rhkunter errors

Discussion in 'Server Operation' started by Tom John, Nov 15, 2019.

  1. Tom John

    Tom John Member HowtoForge Supporter

    Hi guys,

    When doing rkhunter --check I get the following results:

    Code:
    Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The file '/usr/sbin/tcpd' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file.
    Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
    Warning: The following suspicious (large) shared memory segments have been found:
             Process: /usr/sbin/apache2    PID: 18255    Owner: root    Size: 1.2MB (configured size allowed: 1.0MB)
    
    
    I don't know why the inetd, for example, did not exist in the system before. Can it be that someone added these files, or is the error because of other things?

    cat /usr/sbin/inetd gives the following result:
    Code:
    [binary data, not printable]
    WATCHDOG=1
    reaping asked for
    %ld reaped, status %x
    %s: exit status %d%s: exit signal %drestored %s, fd %d
    %.24s
    strdup: %m%s: getproto: %m%s/%s: getsockname: %mpmap_set: %u %u %u %u
    pmap_unset(%u, %u)
    pmap_unset(%u, %u)STOPPING=1
    /run/inetd.pidOut of memory.*someone wants %s
    fork: %m/usr/sbin/tcpdgetpwnam: %s: No such user%s: setsid: %mgetgrnam: %s: No such group%s/%s: can't set gid %d: %m%s/%s: can't set uid %d: %m%ld execv %s
    execv %s: %maccept, ctrl %d
    accept (for %s): %mcould not getpeernamecalloc: %mstreamdgramrdmseqpacketraw%s: too many buffer sizes%s: invalid buffer size `%s'sndbufrcvbufunixrpc/%s: no rpc version%s/%s: bad rpc versionwaitinternal0%s/%s: %s: %sinternal service %s unknown-%s [%s]-%s [?]-%s%ld
    getrlimit: %msetrlimit: %m%s/%s: socket: %mtcp6setsockopt (IPV6_V6ONLY): %mtcp46tcpsetsockopt (SO_DEBUG): %msetsockopt (SO_REUSEADDR): %m%s/%s: bind: %m(default)%s: %s %s: %s:%s proto=%s,REDOADDRELOADING=1
    %s: unknown rpc service%s/%s: unknown serviceFREEREADY=1
    DISPLAY=CVSdEilq:R:NOTIFY_SOCKETdaemon(0, 0): %minetdinetd_dummyEDITOR=GROUP=HOME=IFS=LD_LOGNAME=MAIL=PATH=PRINTER=PWD=SHELL=SHLVL=SSHTERMTMPUSER=VISUAL=/etc/inetd.confechodiscarddaytimechargen%s %s: pmap_set: %u %u %u %u: %msyntax error in inetd config file%s/%s server failing (looping), service terminated for %d minrefused connection from %.500s, service %s (%s)%s/%s: can't initgroups(%s): %m%s: malformed buffer size option `%s'%s/%s: %s: the address family is not supported by the kernel%s: illegal max field "%s", setting to %dbump_nofile: cannot extend file limit, max = %drpcprog=%d, rpcvers=%d/%d, proto=%s, wait.max=%d.%d user:group=%s:%s builtin=%lx server=%s
    %s/%s: UNIX domain socket path too long-R %s: bad value for service invocation rateusage: inetd [-dEil] [-q len] [-R rate] [configuration_file]
    inetd: non-root must specify a config file
    inetd: more than one argument specified
    [binary data, not printable]
    
    The apache2 segments: should I change that in the rkhunter config?

    thanks a lot for your kind help
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    rkhunter shows lots of warnings. You have to read what the warning means, and if it is not dangerous on your host, then configure rkhunter to ignore it.
    It probably did exist, but you have not let rkhunter run the property update, so it would know what files are there. Then next time it does not warn about those anymore.
    That is a binary file, as can be guessed from it being in the sbin/ directory. Use the command file before cat to see whether it is a text file. If it is not a text file, cat outputs garbage.
     
  3. Tom John

    Tom John Member HowtoForge Supporter

    Hi,
    thanks for your answer.
    I run:
    Code:
    rkhunter --propupd
    
    then after running:
    Code:
    rkhunter --check --rwo
    
    I get the following error:
    Code:
    Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
    
    
    Is my system compromised, or why do I get this error?
    And I get another error:
    Code:
    Warning: The following suspicious (large) shared memory segments have been found:
             Process: /usr/sbin/apache2    PID: 18255    Owner: root    Size: 1.2MB (configured size allowed: 1.0MB)
    
    
    Should I change the max size in the rkhunter config file to 1.2MB?
    thanks in advance for your kind help
     
  4. Steini86

    Steini86 Active Member

    In file /etc/rkhunter.conf.local insert:
    Code:
    ALLOWIPCPROC=/usr/sbin/apache2
    You get this warning because the file in question is not a binary but a Perl script (as intended by Debian!). This warning should go away when you specify your package manager by adding
    Code:
    PKGMGR=DPKG
    to /etc/rkhunter.conf.local and then running "rkhunter --propupd" again.
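The checks suggested in this thread (use file(1) instead of cat, and let the package manager say whether a flagged file is the one Debian shipped) can be scripted so every "not present in rkhunter.dat" or "replaced by a script" warning gets the same triage before it is whitelisted. The script below is an added example, not code from the thread or from rkhunter; it assumes a Debian/Ubuntu host with dpkg and file installed (both are checked for before use), and the sample warning lines are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter file warnings on a
# Debian/Ubuntu host. For each path that rkhunter reports as unknown or
# "replaced by a script", ask dpkg which package owns it and whether its
# on-disk md5sum still matches the package, and ask file(1) what the content is.
# Assumes dpkg and file are installed; both are checked for before use.

# Constructed sample, modelled on the warnings quoted in the thread.
SAMPLE_WARNINGS=$(cat <<'EOF'
Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
Warning: The following suspicious (large) shared memory segments have been found:
EOF
)

# extract_paths: read "rkhunter --check --rwo" output on stdin and print one
# path per line for the "The file '...'" and "The command '...'" warnings;
# other warnings (shared memory segments etc.) are ignored.
extract_paths() {
    sed -n \
        -e "s/^Warning: The file '\([^']*\)'.*/\1/p" \
        -e "s/^Warning: The command '\([^']*\)'.*/\1/p"
}

# triage_path PATH: print a one-line verdict and return
#   0  owned by a package and dpkg --verify reports no change
#   1  not owned by any package (worth a closer look)
#   2  owned, but differs from the checksum recorded at install time
#   3  path does not exist
#   4  dpkg not available on this host
triage_path() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: missing"
        return 3
    fi
    # file(1) classifies the content instead of dumping it to the terminal.
    kind=$(command -v file >/dev/null 2>&1 && file -b "$path" || echo "file(1) not installed")
    command -v dpkg >/dev/null 2>&1 || { echo "$path: dpkg not available ($kind)"; return 4; }
    # dpkg -S prints "pkg: /path" (or "pkg1, pkg2: /path"); keep the first package name.
    owner=$(dpkg -S "$path" 2>/dev/null | sed -n '1s/[,:].*//p')
    if [ -z "$owner" ]; then
        echo "$path: NOT owned by any package ($kind)"
        return 1
    fi
    # dpkg --verify prints one line per file whose md5sum (or mode) changed.
    if dpkg --verify "$owner" 2>/dev/null | grep -qF -- " $path"; then
        echo "$path: owned by $owner but CHANGED since install ($kind)"
        return 2
    fi
    echo "$path: owned by $owner, matches package ($kind)"
    return 0
}

# Run the triage over whatever rkhunter output arrives on stdin.
# Real use: rkhunter --check --rwo | triage_all
triage_all() {
    extract_paths | while IFS= read -r p; do
        triage_path "$p" || true
    done
}

printf '%s\n' "$SAMPLE_WARNINGS" | triage_all
```

A path that dpkg does not own, or one that dpkg --verify reports as changed, is the case that needs a real look before any ALLOWSCRIPTWHITELIST or property update; a script that dpkg owns and verifies clean (the lwp-request case here) is just the package manager doing what it was told, and PKGMGR=DPKG lets rkhunter reach the same conclusion on its own.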
     
