[rkhunter] Warnings found + Please inspect this machine, because it may be infected.

Discussion in 'Security' started by craigedmonds, Sep 4, 2013.

  1. craigedmonds

    craigedmonds Well-Known Member

    I am getting these messages on a couple of machines the last few days.

    subject: [rkhunter] Warnings found for server
    body: Please inspect this machine, because it may be infected.

    Looking in the separate rkhunter report there are quite a few errors which say...

    Warning: The file properties have changed: File: /usr/bin/last

    The file path for each warning is different of course. And the report says they have "changed"...from what?

    Is there any specific process I should be following to determine if there is a rootkit on my servers?

    I have them pretty well locked down with key access, ssh port blocked, csf firewall + ip blocklists + atomicorp ASL system etc, so am pretty confident that no one has been able to access the server externally.

    Could these errors be false positives?

    Another error in the report is..

    Warning: The SSH and rkhunter configuration options should be the same:
    SSH configuration option 'PermitRootLogin': yes
    Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

    Should this be yes for both or no for both?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Here is an older thread with discussion of the same issue:

    RKHunter Warnings

    It's difficult to say if your system has been hacked. I recommend consulting with a qualified system administrator if you have reason to believe your server has been compromised.

    Thank you.
     
  3. inthukha

    inthukha Well-Known Member

    Hi,

    I have been using rkhunter for 3 years now. It sends you an email once any update is installed on your system, because it won't update itself until you run it. It stores all files' modified dates and changes when you run it, and on the next run it will recheck all files and compare them with the old scan result.

    If you have concerns, I suggest running clamd and LMD to scan your server. I also suggest you install and run Rootkit Hunter, which will detect most common exploits and will give you a summary too.
     
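
One way to triage the "file properties have changed" warnings discussed in this thread, as an added example that is not part of any poster's message: it pulls the flagged paths out of an rkhunter report and checks each one against the RPM database. It assumes an RPM-based host; the function names and `SAMPLE_REPORT` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes an RPM-based host.
# SAMPLE_REPORT is constructed; real reports carry more detail per warning.
SAMPLE_REPORT='Warning: The file properties have changed:
         File: /usr/bin/last
         Current inode: 1234    Stored inode: 5678
Warning: The file properties have changed: File: /usr/bin/top
Warning: The SSH and rkhunter configuration options should be the same:'

# Print each path named in a "file properties have changed" warning.
# Handles the path on the warning line itself or on a following "File:" line.
changed_files() {
    awk '
        /The file properties have changed/ { want = 1 }
        want && match($0, /File: \/[^ ]+/) {
            print substr($0, RSTART + 6, RLENGTH - 6)
            want = 0
        }'
}

# Classify one path against the RPM database:
#   unowned  - no package claims the file, so no update explains the change
#   modified - rpm -V reports the file differs from what its package installed
#   packaged - the file matches its package (typical after a routine update)
# The RPM database lives on the same host, so "packaged" is evidence, not proof.
classify_file() {
    path=$1
    pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "unowned $path"; return; }
    if rpm -Vf "$path" 2>/dev/null |
        awk -v p="$path" '$NF == p { hit = 1 } END { exit !hit }'; then
        echo "modified $path ($pkg)"
    else
        echo "packaged $path ($pkg)"
    fi
}

# Read a report on stdin and classify every flagged file.
triage_report() {
    changed_files | while IFS= read -r f; do classify_file "$f"; done
}
```

Feed the report text to `triage_report` on stdin. Once every flagged file is accounted for, `rkhunter --propupd` refreshes the stored file properties so the next run compares against the new baseline.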