Got this error on rkhunter 1.3.2
Quote:
[12:16:24] /usr/bin/wget [ Warning ]
[12:16:24] Warning: File '/usr/bin/wget' has the immutable-bit set.
Is that a concern? What does it mean?
After few days of not getting even "one" spam out of average 70 messages a day...the company manager got angry! He thought the mail system is down.
Our provider - a VDS subscriber who rent us shared plan for a website - said: we changed nothing. I confirmed: did you install any new anti-spam software on the site...they said: NO.
In a next conversation with the company manager, they told him they installed a new anti-spam software on the whole server and cannot make it off for our site specifically.
The problem is, they already had a kind of anti-spam software which only "marks" spam-like messages with "**SPAM**" in the subject line, and doesn't mark others. I am afraid some customers' emails get marked and deleted with this new software they claim implemented, based on false positives.
Many times I get my emails in Yahoo and Hotmail go to Spam/Junk folder for some not-widely known reasons, like sending to myself, while putting recipients in CC, and other strange reasons like just using CC in an auto-reply!
something any non-tech person might do.
I am thinking in switching to a new host where we only host mails (mx record), so we don't have "any" email deleted without our check.
Rootkit Hunter version 1.3.2 ]
[1;33mChecking rkhunter version... [0;39m
This version : 1.3.2
Latest version: 1.3.2
[ Rootkit Hunter version 1.3.2 ]
[1;33mChecking rkhunter data files... [0;39m
Checking file mirrors.dat [34C[ [1;32mNo update [0;39m ]
Checking file programs_bad.dat [29C[ [1;32mNo update [0;39m ]
Checking file backdoorports.dat [28C[ [1;32mNo update [0;39m ]
Checking file suspscan.dat [33C[ [1;32mNo update [0;39m ]
Checking file i18n/cn [38C[ [1;32mNo update [0;39m ]
Checking file i18n/en [38C[ [1;32mNo update [0;39m ]
Checking file i18n/zh [38C[ [1;32mNo update [0;39m ]
Checking file i18n/zh.utf8 [33C[ [1;32mNo update [0;39m ]
Warning: Checking for preload file [ Warning ]
Warning: Found library preload file: /etc/ld.so.preload
Warning: The file properties have changed:
File: /bin/ps
Current hash: 36f3d8a9fcaebf5838e5e55ebdcac7e355477343
Stored hash : 8f1acf237e562043f8353f4ec5d0c3490c0d0cb3
Current inode: 1228803 Stored inode: 1228857
Current size: 61364 Stored size: 67088
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The file properties have changed:
File: /usr/bin/top
Current hash: 15f1f743d73d9546a05a15644816139de7708327
Stored hash : 5e78fb7f0a02643a91964081ca03316dbaf01bdd
Current inode: 246165 Stored inode: 245920
Current size: 48536 Stored size: 48504
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/vmstat
Current hash: 898351bc3be226caf6915715b23a1c7cc5d35fdd
Stored hash : edaa64f3921a0a2d873c14a5eb641ba883f4dcff
Current inode: 246561 Stored inode: 246020
Current size: 17872 Stored size: 20444
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/w
Current hash: 480c2c2e4f1048e19fc075f4daebe79fa84e08d1
Stored hash : 87f39eeb583bc7f6622e95fd0266f093ed8b362b
Current inode: 246020 Stored inode: 246167
Current size: 9720 Stored size: 11720
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/watch
Current inode: 246167 Stored inode: 245924
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The file properties have changed:
File: /sbin/sysctl
Current hash: b560099caf18d28bcc0249efaec75dcddb87b219
Stored hash : fa13202ac5897d9f7198e8afbbe7d0c835b07639
Current inode: 589893 Stored inode: 589875
Current size: 9144 Stored size: 11048
Current file modification time: 1214487892
Stored file modification time : 1195262225
I know some of these warnings like /usr/bin/GET - groups -ldd - whatis - ifdown – ifup are normal false positives.
But other warnings are new,
I think they changed after upgrading the cpanel to 11.23
I have cpanel on centos 4.6
I don't really know much about how mod_security rules work, I've just clicked on default configuration in WHM.
