RKHunter gibt Warnung aus

Privateer · Oct 15, 2011

Hab RKHunter installiert und gibt folgende Warnungen aus

PHP:

/usr/sbin/adduser                                        [ Warning ]

PHP:

/usr/bin/ldd                                             [ Warning ]

PHP:

/usr/bin/lwp-request                                     [ Warning ]

PHP:

/bin/which                                               [ Warning ]

PHP:

Performing Linux specific checks
    Checking loaded kernel modules                           [ Warning ]

Was könnte das sein und wie sind die Warnungen zu beheben?

Roger Wilco · Oct 15, 2011

Poste die komplette Ausgabe von rkhunter.

d4f · Oct 15, 2011

Hoechstwahrscheinlich kennt RkHunter nicht den korrekten aktuellen Hash der meisten Dateien.
Imho ist RkHunter uebrigens nicht ansatzweise vertrauenswuerdig wenn es auf dem Produktivsystem und nicht Rescue/readonly Medium lauft. Wenn jemand /bin/bash ersetzen kann kann er auch rkHunter ersetzen der dann sagt "aaaaaaalles perfekt"

GwenDragon · Oct 15, 2011

Wenn du in der Zwischenzeit Updates gemacht hast, ändern sich auch die Prüfsummen der Dateien; rkhunter kennt aber nur die alten oder nach der Installation hast du nicht
rkhunter --propupd --update aufgerufen.

Oder das System ist kompromittiert.

Lord Gurke · Oct 15, 2011

Diese Warnung ist meines Wissens Debian-Typisch, weil unter Debian die beanstandeten Dateien durch eigene Scripte ersetzt werden.
Wenn du dir /usr/sbin/adduser mal mit einem Texteditor ansiehst, wirst du feststellen dass das keine Binary sondern ein Perl-Script ist - das ist auch bereits auf einem frisch installiertem System so.

PapaBaer · Oct 15, 2011

Nope. Auch auf einem Debian läuft rkhunter sauber durch.

Es könnte sein, dass die Warnungen durch ein Update kommen, könnte aber auch ein Angriff sein. Von daher bitte --propupd nur, wenn du dir sicher bist, dass alles mit rechten Dingen zugeht. Sonst machst du zwar deine Warnungen weg, hast aber im Endeffekt nur einen erfolgreichen Angriff autorisiert.

Für genauere Aussagen bitte die ausführliche rkhunter-Meldung. Und wenn du hast, auch die letzten Logs deines Packet-Managers.

Privateer · Oct 15, 2011

PHP:

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /usr/sbin/adduser                                        [ Warning ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/sbin/xinetd                                         [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dpkg                                            [ OK ]
    /usr/bin/dpkg-query                                      [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/GET                                             [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/locate                                          [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/lynx                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mlocate                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                               [ OK ]
    /usr/bin/watch                                           [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/lwp-request                                     [ Warning ]
    /usr/bin/lynx.cur                                        [ OK ]
    /usr/bin/bsd-mailx                                       [ OK ]
    /usr/bin/w.procps                                        [ OK ]
    /usr/bin/tcsh                                            [ OK ]
    /sbin/depmod                                             [ OK ]
    /sbin/fsck                                               [ OK ]
    /sbin/ifconfig                                           [ OK ]
    /sbin/ifdown                                             [ OK ]
    /sbin/ifup                                               [ OK ]
    /sbin/init                                               [ OK ]
    /sbin/insmod                                             [ OK ]
    /sbin/ip                                                 [ OK ]
    /sbin/lsmod                                              [ OK ]
    /sbin/modinfo                                            [ OK ]
    /sbin/modprobe                                           [ OK ]
    /sbin/rmmod                                              [ OK ]
    /sbin/route                                              [ OK ]
    /sbin/runlevel                                           [ OK ]
    /sbin/sulogin                                            [ OK ]
    /sbin/sysctl                                             [ OK ]
    /sbin/syslogd                                            [ OK ]
    /bin/awk                                                 [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                 [ OK ]
    /bin/chmod                                               [ OK ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/csh                                                 [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                               [ OK ]
    /bin/echo                                                [ OK ]
    /bin/ed                                                  [ OK ]
    /bin/egrep                                               [ OK ]
    /bin/fgrep                                               [ OK ]
    /bin/fuser                                               [ OK ]
    /bin/grep                                                [ OK ]
    /bin/ip                                                  [ OK ]
    /bin/kill                                                [ OK ]
    /bin/less                                                [ OK ]
    /bin/login                                               [ OK ]
    /bin/ls                                                  [ OK ]
    /bin/lsmod                                               [ OK ]
    /bin/mktemp                                              [ OK ]
    /bin/more                                                [ OK ]
    /bin/mount                                               [ OK ]
    /bin/mv                                                  [ OK ]
    /bin/netstat                                             [ OK ]
    /bin/ps                                                  [ OK ]
    /bin/pwd                                                 [ OK ]
    /bin/readlink                                            [ OK ]
    /bin/sed                                                 [ OK ]
    /bin/sh                                                  [ OK ]
    /bin/su                                                  [ OK ]
    /bin/touch                                               [ OK ]
    /bin/uname                                               [ OK ]
    /bin/which                                               [ Warning ]
    /bin/tcsh                                                [ OK ]
    /usr/local/etc/rkhunter.conf                             [ OK ]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Not found ]
    Devil RootKit                                            [ Not found ]
    Dica-Kit Rootkit                                         [ Not found ]
    Dreams Rootkit                                           [ Not found ]
    Duarawkz Rootkit                                         [ Not found ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    FreeBSD Rootkit                                          [ Not found ]
    Fu Rootkit                                               [ Not found ]
    Fuck`it Rootkit                                          [ Not found ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Not found ]
    iLLogiC Rootkit                                          [ Not found ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Not found ]
    Lockit / LJK2 Rootkit                                    [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Not found ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Not found ]
    R3dstorm Toolkit                                         [ Not found ]
    RH-Sharpe's Rootkit                                      [ Not found ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Not found ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Not found ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Not found ]
    Suckit Rootkit                                           [ Not found ]
    SunOS Rootkit                                            [ Not found ]
    SunOS / NSDAP Rootkit                                    [ Not found ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Not found ]
    T0rn Rootkit                                             [ Not found ]
    trNkit Rootkit                                           [ Not found ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    X-Org SunOS Rootkit                                      [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]

