Hello, I tried chkrootkit and got these alerts. Are they false positives? Or should I be worried?

Code:
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd

Some of them have a username and password, is that normal??? Thanks
You did not say what OS is running on that host. You should try to determine that, then examine that OS's repositories to see if those .htaccess files come with the fail2ban installation packages of that OS. For what it is worth, on my Debian GNU/Linux 10.2 there are those same files:

Code:
ls -lha /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest*/.ht*
-rw-r--r-- 1 root root 231 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
-rw-r--r-- 1 root root 117 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
-rw-r--r-- 1 root root 159 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
-rw-r--r-- 1 root root 62 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
-rw-r--r-- 1 root root 195 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
-rw-r--r-- 1 root root 62 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
-rw-r--r-- 1 root root 179 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
-rw-r--r-- 1 root root 62 Jan 18 2018 /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd

For Debian, this can also be verified by looking at the listing of files in the installation package: https://packages.debian.org/buster/all/fail2ban/filelist
Sorry, I missed that, I am on Ubuntu. Do your .htpasswd files have a username and password in some of them?
Thanks for the trick. So the files are part of the official Fail2ban Debian package. But is it normal to have them reported by chkrootkit every day? Is there a way to remove them from the daily report, or to tell chkrootkit that they are not positive files?
If they are part of the official package, a "rkhunter --propupd" should get rid of the messages. This updates rkhunter's file properties database with the information from the package manager (needs to be repeated at every bigger update). rkhunter does not exclude even known false positives from scanning, because otherwise malware could just overwrite these files and would not be found.
Sorry to respawn an old thread, but EticWeb was asking about chkrootkit whereas the answer offers a solution for rkhunter. So, for chkrootkit, it depends on how it is set up. Normally, the script in `cron.daily` checks the output against an "expected output". It's kind of a poor man's database. If you want to set today's output as being the new "normal", you have to set it so by copying `/var/log/chkrootkit/log.today` over `/var/log/chkrootkit/log.expected`. Their paths may vary depending on the distribution, so check the output of the daily cron for exact instructions, or the script in `/etc/cron.daily/chkrootkit`
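The second reply checks that the flagged paths are shipped by the fail2ban package, and the rkhunter reply points out why simply whitelisting them is risky: a replaced file would look the same to a whitelist. The following is an added example (not from this thread or from chkrootkit/rkhunter) of the check that covers both: compare each flagged file against the checksum dpkg recorded at install time. It assumes a Debian/Ubuntu host where `/var/lib/dpkg/info/<package>.md5sums` exists; the files and paths below are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Compare files flagged by chkrootkit against the checksums dpkg recorded for
# the owning package (find the package with: dpkg -S <path>). The record lives
# in /var/lib/dpkg/info/<pkg>.md5sums as "<md5>  <path without leading slash>".
# A match means "untouched package file" (safe to treat as a false positive);
# a mismatch or a missing entry is what a whitelist would have hidden.

# Arguments: <md5sums record> <absolute flagged path> [root, default /]
# Prints OK, MODIFIED or UNPACKAGED.
verify_flagged_file() {
    record=$1
    flagged=$2
    root=${3:-/}
    rel=${flagged#/}                       # dpkg stores paths without leading /
    recorded=$(awk -v p="$rel" '$2 == p { print $1 }' "$record")
    if [ -z "$recorded" ]; then
        echo UNPACKAGED
        return 0
    fi
    actual=$(md5sum "${root%/}/$rel" | awk '{ print $1 }')
    if [ "$actual" = "$recorded" ]; then
        echo OK
    else
        echo MODIFIED
    fi
}

# Constructed demo data: a throwaway root standing in for / and a fake
# fail2ban.md5sums standing in for /var/lib/dpkg/info/fail2ban.md5sums.
demo_root=$(mktemp -d)
pkg_dir="usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest"
mkdir -p "$demo_root/$pkg_dir" "$demo_root/usr/local/.hidden"
printf 'AuthType Digest\nAuthName "digest"\n' > "$demo_root/$pkg_dir/.htaccess"
printf 'username:digest:0123456789abcdef\n' > "$demo_root/$pkg_dir/.htpasswd"
demo_md5sums="$demo_root/fail2ban.md5sums"
( cd "$demo_root" && md5sum "$pkg_dir/.htaccess" "$pkg_dir/.htpasswd" ) > "$demo_md5sums"
# Overwrite one file after the record was made, as a replaced package file would be.
printf 'tampered:digest:ffffffffffffffff\n' > "$demo_root/$pkg_dir/.htpasswd"
# A dotfile no package claims at all.
printf 'AuthType Basic\n' > "$demo_root/usr/local/.hidden/.htaccess"

for f in "/$pkg_dir/.htaccess" "/$pkg_dir/.htpasswd" /usr/local/.hidden/.htaccess; do
    printf '%-10s %s\n' "$(verify_flagged_file "$demo_md5sums" "$f" "$demo_root")" "$f"
done
```

On a real host, run it as `verify_flagged_file /var/lib/dpkg/info/fail2ban.md5sums <flagged path>` with the default root; only files reported OK are candidates for copying `log.today` over `log.expected`.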