chanklish

Well-Known Member
cPanel Access Level
Root Administrator
Hello awesome people,
I installed rkhunter on my VPS and received the first scan log, but I understood nothing, as I am new to the security world of cPanel.
Can someone please explain the warnings:

Code:
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
  This version  : 1.4.6
  Latest version: 1.4.6
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
  Checking file i18n/ja                                      [ No update ]
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: Perl script, ASCII text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/local/bin/passwd
         Current hash: c53bf7524e095c0f44e4198ee7c359fe22b526cf357b8ae36d68a0b117bf74bd
         Stored hash : 0843b3b3f490170790a943e005eb71f589426b5eec9c5f128032b71a4a3f98e4
Warning: The file properties have changed:
         File: /usr/local/cpanel/bin/jail_safe_passwd
         Current hash: c53bf7524e095c0f44e4198ee7c359fe22b526cf357b8ae36d68a0b117bf74bd
         Stored hash : 0843b3b3f490170790a943e005eb71f589426b5eec9c5f128032b71a4a3f98e4
         Current inode: 18575    Stored inode: 18221
         Current size: 3112504    Stored size: 3305912
         Current file modification time: 1543533562 (30-Nov-2018 00:19:22)
         Stored file modification time : 1538522375 (03-Oct-2018 00:19:35)
Warning: No output found from the lsmod command or the /proc/modules file:
         /proc/modules output:
         lsmod output:
Warning: The kernel modules directory '/lib/modules' is missing or empty.
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: The SSH configuration option 'Protocol' has not been set.
         The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden file found: /etc/.updated: ASCII text
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
 

cPanelMichael

Administrator
Staff member
Hello @chanklish,

I see many of the same warnings when running RkHunter on a newly installed test system running cPanel & WHM version 76. Thus, it's likely these warnings are false positives. That said, third-party rootkit hunters such as RKhunter aren't necessarily a proven method of maintaining a secure system. We provide a section on these applications you may find informative at:

Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

You may also find the discussion on the following threads useful, especially for the "file properties have changed" warnings:

FAILED the md5sum comparison test - how to know when updates occur?
rkhunter warning package manager verification has failed

Additionally, we provide a list of companies offering system administration services on the following link should you decide to hire a security expert to review your system:

System Administration Services | cPanel Forums

Thank you.
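
As an added example (not part of either post above, and not rkhunter's or cPanel's own code), this Python parser reads rkhunter warning text in the format of the log in the first post, collects the "replaced by a script" paths with the file type rkhunter reported, and groups "file properties have changed" entries by their stored and current hashes. The function and variable names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the scan log in the first post.
SAMPLE_LOG = """\
  Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/local/bin/passwd
         Current hash: c53bf7524e095c0f44e4198ee7c359fe22b526cf357b8ae36d68a0b117bf74bd
         Stored hash : 0843b3b3f490170790a943e005eb71f589426b5eec9c5f128032b71a4a3f98e4
Warning: The file properties have changed:
         File: /usr/local/cpanel/bin/jail_safe_passwd
         Current hash: c53bf7524e095c0f44e4198ee7c359fe22b526cf357b8ae36d68a0b117bf74bd
         Stored hash : 0843b3b3f490170790a943e005eb71f589426b5eec9c5f128032b71a4a3f98e4
         Current inode: 18575    Stored inode: 18221
"""

# Terminal colour/cursor sequences, with or without the leading ESC byte.
ANSI = re.compile(r"\x1b?\[[0-9;]+[mC]")
SCRIPT = re.compile(r"^Warning: The command '(?P<path>[^']+)' has been replaced by a script: .*?: (?P<kind>.+)$")
FIELD = re.compile(r"^\s+(?P<key>File|Current hash|Stored hash)\s*: (?P<val>\S+)")

def parse_warnings(text):
    """Return (replaced_scripts, changed_files) parsed from rkhunter warning text."""
    scripts, changed, current = {}, [], None
    for raw in text.splitlines():
        line = ANSI.sub("", raw)
        if line.startswith("Warning:"):
            current = None  # a new warning closes any open file record
        if m := SCRIPT.match(line):
            scripts[m["path"]] = m["kind"]
        elif line.startswith("Warning: The file properties have changed"):
            current = {}
            changed.append(current)
        elif current is not None and (f := FIELD.match(line)):
            current[f["key"]] = f["val"]  # indented detail line of the open record
    return scripts, changed

def group_by_hash_change(changed):
    """Map (stored hash, current hash) to the files that made exactly that change."""
    groups = defaultdict(list)
    for rec in changed:
        groups[(rec.get("Stored hash"), rec.get("Current hash"))].append(rec.get("File"))
    return dict(groups)

if __name__ == "__main__":
    scripts, changed = parse_warnings(SAMPLE_LOG)
    print(scripts, group_by_hash_change(changed))
```

The grouping only shows which entries went from the same stored hash to the same current hash; whether each file is legitimate still has to be confirmed on the host itself.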