  1. #1
    Member
    Join Date
    Jun 2004
    Location
    Canada
    Posts
    378

    rootkit hunter

    * Application version scan
    - Exim MTA 4.34 [ OK ]
    - GnuPG 1.2.1 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.8 [ OK ]
    - PHP 4.3.8 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.5p1 [ Vulnerable ]



    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ OK ]

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... [ OK (Remote root login disabled) ]
    Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

    * Check: Events and Logging
    Search for syslog configuration... [ OK ]
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]


    Procmail? Why is this installed... did cPanel install this?

    How can I update OpenSSL and OpenSSH without mucking cPanel up?

    And what is GnuPG, and how can I update it?

    /etc/passwd [FOUND]: is this bad?

    Logging to remote system [no remote logging]: is this bad?


    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files...[ Warning! ]
    ---------------
    /etc/.pwd.lock
    ---------------
    Please inspect: /etc/.java (directory)


    .pwd.lock is a blank file. I copied it to a different file and rm'd it.

    /etc/.java is a directory with files; all are empty as far as I can see.

    Any suggestions?
    Sheldon King
    Server Administrator
    http://www.forgehosting.com
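The "Please inspect" lines above are a prompt to look, not a verdict. As an added example that is not part of the original post or of rkhunter, the script below triages hidden entries directly under a directory the way an admin would before deleting anything: it checks each dot-prefixed name against a small allow list, then prints its type, whether it is empty, and whether it is executable or setuid, since an "empty-looking" hidden file that turns out to be a setuid script is the one that matters. The allow list, the function names (`is_known`, `describe`, `triage_hidden`, `unknown_hidden`, `make_sample`) and the constructed sample tree standing in for /etc are all assumptions for illustration; the two allow-listed names are the ones from the post, and both have a mundane origin: `.pwd.lock` is the lock file glibc's `lckpwdf()` creates so that `passwd`, `vipw` and friends serialise edits to /etc/passwd and /etc/shadow, and `.java` is the system-wide Java preferences directory (`java.util.prefs`).

```shell
#!/bin/sh
# Added example, not code from the original post or from rkhunter: triage a
# "Scanning for hidden files... [ Warning! ]" result instead of deleting the
# entries. The allow list and the sample tree below are assumptions for
# illustration; extend the list for your own system.
#
# Both names rkhunter flagged in the post have a mundane origin:
#   .pwd.lock  lock file that glibc's lckpwdf() creates so that passwd, vipw
#              and friends serialise edits to /etc/passwd and /etc/shadow
#   .java      system-wide Java preferences directory (java.util.prefs)
KNOWN_HIDDEN=".pwd.lock .java"

# is_known NAME: succeed if NAME is on the allow list
is_known() {
    for k in $KNOWN_HIDDEN; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# describe PATH NAME: print "NAME type empty|nonempty [SETUID] [EXEC]".
# An "empty looking" hidden file that turns out to be executable or setuid
# is the case worth a second look, so the flags are printed explicitly.
describe() {
    if [ -L "$1" ]; then t=symlink
    elif [ -d "$1" ]; then t=dir
    else t=file
    fi
    flag=""
    [ -u "$1" ] && flag="$flag SETUID"
    [ "$t" = file ] && [ -x "$1" ] && flag="$flag EXEC"
    if [ -s "$1" ]; then s=nonempty; else s=empty; fi
    printf '%s %s %s%s\n' "$2" "$t" "$s" "$flag"
}

# triage_hidden DIR: one KNOWN/INSPECT line per dot-prefixed entry directly under DIR
triage_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort | while read -r p; do
        n=${p##*/}
        if is_known "$n"; then
            printf 'KNOWN   %s\n' "$(describe "$p" "$n")"
        else
            printf 'INSPECT %s\n' "$(describe "$p" "$n")"
        fi
    done
}

# unknown_hidden DIR: just the names that still need a human look
unknown_hidden() {
    triage_hidden "$1" | awk '$1 == "INSPECT" { print $2 }'
}

# make_sample: build a constructed stand-in for /etc (assumption, not a real
# system) holding the two entries from the post plus one planted setuid script
# that no allow list should ever cover. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    : > "$d/.pwd.lock"
    mkdir -p "$d/.java/.systemPrefs"
    printf '#!/bin/sh\n' > "$d/.rc.local"
    chmod 4755 "$d/.rc.local"
    printf '%s\n' "$d"
}

# Run against the sample; on a real box call: triage_hidden /etc
SAMPLE=$(make_sample)
triage_hidden "$SAMPLE"
rm -rf "$SAMPLE"
```

On the sample tree this prints KNOWN for `.java` and `.pwd.lock` and INSPECT for the planted `.rc.local`, flagged as a non-empty setuid executable. Removing `.pwd.lock` as the post describes does no lasting harm, because `lckpwdf()` opens it with `O_CREAT` and recreates it the next time `passwd` or `vipw` runs; the useful habit is to record why each allow-listed name exists so the next scan does not trigger the same question.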

  2. #2
    Member
    Join Date
    Nov 2003
    Location
    Singapore
    Posts
    72


    Quote Originally Posted by Sheldon (post #1 above, quoted in full)
    Hi Sheldon,

    I posted something about rkhunter 1.1.5 on 12/8/2004 at this link Rootkit Hunter 1.1.5

    Seems like it's a known issue and false positives.

  3. #3
    Registered User
    Join Date
    Feb 2010
    Posts
    1


    Quote Originally Posted by eazistore (post #2 above, quoted in full)
    eazistore, thank you so much for sharing about rkhunter 1.1.5. It helped me resolve this issue and now I am fine.

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    Consider that program "informational"...

    If you do not understand what it is telling you, it is probably not a good idea to be using it.

    Many things Rootkit Hunter reports fall in the "Duh!" category, being obvious; some items are purely informational, and the general idea is that if something is actually wrong it would bring it to the surface so that you would take notice.

    Mainly, you don't want any unusual errors or hits coming back positive on the "specific" rootkit checks, and take with a bit of caution reports about system file changes, which might be system updates or something else that you would need to find out about separately.
