rkhunter config problem

[TobiasP]

When trying to run rkhunter manually I get the error:
"Installation directory does not exist: /opt/psa"
I haven't changed the install directory setting in the rkhunter config file.

Could you someone send me the "default" rkhunter config file?
Or tell me a way to reset / reinstall rkhunter?

 

[IgorG]

Path to rkhunter config file you may found here - http://kb.odin.com/en/111283

 

[TobiasP]

Path to rkhunter config file you may found here - http://kb.odin.com/en/111283

have you even read my question?

 

[IgorG]

rkhunter is a part of psa-watchdog package. Try to reinstall this package.

 

[TobiasP]

rkhunter is a part of psa-watchdog package. Try to reinstall this package.

is it possible via apt-get or should it be done via plesk updates/upgrades manager?

 

[IgorG]

Yes, you can do it with autoinstaller. Just uncheck Watchdog there and then install it back.

 

[TobiasP]

Thank you that helped.
Updating i18n fails. Log entry:
[11:00:06] Info: Executing download command '/usr/bin/wget -q -O /opt/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/tmp/rkhunter.upd.r9MIzDUis4 http://rkhunter.sourceforge.net/1.3/i18n/1.3.4/i18n.ver'
[11:00:06] Checking file i18n versions [ Update failed ]
[11:00:06] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.

any ideas?

 

[IgorG]

Looks like rkhunter internal issue - http://ubuntuforums.org/showthread.php?t=2215941

 

[TobiasP]

Looks like rkhunter internal issue - http://ubuntuforums.org/showthread.php?t=2215941

ok so it seems the problem is that plesk is using an old version (1.3.4) instead of the current version available for Debian 1.4.0 (https://packages.debian.org/wheezy/rkhunter).
Is it possible that Plesk updates to the current rkhunter version?

 

[IgorG]

Try to use this extension - http://talk.plesk.com/threads/a-ast-rkhunter-parallels-plesk-extension.292609/

 

[Richieboydev]

Is there a simple way to update rkhunter in Plesk without buying an extension?

Why does watchdog still have an ancient version still?

 

[UFHH01]

Yes, there is a "simple" way to upgrade rkhunter... but be aware, that Plesk updates/upgrades/patches may overwrite any of your changes, so please don't blame Parallels, because you changed an integrated extension. ^^

Tutorial to upgrade rkhunter from the integrated Plesk version to the actual version 1.4.2 based on Ubuntu systems :
( Please make sure that the used paths in this tutorial exist on your system, because "/opt/psa/" for example may be "/usr/local/psa/ on your system - change the paths to YOUR system environment to make this work as expected !!! )​

• Preparation, download, untar :

mkdir -p /root/addons/rkhunter
cd /root/addons/rkhunter
wget http://jaist.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2

mkdir /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2

• Control what is going to be installed, install rkhunter 1.4.2 and modify the permissions :

./installer.sh --layout custom /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2 --striproot /opt/psa --install --show

./installer.sh --layout custom /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2 --striproot /opt/psa --install

chown -hR root:psaadm /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2

• Make some backups and move/copy/rsync files and folders :

mv /opt/psa/etc/modules/watchdog/rkhunter.conf /opt/psa/etc/modules/watchdog/rkhunter.conf.backup
cp /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/etc/rkhunter.conf /opt/psa/etc/modules/watchdog/rkhunter.conf

mv /opt/psa/admin/sbin/modules/watchdog/rkhunter /opt/psa/admin/sbin/modules/watchdog/rkhunter.backup
cp /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/bin/rkhunter /opt/psa/admin/sbin/modules/watchdog/rkhunter


rsync -r /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/lib64/rkhunter/scripts/* /opt/psa/var/modules/watchdog/lib/rkhunter/rkhunter/scripts
rsync -r /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/var/lib/rkhunter/db/* /opt/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db
rsync -r /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/var/lib/rkhunter/tmp/* /opt/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/tmp

rsync -r /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/share/doc/* /opt/psa/var/modules/watchdog/lib/rkhunter/doc
rsync -r /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2/share/man/* /opt/psa/var/modules/watchdog/lib/rkhunter/man

• Edit "/opt/psa/etc/modules/watchdog/rkhunter.conf" :

...and use the example configuration, based on the standard Plesk integrated rkhunter.conf, attached as TXT ( rkhunter.conf.example.Ubuntu.txt ), here in the post.​

• While you are still on your command line, please update rkhunter now, to be sure, that your version is up-to-date :

/opt/psa/admin/bin/modules/watchdog/rkhunter --update --configfile /opt/psa/etc/modules/watchdog/rkhunter.conf

• Please use the command "/opt/psa/admin/bin/modules/watchdog/rkhunter --help" for descriptions to additional commands for rkhunter.

