The Community Forums


rkhunter : I have some bad "System tools" ?

Discussion in 'General Discussion' started by Nikoms, Nov 28, 2007.

  1. Nikoms

    Nikoms Member

    Joined:
    Nov 29, 2006
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    I receive my rkhunter mail every day... I never read the mail because I'm very busy... But today I decided to open it and check whether everything was OK on my server... But it seems that there is a problem :p

    Here is what I received (in red: an error :) ):


    Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
    Using mirror http://rkhunter.sourceforge.net
    [DB] Mirror file : Up to date
    [DB] MD5 hashes system binaries : Up to date
    [DB] Operating System information : Up to date
    [DB] MD5 blacklisted tools/binaries : Up to date
    [DB] Known good program versions : Up to date
    [DB] Known bad program versions : Up to date




    Ready.


    Rootkit Hunter 1.2.9 is running

    Determining OS... Ready


    Checking binaries
    * Selftests
    Strings (command) [ OK ]


    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /bin/cat [ BAD ]
    /bin/chmod [ BAD ]
    /bin/chown [ BAD ]
    /bin/date [ BAD ]
    /bin/dmesg [ BAD ]
    /bin/env [ BAD ]
    /bin/grep [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/ls [ BAD ]
    /bin/more [ BAD ]
    /bin/mount [ BAD ]
    /bin/netstat [ BAD ]
    /bin/ps [ BAD ]
    /bin/su [ BAD ]
    /sbin/chkconfig [ BAD ]
    /sbin/depmod [ BAD ]
    /sbin/ifconfig [ BAD ]
    /sbin/init [ BAD ]
    /sbin/insmod [ BAD ]
    /sbin/ip [ BAD ]
    /sbin/lsmod [ BAD ]
    /sbin/modinfo [ BAD ]
    /sbin/modprobe [ BAD ]
    /sbin/rmmod [ BAD ]
    /sbin/runlevel [ BAD ]
    /sbin/sulogin [ BAD ]
    /sbin/sysctl [ BAD ]
    /sbin/syslogd [ BAD ]
    /usr/bin/chattr [ BAD ]
    /usr/bin/du [ BAD ]
    /usr/bin/file [ BAD ]
    /usr/bin/find [ BAD ]
    /usr/bin/head [ BAD ]
    /usr/bin/killall [ BAD ]
    /usr/bin/lsattr [ BAD ]
    /usr/bin/passwd [ BAD ]
    /usr/bin/pstree [ BAD ]
    /usr/bin/sha1sum [ BAD ]
    /usr/bin/stat [ BAD ]
    /usr/bin/top [ BAD ]
    /usr/bin/users [ BAD ]
    /usr/bin/vmstat [ BAD ]
    /usr/bin/w [ BAD ]
    /usr/bin/watch [ BAD ]
    /usr/bin/wc [ BAD ]
    /usr/bin/wget [ BAD ]
    /usr/bin/whereis [ BAD ]
    /usr/bin/who [ BAD ]
    /usr/bin/whoami [ BAD ]
    --------------------------------------------------------------------------------
    Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
    binaries or updated packages (which give other hashes). Be sure your hashes are
    up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
    us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
    --------------------------------------------------------------------------------


    Check rootkits
    * Default files and directories
    Rootkit '55808 Trojan - Variant A'... [ OK ]
    ADM Worm... [ OK ]
    Rootkit 'AjaKit'... [ OK ]
    Rootkit 'aPa Kit'... [ OK ]
    Rootkit 'Apache Worm'... [ OK ]
    Rootkit 'Ambient (ark) Rootkit'... [ OK ]
    Rootkit 'Balaur Rootkit'... [ OK ]
    Rootkit 'BeastKit'... [ OK ]
    Rootkit 'beX2'... [ OK ]
    Rootkit 'BOBKit'... [ OK ]
    Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
    Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
    Rootkit 'Devil RootKit'... [ OK ]
    Rootkit 'Dica'... [ OK ]
    Rootkit 'Dreams Rootkit'... [ OK ]
    Rootkit 'Duarawkz'... [ OK ]
    Rootkit 'Flea Linux Rootkit'... [ OK ]
    Rootkit 'FreeBSD Rootkit'... [ OK ]
    Rootkit '****`it Rootkit'... [ OK ]
    Rootkit 'GasKit'... [ OK ]
    Rootkit 'Heroin LKM'... [ OK ]
    Rootkit 'HjC Kit'... [ OK ]
    Rootkit 'ignoKit'... [ OK ]
    Rootkit 'ImperalsS-FBRK'... [ OK ]
    Rootkit 'Irix Rootkit'... [ OK ]
    Rootkit 'Kitko'... [ OK ]
    Rootkit 'Knark'... [ OK ]
    Rootkit 'Li0n Worm'... [ OK ]
    Rootkit 'Lockit / LJK2'... [ OK ]
    Rootkit 'MRK'... [ OK ]
    Rootkit 'Ni0 Rootkit'... [ OK ]
    Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
    Rootkit 'Optic Kit (Tux)'... [ OK ]
    Rootkit 'Oz Rootkit'... [ OK ]
    Rootkit 'Portacelo'... [ OK ]
    Rootkit 'R3dstorm Toolkit'... [ OK ]
    Rootkit 'RH-Sharpe's rootkit'... [ OK ]
    Rootkit 'RSHA's rootkit'... [ OK ]
    Sebek LKM... [ OK ]
    Rootkit 'Scalper Worm'... [ OK ]
    Rootkit 'Shutdown'... [ OK ]
    Rootkit 'SHV4'... [ OK ]
    Rootkit 'SHV5'... [ OK ]
    Rootkit 'Sin Rootkit'... [ OK ]
    Rootkit 'Slapper'... [ OK ]
    Rootkit 'Sneakin Rootkit'... [ OK ]
    Rootkit 'Suckit Rootkit'... [ OK ]
    Rootkit 'SunOS Rootkit'... [ OK ]
    Rootkit 'Superkit'... [ OK ]
    Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
    Rootkit 'TeLeKiT'... [ OK ]
    Rootkit 'T0rn Rootkit'... [ OK ]
    Rootkit 'Trojanit Kit'... [ OK ]
    Rootkit 'Tuxtendo'... [ OK ]
    Rootkit 'URK'... [ OK ]
    Rootkit 'VcKit'... [ OK ]
    Rootkit 'Volc Rootkit'... [ OK ]
    Rootkit 'X-Org SunOS Rootkit'... [ OK ]
    Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

    * Suspicious files and malware
    Scanning for known rootkit strings [ OK ]
    Scanning for known rootkit files [ OK ]
    Testing running processes... [ OK ]
    Miscellaneous Login backdoors [ OK ]
    Miscellaneous directories [ OK ]
    Software related files [ OK ]
    Sniffer logs [ OK ]

    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1 [ Clean ]
    Test 2 [ Clean ]
    Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Not found ]
    Checking /etc/xinetd.conf [ Clean ]

    * Suspicious file properties
    chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]
    Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]

    * OS dependant tests

    Linux
    Checking loaded kernel modules... [ OK ]
    Checking file attributes [ OK ]
    Checking LKM module path [ OK ]


    Networking
    * Check: frequently used backdoors
    Port 2001: Scalper Rootkit [ OK ]
    Port 2006: CB Rootkit [ OK ]
    Port 2128: MRK [ OK ]
    Port 14856: Optic Kit (Tux) [ OK ]
    Port 47107: T0rn Rootkit [ OK ]
    Port 60922: zaRwT.KiT [ OK ]

    * Interfaces
    Scanning for promiscuous interfaces... [ OK ]


    System checks
    * Allround tests
    Checking hostname... Found. Hostname is admin.namico.be
    Checking for passwordless user accounts... OK
    Checking for differences in user accounts... OK. No changes.
    Checking for differences in user groups... OK. No changes.
    Checking boot.local/rc.local file...
    - /etc/rc.local [ OK ]
    - /etc/rc.d/rc.local [ OK ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    - /etc/conf.d/local.start [ Not found ]
    - /etc/init.d/boot.local [ Not found ]
    Checking rc.d files...
    Processing........................................
    Result rc.d files check [ OK ]
    Checking history files
    Bourne Shell [ OK ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ Warning! ]
    ---------------
    /etc/.pwd.lock
    /etc/.whostmgrft
    /dev/.udevdb
    ---------------
    Please inspect: /dev/.udevdb (directory)


    Application advisories
    * Application scan
    Checking Apache2 modules ... [ Not found ]
    Checking Apache configuration ... [ OK ]


    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ OK ]

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
    Hint: See logfile for more information about this issue
    Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

    * Check: Events and Logging
    Search for syslog configuration... [ OK ]
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]


    ---------------------------- Scan results ----------------------------

    MD5 scan
    Scanned files: 50
    Incorrect MD5 checksums: 50

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Skipped

    Scanning took 182 seconds





    What do I have to do to clean this up?

    Thank you!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Click that link at the top of the mail and read that rkhunter has been updated. Upgrade yours.
     
  3. AnilR

    AnilR Active Member

    Joined:
    Nov 24, 2007
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    ...try this out

    # rkhunter --update

    And compile Rkhunter again to see if the md5sum errors still exist.

    # rkhunter -c
     
  4. Nikoms

    Nikoms Member

    Joined:
    Nov 29, 2006
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Hello... I tried to update, but it seems that everything is up to date...


    root@admin [~]# rkhunter --update
    Running updater...

    Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
    Using mirror http://rkhunter.sourceforge.net
    [DB] Mirror file : Up to date
    [DB] MD5 hashes system binaries : Up to date
    [DB] Operating System information : Up to date
    [DB] MD5 blacklisted tools/binaries : Up to date
    [DB] Known good program versions : Up to date
    [DB] Known bad program versions : Up to date




    Ready.
    root@admin [~]# rkhunter -c


    Rootkit Hunter 1.2.9 is running

    Determining OS... Ready


    Checking binaries
    * Selftests
    Strings (command) [ OK ]


    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /bin/cat [ BAD ]
    /bin/chmod [ BAD ]
    /bin/chown [ BAD ]
    /bin/date [ BAD ]
    /bin/dmesg [ BAD ]
    /bin/env [ BAD ]
    /bin/grep [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/ls [ BAD ]
    /bin/more [ BAD ]
    /bin/mount [ BAD ]
    /bin/netstat [ BAD ]
    /bin/ps [ BAD ]
    /bin/su [ BAD ]
    /sbin/chkconfig [ BAD ]
    /sbin/depmod [ BAD ]
    /sbin/ifconfig [ BAD ]
    /sbin/init [ BAD ]
    /sbin/insmod [ BAD ]
    /sbin/ip [ BAD ]
    /sbin/lsmod [ BAD ]
    /sbin/modinfo [ BAD ]
    /sbin/modprobe [ BAD ]
    /sbin/rmmod [ BAD ]
    /sbin/runlevel [ BAD ]
    /sbin/sulogin [ BAD ]
    /sbin/sysctl [ BAD ]
    /sbin/syslogd [ BAD ]
    /usr/bin/chattr [ BAD ]
    /usr/bin/du [ BAD ]
    /usr/bin/file [ BAD ]
    /usr/bin/find [ BAD ]
    /usr/bin/head [ BAD ]
    /usr/bin/killall [ BAD ]
    /usr/bin/lsattr [ BAD ]
    /usr/bin/passwd [ BAD ]
    /usr/bin/pstree [ BAD ]
    /usr/bin/sha1sum [ BAD ]
    /usr/bin/stat [ BAD ]
    /usr/bin/top [ BAD ]
    /usr/bin/users [ BAD ]
    /usr/bin/vmstat [ BAD ]
    /usr/bin/w [ BAD ]
    /usr/bin/watch [ BAD ]
    /usr/bin/wc [ BAD ]
    /usr/bin/wget [ BAD ]
    /usr/bin/whereis [ BAD ]
    /usr/bin/who [ BAD ]
    /usr/bin/whoami [ BAD ]
    --------------------------------------------------------------------------------
    Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
    binaries or updated packages (which give other hashes). Be sure your hashes are
    up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
    us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
    --------------------------------------------------------------------------------
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's not enough; you need to reinstall rkhunter to v1.3.0.
     
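Before (or after) the reinstall chirpy recommends, it is worth knowing whether those fifty [ BAD ] lines are prelink artifacts or real replacements. The two reports above both carry "Info: prelinked files found", and rkhunter 1.2.9 hashes the binary as it sits on disk, so on a host where prelink has rewritten every system tool the hashes differ from the vendor's whether or not anything was tampered with. The script below is an added example, not part of this thread or of rkhunter itself: it pulls the BAD paths out of a saved report (a constructed five-line sample is embedded), asks rpm which package owns each file and verifies it (rpm -V undoes prelinking before comparing, which is what makes it a usable second opinion here), and computes the MD5 of the un-prelinked contents with prelink -y, the value a prelink-aware checker compares. The chkconfig and rc.d paths in the report point to a Red Hat-family host, which is why the example assumes rpm; the function names, result labels and sample report are my own.

```shell
#!/bin/sh
# Added triage helper, not from the thread or from rkhunter.
# rkhunter 1.2.9 hashes the binary as it sits on disk. Where prelink has
# rewritten the binaries (the "Info: prelinked files found" line), every
# hashed tool differs from the vendor hash and shows as [ BAD ], whether or
# not anything was replaced. rpm -V and "prelink -y" both undo prelinking
# before comparing, so they separate prelink noise from a real replacement.

# Constructed sample of a report; in practice feed the saved mail instead.
SAMPLE_REPORT="$(cat <<'EOF'
    Performing 'known good' check...
    /bin/cat [ BAD ]
    /bin/ls [ OK ]
    /usr/bin/whoami [ BAD ]
    Strings (command) [ OK ]
EOF
)"

# Print the absolute paths the report marked [ BAD ], one per line.
bad_paths() {
    printf '%s\n' "$1" | awk '$1 ~ /^\// && $0 ~ /\[ BAD \]/ { print $1 }'
}

# Classify one path against the RPM database. Prints one word:
#   missing     the file does not exist
#   norpm       rpm is not installed, so there is no package to compare against
#   unpackaged  no RPM owns the file: inspect it by hand
#   modified    rpm -V reports an MD5 mismatch after undoing prelink
#   package-ok  rpm -V finds the contents match the installed package
classify() {
    path="$1"
    [ -e "$path" ] || { echo missing; return 0; }
    command -v rpm >/dev/null 2>&1 || { echo norpm; return 0; }
    rpm -qf "$path" >/dev/null 2>&1 || { echo unpackaged; return 0; }
    # rpm -V prints one line per failing file; a "5" in the third column is
    # an MD5 mismatch. rpm runs prelink -y itself on prelinked files, so a
    # clean prelinked binary produces no line at all.
    if rpm -Vf "$path" 2>/dev/null | grep -q "^..5.* $path\$"; then
        echo modified
    else
        echo package-ok
    fi
}

# MD5 of the file with prelinking undone: the value a prelink-aware checker
# compares. prelink -y fails if the file was altered after prelinking, which
# is itself worth knowing. Without prelink on the host, the raw file hash is
# returned; for an unreadable or missing file the label n/a is printed.
unprelinked_md5() {
    [ -r "$1" ] || { echo n/a; return 0; }
    if ! command -v prelink >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
        return 0
    fi
    tmp=$(mktemp) || return 1
    if prelink -y "$1" >"$tmp" 2>/dev/null; then
        md5sum <"$tmp" | cut -d' ' -f1
    else
        echo prelink-verify-failed
    fi
    rm -f "$tmp"
}

# Walk the sample report; on a real box pass in the saved mail instead.
for p in $(bad_paths "$SAMPLE_REPORT"); do
    printf '%-20s %-12s %s\n' "$p" "$(classify "$p")" "$(unprelinked_md5 "$p")"
done
```

A path that comes back package-ok with a stable unprelinked hash is prelink noise; modified, unpackaged or prelink-verify-failed on something like /sbin/init or /bin/login is the case where the thread's "replaced binaries" explanation has to be taken seriously, and rpm's own hash, not rkhunter's, is then the thing to compare against known-good media.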