The Community Forums


help with rkhunter output

Discussion in 'Security' started by gotalk, Oct 19, 2011.

  1. gotalk

    gotalk Member

    Joined:
    May 27, 2008
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    I have a VPS with WHM/cPanel and I'm looking for advice. Last week I started getting server overload warnings and I came across some advice on this forum to install rkhunter to scan for security risks. Can someone with some experience with rkhunter please help me interpret these results? I'm just not sure if some of these warnings are normal for WHM/cPanel or not.

    Checking rkhunter version...
    This version : 1.3.8
    Latest version: 1.3.8
    [ Rootkit Hunter version 1.3.8 ]

    Checking rkhunter data files...
    Checking file mirrors.dat                          [ No update ]
    Checking file programs_bad.dat                     [ No update ]
    Checking file backdoorports.dat                    [ No update ]
    Checking file suspscan.dat                         [ No update ]
    Checking file i18n/cn                              [ No update ]
    Checking file i18n/de                              [ No update ]
    Checking file i18n/en                              [ No update ]
    Checking file i18n/zh                              [ No update ]
    Checking file i18n/zh.utf8                         [ No update ]
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    Warning: The SSH configuration option 'PermitRootLogin' has not been set.
    The default value may be 'yes', to allow root access.
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
    Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
    Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
    Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.

    :confused:
    Thanks in advance!

    -John
     
    #1 gotalk, Oct 19, 2011
    Last edited: Oct 19, 2011
  2. SB-Nick

    SB-Nick Well-Known Member

    Joined:
    Aug 26, 2008
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    The log you posted doesn't seem strange at all; the output you see in there is normal and it doesn't point to the cause of a server being compromised. Anyhow, there is a lot of the rkhunter output you are missing out there.

    I would look at "top" with the help of "sar" to find why the server is getting overloaded at certain times.
     
  3. gotalk

    gotalk Member

    Joined:
    May 27, 2008
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Thanks Nick. The overload warnings only lasted about a day and I haven't had one since last week. I just installed rkhunter on the advice of another cPanel forum member and wasn't too sure how to interpret the log.

    Can you explain what you mean by this?
     
  4. SB-Nick

    SB-Nick Well-Known Member

    Joined:
    Aug 26, 2008
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hey,

    Those are system command tools that will help you troubleshoot your overload issue.

    top displays Linux tasks, the CPU, RAM and disk I/O % usage by each, and much more.
    sar collects and gives you a system statistics report every few minutes for the same.

    I would recommend googling for the documentation to understand how they work.
     
  5. fshagan

    fshagan Member

    Joined:
    Jan 29, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    For a cPanel VPS server, I found the following changes to /etc/rkhunter.conf helpful. They eliminate some of the "false positive" reports ("command has been replaced by script", "/lib/modules is empty", "hidden" files or directories, etc):

    Find:
    Code:
    DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
    
    Replace with (note the two new values at the front of the string):
    Code:
    DISABLE_TESTS="os_specific avail_modules suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
    
    Find:
    Code:
    #SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
    #SCRIPTWHITELIST="/usr/bin/groups /usr/bin/ldd /usr/bin/whatis"
    
    Remove the "#" to enable the script white list:
    Code:
    SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
    SCRIPTWHITELIST="/usr/bin/groups /usr/bin/ldd /usr/bin/whatis"
    

    Find:
    Code:
    #ALLOWHIDDENDIR="/dev/.udev"
    
    Remove the "#" to allow the /dev/.udev hidden directory:
    Code:
    ALLOWHIDDENDIR="/dev/.udev"
    
    To eliminate the "Hidden File Found" warnings, find:
    Code:
    #ALLOWHIDDENFILE="/etc/.java"
    #ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
    #ALLOWHIDDENFILE="/etc/.pwd.lock"
    #ALLOWHIDDENFILE="/etc/.init.state"
    #ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
    #ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
    #ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
    #ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
    #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
    #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
    #ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
    #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
    #ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
    
    Remove the "#" for the hidden files on a cPanel system (items 7, 8, 16 and 17 in this list):
    Code:
    #ALLOWHIDDENFILE="/etc/.java"
    #ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
    #ALLOWHIDDENFILE="/etc/.pwd.lock"
    #ALLOWHIDDENFILE="/etc/.init.state"
    #ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
    #ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
    ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
    ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
    #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
    #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
    #ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
    #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
    ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
    ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
    
    That will eliminate the "false positives" you are seeing, allowing you to focus on the real issues.
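    As an added example (not code from the thread or from rkhunter), here is a small Python script that applies the rkhunter.conf edits listed above to a constructed excerpt of the config, can be run more than once without duplicating values, and shows which entries are active afterwards. A whitelist entry silences that check permanently, so confirm each "replaced by a script" command and hidden file really belongs to the distribution package (for example with rpm -Vf on a CentOS cPanel box) before adding it.

```python
import re

# Constructed excerpt standing in for a stock rkhunter 1.3.8 /etc/rkhunter.conf;
# it is not the real file, only the lines the post above touches.
SAMPLE_CONF = """\
DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
#SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
#SCRIPTWHITELIST="/usr/bin/groups /usr/bin/ldd /usr/bin/whatis"
#ALLOWHIDDENDIR="/dev/.udev"
#ALLOWHIDDENFILE="/etc/.java"
#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
"""

# Tests to prepend to DISABLE_TESTS, and the exact lines to uncomment.
EXTRA_TESTS = ["os_specific", "avail_modules"]
UNCOMMENT = {
    'SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"',
    'SCRIPTWHITELIST="/usr/bin/groups /usr/bin/ldd /usr/bin/whatis"',
    'ALLOWHIDDENDIR="/dev/.udev"',
    'ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"',
    'ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"',
    'ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"',
    'ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"',
}

def apply_cpanel_whitelist(conf: str) -> str:
    """Return conf with the thread's edits applied; safe to run twice."""
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        m = re.match(r'^DISABLE_TESTS="([^"]*)"$', stripped)
        if m:
            tests = m.group(1).split()
            # Put the new values at the front, skipping any already present.
            tests = [t for t in EXTRA_TESTS if t not in tests] + tests
            out.append('DISABLE_TESTS="%s"' % " ".join(tests))
        elif stripped.startswith("#") and stripped[1:].strip() in UNCOMMENT:
            out.append(stripped[1:].strip())  # drop the leading "#"
        else:
            out.append(line)  # every other line, commented or not, is untouched
    return "\n".join(out) + "\n"

def enabled_values(conf: str, key: str) -> list:
    """Values of every active (uncommented) KEY="..." line, in file order."""
    pat = re.compile(r'^%s="([^"]*)"$' % re.escape(key))
    return [m.group(1) for m in (pat.match(l.strip()) for l in conf.splitlines()) if m]
```

On a real server, read /etc/rkhunter.conf into `conf`, write the result back, then re-run `rkhunter --check` and confirm only the items you deliberately whitelisted have disappeared.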
     
  6. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Does this work on dedicated servers with kernel 2.6.18?
     