Hello, we get the odd false rkhunter alert from time to time, but this morning we've got about 25 from different servers. There's nothing in the logs and rkhunter --rwo -c shows nothing. They're all Ubuntu running ISPConfig and WordPress. We're still investigating, but I was just wondering if anyone else had seen similar.
There's a command to update rkhunter's file property database when you have large changes on installed packages... something like: rkhunter --propupd. Maybe that helps.
I don't like doing that until I've established the cause. We did it on a few servers anyway, and those servers have alerted again this morning.
I'm all of a sudden getting an error on "i18n.ver failed" for the last couple of days. Not sure if this is the same error as you are getting?
Alright, it seems like the rkhunter team released a new version (1.4.x), see the changelog here. Because our servers run Debian Squeeze, the Squeeze team has not yet updated the package list. The rkhunter team removed the 1.3 version from their SourceForge servers. Therefore the update done by the daily rkhunter scan, which is issued against SourceForge, fails, and a warning is generated. We will just lay back for a couple of days and wait for the Squeeze team to accomplish their tasks. I reckon for you guys it's the same, but better double check. Kind regards, osterhase
I did an apt-get --purge remove rkhunter and after this an apt-get install rkhunter. I'm now on "Rootkit Hunter 1.4.2". If you made changes to rkhunter.conf, then make sure that you make a copy of it for reference!
Same problem here, but it's not solved after removing rkhunter (purge). I even removed ruby with a full purge, but still I get:

    Checking file i18n versions [ Update failed ]

Ubuntu 12.04.4 with rkhunter 1.3.8.
@JeffryL: What Linux distribution and version do you use? If you use Debian, see my post before yours. Kind regards
I've tried this on Ubuntu 12.04.1 LTS but am still getting version 1.3.8. I have also been getting the same errors at the same time each night from about 20 ISPConfig servers. The command I use to run the rkhunter check is: rkhunter --rwo -c. Anyone else got any suggestions? Thanks!
This will probably do the trick... haven't tried it yet. Dinner first... https://www.digitalocean.com/commun...er-to-guard-against-rootkits-on-an-ubuntu-vps Any suggestions or remarks regarding integration with ISPConfig are welcome, of course! Oh, and for those willing to try: the newest version at the time of writing is 1.4.2, so change the links.
I installed rkhunter 1.4.2 as described in the explanation in the link, on top of 1.3.8. So I didn't remove or purge 1.3.8. A bit quick and dirty, but it does work. Advantages: dependencies are already installed, and if rkhunter gets updated as a package it rolls the official package out on top of the version installed without the package manager. But since rkhunter hasn't been updated since 2011 and 12.04.4 support ends in 2017, chances are it won't get updated anyway. Disadvantages: if it gets updated to a version below 1.4.2 you might have a problem with non-existent options in the config file. Probably better, then, not to update rkhunter, but then rkhunter shows up every time during an update through the package manager. So in short:

    cd
    wget http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz/download
    mv download rkhunter-1.4.2.tar.gz
    tar xzvf rkhunter-1.4.2.tar.gz
    cd rkhunter-1.4.2
    mv /etc/rkhunter.conf /etc/rkhunter.conf.old
    ./installer.sh --layout /usr --install
    rkhunter --update
    rkhunter -c --rwo

Correct warnings by whitelisting and changing the rkhunter.conf. And of course make sure there are no unclarified issues before running --propupd!!! See the link: https://www.digitalocean.com/commun...er-to-guard-against-rootkits-on-an-ubuntu-vps I also had to add lwp-request.

    rkhunter --propupd
    rkhunter -c --rwo

If you made a lot of changes in rkhunter.conf it's probably better NOT to start off with the newer original, but rkhunter won't run with the old config file! No need to set up the cron if you installed 1.3.8 first through aptitude.
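Since several posts above (the "i18n versions [ Update failed ]" output and the tarball upgrade to 1.4.2) boil down to telling a failed version-file update apart from a real warning across many servers, here is an added triage helper. It is example code written for this thread, not anything from rkhunter or ISPConfig. It assumes rkhunter --rwo output is piped into it and that `rkhunter --version` prints a line of the form "Rootkit Hunter 1.4.2" (as quoted above); the sample log lines and server names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter --rwo output so that an
# "i18n versions [ Update failed ]" line is not mistaken for a rootkit finding,
# and check whether the installed version is at least the one the thread moved to.

# classify_rkhunter_output  (reads rkhunter --rwo output on stdin)
# Prints CLEAN (no warnings), UPDATE_ONLY (the only warnings are the
# version-file update failure) or NEEDS_REVIEW (anything else, e.g. changed
# file properties, which must be investigated before any --propupd).
classify_rkhunter_output() {
    awk '
        /Warning/ || /\[ *Update failed *\]/ { total++ }
        /i18n versions/ && /Update failed/    { updfail++ }
        END {
            if (total == 0)            print "CLEAN";
            else if (total == updfail) print "UPDATE_ONLY";
            else                       print "NEEDS_REVIEW";
        }'
}

# parse_rkhunter_version "Rootkit Hunter 1.4.2"  ->  1.4.2
# Assumed format of the first line of `rkhunter --version`.
parse_rkhunter_version() {
    printf '%s\n' "$1" | awk '/Rootkit Hunter/ { print $3; exit }'
}

# version_ge A B : exit 0 if dotted version A >= B (numeric, component-wise)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# Constructed sample outputs (what the thread reports, and a real-looking hit).
sample_update_only() {
    printf '%s\n' \
        'Checking file i18n versions [ Update failed ]'
}
sample_real_warning() {
    printf '%s\n' \
        'Checking file i18n versions [ Update failed ]' \
        'Warning: The file properties have changed:' \
        '         File: /usr/bin/ssh' \
        '         Current hash: 0000000000000000000000000000000000000000 (constructed)'
}

# Demo run; in production you would use:
#   rkhunter -c --rwo | classify_rkhunter_output
#   version_ge "$(parse_rkhunter_version "$(rkhunter --version | head -n 1)")" 1.4.2
triage_demo() {
    printf 'host-a (constructed): %s\n' "$(sample_update_only | classify_rkhunter_output)"
    printf 'host-b (constructed): %s\n' "$(sample_real_warning | classify_rkhunter_output)"
    v=$(parse_rkhunter_version 'Rootkit Hunter 1.4.2')
    if version_ge "$v" 1.4.2; then
        printf 'rkhunter %s: at or above 1.4.2\n' "$v"
    else
        printf 'rkhunter %s: older than 1.4.2, still fetches the removed 1.3 files\n' "$v"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    triage_demo
fi
```

The classification deliberately counts the update failure as a warning rather than silently dropping it: a fleet that only reports UPDATE_ONLY can be handled by upgrading rkhunter or waiting for the distribution package, while any NEEDS_REVIEW host must be looked at before anyone runs rkhunter --propupd, exactly as the posts above caution.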
I am also affected by this using Ubuntu 12.04.4 LTS. I am debating whether or not to uninstall rkhunter and install it from the SourceForge site, but I am very angry that the repos for Ubuntu have not been updated and that the repos for version 14.04 contain the updated rkhunter files... what on earth? I am aware I can install it via the tarball, but I would assume that Ubuntu or Debian would be able to update their repos to contain these new files, if in fact these programs do help security? When it comes to Ubuntu you have two options: download the SourceForge tarball or upgrade your system to version 14.04 (an unstable release as of now).
Debian Wheezy (7.4; 7.5 to be released next weekend, btw, and all production machines are scheduled to be updated as soon as the new versions hit the mirrors), rkhunter 1.4.0, not getting any FPs. On that note, a slightly off-topic hint: always use stable, NOT oldstable, for production environments.