RK Hunter Warnings




Posted by Kain, 10-01-2012, 06:28 AM
Hi, I'm getting the following warnings from rkhunter. I think they are false positives. What do you think?

[10:59:42] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:59:42] /sbin/ifup [ Warning ]
[10:59:42] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:59:50] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:59:50] /usr/bin/groups [ Warning ]
[10:59:50] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[10:59:51] /usr/bin/ldd [ Warning ]
[10:59:51] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:59:54] /usr/bin/whatis [ Warning ]
[10:59:54] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:59:58] /etc/rkhunter.conf [ Warning ]
[10:59:58] Warning: The file properties have changed:
[10:59:58] File: /etc/rkhunter.conf
[10:59:58] Current hash: aa73f6423ce2ce60554208de0ed7b67450340d9f
[10:59:58] Stored hash : abd46c79e524e6f0e3b58756b3332761019edf80
[10:59:58] Current size: 37379 Stored size: 37357
[10:59:58] Current file modification time: 1348835250 (28-Sep-2012 13:27:30)
[10:59:58] Stored file modification time : 1348782497 (27-Sep-2012 22:48:17)

We modified rkhunter.conf ourselves, which is probably causing this one.

Warning: Found enabled xinetd service: /etc/xinetd.d/nrpe
[11:01:20] Warning: Suspicious file types found in /dev:
[11:01:20] /dev/.udev/db/block@sda@sda1: ASCII text
[11:01:20] /dev/.udev/db/block@sda@sda2: ASCII text
[11:01:20] /dev/.udev/db/block@sda@sda3: ASCII text
[11:01:20] /dev/.udev/db/block@sda: ASCII text
[11:01:20] /dev/.udev/db/block@sdb@sdb1: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev2.1: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev2.2: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev1.1: ASCII text
[11:01:20] /dev/.udev/db/class@usb_device@usbdev1.2: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@controlC0: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@hwC0D0: ASCII text
[11:01:20] /dev/.udev/db/devices@pci0000:00@0000:00:03.0@0000:01:00.1@pcmC0D3p: ASCII text
[11:01:20] /dev/.udev/db/block@sdb: ASCII text
[11:01:20] /dev/.udev/db/class@input@input0@event0: ASCII text
[11:01:20] /dev/.udev/db/devices@seq: ASCII text
[11:01:21] /dev/.udev/db/devices@timer: ASCII text
[11:01:21] /dev/.udev/db/class@graphics@fb0: ASCII text
[11:01:21] /dev/.udev/db/block@ram0: ASCII text
[11:01:21] /dev/.udev/db/block@ram1: ASCII text
[11:01:21] /dev/.udev/db/class@misc@device-mapper: ASCII text
[11:01:21] /dev/.udev/db/class@input@mice: ASCII text
[11:01:21] /dev/.udev/uevent_seqnum: ASCII text
[11:01:21] Checking for hidden files and directories [ Warning ]
[11:01:21] Warning: Hidden directory found: '/dev/.udev'
[11:01:21] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[11:01:21] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[11:01:21] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[11:01:21] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

Posted by Patrick, 10-01-2012, 08:11 AM
Those are common false positives, I wouldn't worry about it.

Posted by kpmedia, 10-01-2012, 09:29 AM
I'd verify it's a false positive at least once, and then on occasion from repeat warnings. I'd not ignore it entirely.
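One way to do that verification, as an added example that is not code from the thread: pull the warned paths out of the rkhunter log and ask the package manager whether each one is shipped by a package and whether that package's own verify pass reports it as changed. It assumes rpm or dpkg is installed; the function names rkh_warned_paths and rkh_classify are my own, and SAMPLE_LOG is constructed from the warnings quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: pull the paths rkhunter warned about
# out of its log and ask the package manager whether each one is shipped by a
# package, and whether that package's own verify pass reports it as changed.
# Assumes rpm or dpkg is present; SAMPLE_LOG is constructed from the warnings
# quoted in the thread.

SAMPLE_LOG="[10:59:42] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:59:50] /usr/bin/groups [ Warning ]
[10:59:50] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[11:01:21] Warning: Hidden directory found: '/dev/.udev'
[11:01:21] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text"

# Print each path rkhunter complained about once, in order of first appearance.
rkh_warned_paths() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*has been replaced by a script: \([^:]*\):.*/\1/p" \
        -e "s/.*Hidden file found: \([^:]*\):.*/\1/p" \
        -e "s/.*Hidden directory found: '\([^']*\)'.*/\1/p" \
    | awk '!seen[$0]++'
}

# One-word verdict for a path: missing, unknown (no rpm/dpkg), unowned (no
# package claims it), pkg:NAME (owned, unmodified) or pkg-modified:NAME.
rkh_classify() {
    p=$1
    [ -e "$p" ] || { echo missing; return; }
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$p" 2>/dev/null) || { echo unowned; return; }
        verify="rpm -V"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$p" 2>/dev/null | grep -v '^diversion ' | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] || { echo unowned; return; }
        verify="dpkg -V"
    else
        echo unknown; return
    fi
    # rpm -V / dpkg -V print one line per changed file, path in the last field.
    if $verify $pkg 2>/dev/null | awk -v p="$p" '$NF == p { f = 1 } END { exit f ? 0 : 1 }'; then
        echo "pkg-modified:$pkg"
    else
        echo "pkg:$pkg"
    fi
}

# Review the sample log the way you would review the real /var/log/rkhunter.log.
rkh_warned_paths "$SAMPLE_LOG" | while read -r p; do
    printf '%-24s %s\n' "$p" "$(rkh_classify "$p")"
done
```

A path the package manager owns and reports unmodified is the benign case the earlier replies describe; an unowned or modified path is the one to inspect by hand.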

Posted by bloodyman, 10-02-2012, 02:01 PM
Hi, what other rootkit scanners can be used on Linux? How can we be sure that our Linux server is free from rootkits and viruses? Rkhunter is pretty old, I think we need something newer.

Posted by BestServerSupport, 10-03-2012, 09:35 AM
clamscan scans for a wide range of malicious scripts. chkrootkit and unhide are excellent programs which look for types of malicious software, sniffers, scanners, trojans. Also, there is a tool called lynis which can help you in securing the server. It also provides a hardening index.
