logwatch warnings
Posted by monitor2000com, 03-09-2010, 04:30 AM |
Hello
My logwatch is showing the following warnings ... I was wondering if anyone could explain what's the problem and whether it is a false report or not.
[ Rootkit Hunter version 1.3.4 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 150 files, found 130
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
|
Posted by madaboutlinux, 03-09-2010, 05:03 AM |
The "Hidden file found" warning messages at the end of your output are legit and you may need to update RkHunter to not flag these files. I wouldn't worry about it.
|
Posted by monitor2000com, 03-09-2010, 06:52 AM |
Hello,
Thank you for your reply.
What do you think about the new warning mentioned below?
Cron /root/chkrootkit.sh | grep -v .packlist
find: /proc/11505: No such file or directory
find: /proc/15948: No such file or directory
find: /proc/15950: No such file or directory
find: /proc/15952: No such file or directory
find: /proc/15953: No such file or directory
/var/www/mrtg/tcp.log
/usr/lib/.libfipscheck.so.1.hmac /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libgcrypt.so.11.hmac /usr/lib/php/.depdb /usr/lib/php/.filemap /usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.lock /usr/lib/php/.depdblock /usr/lib/.libfipscheck.so.1.1.0.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac
/usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.channels /usr/lib/php/.channels/.alias
INFECTED (PORTS: 465)
You have 4 process hidden for readdir command
You have 4 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 1552 tty8 /bin/bash
! root 3910 tty3 /sbin/mingetty tty3
|
Posted by madaboutlinux, 03-09-2010, 08:02 AM |
These processes are already over...
It's a false positive. Port 465 is used for SMTPS.
These are mostly generated when processes or threads are created and destroyed while chkrootkit is running.
Other messages can be ignored safely.
|
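An added example, not part of the thread: one way to act on the "update RkHunter to not flag these files" advice is to emit rkhunter.conf whitelist lines (ALLOWHIDDENFILE / ALLOWHIDDENDIR) only for hidden paths that an installed package owns, and leave the rest for manual review. The function names, the OWNER_CMD variable and the choice of "rpm -qf" as the ownership check are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter hidden-path warnings.

# Assumption: OWNER_CMD exits 0 when a path belongs to an installed package.
# "rpm -qf" suits RPM-based systems; substitute "dpkg -S" on Debian-based ones.
OWNER_CMD=${OWNER_CMD:-rpm -qf}

# Sample input: warning lines copied from the rkhunter output in the thread.
sample_output() {
    cat <<'EOF'
File updated: searched for 150 files, found 130
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
One or more warnings have been found while checking the system.
EOF
}

# Read rkhunter output on stdin and print one line per hidden-path warning:
# a whitelist entry if a package owns the path, a REVIEW comment otherwise.
triage_hidden() {
    while IFS= read -r th_line; do
        case "$th_line" in
            "Warning: Hidden file found: "*)
                th_opt=ALLOWHIDDENFILE
                th_path=${th_line#"Warning: Hidden file found: "} ;;
            "Warning: Hidden directory found: "*)
                th_opt=ALLOWHIDDENDIR
                th_path=${th_line#"Warning: Hidden directory found: "} ;;
            *) continue ;;
        esac
        # File warnings carry a ": <file type>" suffix (e.g. ": ASCII text").
        th_path=${th_path%%: *}
        if $OWNER_CMD "$th_path" </dev/null >/dev/null 2>&1; then
            echo "$th_opt=$th_path"
        else
            echo "# REVIEW (no owning package): $th_path"
        fi
    done
}

# Demo on the sample above; on a real host, pipe the rkhunter output in instead.
sample_output | triage_hidden
```

Package ownership only shows that the path is expected on the system; it does not verify the file's contents.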