
Watchdog report: Suspect files

Azurel

Silver Pleskian
Hi, today I received two mails for the first time (Panel version: 11.5.30 Update #5):

subject: Watchdog weekly report Jul 14, 2013 - Jul 20, 2013 on rsXXXXXX.rs.hosteurope.de

text:
Watchdog was stopped at Jul 22, 2013 01:00 AM.

Security scans number: 0.

No events registered for the period.

After 1 minute I got this email:

subject: [rkhunter] Warnings found for rsXXXXXX

text:
Please inspect this machine, because it may be infected. Scan log:
[01:00:08] Running Rootkit Hunter version 1.3.4 on rsXXXXXX
[01:00:08]
[01:00:08] Info: Start date is Mon Jul 22 01:00:08 CEST 2013
[01:00:08]
[01:00:08] Checking configuration file and command-line options...
[01:00:08] Info: Detected operating system is 'Linux'
[01:00:08] Info: Uname output is 'Linux rsXXXXXX 2.6.32-358.6.2.el6.x86_64 #1 SMP Thu May 16 20:59:36 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux'
[01:00:08] Info: Command line is /usr/local/psa/admin/sbin/modules//watchdog/rkhunter -c --configfile /usr/local/psa/etc/modules/watchdog/rkhunter.conf --cronjob --propupd --createlogfile
[01:00:08] Info: Environment shell is /bin/sh; rkhunter is using bash
[01:00:08] Info: Using configuration file '/usr/local/psa/etc/modules/watchdog/rkhunter.conf'
[01:00:08] Info: Installation directory is '/usr/local/psa'
[01:00:08] Info: Using language 'en'
[01:00:08] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db' as the database directory
[01:00:08] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/rkhunter/scripts' as the support script directory
[01:00:08] Info: Using '/usr/local/psa/admin/bin/modules/watchdog /usr/local/bin /usr/local/sbin /bin /sbin /usr/bin /usr/sbin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[01:00:08] Info: Using '/' as the root directory by default
[01:00:08] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/tmp' as the temporary directory

Here are all the [Warning] lines:

[01:00:24] Performing file properties checks
[01:00:24] Info: Starting test name 'properties'
[01:00:24] Warning: Checking for prerequisites [ Warning ]
[01:00:24] All file hash checks will be skipped because:
[01:00:24] The current hash function (/usr/bin/sha1sum) or package manager (RPM) is incompatible with the hash function (Unset) or package manager (Unset) used to store the values.

[01:00:36] /usr/bin/GET [ Warning ]
[01:00:36] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable

[01:00:49] /sbin/ifdown [ Warning ]
[01:00:49] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[01:00:49] /sbin/ifup [ Warning ]
[01:00:49] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[01:01:26] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]

[01:01:26] Checking for enabled xinetd services [ Warning ]
[01:01:26] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa

[01:01:30] Info: Starting test name 'passwd_changes'
[01:01:30] Checking for passwd file changes [ Warning ]
[01:01:30] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[01:01:30] Info: Starting test name 'group_changes'
[01:01:30] Checking for group file changes [ Warning ]
[01:01:30] Warning: Unable to check for group file differences: no copy of the group file exists.

[01:01:31] Checking for hidden files and directories [ Warning ]
[01:01:31] Warning: Hidden directory found: /dev/.udev
[01:01:31] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[01:01:31] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[01:01:31] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[01:01:31] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[01:01:31] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[01:01:31] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

[01:01:31] Checking version of Apache [ Warning ]
[01:01:31] Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.

[01:01:32] System checks summary
[01:01:32] =====================
[01:01:32]
[01:01:32] File properties checks...
[01:01:32] Required commands check failed
[01:01:32] Files checked: 121
[01:01:32] Suspect files: 3
[01:01:32]
[01:01:32] Rootkit checks...
[01:01:32] Rootkits checked : 111
[01:01:32] Possible rootkits: 0
[01:01:32]
[01:01:32] Applications checks...
[01:01:32] Applications checked: 8
[01:01:32] Suspect applications: 1
[01:01:32]
[01:01:32] The system checks took: 1 minute and 11 seconds


Does that mean the suspect files are /usr/bin/GET, /sbin/ifdown and /sbin/ifup?

So can I use this article and set them as a whitelist?: http://kb.parallels.com/en/7027

--------------

Does "Suspect applications" mean Apache? How can I upgrade Apache to 2.2.25? "yum update httpd" finds no updates on CentOS 6.4
http://mirror.centos.org/centos-6/6.4/updates/x86_64/Packages => httpd-2.2.15-28.el6.centos.x86_64.rpm
 
I got a Watchdog warning for the first time and got a little shock from the subject "[rkhunter] Warnings found for rsXXXXX". ;)

Can anybody help me here?

Is there a way to upgrade Apache on CentOS 6.4 to version 2.2.25?
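
As an added example (not code from this thread, from Plesk or from rkhunter), the triage a practitioner would do before writing any of these hits into the rkhunter.conf named in the log, /usr/local/psa/etc/modules/watchdog/rkhunter.conf: parse the warning lines, check each flagged path against the RPM database with `rpm -Vf`, and only emit a whitelist entry for files the package manager vouches for. The log excerpt is constructed from the lines quoted above; the `rpm -V` output is a constructed sample in which /sbin/ifdown is pretended to differ from its package; the option names (SCRIPTWHITELIST, ALLOWHIDDENDIR, ALLOWHIDDENFILE, XINETD_ALLOWED_SVC, APP_WHITELIST) are the ones in rkhunter 1.3.x's rkhunter.conf and should be checked against the copy on the server.

```python
"""Triage rkhunter warnings from a Plesk Watchdog report before whitelisting.

Added example; not code from the thread, from Plesk or from rkhunter.
Assumptions: RKHUNTER_LOG is constructed from the warning lines quoted in the
post, RPM_V_OUTPUT is a constructed sample of `rpm -Vf <path>` output, and the
rkhunter.conf option names are those of rkhunter 1.3.x.
"""
import re

# Constructed from the [ Warning ] lines quoted in the post.
RKHUNTER_LOG = """\
[01:00:36] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
[01:00:49] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[01:00:49] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[01:01:26] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[01:01:31] Warning: Hidden directory found: /dev/.udev
[01:01:31] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[01:01:31] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[01:01:31] Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
"""

# Constructed sample of `rpm -Vf` output for the flagged paths. rpm prints
# nothing for a file that matches its package; for this example /sbin/ifdown
# is pretended to differ in size (S) and digest (5).
RPM_V_OUTPUT = """\
S.5....T.    /sbin/ifdown
"""

PATTERNS = {
    "scripts": re.compile(r"The command '([^']+)' has been replaced by a script"),
    "hidden_dirs": re.compile(r"Hidden directory found: (\S+)"),
    "hidden_files": re.compile(r"Hidden file found: ([^:]+):"),
    "xinetd": re.compile(r"Found enabled xinetd service: (\S+)"),
    "apps": re.compile(r"Application '([^']+)', version '([^']+)', is out of date"),
}


def parse_warnings(log):
    """Group warning lines by rkhunter test; 'apps' entries are (name, version)."""
    found = {key: [] for key in PATTERNS}
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                found[key].append(m.groups() if key == "apps" else m.group(1))
    return found


def parse_rpm_verify(output):
    """Map each path `rpm -V` complained about to the attributes that differ.

    Flag columns: S size, M mode, 5 digest, D device, L link target, U user,
    G group, T mtime (plus P capabilities on newer rpm). A path absent from the
    output verified clean; 'missing' and 'unowned' are recorded as pseudo-flags.
    """
    diffs = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "missing":
            diffs[parts[-1]] = {"missing"}
        elif parts[0] == "file" and "not owned" in line:
            diffs[parts[1]] = {"unowned"}  # "file /x is not owned by any package"
        elif len(parts[0]) in (8, 9):
            diffs[parts[-1]] = {c for c in parts[0] if c not in ".?"}
    return diffs


# Content changed, or no package to compare against: never whitelist on this evidence.
# An mtime-only (T) or ownership/mode difference is reported but does not block.
REJECT = {"S", "5", "L", "missing", "unowned"}


def safe_to_whitelist(path, diffs):
    """True when the file on disk is the one the package manager installed."""
    return not (diffs.get(path, set()) & REJECT)


def whitelist_fragment(found, diffs):
    """rkhunter.conf lines for hits that verified clean; rejected hits become comments."""
    lines = []
    for option, key in (("SCRIPTWHITELIST", "scripts"), ("ALLOWHIDDENFILE", "hidden_files")):
        for path in found[key]:
            if safe_to_whitelist(path, diffs):
                lines.append(f"{option}={path}")
            else:
                lines.append(f"# {path} NOT whitelisted: rpm -V flags {''.join(sorted(diffs[path]))}")
    # Runtime directories such as /dev/.udev are not packaged, so rpm cannot vouch
    # for them; they still need a look by hand before this line is kept.
    lines += [f"ALLOWHIDDENDIR={p}" for p in found["hidden_dirs"]]
    lines += [f"XINETD_ALLOWED_SVC={p}" for p in found["xinetd"]]
    # Distribution packages backport fixes without bumping the version string, so
    # once `rpm -q --changelog httpd` shows the relevant fixes the version check is noise.
    lines += [f"APP_WHITELIST={app}:{ver}" for app, ver in found["apps"]]
    return lines


if __name__ == "__main__":
    print("\n".join(whitelist_fragment(parse_warnings(RKHUNTER_LOG),
                                       parse_rpm_verify(RPM_V_OUTPUT))))
```

Run it against the real `rpm -Vf` output for the paths the report names; the point of the gating is that a "replaced by a script" hit on a file whose size or digest no longer matches its package is exactly the case a whitelist must not hide. Hidden directories and anything rpm reports as unowned get no automatic entry.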
 
Well, "just" warnings means you "should" have a look, but no important issues like rootkits were found. Every update of files or of the operating system results in a warning from rkhunter.
 