  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]
  Performing trojan specific checks
    Checking for enabled xinetd services                     [ None found ]
    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ Warning ]
    Checking kernel module names                             [ OK ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ None found ]
    Checking for group file changes                          [ None found ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for SSH configuration file                      [ Found ]
    Checking if SSH root access is allowed                   [ Not allowed ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for running syslog daemon                       [ Found ]
    Checking for syslog configuration file                   [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ None found ]



Checking application versions...

    Checking version of GnuPG                                [ Warning ]
    Checking version of Bind DNS                             [ OK ]
    Checking version of OpenSSL                              [ Warning ]
    Checking version of PHP                                  [ OK ]
    Checking version of Procmail MTA                         [ OK ]
    Checking version of ProFTPD                              [ Warning ]
    Checking version of OpenSSH                              [ Warning ]

Auszug aus RKHunter.log

PHP:

[14:04:35] Running Rootkit Hunter version 1.3.8 on bogis-computer
[14:04:35]
[14:04:35] Info: Start date is Sa 15. Okt 14:04:35 CEST 2011
[14:04:35]
[14:04:35] Checking configuration file and command-line options...
[14:04:35] Info: Detected operating system is 'Linux'
[14:04:35] Info: Found O/S name: Debian 6.0.3
[14:04:35] Info: Command line is /usr/local/bin/rkhunter --check
[14:04:35] Info: Environment shell is /bin/bash; rkhunter is using bash
[14:04:35] Info: Using configuration file '/usr/local/etc/rkhunter.conf'
[14:04:35] Info: Installation directory is '/usr/local'
[14:04:35] Info: Using language 'en'
[14:04:35] Info: Using '/var/lib/rkhunter/db' as the database directory
[14:04:35] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[14:04:35] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin' as the command directories
[14:04:35] Info: Using '/' as the root directory by default
[14:04:36] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[14:04:36] Info: No mail-on-warning address configured
[14:04:36] Info: X will be automatically detected
[14:04:36] Info: Found the 'basename' command: /usr/bin/basename
[14:04:36] Info: Found the 'diff' command: /usr/bin/diff
[14:04:36] Info: Found the 'dirname' command: /usr/bin/dirname
[14:04:36] Info: Found the 'file' command: /usr/bin/file
[14:04:36] Info: Found the 'find' command: /usr/bin/find
[14:04:36] Info: Found the 'ifconfig' command: /sbin/ifconfig
[14:04:36] Info: Found the 'ip' command: /sbin/ip
[14:04:36] Info: Found the 'ldd' command: /usr/bin/ldd
[14:04:36] Info: Found the 'lsattr' command: /usr/bin/lsattr
[14:04:36] Info: Found the 'lsmod' command: /sbin/lsmod
[14:04:36] Info: Found the 'lsof' command: /usr/bin/lsof
[14:04:36] Info: Found the 'mktemp' command: /bin/mktemp
[14:04:36] Info: Found the 'netstat' command: /bin/netstat
[14:04:36] Info: Found the 'perl' command: /usr/bin/perl
[14:04:36] Info: Found the 'pgrep' command: /usr/bin/pgrep
[14:04:36] Info: Found the 'ps' command: /bin/ps
[14:04:36] Info: Found the 'pwd' command: /bin/pwd
[14:04:36] Info: Found the 'readlink' command: /bin/readlink
[14:04:36] Info: Found the 'stat' command: /usr/bin/stat
[14:04:36] Info: Found the 'strings' command: /usr/bin/strings
[14:04:36] Info: System is not using prelinking
[14:04:36] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[14:04:36] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[14:04:36] Info: Stored hash values did not use a package manager
[14:04:36] Info: The hash function field index is set to 1
[14:04:36] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[14:04:36] Info: Previous file attributes were stored
[14:04:36] Info: Enabled tests are: all
[14:04:36] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
[14:04:36] Info: Including user files for file properties check:
[14:04:36]       /usr/local/etc/rkhunter.conf
[14:04:36] Info: All ksyms and kallsyms checks will be skipped - neither file is present on the system.
[14:04:36] Info: Using 'date' to process epoch second times.
[14:04:36] Info: Nothing seems to have changed.
[14:04:36] Info: Locking is not being used
[14:04:36]
[14:04:36] Starting system checks...
[14:04:36]
[14:04:36] Info: Starting test name 'system_commands'
[14:04:36] Checking system commands...
[14:04:36]
[14:04:36] Info: Starting test name 'strings'
[14:04:36] Performing 'strings' command checks
[14:04:37]   Scanning for string /usr/sbin/ntpsx             [ OK ]
[14:04:37]   Scanning for string /usr/sbin/.../bkit-ava      [ OK ]
[14:04:37]   Scanning for string /usr/sbin/.../bkit-d        [ OK ]
[14:04:37]   Scanning for string /usr/sbin/.../bkit-shd      [ OK ]
[14:04:37]   Scanning for string /usr/sbin/.../bkit-f        [ OK ]
[14:04:37]   Scanning for string /usr/include/.../proc.h     [ OK ]
[14:04:37]   Scanning for string /usr/include/.../.bash_history [ OK ]
[14:04:37]   Scanning for string /usr/include/.../bkit-get   [ OK ]
[14:04:37]   Scanning for string /usr/include/.../bkit-dl    [ OK ]
[14:04:37]   Scanning for string /usr/include/.../bkit-screen [ OK ]
