I am getting dozens of emails with various warnings. I suspect they are false positives but wanted confirmation.

After reading various posts, I ran the following:
I am using OpenSSL for most clients currently. I'm not sure why I got a Permission denied on checking the logs.
I regret my lack of knowledge but any useful feedback would be greatly appreciated.

Here is text from just one of the emails:
Code:
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 171 files, found 145
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --log-indent 2 ROOTKIT_MALWARE_LOGIN_BDOOR_LOG
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SUSP_DIR_LOG
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_MALWARE_SNIFFER_LOG
Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type PLAIN --nl --log-indent 2 ROOTKIT_TROJAN_XINETD_LOG
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
/dev/.udev/db/block:vda1: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/block:vdb: ASCII text
/dev/.udev/db/input:mouse2: ASCII text
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/block:vda: ASCII text
/dev/.udev/db/block:ram6: ASCII text
/dev/.udev/db/block:ram7: ASCII text
/dev/.udev/db/block:ram9: ASCII text
/dev/.udev/db/block:ram8: ASCII text
/dev/.udev/db/block:ram11: ASCII text
/dev/.udev/db/block:loop4: ASCII text
/dev/.udev/db/block:ram3: ASCII text
/dev/.udev/db/block:ram13: ASCII text
/dev/.udev/db/block:ram4: ASCII text
/dev/.udev/db/block:loop6: ASCII text
/dev/.udev/db/block:loop5: ASCII text
/dev/.udev/db/block:ram2: ASCII text
/dev/.udev/db/block:ram14: ASCII text
/dev/.udev/db/block:loop7: ASCII text
/dev/.udev/db/block:ram15: ASCII text
/dev/.udev/db/block:ram5: ASCII text
/dev/.udev/db/block:ram0: ASCII text
/dev/.udev/db/block:loop0: ASCII text
/dev/.udev/db/block:loop1: ASCII text
/dev/.udev/db/block:ram1: ASCII text
/dev/.udev/db/block:ram10: ASCII text
/dev/.udev/db/block:loop2: ASCII text
/dev/.udev/db/block:ram12: ASCII text
/dev/.udev/db/block:loop3: ASCII text
/dev/.udev/db/usb:1-1: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
/dev/.udev/rules.d/99-root.rules: ASCII text
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /etc/.brand: ASCII text
Warning: Hidden file found: /etc/.domainips.swp: Vim swap file, version 7.4
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Code:
[email protected] [~]# rpm -qf /usr/sbin/sssd
error: file /usr/sbin/sssd: No such file or directory
[email protected] [~]# /var/cpanel/updatelogs/last
-bash: /var/cpanel/updatelogs/last: Permission denied
So I did a 'crontab' and got the following:
Code:
[email protected] [~]# crontab -l
SHELL="/bin/bash"
0 8,20 * * * /root/chkrootkit.sh | grep -v .packlist
SHELL="/bin/bash"
0 8,20 * * * /root/rkhunter.sh
SHELL="/bin/bash"
10 0 * * * perl /usr/mscpanel/mscpanel.pl > /dev/null 2>&1
SHELL="/bin/bash"
# 20 0 * * * /usr/sbin/service clamd restart > /dev/null 2>&1
SHELL="/bin/bash"
0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
SHELL="/bin/bash"
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
SHELL="/bin/bash"
48 15 * * 0 (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
SHELL="/bin/bash"
36 4 * * * /usr/local/cpanel/scripts/cpbackup
SHELL="/bin/bash"
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
SHELL="/bin/bash"
SHELL="/bin/bash"
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
SHELL="/bin/bash"
25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
SHELL="/bin/bash"
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
SHELL="/bin/bash"
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
SHELL="/bin/bash"
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
SHELL="/bin/bash"
48 22 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
SHELL="/bin/bash"
8,23,38,53 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
SHELL="/bin/bash"
0 2 * * * /usr/local/cpanel/bin/backup
SHELL="/bin/bash"
25 3 * * * /root/bin/sys-snap --cron
SHELL="/bin/bash"
17 20 * * * /usr/local/cpanel/3rdparty/quickinstall/scripts/getCache.pl
SHELL="/bin/bash"
SHELL="/bin/bash"
@reboot /usr/local/cpanel/bin/onboot_handler
40 0 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
12 2 * * 0 /usr/local/cpanel/bin/cloudflare_update.sh >/dev/null 2>&1
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
[email protected] [~]#