I am getting these messages on a couple of machines the last few days.
subject: [rkhunter] Warnings found for server
body: Please inspect this machine, because it may be infected.
Looking in the separate rkhunter report there are quite a few errors which say...
Warning: The file properties have changed: File: /usr/bin/last
The file path for each warning is different of course. And the report says they have "changed"...from what?
Is there any specific process I should be following to determine if there is a rootkit on my servers?
I have them pretty well locked down with key access, ssh port blocked, csf firewall + ip blocklists + atomicorp ASL system etc, so am pretty confident that no one has been able to access the server externally.
Could these errors be false positives?
Another error in the report is..
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Should this be yes for both or no for both?
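
The comparison behind the last warning can be reproduced by hand. The script below is an added example, not part of the original post and not rkhunter's own code: it reads `PermitRootLogin` from an sshd_config-style file and `ALLOW_SSH_ROOT_USER` from an rkhunter.conf-style file and reports whether they agree. The function names and sample files are constructed for illustration, and using the last `ALLOW_SSH_ROOT_USER` line when there are several is an assumption.

```shell
#!/bin/sh
# Added example: reproduce the comparison behind the rkhunter warning.

# Global PermitRootLogin from an sshd_config-style file. sshd keeps the first
# value it reads for a keyword, keywords are case-insensitive, and everything
# after a "Match" line is conditional, so parsing stops there.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# ALLOW_SSH_ROOT_USER from an rkhunter.conf-style file (KEY=value lines).
# Assumption: when the option appears more than once, the last line is used.
rkhunter_root_user() {
    awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        $1 == "ALLOW_SSH_ROOT_USER" { value = tolower($2) }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Returns 0 when both files carry the same value, 1 otherwise.
check_root_login_match() {
    ssh_value=$(sshd_root_login "$1")
    rkh_value=$(rkhunter_root_user "$2")
    if [ "$ssh_value" = "$rkh_value" ]; then
        echo "match: both are '$ssh_value'"
        return 0
    fi
    echo "mismatch: PermitRootLogin='$ssh_value' ALLOW_SSH_ROOT_USER='$rkh_value'"
    return 1
}

# Constructed sample files carrying the values from the report above.
demo_dir=$(mktemp -d)
printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$demo_dir/sshd_config"
printf 'ALLOW_SSH_ROOT_USER=no\n' > "$demo_dir/rkhunter.conf"
check_root_login_match "$demo_dir/sshd_config" "$demo_dir/rkhunter.conf" || true
```

On a real server, pass the paths of the live sshd and rkhunter configuration files to `check_root_login_match` instead of the sample files.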