[14:04:37]   Scanning for string /usr/include/.../bkit-sleep [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../bkit-adore.o   [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../ls             [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../netstat        [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../lsof           [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shhk [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../bkit-ssh/bkit-pw [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shrs [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../bkit-ssh/bkit-mots [ OK ]
[14:04:37]   Scanning for string /usr/lib/.../uconf.inv      [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../psr            [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../find           [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../pstree         [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../slocate        [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../du             [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../top            [ OK ]
[14:04:38]   Scanning for string /usr/sbin/...               [ OK ]
[14:04:38]   Scanning for string /usr/include/...            [ OK ]
[14:04:38]   Scanning for string /usr/include/.../.tmp       [ OK ]
[14:04:38]   Scanning for string /usr/lib/...                [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../.ssh           [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../bkit-ssh       [ OK ]
[14:04:38]   Scanning for string /usr/lib/.bkit-             [ OK ]
[14:04:38]   Scanning for string /tmp/.bkp                   [ OK ]
[14:04:38]   Scanning for string /tmp/.cinik                 [ OK ]
[14:04:38]   Scanning for string /tmp/.font-unix/.cinik      [ OK ]
[14:04:38]   Scanning for string /lib/.sso                   [ OK ]
[14:04:38]   Scanning for string /lib/.so                    [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/clean      [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/dxr        [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/read       [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../psr            [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../find           [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../pstree         [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../slocate        [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../du             [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../top            [ OK ]
[14:04:38]   Scanning for string /usr/sbin/...               [ OK ]
[14:04:38]   Scanning for string /usr/include/...            [ OK ]
[14:04:38]   Scanning for string /usr/include/.../.tmp       [ OK ]
[14:04:38]   Scanning for string /usr/lib/...                [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../.ssh           [ OK ]
[14:04:38]   Scanning for string /usr/lib/.../bkit-ssh       [ OK ]
[14:04:38]   Scanning for string /usr/lib/.bkit-             [ OK ]
[14:04:38]   Scanning for string /tmp/.bkp                   [ OK ]
[14:04:38]   Scanning for string /tmp/.cinik                 [ OK ]
[14:04:38]   Scanning for string /tmp/.font-unix/.cinik      [ OK ]
[14:04:38]   Scanning for string /lib/.sso                   [ OK ]
[14:04:38]   Scanning for string /lib/.so                    [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/clean      [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/dxr        [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/read       [ OK ]
[14:04:38]   Scanning for string /var/run/...dica/write      [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/lf         [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/xl         [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/xdr        [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/psg        [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/secure     [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/rdx        [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/va         [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/cl.sh      [ OK ]
[14:04:39]   Scanning for string /var/run/...dica/last.log   [ OK ]
[14:04:39]   Scanning for string /usr/bin/.etc               [ OK ]
[14:04:39]   Scanning for string /etc/sshd_config            [ OK ]
[14:04:39]   Scanning for string /etc/ssh_host_key           [ OK ]
[14:04:39]   Scanning for string /etc/ssh_random_seed        [ OK ]
[14:04:39]   Scanning for string /dev/ptyp                   [ OK ]
[14:04:39]   Scanning for string /dev/ptyq                   [ OK ]
[14:04:39]   Scanning for string /dev/ptyr                   [ OK ]
[14:04:39]   Scanning for string /dev/ptys                   [ OK ]
[14:04:39]   Scanning for string /dev/ptyt                   [ OK ]
[14:04:39]   Scanning for string /dev/fd/.88/freshb-bsd      [ OK ]
[14:04:39]   Scanning for string /dev/fd/.88/fresht          [ OK ]
[14:04:39]   Scanning for string /dev/fd/.88/zxsniff         [ OK ]
[14:04:39]   Scanning for string /dev/fd/.88/zxsniff.log     [ OK ]
[14:04:40]   Scanning for string /dev/fd/.99/.ttyf00         [ OK ]
[14:04:40]   Scanning for string /dev/fd/.99/.ttyp00         [ OK ]
[14:04:40]   Scanning for string /dev/fd/.99/.ttyq00         [ OK ]
[14:04:40]   Scanning for string /dev/fd/.99/.ttys00         [ OK ]
[14:04:41]   Scanning for string /dev/.lib/lib/lib/tfn       [ OK ]
[14:04:41]   Scanning for string /dev/.lib/lib/lib/name      [ OK ]
[14:04:41]   Scanning for string /dev/.lib/lib/lib/getip.sh  [ OK ]
[14:04:41]   Scanning for string /usr/info/.torn/sh*         [ OK ]
[14:04:41]   Scanning for string /usr/src/.puta/.1addr       [ OK ]
[14:04:41]   Scanning for string /usr/src/.puta/.1file       [ OK ]
[14:04:41]   Scanning for string /usr/src/.puta/.1proc       [ OK ]
[14:04:42]   Scanning for string /usr/src/.puta/.1logz       [ OK ]
[14:04:42]   Scanning for string /usr/info/.t0rn             [ OK ]
