Running on Debian 10 Buster host, ISPConfig 3.1.15p2. Logwatch keeps showing me:

Code:
    --------------------- Connections (secure-log) Begin ------------------------
    User Logins:
        root : 1 Time(s)
    **Unmatched Entries**
        rkhunter: Please inspect this machine, because it may be infected.: 1 Time(s)
        rkhunter: Rootkit hunter check started (version 1.4.6): 1 Time(s)
        rkhunter: Scanning took 3 minutes and 13 seconds: 1 Time(s)
    ---------------------- Connections (secure-log) End -------------------------

I read the rkhunter log every day but cannot find any clue why rkhunter thinks the host is infected. Yesterday I found that this string appears in auth.log:

Code:
    Nov 1 06:28:21 myhost rkhunter: Please inspect this machine, because it may be infected.

There are 91 warnings in rkhunter.log, but none of them seem serious enough to assume the host is infected. I am almost certain there is no infection on that host, but I would like to know why rkhunter thinks there may be an infection.
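The logwatch summary only shows the final "Please inspect" line, not the warnings behind it. Here is an added shell example (not from this thread) that groups the "Warning:" entries in rkhunter.log by message so the 91 warnings can be triaged; the log lines it runs on are constructed samples in rkhunter's "[HH:MM:SS]" log format, not output from the poster's host.

```shell
#!/bin/sh
# Constructed sample of rkhunter.log lines (assumed format: "[HH:MM:SS] Warning: ...").
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
[06:25:08] Info: Starting test name 'properties'
[06:25:12] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[06:25:13] Warning: Hidden directory found: /etc/.java
[06:26:40] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[06:27:01] Warning: Hidden directory found: /dev/.udev
[06:28:20] System checks summary
[06:28:21] Please inspect this machine, because it may be infected.
EOF

# Number of warning lines in a given rkhunter.log (what logwatch does not show).
# Usage: rkhunter_warning_count /var/log/rkhunter.log
rkhunter_warning_count() {
    grep -c 'Warning:' "$1"
}

# Group warnings by their message category (text before the first ':' after
# "Warning:") and list them with counts, most frequent first. Reviewing the
# categories is faster than reading 91 individual lines.
# Usage: rkhunter_warning_summary /var/log/rkhunter.log
rkhunter_warning_summary() {
    grep 'Warning:' "$1" \
      | sed -e 's/^\[[0-9:]*\] *Warning: *//' -e 's/:.*$//' \
      | sort | uniq -c | sort -rn \
      | sed -e 's/^ *//'
}

rkhunter_warning_count "$SAMPLE_LOG"
rkhunter_warning_summary "$SAMPLE_LOG"
```

Run the two functions against the real /var/log/rkhunter.log to see which warning categories dominate; each category then maps to an rkhunter.conf whitelist entry or to a real finding to investigate.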
There should be some info in the rkhunter log file, at least there was some in cases where I had rkhunter reporting an issue. Maybe you should cross-check by using Lynis: https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/ Lynis is a tool from the same author that developed rkhunter, and it does a wider security check of the server. Lynis is available for free as well.
I used Lynis; it seems it does not find anything wrong. But it says it is more than 4 months old, although I replaced the version in the tutorial with the latest I found on the Lynis website. I'll try to track down a later version next week.