Rkhunter - New False Positives

Jun 30, 2008

Rootkit Hunter version 1.3.2 ]

[1;33mChecking rkhunter version... [0;39m
This version : 1.3.2
Latest version: 1.3.2
[ Rootkit Hunter version 1.3.2 ]

[1;33mChecking rkhunter data files... [0;39m
Checking file mirrors.dat [34C[ [1;32mNo update [0;39m ]
Checking file programs_bad.dat [29C[ [1;32mNo update [0;39m ]
Checking file backdoorports.dat [28C[ [1;32mNo update [0;39m ]
Checking file suspscan.dat [33C[ [1;32mNo update [0;39m ]
Checking file i18n/cn [38C[ [1;32mNo update [0;39m ]
Checking file i18n/en [38C[ [1;32mNo update [0;39m ]
Checking file i18n/zh [38C[ [1;32mNo update [0;39m ]
Checking file i18n/zh.utf8 [33C[ [1;32mNo update [0;39m ]
Warning: Checking for preload file [ Warning ]
Warning: Found library preload file: /etc/ld.so.preload
Warning: The file properties have changed:
File: /bin/ps
Current hash: 36f3d8a9fcaebf5838e5e55ebdcac7e355477343
Stored hash : 8f1acf237e562043f8353f4ec5d0c3490c0d0cb3
Current inode: 1228803 Stored inode: 1228857
Current size: 61364 Stored size: 67088
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The file properties have changed:
File: /usr/bin/top
Current hash: 15f1f743d73d9546a05a15644816139de7708327
Stored hash : 5e78fb7f0a02643a91964081ca03316dbaf01bdd
Current inode: 246165 Stored inode: 245920
Current size: 48536 Stored size: 48504
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/vmstat
Current hash: 898351bc3be226caf6915715b23a1c7cc5d35fdd
Stored hash : edaa64f3921a0a2d873c14a5eb641ba883f4dcff
Current inode: 246561 Stored inode: 246020
Current size: 17872 Stored size: 20444
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/w
Current hash: 480c2c2e4f1048e19fc075f4daebe79fa84e08d1
Stored hash : 87f39eeb583bc7f6622e95fd0266f093ed8b362b
Current inode: 246020 Stored inode: 246167
Current size: 9720 Stored size: 11720
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/watch
Current inode: 246167 Stored inode: 245924
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The file properties have changed:
File: /sbin/sysctl
Current hash: b560099caf18d28bcc0249efaec75dcddb87b219
Stored hash : fa13202ac5897d9f7198e8afbbe7d0c835b07639
Current inode: 589893 Stored inode: 589875
Current size: 9144 Stored size: 11048
Current file modification time: 1214487892
Stored file modification time : 1195262225

I know some of these warnings like /usr/bin/GET - groups -ldd - whatis - ifdown – ifup are normal false positives.

But other warnings are new,

I think they changed after upgrading the cpanel to 11.23
I have cpanel on centos 4.6

View 6 Replies


ADVERTISEMENT

How Can I Stop The Rootkit Hunter False Positives

Apr 22, 2008

How can I stop the rootkit hunter false positives?

It is alerting on these, on a fresh OS install:

Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]

View 2 Replies View Related

Is Immutable-bit Set On Wget An Rkhunter False Positive Or Do I Worry

Mar 12, 2008

Got this error on rkhunter 1.3.2

Quote:

[12:16:24] /usr/bin/wget [ Warning ]
[12:16:24] Warning: File '/usr/bin/wget' has the immutable-bit set.

Is that a concern? What does it mean?

View 5 Replies View Related

Spam...false Positive

May 21, 2008

After few days of not getting even "one" spam out of average 70 messages a day...the company manager got angry! He thought the mail system is down.

Our provider - a VDS subscriber who rent us shared plan for a website - said: we changed nothing. I confirmed: did you install any new anti-spam software on the site...they said: NO.

In a next conversation with the company manager, they told him they installed a new anti-spam software on the whole server and cannot make it off for our site specifically.

The problem is, they already had a kind of anti-spam software which only "marks" spam-like messages with "**SPAM**" in the subject line, and doesn't mark others. I am afraid some customers' emails get marked and deleted with this new software they claim implemented, based on false positives.

