logwatch warnings




Posted by monitor2000com, 03-09-2010, 04:30 AM
Hello. My logwatch is showing the following warnings. I was wondering if anyone could explain what the problem is, and whether it is a false report or not.

[ Rootkit Hunter version 1.3.4 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]

[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 150 files, found 130
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Posted by madaboutlinux, 03-09-2010, 05:03 AM
The "Hidden file found" warning messages at the end of your output are legit, and you may need to update RkHunter so that it does not flag these files. I wouldn't have worried about it.
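
One way to confirm that verdict instead of taking it on faith, as an added example that is not part of the thread: parse rkhunter's "Hidden file/directory found" lines, ask the package manager who owns each path, and emit the rkhunter.conf whitelist line (ALLOWHIDDENFILE / ALLOWHIDDENDIR, one entry per line as in the sample config) only for paths a package vouches for. The .hmac files are FIPS integrity checksums shipped by the packages that own the matching binaries, so they come out as owned; /dev/.udev is created by udev at boot and owned by no package, so it is left for a human to judge. The script assumes rkhunter 1.3.x output (optionally with the "[HH:MM:SS]" prefix used in /var/log/rkhunter.log) and an rpm- or dpkg-based host; the sample warning lines are the four from the post above.

```shell
#!/bin/sh
# Added example, not code from the thread: triage rkhunter "Hidden file/directory
# found" warnings. Assumes rkhunter 1.3.x output and an rpm- or dpkg-based host
# so that file ownership can be looked up (assumptions).

# Constructed sample: the four warning lines from the original post.
SAMPLE_WARNINGS='Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text'

# stdin: rkhunter output; stdout: one "<kind> <path>" line per warning, where
# kind is "file" or "directory". Splitting on ": " drops the trailing file
# type ("ASCII text") that rkhunter appends for files, and tolerates the
# "[HH:MM:SS]" prefix found in rkhunter.log.
parse_hidden_warnings() {
  awk -F': ' '/Warning: Hidden (file|directory) found: / {
    kind = ($2 ~ /directory/) ? "directory" : "file"
    print kind, $3
  }'
}

# Package owning a path, or nothing if no package claims it.
owner_of() {
  if command -v rpm >/dev/null 2>&1; then
    pkg=$(rpm -qf "$1" 2>/dev/null) && echo "$pkg"
  elif command -v dpkg >/dev/null 2>&1; then
    pkg=$(dpkg -S "$1" 2>/dev/null) && echo "${pkg%%:*}"
  fi
}

# rkhunter.conf line that stops the warning for one path.
whitelist_line() {   # $1: kind, $2: path
  case "$1" in
    directory) echo "ALLOWHIDDENDIR=$2" ;;
    *)         echo "ALLOWHIDDENFILE=$2" ;;
  esac
}

# For each warning on stdin: if a package owns the path, print the package and
# the whitelist line; otherwise mark it REVIEW for a human to look at.
triage() {
  parse_hidden_warnings | while read -r kind path; do
    pkg=$(owner_of "$path")
    if [ -n "$pkg" ]; then
      printf '# owned by %s\n%s\n' "$pkg" "$(whitelist_line "$kind" "$path")"
    else
      printf '# REVIEW: hidden %s %s is not owned by any package\n' "$kind" "$path"
    fi
  done
}

case "${1:-}" in
  --sample) printf '%s\n' "$SAMPLE_WARNINGS" | triage ;;   # dry run on the sample
  "")       ;;                                             # no argument: define only
  *)        triage < "$1" ;;                               # e.g. /var/log/rkhunter.log
esac
```

Run it as `sh triage.sh /var/log/rkhunter.log` (or `--sample` to see it work on the lines above) and paste only the generated lines into rkhunter.conf; anything printed as REVIEW stays a warning until you have looked at it. A package owning a path proves the path is expected, not that the file is unmodified, so keep rkhunter's own file property checks enabled alongside the whitelist.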

Posted by monitor2000com, 03-09-2010, 06:52 AM
Hello, thank you for your reply. What do you think about the new warning mentioned below?

Cron /root/chkrootkit.sh | grep -v .packlist
find: /proc/11505: No such file or directory
find: /proc/15948: No such file or directory
find: /proc/15950: No such file or directory
find: /proc/15952: No such file or directory
find: /proc/15953: No such file or directory
/var/www/mrtg/tcp.log
/usr/lib/.libfipscheck.so.1.hmac
/usr/lib/gtk-2.0/immodules/.relocation-tag
/usr/lib/.libgcrypt.so.11.hmac
/usr/lib/php/.depdb
/usr/lib/php/.filemap
/usr/lib/php/.registry
/usr/lib/php/.registry/.channel.__uri
/usr/lib/php/.registry/.channel.pecl.php.net
/usr/lib/php/.channels
/usr/lib/php/.channels/.alias
/usr/lib/php/.lock
/usr/lib/php/.depdblock
/usr/lib/.libfipscheck.so.1.1.0.hmac
/lib/.libssl.so.0.9.8e.hmac
/lib/.libcrypto.so.0.9.8e.hmac
/lib/.libssl.so.6.hmac
/lib/.libcrypto.so.6.hmac
/usr/lib/php/.registry
/usr/lib/php/.registry/.channel.__uri
/usr/lib/php/.registry/.channel.pecl.php.net
/usr/lib/php/.channels
/usr/lib/php/.channels/.alias
INFECTED (PORTS: 465)
You have 4 process hidden for readdir command
You have 4 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 1552 tty8 /bin/bash
! root 3910 tty3 /sbin/mingetty tty3

Posted by madaboutlinux, 03-09-2010, 08:02 AM
These processes are already over... It's a false positive. Port 465 is used for SMTPS. These are mostly generated when processes or threads are created and destroyed while chkrootkit is running. Other messages can be ignored safely.
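
The two chkproc lines and the "INFECTED (PORTS: 465)" line can be re-checked rather than dismissed, as an added example that is not part of the thread. chkproc finds PIDs by probing /proc/<pid> one by one and compares that set with what readdir on /proc and `ps` report; a process that starts or exits between those reads is counted as "hidden" once, which is the race the reply above describes. Taking two snapshots a few seconds apart and keeping only PIDs flagged in both separates that race from a process that is hidden persistently. The port line comes from chkrootkit's bindshell test, which checks a fixed list of ports used by known backdoors; 465 is on that list and is also smtps, so the check is to see which process owns the listening socket. The script assumes a Linux /proc, procps `ps`, and `ss` or `netstat`; the PID lists in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: re-check chkrootkit's "process hidden
# for readdir/ps" and "INFECTED (PORTS: 465)" warnings. Assumes a Linux /proc,
# procps `ps`, and `ss` or `netstat` (assumptions).

# PIDs that exist when /proc/<pid> is probed directly, up to pid_max. A rootkit
# that hides entries from directory listings usually still answers a direct
# lookup; one that hooks the lookup path too will defeat this, so treat it as
# a consistency check, not proof. (pid_max can be large on modern kernels, so
# this loop may take a while.)
probe_pids() {
  max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
  i=1
  while [ "$i" -le "$max" ]; do
    [ -d "/proc/$i" ] && echo "$i"
    i=$((i + 1))
  done
}

# PIDs as readdir reports them (shell glob, so no extra process is forked).
readdir_pids() {
  for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
}

# PIDs as ps reports them.
ps_pids() { ps -e -o pid= | tr -d ' '; }

# Lines of $1 that are absent from $2 (both newline-separated lists).
pids_missing_from() {
  printf '%s\n' "$2" "---" "$1" | awk '
    /^---$/ { second = 1; next }
    !second { known[$0] = 1; next }
    $0 != "" && !($0 in known) { print }'
}

# Lines present in both $1 and $2.
pids_in_both() {
  printf '%s\n' "$2" "---" "$1" | awk '
    /^---$/ { second = 1; next }
    !second { known[$0] = 1; next }
    $0 != "" && ($0 in known) { print }'
}

# One chkproc-style snapshot: "readdir <pid>" for PIDs the probe found but the
# listing did not, "ps <pid>" for PIDs the probe found but ps did not. Results
# go to files so that no command-substitution subshell lives during the probe.
hidden_snapshot() {
  tmp=$(mktemp -d) || return 1
  probe_pids > "$tmp/probed"
  readdir_pids > "$tmp/listed"
  ps_pids > "$tmp/shown"
  pids_missing_from "$(cat "$tmp/probed")" "$(cat "$tmp/listed")" | sed 's/^/readdir /'
  pids_missing_from "$(cat "$tmp/probed")" "$(cat "$tmp/shown")"  | sed 's/^/ps /'
  rm -rf "$tmp"
}

# What is actually listening on the port the bindshell test flagged. An MTA
# (sendmail, postfix, exim) owning the socket is the benign smtps case;
# anything else deserves a look.
listener_on_port() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltnp 2>/dev/null | awk -v p=":$1" '$4 ~ p "$"'
  else
    netstat -ltnp 2>/dev/null | awk -v p=":$1" '$4 ~ p "$"'
  fi
}

if [ "${1:-}" = "scan" ]; then            # run as root: sh recheck.sh scan
  first=$(hidden_snapshot)
  sleep 5
  second=$(hidden_snapshot)
  echo "PIDs hidden in both snapshots (investigate):"
  pids_in_both "$first" "$second"
  echo "Listener on port 465:"
  listener_on_port 465
fi
```

Run as root with `scan`. Given constructed lists, `pids_missing_from "$(printf '1\n2\n3')" "$(printf '1\n3')"` prints `2`, and `pids_in_both "$(printf 'readdir 3\nps 5')" "$(printf 'ps 5\nreaddir 7')"` prints `ps 5`. An empty first section means every hidden PID was transient, which matches the reply above; a PID that survives both snapshots, or a non-MTA process on 465, is worth investigating from a known-good boot medium rather than from the running system.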