[14:04:42]   Scanning for string /dev/.lib                   [ OK ]
[14:04:42]   Scanning for string /dev/.lib/lib               [ OK ]
[14:04:42]   Scanning for string /dev/.lib/lib/lib           [ OK ]
[14:04:42]   Scanning for string /dev/.lib/lib/lib/dev       [ OK ]
[14:04:42]   Scanning for string /dev/.lib/lib/scan          [ OK ]
[14:04:42]   Scanning for string /usr/src/.puta              [ OK ]
[14:04:42]   Scanning for string /usr/man/man1/man1          [ OK ]
[14:04:42]   Scanning for string /usr/man/man1/man1/lib      [ OK ]
[14:04:42]   Scanning for string /usr/man/man1/man1/lib/.lib [ OK ]
[14:04:42]   Scanning for string /usr/man/man1/man1/lib/.lib/.backup [ OK ]
[14:04:42]
[14:04:42] Info: Starting test name 'shared_libs'
[14:04:42] Performing 'shared libraries' checks
[14:04:42]   Checking for preloading variables               [ None found ]
[14:04:42]   Checking for preloaded libraries                [ None found ]
[14:04:42]
[14:04:42] Info: Starting test name 'shared_libs_path'
[14:04:42]   Checking LD_LIBRARY_PATH variable               [ Not found ]
[14:04:42]
[14:04:42] Info: Starting test name 'properties'
[14:04:42] Performing file properties checks
[14:04:42]   Checking for prerequisites                      [ OK ]
[14:04:46]   /usr/local/bin/rkhunter                         [ OK ]
[14:04:47]   /usr/sbin/adduser                               [ Warning ]
[14:04:47] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable
[14:04:47]   /usr/sbin/chroot                                [ OK ]
[14:04:47]   /usr/sbin/cron                                  [ OK ]
[14:04:48]   /usr/sbin/groupadd                              [ OK ]
[14:04:48]   /usr/sbin/groupdel                              [ OK ]
[14:04:48]   /usr/sbin/groupmod                              [ OK ]
[14:04:48]   /usr/sbin/grpck                                 [ OK ]
[14:04:49]   /usr/sbin/nologin                               [ OK ]
[14:04:49]   /usr/sbin/pwck                                  [ OK ]
[14:04:50]   /usr/sbin/tcpd                                  [ OK ]
[14:04:50]   /usr/sbin/useradd                               [ OK ]
[14:04:50]   /usr/sbin/userdel                               [ OK ]
[14:04:50]   /usr/sbin/usermod                               [ OK ]
[14:04:50]   /usr/sbin/vipw                                  [ OK ]
[14:04:51]   /usr/sbin/xinetd                                [ OK ]
[14:04:51]   /usr/bin/basename                               [ OK ]
[14:04:51]   /usr/bin/chattr                                 [ OK ]
[14:04:51]   /usr/bin/cut                                    [ OK ]
[14:04:52]   /usr/bin/diff                                   [ OK ]
[14:04:52]   /usr/bin/dirname                                [ OK ]
[14:04:52]   /usr/bin/dpkg                                   [ OK ]
[14:04:52]   /usr/bin/dpkg-query                             [ OK ]
[14:04:52]   /usr/bin/du                                     [ OK ]
[14:04:52]   /usr/bin/env                                    [ OK ]
[14:04:52]   /usr/bin/file                                   [ OK ]
[14:04:52]   /usr/bin/find                                   [ OK ]
[14:04:53]   /usr/bin/GET                                    [ OK ]
[14:04:53]   /usr/bin/groups                                 [ OK ]
[14:04:53]   /usr/bin/head                                   [ OK ]
[14:04:53]   /usr/bin/id                                     [ OK ]
[14:04:53]   /usr/bin/killall                                [ OK ]
[14:04:53]   /usr/bin/last                                   [ OK ]
[14:04:54]   /usr/bin/lastlog                                [ OK ]
[14:04:54]   /usr/bin/ldd                                    [ Warning ]
[14:04:54] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[14:04:54]   /usr/bin/less                                   [ OK ]
[14:04:54]   /usr/bin/locate                                 [ OK ]
[14:04:54]   /usr/bin/logger                                 [ OK ]
[14:04:54]   /usr/bin/lsattr                                 [ OK ]
[14:04:54]   /usr/bin/lsof                                   [ OK ]
[14:04:54]   /usr/bin/lynx                                   [ OK ]
[14:04:55]   /usr/bin/mail                                   [ OK ]
[14:04:55]   /usr/bin/md5sum                                 [ OK ]
[14:04:55]   /usr/bin/mlocate                                [ OK ]
[14:04:55]   /usr/bin/newgrp                                 [ OK ]
[14:04:55]   /usr/bin/passwd                                 [ OK ]
[14:04:55]   /usr/bin/perl                                   [ OK ]
[14:04:56]   /usr/bin/pgrep                                  [ OK ]
[14:04:56]   /usr/bin/pstree                                 [ OK ]
[14:04:56]   /usr/bin/runcon                                 [ OK ]
[14:04:56]   /usr/bin/sha1sum                                [ OK ]
[14:04:56]   /usr/bin/sha224sum                              [ OK ]
[14:04:56]   /usr/bin/sha256sum                              [ OK ]
[14:04:57]   /usr/bin/sha384sum                              [ OK ]
[14:04:57]   /usr/bin/sha512sum                              [ OK ]
[14:04:57]   /usr/bin/size                                   [ OK ]
[14:04:57]   /usr/bin/sort                                   [ OK ]
[14:04:57]   /usr/bin/stat                                   [ OK ]
[14:04:57]   /usr/bin/strings                                [ OK ]
[14:04:57]   /usr/bin/sudo                                   [ OK ]
[14:04:58]   /usr/bin/tail                                   [ OK ]
[14:04:58]   /usr/bin/test                                   [ OK ]
[14:04:58]   /usr/bin/top                                    [ OK ]
[14:04:58]   /usr/bin/touch                                  [ OK ]
[14:04:58]   /usr/bin/tr                                     [ OK ]