Anyway one user on our vbulletin board has pmed me saying he can't access the board. He gave me his fixed ip. And I noticed it is in CSF denied ip list as:
lfd: 5 (mod_security) login failures from xx.xx....
I've checked mod_security log and it has like twenty entries for this ip saying: ....
I tried a little searching both in Google and on here but this is probably going to be a private or member-based thing anyway.
I've gotten a couple comments that some of my outbound personal mail is ending up in spam folders. I think it's almost completely limited to having Outlook (or Express?) as a client... which I assume doesn't even do network-based lookups. Nonetheless I don't seem to be on any blacklists, and running it through my own spamassassin filter comes up basically zero score. But the fact that more than one person has had the problem concerns me greatly. Also, I haven't seen any significant reason why the content itself would trigger anything.
I realize a public spam test service would basically be a "testing ground" for spammers to evade detection, but there's obviously legitimate uses as well... is there such a tool somewhere? Thanks for any advice. Public information sharing is key to a forum, but PMs are welcome in this case.
Cronjob is not working for a script on a clients cpanel account:
He set it up to grab from the path below and it is giving this error:
/bin/sh: /usr/bin/wget: Permission denied
The cronjob that is running is:
/usr/bin/wget -O - -q [url]
This is a cpanel box with centos 5
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
when i use Hostname / Reverse IP Lookup and test it with my VPS ip. it show my main server name .
i am so worry about it and want to hide my main server name and other
We would like to offer root servers to customers, but we worry that they change the IP address to another IP address in our network and make troubles like this. I think, if a customer takes the same IP like our gateway router, our whole network is not reachable anymore. How can I avoid this?
View 10 Replies View RelatedI was surprised to see that they had 100% uptime in May according to their logs. I am used to see 99.98%, 98.97% etc. etc. with other hosts. But even 100% is quite possible.
On June 7th the uptime suddenly dropped below 96% with avg. 7 outages. I was really disappoined as I was planning to signup. But after a day or so it again rose to 100% with 0 outages on all of their servers which clearly explained the 100% uptime of May.
According to them they had a attack because of which IPs of nodes had to be changed and subsequently they also changed it on hyperspin.com (their server monitoring service). I immediately signed up on hyperspin to verify this claim. Changing the IP or hostname of a monitored service on hyperspin doesn't reset its log is what i clearly observed. Its quite visible that the logs were reset intensionally to hide the actual server uptime and make it always show 100% percent. When i reverted back to them on this issue, they prefered to close the ticket. I just want to know from other hosts, it this practice common or primaryvps.com is an exception? Well as mentioned on their site, the uptime log is located at:
hyperspin.com/publicreport/30037/20077
But don't expect too much. It has only two figures 0 for outages and 100% for uptime.
Is there any way to avoid getting false name lookups when trying to resolv inexistent domains ? apart from using another nameserver.
I'm sorry if it was posted earlier, tried searching but it didn't help as it gave me large results.
Code:
[root@removed ~]# ping hjkdji284kajgafhj87da778dfsd.com
PING hjkdji284kajgafhj87da778dfsd..com.insertdchere.com (xx.xxx.xxx.xx) 56(84) bytes of data.
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=0 ttl=61 time=1.00 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=1 ttl=61 time=0.952 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=2 ttl=61 time=1.34 ms
How can I stop the rootkit hunter false positives?
It is alerting on these, on a fresh OS install:
Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
Being using the free version of siteuptime.com but this month alone i have had so far 3 false alerts reported, i am always in the putty and does not get interrupted, and i am sure i am around on the site too while supposedly siteuptime reports down (i am guessing firewall blocks their server ip for w/e reason). So am wondering is there any really good public tracking site out there which can do public reports more accurately and not kak out on me?
Whats your experience with siteuptime for monitoring if any ? Sometimes it works "ok" other times its just off the charts.
Namecheap.com offers PositiveSSL certificate for free at the moment
[url]
I was wondering what is its encryption ability compared to RapidSSL certificate?
Since my Centos updated from 5.3 to 5.4 i am getting this "error" with rkhunter.
Warning: Possible promiscuous interfaces:
'ifconfig' command output: UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
'ip' command output: eth1
'ip' command output: eth0
I already ran:
rkhunter --propupd
about my rkhunter`s log. It gives some warnings but i dont know if they are really important ones.
