Multiple Rootkit Hunter Cron warnings

LukeDouglas

Active Member
Nov 22, 2010
30
1
58
I am getting dozens of emails with various warnings. I suspect they are false positives but wanted confirmation.

Here is text from just one of the emails:

Code:
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 171 files, found 145
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR_LOG
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR_LOG
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SNIFFER_LOG
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_TROJAN_XINETD_LOG
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
         /dev/.udev/queue.bin: data
         /dev/.udev/db/block:vda1: ASCII text
         /dev/.udev/db/input:event0: ASCII text
         /dev/.udev/db/input:event1: ASCII text
         /dev/.udev/db/input:js0: ASCII text
         /dev/.udev/db/input:mouse1: ASCII text
         /dev/.udev/db/input:event3: ASCII text
         /dev/.udev/db/net:eth0: ASCII text
         /dev/.udev/db/block:vdb: ASCII text
         /dev/.udev/db/input:mouse2: ASCII text
         /dev/.udev/db/input:event4: ASCII text
         /dev/.udev/db/input:event2: ASCII text
         /dev/.udev/db/block:vda: ASCII text
         /dev/.udev/db/block:ram6: ASCII text
         /dev/.udev/db/block:ram7: ASCII text
         /dev/.udev/db/block:ram9: ASCII text
         /dev/.udev/db/block:ram8: ASCII text
         /dev/.udev/db/block:ram11: ASCII text
         /dev/.udev/db/block:loop4: ASCII text
         /dev/.udev/db/block:ram3: ASCII text
         /dev/.udev/db/block:ram13: ASCII text
         /dev/.udev/db/block:ram4: ASCII text
         /dev/.udev/db/block:loop6: ASCII text
         /dev/.udev/db/block:loop5: ASCII text
         /dev/.udev/db/block:ram2: ASCII text
         /dev/.udev/db/block:ram14: ASCII text
         /dev/.udev/db/block:loop7: ASCII text
         /dev/.udev/db/block:ram15: ASCII text
         /dev/.udev/db/block:ram5: ASCII text
         /dev/.udev/db/block:ram0: ASCII text
         /dev/.udev/db/block:loop0: ASCII text
         /dev/.udev/db/block:loop1: ASCII text
         /dev/.udev/db/block:ram1: ASCII text
         /dev/.udev/db/block:ram10: ASCII text
         /dev/.udev/db/block:loop2: ASCII text
         /dev/.udev/db/block:ram12: ASCII text
         /dev/.udev/db/block:loop3: ASCII text
         /dev/.udev/db/usb:1-1: ASCII text
         /dev/.udev/db/usb:usb1: ASCII text
         /dev/.udev/db/serio:serio0: ASCII text
         /dev/.udev/rules.d/99-root.rules: ASCII text
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /etc/.brand: ASCII text
Warning: Hidden file found: /etc/.domainips.swp: Vim swap file, version 7.4
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
After reading various posts, I ran the following:

Code:
[email protected] [~]# rpm -qf /usr/sbin/sssd
error: file /usr/sbin/sssd: No such file or directory
[email protected] [~]# /var/cpanel/updatelogs/last
-bash: /var/cpanel/updatelogs/last: Permission denied
I am using OpenSSL for most clients currently. I'm not sure why I got a Permission denied on checking the logs.

So I did a 'crontab' and got the following:

Code:
[email protected] [~]# crontab -l
SHELL="/bin/bash"
0 8,20 * * * /root/chkrootkit.sh | grep -v .packlist

SHELL="/bin/bash"
0 8,20 * * * /root/rkhunter.sh

SHELL="/bin/bash"
10 0 * * * perl /usr/mscpanel/mscpanel.pl > /dev/null 2>&1

SHELL="/bin/bash"
# 20 0 * * * /usr/sbin/service clamd restart > /dev/null 2>&1

SHELL="/bin/bash"
0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1

SHELL="/bin/bash"
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1

SHELL="/bin/bash"
48 15 * * 0 (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)

SHELL="/bin/bash"
36 4 * * * /usr/local/cpanel/scripts/cpbackup

SHELL="/bin/bash"
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check

SHELL="/bin/bash"

SHELL="/bin/bash"
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache

SHELL="/bin/bash"
25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1

SHELL="/bin/bash"
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1

SHELL="/bin/bash"
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1

SHELL="/bin/bash"
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1

SHELL="/bin/bash"
48 22 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify

SHELL="/bin/bash"
8,23,38,53 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1

SHELL="/bin/bash"
0 2 * * * /usr/local/cpanel/bin/backup

SHELL="/bin/bash"
25 3 * * * /root/bin/sys-snap --cron

SHELL="/bin/bash"
17 20 * * * /usr/local/cpanel/3rdparty/quickinstall/scripts/getCache.pl

SHELL="/bin/bash"

SHELL="/bin/bash"
@reboot /usr/local/cpanel/bin/onboot_handler
40 0 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
12 2 * * 0 /usr/local/cpanel/bin/cloudflare_update.sh >/dev/null 2>&1
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
[email protected] [~]#
I regret my lack of knowledge but any useful feedback would be greatly appreciated.
 
Last edited by a moderator:

ES - George

Well-Known Member
PartnerNOC
Jun 12, 2011
179
24
68
UK
cPanel Access Level
DataCenter Provider
Twitter
[email protected] [~]# /var/cpanel/updatelogs/last
-bash: /var/cpanel/updatelogs/last: Permission denied
[/code]
I am using OpenSSL for most clients currently. I'm not sure why I got a Permission denied on checking the logs.
To view this log, you'll need to use a text editor, such as cat, or nano, for example:

# cat /var/cpanel/updatelogs/last

In relation to your crontab, to give you a bit of perspective and food for thought, below is a completely clean/standard copy on a freshly installed cPanel machine, you may like to compare it against what you've got, looking at any cron jobs you don't recognize, and finding out what they do:

Code:
[[email protected] /]# crontab -l
@reboot /usr/local/cpanel/bin/onboot_handler
4 3 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
39 2 * * * (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
0 1 * * * /usr/local/cpanel/scripts/cpbackup
0 2 * * * /usr/local/cpanel/bin/backup
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
0,15,30,45 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
[[email protected] /]#
If in doubt, I suggest hiring a systems administrator with experience dealing with such matters. There's a list of potential candidates, here:

System Administration Services | cPanel Forums
 
  • Like
Reactions: Infopro