Many times I get my emails in Yahoo and Hotmail go to Spam/Junk folder for some not-widely known reasons, like sending to myself, while putting recipients in CC, and other strange reasons like just using CC in an auto-reply!

something any non-tech person might do.

I am thinking in switching to a new host where we only host mails (mx record), so we don't have "any" email deleted without our check.

View 5 Replies View Related

PRIMARYVPS.COM's False Tactics: IS IT OK

Jun 13, 2007

I was surprised to see that they had 100% uptime in May according to their logs. I am used to see 99.98%, 98.97% etc. etc. with other hosts. But even 100% is quite possible.

On June 7th the uptime suddenly dropped below 96% with avg. 7 outages. I was really disappoined as I was planning to signup. But after a day or so it again rose to 100% with 0 outages on all of their servers which clearly explained the 100% uptime of May.

According to them they had a attack because of which IPs of nodes had to be changed and subsequently they also changed it on hyperspin.com (their server monitoring service). I immediately signed up on hyperspin to verify this claim. Changing the IP or hostname of a monitored service on hyperspin doesn't reset its log is what i clearly observed. Its quite visible that the logs were reset intensionally to hide the actual server uptime and make it always show 100% percent. When i reverted back to them on this issue, they prefered to close the ticket. I just want to know from other hosts, it this practice common or primaryvps.com is an exception? Well as mentioned on their site, the uptime log is located at:

hyperspin.com/publicreport/30037/20077

But don't expect too much. It has only two figures 0 for outages and 100% for uptime.

View 14 Replies View Related

If Mod_security Gave False Positive

Mar 11, 2008

I don't really know much about how mod_security rules work, I've just clicked on default configuration in WHM.

Anyway one user on our vbulletin board has pmed me saying he can't access the board. He gave me his fixed ip. And I noticed it is in CSF denied ip list as:

lfd: 5 (mod_security) login failures from xx.xx....
I've checked mod_security log and it has like twenty entries for this ip saying: ....

View 3 Replies View Related

Nameserver Giving False Results

Mar 25, 2007

Is there any way to avoid getting false name lookups when trying to resolv inexistent domains ? apart from using another nameserver.

I'm sorry if it was posted earlier, tried searching but it didn't help as it gave me large results.

Code:
[root@removed ~]# ping hjkdji284kajgafhj87da778dfsd.com
PING hjkdji284kajgafhj87da778dfsd..com.insertdchere.com (xx.xxx.xxx.xx) 56(84) bytes of data.
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=0 ttl=61 time=1.00 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=1 ttl=61 time=0.952 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=2 ttl=61 time=1.34 ms

View 2 Replies View Related

Spam Test For Outbound False Positive Mail

Jul 9, 2007

I tried a little searching both in Google and on here but this is probably going to be a private or member-based thing anyway.

I've gotten a couple comments that some of my outbound personal mail is ending up in spam folders. I think it's almost completely limited to having Outlook (or Express?) as a client... which I assume doesn't even do network-based lookups. Nonetheless I don't seem to be on any blacklists, and running it through my own spamassassin filter comes up basically zero score. But the fact that more than one person has had the problem concerns me greatly. Also, I haven't seen any significant reason why the content itself would trigger anything.

I realize a public spam test service would basically be a "testing ground" for spammers to evade detection, but there's obviously legitimate uses as well... is there such a tool somewhere? Thanks for any advice. Public information sharing is key to a forum, but PMs are welcome in this case.

View 0 Replies View Related

Server Monitoring - Siteuptime Starting To Give False Alerts

Jun 26, 2008

Being using the free version of siteuptime.com but this month alone i have had so far 3 false alerts reported, i am always in the putty and does not get interrupted, and i am sure i am around on the site too while supposedly siteuptime reports down (i am guessing firewall blocks their server ip for w/e reason). So am wondering is there any really good public tracking site out there which can do public reports more accurately and not kak out on me?

Whats your experience with siteuptime for monitoring if any ? Sometimes it works "ok" other times its just off the charts.

