rkhunter

Discussion in 'Installation/Configuration' started by Tripple, Apr 8, 2009.

  1. Tripple

    Tripple New Member

    My fresh ISPConfig 3.0.1.1 installation keeps warning me with rkhunter.

    I receive a simple mail with this line:
    Please inspect this machine, because it can be infected

    No logfile to inspect so I ran rkhunter again:
    # rkhunter -c --createlogfile

    2 warnings in the logfile:
    WARNING, found: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression) /dev/.udev (directory)
    Warning: root login possible. Change for your safety the 'PermitRootLogin'

    I can fix the last warning but what about the first one?
     
  2. till

    till Super Moderator

    Never seen the first warning. Did you take a look in the .udev directory?
     
  3. Tripple

    Tripple New Member

  4. Tripple

    Tripple New Member

    I like to start this old topic again because I can't figure out what the problem is.

    Every hour at xx:53 there's a mail to root like this:
    Subject: [rkhunter] Warnings found for host@domain
    Please inspect this machine, because it can be infected

    I can't find any cron job that could cause this so the only way to reproduce this is, I guess, with the command #rkhunter -c --createlogfile, but I can't see any errors in the logfile.
     
  5. falko

    falko Super Moderator

    What's the output of
    Code:
    ls -la /etc/cron.hourly
    ?
     
  6. Tripple

    Tripple New Member

    It's empty:

    # ls -la /etc/cron.hourly/
    totaal 24
    drwxr-xr-x 2 root root 4096 apr 19 21:19 .
    drwxr-xr-x 103 root root 12288 apr 20 17:16 ..
     
  7. till

    till Super Moderator

    rkhunter is run by the ispconfig monitoruing system and not by a crojob. Maybe you selected to receive an email as you installed rkhunter as I dont receive such emails on my servers.
     
  8. Tripple

    Tripple New Member

    I followed the perfect setup and forward all root mails to my mailbox.
    Strange thing I'm the only one with this issue.

    Could this be the cause: (I'm running CentOS 5.3)
    Rootkit Hunter 1.2.9 is running
    Determining OS... Unknown
    Warning: This operating system is not fully supported!
    All MD5 checks will be skipped!

    Or this:
    ClamAV update process started at Mon Apr 20 04:02:12 2009
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.94.2 Recommended version: 0.95.1
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
    daily.cld is up to date (version: 9256, sigs: 41364, f-level: 42, builder: guitar)
     
  9. airton

    airton New Member

    Please inspect this machine, because it may be infected.

    Every hour i receive a message with text:

    Please inspect this machine, because it may be infected.
    why?

    no other warning in /var/log/rkhunter.log:

    Code:
    [00:02:12] System checks summary
    [00:02:12] =====================
    [00:02:12]
    [00:02:12] File properties checks...
    [00:02:12] Files checked: 122
    [00:02:12] Suspect files: 0
    [00:02:12]
    [00:02:12] Rootkit checks...
    [00:02:12] Rootkits checked : 112
    [00:02:12] Possible rootkits: 0
    [00:02:12]
    [00:02:12] Applications checks...
    [00:02:12] Applications checked: 5
    [00:02:12] Suspect applications: 0
     
  10. edge

    edge HowtoForge Supporter

    Read the complete log file from RKhunter and not just the summary.
    Some line(s) will say something about the warning(s)
     
  11. airton

    airton New Member

    Thanks edge for your suggestion.
    In my log i've found:

    Checking for hidden processes [ Warning ]
    Warning: Hidden processes found: 30562

    but maybe could be a false positive as stated in
    http://ubuntuforums.org/showthread.php?t=796192 infact i cannot cd in /proc/pid and if i execute rkhunter --check now no hidden process is reported.

    I've built the following script to test unhide (used by rkhunter to discovery hidden processes):

    Code:
    ps -ef > processes.txt
    unhide brute | grep 'Found HIDDEN PID' | while read line
    do
    	#echo $line
    	pid=`echo $line | awk '{ print $4 }'`
    	echo
    	echo Hidden PID: [$pid];
    	
    	echo Testing dir "/proc/$pid"
    	if [ -d "/proc/$pid" ]; then
    		cat /proc/$pid/cmdline
    	else
    		echo "... Not Found (good)"
    	fi
    	
    	echo Testing processes list
    	pcregrep "\\w\\s+$pid" processes.txt
    done
    an this is a sample result:

    Code:
    Hidden PID: [20248]
    Testing dir /proc/20248
    ... Not Found (good)
    Testing processes list
    postfix  20248 23453  0 10:30 ?        00:00:00 showq -t unix -u -c
    sometime the "hidden" process cannot be identified... but all seem to confirm the theory of false positive.
    I'd like to avoid it!
     
  12. ggarcia24

    ggarcia24 New Member

    Is there some way to run it more spaced?, rkhunter is running every 30min and I get a 95% CPU Usage... can at least make it run every 2hs?
     
  13. till

    till Super Moderator

    This has alraedy been changed in svn, please see svn log for details.
     
  14. ggarcia24

    ggarcia24 New Member

    Thank you very mach!!!!! I've added manually the changes, thanks!
     