[14:05:10]   /bin/sh                                         [ OK ]
[14:05:10]   /bin/su                                         [ OK ]
[14:05:10]   /bin/touch                                      [ OK ]
[14:05:10]   /bin/uname                                      [ OK ]
[14:05:11]   /bin/which                                      [ Warning ]
[14:05:11] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
[14:05:11]   /bin/tcsh                                       [ OK ]
[14:05:11]   /usr/local/etc/rkhunter.conf                    [ OK ]
[14:05:49]
[14:05:49] Info: Starting test name 'rootkits'
[14:05:49] Checking for rootkits...
[14:05:49]
[14:05:49] Info: Starting test name 'known_rkts'
[14:05:49] Performing check of known rootkit files and directories
[14:05:49]
[14:05:49] Checking for 55808 Trojan - Variant A...
[14:05:49]   Checking for file '/tmp/.../r'                  [ Not found ]
[14:05:49]   Checking for file '/tmp/.../a'                  [ Not found ]
[14:05:49] 55808 Trojan - Variant A                          [ Not found ]
[14:05:49]
[14:05:49] Checking for ADM Worm...
[14:05:49]   Checking for string 'w0rm'                      [ Not found ]
[14:05:49] ADM Worm                                          [ Not found ]
[14:05:49]
[14:05:49] Checking for AjaKit Rootkit...
[14:05:49]   Checking for file '/dev/tux/.addr'              [ Not found ]
[14:05:49]   Checking for file '/dev/tux/.proc'              [ Not found ]
[14:05:49]   Checking for file '/dev/tux/.file'              [ Not found ]
[14:05:49]   Checking for file '/lib/.libgh-gh/cleaner'      [ Not found ]
[14:05:49]   Checking for file '/lib/.libgh-gh/Patch/patch'  [ Not found ]
[14:05:49]   Checking for file '/lib/.libgh-gh/sb0k'         [ Not found ]
[14:05:49]   Checking for directory '/dev/tux'               [ Not found ]
[14:05:49]   Checking for directory '/lib/.libgh-gh'         [ Not found ]
[14:05:49]   Checking for file '/usr/doc/sys/crond'          [ Not found ]
[14:05:49]   Checking for file '/usr/sbin/kfd'               [ Not found ]
[14:05:49]   Checking for file '/usr/doc/kern/var'           [ Not found ]
[14:05:49]   Checking for file '/usr/doc/kern/string.o'      [ Not found ]
[14:05:50]   Checking for file '/usr/doc/kern/ava'           [ Not found ]
[14:05:50]   Checking for file '/usr/doc/kern/adore.o'       [ Not found ]
[14:05:50]   Checking for file '/var/log/ssh/old'            [ Not found ]
[14:05:50]   Checking for directory '/lib/security/.config/ssh' [ Not found ]
[14:05:50]   Checking for directory '/usr/doc/kern'          [ Not found ]
[14:05:50]   Checking for directory '/usr/doc/backup'        [ Not found ]
[14:05:50]   Checking for directory '/usr/doc/backup/txt'    [ Not found ]
[14:05:50]   Checking for directory '/lib/backup'            [ Not found ]
[14:05:50]   Checking for directory '/lib/backup/txt'        [ Not found ]
[14:05:50]   Checking for directory '/usr/doc/work'          [ Not found ]
[14:05:50]   Checking for directory '/usr/doc/sys'           [ Not found ]
[14:05:50]   Checking for directory '/var/log/ssh'           [ Not found ]
[14:05:50]   Checking for directory '/usr/doc/.spool'        [ Not found ]
[14:05:50]   Checking for directory '/usr/lib/kterm'         [ Not found ]
[14:05:50] Adore Rootkit                                     [ Not found ]
[14:05:50]
[14:05:50] Checking for aPa Kit...
[14:05:50]   Checking for file '/usr/share/.aPa'             [ Not found ]
[14:05:50] aPa Kit                                           [ Not found ]
[14:05:50]
[14:05:50] Checking for Apache Worm...
[14:05:50]   Checking for file '/bin/.log'                   [ Not found ]
[14:05:50] Apache Worm                                       [ Not found ]
[14:05:50]
[14:05:50] Checking for Ambient (ark) Rootkit...
[14:05:50]   Checking for file '/usr/lib/.ark?'              [ Not found ]
[14:05:50]   Checking for file '/dev/ptyxx/.log'             [ Not found ]
[14:05:50]   Checking for file '/dev/ptyxx/.file'            [ Not found ]
[14:05:50]   Checking for file '/dev/ptyxx/.proc'            [ Not found ]
[14:05:50]   Checking for file '/dev/ptyxx/.addr'            [ Not found ]
[14:05:50]   Checking for directory '/dev/ptyxx'             [ Not found ]
[14:05:51] Ambient (ark) Rootkit                             [ Not found ]
[14:05:51]
[14:05:51] Checking for Balaur Rootkit...
[14:05:51]   Checking for file '/usr/lib/liblog.o'           [ Not found ]
[14:05:51]   Checking for directory '/usr/lib/.kinetic'      [ Not found ]
[14:05:51]   Checking for directory '/usr/lib/.egcs'         [ Not found ]
[14:05:51]   Checking for directory '/usr/lib/.wormie'       [ Not found ]
[14:05:51] Balaur Rootkit                                    [ Not found ]
[14:05:51]
[14:05:51] Checking for BeastKit Rootkit...
[14:05:51]   Checking for file '/usr/sbin/arobia'            [ Not found ]
[14:05:51]   Checking for file '/usr/sbin/idrun'             [ Not found ]
[14:05:51]   Checking for file '/usr/lib/elm/arobia/elm'     [ Not found ]
[14:05:51]   Checking for file '/usr/lib/elm/arobia/elm/sd.pp' [ Not found ]
[14:05:51]   Checking for file '/usr/lib/elm/arobia/elm/sdco' [ Not found ]
[14:05:51]   Checking for file '/usr/lib/elm/arobia/elm/srsd' [ Not found ]
[14:05:51]   Checking for directory '/lib/ldd.so/bktools'    [ Not found ]
[14:05:51] BeastKit Rootkit                                  [ Not found ]
[14:05:51]
[14:05:51] Checking for beX2 Rootkit...
[14:05:51]   Checking for file '/usr/info/termcap.info-5.gz' [ Not found ]
[14:05:51]   Checking for file '/usr/bin/sshd2'              [ Not found ]
[14:05:51]   Checking for directory '/usr/include/bex'       [ Not found ]
[14:05:51] beX2 Rootkit                                      [ Not found ]
[14:05:51]