View 9 Replies View Related

Rkhunter

Oct 25, 2009

Since my Centos updated from 5.3 to 5.4 i am getting this "error" with rkhunter.

Warning: Possible promiscuous interfaces:
'ifconfig' command output: UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
'ip' command output: eth1
'ip' command output: eth0

I already ran:
rkhunter --propupd

View 8 Replies View Related

Rkhunter Log

Sep 27, 2007

about my rkhunter`s log. It gives some warnings but i dont know if they are really important ones.

Here are the warnings it gives :

Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Application 'gpg', version '1.2.6', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.7a', is out of date, and possibly a security risk.
Warning: Application 'php', version '4.3.9', is out of date, and possibly a security risk.

I am using plesk and i am using yum update for updating files and scripts. So i dont know how can i update gpg php and openssl. Plus for some time it said like port 2006 is open and possible trojan backdoor. But when i check now it doesnt give any error like that.

if there is any major problem at those logs or not?

if someone also wants i can attach the full rkhunter.log or only warning output rkhunter.log

View 5 Replies View Related

Plesk 11.x / Linux :: False Notification (Maximum Number Of Failed Login Attempts)

Sep 28, 2014

Every time I log on plesk 11.09 I get an email from admin saying that due to maximum number of failed login attempts for admin, the account was blocked for 30 minutes.

First, I do not get failed login attempts, I log in every time.

Two, the account is not blocked, I can log in, out and back in as many times as I want without problem except that I get this email everytime.

View 3 Replies View Related

CHKROOTKIT Or RKHunter

Jul 29, 2009

which of the is better?

CHKROOTKIT or RKHunter?

i want to install and run it via ssh.

View 14 Replies View Related

Rkhunter & Chkrootkit?

Jun 30, 2008

I've honestly never had to worry about protecting myself from exploits until this week, when I found out somebody agined access t othe server using an old script on an old account (teach me to delete client accounts when they leave me, it did!)

I'm working on a new server and going through lots of posts on better securing it, and two things that are suggested is installing chkrootkit and rkhunter, and adding them to the daily cron jobs. Learned how to install and set up the daily script for chkrootkit, but here's what I'd like to do that I'm not sure how to go about, I'd like to a) be notified ONLY if there are changes in the daily scans (especially since there are a couple of false positives I'm aware of) and b) be e-mailed a full report once a week, whether or not there were any changes.

I've got rkhunter installed as well, but I can't seem to find a script that will properly execute it and e-mail it to me. Does anybody have one that works? I'd also like to only get an e-mail if there are changes, except for a once weekly scan result.

View 3 Replies View Related

Run Rkhunter And Got The Following Report

May 30, 2007

I have run rkhunter and got the following report, I have checked everything and seems to be fine. Also, I have run rkhunter --update and didn't help. How can remove this bad messages? Do I need to reinstall the package?

/bin/dmesg [ BAD ]
/bin/env [ BAD ]
/bin/grep [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]

View 6 Replies View Related

Rkhunter Vs. Chkrootkit - Best Way To Run

Dec 31, 2007

A couple days ago, I installed Rkhunter 1.3.0. I updated it, ran it, and put in my my crontab.root

30 23 * * * /usr/local/bin/rkhunter --cronjob > /dev/null

I just finished installing chkrootkit 0.48. I ran it and everything seems fine.

Is there a way to run this as a service?? I ask because in my VPS control panel, the security check still shows that Chkrootkit isn't installed.

Do I put it in the crontab.root file, or does it run as a service?

Also... Does it do the same thing as Rkhunter, or should I have them both installed?

View 1 Replies View Related

Rkhunter 1.3.0 Warnings

Oct 5, 2007

I was testing the new RKHunter 1.3.0, and found a few warnings:

Code:
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
Investigating the logs found this:

Code:
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Same result in two different RHE 4 boxes... just to verify that this is a false positive , do you have the same results in your RHE 4 boxes while running "rkhunter -c" ?

View 2 Replies View Related

Rkhunter Error Messages

Dec 29, 2007

I just ran 'rkhunter -c --quiet' and this is the error messages I got:

Line:
Warning: This operating system is not fully supported!
Line: Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
Some errors has been found while checking. Please perform a manual check on this machine debian

Is this something I should be worried about??

