  1. #1
    Member
    Join Date
    Aug 2005
    Posts
    5

    Rootkit Hunter System tools BAD markers

    Hello,

    After we run Rootkit we get these errors:

    Code:
    Rootkit Hunter 1.2.7 is running
    
    Determining OS... Ready
    
    
    Checking binaries
    * Selftests
         Strings (command)                                        [ OK ]
    
    
    * System tools
      Performing 'known good' check...
       /bin/cat                                                   [ BAD ]
       /bin/chmod                                                 [ BAD ]
       /bin/chown                                                 [ BAD ]
       /bin/dmesg                                                 [ BAD ]
       /bin/egrep                                                 [ BAD ]
       /bin/env                                                   [ BAD ]
       /bin/fgrep                                                 [ BAD ]
       /bin/grep                                                  [ BAD ]
       /bin/kill                                                  [ BAD ]
       /bin/login                                                 [ BAD ]
       /bin/ls                                                    [ BAD ]
       /bin/mount                                                 [ BAD ]
       /bin/netstat                                               [ BAD ]
       /bin/ps                                                    [ OK ]
       /bin/su                                                    [ BAD ]
       /sbin/chkconfig                                            [ OK ]
       /sbin/depmod                                               [ OK ]
       /sbin/ifconfig                                             [ BAD ]
       /sbin/init                                                 [ BAD ]
       /sbin/insmod                                               [ OK ]
       /sbin/modinfo                                              [ OK ]
       /sbin/runlevel                                             [ BAD ]
       /sbin/sysctl                                               [ OK ]
       /sbin/syslogd                                              [ OK ]
       /usr/bin/file                                              [ BAD ]
       /usr/bin/find                                              [ OK ]
       /usr/bin/groups                                            [ OK ]
       /usr/bin/kill                                              [ BAD ]
       /usr/bin/killall                                           [ OK ]
       /usr/bin/lsattr                                            [ OK ]
       /usr/bin/pstree                                            [ OK ]
       /usr/bin/sha1sum                                           [ BAD ]
       /usr/bin/stat                                              [ BAD ]
       /usr/bin/users                                             [ BAD ]
       /usr/bin/w                                                 [ OK ]
       /usr/bin/watch                                             [ OK ]
       /usr/bin/who                                               [ BAD ]
       /usr/bin/whoami                                            [ BAD ]
    We have checked the Rootkit log and here is the info:
    Code:
    [05:57:08] Checking /bin/cat against hashes in database (adab51f4f506e0736d11f034f9fe7309) failed
    [05:57:08] RPM info: your package 'coreutils-4.5.3-28'
    [05:57:08] RPM info: packages in database: coreutils-4.5.3-26
    server kernel is: 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686
    server OS: RedHat Enterprise 3 i686
    whm/cpanel: WHM 10.6.0 cPanel 10.8.0-S59


    Server runs fine and all is OK, but what is with these BAD markers?

    Thanks, S.

  2. #2
    Member
    Join Date
    Apr 2003
    Posts
    38


    There is nothing more than you've already told: the package on your system is newer than the one in the RKH database. When Michael Boelen updates the RKH database for RHEL everything will be OK.

  3. #3
    Member
    Join Date
    Aug 2005
    Posts
    5


    And for me this is logical, but better to ask.

    On all our servers this is a "problem", so this is it.

    Thanks, S.

  4. #4
    Member sh4ka
    Join Date
    May 2005
    Posts
    433


    Same happened to me with my servers; I notified Michael but he didn't update the app DB yet.

  5. #5
    Member
    Join Date
    Mar 2004
    Posts
    42


    Hehe, I happen to know the guy in real life, shall I whoop his ass?

    Either way, it still shows 4 BADs on my server:
    /bin/dmesg [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/mount [ BAD ]

    Any of you have trouble with those?

  6. #6
    Super Moderator (cPanel-confirmed vendor) chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Those will appear on RHE servers running v3.6; rkhunter is still out of date for the md5sums of those files.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  7. #7
    Member
    Join Date
    Apr 2003
    Posts
    38


    You probably mean CentOS, not RHE.

  8. #8
    Super Moderator (cPanel-confirmed vendor) chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    No, I mean RHE.
    Jonathan Michaelson


  9. #9
    Member
    Join Date
    Mar 2004
    Posts
    42


    Yea, it's RHE.

    I figured it was that, but EV1 told me my server was compromised on root level, which is really really REALLY unlikely.. I've been doing server maintenance for far over 3 years now and spent 4 years before that getting my degrees for it, so I SHOULD be able to notice it when something has been compromised.

    Either way, thanks for confirming my thoughts, I'll ask Michael to update some stuff when I see him.

  10. #10
    Member
    Join Date
    Jan 2005
    Posts
    1,880


    On a somewhat related topic, I've noticed that the following has been occurring at the start of email reports from rkhunter:

    Code:
    Rootkit Hunter 1.2.7 is running
    
    Determining OS... Unknown
    Warning: This operating system is not fully supported!
    Warning: Cannot find md5_not_known
    All MD5 checks will be skipped!
    whereas the emails used to start with:
    Code:
    Rootkit Hunter 1.2.7 is running
    
    Determining OS... Ready
    Looking back through the emails, I notice that the last one that determined the OS correctly was on the 3rd of November this year, with "Determining OS... Unknown" occurring from the 4th onwards. This just so happens to coincide with the upgrade from CentOS 3.5 to 3.6.

    I've also checked that rkhunter is up to date and it seems to think it is.

    Has anyone else noticed that rkhunter can't 'recognise' CentOS 3.6 when it previously had no problems with 3.5 and 3.4?

  11. #11
    Super Moderator (cPanel-confirmed vendor) chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Yup, that is the CentOS issue - there is no support at all yet for the v3.6 md5's.
    Jonathan Michaelson

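As an added example, not part of this thread or of rkhunter itself: a small Python triage helper for the two failure modes described above, the "known good" BAD results from post #1 (which post #2 attributes to the installed RPM being newer than rkhunter's hash database) and the "All MD5 checks will be skipped!" header from post #10, where an unrecognised OS means the report verified nothing. The sample log lines are constructed and the verdict strings are my own; a "database-lag" verdict still deserves a cross-check with rpm -V against the vendor package before being dismissed.

```python
import re
# Constructed rkhunter 1.2.x log/report lines modelled on the format quoted in this thread;
# hashes and package versions are made up. The second sample is the unrecognised-OS case.
SAMPLE = """\
[05:57:08] Checking /bin/cat against hashes in database (0123456789abcdef0123456789abcdef) failed
[05:57:08] RPM info: your package 'coreutils-4.5.3-28'
[05:57:08] RPM info: packages in database: coreutils-4.5.3-26
[05:57:09] Checking /bin/ls against hashes in database (fedcba9876543210fedcba9876543210) failed
[05:57:09] RPM info: your package 'coreutils-4.5.3-26'
[05:57:09] RPM info: packages in database: coreutils-4.5.3-26
"""
SAMPLE_UNKNOWN_OS = """\
Determining OS... Unknown
All MD5 checks will be skipped!
"""

CHECK_RE = re.compile(r"Checking (\S+) against hashes in database \([0-9a-f]{32}\) failed")
YOURS_RE = re.compile(r"RPM info: your package '([^']+)'")
INDB_RE = re.compile(r"RPM info: packages in database: (.+)")

def split_nvr(pkg):
    """'coreutils-4.5.3-28' -> ('coreutils', '4.5.3-28'); the name ends before the first '-<digit>'."""
    m = re.match(r"(.+?)-(\d.*)", pkg)
    return (m.group(1), m.group(2)) if m else (pkg, "")

def version_key(ver):
    """Sortable key for an RPM version-release string: numeric parts compare as integers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", ver))

def triage(log_text):
    """Map each failed hash check to a verdict; add a 'scan' verdict if no hashing happened at all."""
    verdicts, lines = {}, log_text.splitlines()
    if any("All MD5 checks will be skipped" in ln for ln in lines):
        verdicts["scan"] = "no-verification: OS not recognised, every MD5 check was skipped"
    for i, ln in enumerate(lines):
        if not (m := CHECK_RE.search(ln)):
            continue
        path, ctx = m.group(1), lines[i + 1:i + 3]  # the two RPM info lines follow the failure
        yours = next((YOURS_RE.search(x).group(1) for x in ctx if YOURS_RE.search(x)), None)
        indb = next((INDB_RE.search(x).group(1) for x in ctx if INDB_RE.search(x)), "")
        if yours is None:
            verdicts[path] = "investigate: hash mismatch with no package information"
            continue
        name, ver = split_nvr(yours)
        known = [split_nvr(p)[1] for p in re.split(r"[,\s]+", indb) if split_nvr(p)[0] == name]
        if known and all(version_key(ver) > version_key(k) for k in known):
            verdicts[path] = f"database-lag: installed {yours} is newer than database {known}"
        else:
            verdicts[path] = f"investigate: {yours} is in the database but the binary's hash differs"
    return verdicts
```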
