  1. #16
    cPanel Partner NOC
    Join Date
    Jul 2004
    Posts
    55

    I have made the test and got:
    * Application version scan
    - Exim MTA 4.44 [ Unknown ]
    - GnuPG 1.2.1 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.10 [ Unknown ]
    - PHP 4.3.10 [ Unknown ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]


    I run a RH3 AS
    thx

  2. #17
    Super Moderator chirpy (forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Quote: I run a RH3 AS
    Then they're fine (false-positives) as RH backports fixes - this has been mentioned many times on the forums.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #18
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    You may also want to upgrade to rkhunter 1.2.1 as it's available (always a good idea to keep your software up to date).
    Beau Henderson

  4. #19
    Member
    Join Date
    Oct 2003
    Posts
    327

    The latest versions note that those items are either vulnerable or patched. It is up to you to know the difference.

    As noted RH backports security fixes to old versions (without adding the new features), so as long as you use up2date regularly you are probably OK on those items.
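
Added example, not part of any post in this thread: one way to triage the `[ Vulnerable ]` flags on a distribution that backports fixes is to look for the advisory's CVE id in the installed package's own changelog rather than trusting the version string. The function names are hypothetical, the changelog excerpt is constructed, and `CVE-0000-0001` is a placeholder id.

```shell
#!/bin/bash
# Added example: triage rkhunter "[ Vulnerable ]" version flags on a host
# whose vendor backports security fixes without bumping upstream versions.

# Version-scan lines as posted earlier in this thread.
SCAN='- Exim MTA 4.44 [ Unknown ]
- GnuPG 1.2.1 [ Vulnerable ]
- Apache [unknown] [ OK ]
- OpenSSL 0.9.7a [ Vulnerable ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Vulnerable ]'

# Constructed excerpt in the layout "rpm -q --changelog" prints.
# CVE-0000-0001 is a placeholder id, not a real advisory.
SAMPLE_CHANGELOG='* Tue Mar 01 2005 Example Packager <pkg@example.invalid> 0.9.7a-33.2
- backport fix for CVE-0000-0001 from upstream
* Mon Jan 03 2005 Example Packager <pkg@example.invalid> 0.9.7a-33.1
- rebuild'

# stdin: scan lines. stdout: "<lowercased name> <version>" per flagged item.
flagged_items() {
    awk '/\[ Vulnerable \]$/ {
             ver = $(NF-3); name = $2
             for (i = 3; i < NF-3; i++) name = name " " $i
             print tolower(name), ver
         }'
}

# $1: CVE id. stdin: changelog text.
# Prints the entry header and the line naming the id; exits 1 if never named.
changelog_fixes() {
    [ -n "$1" ] || return 2
    awk -v id="$1" '
        /^\* /        { hdr = $0 }
        index($0, id) { print hdr; print $0; hits++ }
        END           { exit (hits ? 0 : 1) }'
}

# $1: rpm package name, $2: CVE id taken from the vendor advisory.
# Reads the installed package's changelog, so it only works on an RPM host.
backported() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_fixes "$2"
}

# Demo on the embedded samples.
printf '%s\n' "$SCAN" | flagged_items
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fixes CVE-0000-0001
```

A flagged item counts as a false positive only when every CVE the scanner's warning is based on shows up in the changelog of the installed build; an id that is missing means the package still needs updating.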

  5. #20
    Registered User
    Join Date
    Aug 2004
    Location
    London, UK
    Posts
    4

    Quote Originally Posted by Aric1

    Once it is installed, you can update it by typing:

    rkhunter --versioncheck

    and update the various files rkh uses:

    rkhunter --update

    However, especially with --update, it's not very reliable since the mirrors never seem to have the right file. So I typically just reinstall using the new version.

    To check your version of rkh without running a report, type:

    rkhunter --version

    Aric
    Hi,

    Thanks for the info. Running 1.18 and followed your update procedure. --versioncheck informs me that version 1.2.1 is available and to update. I update (following above) and rkhunter --version then informs me I still have version 1.1.8. What to do?

    As for reinstalling: do I just reinstall 1.2.1 over 1.1.8?

    thx

  6. #21
    Member sawbuck
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by ony101
    As for reinstalling: do I just reinstall 1.2.1 over 1.1.8? thx
    Yes.......

  7. #22
    Registered User
    Join Date
    Aug 2004
    Location
    London, UK
    Posts
    4

    Quote Originally Posted by sawbuck
    Yes.......
    OK.............

  8. #23
    Member
    Join Date
    Oct 2001
    Posts
    651

    When I run rkhunter v1.2.5, I get the following:

    Code:
    * Filesystem checks
       Checking /dev for suspicious files...                      [ Warning! (unusual files found) ]
    ---------------------------------------------
    Unusual files:
    /dev/tmpMnt:      Linux rev 1.0 ext2 filesystem data (mounted or unclean) (errors)
    ---------------------------------------------
    Any ideas?
    Marty Hoskins
    TLC Web Enterprises

  9. #24
    Super Moderator chirpy (forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    I would guess that's a manually created /tmp partition, and if so, can be ignored.
    Jonathan Michaelson


  10. #25
    Member
    Join Date
    Oct 2001
    Posts
    651

    Chirpy,

    Good call! You are 100% correct. Thank you.
    Marty Hoskins
    TLC Web Enterprises

  11. #26
    Member
    Join Date
    Jul 2003
    Posts
    44

    1.2.7 is out now. Great thread!

  12. #27
    Member
    Join Date
    Oct 2003
    Posts
    327

    For those of you who like to have rkhunter run automatically and have it update itself, I use this script:
    Code:
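    #!/bin/bash

    ## Update the database first
    /usr/local/bin/rkhunter --update

    ##Gather Versions (run the check once and reuse its output)
    VERCHECK=`/usr/local/bin/rkhunter --versioncheck`
    THISVER=`echo "$VERCHECK" | grep "This version:"`
    LATVER=`echo "$VERCHECK" | grep "Latest version:"`
    UPDATEAVAIL=`echo "$VERCHECK" | grep "Update available"`

    ##Print The Versions
    echo "$THISVER"
    echo "$LATVER"

    ##If Update Doesn't Exist
    if [ -z "$UPDATEAVAIL" ] ; then
            ##No Updates Are Available
            echo "No Updates Available"
    else
            ##Print Update Available
            echo "$UPDATEAVAIL"

            ##Print New Version
            NEWVER=`echo "$LATVER" | awk '{ print $3;}'`
            OLDVER=`echo "$THISVER" | awk '{ print $3;}'`

            ## The version string comes from the network and ends up in file names
            ## and a URL, so accept digits and dots only
            case "$NEWVER" in
                    ''|*[!0-9.]*) echo "Unexpected version string, not updating"; NEWVER="" ;;
            esac

            ## Check that the new version is actually greater - sometimes it's old..
            ## (compared field by field; stripping the dots ranks 1.2.10 above 1.3.0)
            NEWEST=`printf '%s\n' "$OLDVER" "$NEWVER" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1`
            if [ -n "$NEWVER" ] && [ "$NEWVER" != "$OLDVER" ] && [ "$NEWEST" = "$NEWVER" ] ; then
                    ##Begin Fresh Install
                    cd /usr/local/src || exit 1
                    rm -r -f "rkhunter-$NEWVER.tar.gz"
                    rm -r -f "rkhunter-$NEWVER.tar"
                    ## Plain-HTTP download that is then installed as root: nothing here
                    ## verifies the tarball, so check it against a checksum or signature
                    ## obtained from the project before trusting unattended installs.
                    ## Each step runs only if the previous one succeeded.
                    wget "http://downloads.rootkit.nl/rkhunter-$NEWVER.tar.gz" -q &&
                    gunzip "rkhunter-$NEWVER.tar.gz" &&
                    tar -xf "rkhunter-$NEWVER.tar" &&
                    rm -r -f "rkhunter-$NEWVER.tar" &&
                    cd rkhunter &&
                    echo "Installing version $NEWVER" &&
                    sh installer.sh > /dev/null
            else
                    echo "Latest version is actually older, so ignoring"
            fi
    fi

    ##Create Temp Log (private file rather than tmp.log in the current directory)
    TMPLOG=`mktemp /tmp/rkhunter-run.XXXXXX` || exit 1

    ##Run RKHUNTER To Log
    /usr/local/bin/rkhunter -c --cronjob --createlogfile --display-logfile >> "$TMPLOG"

    ##Print Log
    cat "$TMPLOG"
    rm -f "$TMPLOG"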

    I have it set to display the detailed log file also so if a potential issue is discovered, you have more detail about what triggered the warning.

    Just name this script whatever you want and throw it in /etc/cron.daily or execute it from the crontab. Make sure the script is owned/executed by root with 0700 permissions.

    Don't forget to show your appreciation to the author by buying him something on his Amazon wishlist. He's a nice guy and does a good job keeping rkhunter updated.
