[rkhunter] Warnings found + Please inspect this machine, because it may be infected.

craigedmonds

Well-Known Member
Oct 29, 2007
Europe
cPanel Access Level
Root Administrator
I am getting these messages on a couple of machines the last few days.

subject: [rkhunter] Warnings found for server
body: Please inspect this machine, because it may be infected.

Looking in the separate rkhunter report there are quite a few errors which say...

Warning: The file properties have changed: File: /usr/bin/last

The file path for each warning is different of course. And the report says they have "changed"...from what?

Is there any specific process I should be following to determine if there is a rootkit on my servers?

I have them pretty well locked down with key access, SSH port blocked, CSF firewall + IP blocklists + Atomicorp ASL system etc., so am pretty confident that no one has been able to access the server externally.

Could these errors be false positives?

Another error in the report is...

Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

Should this be yes for both or no for both?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Here is an older thread with discussion of the same issue:

RKHunter Warnings

It's difficult to say if your system has been hacked. I recommend consulting with a qualified system administrator if you have reason to believe your server has been compromised.

Thank you.
 

inthukha

Well-Known Member
Jul 17, 2013
cPanel Access Level
Root Administrator
Hi,

I have been using rkhunter for 3 years now. It sends you an email once any update is installed on your system, because it won't update itself until you run it. It stores all files' modification dates and changes when you run it, and on the next run it will recheck all files and compare them with the old scan result.

If you have concerns, I suggest running clamd and LMD to scan your server. I also suggest you install and run Rootkit Hunter. Rootkit Hunter will detect most common exploits and will give you a summary too.
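The two warnings quoted in the first post can be triaged mechanically: rkhunter compares each file against the properties it stored on the previous run (as the reply above explains), so the useful first step is to list exactly which files and which properties changed and then ask the package manager whether an update explains them, and the SSH warning is simply a literal comparison of sshd's PermitRootLogin with ALLOW_SSH_ROOT_USER in rkhunter.conf. The following is an added example, not rkhunter's own code; the report, sshd_config and rkhunter.conf snippets are constructed samples in the layout rkhunter and OpenSSH use.

```python
"""Triage helpers for rkhunter warnings (added example, not rkhunter's own code)."""
import re
# Constructed sample in the layout of rkhunter.log; the e-mailed report joins the
# warning and its "File:" onto one line, which the parser also accepts.
SAMPLE_REPORT = """\
[10:02:11] Warning: The file properties have changed:
[10:02:11]          File: /usr/bin/last
[10:02:11]          Current hash: 1111aaaa
[10:02:12] Warning: The file properties have changed: File: /usr/bin/ssh
[10:02:12]          Current inode: 1001    Stored inode: 999
[10:02:13] Warning: The SSH and rkhunter configuration options should be the same:
"""
SAMPLE_SSHD = "# comment\nPort 2222\nPermitRootLogin yes\nMatch User backup\n  PermitRootLogin no\n"
SAMPLE_RKHUNTER = "#ALLOW_SSH_ROOT_USER=yes\nALLOW_SSH_ROOT_USER=no\n"

def changed_files(report):
    """Map each file under a 'file properties have changed' warning to the properties listed."""
    files, current, in_props = {}, None, False
    for line in report.splitlines():
        text = re.sub(r"^\[[\d:]+\]\s*", "", line)  # drop the log timestamp
        if "Warning:" in text:  # a new warning starts; remember whether it is a properties one
            in_props, current = "file properties have changed" in text, None
        if in_props and (m := re.search(r"\bFile:\s*(/\S+)", text)):
            current = files.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"Current (\w+)", text)):
            current.append(m.group(1).lower())  # e.g. hash, inode, size, mtime
    return files

def sshd_permit_root_login(sshd_config):
    """Global PermitRootLogin: sshd takes the first occurrence, and Match blocks are not global."""
    for line in sshd_config.splitlines():
        if not (m := re.match(r"\s*(\w+)\s*[=\s]\s*(\S+)", line)):  # 'Key value' or 'Key=value'
            continue  # blank or '#' comment line
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        if key == "permitrootlogin":
            return value
    return None  # unset: OpenSSH's compiled-in default applies

def ssh_root_login_mismatch(sshd_config, rkhunter_conf):
    """(sshd value, rkhunter ALLOW_SSH_ROOT_USER, mismatch?) for the check rkhunter reports."""
    rk = None
    for line in rkhunter_conf.splitlines():  # last uncommented assignment wins
        m = re.match(r'\s*ALLOW_SSH_ROOT_USER\s*=\s*"?([^"#\s]*)', line)
        if m:
            rk = m.group(1).lower()
    ssh = sshd_permit_root_login(sshd_config) or "unset"
    rk = rk or "unset"
    return ssh, rk, ssh != rk
```

For each path returned by `changed_files`, `rpm -Vf <path>` (or the equivalent for your package manager) tells you whether the installed package still owns an intact file; only once a package update explains every change is `rkhunter --propupd` the right way to re-baseline, and on a locked-down box the least-privilege resolution of the SSH warning is `PermitRootLogin no` in sshd_config with `ALLOW_SSH_ROOT_USER=no` to match, not raising the rkhunter option to yes.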