[14:05:51] Checking for BOBKit Rootkit...
[14:05:51]   Checking for file '/usr/sbin/ntpsx'             [ Not found ]
[14:05:51]   Checking for file '/usr/sbin/.../bkit-ava'      [ Not found ]
[14:05:52]   Checking for file '/usr/sbin/.../bkit-d'        [ Not found ]
[14:05:52]   Checking for file '/usr/sbin/.../bkit-shd'      [ Not found ]
[14:05:52]   Checking for file '/usr/sbin/.../bkit-f'        [ Not found ]
[14:05:52]   Checking for file '/usr/include/.../proc.h'     [ Not found ]
[14:05:52]   Checking for file '/usr/include/.../.bash_history' [ Not found ]
[14:05:52]   Checking for file '/usr/include/.../bkit-get'   [ Not found ]
[14:05:52]   Checking for file '/usr/include/.../bkit-dl'    [ Not found ]
[14:05:52]   Checking for file '/usr/include/.../bkit-screen' [ Not found ]
[14:05:52]   Checking for file '/usr/include/.../bkit-sleep' [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../bkit-adore.o'   [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../ls'             [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../netstat'        [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../lsof'           [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../bkit-ssh/bkit-shdcfg' [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../bkit-ssh/bkit-shhk' [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../bkit-ssh/bkit-pw' [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../bkit-ssh/bkit-shrs' [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../bkit-ssh/bkit-mots' [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../uconf.inv'      [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../psr'            [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../find'           [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../pstree'         [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../slocate'        [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../du'             [ Not found ]
[14:05:52]   Checking for file '/usr/lib/.../top'            [ Not found ]
[14:05:52]   Checking for directory '/usr/sbin/...'          [ Not found ]
[14:05:53]   Checking for directory '/usr/include/...'       [ Not found ]
[14:05:53]   Checking for directory '/usr/include/.../.tmp'  [ Not found ]
[14:05:53]   Checking for directory '/usr/lib/...'           [ Not found ]
[14:05:53]   Checking for directory '/usr/lib/.../.ssh'      [ Not found ]
[14:05:53]   Checking for directory '/usr/lib/.../bkit-ssh'  [ Not found ]
[14:05:53]   Checking for directory '/usr/lib/.bkit-'        [ Not found ]
[14:05:53]   Checking for directory '/tmp/.bkp'              [ Not found ]
[14:05:53] BOBKit Rootkit                                    [ Not found ]
[14:05:53]
[14:05:53] Checking for cb Rootkit...
[14:06:01]
[14:06:01] Checking for GasKit Rootkit...
[14:06:01]   Checking for file '/dev/dev/gaskit/sshd/sshdd'  [ Not found ]
[14:06:01]   Checking for directory '/dev/dev'               [ Not found ]
[14:06:01]   Checking for directory '/dev/dev/gaskit'        [ Not found ]
[14:06:01]   Checking for directory '/dev/dev/gaskit/sshd'   [ Not found ]
[14:06:01] GasKit Rootkit                                    [ Not found ]
[14:06:01]
[14:06:01] Checking for Heroin LKM...
[14:06:01]   Checking for kernel symbol 'heroin'             [ Skipped ]
[14:06:01] Heroin LKM                                        [ Not found ]
[14:06:01]
[14:06:01] Checking for HjC Kit...
[14:06:01]   Checking for directory '/dev/.hijackerz'        [ Not found ]
[14:06:01] HjC Kit                                           [ Not found ]
[14:06:01]
[14:06:03] Checking for IntoXonia-NG Rootkit...
[14:06:03]   Checking for kernel symbol 'funces'             [ Skipped ]
[14:06:03]   Checking for kernel symbol 'ixinit'             [ Skipped ]
[14:06:03]   Checking for kernel symbol 'tricks'             [ Skipped ]
[14:06:04]   Checking for kernel symbol 'kernel_unlink'      [ Skipped ]
[14:06:04]   Checking for kernel symbol 'rootme'             [ Skipped ]
[14:06:04]   Checking for kernel symbol 'hide_module'        [ Skipped ]
[14:06:04]   Checking for kernel symbol 'find_sys_call_tbl'  [ Skipped ]
[14:06:04] IntoXonia-NG Rootkit                              [ Not found ]
[14:06:04]
[14:06:04] Checking for Irix Rootkit...
[14:06:25]
[14:06:25] Checking for Vampire Rootkit...
[14:06:25]   Checking for kernel symbol 'new_getdents'       [ Skipped ]
[14:06:25]   Checking for kernel symbol 'old_getdents'       [ Skipped ]
[14:06:25]   Checking for kernel symbol 'should_hide_file_name' [ Skipped ]
[14:06:25]   Checking for kernel symbol 'should_hide_task_name' [ Skipped ]
[14:06:25] Vampire Rootkit                                   [ Not found ]
[14:06:27] Info: Starting test name 'additional_rkts'
[14:06:27] Performing additional rootkit checks
[14:06:27]
[14:06:27]   Performing Suckit Rookit additional checks
[14:06:27]     Checking hard link count on '/sbin/init'      [ OK ]
[14:06:27]     Checking for hidden file extensions           [ None found ]
[14:06:27]     Running skdet command                         [ Skipped ]
[14:06:28] Info: Unable to find the 'skdet' command
[14:06:28]   Suckit Rookit additional checks                 [ OK ]
[14:06:47]
[14:06:47]   Checking for software intrusions                [ Skipped ]
[14:06:47] Info: Check skipped - tripwire not installed
[14:06:47]
[14:06:47]   Performing check for sniffer log files
[14:06:47]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[14:06:47]     Checking for file '/dev/prom/sn.l'            [ Not found ]
[14:06:47]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
[14:06:47]   Checking for sniffer log files                  [ None found ]
[14:06:47]
[14:06:47] Info: Starting test name 'trojans'
