P_heck
Environment:
OS: Debian 7.11
Product: Plesk Onyx Version 17.5.3 Update #15, last updated on July 25, 2017 06:27 AM
I have used the Debian rkhunter package version 1.4.0 on another server and it works fine. On my Plesk server, I want to use the version shipped with Plesk but encounter the following problem:
- Mail is not sent.
Mail is configured using the default settings:
Code:
MAIL_CMD=/opt/psa/admin/bin/modules/watchdog/send-mail
E-Mail address (here anonymized) is set to:
Code:
When switching to the default rkhunter setting:
Code:
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
I get the following error:
Code:
-s=[rkhunter] contains invalid character '['
Changing the original command in the rkhunter.conf file to
Code:
MAIL_CMD=mail -s "rkhunter Warnings found for ${HOST_NAME}"
doesn't change anything (strange).
Why is mail not being sent? Normal Watchdog weekly mails are received.
- Warning in rkhunter.log:
Code:
[15:17:05] /opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
[15:17:05] Warning: Package manager verification has failed:
[15:17:05] File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[15:17:05] The file hash value has changed
How can I update the hash value?
Always performed a
Code:
/usr/local/psa/admin/bin/modules/watchdog/rkhunter --update --propupd
after changing the rkhunter.conf file.
- Warning in rkhunter.log:
Code:
[15:17:42] Checking for suspicious shared memory segments [ Warning ]
[15:17:42] Warning: The following suspicious shared memory segments have been found:
[15:17:42] Process: PID: 29900 Owner: magicspam
[15:17:42] Process: PID: 27522 Owner: root
[15:17:42] Info: Found process pathname '/usr/lib/apache2/mpm-prefork/apache2': it is whitelisted.
I checked the processes with this script to determine the process: linuxplayer/who_attach_shm.pl at master · curu/linuxplayer · GitHub
Output:
Code:
################################################################################
shm attach process list, group by shm key
################################################################################
0x00000000: /opt/psa/admin/sbin/modules/magicspampro/magicspam-daemon
0x0102321d: /usr/lib/apache2/mpm-prefork/apache2
################################################################################
process shm usage
################################################################################
/opt/psa/admin/sbin/modules/magicspampro/magicspam-daemon [1]: 0x00000000
/usr/lib/apache2/mpm-prefork/apache2 [1]: 0x0102321d
So I whitelisted these processes in the rkhunter.conf file:
Code:
ALLOWIPCPROC=/usr/lib/apache2/mpm-prefork/apache2
ALLOWIPCPROC=/opt/psa/admin/sbin/modules/maagicspampro/magicspam-daemon
But the warning stays. Anything I have done wrong?
Cheers Peter
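
A check that fits the whitelisting step above, added here as an example and not part of the original post: it lists every `ALLOWIPCPROC` path in an rkhunter config that does not exist as a regular file on the host. The function name `missing_ipc_whitelist` is hypothetical, and the sketch assumes whitelisted paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post).
# Print each ALLOWIPCPROC path in an rkhunter config file that is not an
# existing regular file, so a whitelist entry can be compared against the
# pathnames reported for the processes attached to shared memory.
#
# Usage: sh this_script.sh /opt/psa/etc/modules/watchdog/rkhunter.conf
# Assumption: paths contain no spaces.
missing_ipc_whitelist() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read config: $conf" >&2
        return 2
    fi
    # Select active (uncommented) ALLOWIPCPROC lines and drop the key,
    # remove optional double quotes, then put one path per line because
    # the option accepts several space-separated paths.
    sed -n 's/^[[:space:]]*ALLOWIPCPROC[[:space:]]*=[[:space:]]*//p' "$conf" |
    tr -d '"' |
    tr -s '[:space:]' '\n' |
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Report entries that cannot match any running executable
        # because no such file exists.
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Run against the file given on the command line, if any.
[ "$#" -eq 0 ] || missing_ipc_whitelist "$@"
```

An empty result means every whitelisted path exists; any path printed should be compared character by character with the pathname shown in the shared-memory listing.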