Getting rkHunter Security Warnings daily?

Discussion in 'Security' started by Shahzadqayyum, Jun 26, 2015.

  1. Shahzadqayyum

    Shahzadqayyum Member

    Hello!
    I got "[rkhunter] Warnings found for server" security warnings a few weeks ago.
    I scanned my server using maldet.
    Found 2 infected files.

    Code:
    ========================
    malware detect scan report for server.xyz.com:
    SCAN ID: 061415-1200.11881
    TIME: Jun 14 12:51:23 -0400
    PATH: /home
    TOTAL FILES: 50682
    TOTAL HITS: 2
    TOTAL CLEANED: 0
    
    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 061415-1200.11881
    FILE HIT LIST:
    {MD5}php.exe.globals.5034 : /home/cpeasyapache/src/php-5.4.39/ext/standard/tests/file/bug41874_3.phpt
    {MD5}php.exe.globals.4973 : /home/cpeasyapache/src/php-5.4.39/ext/standard/tests/general_functions/bug50732.phpt
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >
    
    
    These infected files were manually quarantined by support staff.
    Next day, the same notification "[rkhunter] Warnings found for server" in my inbox?
    Again scanned the whole server but still getting these notifications.

    I tried almost everything, including cPanel/server hardening. Updated cPanel and rkHunter but still getting these notifications daily, sometimes twice a day?

    Any help would be appreciated.
    Thanks in advance.
     
    #1 Shahzadqayyum, Jun 26, 2015
    Last edited by a moderator: Jun 26, 2015
  2. quizknows

    quizknows Well-Known Member

    Check the rkhunter log file, or run "rkhunter -c" yourself to see what it is flagging. If in doubt ask for help from your hosting provider.

    You should also tell the support staff that those files found by maldet are false positives... they should know that. They are valid parts of EasyApache / PHP source. Maybe ask for a more experienced technician or a security team if they have one available.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, please consult with your support staff and have them review the file names in the report. You can compare the MD5sums with another cPanel server to verify they are in fact legitimate files included with cPanel/EasyApache.

    Thank you.
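
The MD5 comparison suggested above can be scripted. This is an added example, not code from the thread or from cPanel. The function names (hit_paths, manifest, compare) and the file names in the usage comment are hypothetical, and it assumes the reference server has the same EasyApache PHP source version installed, so the flagged paths exist there too.

```sh
#!/bin/sh
# Added example: verify maldet hits against MD5 sums from a known-good server.

# Print the file paths listed under FILE HIT LIST in a saved maldet report.
# Hit lines have the form:  {MD5}signature.name : /absolute/path/to/file
hit_paths() {
    sed -n 's|^[[:space:]]*{[A-Za-z0-9]*}[^[:space:]]* : \(/.*\)$|\1|p' "$1"
}

# Read paths on stdin and emit "md5  path" for each one (run on both servers).
manifest() {
    while IFS= read -r p; do
        if [ -f "$p" ]; then
            printf '%s  %s\n' "$(md5sum < "$p" | cut -d' ' -f1)" "$p"
        else
            printf 'MISSING  %s\n' "$p"
        fi
    done
}

# Read the local manifest on stdin and compare it with the reference manifest $1.
# Prints one verdict per file; returns 0 only if every hit matches the reference.
compare() {
    rc=0
    while read -r sum p; do
        ref=$(awk -v p="$p" '{h=$1; sub(/^[^ ]+ +/, "")} $0 == p {print h; exit}' "$1")
        if [ -z "$ref" ] || [ "$ref" = MISSING ]; then
            echo "UNKNOWN   $p (no copy on the reference server)"; rc=1
        elif [ "$sum" = "$ref" ]; then
            echo "MATCH     $p"
        else
            echo "MISMATCH  $p"; rc=1
        fi
    done
    return $rc
}

# Usage (placeholder file names):
#   reference server:  sh verify_hits.sh manifest report.txt > reference.md5
#   flagged server:    sh verify_hits.sh compare  report.txt reference.md5
case "${1:-}" in
    manifest) hit_paths "$2" | manifest ;;
    compare)  hit_paths "$2" | manifest | compare "$3" ;;
esac
```

A MATCH means the flagged file is byte-identical to the copy on the reference server; MISMATCH or UNKNOWN means the file needs manual review before it is treated as a false positive.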
     