RKhunter Scan Details

Discussion in 'Installation/Configuration' started by onastvar, Apr 6, 2010.

  1. onastvar

    onastvar Member

    Since I've installed rkhunter I'm getting blank RKhunter Scan Details emails. Any ideas what/where to check about this issue? Thank You.

    I have Perfect Setup CentOS 5.4 with ISPConfig 2
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Does
    Code:
    rkhunter -c
    show anything strange?
     
  3. onastvar

    onastvar Member

    RKhunter

    I only see warnings (please see below). Any ideas?

    rkhunter -c results

    Code:
    /usr/bin/GET                                             [ Warning ]
    /usr/bin/groups                                          [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/whatis                                          [ Warning ]
    /sbin/ifdown                                             [ Warning ]
    /sbin/ifup                                               [ Warning ]
    
    Checking for hidden files and directories                [ Warning ]
    
    Checking application versions...
    
    Checking version of GnuPG                                [ OK ]
    Checking version of Apache                               [ Warning ]
    Checking version of Bind DNS                             [ Warning ]
    Checking version of OpenSSL                              [ Warning ]
    Checking version of PHP                                  [ Warning ]
    Checking version of Procmail MTA                         [ OK ]
    Checking version of ProFTPd                              [ Skipped ]
    Checking version of OpenSSH                              [ Warning ]
    Warnings from rkhunter.log

    Code:
    [10:28:02] /usr/bin/GET                                      [ Warning ]
    [10:28:02] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    
    [10:28:02] /usr/bin/groups                                   [ Warning ]
    [10:28:02] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    
    [10:28:02] /usr/bin/ldd                                      [ Warning ]
    [10:28:03] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    
    [10:28:07] /usr/bin/whatis                                   [ Warning ]
    [10:28:07] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    
    [10:28:08] /sbin/ifdown                                      [ Warning ]
    [10:28:08] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    
    [10:28:08] /sbin/ifup                                        [ Warning ]
    [10:28:08] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    
    [10:32:08]   Checking for hidden files and directories       [ Warning ]
    [10:32:08] Warning: Hidden directory found: /dev/.udev
    [10:32:08] Warning: Hidden file found: /etc/.group.swp: data
    [10:32:08] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    [10:32:08] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    [10:32:08] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    [10:32:08] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    
    This is my rkhunter.sh which is in /etc/cron.daily/rkhunter.sh

    Code:
    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run' [email protected]
     
  4. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ?
     
  5. onastvar

    onastvar Member

    RKhunter

    Output of
    Code:
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    is:

    Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden file found: /etc/.group.swp: data
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
    Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
    Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
    Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
    Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.


    Thank You!
     
  6. falko

    falko Super Moderator Howtoforge Staff

    Do you get a non-empty mail when you run
    Code:
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run' [email protected]
    manually on the shell?

    BTW, your scan results don't look good - maybe your system got hacked... :eek:
     
  7. onastvar

    onastvar Member

    RKhunter Scan Warnings

    Does anyone know how I can check if my system got hacked? Any ideas how to fix the warnings? Do I need to re-install (CentOS & ISPConfig) if the system was hacked? Please advise. I appreciate any help - thanks!

    Right now, I am getting the "rkhunter Daily Run" emails with following warnings:

    Code:
    [ Rootkit Hunter version 1.3.6 ]
    
     Checking rkhunter version...
     This version  : 1.3.6
     Latest version: 1.3.6
    [ Rootkit Hunter version 1.3.6 ]
    
     Checking rkhunter data files...
     Checking file mirrors.dat                                  [ No update ]
     Checking file programs_bad.dat                             [ No update ]
     Checking file backdoorports.dat                            [ No update ]
     Checking file suspscan.dat                                 [ No update ]
     Checking file i18n/cn                                      [ No update ]
     Checking file i18n/de                                      [ No update ]
     Checking file i18n/en                                      [ No update ]
     Checking file i18n/zh                                      [ No update ]
     Checking file i18n/zh.utf8                                 [ No update ]
    Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    Warning: The file properties have changed:
            File: /etc/rkhunter.conf
            Current hash: 9b3b72541ac896dc0d8c877e3dfda866bbc4761e
            Stored hash : 1d76261698bc1d3d2e5729f801a5c9a7e2d761c6
            Current size: 30928    Stored size: 30835
            Current file modification time: 1270827265 (09-Apr-2010 10:34:25)
            Stored file modification time : 1265344611 (04-Feb-2010 22:36:51)
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden file found: /etc/.group.swp: data
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
    
    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)
     
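The warnings quoted in posts 3, 5 and 7 all name a file ("replaced by a script", "Hidden file found", "file properties have changed"), and on an RPM-based system such as the CentOS box in this thread the package database can say whether that file is shipped by a package and whether it still matches what the package installed. The script below is an added example, not code from the thread or from rkhunter: it reads rkhunter warning lines on stdin, pulls out the paths, and asks `rpm -qf` / `rpm -Vf` about each one. The function names (`extract_paths`, `verify_path`, `triage`) and the sample warning block are mine; the sample lines are constructed in the shape of the warnings the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread: turn rkhunter's "Warning:" lines into
# a list of file paths and check each one against the RPM database, so that a
# "replaced by a script" or "hidden file" warning can be matched to the package
# that legitimately ships that file, or shown to belong to no package at all.

# Constructed sample in the shape of the warnings quoted in the thread.
SAMPLE_WARNINGS=$(cat <<'EOF'
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: The file properties have changed:
        File: /etc/rkhunter.conf
        Current hash: 9b3b72541ac896dc0d8c877e3dfda866bbc4761e
Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
EOF
)

# Read warning lines on stdin and print one path per line for the warning
# kinds that name a file; "out of date" version warnings carry no path and are skipped.
extract_paths() {
    sed -n \
        -e "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p" \
        -e 's/^Warning: Hidden file found: \([^:]*\).*/\1/p' \
        -e 's/^Warning: Hidden directory found: \([^:]*\).*/\1/p' \
        -e 's/^[[:space:]]*File: \(.*\)$/\1/p'
}

# Report, for one path, which package owns it and whether rpm -V still agrees
# with the installed copy. Output: "<path> owner=<pkg|none|unknown> verify=<state>".
verify_path() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path owner=unknown verify=rpm-not-available"
        return 0
    fi
    if ! owner=$(rpm -qf "$path" 2>/dev/null); then
        echo "$path owner=none verify=unpackaged"
        return 0
    fi
    # rpm -Vf verifies the whole owning package; keep only the line for this path.
    # No line for the path means size, digest, mode and mtime still match the package.
    mismatch=$(rpm -Vf "$path" 2>/dev/null | grep -F -- " $path" || true)
    if [ -z "$mismatch" ]; then
        echo "$path owner=$owner verify=matches-package"
    else
        echo "$path owner=$owner verify=modified ($mismatch)"
    fi
}

# Pipe warnings in (the daily mail, or /var/log/rkhunter.log), get one triage line per path out.
triage() {
    extract_paths | while IFS= read -r p; do
        verify_path "$p"
    done
}

printf '%s\n' "$SAMPLE_WARNINGS" | triage
```

Feed it the cron mail body or `grep Warning /var/log/rkhunter.log`. A path that comes back `matches-package` is one the distribution ships exactly that way (a shell-script `groups` or `ldd`, or an `.hmac` file next to a binary) and can be listed in rkhunter.conf with `SCRIPTWHITELIST`, `ALLOWHIDDENFILE` or `ALLOWHIDDENDIR`; a path that comes back `modified` or `unpackaged` is the one to examine first, and a file that is supposed to be a compiled binary but is reported as a script by a package that does not ship it that way is the case rkhunter's check exists for.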
  8. daddyfish

    daddyfish New Member

    Use Approved RKHunter Version

    There is no end to RKHunter discussions. This might help where Ubuntu is concerned (10.04LTS):

    (1) If you "apt-get install rkhunter" and let Ubuntu install the application from the default Universe repository, then you will have the approved RKHunter V1.3.6 for Ubuntu Server 10.04LTS 64-bit. When you run rkhunter, you will not get any warnings.

    However, if you install RKHunter V1.3.8 (a new version) using wget, you will receive the following warnings upon running RKHunter: warnings for /usr/sbin/useradd, /usr/bin/ldd, /bin/which, warning for hidden directory, and warning for GnuPG and OpenSSL "out of date" versions. You would have to whitelist these in the rkhunter.conf to keep them from clashing ... a bad idea.

    I suggest that you ALWAYS stick with default repository installs for ALL applications, paying no attention to the fact that newer versions exist. If you don't, your server is going to be goobered ... sooner than later. AND, you will be living constantly on the forums trying to solve insolvable problems!
     