rkhunter writes host may be infected

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Nov 1, 2019.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Running on Debian 10 Buster host, ISPConfig 3.1.15p2. Logwatch keeps showing me:
     --------------------- Connections (secure-log) Begin ------------------------
     User Logins:
        root : 1 Time(s)
     **Unmatched Entries**
        rkhunter: Please inspect this machine, because it may be infected.: 1 Time(s)
        rkhunter: Rootkit hunter check started (version 1.4.6): 1 Time(s)
        rkhunter: Scanning took 3 minutes and 13 seconds: 1 Time(s)
     ---------------------- Connections (secure-log) End ------------------------- 
    I read every day rkhunter log but can not find any clue why rkhunter thinks host is infected. Yesterday I found it is in auth.log that string appears:
    Nov  1 06:28:21 myhost rkhunter: Please inspect this machine, because it may be infected.
    There are 91 warnings in rkhunter.log, but none of them seem serious enough to assume host is infected. I am almost certain there is no infection on that host, but I would like to know why rkhunter thinks there may be infection.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There should be some info in the rkhunter log file, at least there was some in cases where I had rkhunter reporting an issue. maybe you should cross-check by using lynis https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/ Lynis is a tool from the same author that developed rkhunter and it does a wider security check of the server, Lynis is available for free as well.
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I used lynis, seems it does not find anything wrong. But says it is more than 4 months old although I replaced the version in Tutorial with latest I found on Lynis website. I'll try to track down a later version next week.
    till likes this.

Share This Page