RK Hunter Warnings
Posted by Kain, 10-01-2012, 06:28 AM
Hi
I'm getting the following warnings from rkhunter.
I think they are false positives.
What do you think?
[10:59:42] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:59:42] /sbin/ifup [ Warning ]
[10:59:42] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:59:50] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:59:50] /usr/bin/groups [ Warning ]
[10:59:50] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[10:59:51] /usr/bin/ldd [ Warning ]
[10:59:51] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:59:54] /usr/bin/whatis [ Warning ]
[10:59:54] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:59:58] /etc/rkhunter.conf [ Warning ]
[10:59:58] Warning: The file properties have changed:
[10:59:58] File: /etc/rkhunter.conf
[10:59:58] Current hash: aa73f6423ce2ce60554208de0ed7b67450340d9f
[10:59:58] Stored hash : abd46c79e524e6f0e3b58756b3332761019edf80
[10:59:58] Current size: 37379 Stored size: 37357
[10:59:58] Current file modification time: 1348835250 (28-Sep-2012 13:27:30)
[10:59:58] Stored file modification time : 1348782497 (27-Sep-2012 22:48:17)
We modified rkhunter.conf ourselves, which is probably causing this one.
Warning: Found enabled xinetd service: /etc/xinetd.d/nrpe
[11:01:20] Warning: Suspicious file types found in /dev:
[11:01:20] /dev/.udev/db/block@sda@sda1: ASCII text
[11:01:20] /dev/.udev/db/block@sda@sda2: ASCII text
[11:01:20] /dev/.udev/db/block@sda@sda3: ASCII text
[11:01:20] /dev/.udev/db/block@sda: ASCII text
[11:01:20] /dev/.udev/db/block@sdb@sdb1: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev2.1: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev2.2: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev1.1: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev1.2: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@controlC0: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@hwC0D0: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@pcmC0D3p: ASCII text
[11:01:20] /dev/.udev/db/block@sdb: ASCII text
[11:01:20] /dev/.udev/db/class@input@input0@event0: ASCII text
[11:01:20] /dev/.udev/db/devices@seq: ASCII text
[11:01:21] /dev/.udev/db/devices@timer: ASCII text
[11:01:21] /dev/.udev/db/class@graphics@fb0: ASCII text
[11:01:21] /dev/.udev/db/block@ram0: ASCII text
[11:01:21] /dev/.udev/db/block@ram1: ASCII text
[11:01:21] /dev/.udev/db/class@misc@device-mapper: ASCII text
[11:01:21] /dev/.udev/db/class@input@mice: ASCII text
[11:01:21] /dev/.udev/uevent_seqnum: ASCII text
[11:01:21] Checking for hidden files and directories [ Warning ]
[11:01:21] Warning: Hidden directory found: '/dev/.udev'
[11:01:21] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[11:01:21] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[11:01:21] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[11:01:21] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Posted by Patrick, 10-01-2012, 08:11 AM
Those are common false positives, I wouldn't worry about it.
Posted by kpmedia, 10-01-2012, 09:29 AM
I'd verify it's a false positive at least once, and then on occasion from repeat warnings.
I'd not ignore it entirely.
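A concrete way to do the verification kpmedia recommends, as an added example (my script, not code from any poster or from rkhunter itself): pull the flagged paths out of the rkhunter log, ask the package manager whether each one is owned by an installed package and unmodified, and only then print the rkhunter.conf directive that would silence it. The sample log lines are constructed from the warnings quoted in the first post; the directive names (SCRIPTWHITELIST, ALLOWDEVFILE, ALLOWHIDDENDIR, ALLOWHIDDENFILE) are real rkhunter.conf options, and the script assumes `rpm` or `dpkg` (optionally `debsums`) is on the box for the ownership check.

```shell
#!/bin/sh
# Added example (not code from any poster or from rkhunter itself):
# triage rkhunter warnings before whitelisting them.
# The sample log below is constructed from the warnings in the first post.

sample_log() {
cat <<'EOF'
[10:59:42] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:59:50] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[11:01:20] /dev/.udev/db/block@sda: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@controlC0: ASCII text
[11:01:21] Warning: Hidden directory found: '/dev/.udev'
[11:01:21] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[11:01:21] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
EOF
}

# Read an rkhunter log on stdin; print "<kind> <path>" for every flagged object.
# kinds: script (command replaced by a script), devfile (odd file type in /dev),
# hiddendir, hiddenfile. The /dev match is greedy up to the last ": " because
# udev db paths themselves contain colons (pci0000:00@...).
extract_flagged() {
    sed -n \
        -e "s/^.*The command '\([^']*\)' has been replaced by a script:.*$/script \1/p" \
        -e 's|^\[[0-9:]*] \(/dev/.*\): .*$|devfile \1|p' \
        -e "s/^.*Hidden directory found: '\([^']*\)'.*$/hiddendir \1/p" \
        -e "s/^.*Hidden file found: \([^:]*\):.*$/hiddenfile \1/p"
}

# Ask the package manager to vouch for a path.
# Returns 0 = owned by an installed package and unmodified,
#         1 = not owned by any package, or modified since install,
#         2 = neither rpm nor dpkg available; verify some other way.
verify_with_pkg_manager() {
    path=$1
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$path" 2>/dev/null) || return 1
        # rpm -V lists only files that differ from the package database,
        # so this path showing up means it was changed after install.
        # $pkg is deliberately unquoted: rpm -qf may name several packages.
        if rpm -V $pkg 2>/dev/null | awk -v p="$path" '$NF == p { found = 1 } END { exit !found }'; then
            return 1
        fi
        return 0
    elif command -v dpkg >/dev/null 2>&1; then
        # "pkg: /path" or "pkg1, pkg2: /path"; keep the first package name
        pkg=$(dpkg -S "$path" 2>/dev/null | sed 's/:.*//; s/,.*//')
        [ -n "$pkg" ] || return 1
        if command -v debsums >/dev/null 2>&1 &&
           debsums -c "$pkg" 2>/dev/null | grep -qxF "$path"; then
            return 1
        fi
        return 0
    fi
    return 2
}

# Map a warning kind to the rkhunter.conf directive that silences it.
suggest_directive() {
    kind=$1; path=$2
    case "$kind" in
        script)     printf 'SCRIPTWHITELIST=%s\n' "$path" ;;
        devfile)    printf 'ALLOWDEVFILE=%s\n' "$path" ;;
        hiddendir)  printf 'ALLOWHIDDENDIR=%s\n' "$path" ;;
        hiddenfile) printf 'ALLOWHIDDENFILE=%s\n' "$path" ;;
        *) return 1 ;;
    esac
}

# One status line per warning; a directive is printed only for paths the
# package manager vouches for. Everything else stays a manual inspection item.
triage() {
    extract_flagged | while read -r kind path; do
        if verify_with_pkg_manager "$path"; then rc=0; else rc=$?; fi
        case $rc in
            0) status="package-owned and unmodified: safe to whitelist" ;;
            1) status="unowned or modified: inspect before whitelisting" ;;
            *) status="no rpm/dpkg here: inspect before whitelisting" ;;
        esac
        printf '%-10s %-34s %s\n' "$kind" "$path" "$status"
        if [ "$rc" -eq 0 ]; then suggest_directive "$kind" "$path"; fi
    done
}

sample_log | triage
```

On a real host, feed `rkhunter --check` output (or /var/log/rkhunter.log) into `extract_flagged` instead of `sample_log`. Paths the package manager confirms can go into rkhunter.conf as printed; the `/dev/.udev/db` entries will never be package-owned, so those need a manual look before an ALLOWDEVFILE line. After any intentional edit to rkhunter.conf, `rkhunter --propupd` refreshes the stored hash so the "file properties have changed" warning on rkhunter.conf itself goes away, and the next run will tell you if anything else moved.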
Posted by bloodyman, 10-02-2012, 02:01 PM
Hi
What other rootkit scanner can be used on Linux? How can we be sure that our Linux server is free from rootkits and viruses? Rkhunter is pretty old; I think we need something newer.
Posted by BestServerSupport, 10-03-2012, 09:35 AM
clamscan scans for a wide range of malicious scripts.
chkrootkit and unhide are excellent programs which look for various types of malicious software: sniffers, scanners, trojans. Also, there is a tool called lynis which can help you with securing the server; it also provides a hardening index.