1������H��[�M���D[�4 H��H�� H��H��dH�%(H�D$1����������H�$H�H H�DH9�HGȸH�� H��HG�H; $v>H�������xkH�$H��4 1�H�T$dH3%(uWH�� [�f.�H�)1���������������H��1���������������H���������@AVAU1�ATUSH��H���w�dH�%(H�D1��$�]������gH�SH�=P�H�����H�=[�H��H����@����@8��PH�==�H������A�H�������/����������I�غH�������1�H�������Hc;'5 ~%H��2 �5 H�H9�v�����f.�H�DdH3%(��H��[]e6 ���]D���L������������]���H���t�p��u� �3 E���W���A�H�����������������*���H��A��H���)���S������{H�S������@H�L�CH����1�����������H�L$A���)���D$��������DH�S�H���r���f�H����1�����������H�L�CH��1����p����������5 ������������X�^5 ����������@�5������I�غH���1����^���@������DD���@��������I�.���A�������fDH����1�������h���L���������������H�Z��1��h��������H�a��1��H������������@f.�USH�H�K4 �94 H��t\��DH���H��tD��u��K�� ?1 H�qH�541 �H��H���u�H��AWAVA��AUATUSH��xH�D��dH�%(H�D$h1������L�%�0 M����H�L0 � H�l$f�D$XI���[��oH�[email protected])E�oCH�[email protected])E�oC )E �oC0)E0H���JH��L9�D��ID�����H��JuT0 �%����AWAVAUATA��USH�dH�%(H��$�1�H�=�/ �#H�\$ H��$�L�L$1ɺJD��I��H���D$��<���H��x H���������t+H��$�dH3%(��H�[]A\A]A^A_�f�L�5Y/ L�-�. M��M)�A��G��Mc�L��H��L�¹JL�D�����L�D�HH�5�. D)�Hc�J�|�����I��H�k. D�L$M9�I�غJLD�H��� 1�D��L�-#. f��$��v����6�����HL��H���������fD�3���H� . H��- �����������f.�H��(1�H��dH�%(H�D$1������1҅�x �$���~���H�L$dH3 %(��uH��(��U���DSH�H��H�= H���L�H����H�=:- @����@8���H��H�� �1��$���D�K,H�KH�=- E����H�D�C0H�MQ�K(�1������XZH�CHH�0 �K4L�[email protected]����H�=�, H��HD�H�H�,�sX�sPP1������H�� [�H��H�� M���I��1�������[����H�� �1��e����u���AWAVH�5� AUAT1�USH��8dH�%(H�D$(1��T�����������-H�H/ H��t1�f�P8H���H��u������H��H���jH�D$L�-e L�%Y H�DDH��. H��u��H���H����H��H��������t�H�}P�N���������H�[email protected]���H�[email protected]�[email protected]�UHH�[email protected]�CHH�SHH�UXH�EHH�CXH�SXH�EX�`f�H�H�LH� H�TH�H=u�D�{,E���}�E,H��A��C,�E0�C0�+����CA�fD�s8���|�� �{���L���H��M���/�j����5�* L���������E��L��H��ID�L���$���H��������f���H��- H�-�- L�%- H��trf�{8H�������H�EtH����a����������S,�����{���#* ����H���;���H�������H�]H��u�H�5� 1�� ���H�D$(dH3%(�H��8[]A\A]A^A_�f�H��E1������H�������DH���H�) H�Ņ������I�������DD�S,A�1�fD��ǃ����H��E��uO�b���f�f����f9���h���f��������H���0��������������C(������H������������fD�������H�H���l�&�����k�����H�L�CH�( ��1��g��������f�D�C,� 1�f��ǃ����H��E���E����X���f�f�������H�sH�|� ����������H�|I��趿���LI�H���DJ�<H�H�t�1���H��H�( ���@�f9�������������������@H���P����v���H���@����{�U���H��]����o' ���L���H��L��������<�����{4�E4��������C4�����H����C����訿������H������H�������@�C(�#���H���&���������� ���@H�A���fD�����蠽��H�������������D�����H�sH�|� ����D�t$E��������"���HH�D��H��D�0E���p����$ H�a�������������讽��@f.�AWAVAUATUSH��H��% L�(H�$M����L��D$ A�f�H�-� H�<�E1�H�56��H��H�����H��H�E�H��H��L���?�����ED�H��u�HcD$ H� �D$ $H��E��H�u L�*H�TI�M�o�M�������H�H��[]A\A]A^A_�H�$��@AWAVA��AUATL�%� UH�-� SI��I��L)�H�H������H��t 1��L��L��D��A��H��H9�u�H�[]A\A]A^A_Ðf.���H�H��WATCHDOG=1 reaping asked for %ld reaped, status %x %s: exit status %d%s: exit signal %drestored %s, fd %d %.24s strdup: %m%s: getproto: %m%s/%s: getsockname: %mpmap_set: %u %u %u %u pmap_unset(%u, %u) pmap_unset(%u, %u)STOPPING=1 /run/inetd.pidOut of memory.*someone wants %s fork: %m/usr/sbin/tcpdgetpwnam: %s: No such user%s: setsid: %mgetgrnam: %s: No such group%s/%s: can't set gid %d: %m%s/%s: can't set uid %d: %m%ld execv %s execv %s: %maccept, ctrl %d accept (for %s): %mcould not getpeernamecalloc: %mstreamdgramrdmseqpacketraw%s: too many buffer sizes%s: invalid buffer size `%s'sndbufrcvbufunixrpc/%s: no rpc version%s/%s: bad rpc versionwaitinternal0%s/%s: %s: %sinternal service %s unknown-%s [%s]-%s [?]