rkhunter: is this a false positive?
Posted by SlAiD, 12-10-2011, 06:21 AM
Hi Guys,
These days security is becoming a big concern for me. I try my best to learn by googling and asking friends, but this is beyond anything I could ask anyone I know personally.
I run rkhunter weekly and this week I found the following:
For the groups, I do think it's a false positive:
However, I can't get exactly positive or negative information on the rest of the files, especially the hidden ones, which I don't know how to confirm.
I'm running a VPS on this box; the kernel is 2.6.18-238.12.1.el5.028stab091.1PAE.
Any help here? Thanks.
Rui
Posted by fshagan, 12-10-2011, 11:13 AM
The "replaced by a script" messages are common on cPanel servers. If you look in /etc/rkhunter.conf you will see these lines:
Un-comment those (remove the "#") and you won't get notified about them any longer. You can also allow the hidden directories by un-commenting them as well.
The tactic I take is that I start with a system I know is clean, then allow some of the errors through the .conf file.
Posted by SlAiD, 12-10-2011, 09:49 PM
Hi,
Someone (the "hacker") told me that I have a GNY shell on the box.
If this is not caused by anything that rkhunter can detect, how do you suggest I find it?
He even sent me a screenshot with an ls of my /home/, pretty convincing in my opinion.
I might just back up, format and restore. However, if I don't know how the problem was created, for example which account has this shell script, the problem will appear again in some time.
Thanks for your help!
Rui
Posted by fshagan, 12-12-2011, 12:14 AM
Have you tried LMD (Linux Malware Detect), which is free, or http://configserver.com's CXS ($50 per server, one-time fee)?
Posted by SlAiD, 12-12-2011, 06:17 AM
Hi,
I identified the shell using ClamAV.
However, I saved your links for further review, and from what I saw, good stuff! I already know CXS, but I was looking for the free solution.
Thanks,
Rui
Posted by iLoveHosting-UK, 12-12-2011, 06:22 AM
I would also recommend Maldet. Install it and do a full scan of your system. Find the shell, suspend the account in question and get them to update their software.
- Ashton