The Community Forums


RKHunter all of a sudden throws a lot of warnings.

Discussion in 'General Discussion' started by betoranaldi, Feb 3, 2008.

  1. betoranaldi (Well-Known Member)

    So I run rkhunter every night. Just last night it started throwing a ton of warnings.

    I have not had any root or wheel user logins over the past week and nothing seems strange in the rest of the system.

    What would cause this, and how can I store the new file properties so that they don't show as warnings? Is this something I should be concerned about?

    A closer look at the warnings shows that the file properties have changed (inode change).

    Code:
        /bin/awk                                                 [ Warning ]
        /bin/basename                                            [ Warning ]
        /bin/bash                                                [ Warning ]
        /bin/cat                                                 [ Warning ]
        /bin/chmod                                               [ Warning ]
        /bin/chown                                               [ Warning ]
        /bin/cp                                                  [ Warning ]
        /bin/csh                                                 [ Warning ]
        /bin/cut                                                 [ Warning ]
        /bin/date                                                [ Warning ]
        /bin/df                                                  [ Warning ]
        /bin/dmesg                                               [ Warning ]
        /bin/echo                                                [ Warning ]
        /bin/ed                                                  [ Warning ]
        /bin/egrep                                               [ Warning ]
        /bin/env                                                 [ Warning ]
        /bin/fgrep                                               [ Warning ]
        /bin/grep                                                [ Warning ]
        /bin/kill                                                [ Warning ]
        /bin/login                                               [ Warning ]
        /bin/ls                                                  [ Warning ]
        /bin/mail                                                [ Warning ]
        /bin/mktemp                                              [ Warning ]
        /bin/more                                                [ Warning ]
        /bin/mount                                               [ Warning ]
        /bin/mv                                                  [ Warning ]
        /bin/netstat                                             [ Warning ]
        /bin/passwd                                              [ Warning ]
        /bin/ps                                                  [ Warning ]
        /bin/pwd                                                 [ Warning ]
        /bin/rpm                                                 [ Warning ]
        /bin/sed                                                 [ Warning ]
        /bin/sh                                                  [ Warning ]
        /bin/sort                                                [ Warning ]
        /bin/su                                                  [ Warning ]
        /bin/touch                                               [ Warning ]
        /bin/uname                                               [ Warning ]
        /bin/gawk                                                [ Warning ]
        /bin/tcsh                                                [ Warning ]
        /usr/bin/awk                                             [ Warning ]
        /usr/bin/chattr                                          [ Warning ]
        /usr/bin/curl                                            [ Warning ]
        /usr/bin/cut                                             [ Warning ]
        /usr/bin/diff                                            [ Warning ]
        /usr/bin/dirname                                         [ Warning ]
        /usr/bin/du                                              [ Warning ]
        /usr/bin/env                                             [ Warning ]
        /usr/bin/file                                            [ Warning ]
        /usr/bin/find                                            [ Warning ]
        /usr/bin/groups                                          [ Warning ]
        /usr/bin/head                                            [ Warning ]
        /usr/bin/id                                              [ Warning ]
        /usr/bin/kill                                            [ Warning ]
        /usr/bin/killall                                         [ Warning ]
        /usr/bin/last                                            [ Warning ]
        /usr/bin/lastlog                                         [ Warning ]
        /usr/bin/ldd                                             [ Warning ]
        /usr/bin/less                                            [ Warning ]
        /usr/bin/locate                                          [ Warning ]
        /usr/bin/logger                                          [ Warning ]
        /usr/bin/lsattr                                          [ Warning ]
        /usr/bin/lynx                                            [ Warning ]
        /usr/bin/md5sum                                          [ Warning ]
        /usr/bin/newgrp                                          [ Warning ]
        /usr/bin/passwd                                          [ Warning ]
        /usr/bin/perl                                            [ Warning ]
        /usr/bin/pstree                                          [ Warning ]
        /usr/bin/readlink                                        [ Warning ]
        /usr/bin/runcon                                          [ Warning ]
        /usr/bin/sha1sum                                         [ Warning ]
        /usr/bin/size                                            [ Warning ]
        /usr/bin/stat                                            [ Warning ]
        /usr/bin/strace                                          [ Warning ]
        /usr/bin/strings                                         [ Warning ]
        /usr/bin/sudo                                            [ Warning ]
        /usr/bin/tail                                            [ Warning ]
        /usr/bin/test                                            [ Warning ]
        /usr/bin/top                                             [ Warning ]
        /usr/bin/tr                                              [ Warning ]
        /usr/bin/uniq                                            [ Warning ]
        /usr/bin/users                                           [ Warning ]
        /usr/bin/vmstat                                          [ Warning ]
        /usr/bin/w                                               [ Warning ]
        /usr/bin/watch                                           [ Warning ]
        /usr/bin/wc                                              [ Warning ]
        /usr/bin/wget                                            [ Warning ]
        /usr/bin/whatis                                          [ Warning ]
        /usr/bin/whereis                                         [ Warning ]
        /usr/bin/which                                           [ Warning ]
        /usr/bin/who                                             [ Warning ]
        /usr/bin/whoami                                          [ Warning ]
        /usr/bin/gawk                                            [ Warning ]
        /sbin/chkconfig                                          [ Warning ]
        /sbin/depmod                                             [ Warning ]
        /sbin/ifconfig                                           [ Warning ]
        /sbin/ifdown                                             [ Warning ]
        /sbin/ifup                                               [ Warning ]
        /sbin/init                                               [ Warning ]
        /sbin/insmod                                             [ Warning ]
        /sbin/ip                                                 [ Warning ]
        /sbin/lsmod                                              [ Warning ]
        /sbin/modinfo                                            [ Warning ]
        /sbin/modprobe                                           [ Warning ]
        /sbin/nologin                                            [ Warning ]
        /sbin/rmmod                                              [ Warning ]
        /sbin/runlevel                                           [ Warning ]
        /sbin/sulogin                                            [ Warning ]
        /sbin/sysctl                                             [ Warning ]
        /sbin/syslogd                                            [ Warning ]
        /usr/sbin/adduser                                        [ Warning ]
        /usr/sbin/chroot                                         [ Warning ]
        /usr/sbin/groupadd                                       [ Warning ]
        /usr/sbin/groupdel                                       [ Warning ]
        /usr/sbin/groupmod                                       [ Warning ]
        /usr/sbin/grpck                                          [ Warning ]
        /usr/sbin/lsof                                           [ Warning ]
        /usr/sbin/pwck                                           [ Warning ]
        /usr/sbin/sestatus                                       [ Warning ]
        /usr/sbin/tcpd                                           [ Warning ]
        /usr/sbin/useradd                                        [ Warning ]
        /usr/sbin/userdel                                        [ Warning ]
        /usr/sbin/usermod                                        [ Warning ]
        /usr/sbin/vipw                                           [ Warning ]
        /usr/sbin/xinetd                                         [ Warning ]
        /usr/local/bin/perl                                      [ Warning ]
        /usr/local/bin/rkhunter                                  [ Warning ]
    
     
  2. nabuhonodozor (Member)

    Check if cPanel autoupdated.
     
  3. AndyReed (Well-Known Member, PartnerNOC)

    You need to take this issue seriously and look into your server for possible compromise. Are you getting the kind of errors mentioned in this article: http://servertune.com/kbase/entry/267/
     
  4. dflteche (Member)

    No, I do not think this is very serious at all if you haven't done the below:

    # rkhunter --update
    (what it does: check for updates to database files)
    # rkhunter --propupd
    (what it does: update the file properties database)

    # rkhunter -c
    (what it does: now don't ask me what the above command does :) )

    The reason you are getting the warning messages might be due to an outdated rkhunter database. Run the above commands and then try running "rkhunter -c" to see if you still receive warning messages :)
     
  5. bilsalak (Member)

    The # rkhunter --propupd command will update the file properties database as dflteche said, but it should not be done casually. Running that command is basically telling Rkhunter that you assume that the files on your system are safe. Rkhunter then records the file properties, and any changes to these files are then compared against the known (good) state of the files that you created by using the --propupd command.

    It should be obvious to you by now that if your server is compromised and files are modified, the last thing you want to do is record them as a known (good) state of the file. Beyond the basic checks for known trojans and viruses, Rkhunter can only tell you that something changed.

    My advice for the future is to implement a policy of manual updates on a regular schedule, then make it part of your process to run Rkhunter and update (via propupd) at this time if appropriate. Any assumptions about when a file is "good" or "bad" without verification make tools like Rkhunter useless, and you might as well not have it installed.
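
The two posts above describe what `rkhunter --propupd` and the file-properties check do and why re-baselining unverified files is dangerous. The script below is an added illustration written for this thread, not rkhunter's own code or anything from the cPanel project: a toy properties database that records the same kind of attributes rkhunter stores (inode, mode, owner, size, hash) and reports which of them changed. The demo builds three fake "binaries" in a temporary directory (constructed input, never /bin) and replays the thread's situation: one file is replaced the way a package update does it (new file renamed over the old path, so only the inode changes, as in betoranaldi's output), one is edited in place, and then a blind `--propupd` makes both changes disappear from the next check. Function names (`propupd`, `check_props`, `demo`) are this example's own.

```python
"""Toy re-implementation of rkhunter's file-properties test (added example,
not rkhunter's code).  propupd() records the current state as known-good;
check_props() reports which recorded properties differ from that baseline."""
import hashlib
import json
import os
import stat
import tempfile

# Properties compared, in the order they are reported.
TRACKED = ("inode", "mode", "uid", "gid", "size", "sha256")


def file_props(path):
    """Collect the properties the baseline stores for one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "inode": st.st_ino,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": digest.hexdigest(),
    }


def propupd(paths, db_path):
    """Like `rkhunter --propupd`: record the CURRENT state as known-good.
    Note that nothing here verifies that the current state actually is good."""
    baseline = {p: file_props(p) for p in paths}
    with open(db_path, "w") as fh:
        json.dump(baseline, fh)
    return baseline


def check_props(paths, db_path):
    """Like the file-properties test: return {path: [changed property names]}.
    Vanished paths report ["missing"], paths absent from the DB ["untracked"]."""
    with open(db_path) as fh:
        baseline = json.load(fh)
    warnings = {}
    for p in paths:
        if p not in baseline:
            warnings[p] = ["untracked"]
        elif not os.path.exists(p):
            warnings[p] = ["missing"]
        else:
            now = file_props(p)
            changed = [k for k in TRACKED if now[k] != baseline[p][k]]
            if changed:
                warnings[p] = changed
    return warnings


def demo():
    """Replay the thread on fake binaries in a temp dir.  Returns
    (warnings after the changes, warnings after a blind propupd), keyed by
    basename so the result does not depend on the temp directory name."""
    root = tempfile.mkdtemp(prefix="rkdemo-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    paths = [os.path.join(bindir, n) for n in ("ls", "ps", "netstat")]
    for p in paths:                          # constructed stand-ins for binaries
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\necho original %s\n" % os.path.basename(p).encode())
        os.chmod(p, 0o755)
    db = os.path.join(root, "rkhunter.dat")

    propupd(paths, db)                       # initial known-good baseline
    assert check_props(paths, db) == {}      # clean immediately afterwards

    # Package-manager style replacement: write a new file, rename it over the
    # old path.  Content and permissions are identical; only the inode changes.
    tmp = paths[0] + ".new"
    with open(paths[0], "rb") as src, open(tmp, "wb") as dst:
        dst.write(src.read())
    os.chmod(tmp, 0o755)
    os.replace(tmp, paths[0])

    # In-place edit of ps: same inode, but size and hash differ.
    with open(paths[1], "ab") as fh:
        fh.write(b"# tampered\n")

    after_changes = {os.path.basename(p): v for p, v in check_props(paths, db).items()}

    # Blind --propupd accepts BOTH changes as the new known-good state.
    propupd(paths, db)
    after_blind_propupd = {os.path.basename(p): v for p, v in check_props(paths, db).items()}
    return after_changes, after_blind_propupd


if __name__ == "__main__":
    before, after = demo()
    for name, fields in before.items():
        print(f"{name:20s} [ Warning ] changed: {', '.join(fields)}")
    print("after blind --propupd:", after or "no warnings (changes silently accepted)")
```

The `ls` line in the report shows an inode-only change, which is exactly what a package update leaves behind and is consistent with nabuhonodozor's suggestion to check whether cPanel autoupdated; the `ps` line shows a content change with the inode intact, which an update would not normally produce. The second result is bilsalak's point: after `--propupd` the tool has no memory that anything changed, so the verification step (on an RPM-based system, `rpm -V` against the package that owns each warned path) belongs before `--propupd`, not after.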
     