rhkunter errors

Discussion in 'Server Operation' started by Tom John, Nov 15, 2019.

  1. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi guys,

    when doing rkhunter --check i get the following results:

    Code:
    Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The file '/usr/sbin/tcpd' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
    Warning: The following suspicious (large) shared memory segments have been found:
             Process: /usr/sbin/apache2    PID: 18255    Owner: root    Size: 1.2MB (configured size allowed: 1.0MB)
    
    
    I dont know why the inetd for example did not exist in the system before, can it be that someone added these files or is the error because of other things?

    cat /usr/sbin/inetd get the following result:
    Code:
                             �D$
                                  �dH�%(H��$�1�H���������uGL��$�H�E1�j�t$E1��L��H���������ZYuQH�=�L��H��������DH�=�H��1������H��$�dH3%(u'H�Ġ[]A\��H�=�H��1��O�����������US��H��H���dH�%(H��1�H��������f�Hc�H���������H��~�H�����_������1��4���@ATU��SH��H���dH�%(H��1�I�����������H��f.���L���������H����;t�1������f.�SH�5�H�=��L���H��t/H���O���H��H��HcȾ1������H��[�M���D[�4 H��H�� H��H��dH�%(H�D$1����������H�$H�H H�DH9�HGȸH�� H��HG�H;
         $v>H�޿������xkH�$H��4 1�H�T$dH3%(uWH�� [�f.�H�)1���������������H��1���������������H���������@AVAU1�ATUSH��H���w�dH�%(H�D1��$�]������gH�SH�=P�H�����H�=[�H��H����@����@8��PH�==�H������A�H�������/����������I�غH�������1�H�������Hc;'5 ~%H��2 �5 H�H9�v�����f.�H�DdH3%(��H��[]e6 ���]D���L������������]���H���t�p��u�
    �3 E���W���A�H�����������������*���H��A��H���)���S������{H�S������@H�L�CH����1�����������H�L$A���)���D$��������DH�S�H���r���f�H����1�����������H�L�CH��1����p����������5 ������������X�^5 ����������@�5������I�غH���1����^���@������DD���@��������I�.���A�������fDH����1�������h���L���������������H�Z��1��h��������H�a��1��H������������@f.�USH�H�K4 �94 H��t\��DH���H��tD��u��K��
    ?1 H�qH�541 �H��H���u�H��AWAVA��AUATUSH��xH�D��dH�%(H�D$h1������L�%�0 M����H�L0 �
    H�l$f�D$XI���[��oH�[email protected])E�oCH�[email protected])E�oC )E �oC0)E0H���JH��L9�D��ID�����H��JuT0 �%����AWAVAUATA��USH�dH�%(H��$�1�H�=�/ �#H�\$ H��$�L�L$1ɺJD��I��H���D$��<���H��x
            H���������t+H��$�dH3%(��H�[]A\A]A^A_�f�L�5Y/ L�-�. M��M)�A��G��Mc�L��H��L�¹JL�D�����L�D�HH�5�. D)�Hc�J�|�����I��H�k. D�L$M9�I�غJLD�H���
    1�D��L�-#. f��$��v����6�����HL��H���������fD�3���H�
                                                        . H��- �����������f.�H��(1�H��dH�%(H�D$1������1҅�x
                            �$���~���H�L$dH3
                                              %(��uH��(��U���DSH�H��H�=
    H���L�H����H�=:- @����@8���H��H��
                                       �1��$���D�K,H�KH�=- E����H�D�C0H�MQ�K(�1������XZH�CHH�0
                   �K4L�[email protected]����H�=�, H��HD�H�H�,�sX�sPP1������H�� [�H��H��
                                                                              M���I��1�������[����H��
                        �1��e����u���AWAVH�5�
                                              AUAT1�USH��8dH�%(H�D$(1��T�����������-H�H/ H��t1�f�P8H���H��u������H��H���jH�D$L�-e
                                                        L�%Y