Here are the warnings it gives :
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Application 'gpg', version '1.2.6', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.7a', is out of date, and possibly a security risk.
Warning: Application 'php', version '4.3.9', is out of date, and possibly a security risk.
I am using plesk and i am using yum update for updating files and scripts. So i dont know how can i update gpg php and openssl. Plus for some time it said like port 2006 is open and possible trojan backdoor. But when i check now it doesnt give any error like that.
if there is any major problem at those logs or not?
if someone also wants i can attach the full rkhunter.log or only warning output rkhunter.log
Every time I log on plesk 11.09 I get an email from admin saying that due to maximum number of failed login attempts for admin, the account was blocked for 30 minutes.
First, I do not get failed login attempts, I log in every time.
Two, the account is not blocked, I can log in, out and back in as many times as I want without problem except that I get this email everytime.
It's been almost 3 weeks, more or less, since I signed up with XenVZ (xenvz.co.uk). Sean does a good job on support whenever I put in a ticket - fast responses, always.
As for network stability, it hasn't disconnected from Quakenet (IRC network) since I've gotten it - signon 17d 20h 40m 25s ago.
As for speed, 19:36:39 (10.80 MB/s) - `100mb.test' saved [104857600/104857600] (from cachefly).
I'm a VPS customer of Hostchum.
I found good customer support officers there.
They provide about 20 hours a day live-chat service .
Now I'm about two month with sologigabit.com and want to share some impressions with you.
Sologigabit was extremely helpful to me. I needed server with custom config and they ordered some hardware for me. They take only two month upfront.
While they didn't have hardware required, they set up server for me and made it available, so I could familiarize myself with a system. That helped me a lot when I started to install system later.
They didn't offered FreeBSD as available OS to install but downloaded image for me and put installation media into dvd drive, so I could install it myself. They also were helpful providing information about system while I was installing system, as I encountered some problem with FreeBSD default kernel.
I have dedicated remote APC and KVM, so I could resolve almost all my issues myself.
Running for two month with them I didn't encountered any problems, so I probably stay with them for a long time.
Any one have any thing to share with us regarding the one.com hosting company (located in UK)?
According to their awards page:
"#1 UK Budget Web Hosting Provider - UK Web Host Directory - June 2009"
I am a current customer of Burst for more than 6 months already and so far I am loving their service. There are very, very minor issues but it gets resolved in a timely manner. I have 7 servers with them and looking forward to expanding more. Their sales support Shawn and Benj are very considerate and their technical support Brian is very helpful, knowledgeable, polite and treats customers the right way.
Burst live chat support (AIM) is also the best I have seen with a host.
I recommend them to everybody who's looking for a reliable network and good support!
I did a search on this site, and read a lot of negative things about site5.com
Is it still a 'bad'company or has their service changed?
Is it better to take a hosting with hostgator.com
Because aren't they overselling their packages: 1500 gb (storage) and 15.000 gb (bandwithe)
Thought I would share my recent experience with VertexHost.
I run a vBulletin forum and I had a VPS for over 2 years through PowerVPS. However, due to irreconcilable differences with them offering my current package at a lower price than what I was paying, then refusing to give it to me at "todays price" unless I canceled my service and transfer my data, I parted with them.
I had a "contacting spree" weekend where I contacted 23 different hosts and talked about what I was looking for (I wanted to move to a dedicated server since I figured with my community growing I might as well select a place that I could grow into)
I needed a managed server with decent specs since VB is a server intense application.
Some of the managed server "top players" I talked to were LiquidWeb, AxisHost, and RackSpace. Others were smaller companies that I had saw posted on the dedicated forum offers section.
AH took far too long to get back to me, quite a few days actually. LW would meet at a price for me (my budget was $150- about $170) at $150; however, gave me a very 'downgraded server' compared to what was being offered other places. Finally RS was just way overprices and couldn't come down to my range. Most companies gave me a round-about answer, seemed flaky, or just weren't interested in really helping me.
I had known about VertexHost because I used to host/use Infopop's Eve forum software and they were also on the forums there because they had used UBBThreads before developing their own forum software. Anyway, long story short, I decided to see what they were up to.
