

rkhunter: is this a false positive?




Posted by SlAiD, 12-10-2011, 06:21 AM
Hi Guys, These days security is becoming a big concern for me. I try my best to learn by googling and asking friends, but this is beyond anything I could ask anyone I know personally. I run rkhunter weekly and this week I found the following: For the groups I did think it's a false positive: However I can't exactly get positive or negative information on the rest of the files, especially the hidden ones, which I don't know how to confirm. I'm running a VPS on this box, kernel is 2.6.18-238.12.1.el5.028stab091.1PAE. Any help here? Thanks. Rui

Posted by fshagan, 12-10-2011, 11:13 AM
The "replaced by a script" messages are common on cPanel servers. If you look in /etc/rkhunter.conf you will see these lines: Un-comment those (remove the "#") and you won't get notified of them any longer. You can also allow the hidden directories by un-commenting them as well. The tactic I take is that I start with a system I know is clean, then allow some of the errors through the .conf file.
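The reply above describes silencing "replaced by a script" and hidden-directory warnings by un-commenting whitelist lines in rkhunter.conf. Before doing that on a box that may already be compromised, a practitioner wants to confirm each flagged file still belongs to a package that verifies. The script below is an added example, not code from the thread or from the rkhunter project: it pulls the flagged paths out of rkhunter log lines (the warning wording follows rkhunter's log format; the sample lines embedded in the script are constructed), checks each one with `file` and `rpm -Vf` where those tools exist (the poster's kernel is el5, so an RPM host is assumed), and prints the `SCRIPTWHITELIST` / `ALLOWHIDDENDIR` lines that would correspond to the warning so they can be reviewed before being added to the config.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter warnings before
# whitelisting them in /etc/rkhunter.conf.
# Assumptions: RPM-based host (rpm -Vf), `file` available; both are optional.

# Constructed sample log lines in rkhunter's warning format, used when no
# log file is given on the command line.
SAMPLE_LOG="Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: Hidden directory found: /dev/.udev
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
Warning: Hidden directory found: /etc/.java"

# Paths named in "replaced by a script" warnings, one per line (reads stdin).
flagged_scripts() {
    sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p"
}

# Paths named in "Hidden directory found" warnings, one per line (reads stdin).
flagged_hidden_dirs() {
    sed -n 's/^Warning: Hidden directory found: \(.*\)$/\1/p'
}

# The rkhunter.conf directive that would silence a script warning for a path.
script_whitelist_line() {
    printf 'SCRIPTWHITELIST=%s\n' "$1"
}

# The rkhunter.conf directive that would silence a hidden-directory warning.
hidden_dir_allow_line() {
    printf 'ALLOWHIDDENDIR=%s\n' "$1"
}

# Report what a flagged script actually is and whether the package that owns
# it still verifies. Only a clean "rpm -Vf" makes the path a whitelist
# candidate; anything else is printed for manual review.
triage_script() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "$p: not present on this host"
        return 0
    fi
    if command -v file >/dev/null 2>&1; then
        echo "$p: $(file -b "$p")"
    fi
    if command -v rpm >/dev/null 2>&1; then
        # rpm -Vf prints nothing and exits 0 when every file of the owning
        # package matches the RPM database; any output means a change.
        if out=$(rpm -Vf "$p" 2>&1) && [ -z "$out" ]; then
            echo "$p: owning package verifies clean; candidate for whitelisting:"
            echo "    $(script_whitelist_line "$p")"
        else
            echo "$p: package verification reported differences, review before whitelisting:"
            echo "$out" | sed 's/^/    /'
        fi
    else
        echo "$p: rpm not available, verify ownership manually before adding:"
        echo "    $(script_whitelist_line "$p")"
    fi
    return 0
}

# Read a log file (argument) or the embedded sample, then triage each warning.
main() {
    if [ -n "${1:-}" ]; then
        log=$(cat "$1")
    else
        log="$SAMPLE_LOG"
    fi
    printf '%s\n' "$log" | flagged_scripts | while read -r p; do
        triage_script "$p"
    done
    printf '%s\n' "$log" | flagged_hidden_dirs | while read -r d; do
        if [ -d "$d" ]; then
            echo "$d: exists; list its contents and owner before adding $(hidden_dir_allow_line "$d")"
        else
            echo "$d: not present on this host"
        fi
    done
}

main "$@"
```

Usage: `sh rkhunter_triage.sh /var/log/rkhunter.log`. The script never edits rkhunter.conf itself; it only prints the directive lines so the decision to silence a warning stays with the administrator, which matches the reply's approach of whitelisting only from a system known to be clean.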

Posted by SlAiD, 12-10-2011, 09:49 PM
Hi, Someone (the "hacker") told me that I have a GNY shell on the box. If this is not caused by anything that rkhunter can detect, how do you suggest I find it? He even sent me the print with an ls of my /home/, pretty convincing in my opinion. I might just backup, format and restore. However if I don't know how the problem was created, for example, which account has this shell script, the problem will appear again in some time. Thanks for your help! Rui

Posted by fshagan, 12-12-2011, 12:14 AM
Have you tried LMD (Linux Malware Detect) ... free .. or http://configserver.com's CXS ($50 per server, one time fee).

Posted by SlAiD, 12-12-2011, 06:17 AM
Hi, I identified the shell using ClamAV. However, I saved your links for further review, and from what I saw, good stuff! I already know CXS but I was looking for a free solution. Thanks, Rui

Posted by iLoveHosting-UK, 12-12-2011, 06:22 AM
I would also recommend Maldet. Install it and do a full scan of your system. Find the shell and suspend the account in question and get them to update their software. - Ashton