                                                            H�DDH��. H��u��H���H����H��H��������t�H�}P�N���������H�[email protected]���H�[email protected][email protected]�UHH�[email protected]�CHH�SHH�UXH�EHH�CXH�SXH�EX�`f�H�H�LH�
                               H�TH�H=u�D�{,E���}�E,H��A��C,�E0�C0�+����CA�fD�s8���|��
    �{���L���H��M���/�j����5�* L���������E��L��H��ID�L���$���H��������f���H��- H�-�- L�%-
    H��trf�{8H�������H�EtH����a����������S,�����{���#* ����H���;���H�������H�]H��u�H�5�    1��
                       ���H�D$(dH3%(�H��8[]A\A]A^A_�f�H��E1������H�������DH���H�) H�Ņ������I�������DD�S,A�1�fD��ǃ����H��E��uO�b���f�f����f9���h���f��������H���0��������������C(������H������������fD�������H�H���l�&�����k�����H�L�CH�(
                           ��1��g��������f�D�C,�
    1�f��ǃ����H��E���E����X���f�f�������H�sH�|�
                                                     ����������H�|I��趿���LI�H���DJ�<H�H�t�1���H��H�( ���@�f9�������������������@H���P����v���H���@����{�U���H��]����o' ���L���H��L��������<�����{4�E4��������C4�����H����C����訿������H������H�������@�C(�#���H���&����������    ���@H�A���fD�����蠽��H�������������D�����H�sH�|�
                                      ����D�t$E��������"���HH�D��H��D�0E���p����$ H�a�������������讽��@f.�AWAVAUATUSH��H��% L�(H�$M����L��D$
                                                                          A�f�H�-� H�<�E1�H�56��H��H�����H��H�E�H��H��L���?�����ED�H��u�HcD$
                                                                   H�
    �D$                                                              $H��E��H�u
       L�*H�TI�M�o�M�������H�H��[]A\A]A^A_�H�$��@AWAVA��AUATL�%� UH�-� SI��I��L)�H�H������H��t 1��L��L��D��A��H��H9�u�H�[]A\A]A^A_Ðf.���H�H��WATCHDOG=1
    reaping asked for
    %ld reaped, status %x
    %s: exit status %d%s: exit signal %drestored %s, fd %d
    %.24s
    strdup: %m%s: getproto: %m%s/%s: getsockname: %mpmap_set: %u %u %u %u
    pmap_unset(%u, %u)
    pmap_unset(%u, %u)STOPPING=1
    /run/inetd.pidOut of memory.*someone wants %s
    fork: %m/usr/sbin/tcpdgetpwnam: %s: No such user%s: setsid: %mgetgrnam: %s: No such group%s/%s: can't set gid %d: %m%s/%s: can't set uid %d: %m%ld execv %s
    execv %s: %maccept, ctrl %d
    accept (for %s): %mcould not getpeernamecalloc: %mstreamdgramrdmseqpacketraw%s: too many buffer sizes%s: invalid buffer size `%s'sndbufrcvbufunixrpc/%s: no rpc version%s/%s: bad rpc versionwaitinternal0%s/%s: %s: %sinternal service %s unknown-%s [%s]-%s [?]-%s%ld
    getrlimit: %msetrlimit: %m%s/%s: socket: %mtcp6setsockopt (IPV6_V6ONLY): %mtcp46tcpsetsockopt (SO_DEBUG): %msetsockopt (SO_REUSEADDR): %m%s/%s: bind: %m(default)%s: %s %s: %s:%s proto=%s,REDOADDRELOADING=1
    %s: unknown rpc service%s/%s: unknown serviceFREEREADY=1
    DISPLAY=CVSdEilq:R:NOTIFY_SOCKETdaemon(0, 0): %minetdinetd_dummyEDITOR=GROUP=HOME=IFS=LD_LOGNAME=MAIL=PATH=PRINTER=PWD=SHELL=SHLVL=SSHTERMTMPUSER=VISUAL=/etc/inetd.confechodiscarddaytimechargen%s %s: pmap_set: %u %u %u %u: %msyntax error in inetd config file%s/%s server failing (looping), service terminated for %d minrefused connection from %.500s, service %s (%s)%s/%s: can't initgroups(%s): %m%s: malformed buffer size option `%s'%s/%s: %s: the address family is not supported by the kernel%s: illegal max field "%s", setting to %dbump_nofile: cannot extend file limit, max = %drpcprog=%d, rpcvers=%d/%d, proto=%s, wait.max=%d.%d user:group=%s:%s builtin=%lx server=%s
