Rootkit Hunter warnings

NM78

New Member
I have put a new server into operation (SuSE 11, Plesk 9.0.1, Opteron 4 cores, 8GB, 1GB HD RAID1) and ran the security scan with Watchdog. It produced a few warnings from RKHunter (plus an e-mail asking me to check them).

Here is the log (I deleted the lines that were OK):

Code:
[ Rootkit Hunter version 1.3.4 ]
 
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
[ Rootkit Hunter version 1.3.4 ]
 
Checking system commands...
 
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
 
Performing file properties checks
Checking for prerequisites [ Warning ]
/usr/bin/ldd [ Warning ]
/sbin/chkconfig [ Warning ]
/sbin/ifup [ Warning ]
 
Checking for rootkits...
 
Performing trojan specific checks
Checking for enabled xinetd services [ Warning ]
 
Performing Linux specific checks
Checking loaded kernel modules [ Warning ]
 
Checking the network...
 
Checking the local host...
 
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
 
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ OK ]
 
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
 
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
 
 
System checks summary
=====================
 
File properties checks...
Required commands check failed
Files checked: 130
Suspect files: 3
 
Rootkit checks...
Rootkits checked : 112
Possible rootkits: 0
 
Applications checks...
Applications checked: 6
Suspect applications: 0
 
The system checks took: 1 minute and 9 seconds
 
All results have been written to the logfile (/var/log/rkhunter.log)
 
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

How can that be? The server is brand new and already insecure?

I can't make sense of the "Checking if SSH root access is allowed" note, because I have already set permit_root_login to no in the SSH config. :confused:
 
Here is the rkhunter.log itself, without the parts where nothing was found:

Code:
[08:27:54] Running Rootkit Hunter version 1.3.4 on s12345678
[08:27:54]
[08:27:54] Info: Start date is Di 28. Apr 08:27:54 CEST 2009
[08:27:54]
[08:27:54] Checking configuration file and command-line options...
[08:27:54] Info: Detected operating system is 'Linux'
[08:27:54] Info: Uname output is 'Linux s12345678.server123456.de 2.6.27.21rootserver-20090324a #1 SMP Tue Mar 24 04:59:16 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux'
[08:27:54] Info: Command line is /usr/local/psa/admin/sbin/modules//watchdog/rkhunter -c --nocolors --configfile /usr/local/psa/etc/modules/watchdog/rkhunter.conf --createlogfile
[08:27:54] Info: Environment shell is /bin/bash; rkhunter is using bash
[08:27:54] Info: Using configuration file '/usr/local/psa/etc/modules/watchdog/rkhunter.conf'
[08:27:54] Info: Installation directory is '/usr/local/psa'
[08:27:54] Info: Using language 'en'
[08:27:54] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db' as the database directory
[08:27:54] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/rkhunter/scripts' as the support script directory
[08:27:54] Info: Using '/usr/local/psa/admin/bin/modules/watchdog /usr/local/bin /usr/local/sbin /bin /sbin /usr/bin /usr/sbin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[08:27:54] Info: Using '/' as the root directory by default
[08:27:54] Info: Using '/usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/tmp' as the temporary directory
[08:27:54] Info: Emailing warnings to 'email@server123456.de' using command '/bin/mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
[08:27:54] Info: X will be automatically detected
[08:27:54] Info: Found the 'diff' command: /usr/bin/diff
[08:27:55] Info: Found the 'file' command: /usr/bin/file
[08:27:55] Info: Found the 'find' command: /usr/bin/find
[08:27:55] Info: Found the 'ifconfig' command: /sbin/ifconfig
[08:27:55] Info: Found the 'ip' command: /bin/ip
[08:27:55] Info: Found the 'ldd' command: /usr/bin/ldd
[08:27:55] Info: Found the 'lsattr' command: /usr/bin/lsattr
[08:27:55] Info: Found the 'lsmod' command: /bin/lsmod
[08:27:55] Info: Found the 'lsof' command: /usr/bin/lsof
[08:27:55] Info: Found the 'mktemp' command: /bin/mktemp
[08:27:55] Info: Found the 'netstat' command: /bin/netstat
[08:27:55] Info: Found the 'perl' command: /usr/bin/perl
[08:27:55] Info: Found the 'ps' command: /bin/ps
[08:27:55] Info: Found the 'pwd' command: /bin/pwd
[08:27:55] Info: Found the 'readlink' command: /usr/bin/readlink
[08:27:55] Info: Found the 'sort' command: /bin/sort
[08:27:55] Info: Found the 'stat' command: /usr/bin/stat
[08:27:55] Info: Found the 'strings' command: /usr/bin/strings
[08:27:55] Info: Found the 'uniq' command: /usr/bin/uniq
[08:27:55] Info: System is not using prelinking
[08:27:55] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[08:27:55] Info: The hash function field index is set to 1
[08:27:55] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[08:27:55] Info: Previous file attributes were stored
[08:27:55] Info: Enabled tests are: all
[08:27:55] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps
[08:27:55] Info: Found ksym file '/proc/kallsyms'
[08:27:55]
[08:27:55] Starting system checks...
[08:27:55]
[08:27:55] Checking system commands...
[08:27:55] Info: Starting test name 'system_commands'
[08:27:55]
[08:27:55] Performing 'strings' command checks
[08:27:56] Info: Starting test name 'strings'
[08:28:00]
[08:28:00] Performing 'shared libraries' checks
[08:28:00] Info: Starting test name 'shared_libs'
[08:28:00] Checking for preloading variables [ None found ]
[08:28:00] Checking for preload file [ Not found ]
[08:28:00] Info: Starting test name 'shared_libs_path'
[08:28:00] Checking LD_LIBRARY_PATH variable [ Not found ]
[08:28:00]
[08:28:00] Performing file properties checks
[08:28:00] Info: Starting test name 'properties'
[08:28:00] Warning: Checking for prerequisites [ Warning ]
[08:28:00] The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
[08:28:00]
[08:28:00] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
[08:28:05] /usr/bin/lastlog [ OK ]
[08:28:05] /usr/bin/ldd [ Warning ]
[08:28:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
[08:28:06] /usr/bin/passwd [ OK ]
[08:28:06] Info: Found file '/usr/bin/passwd': it is whitelisted for the 'file immutable-bit' check.
[08:28:08] /usr/bin/whatis [ OK ]
[08:28:08] Info: Found file '/usr/bin/whatis': it is whitelisted for the 'script replacement' check.
[08:28:08] /sbin/checkproc [ OK ]
[08:28:08] /sbin/chkconfig [ Warning ]
[08:28:08] Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
[08:28:08] /sbin/depmod [ OK ]
[08:28:09] /sbin/ifup [ Warning ]
[08:28:09] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
[08:28:09] /sbin/init [ OK ]
[08:28:09] Info: Found file '/sbin/init': it is whitelisted for the 'file immutable-bit' check.
[08:28:10] /usr/sbin/xinetd [ OK ]
[08:28:11]
[08:28:11] Checking for rootkits...
[08:28:11] Info: Starting test name 'rootkits'
[08:28:11]
[08:28:11] Performing check of known rootkit files and directories
[08:28:11] Info: Starting test name 'known_rkts'
[08:28:53]
[08:28:53] Performing check for enabled xinetd services
[08:28:53] Info: Using xinetd configuration file '/etc/xinetd.conf'
[08:28:53] Checking '/etc/xinetd.conf' for enabled services [ None found ]
[08:28:53] Found 'includedir /etc/xinetd.d' directive
[08:28:54] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[08:28:54] Checking '/etc/xinetd.d/netstat' for enabled services [ None found ]
[08:28:54] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[08:28:54] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[08:28:54] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[08:28:55] Checking for enabled xinetd services [ Warning ]
[08:28:55] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[08:28:55] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[08:28:55] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[08:28:55] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[08:28:55] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[08:28:55]
[08:28:55] Performing Linux specific checks
[08:28:55] Info: Starting test name 'os_specific'
[08:28:55] Checking loaded kernel modules [ Warning ]
[08:28:55] Warning: No output found from the lsmod command or the /proc/modules file:
[08:28:55] /proc/modules output: 
[08:28:55] lsmod output: 
[08:28:55] Info: Using modules pathname of '/lib/modules/2.6.27.21rootserver-20090324a'
[08:28:55] Checking kernel module names [ OK ]
[08:28:55]
[08:28:59]
[08:28:59] Performing group and account checks
[08:28:59] Info: Starting test name 'group_accounts'
[08:28:59] Checking for passwd file [ Found ]
[08:28:59] Info: Found password file: /etc/passwd
[08:28:59] Checking for root equivalent (UID 0) accounts [ None found ]
[08:28:59] Info: Found shadow file: /etc/shadow
[08:28:59] Checking for passwordless accounts [ None found ]
[08:29:00] Info: Starting test name 'passwd_changes'
[08:29:00] Checking for passwd file changes [ Warning ]
[08:29:00] Warning: Users have been added to the passwd file:
[08:29:00] 123456ftp:x:10001:2523::/srv/www/vhosts/server12345.de:/bin/false
[08:29:00] Info: Starting test name 'group_changes'
[08:29:00] Checking for group file changes [ Warning ]
[08:29:00] Warning: Groups have been added to the group file:
[08:29:00] dialout:x:16:popuser,mhandlers-user,alias,qmaild,qmaill,qmailp,qmailq,qmailr,qmails,sw-cp-server,psaftp,psaadm,123456ssh,123456ftp
[08:29:00] video:x:33:popuser,mhandlers-user,alias,qmaild,qmaill,qmailp,qmailq,qmailr,qmails,sw-cp-server,psaftp,psaadm,123456ssh,123456ftp
[08:29:00] Warning: Groups have been removed from the group file:
[08:29:00] dialout:x:16:popuser,mhandlers-user,alias,qmaild,qmaill,qmailp,qmailq,qmailr,qmails,sw-cp-server,psaftp,psaadm,123456ssh
[08:29:00] video:x:33:popuser,mhandlers-user,alias,qmaild,qmaill,qmailp,qmailq,qmailr,qmails,sw-cp-server,psaftp,psaadm,123456ssh
[08:29:00] Checking root account shell history files [ OK ]
[08:29:00]
[08:29:00] Performing system configuration file checks
[08:29:00] Info: Starting test name 'system_configs'
[08:29:00] Checking for SSH configuration file [ Found ]
[08:29:00] Info: Found SSH configuration file: /etc/ssh/sshd_config
[08:29:00] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
[08:29:00] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '2'.
[08:29:00] Checking if SSH root access is allowed [ Warning ]
[08:29:01] Warning: The SSH and rkhunter configuration options should be the same:
[08:29:01] SSH configuration option 'PermitRootLogin': no
[08:29:01] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[08:29:01] Checking if SSH protocol v1 is allowed [ Not allowed ]
[08:29:01] Checking for running syslog daemon [ Found ]
[08:29:01] Checking for syslog configuration file [ Found ]
[08:29:01] Info: Found syslog configuration file: /etc/syslog-ng/syslog-ng.conf
[08:29:01] Checking if syslog remote logging is allowed [ Not allowed ]
[08:29:01]
[08:29:01] Performing filesystem checks
[08:29:01] Info: Starting test name 'filesystem'
[08:29:01] Info: SCAN_MODE_DEV set to 'THOROUGH'
[08:29:02] Checking /dev for suspicious file types [ Warning ]
[08:29:02] Warning: Suspicious file types found in /dev:
[08:29:02] /dev/shm/sysconfig/ifup-eth0: ASCII text
[08:29:02] /dev/shm/sysconfig/if-eth0: ASCII text
[08:29:02] /dev/shm/sysconfig/ifup-lo: ASCII text
[08:29:02] /dev/shm/sysconfig/if-lo: ASCII text
[08:29:02] /dev/shm/sysconfig/network: ASCII text
[08:29:02] /dev/shm/sysconfig/config-lo: ASCII text
[08:29:02] /dev/shm/sysconfig/config-eth0: ASCII text
[08:29:02] /dev/shm/sysconfig/new-stamp-2: ASCII text
[08:29:02] /dev/shm/sysconfig/new-stamp-3: ASCII text
[08:29:02] Checking for hidden files and directories [ Warning ]
[08:29:02] Warning: Hidden directory found: /dev/.udev
[08:29:02]
[08:29:02] Checking application versions...
[08:29:02] Info: Starting test name 'apps'
[08:29:03] Info: Application 'exim' not found.
[08:29:03] Checking version of GnuPG [ OK ]
[08:29:03] Info: Application 'gpg' version '2.0.9' found.
[08:29:03] Info: Application 'httpd' not found.
[08:29:03] Checking version of Bind DNS [ OK ]
[08:29:03] Info: Application 'named' version '9.4.2' found.
[08:29:03] Checking version of OpenSSL [ OK ]
[08:29:03] Info: Application 'openssl' version '0.9.8g' found.
[08:29:03] Checking version of PHP [ OK ]
[08:29:03] Info: Application 'php' version '5.2.9' found.
[08:29:03] Info: Application 'procmail' not found.
[08:29:04] Checking version of ProFTPd [ OK ]
[08:29:04] Info: Application 'proftpd' version '1.3.1' found.
[08:29:04] Checking version of OpenSSH [ OK ]
[08:29:04] Info: Application 'sshd' version '5.0p1' found.
[08:29:04] Info: Applications checked: 6 out of 9
[08:29:04]
[08:29:04] System checks summary
[08:29:04] =====================
[08:29:04]
[08:29:04] File properties checks...
[08:29:04] Required commands check failed
[08:29:04] Files checked: 130
[08:29:04] Suspect files: 3
[08:29:04]
[08:29:04] Rootkit checks...
[08:29:04] Rootkits checked : 112
[08:29:04] Possible rootkits: 0
[08:29:04]
[08:29:04] Applications checks...
[08:29:04] Applications checked: 6
[08:29:04] Suspect applications: 0
[08:29:04]
[08:29:04] The system checks took: 1 minute and 9 seconds
[08:29:04]
[08:29:04] Info: End date is Di 28. Apr 08:29:04 CEST 2009

To me it looks more like the changes being flagged were made by Plesk. So why does rkhunter still complain?
 
Because rkhunter doesn't know that this is OK ;) That's also why it's only a Warning and not a Critical or anything like that. But everything looks fine on your system :)
 
Because rkhunter doesn't know that this is OK ;) That's also why it's only a Warning and not a Critical or anything like that.

Well, because I thought RKHunter (which ships as a Plesk module) really ought to know about that.

Great, thanks for the help!
 
Well, now I'm almost reassured.
This morning I had an almost identical rk-log on my 3-day-old server, which led me to spend hours searching the web for solutions. Maybe I should have looked here right away, it would have saved a lot of time :mad:
The difference in my case, however, is the following line:

Code:
[09:39:23] Warning: Found passwordless account: sshd

Is this a security-critical issue? Of course I immediately tried whether I could "exploit" it somehow, but I'm no hacker. I didn't manage anything. Which doesn't mean anything, though. I didn't even know such an account had been created at all, let alone by whom. There's nothing about it in YaST.

Maybe someone can give me a tip as to what this is about?

Greetz
BS
 
When something changes on the system, e.g. you run a system update that also updates the checked commands, you have to tell rkhunter about it:

Code:
rkhunter --propupd

Important: also note the following section from the rkhunter log file:

[08:28:00] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
 
I know, I read that too. But it was a freshly installed system that had been running on its own for a few days without anyone touching it, and at least I hadn't laid a finger on it yet. It doesn't really help if I store the files of a possibly compromised system in a DB just so the message stays away next time :) So I'd rather try to clear up the inconsistencies first and only then create the rkhunter.dat.

The question remains for me, though, what the sshd account is actually for.

Greetz
BS
 
The sshd account is needed so that certain parts of the sshd process that do not require root privileges can run as an unprivileged user.
It should not be possible to log in as this user, which is ensured on several levels:
  1. The user has "/bin/false" entered as its shell
  2. in /etc/passwd the password field is set to "x"
  3. and in /etc/shadow the shadow password is likewise locked with either "x" or "!"
Code:
grep sshd /etc/passwd /etc/shadow
/etc/passwd:sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
/etc/shadow:sshd:!:12524:0:99999:7:::
Since RK-Hunter complained about a missing password, you should check whether that is actually the case, change it, and if possible find out why it was like that.
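As an added example (not code from the thread or from rkhunter itself), here is a small script that reproduces the "passwordless account" check and the three-layer lock-down described in the answer above, run against constructed /etc/passwd and /etc/shadow content; the sshd shadow line is deliberately left with an empty password field, as on the poster's system.

```shell
#!/bin/sh
# Added example, not from the thread: check passwd/shadow content the way
# rkhunter's group_accounts test does, plus the lock-down layers named above.
# Sample data is constructed; the sshd shadow entry has an empty password field.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
popuser:x:110:31:POP3 user:/var/mail:/bin/false
webuser:x:10001:2523::/srv/www/vhosts/example:/bin/bash'

SHADOW_SAMPLE='root:$6$constructed$hash1:12524:0:99999:7:::
sshd::12524:0:99999:7:::
popuser:!:12524:0:99999:7:::
webuser:$6$constructed$hash2:12524:0:99999:7:::'

# Accounts whose shadow password field (field 2) is empty. This is what
# rkhunter reports as "Found passwordless account".
passwordless_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}

# Service accounts that have a non-login shell in passwd (layer 1) but whose
# shadow entry is not locked with "!", "*" or "x" (layer 3 missing).
unlocked_nologin_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$7 == "/bin/false" || $7 ~ /nologin$/ { print $1 }' |
    while read -r user; do
        printf '%s\n' "$SHADOW_SAMPLE" |
            awk -F: -v u="$user" '$1 == u && $2 !~ /^[!*x]/ { print $1 }'
    done
}

# Rewrite one shadow line so its password field is locked with "!", which is
# the fix the poster applied by hand (equivalent to 'passwd -l sshd').
lock_shadow_line() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" } { $2 = "!"; print }'
}

# Stand-alone run: report findings on the constructed data.
echo "passwordless: $(passwordless_accounts)"
echo "nologin but unlocked: $(unlocked_nologin_accounts)"
echo "fixed line: $(lock_shadow_line 'sshd::12524:0:99999:7:::')"
```

Run against the real files by replacing the two sample variables with `cat /etc/passwd` and `cat /etc/shadow` output (the latter needs root).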
 
Thanks!

I checked: the first line is identical. In the second (shadow), however, the ! or x is missing. I've set it now. It's also odd that sshd was the only account with nothing at all between the "::".
I probably won't be able to find out why. Both files have the same timestamp as when I created my first web user in Plesk 9.2.2. I would guess that this error (?) already occurred during installation, since it's missing in shadow.old as well.
S4Y had completely botched the first installation because of a faulty template. Who knows what they fiddled with afterwards.
The reinstallation then worked, at least on the surface.
I'll keep an eye on it and see how things look after the next web user.

Thnx
BS
 