[14:06:47] Performing trojan specific checks
[14:06:47]   Checking for enabled inetd services             [ Skipped ]
14:06:48] Performing Linux specific checks
[14:06:48]   Checking loaded kernel modules                  [ Warning ]
[14:06:48] Warning: No output found from the lsmod command or the /proc/modules file:
[14:06:48]          /proc/modules output:
[14:06:48]          lsmod output:
[14:06:48] Info: Using modules pathname of '/lib/modules/2.6.32-028stab091.2'
[14:06:48]   Checking kernel module names                    [ OK ]
[14:07:25]
[14:07:25] Info: Starting test name 'network'
[14:07:25] Checking the network...
14:07:27]     Checking for TCP port 62883                   [ Not found ]
[14:07:27]     Checking for TCP port 65535                   [ Not found ]
[14:07:27]   Checking for backdoor ports                     [ None found ]
[14:07:27]
[14:07:27] Info: Test 'hidden_ports' disabled at users request.
[14:07:27]
[14:07:27] Performing checks on the network interfaces
[14:07:27] Info: Starting test name 'promisc'
[14:07:27]   Checking for promiscuous interfaces             [ None found ]
[14:07:27]
[14:07:27] Info: Test 'packet_cap_apps' disabled at users request.
[14:07:27]
[14:07:27] Info: Starting test name 'local_host'
[14:07:27] Checking the local host...
[14:07:27]
[14:07:27] Info: Starting test name 'startup_files'
[14:07:27] Performing system boot checks
[14:07:27]   Checking for local host name                    [ Found ]
[14:07:27]
[14:07:27] Info: Starting test name 'startup_malware'
[14:07:27]   Checking for system startup files               [ Found ]
[14:07:29]   Checking system startup files for malware       [ None found ]
[14:07:29]
[14:07:29] Info: Starting test name 'group_accounts'
[14:07:30] Performing group and account checks
[14:07:30]   Checking for passwd file                        [ Found ]
[14:07:30] Info: Found password file: /etc/passwd
[14:07:30]   Checking for root equivalent (UID 0) accounts   [ None found ]
[14:07:30] Info: Found shadow file: /etc/shadow
[14:07:30]   Checking for passwordless accounts              [ None found ]
[14:07:30]
[14:07:30] Info: Starting test name 'passwd_changes'
[14:07:30]   Checking for passwd file changes                [ None found ]
[14:07:30]
[14:07:30] Info: Starting test name 'group_changes'
[14:07:30]   Checking for group file changes                 [ None found ]
[14:07:30]   Checking root account shell history files       [ OK ]
[14:07:30]
[14:07:30] Info: Starting test name 'system_configs'
[14:07:30] Performing system configuration file checks
[14:07:30]   Checking for SSH configuration file             [ Found ]
[14:07:30] Info: Found SSH configuration file: /etc/ssh/sshd_config
[14:07:30] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[14:07:30] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[14:07:30]   Checking if SSH root access is allowed          [ Not allowed ]
[14:07:30]   Checking if SSH protocol v1 is allowed          [ Not allowed ]
[14:07:30]   Checking for running syslog daemon              [ Found ]
[14:07:30] Info: Found syslog configuration file: /etc/syslog.conf
[14:07:30]   Checking for syslog configuration file          [ Found ]
[14:07:30]   Checking if syslog remote logging is allowed    [ Not allowed ]
[14:07:30]   Checking if syslog remote logging is allowed    [ Not allowed ]
[14:07:30]
[14:07:30] Info: Starting test name 'filesystem'
[14:07:30] Performing filesystem checks
[14:07:31] Info: SCAN_MODE_DEV set to 'THOROUGH'
[14:07:31]   Checking /dev for suspicious file types         [ Warning ]
[14:07:31] Warning: Suspicious file types found in /dev:
[14:07:31]          /dev/shm/7gbhujb54g8z9hu43jre8: data
[14:07:31]   Checking for hidden files and directories       [ None found ]
[14:07:53]
[14:07:53] Info: Starting test name 'apps'
[14:07:53] Checking application versions...
[14:07:53] Info: Application 'exim' not found.
[14:07:53]   Checking version of GnuPG                       [ Warning ]
[14:07:53] Warning: Application 'gpg', version '1.4.10', is out of date, and possibly a security risk.
[14:07:53] Info: Application 'httpd' not found.
[14:07:53]   Checking version of Bind DNS                    [ OK ]
[14:07:53] Info: Application 'named' version '9.7.3' found.
[14:07:53]   Checking version of OpenSSL                     [ Warning ]
[14:07:53] Warning: Application 'openssl', version '0.9.8o', is out of date, and possibly a security risk.
[14:07:53]   Checking version of PHP                         [ OK ]
[14:07:53] Info: Application 'php' version '5.3.3' found.
[14:07:53]   Checking version of Procmail MTA                [ OK ]
[14:07:53] Info: Application 'procmail' version '3.22' found.
[14:07:53]   Checking version of ProFTPD                     [ Warning ]
[14:07:53] Warning: Application 'proftpd', version '1.3.3a', is out of date, and possibly a security risk.
[14:07:54]   Checking version of OpenSSH                     [ Warning ]
[14:07:54] Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
[14:07:54] Info: Applications checked: 7 out of 9
[14:07:54] Warning: Application 'sshd', version '5.5p1', is out of date, and possibly a security risk.
[14:07:54] Info: Applications checked: 7 out of 9
[14:07:54]
[14:07:54] System checks summary
[14:07:54] =====================
[14:07:54]
[14:07:54] File properties checks...
[14:07:54] Files checked: 139
[14:07:54] Suspect files: 4
[14:07:54]
[14:07:54] Rootkit checks...
[14:07:54] Rootkits checked : 247
[14:07:54] Possible rootkits: 0
[14:07:54]
[14:07:54] Applications checks...
[14:07:54] Applications checked: 7
[14:07:54] Suspect applications: 4
[14:07:54]
[14:07:54] The system checks took: 3 minutes and 18 seconds
[14:07:54]
[14:07:54] Info: End date is Sa 15. Okt 14:07:54 CEST 2011