    %s/%s: UNIX domain socket path too long-R %s: bad value for service invocation rateusage: inetd [-dEil] [-q len] [-R rate] [configuration_file]
    inetd: non-root must specify a config file
    inetd: more than one argument specified
    ����E���E���E���E���E���E���E���E���E���E���E���E���h���E���E���E���E���E���E���E���E���E���E���E���E���E���E���E���E���E���X���E���E���E���E���H���E���E���8���E���E���E���E�����xxxxxxxxxxxxxxxx;|.����p�������������h    ������ �������X ���t�����`������������(����\����������P�������,����D���d�����p���������������������X���t0�������@���L���������� �������4����T����x`���������0����P������� ���0�������    �����    ���
    zRx
            �`���+zRx
                              �[email protected]���`FJ
                                            �?;*3$"Dx��\���8p�����B�B�A �A(�[email protected]
    (A ABI
            �p���GG� z
    A
     (�����dA�A�[email protected]
    AA
        (������A�A�K��
    AA
        ����&P4x����0H����B�A�C �N�!e
     AAC
          0|p���B�A�D �I�{
     AAA
          0�\����B�A�C �N�`
     AAH
          �����L������B�A�A �GP�XW`LXAPxXT`UhEpKPk
     AAF
          4HT����B�B�A �A(�D0�(A AB������A��D���iA�G
    A
     8������B�D�D �U
    AF
        E
    AH
         �H���}DB
    J
     d
    D
     ����AD$0�����A�A�R �AXt���CN8p�����B�A�D �m
    AI
        y
    AD
        �p���&KU
    A
     T�����-B�B�B �A(�C0�J��
    0A(A BBE
              ��LW�B�L \����B�B�A �A(�J��
    (A ABG
            ��D�Z�A�,p����+B�A�D ��
    AA
        \������
                B�B�G �B(�F0�A8�G��
    8A0A(B BBC
                i    �L�Y�A�@,����B�A�D �I�    }�    E�    Z�    A�    F
     AAI
          D����\A�A�I�  ���fB�A�C �G� �T���JA�}
    J
      ������A�I0�
    K
      @�P����B�B�D �A(�A0�[email protected]
    0A(A BBH
              $����A�A�D vA8����PK0P,���B�B�E �B(�A0�A8�D�H����uB�B�B �B(�D0�A8�G�
    8A0A(B BBC
                �L���KD0A
    A
     4�����A�gL PApJ C(A0KA
    A
     H$X����B�B�I �B(�C0�A8�Dpu
    8A0A(B BBJ
                Hp�����B�B�B �B(�A0�A8�DP�
    8A0A(B BBA
                L�@���GB�B�E �B(�D0�A8�]��
    8A0A(B BBA
                D
                ����eB�B�E �B(�H0�H8�[email protected](B BB���5�4cqZq�q�q�q�q�q�q�q�q�q�q�q�q�q�q�q�qr��Ao
    $m�� �� ���o�p�           �'
    �
     �� x    �p    ���o���o����o���oZ���o+`� &(6(F(V(f(v(�(�(�(�(�(�(�(�())&)6)F)V)f)v)�)�)�)�)�)�)�)�)**&*6*F*V*f*v*�*�*�*�*�*�*�*�*++&+6+F+V+f+v+�+�+�+�+�+�+�+�+,,&,6,F,V,f,v,�,�,�,�,�,�,�,�,--&-6-F-V-f-v-�-�-�-�-�-�-�-�-..&.6.F.V.f� @�
                        rr�Yr9 r Z r�6+r 7+r�:(r�7(r�90r0a0rPb9444f5677322c33281f085c1ecc8eaa81650e8.debug��9.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.data.rel.ro.dynamic.data.bss.gnu_debuglink
                                    88TT !tt$4���o��X>
    Fpp�N���oZZ [���o���jpptB��x   ~�'�'y((`�p��.�.�>�$m$m    �0m0m�vv|��w���������� ��� �`� `�0��� ���� �H `� H�� �H�4|�[email protected]:~# 
    
