Hello Bibliopegist, when you say it seems to work - did it actually work?
Yes, it works, but with "strange stuff" like: [37C[ [1;3"
Below is the output of the scan:
> /usr/local/psa/admin/sbin/modules/watchdog/rkhunter --update
Running updater...
Mirrorfile /var/rkhunter/db/mirrors.dat rotated
Using mirror
http://rkhunter.sourceforge.net
[DB] Mirror file : Up to date
[DB] MD5 hashes system binaries : Up to date
[DB] Operating System information : Up to date
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Up to date
[DB] Known bad program versions : Up to date
Ready.
> /usr/local/psa/admin/sbin/modules/watchdog/rkhunter -c
Rootkit Hunter 1.2.8 is running
Determining OS... Ready
[1;33mChecking binaries[0;39m
* Selftests[0;39m
Strings (command) /usr/bin/whoami[37C[ [1;32mOK[0;39m ]
[0;39m
* System tools[0;39m
Info: prelinked files found
[1;37mPerforming 'known good' check...[0;39m
/bin/cat[51C[ [1;32mOK[0;39m ]
/bin/chmod[49C[ [1;32mOK[0;39m ]
/bin/chown[49C[ [1;32mOK[0;39m ]
/bin/date[50C[ [1;32mOK[0;39m ]
/bin/dmesg[49C[ [1;32mOK[0;39m ]
/bin/env[51C[ [1;32mOK[0;39m ]
/bin/grep[50C[ [1;32mOK[0;39m ]
/bin/kill[50C[ [1;32mOK[0;39m ]
/bin/login[49C[ [1;32mOK[0;39m ]
m ]
========
=======
* Suspicious files and malware[0;39m
Scanning for known rootkit strings[25C[ [1;32mOK[0;39m ]
Scanning for known rootkit files[27C[ [1;32mOK[0;39m ]
Testing running processes... [30C[ [1;32mOK[0;39m ]
Miscellaneous Login backdoors[30C[ [1;32mOK[0;39m ]
Miscellaneous directories[34C[ [1;32mOK[0;39m ]
Software related files[37C[ [1;32mOK[0;39m ]
Sniffer logs[47C[ [1;32mOK[0;39m ]
[Press <ENTER> to continue]
* Trojan specific characteristics[0;39m
shv4
Checking /etc/rc.d/rc.sysinit
Test 1[49C[ [1;32mClean[0;39m ]
Test 2[49C[ [1;32mClean[0;39m ]
Test 3[49C[ [1;32mClean[0;39m ]
Checking /etc/inetd.conf[33C[ [1;32mNot found[0;39m ]
Checking /etc/xinetd.conf[32C[ [1;32mClean[0;39m ]
* Suspicious file properties[0;39m
[1;37mchmod properties[0;39m
Checking /bin/ps[41C[ [1;32mClean[0;39m ]
Checking /bin/ls[41C[ [1;32mClean[0;39m ]
Checking /usr/bin/w[38C[ [1;32mClean[0;39m ]
Checking /usr/bin/who[36C[ [1;32mClean[0;39m ]
Checking /bin/netstat[36C[ [1;32mClean[0;39m ]
Checking /bin/login[38C[ [1;32mClean[0;39m ]
[1;37mScript replacements[0;39m
Checking /bin/ps[41C[ [1;32mClean[0;39m ]
Checking /bin/ls[41C[ [1;32mClean[0;39m ]
Checking /usr/bin/w[38C[ [1;32mClean[0;39m ]
Checking /usr/bin/who[36C[ [1;32mClean[0;39m ]
Checking /bin/netstat[36C[ [1;32mClean[0;39m ]
Checking /bin/login[38C[ [1;32mClean[0;39m ]
* OS dependant tests[0;39m
[1;37mLinux[0;39m
Checking loaded kernel modules... [23C[ [1;32mOK[0;39m ]
Checking files attributes[32C[ [1;32mOK[0;39m ]
Checking LKM module path[33C[ [1;32mOK[0;39m ]
[1;33mNetworking[0;39m
* Check: frequently used backdoors[0;39m
Port 2001: Scalper Rootkit[34C[ [1;32mOK[0;39m ]
Port 2006: CB Rootkit[39C[ [1;32mOK[0;39m ]
Port 2128: MRK[46C[ [1;32mOK[0;39m ]
Port 14856: Optic Kit (Tux)[33C[ [1;32mOK[0;39m ]
Port 47107: T0rn Rootkit[36C[ [1;32mOK[0;39m ]
Port 60922: zaRwT.KiT[39C[ [1;32mOK[0;39m ]
* Interfaces[0;39m
Scanning for promiscuous interfaces[22C[ [1;32mOK[0;39m ]
[Press <ENTER> to continue]
[1;33mSystem checks[0;39m
* Allround tests[0;39m
Checking hostname... [1;32mFound. [0;39mHostname is u15185411.onlinehome-server.com
Checking for passwordless user accounts... [1;32mOK[0;39m
Checking for differences in user accounts... [1;32mOK. [0;39mNo changes.
Checking for differences in user groups... [1;32mOK. [0;39mNo changes.
Checking boot.local/rc.local file...
- /etc/rc.local[42C[ [1;32mOK[0;39m ]
- /etc/rc.d/rc.local[37C[ [1;32mOK[0;39m ]
- /usr/local/etc/rc.local[32C[ [1;32mNot found[0;39m ]
- /usr/local/etc/rc.d/rc.local[27C[ [1;32mNot found[0;39m ]
- /etc/conf.d/local.start[32C[ [1;32mNot found[0;39m ]
- /etc/init.d/boot.local[33C[ [1;32mNot found[0;39m ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
.............
Result rc.d files check[36C[ [1;32mOK[0;39m ]
Checking history files
Bourne Shell[45C[ [1;32mOK[0;39m ]
* Filesystem checks[0;39m
Checking /dev for suspicious files... [21C[ [1;32mOK[0;39m ]
Scanning for hidden files...[31C[ [1;33mWarning![0;39m ]
---------------
/dev/.udevdb /etc/.pwd.lock
---------------
Please inspect: /dev/.udevdb (directory)
[Press <ENTER> to continue]
[1;33mApplication advisories[0;39m
* Application scan
Checking Apache2 modules ... [27C[ [1;32mNot found[0;39m ]
Checking Apache configuration ... [22C[ [1;32mOK[0;39m ]
* Application version scan
- GnuPG 1.4.5 [45C[ [1;32mOK[0;39m ]
- Apache 2.0.54 [43C[ [1;32mOK[0;39m ]
- Bind DNS 9.3.1 [42C[ [1;32mOK[0;39m ]
- OpenSSL 0.9.7f [42C[ [1;33mOld or patched version[0;39m ]
- PHP 5.0.4 [47C[ [1;32mOK[0;39m ]
- Procmail MTA 3.22 [39C[ [1;32mOK[0;39m ]
- ProFTPd 1.3.0 [43C[ [1;32mOK[0;39m ]
- OpenSSH 4.2p1 [43C[ [1;32mOK[0;39m ]
[1;33mSecurity advisories[0;39m
* Check: Groups and Accounts[0;39m
Searching for /etc/passwd... [30C[ [1;32mFound[0;39m ]
Checking users with UID '0' (root)... [21C[ [1;32mOK[0;39m ]
* Check: SSH[0;39m
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [24C[ [1;32m OK[0;39m ( Remote root login disabled) ]
Checking for allowed protocols... [25C[ [1;32m OK[0;39m ( Only SSH2 allowed) ]
* Check: Events and Logging[0;39m
Search for syslog configuration... [24C[ [1;32m OK[0;39m ]
Checking for running syslog slave... [22C[ [1;32m OK[0;39m ]
Checking for logging to remote system... [18C[ [1;32m OK[0;39m ( no remote logging) ]
[Press <ENTER> to continue]
---------------------------- Scan results ----------------------------
[1;33mMD5[0;39m
MD5 compared: 53
Incorrect MD5 checksums: [1;32m0[0;39m
[1;33m File scan[0;39m
Scanned files: 342
Possible infected files: [1;32m0[0;39m
[1;33m Application scan[0;39m
Vulnerable applications: [1;31m1[0;39m
Scanning took 100 seconds
-----------------------------------------------------------------------
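The "strange stuff" in the output above is ANSI terminal control: `[37C` is a cursor-forward sequence that aligns the result column, and `[1;32m`, `[1;33m`, `[1;31m` and `[0;39m` are the green, yellow, red and reset colour codes, each missing the leading ESC byte that was lost when the output was pasted. The colour therefore carries the severity rkhunter assigned to each check. The script below is an added example, not part of the original post or of rkhunter itself; it strips the codes (with or without ESC) and turns the result lines into records, keeping the colour as a severity field. The sample lines are constructed from the scan quoted above.

```python
import re

# rkhunter colours its terminal output with ANSI CSI sequences: ESC "[37C"
# moves the cursor right 37 columns to align the result column, ESC "[1;32m"
# switches to bold green, "[1;33m" to bold yellow, "[1;31m" to bold red and
# "[0;39m" resets. When the ESC byte is lost (pasted into a forum, or logged
# through a pipe) only the "[...]" tail survives, which is what the post shows.
CSI = re.compile(r"\x1b?\[([0-9;]+)([A-Za-z])")
SEVERITY = {"1;32": "ok", "1;33": "warning", "1;31": "critical"}

# Constructed sample: a few lines taken from the quoted scan, ESC bytes absent.
SAMPLE = """\
[1;33mChecking binaries[0;39m
/bin/cat[51C[ [1;32mOK[0;39m ]
Checking /etc/inetd.conf[33C[ [1;32mNot found[0;39m ]
Scanning for hidden files...[31C[ [1;33mWarning![0;39m ]
- OpenSSL 0.9.7f [42C[ [1;33mOld or patched version[0;39m ]
Checking for passwordless user accounts... [1;32mOK[0;39m
Vulnerable applications: [1;31m1[0;39m
[Press <ENTER> to continue]
"""

def strip_ansi(line):
    """Remove cursor and colour sequences, with or without the ESC byte."""
    return CSI.sub("", line)

def parse_line(raw):
    """Return {'check', 'result', 'severity'} for a result line, else None."""
    first = CSI.search(raw)
    # Section headers begin with a colour code; prompts and plain text have none.
    if first is None or first.start() == 0:
        return None
    colour = next((m for m in CSI.finditer(raw) if m.group(2) == "m"), None)
    if colour is None:
        return None
    check = strip_ansi(raw[:colour.start()]).strip(" [.-")
    result = strip_ansi(raw[colour.end():]).strip(" ]")
    if not result:
        return None
    return {"check": check, "result": result,
            "severity": SEVERITY.get(colour.group(1), "info")}

def parse(text):
    return [row for row in map(parse_line, text.splitlines()) if row]

def findings(text):
    """Only the lines rkhunter coloured yellow or red, i.e. what needs a look."""
    return [row for row in parse(text) if row["severity"] in ("warning", "critical")]

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(f"{row['severity']:8} {row['check']}: {row['result']}")
```

Run against a saved scan log, `findings()` surfaces the hidden-file warning and the "Old or patched version" advisory that the green lines would otherwise bury.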