Wegen den Fehlermeldungen bin ich jetzt ziemlich unsicher geworden, das System läuft erst seit einigen Tagen ist also fast frisch aufgesetzt. Derzeit ist Virtualmin, Usermin und Webmin, sowie TS3 installiert. Die Updates werden von mir manuell fast täglich durchgeführt

PapaBaer · Oct 15, 2011

Lief rkhunter jemals sauber durch? Wie hast du rkhunter installiert?

Privateer · Oct 15, 2011

rkhunter lief gleich nach der ersten Installation nicht fehlerfrei durch. Installiert habe ich rkhunter nach der Beschreibung nach von der offiziellen Website. Anhang von In und Ausgangstraffic konnte ich keine aussergewöhnliche Aktivität feststellen und sonst läuft der Server auch rund, NUR eben diese rkhunterfehlermeldungen machen mir Sorgen.
Wie würdet ihr die Gefahr einschätzen und wie verfährt man am besten weiter?

...ps. ist echt ein Spitzenforum in dem einen wirklich geholfen wird!

PapaBaer · Oct 16, 2011

Privateer said:
Installiert habe ich rkhunter nach der Beschreibung nach von der offiziellen Website.

Dann nehme ich mal an, dass du nicht die Version von Debian aus dem Paket-Manager genommen hast? Unter den Umständen hat Lord Gurke wohl recht. Und da es noch nie sauber lief, sagen die Warnungen alles und nix aus.

Ich würde nochmal rkhunter aus dem Debian-Repo installieren. Wäre schon besser, wenn es wenigstens einmal sauber läuft.

noci · Nov 10, 2012

bei mir das gleiche

Hi,

ich schreibe hier nur weil ich ebenfalls die gleichen - also fast alle - Meldungen mit rkhunter bekommen habe nachdem ich teamspeak installiert hatte. Da ich am Vortag bevor ich ts3 installiert hatte auch einen rkhunter check machte und da nichts zu sehen war bin ich jetzt schon etwas ....nachdenklich darüber geworden. Da ich gelesen habe das Du auch ts installiert hast, wollte ich das hier mal anmerken. Ich glaube nicht das rkhunter in dem Fall spinnt. Und eigentlich nicht gleich nachdem ich ts installiert hatte sondern erst nachdem ich mal die clients zuhause getestet hatte. Die Uhrzeit stimmte mit den Änderungen der Datein überein. Keine Idee was das soll oder so aber ich installiere die Kiste neu.

lg. noci

chris4000 · Nov 11, 2012

rkhunter und chkrootkit sind wenig zuverlässig. Vor allem gibt es genug Rootkits, die sie nicht kennen und deshalb auch nicht erkennen können!

d4f · Nov 11, 2012

Sie aus einem laufenden System zu starten ist eh sinnlos. Der Angreifer muss nur rkhunter durch eine Binary ersetzen welche immer sagt "aaaaaalles ok"
Primärer Einsatz ist Validierung der binary mit Fingerprints von trusted binaries aus einem Rescue-System um Unterschiede und somit potentielle Einbrüche zu erkennen. Und das tut es recht erfolgreich.

Es gibt immer Methoden rkhunter trotzdem zu umgehen aber die gibt es immer.

RKHunter gibt Warnung aus

Privateer

New Member

Roger Wilco

Active Member

d4f

Kaffee? Wo?

GwenDragon

Registered User

Lord Gurke

Nur echt mit 32 Zähnen

PapaBaer

Registered User

Privateer

New Member

PapaBaer

Registered User

Privateer

New Member

PapaBaer

Registered User

noci

New Member

chris4000

Member

d4f

Kaffee? Wo?

We value your privacy