LukeDouglas

Active Member
Nov 22, 2010
So I have been getting 5-6 emails daily from my server and have been researching how to do updates. However, RKHUNTER seems a bit over my head. I ran a check and have posted the results below. It looks like it is in pretty good shape, but there were 5 suspect files and 1 suspect application. I believe the issue with the OpenSSL application warning is that an outdated version is still on the server, but I don't think it is being used by any website. As far as the files, I'm not sure why these are questionable.

I've attached a TXT file with the results. If anyone can give me some guidance on how to resolve these issues, if they are not 'false' positives, I would appreciate your feedback.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @LukeDouglas,

Here's a quote from our Why Can't I Clean A Hacked Machine document that offers some background information on rootkit hunters:

Third-party rootkit hunters
Utilities like rkhunter and chkrootkit can be just as harmful as they are helpful. While they may provide information about known rootkits, they may also create a false sense of trust and security. If rootkit detection performed flawlessly every time, there would be no need for multiple products in order to do so. Remember, these utilities check for known malware only. While they can conduct some heuristics, they can also provide false positives. Most importantly, it is both simple and commonplace for malware developers to evade detection by downloading these utilities and learning how they work.

There will always be unknown malware that has never been and will never be detected. Malware often has variants that operate in many different ways. Without knowing every possible variant, it is impossible to conclusively address the issue.

No official documentation exists for malware because its stealth is how it survives. While independent researchers and antivirus companies provide information about their findings in some cases, no guarantee can be made that the information is entirely accurate or complete. Once that information is released to the public, malware authors may alter their programs to function in a new manner in order to remain undetected.

It looks like the TXT file you attached shows the checks that resulted in a warning, but it doesn't offer specific details about the reason why those warnings appear or how the checks are performed. Is there any additional output about these warnings in the /var/log/rkhunter.log file?

You may also find the discussion on the following threads useful, especially for the "file properties have changed" warnings:

FAILED the md5sum comparison test - how to know when updates occur?
rkhunter warning package manager verification has failed

Thank you.
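One way to act on the advice above, as an added example that is not part of the thread or of cPanel's own tooling: pull the warnings out of rkhunter's log, list the files behind each "file properties have changed" warning, and check each one against the package manager before deciding whether it is a false positive. It assumes an RPM-based system (cPanel targets the CentOS/RHEL family), so verification uses rpm. The log it reads is a constructed sample written in rkhunter's log style, with made-up hashes, inode numbers and an invented openssl version; on a real server point SAMPLE_LOG at /var/log/rkhunter.log instead.

```shell
#!/bin/sh
# Added example (not from the cPanel thread): triage rkhunter warnings.
# Assumes rpm for package verification; everything in the sample log below
# is constructed for illustration.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[10:02:11] Info: Starting test name 'properties'
[10:02:12] Warning: The file properties have changed:
[10:02:12]          File: /usr/bin/lsof
[10:02:12]          Current hash: 1111aaaa
[10:02:12]          Stored hash : 2222bbbb
[10:02:13] Warning: The file properties have changed:
[10:02:13]          File: /usr/sbin/sshd
[10:02:13]          Current inode: 393221    Stored inode: 393140
[10:02:40] Info: Starting test name 'apps'
[10:02:41] Warning: Application 'openssl', version '1.0.0', is out of date, and possibly a security risk.
EOF

# Number of warning lines of any kind in the log.
warning_count() {
    grep -c 'Warning:' "$1"
}

# Distinct file paths flagged by "The file properties have changed".
# The "File:" line follows the warning line in rkhunter's log layout.
changed_files() {
    awk '/Warning: The file properties have changed/ { want = 1; next }
         want && /File: / { sub(/.*File: /, ""); print; want = 0 }' "$1" | sort -u
}

# Application-version warnings, printed verbatim (the "suspect application" case).
app_warnings() {
    grep "Warning: Application '" "$1"
}

# Classify one flagged file against rpm:
#   no-rpm             rpm is not installed (e.g. when run on a non-RPM host)
#   unpackaged         no installed package owns the file
#   packaged-ok        the owning package's recorded size/mode/digest still match
#   packaged-modified  rpm -V reports the file as changed or missing
# rpm -Vf verifies the whole owning package, so the awk filter keeps only
# the line for this particular path.
check_file() {
    f="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "no-rpm"; return
    fi
    if ! rpm -qf "$f" >/dev/null 2>&1; then
        echo "unpackaged"; return
    fi
    if rpm -Vf "$f" 2>/dev/null | awk -v f="$f" '$NF == f' | grep -q .; then
        echo "packaged-modified"
    else
        echo "packaged-ok"
    fi
}

# Report: one line per flagged file with its rpm verdict, then app warnings.
printf 'warnings in log: %s\n' "$(warning_count "$SAMPLE_LOG")"
changed_files "$SAMPLE_LOG" | while read -r f; do
    printf '%s\t%s\n' "$f" "$(check_file "$f")"
done
app_warnings "$SAMPLE_LOG"
# The sample log is left in place at $SAMPLE_LOG; remove it when done.
```

A file that rpm verifies clean and whose change lines up with a yum or cPanel update is the usual false positive; rkhunter's stored properties can then be refreshed with `rkhunter --propupd`. A file that rpm reports as modified, or that no package owns yet sits in a system binary directory, deserves a closer look before anything is updated, since running `--propupd` on a tampered file simply teaches rkhunter to accept it.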