Getting rkHunter Security Warnings daily?

Shahzadqayyum

Member
Feb 5, 2015
9
0
51
cPanel Access Level
Website Owner
Hello!
I Got [rkhunter] Warnings found for server‏ Security Warnings a few weeks ago.
I scanned my server using maldet.
Found 2 infected files.

Code:
========================
malware detect scan report for server.xyz.com:
SCAN ID: 061415-1200.11881
TIME: Jun 14 12:51:23 -0400
PATH: /home
TOTAL FILES: 50682
TOTAL HITS: 2
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 061415-1200.11881
FILE HIT LIST:
{MD5}php.exe.globals.5034 : /home/cpeasyapache/src/php-5.4.39/ext/standard/tests/file/bug41874_3.phpt
{MD5}php.exe.globals.4973 : /home/cpeasyapache/src/php-5.4.39/ext/standard/tests/general_functions/bug50732.phpt
===============================================
Linux Malware Detect v1.4.2 < [email protected] >
these infected files were manually quarantined by support staff.
Next day same notification [rkhunter] Warnings found for server‏ in my inbox?
again scanned all server but still getting these notifications.

I tried almost everything including cpanel /server hardening. Updated cpanel and rkHunter but still getting these notifications daily/sometimes twice a day?

any help be appreciated.
thanks in advance
rkhunter.jpg
 
Last edited by a moderator:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Check the rkhunter log file, or run "rkhunter -c" yourself to see what it is flagging. If in doubt ask for help from your hosting provider.

You should also tell the support staff that those files found by maldet are false positives... they should know that. They are valid parts of EasyApache / PHP source. Maybe ask for a more experienced technician or a security team if they have one available.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,219
463
Hello :)

Yes, please consult with your support staff and have them review the file names in the report. You can compare the MD5sums with another cPanel server to verify they are in-fact legitimate files included with cPanel/EasyApache.

Thank you.