    The apache2 segments should i change that in rkhunter config?

    thanks a lot for your kind help
     
    goldkkde likes this.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    rkhunter shows lots of warnings, you have to read what warning means and if it is not dangerous on your host then configure rkhunter to ignore it.
    It probably did exist, but you have not let rkhunter run the property update so it would know what files are there. Then next time it does not warn about those anymore.
    That is a binary file, as can be guessed from it being in sbin/ directory. Use command file before cat to see whether it is text file. If it is not text file cat does garbage.
     
  3. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi,
    thanks for your answer.
    i run:
    Code:
    rkhunter --propupd
    
    then after running:
    Code:
    rkhunter --check --rwo
    
    i get the following error:
    Code:
    Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
    
    
    is my system compromised or why do i get this error?
    and i get another error:
    Code:
    Warning: The following suspicious (large) shared memory segments have been found:
             Process: /usr/sbin/apache2    PID: 18255    Owner: root    Size: 1.2MB (configured size allowed: 1.0MB)
    
    
    should i change in the rkhunter config file the max size of file to 1.2MB ?
    thanks in advance for your kind help
     
  4. Steini86

    Steini86 Active Member

    In file /etc/rkhunter.conf.local insert:
    Code:
    ALLOWIPCPROC=/usr/sbin/apache2
    You get this warning, because the file in question is not a binary, but a perl script (as intended by debian!). This warning should get away when you specify your package manager by adding
    Code:
    PKGMGR=DPKG
    to /etc/rkhunter.conf.local and then running "rkhunter --propupd" again
     
  5. yupthatguy

    yupthatguy Member HowtoForge Supporter

    If anyone else runs across this post while configuring rkhunter, I add the following:

    when you run 'rkhunter -c --rwo' among the above mentioned warnings
    the best method to get rid of warnings on

    Code:
    Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable

    Install & upate the following packages:

    Code:
    # apt install debsums apt-file
    # apt-file update
    then run:
    Code:
    # debsums $(apt-file search -F --package-only /usr/bin/egrep)
    [review output for 100% "OK" response]
    
    # debsums $(apt-file search -F --package-only /usr/bin/fgrep)
    [review output for 100% "OK" response]
    
    # debsums $(apt-file search -F --package-only /usr/bin/which)
    [review output for 100% "OK" response]

    If all of the output shows as "OK", then it is safe to edit '/etc/rkhunter.conf.local' and add
    Code:
    SCRIPTWHITELIST=/usr/bin/egrep
    SCRIPTWHITELIST=/usr/bin/fgrep
    SCRIPTWHITELIST=/usr/bin/which
    REF: https://stackoverflow.com/questions...warnings-came-up-should-i-be-worried/44289033

    Also for the ssh warning:

    Code:
    Warning: The SSH and rkhunter configuration options should be the same:
             SSH configuration option 'PermitRootLogin': yes
             Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    **Assuming, you have already configured key-based ssh authentication, you can do the following to remove the warning:

    edit: /etc/ssh/sshd_config
    Code:
    PermitRootLogin without-password
    
    Then edit: /etc/rkhunter.conf
    Code:
    ALLOW_SSH_ROOT_USER=without-password
     
    Last edited: Apr 15, 2021
  6. Steini86

    Steini86 Active Member

    Be aware, that if in the future something replaces this files with malicious code, you will not get any warning. I would not say that it is "safe" to whitelist system files.
    If the file really identical to the package manager version, a "rkhunter --propupd" should do the job.
     
  7. yupthatguy

    yupthatguy Member HowtoForge Supporter

    @Steini86 Appreciate the feedback.

    Here's the dilema:

    Based on your feedback, I just commented out my rkhunter.conf.local edits for
    Code:
    #SCRIPTWHITELIST=/usr/bin/egrep
    #SCRIPTWHITELIST=/usr/bin/fgrep
    #SCRIPTWHITELIST=/usr/bin/which

    Then, I ran 'rkhunter --propupd' command that you recommended and the warnings returned:

    Code:
    [email protected]:~# rkhunter --propupd
    [ Rootkit Hunter version 1.4.6 ]
    File updated: searched for 180 files, found 146
    [email protected]:~# rkhunter -c --rwo
    Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
    You are correct my method of getting rid of the warnings, creates vulnerability against future threats. Can you recommend a method get rid of the warning & protect against future threats?
     
  8. Steini86

    Steini86 Active Member

    You are correct, this is the recommended method to replace this warning. It is also not a 'complete' whitelist, just allows scripts instead of binaries. In fact, the rkhunter.conf file includes these SCRIPTWHITELIST for egrep/fgrep/which/ldduser/... However, in the past egrep/fgrep were placed in /bin. In your system (ubuntu?) they are in /usr/bin, which is why the config file needs to be adjusted. This is due to the "usr-merge". More information here: https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/
    Sorry for the confusion. In my view this is a bug in your distributions rkhunter.conf file and should be changed there.

    Ps.: If you copy answers from somewhere else it would be kind to mention that (it is a copyright violation)
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I think this behaviour is due to the grep package not including the file /usr/bin/egrep, but creating it during installation.
    Code:
    $ dpkg --search /bin/egrep
    grep: /bin/egrep
    [email protected] ~/Lataukset
    $ dpkg --search /usr/bin/egrep
    dpkg-query: no path found matching pattern /usr/bin/egrep
    
    This is not good for rkhunter.
     
  10. yupthatguy

    yupthatguy Member HowtoForge Supporter

    I have added a reference to my original post... trying to "spread knowledge", not "step on toes" :)
     
    Steini86 likes this.

Share This Page