
rootkit warnings..

mike2010

Basic Pleskian
My server's running fine... but these rootkit hunter logs always make me paranoid. Why can't something eventually be done about this? Even my techies tell me WatchDog has issues and I should ignore most of the warnings.


All my stuff in my /bin/ folder has warnings on it similar to this -

[06:52:24] Checking for prerequisites [ OK ]
[06:52:24] /bin/awk [ Warning ]
[06:52:24] Warning: No hash value found for file '/bin/awk' in the rkhunter.dat file.
[06:52:24] /bin/basename [ Warning ]
[06:52:24] Warning: The file properties have changed:
[06:52:24] File: /bin/basename
[06:52:24] Current size: 18484 Stored size: 16056
[06:52:24] /bin/bash [ Warning ]
[06:52:24] Warning: The file properties have changed:
[06:52:24] File: /bin/bash
[06:52:24] Current size: 735004 Stored size: 729292
[06:52:25] /bin/cat [ Warning ]
[06:52:25] Warning: The file properties have changed:
[06:52:25] File: /bin/cat
[06:52:25] Current size: 23132 Stored size: 20648
[06:52:25] /bin/chmod [ Warning ]
[06:52:25] Warning: The file properties have changed:
[06:52:25] File: /bin/chmod
[06:52:25] Current size: 38564 Stored size: 35932
[06:52:25] /bin/chown [ Warning ]
[06:52:25] Warning: The file properties have changed:
[06:52:25] File: /bin/chown
[06:52:25] Current size: 44020 Stored size: 41320
[06:52:25] /bin/cp [ Warning ]
[06:52:25] Warning: The file properties have changed:
[06:52:25] File: /bin/cp
[06:52:25] Current size: 71524 Stored size: 68248
[06:52:25] /bin/csh [ Warning ]
[06:52:25] Warning: The file properties have changed:
[06:52:25] File: /bin/csh
[06:52:25] Current hash: 8d52c4e0045758989269e783510c98c48339de3ce626
[06:52:25] Stored hash : a4264d4d8b0ce01b73e21440186657786874ba8f4308
[06:52:26] Current file modification time: 1263407715
[06:52:26] Stored file modification time : 1262871459
[06:52:26] /bin/cut [ Warning ]
[06:52:26] Warning: The file properties have changed:
[06:52:26] File: /bin/cut
[06:52:26] Current size: 34408 Stored size: 31752
[06:52:26] /bin/date [ Warning ]

Maybe because when running 'yum update', those files are supposed to change as well?

Also, there's always something up with xinet.d.

[06:53:31] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[06:53:31] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[06:53:32] Checking '/etc/xinetd.d/submission_psa' for enabled services [ Warning ]
[06:53:32] Checking '/etc/xinetd.d/tcpmux-server' for enabled services [ None found ]
[06:53:32] Checking '/etc/xinetd.d/time-dgram' for enabled services [ None found ]
[06:53:32] Checking '/etc/xinetd.d/time-stream' for enabled services [ None found ]
[06:53:32] Checking for enabled xinetd services [ Warning ]
[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/submission_psa
[06:53:32] Checking for Apache backdoor [ Not found ]

Can someone tell me all is good... so I don't always have to be paranoid when running Watchdog?

a couple more -

[06:53:40] Checking for hidden files and directories [ Warning ]
[06:53:40] Warning: Hidden directory found: /dev/.udev
[06:53:40] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[06:53:41] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[06:53:41] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[06:53:41] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

any help = much appreciated..

Thinking about installing ASL if the price comes down a tad.
 
These are just warnings; if you meet a really infected file or something else, you will see it :) I think that you shouldn't worry about these warnings, but you can check the content of the mentioned hidden files just in case.
 
Not sure how to check the current files to match them up with the originals?

Also, is there a way to view .gz files within PuTTY? Like the last 300 lines or so?

If anybody knows the command offhand, it's much appreciated.
 
Well, as I see it, these are man pages. You shouldn't use zless for man pages. You can use zless for viewing the content of gzipped files. For man pages just use the 'man' command.
 
These are all absolutely false positives; these are new files as of CentOS/RHEL 5.4. I believe I have these excluded in the atomic rkhunter build, but if you are running that already you might want to check if there is an /etc/rkhunter.conf.rpmnew file there. If you've got that, mv it to /etc/rkhunter.conf and these messages should go away.
 
My rkhunter.conf is only at /usr/local/psa/etc/modules/watchdog/rkhunter.conf

Is that good or not? I haven't updated to 9.3 yet... only 9.2.3.
 
Arghh... well, that's how it installed with Plesk.

What do you mean it is very old... the Plesk 9.2.3... or the rkhunter.conf location?
 
If talking about the rkhunter.conf... how do I get it in the right place? Shouldn't it remain in the Plesk location? /psa/
 
Version 1.3.4 there:

# cat /usr/local/psa/version
9.3.0 CentOS 5 93091230.06
# rpm -ql psa-watchdog-2.0.3-cos5.build93091230.06 | grep rkhunter-
/usr/local/psa/var/modules/watchdog/lib/rkhunter/doc/rkhunter-1.3.4
 
Same problem here, and I'm using rkhunter 1.3.6. I changed the /etc/rkhunter.conf.rpmnew to /etc/rkhunter.conf and nothing changed.

I got this:

[11:58:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[11:58:33] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa


and also this:

Checking application versions...

Checking version of GnuPG [ OK ]
Checking version of Apache [ Warning ]
Checking version of Bind DNS [ Warning ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ OK ]
Checking version of Procmail MTA [ OK ]
Checking version of ProFTPd [ Skipped ]
Checking version of OpenSSH [ Warning ]

I get an email every day saying that my server is infected, telling me to inspect my server.

What do I need to do?
 
The application openssh, for example, is known as sshd in Plesk,
so to add apache, openssh and procmail MTA you need to add the following:

APP_WHITELIST="OpenSSH httpd php sshd"

That worked for me.

Hope it helps you :)
 
Same problems here, running rkhunter 1.3.4 (shipped with Plesk 10.1.1) with warnings about several applications but also hidden files and xinetd services (like ftp_psa and poppassd_psa which aren't standard and are Plesk specific).

What I did to get rid of the problems: I reviewed the file /var/log/rkhunter.log and added whitelist instructions in the config file (/usr/local/psa/etc/modules/watchdog/rkhunter.conf) for all warnings I found were false positives: APP_WHITELIST (as above), but also XINETD_ALLOWED_SVC and several ALLOWHIDDENDIR and ALLOWHIDDENFILE instructions.

Hope this helps,
Paul-Henri
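The whitelisting step Paul-Henri describes, as an added example that is not from this thread or from Plesk: a small shell function that reads rkhunter.log warning lines and prints the matching rkhunter.conf directives. The sample log lines are constructed from the warnings quoted above; the directive names are the real rkhunter.conf options, and rkhunter expects the full /etc/xinetd.d pathname in XINETD_ALLOWED_SVC.

```shell
#!/bin/sh
# Added example (not the thread's or Plesk's own code): convert the three
# warning kinds seen in the thread (enabled xinetd services, hidden files,
# hidden directories) into rkhunter.conf whitelist lines for review.

# Constructed sample in the format of /var/log/rkhunter.log.
SAMPLE_LOG='[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[06:53:32] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[06:53:40] Warning: Hidden directory found: /dev/.udev
[06:53:41] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[06:53:41] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[06:53:32] Checking for Apache backdoor [ Not found ]'

# Reads log text on stdin, prints one directive per distinct warning.
# The hidden-file line ends with ": <file type>" from file(1); that suffix
# is stripped so only the pathname ends up in ALLOWHIDDENFILE.
rkhunter_whitelist() {
    awk '
        /Warning: Found enabled xinetd service: / {
            print "XINETD_ALLOWED_SVC=" $NF; next
        }
        /Warning: Hidden directory found: / {
            print "ALLOWHIDDENDIR=" $NF; next
        }
        /Warning: Hidden file found: / {
            sub(/^.*Hidden file found: /, ""); sub(/: .*$/, "")
            print "ALLOWHIDDENFILE=" $0; next
        }
    ' | sort -u
}

# Print the candidate lines for the sample. On a real host, check which
# package owns each path (rpm -qf PATH) before appending a line to the
# rkhunter.conf that Watchdog actually reads; an unknown hidden file is
# exactly what this check exists to flag.
printf '%s\n' "$SAMPLE_LOG" | rkhunter_whitelist
```

The size and hash warnings on /bin are a different case: after a package update has been confirmed as the cause (for example with `rpm -V coreutils`), `rkhunter --propupd` refreshes the stored file properties instead of whitelisting.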
 