  1. #1
    Member
    Join Date
    Nov 2003
    Location
    Singapore
    Posts
    72

    Rootkit Hunter 1.1.5

    Hi,

    We have updated to Rootkit Hunter 1.1.5 today.
    We notice the email report is slightly different and noticed this:

    * Application version scan
    - ClamAV 0.75.1 [ OK ]
    - Exim MTA 4.34 [ OK ]
    - GnuPG 1.2.3 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.8 [ OK ]
    - PHP 4.3.8 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]


    Does anybody here have experience with this?

    WHM 9.4.0 cPanel 9.5.0-C27
    Fedora i686 - WHM X v3.1.0

    Thanks in advance.

  2. #2
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Yep, get the same on all my servers. Looks like they're false-positives.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    Nov 2003
    Location
    Singapore
    Posts
    72

    Quote Originally Posted by chirpy
    Yep, get the same on all my servers. Looks like they're false-positives.
    Hi chirpy,

    Thanks for the feedback.
    I sent a mail to the author (www.rootkit.nl) yesterday and he mentioned this:

    It means you're running software that is/can be vulnerable to security
    issues. In the longer term, it can mean someone is able to hack your
    server. So you have to upgrade to newer versions, which aren't
    vulnerable ;-)


    I am a newbie on Linux and have not made any further move to upgrade the versions that are stated as vulnerable.

  4. #4
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    They would be correct, except that RedHat do something called back-porting of security fixes. That means they stay on an old stable version, but implement any security fixes that are released, so that the applications remain both secure and stable. You'll just have to ignore that part of rkhunter - the rest of it, however, is extremely useful and worth using.

  5. #5
    isputra (Member)
    Join Date
    May 2003
    Location
    Mbelitar
    Posts
    593

    Hi,

    I'm still using 1.1.3. And I am confused by this:

    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1 [ Clean ]
    Test 2 [ Clean ]
    Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Clean ]
    Checking /etc/xinetd.conf [ Warning! ]
    pop-3 is enabled, ntalk is enabled, talk is enabled, imap is enabled

    I checked xinetd.conf and there is no pop-3 or ntalk/talk in that config. Do you know what this is about?
    It's me ...... It's me ......

  6. #6
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    They're false positives. This is happening because rkhunter is just checking whether the files are enabled in /etc/xinetd.d/*, not whether they're actually started. You can either:

    1. Ignore them
    2. Edit the respective files in the directory above and set them to disable = yes
    3. Delete the respective files from the directory above, since they are redundant
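    The distinction chirpy draws above can be made concrete. The following is an added example, not code from the thread or from rkhunter: it reads xinetd-style service files from a constructed sample directory (standing in for /etc/xinetd.d) and reports which services xinetd would actually start, which is the question rkhunter 1.1.x does not ask.

```shell
# Added example (not from the thread or from rkhunter): rkhunter 1.1.x only
# looks for the service file under /etc/xinetd.d; xinetd itself only starts a
# service when its "disable" attribute is absent or not "yes". Comparing the
# two explains the warning seen above.

xinetd_service_state() {
    # $1 = one /etc/xinetd.d-style file; prints "<service> enabled|disabled"
    svc=$(sed -n 's/^[[:space:]]*service[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
        printf '%s disabled\n' "$svc"
    else
        printf '%s enabled\n' "$svc"   # a missing "disable" line means enabled
    fi
}

xinetd_enabled_services() {
    # $1 = directory of service files; prints only services xinetd would start
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        xinetd_service_state "$f" | awk '$2 == "enabled" { print $1 }'
    done
}

make_sample_xinetd_dir() {
    # Constructed sample directory standing in for /etc/xinetd.d
    d=$(mktemp -d)
    printf 'service pop3\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n' > "$d/ipop3"
    printf 'service ntalk\n{\n\tdisable = no\n\tsocket_type = dgram\n}\n' > "$d/ntalk"
    printf 'service talk\n{\n\tsocket_type = dgram\n}\n' > "$d/talk"
    printf '%s\n' "$d"
}

# Stand-alone run: the pop3 file exists (which is all rkhunter checks), but
# only ntalk and talk would actually be started by xinetd.
SAMPLE_DIR=$(make_sample_xinetd_dir)
xinetd_enabled_services "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

    Pointing xinetd_enabled_services at the real /etc/xinetd.d shows which of the flagged services are live and which are only dormant files.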

  7. #7
    isputra (Member)
    Join Date
    May 2003
    Location
    Mbelitar
    Posts
    593

    Thanks chirpy

    If I want to upgrade to 1.1.5, what steps must I follow?
    Just install it like a fresh install, or what?

  8. #8
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Yes, just install as if it's a new installation and it will overwrite the old one.

  9. #9
    Member
    Join Date
    Jun 2004
    Location
    Canada
    Posts
    378

    Is there an uninstall procedure for this?

    I always like to know how to uninstall something if I had to.

    Sheldon
    Sheldon King
    Server Administrator
    http://www.forgehosting.com

  10. #10
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    No, there isn't. But it's not very invasive: "locate rkhunter" will find just about everything that is installed.

  11. #11
    Member
    Join Date
    Oct 2003
    Posts
    327

    For those of you keeping score at home, 1.1.6 is the current version as of this writing.

    To do a fresh install, you could just paste the following into your terminal when logged in via SSH:

    cd ~; rm -Rf rkhunter*; wget http://downloads.rootkit.nl/rkhunter-1.1.6.tar.gz; tar zxf rkhunter-*.tar.gz; cd rkhunter; ./installer.sh; rkhunter -c --cronjob; cd ..; rm -Rf rkhunter*

    That will install it and run it for the first time.

    Once it is installed, you can update it by typing:

    rkhunter --versioncheck

    and update the various files rkh uses:

    rkhunter --update

    However, especially with --update, it's not very reliable since the mirrors never seem to have the right file. So I typically just reinstall using the new version.

    To check your version of rkh without running a report, type:

    rkhunter --version

    To just run rkhunter at any time, type:

    rkhunter -c

    If you want rkhunter to check your server every day and e-mail you the results, you can put something like the following in your crontab (crontab -e):

    30 5 * * * /usr/local/bin/rkhunter -c --cronjob

    The --cronjob option turns on a number of other options: it doesn't wait for keypresses between sections, removes color, etc.

    The above example will execute rkhunter at 5:30 AM, server time; feel free to change it however you wish.

    You can pipe the output to any e-mail address you like or, if you are set to forward root mail to a valid address, a copy of the output will be mailed to root, so you will receive it at whatever e-mail address root forwarding is set to.

    That sends the FULL output, with all OKs as well.

    If you only want to get the executive summary with a note of any problems encountered, add --report-mode to the cronjob.

    rkhunter also has a "mail on issues" setting, separate from anything you might do with the crontab.

    Modify the following file on your server:

    /usr/local/etc/rkhunter.conf

    You'll see that the first option at the top is a "mail on problems" setting. Uncomment the line so it looks like this:

    # Send a warning message to the admin when one or more warnings
    # are available (rootkit and MD5 check). Note: uses default `mail`
    # command to send the warning message.
    MAIL-ON-WARNING=youremailaddress@goes-here.com

    rkhunter is a great automated tool, but as noted by others, it's not infallible. Running it doesn't mean you can just go to sleep on security issues. It's important that you give your server the "human touch" and check for security violations yourself.

    Also, the developer of rkhunter has an Amazon wishlist. If you like rkhunter, you should consider buying him a book or two.

    Aric
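    Tying the cron mail and the back-porting point together, the following added example (not code from the thread, from rkhunter or from its author) reduces a saved "rkhunter -c --cronjob" report to the lines that still need a human, dropping version-scan "Vulnerable" hits for packages whose distro back-ports fixes. The back-ported package list and the report excerpt are constructed from the lines quoted in this thread.

```shell
# Added example, not from the thread or from rkhunter: filter a report so the
# cron mail only says something when it is actionable. BACKPORTED_PKGS is an
# assumption based on chirpy's remark about RedHat back-porting; keep it in
# step with your own vendor's advisories rather than trusting it blindly.

BACKPORTED_PKGS="OpenSSL OpenSSH GnuPG"

rkhunter_actionable() {
    # stdin: full rkhunter report; stdout: Warning!/Vulnerable lines that are
    # not explained by a back-ported package
    grep -E '\[ (Warning!|Vulnerable) \]' | while IFS= read -r line; do
        keep=1
        case "$line" in
            *"[ Vulnerable ]"*)
                for p in $BACKPORTED_PKGS; do
                    case "$line" in *"- $p "*) keep=0 ;; esac
                done ;;
        esac
        if [ "$keep" -eq 1 ]; then printf '%s\n' "$line"; fi
    done
}

rkhunter_has_issues() {
    # stdin: full report; exit 0 only when actionable lines remain, so a cron
    # wrapper can decide whether to send mail at all
    [ "$(rkhunter_actionable | grep -c .)" -gt 0 ]
}

sample_report() {
    # Constructed report excerpt assembled from lines quoted in this thread
    cat <<'EOF'
* Application version scan
- ClamAV 0.75.1 [ OK ]
- GnuPG 1.2.1 [ Vulnerable ]
- OpenSSL 0.9.7a [ Vulnerable ]
- ProFTPd 1.2.9 [ Vulnerable ]
- OpenSSH 3.6.1p2 [ Vulnerable ]
* Trojan specific characteristics
Checking /etc/inetd.conf [ Clean ]
Checking /etc/xinetd.conf [ Warning! ]
EOF
}

# Stand-alone run: prints only the ProFTPd and xinetd.conf lines
sample_report | rkhunter_actionable
```

    In a cron wrapper you would save the real report to a file, run rkhunter_has_issues on it, and mail the output of rkhunter_actionable only when it succeeds.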

  12. #12
    Member
    Join Date
    Nov 2003
    Location
    Singapore
    Posts
    72

    Quote Originally Posted by Aric1
    For those of you keeping score at home, 1.1.6 is the current version as of this writing.
    Thanks Aric1,

    Upgraded to rkhunter 1.1.6 without any hiccups.
    Nice.

  13. #13
    isputra (Member)
    Join Date
    May 2003
    Location
    Mbelitar
    Posts
    593

    Quote Originally Posted by eazistore
    Thanks Aric1,

    Upgraded to rkhunter 1.1.6 without any hiccups.
    Nice.
    Me too, upgraded without problems.

  14. #14
    isputra (Member)
    Join Date
    May 2003
    Location
    Mbelitar
    Posts
    593

    I have this in my email:

    * Application version scan
    - ClamAV 0.75.1 [ OK ]
    - ClamAV 0.70-rc [ Unknown ]
    - Exim MTA 4.41 [ OK ]
    - GnuPG 1.2.1 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.6m [ OK ]
    - PHP 4.3.8 [ OK ]
    - PHP 4.3.8 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - ProFTPd 1.2.9 [ Vulnerable ]
    - OpenSSH 3.7.1p2 [ Unknown ]

    Is there any way to uninstall ClamAV 0.70-rc ?

  15. #15
    Member
    Join Date
    Oct 2003
    Posts
    327

    locate clamav

    would have given you a hint.

    You probably have a copy here:

    /usr/src/

    Delete any old ClamAV directories you find there; you don't need them.

    Regards,

    Aric