 

[Richieboydev]

This is for install and not update. There is more to it than this as the old version would have to be removed first.

Also, I am on Centos, not Ubunto.

 

[UFHH01]

Hi Richieboydev,

are you serious with your post?

Yes this IS written for Ubuntu, but if you would have had a closer look, then you would have seen, that you just have to change "/opt/psa/" to "/usr/local/psa/" - I think this might even be possible, with only a few linux knowledge. The command "locate rkhunter" on your system would as well show you the paths, where Plesk installed the integrated version and you could then see as well, which part from the "Ubuntu tutorial" might need a change.

Btw.... the installation from rkhunter in the way it is described, is a "custom" installation, which means there are no other folders on your system being used. You could verify this as well with the command "./installer.sh --layout custom /opt/psa/var/modules/watchdog/lib/rkhunter-1.4.2 --striproot /opt/psa --install --show". Using the tutorial, you would as well see, that nearly all files of a previous Plesk-integrated-version will get overwritten with the steps - and even backuped. There is no "upgrade" - possibilty, so this way is the most recommended one, if you would like to use the current rkhunter version 1.4.2 instead of the Plesk integrated one.


If you would like an individual "CentOS" tutorial, because you don't want to change the described paths by yourself, I would recommend to order a Plesk Support ticket at Parallels - Support .

 

[Richieboydev]

I do not mind changing the paths.

What I meant about removing the old version is that it will most likely be reinstalled during some Plesk updates. I am afraid this will cause issues.

It may be a better solution to remove Watchdog completely and reinstall with out Plesk and then install this version. What do you think?

Also, in terms of this old version I know it shows some false positives but is it vulnerable at all?

 

[UFHH01]

Hi Richieboydev,

no... rkhunter is not vulnerable - you just can't update any new, updated language files in version 1.3.4 ( i18n ) - the other files are still updated, as you can see in your logs.

And as well "no"... it doesn't show any false positiv... you just should configure it to YOUR needs. The config file needs adjustement on every linux system when you use rkhunter, because paths, whitelists and scripts have to be configured, so that rkhunter doesn't warn about something that, without any definition, might being declared as a potential risk. The standard Plesk - pre-configuration is based on the standard vendor's configuration, where only a minimum is modified - some software need a documentation to understand the correct usage, please be so kind to read the one from rkhunter to modify your settings to your very own system configurations.

And no.... the "old" version will not "automatically" being re-installed... this as well depends on your very own Plesk usage. I prefer reading the changelogs, BEFORE I update/upgrade/patch a server, just to be sure, that I really want it. Maybe you should consider to switch of Plesk-auto-updates and try to follow my behaviour, if you would like to be sure, that YOUR changes still exist tomorrow. ^^

 

[Andreas Löwer]

Hi, I followed the instruction of UFHH01 setp by step. I'm able to start the "watchdog" in Plesk and it shows me the new version of rkhunter:

[ Rootkit Hunter version 1.4.2 ]

rkhunter seems to check the system. But the status bar in Plesk remains at 0% (ok, never mind). Finally, after all tests finished, Plesk shows the state "never checked". I even get a mail, but in this mail the only content is "Please inspect this machine, because it may be infected.". No log file as it was before upgrading rkhunter. Because of the status bar at 0% and the missing log file in the mail I suppose rkhunter can't find the logfile?

I checked all files and permissions. Seems OK. Can anyone help me? Thank you.

 

[Thomas Wilhelmi]

Hello,

I want to bump this post because I have the same issue. I posted this Long time ago in another thgread but I cannot find it.

I found out that the logfile is shown during the scan if you press the refresh-button. But it disappears if the scan is finished. Looking at the source-code of the site you find that there is the complete logfile inside but embedded in a a table wich is marked hidden.

So there is a condition wich lets it be hidden. Wich one and how can I prevent it?

 

[F.Mueller]

same issue here, any solution?