-%s%ld getrlimit: %msetrlimit: %m%s/%s: socket: %mtcp6setsockopt (IPV6_V6ONLY): %mtcp46tcpsetsockopt (SO_DEBUG): %msetsockopt (SO_REUSEADDR): %m%s/%s: bind: %m(default)%s: %s %s: %s:%s proto=%s,REDOADDRELOADING=1 %s: unknown rpc service%s/%s: unknown serviceFREEREADY=1 DISPLAY=CVSdEilq:R:NOTIFY_SOCKETdaemon(0, 0): %minetdinetd_dummyEDITOR=GROUP=HOME=IFS=LD_LOGNAME=MAIL=PATH=PRINTER=PWD=SHELL=SHLVL=SSHTERMTMPUSER=VISUAL=/etc/inetd.confechodiscarddaytimechargen%s %s: pmap_set: %u %u %u %u: %msyntax error in inetd config file%s/%s server failing (looping), service terminated for %d minrefused connection from %.500s, service %s (%s)%s/%s: can't initgroups(%s): %m%s: malformed buffer size option `%s'%s/%s: %s: the address family is not supported by the kernel%s: illegal max field "%s", setting to %dbump_nofile: cannot extend file limit, max = %drpcprog=%d, rpcvers=%d/%d, proto=%s, wait.max=%d.%d user:group=%s:%s builtin=%lx server=%s %s/%s: UNIX domain socket path too long-R %s: bad value for service invocation rateusage: inetd [-dEil] [-q len] [-R rate] [configuration_file] inetd: non-root must specify a config file inetd: more than one argument specified ����E���E���E���E���E���E���E���E���E���E���E���E���h���E���E���E���E���E���E���E���E���E���E���E���E���E���E���E���E���E���X���E���E���E���E���H���E���E���8���E���E���E���E�����xxxxxxxxxxxxxxxx;|.����p�������������h ������ �������X ���t�����`������������(����\����������P�������,����D���d�����p���������������������X���t0�������@���L���������� �������4����T����x`���������0����P������� ���0������� ����� ��� zRx �`���+zRx �[email protected]���`FJ �?;*3$"Dx��\���8p�����B�B�A �A(�[email protected] (A ABI �p���GG� z A (�����dA�A�[email protected] AA (������A�A�K�� AA ����&P4x����0H����B�A�C �N�!e AAC 0|p���B�A�D �I�{ AAA 0�\����B�A�C �N�` AAH �����L������B�A�A �GP�XW`LXAPxXT`UhEpKPk AAF 4HT����B�B�A �A(�D0�(A AB������A��D���iA�G A 8������B�D�D �U AF E AH �H���}DB J d D ����AD$0�����A�A�R �AXt���CN8p�����B�A�D �m AI y AD �p���&KU A T�����-B�B�B �A(�C0�J�� 0A(A BBE ��LW�B�L \����B�B�A �A(�J�� (A ABG ��D�Z�A�,p����+B�A�D �� AA \������ B�B�G �B(�F0�A8�G�� 8A0A(B BBC i �L�Y�A�@,����B�A�D �I� }� E� Z� A� F AAI D����\A�A�I� ���fB�A�C �G� �T���JA�} J ������A�I0� K @�P����B�B�D �A(�A0�[email protected] 0A(A BBH $����A�A�D vA8����PK0P,���B�B�E �B(�A0�A8�D�H����uB�B�B �B(�D0�A8�G� 8A0A(B BBC �L���KD0A A 4�����A�gL PApJ C(A0KA A H$X����B�B�I �B(�C0�A8�Dpu 8A0A(B BBJ Hp�����B�B�B �B(�A0�A8�DP� 8A0A(B BBA L�@���GB�B�E �B(�D0�A8�]�� 8A0A(B BBA D ����eB�B�E �B(�H0�H8�[email protected](B BB���5�4cqZq�q�q�q�q�q�q�q�q�q�q�q�q�q�q�q�qr��Ao $m�� �� ���o�p� �' � �� x �p ���o���o����o���oZ���o+`� &(6(F(V(f(v(�(�(�(�(�(�(�(�())&)6)F)V)f)v)�)�)�)�)�)�)�)�)**&*6*F*V*f*v*�*�*�*�*�*�*�*�*++&+6+F+V+f+v+�+�+�+�+�+�+�+�+,,&,6,F,V,f,v,�,�,�,�,�,�,�,�,--&-6-F-V-f-v-�-�-�-�-�-�-�-�-..&.6.F.V.f� @� rr�Yr9 r Z r�6+r 7+r�:(r�7(r�90r0a0rPb9444f5677322c33281f085c1ecc8eaa81650e8.debug��9.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.data.rel.ro.dynamic.data.bss.gnu_debuglink 88TT !tt$4���o��X> Fpp�N���oZZ [���o���jpptB��x ~�'�'y((`�p��.�.�>�$m$m �0m0m�vv|��w���������� ��� �`� `�0��� ���� �H `� H�� �H�4|�[email protected]:~# The apache2 segments should i change that in rkhunter config? thanks a lot for your kind help
rkhunter shows lots of warnings, you have to read what warning means and if it is not dangerous on your host then configure rkhunter to ignore it. It probably did exist, but you have not let rkhunter run the property update so it would know what files are there. Then next time it does not warn about those anymore. That is a binary file, as can be guessed from it being in sbin/ directory. Use command file before cat to see whether it is text file. If it is not text file cat does garbage.