  15. dragons

    dragons New Member

    I have exactly the same issue with ispconfig3 and rk hunter with the same warnings. I uncommented the lines in rkhunter.conf that refer to the issues in the warnings but I still get the warnings and the emails every hour. I know how to stop the emails but I really want to stop the warning by fixing the problem
    Its a brand new centos5.3 server install using the howto from here on ispconfig3 and centos5.3.

    warning is same as others

    rkhunter.conf is as follows

    Code:
    # This is the configuration file of Rootkit Hunter. Please change
    # it to your needs.
    #
    # All lines beginning with a hash (#) or empty lines, will be ignored.
    #
    INSTALLDIR=/usr
    
    # Links to files. Don't change if you don't need to.
    LATESTVERSION=/rkhunter_latest.dat
    UPDATEFILEINFO=/rkhunter_fileinfo.dat
    
    # Send a warning message to the admin when one or more warnings
    # are available (rootkit and MD5 check). Note: uses default 
    # commmand to send the warning message.
    MAIL-ON-WARNING=(my email address)
    
    # Use a custom temporary directory (you can override it with the
    # --tmpdir parameter)
    # Note: don't use /tmp as your temporary directory, because some
    # important files will be written to this directory. Be sure
    # you have setup your permissions very tight.
    TMPDIR=/var/rkhunter/tmp
    
    # Use a custom database directory (you can override it with the
    # --dbdir parameter)
    DBDIR=/var/rkhunter/db
    
    # Whitelist files (and their MD5 hash)
    # Usage: MD5WHITELIST=<binary>:<MD5 hash>
    #MD5WHITELIST=/bin/ps:9bd8bf260adc81d3a43a086fce6b430a
    #MD5WHITELIST=/bin/ps:404583a6b166c2f7ac1287445a9de6b3
    
    # Allow direct root login via SSH
    # Don't use this option if you don't know what the warning about
    # this option means!!
    ALLOW_SSH_ROOT_USER=0
    
    # Allow hidden directory
    # One directory per line (use multiple ALLOWHIDDENDIR lines)
    #
    #ALLOWHIDDENDIR=/etc/.java
    ALLOWHIDDENDIR=/dev/.udev
    #ALLOWHIDDENDIR=/dev/.udevdb
    #ALLOWHIDDENDIR=/dev/.udev.tdb
    #ALLOWHIDDENDIR=/dev/.static
    #ALLOWHIDDENDIR=/dev/.initramfs
    #ALLOWHIDDENDIR=/dev/.SRC-unix
    
    # Allow hidden file
    # One file per line (use multiple ALLOWHIDDENFILE lines)
    # 
    #ALLOWHIDDENFILE=/etc/.java
    ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
    ALLOWHIDDENFILE=/etc/.pwd.lock
    #ALLOWHIDDENFILE=/etc/.init.state
    
    # Allow process to use deleted files
    # One process per line (use multiple ALLOWPROCDELFILE lines)
    #
    #ALLOWPROCDELFILE=/sbin/cardmgr
    #ALLOWPROCDELFILE=/usr/sbin/gpm
    #ALLOWPROCDELFILE=/usr/libexec/gconfd-2
    #ALLOWPROCDELFILE=/usr/sbin/mysqld
    
    # Allow process to listen on any interface
    # One process per line (use multiple ALLOWPROCLISTEN lines)
    #
    #ALLOWPROCLISTEN=/sbin/dhclient
    #ALLOWPROCLISTEN=/usr/bin/dhcpcd
    #ALLOWPROCLISTEN=/usr/sbin/pppoe
    #ALLOWPROCLISTEN=/usr/sbin/tcpdump
    #ALLOWPROCLISTEN=/usr/sbin/snort-plain
    #ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
    
    # The End
    
    edit:
    and the .hosts.swp file only as this in it

    Code:
    b0VIM 7.0{/CODE]
     
  16. dragons

    dragons New Member

    OK I sorted out one of the warnings by adding this line to rkhunter.conf

    Code:
    ALLOWHIDDENFILE=/etc/.hosts.swp
    I now just have one warning about root logins as follows

    and sshd_config has this

    Code:
    # Set this to 'yes' to enable PAM authentication, account processing, 
    # and session processing. If this is enabled, PAM authentication will 
    # be allowed through the ChallengeResponseAuthentication mechanism. 
    # Depending on your PAM configuration, this may bypass the setting of 
    # PasswordAuthentication, PermitEmptyPasswords, and 
    # "PermitRootLogin without-password". If you just want the PAM account and 
    # session checks to run without PAM authentication, then enable this but set 
    # ChallengeResponseAuthentication=no
    #UsePAM no
    UsePAM yes
    what should this setting be I am assuming this is what is spitting out the error and sending me the email with the following quote

     
  17. dragons

    dragons New Member

    Ok finally happy :) after more searching around I have fixed all the issues.
    I had to modify sshd_conf

    and restart sshd

    I ran the rkhunter -c scan again it returned no warnings and this time I did not receive the email, meaning the hourly scan now will stop harrassing me by email unless there is a problem :)

    Thanks to you guys for some of the previous posts which did eventually give me clues as to sorting out what he underlying issue was, as searches on the warnings generally show up more confused souls lol :)
     
  18. ggarcia24

    ggarcia24 New Member

    If my memory doesn't fails me, the .hosts.swp is a file that vi or vim create when hosts file is opened but if vi or vim unexpectedly closes this file remains, so if you remove it everything will be fine...

    I believe that some thing similar mus happen with .pwd.lock file.

    I definitely have to recommend you that don't add any hidden file unless of course you know what you are doing.

    About allowing or not root to login via ssh everybody has its tastes (if you have sudo/su you don't need root ssh access). But of course always have a very strong password for root (something like "xEw-Rki66;5vb4").
     
  19. dragons

    dragons New Member

    Hi ggarcia24 thanks for the reply

    do you think i should remove the "ALLOWHIDDENFILE=/etc/.hosts.swp" exception I put in rkhunter.conf for ".hosts.swp" and delete the "b0VIM 7.0" entry in the ".hosts.swp" to fix the warning error instead?
     
  20. ggarcia24

    ggarcia24 New Member

    Yes, but don't remove the content, just remove the whole file... I'm sure that's a temporary file for VI
     

Share This Page