Billy from VH was very quick to answer all of my questions and made my sales ticket critical and a top priority. He not only told me what would need to be done in terms of transferring my forum and files (I was coming from Plesk to CPanel) but offered to do it for me.
I agreed that it would be best to have him do it, and he happily did it, free of charge I might add.
Along with transferring my forums over, he also made it so I lost no time while waiting for my domain to propagate. He set it up so the old IP from PowerVPS would send people to the database on my new server with VH.
It was such a seamless transition... my forums were down for only about 2 hours total. I might also mention those 2 hours were from a little before midnight until about 2 AM; a time when the forums are slow any way.
I don't want to get any more long winded than I already have, so in a nutshell VH not only met me on price, but they also transferred everything for me, made sure I had little down time, and were very knowledgeable about any question I had.
I cannot stress enough how highly I recommend them. I'm a loyal customer who likes to stick with what works and who appreciates my business. I do not foresee my leaving VH any time in the future. I can now sleep peacefully knowing my site is in good hands!
which of the is better?
CHKROOTKIT or RKHunter?
i want to install and run it via ssh.
I've honestly never had to worry about protecting myself from exploits until this week, when I found out somebody agined access t othe server using an old script on an old account (teach me to delete client accounts when they leave me, it did!)
I'm working on a new server and going through lots of posts on better securing it, and two things that are suggested is installing chkrootkit and rkhunter, and adding them to the daily cron jobs. Learned how to install and set up the daily script for chkrootkit, but here's what I'd like to do that I'm not sure how to go about, I'd like to a) be notified ONLY if there are changes in the daily scans (especially since there are a couple of false positives I'm aware of) and b) be e-mailed a full report once a week, whether or not there were any changes.
I've got rkhunter installed as well, but I can't seem to find a script that will properly execute it and e-mail it to me. Does anybody have one that works? I'd also like to only get an e-mail if there are changes, except for a once weekly scan result.
I have run rkhunter and got the following report, I have checked everything and seems to be fine. Also, I have run rkhunter --update and didn't help. How can remove this bad messages? Do I need to reinstall the package?
/bin/dmesg [ BAD ]
/bin/env [ BAD ]
/bin/grep [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
A couple days ago, I installed Rkhunter 1.3.0. I updated it, ran it, and put in my my crontab.root
30 23 * * * /usr/local/bin/rkhunter --cronjob > /dev/null
I just finished installing chkrootkit 0.48. I ran it and everything seems fine.
Is there a way to run this as a service?? I ask because in my VPS control panel, the security check still shows that Chkrootkit isn't installed.
Do I put it in the crontab.root file, or does it run as a service?
Also... Does it do the same thing as Rkhunter, or should I have them both installed?
I was testing the new RKHunter 1.3.0, and found a few warnings:
Code:
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
Investigating the logs found this:
Code:
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Same result in two different RHE 4 boxes... just to verify that this is a false positive , do you have the same results in your RHE 4 boxes while running "rkhunter -c" ?
In this thread i would like to recommend about this company.
I was looking for a good anualy package in respectable price, and then Host-monkey offered a cheap deal and i said why not.
I just want to say that after i joined i got alot of help, anything i wanted and anything i needed.
The site contain realy good costumer system that provide many services.
After few days i decided to upgrade my plan and it was fast and courteous.
The server is realy strong and fast for me, even that im from far away land from usa.
I hope you will choose it too, you wont dissapoint.
[url]
I desperately need someone to trouble shoot and eventually fix a mySQL/PHP program we had a month ago. The problem was costing the company I do work for nearly $1,000 per day in lost money. I received 15 people contacting me off a post I made on WHT, and elected to work with Dingloo from auroinfotech.com. And what a great decision that was!
Dingloo and his associate from the get go showed great communication skills, professionalism, and most importantly... fixed the problem very fast!
I truly appreciated the work he and his associate did, and the speed in which they completed it. Our PHP script is 100% fixed (and its a very complicated PHP script) and is working great.
I love to give positive reviews, as I feel people who do an excellent job need to received praise. Thanks again Dingloo for your hard work, I truly appreciate it! You've made work around here a lot better, and we all thank you in the office!
We will continue to use your PHP/mySQL/Admin services in the very near future. I put this in the Ded. Server Forum as this included Admin work on 5 of my servers, and other Admin Duties beside programming.