Hi, thanks for your answer. i run: Code: rkhunter --propupd then after running: Code: rkhunter --check --rwo i get the following error: Code: Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable is my system compromised or why do i get this error? and i get another error: Code: Warning: The following suspicious (large) shared memory segments have been found: Process: /usr/sbin/apache2 PID: 18255 Owner: root Size: 1.2MB (configured size allowed: 1.0MB) should i change in the rkhunter config file the max size of file to 1.2MB ? thanks in advance for your kind help
In file /etc/rkhunter.conf.local insert: Code: ALLOWIPCPROC=/usr/sbin/apache2 You get this warning, because the file in question is not a binary, but a perl script (as intended by debian!). This warning should get away when you specify your package manager by adding Code: PKGMGR=DPKG to /etc/rkhunter.conf.local and then running "rkhunter --propupd" again
If anyone else runs across this post while configuring rkhunter, I add the following: when you run 'rkhunter -c --rwo' among the above mentioned warnings the best method to get rid of warnings on Code: Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable Install & upate the following packages: Code: # apt install debsums apt-file # apt-file update then run: Code: # debsums $(apt-file search -F --package-only /usr/bin/egrep) [review output for 100% "OK" response] # debsums $(apt-file search -F --package-only /usr/bin/fgrep) [review output for 100% "OK" response] # debsums $(apt-file search -F --package-only /usr/bin/which) [review output for 100% "OK" response] If all of the output shows as "OK", then it is safe to edit '/etc/rkhunter.conf.local' and add Code: SCRIPTWHITELIST=/usr/bin/egrep SCRIPTWHITELIST=/usr/bin/fgrep SCRIPTWHITELIST=/usr/bin/which REF: https://stackoverflow.com/questions...warnings-came-up-should-i-be-worried/44289033 Also for the ssh warning: Code: Warning: The SSH and rkhunter configuration options should be the same: SSH configuration option 'PermitRootLogin': yes Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no **Assuming, you have already configured key-based ssh authentication, you can do the following to remove the warning: edit: /etc/ssh/sshd_config Code: PermitRootLogin without-password Then edit: /etc/rkhunter.conf Code: ALLOW_SSH_ROOT_USER=without-password
Be aware, that if in the future something replaces this files with malicious code, you will not get any warning. I would not say that it is "safe" to whitelist system files. If the file really identical to the package manager version, a "rkhunter --propupd" should do the job.
@Steini86 Appreciate the feedback. Here's the dilema: Based on your feedback, I just commented out my rkhunter.conf.local edits for Code: #SCRIPTWHITELIST=/usr/bin/egrep #SCRIPTWHITELIST=/usr/bin/fgrep #SCRIPTWHITELIST=/usr/bin/which Then, I ran 'rkhunter --propupd' command that you recommended and the warnings returned: Code: [email protected]:~# rkhunter --propupd [ Rootkit Hunter version 1.4.6 ] File updated: searched for 180 files, found 146 [email protected]:~# rkhunter -c --rwo Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable You are correct my method of getting rid of the warnings, creates vulnerability against future threats. Can you recommend a method get rid of the warning & protect against future threats?
You are correct, this is the recommended method to replace this warning. It is also not a 'complete' whitelist, just allows scripts instead of binaries. In fact, the rkhunter.conf file includes these SCRIPTWHITELIST for egrep/fgrep/which/ldduser/... However, in the past egrep/fgrep were placed in /bin. In your system (ubuntu?) they are in /usr/bin, which is why the config file needs to be adjusted. This is due to the "usr-merge". More information here: https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/ Sorry for the confusion. In my view this is a bug in your distributions rkhunter.conf file and should be changed there. Ps.: If you copy answers from somewhere else it would be kind to mention that (it is a copyright violation)
I think this behaviour is due to the grep package not including the file /usr/bin/egrep, but creating it during installation. Code: $ dpkg --search /bin/egrep grep: /bin/egrep [email protected] ~/Lataukset $ dpkg --search /usr/bin/egrep dpkg-query: no path found matching pattern /usr/bin/egrep This is not good for rkhunter.
