RKhunter Scan Details

Discussion in 'Installation/Configuration' started by onastvar, Apr 6, 2010.

  1. onastvar

    onastvar Member

    Since I've installed rkhunter I'm getting blank RKhunter Scan Details emails. Any ideas what/where to check about issue? Thank You.

    I have Perfect Setup CentOS 5.4 with ISPConfig 2
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Does
    Code:
    rkhunter -c
    show anything strange?
     
  3. onastvar

    onastvar Member

    RKhunter

    I only see warnings (please see below), Any ideas?

    rkhunter -c results

    Code:
    /usr/bin/GET                                             [ Warning ]
    /usr/bin/groups                                          [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/whatis                                          [ Warning ]
    /sbin/ifdown                                             [ Warning ]
    /sbin/ifup                                               [ Warning ]
    
    Checking for hidden files and directories                [ Warning ]
    
    Checking application versions...
    
    Checking version of GnuPG                                [ OK ]
    Checking version of Apache                               [ Warning ]
    Checking version of Bind DNS                             [ Warning ]
    Checking version of OpenSSL                              [ Warning ]
    Checking version of PHP                                  [ Warning ]
    Checking version of Procmail MTA                         [ OK ]
    Checking version of ProFTPd                              [ Skipped ]
    Checking version of OpenSSH                              [ Warning ]
    Warnings from rkhunter.log

    Code:
    [10:28:02] /usr/bin/GET                                      [ Warning ]
    [10:28:02] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    
    [10:28:02] /usr/bin/groups                                   [ Warning ]
    [10:28:02] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    
    [10:28:02] /usr/bin/ldd                                      [ Warning ]
    [10:28:03] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    
    [10:28:07] /usr/bin/whatis                                   [ Warning ]
    [10:28:07] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    
    [10:28:08] /sbin/ifdown                                      [ Warning ]
    [10:28:08] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    
    [10:28:08] /sbin/ifup                                        [ Warning ]
    [10:28:08] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    
    [10:32:08]   Checking for hidden files and directories       [ Warning ]
    [10:32:08] Warning: Hidden directory found: /dev/.udev
    [10:32:08] Warning: Hidden file found: /etc/.group.swp: data
    [10:32:08] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    [10:32:08] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    [10:32:08] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    [10:32:08] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    
    This is my rkhunter.sh which is in /etc/cron.daily/rkhunter.sh

    Code:
    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run' [email protected]
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ?
     
  5. onastvar

    onastvar Member

    RKhunter

    Output of
    Code:
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    is:

    Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/g roups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/w hatis: Bourne shell script text executable
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bou rne-Again shell script text executable
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden file found: /etc/.group.swp: data
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
    Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
    Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
    Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
    Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.


    Thank You!
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Do you get a non-empty mail when you run
    Code:
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run' [email protected]
    manually on the shell?

    BTW, your scan results don't look good - maybe your system got hacked... :eek:
     
  7. onastvar

    onastvar Member

    RKhunter Scan Warnings

    Does anyone know how do I check if my system got hacked? Any ideas how to fix the warnings? Do I need to re-install (centos & ispconfig) if system was hacked. Please advise? I appreciate any help - thanks!

    Right now, I am getting the "rkhunter Daily Run" emails with following warnings:

    Code:
    [ Rootkit Hunter version 1.3.6 ]
    
     [1;33mChecking rkhunter version... [0;39m
     This version  : 1.3.6
     Latest version: 1.3.6
    [ Rootkit Hunter version 1.3.6 ]
    
     [1;33mChecking rkhunter data files... [0;39m
     Checking file mirrors.dat [34C[  [1;32mNo update [0;39m ]
     Checking file programs_bad.dat [29C[  [1;32mNo update [0;39m ]
     Checking file backdoorports.dat [28C[  [1;32mNo update [0;39m ]
     Checking file suspscan.dat [33C[  [1;32mNo update [0;39m ]
     Checking file i18n/cn [38C[  [1;32mNo update [0;39m ]
     Checking file i18n/de [38C[  [1;32mNo update [0;39m ]
     Checking file i18n/en [38C[  [1;32mNo update [0;39m ]
     Checking file i18n/zh [38C[  [1;32mNo update [0;39m ]
     Checking file i18n/zh.utf8 [33C[  [1;32mNo update [0;39m ]
    Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    Warning: The file properties have changed:
            File: /etc/rkhunter.conf
            Current hash: 9b3b72541ac896dc0d8c877e3dfda866bbc4761e
            Stored hash : 1d76261698bc1d3d2e5729f801a5c9a7e2d761c6
            Current size: 30928    Stored size: 30835
            Current file modification time: 1270827265 (09-Apr-2010 10:34:25)
            Stored file modification time : 1265344611 (04-Feb-2010 22:36:51)
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden file found: /etc/.group.swp: data
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
    
    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)
     
  8. daddyfish

    daddyfish New Member

    Use Approved RKHunter Version

    There is no end to RKHunter discussions. This might help where Ubuntu is concerned (10.04LTS):

    (1) If you "apt-get install rkhunter" and let Ubuntu install the application from the default Universe repository, then you will have the approved RKHunter V1.3.6 for Ubuntu Server 10.04LTS 64-bit. When you run rkhunter, you will not get any warnings.

    However, if you install RKHunter V1.3.8 (a new version) using wget, you will receive the following warnings upon running RKHunter: warnings for /usr/sbin/useradd, /usr/bin/ldd, /bin/which, warning for hidden directory, and warning for GnuPG and OpenSSL "out of date" versions. You would have to whitelist these in the rkhunter.conf to keep them from clashing ... a bad idea.

    I suggest that you ALWAYS stick with default repository installs for ALL applications, paying no attention to the fact that newer versions exist. If you don't, you server is going to be goobered ... sooner, than later. AND, you will be living contantly on the forums trying to solve insolvable problems !
     

Share This Page