rkhunter

Discussion in 'Installation/Configuration' started by Tripple, Apr 8, 2009.

  1. dragons

    dragons New Member

    I have done that and I am getting the emails to inspect machine, because it can be infected. below is a copy of the scan

    Thanks for your help
     
  2. dragons

    dragons New Member

    I still have not figured out how to solve the issue rkhunter has so I can stop the warning emails, what else should I be looking for?
    I dont wish to turn off email notification because I want to know if something is wrong, but I am getting 24 emails a day from the hourly cron job that does the scan.
     
  3. cbj4074

    cbj4074 Member HowtoForge Supporter

    Sorry to resurrect this old thread, but it is still entirely relevant.

    I will preface my post by saying that I realize that this warning message can result from any number of different causes. My intention here is to provide basic troubleshooting steps that should help users identify the cause in each particular case.

    Sometime in the last couple of months, this problem began for me, too. I managed to find the cause, which was rather ambiguous (and the result of an actual bug in the rkhunter source), so I thought I'd share with others, especially given that this thread is the first result for a relevant search on Google.

    In short, every day as of late, I receive an email with the subject "[rkhunter] Warnings found for hostname" (where hostname is the machine's actual hostname) with the following in the body:

    Code:
    Please inspect this machine, because it may be infected.
    
    I tried to locate the actual script that is running every day. Till stated earlier in this thread that ISPConfig executes rkhunter scans via the ISPConfig Monitoring system, and not via cron. So, don't bother looking in /etc/cron/* (there are other rkhunter scripts in there, but not the one from which this warning results).

    So, I clicked "Show RKHunter-Log" in the ISPConfig Monitor, and indeed the summary mentions one or more warnings:

    Code:
    System checks summary
    =====================
    
    File properties checks...
    Files checked: 137
    Suspect files: 0
    
    Rootkit checks...
    Rootkits checked : 247
    Possible rootkits: 0
    
    Applications checks...
    All checks skipped
    
    The system checks took: 47 seconds
    
    All results have been written to the log file (/var/log/rkhunter.log)
    
    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)
    
    This is the key step in finding the offending rkhunter test/rule that is throwing the warning:

    Code:
    # grep -i "warning" /var/log/rkhunter.log
    [16:00:10] Info: Emailing warnings to '[email protected]' using command '/usr/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
    [16:00:11] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
    
    There we have it; the warning is probably due to an outdated update URL, and is described in this rkhunter bug report: http://sourceforge.net/p/rkhunter/bugs/105/

    So, in my case, the fix appears to be updating rkhunter to the latest version, in which this should be fixed.

    As a point of note, be advised that running a scan with

    Code:
    # rkhunter -c --createlogfile
    
    can yield different results than when ISPConfig runs an rkhunter scan. More specifically, when I scan using the above command, no warnings are found, presumably because "rkhunter -c" doesn't attempt the network updates as part of the scanning process, which ISPConfig does attempt (presumably with something like "rkhunter --versioncheck --update --cronjob").

    Here are the results with just "rkhunter -c":

    Code:
    System checks summary
    =====================
    
    File properties checks...
        Files checked: 137
        Suspect files: 0
    
    Rootkit checks...
        Rootkits checked : 247
        Possible rootkits: 0
    
    Applications checks...
        All checks skipped
    
    The system checks took: 3 minutes and 5 seconds
    
    All results have been written to the log file (/var/log/rkhunter.log)
    
    No warnings were found while checking the system.
    
     
    Last edited: May 13, 2014

Share This Page