I'm running CentOS 5.

View 6 Replies View Related

How To Know Valunable Applications In Rkhunter

Nov 11, 2007

Im not having a much knowledge of server managing well i have a question rkhunter showing after scan that there is two valunable applications he found but im unable to get the name of these files which are valunable how do i know the name of them ?

View 3 Replies View Related

Windows Equivalent Of Chkrootkit, Rkhunter

Oct 29, 2009

i use those 2 programs for scanning for rootkit programs.

are there any free programs for windows?

View 3 Replies View Related

Rkhunter :: Invalid Option Specified: -cronjob

Sep 18, 2009

Server Detail : Ceontos / Cpanel

i have installed RKhunter several days ago , after installation i`m receving below email everynight

subjectDaily Rkhunter Scan Report
Invalid option specified: -cronjob

View 6 Replies View Related

Rkhunter :: The Internationalisation Directory Does Not Exist

Nov 14, 2008

rkhunter -c
output:
Default logfile will be used (/var/log/rkhunter.log).
Default temporary directory will be used (/usr/local/rkhunter/lib/rkhunter/tmp).
Default database directory will be used (/usr/local/rkhunter/lib/rkhunter/db).
The internationalisation directory does not exist: /usr/local/rkhunter/lib/rkhunter/db/i18n
Centos

View 3 Replies View Related

Security: Rootkit/rkhunter/rootcheck

Aug 24, 2007

For securities purposes whats best to install?

Feel free to suggest any others.

Server is running cpanel

View 4 Replies View Related

Iframe Injection And Rkhunter Warnings

Aug 25, 2007

I have a major problem with injecting iframes into every files (header.php footer.php index.php login.php and vars.php ) on all server account.

Code:
<iframe src='h t t p : / / 8 1 . 9 5 . 1 4 5 . 2 4 0 / g o . p h p ? s i d = 1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
what is the reason and how to fix that ?


and I have the second problem is the rkhunter warnings I am not sure if that have relations with the first problem :
rkhunter results:

Code:
Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/passwd [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lynx [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/kudzu [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/prelink [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/xinetd [ OK ]
/usr/local/bin/perl [ OK ]
/usr/local/bin/rkhunter [ OK ]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
****`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx Rootkit (strings) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing trojan specific checks
Checking for enabled xinetd services [ None found ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]
Checking the network...

Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Checking local startup files for malware [ None found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions...

Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ Warning ]
Checking version of Apache [ Skipped ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ OK ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ OK ]

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 129
Suspect files: 6

Rootkit checks...
Rootkits checked : 114
Possible rootkits: 0

Applications checks...
Applications checked: 8
Suspect applications: 2

The system checks took: 3 minutes and 12 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter.log)

View 5 Replies View Related

Rkhunter :: 'not Found' In Local Files And Unknown For Exim And Php 5.2.5

Apr 11, 2008

how to fix rkhunter from; 'not found' in local files and unknown for exim and php 5.2.5.

System checks
* Allround tests
Checking hostname... Found. Hostname is
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]

* Application version scan
- Exim MTA 4.68 [ Unknown ]
- GnuPG 1.2.6 [ Old or patched version ]
- Apache [unknown] [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 5.2.5 [ Unknown ]
- PHP 5.2.5 [ Unknown ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]

View 4 Replies View Related

Plesk 12.x / Linux :: Enabled Rkhunter To Check System

Sep 20, 2014

I enabled rkhunter in Plesk 12 to check the system weekly. I get a warning now, which I never got in older versions of Plesk:

The current hash function (/usr/bin/sha1sum) or package manager (DPKG) is incompatible with the hash function (Unset) or package manager (Unset) used to store the values. Debian 7.6 x64

View 6 Replies View Related

Plesk 12.x / Linux :: Rkhunter Config - Installation Directory Does Not Exist

Oct 29, 2014

When trying to run rkhunter manually I get the error:

"Installation directory does not exist: /opt/psa"

I haven't changed the install directory setting in the rkhunter config file.

Looking for "default" rkhunter config file?

Or tell me a way to reset / reinstall rkhunter?

View 15 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved