The Community Forums


Rootkit Hunter 1.1.5

Discussion in 'cPanel Developers' started by eazistore, Aug 11, 2004.

  1. eazistore

    Hi,

    We have updated to Rootkit Hunter 1.1.5 today.
    We noticed the email report is slightly different, and noticed this:

    * Application version scan
    - ClamAV 0.75.1 [ OK ]
    - Exim MTA 4.34 [ OK ]
    - GnuPG 1.2.3 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.8 [ OK ]
    - PHP 4.3.8 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]


    Anybody here got experience in this?

    WHM 9.4.0 cPanel 9.5.0-C27
    Fedora i686 - WHM X v3.1.0

    Thanks in advance.
     
  2. chirpy

    Yep, get the same on all my servers. Looks like they're false-positives.
     
  3. eazistore

    Hi chirpy,

    Thanks for the feedback.
    I sent a mail to the author at www.rootkit.nl yesterday and he mentioned this:

    It means you're running software that is/can be vulnerable for security
    issues. On a longer term, it can mean someone is able to hack your
    server. So you have to upgrade to newer versions, which aren't
    vulnerable ;-)


    I am a newbie on Linux and haven't made another move to upgrade the versions stated as vulnerable.
     
  4. chirpy

    They would be correct, except that RedHat do something called back-porting of security fixes. That means they stay on an old stable version, but implement any security fixes that are released so that the applications remain both secure and stable. You'll just have to ignore that part of rkhunter - the rest of it, however, is extremely useful and worth using.
     
  5. isputra

    Hi,

    I'm still using 1.1.3, and I am confused by this:

    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1 [ Clean ]
    Test 2 [ Clean ]
    Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Clean ]
    Checking /etc/xinetd.conf [ Warning! ]
    pop-3 is enabled, ntalk is enabled, talk is enabled, imap is enabled

    I checked xinetd.conf and there is no pop-3, ntalk/talk in that config. Do you know what this is about?
     
  6. chirpy

    They're false-positives. This is happening because rkhunter is just checking whether the files are enabled in /etc/xinetd.d/*, not whether they're actually started. You can either:

    1. Ignore them
    2. Edit the respective files in the directory above and set them to disable = yes
    3. Delete the respective files from the directory above, since they are redundant
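    Added example (not from any poster in this thread): a small POSIX sh script that reads an xinetd.d-style directory the same way the check above does, reporting every service whose file does not carry "disable = yes", and a helper that applies option 2 by editing the stanza. The directory, the three service files and their contents are constructed for the example; point enabled_xinetd_services at /etc/xinetd.d to see what rkhunter would flag on a real box.

```shell
#!/bin/sh
# Added example, not part of the thread or of rkhunter itself.
# rkhunter's xinetd check reads the per-service files under /etc/xinetd.d,
# not the process table, so a service counts as "enabled" unless its stanza
# says "disable = yes". These helpers reproduce that view.

# Build a constructed xinetd.d directory with three sample service files:
# pop-3 explicitly enabled, talk explicitly disabled, imap with no disable line.
make_sample_xinetd_dir() {
    dir=$(mktemp -d)
    cat > "$dir/pop3" <<'EOF'
service pop-3
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        disable         = no
}
EOF
    cat > "$dir/talk" <<'EOF'
service talk
{
        socket_type     = dgram
        wait            = yes
        user            = nobody
        server          = /usr/sbin/in.talkd
        disable         = yes
}
EOF
    cat > "$dir/imap" <<'EOF'
service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
}
EOF
    echo "$dir"
}

# Print, sorted one per line, the services whose file lacks "disable = yes".
# Usage: enabled_xinetd_services /etc/xinetd.d
enabled_xinetd_services() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # The service name is taken from the "service NAME" line, not the filename.
        name=$(sed -E -n 's/^[[:space:]]*service[[:space:]]+([^[:space:]]+).*/\1/p' "$f" | head -n 1)
        [ -n "$name" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            echo "$name"
        fi
    done | sort
}

# Option 2 from the reply above: make the stanza say "disable = yes".
# Rewrites an existing disable line, or inserts one before the closing brace.
disable_xinetd_service() {
    f=$1
    tmp="$f.tmp"
    awk '
        /^[[:space:]]*disable[[:space:]]*=/ { print "        disable         = yes"; seen = 1; next }
        /^}/ && !seen                      { print "        disable         = yes"; seen = 1 }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}
```

    After disabling, restart xinetd so the running daemon matches the files; rkhunter only ever looks at the files.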
     
  7. isputra

    Thanks chirpy :)

    If I want to upgrade to 1.1.5, what steps must I follow?
    Just install it like a fresh install, or what?
     
  8. chirpy

    Yes, just install as if it's a new installation and it will overwrite the old one.
     
  9. Sheldon

    Is there an uninstall procedure for this?

    I always like to know how to uninstall something if I had to.

    Sheldon
     
  10. chirpy

    No, there isn't. But it's not very invasive; locate rkhunter will find just about everything that is installed.
     
  11. Aric1

    For those of you keeping score at home, 1.1.6 is the current version as of this writing.

    To do a fresh install, you could just paste the following into your terminal when logged in via SSH:

    cd ~; rm -Rf rkhunter*; wget http://downloads.rootkit.nl/rkhunter-1.1.6.tar.gz; tar zxf rkhunter-*.tar.gz; cd rkhunter; ./installer.sh; rkhunter -c --cronjob; cd ..; rm -Rf rkhunter*

    That will install it and run it for the first time.

    Once it is installed, you can update it by typing:

    rkhunter --versioncheck

    and update the various files rkh uses:

    rkhunter --update

    However, especially with --update, it's not very reliable since the mirrors never seem to have the right file. So I typically just reinstall using the new version.

    To check your version of rkh without running a report, type:

    rkhunter --version

    To just run rkhunter at any time, type:

    rkhunter -c

    If you want rkhunter to check your server every day and e-mail you the results, you can put something like the following in your crontab (crontab -e):

    30 5 * * * /usr/local/bin/rkhunter -c --cronjob

    The --cronjob option executes a number of other options: not waiting for keypresses between sections, removing color, etc.

    The above example will execute rkhunter at 5:30 AM, server time; feel free to change it however you wish.

    You can pipe the output to any e-mail address you like or, if you are set to forward root mail to a valid address, a copy of the output will be mailed to root, so you will receive it at whatever e-mail address root forwarding is set to.

    That sends the FULL output, with all OKs as well.

    If you only want to get the executive summary with a note of any problems encountered, add --report-mode to the cronjob.

    rkhunter also has a "mail on issues" setting, separate of anything you might do with the crontab.

    Modify the following file on your server:

    /usr/local/etc/rkhunter.conf

    You'll see the first option at the top has a mail to on problems section. Uncomment the line so it looks like this:

    # Send a warning message to the admin when one or more warnings
    # are available (rootkit and MD5 check). Note: uses default `mail`
    # commmand to send the warning message.
    MAIL-ON-WARNING=youremailaddress@goes-here.com

    rkhunter is a great automated tool, but as noted by others, it's not infallible. Running this doesn't mean you can just go to sleep on security issues. It's important that you give your server the "human touch" and check for security violations yourself.

    Also, the developer of rkhunter has an Amazon wishlist. If you like rkhunter, you should consider buying him a book or two. :)

    Aric
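    Added example (not Aric1's code and not part of rkhunter): a POSIX sh wrapper for the daily cron job described above. It keeps the full report on disk and mails only the lines the scan flagged, with their section header, so a report made up entirely of [ OK ] lines does not need reading. The sample report is constructed from the output format quoted in this thread; the rkhunter and mail commands are parameters whose assumed defaults are /usr/local/bin/rkhunter -c --cronjob (the cron line above) and the system mail(1), so the filter can be exercised on a saved report without running a scan.

```shell
#!/bin/sh
# Added example, not from the thread or from the rkhunter project.

# Constructed sample report, in the format quoted in the thread.
SAMPLE_REPORT='* Application version scan
- ClamAV 0.75.1 [ OK ]
- Exim MTA 4.34 [ OK ]
- GnuPG 1.2.3 [ Vulnerable ]
- OpenSSL 0.9.7a [ Vulnerable ]
- OpenSSH 3.6.1p2 [ Vulnerable ]
* Trojan specific characteristics
Checking /etc/inetd.conf [ Clean ]
Checking /etc/xinetd.conf [ Warning! ]
pop-3 is enabled, imap is enabled'

# Read a report on stdin and print only lines flagged [ Warning! ] or
# [ Vulnerable ], each preceded once by the "* ..." section it belongs to.
rkhunter_flagged_lines() {
    awk '
        /^\* / { section = $0; printed = 0; next }
        /\[ (Warning!|Vulnerable) \]/ {
            if (!printed) { print section; printed = 1 }
            print
        }
    '
}

# Number of flagged lines in the report on stdin (section headers not counted).
rkhunter_flagged_count() {
    rkhunter_flagged_lines | grep -Ec '\[ (Warning!|Vulnerable) \]' || true
}

# Run the scan and mail only the flagged lines.
# Usage: rkhunter_cron_wrapper RECIPIENT [RKHUNTER_CMD] [MAIL_CMD]
# Assumed defaults: "/usr/local/bin/rkhunter -c --cronjob" and "mail".
# Returns 0 when nothing was flagged (report deleted), 1 otherwise (report kept).
rkhunter_cron_wrapper() {
    recipient=$1
    rk_cmd=${2:-"/usr/local/bin/rkhunter -c --cronjob"}
    mail_cmd=${3:-"mail"}
    report=$(mktemp)
    # The command string is deliberately word-split so options are passed through.
    $rk_cmd > "$report" 2>&1 || true
    flagged=$(rkhunter_flagged_lines < "$report")
    if [ -n "$flagged" ]; then
        host=$(hostname 2>/dev/null || echo unknown-host)
        printf '%s\n\nFull report kept at: %s\n' "$flagged" "$report" \
            | $mail_cmd -s "rkhunter findings on $host" "$recipient"
        return 1
    fi
    rm -f "$report"
    return 0
}
```

    A [ Vulnerable ] line from the application version scan still needs the check chirpy describes: on a RedHat system compare the package's changelog (rpm -q --changelog openssl, for example) against the advisory rather than trusting the upstream version string alone, since back-ported fixes keep the old version number.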
     
  12. eazistore

    Thanks Aric1,

    Upgraded to rkhunter 1.1.6 without any hiccups.
    Nice. :eek:
     
  13. isputra

    Me too .. upgraded without problem :D
     
  14. isputra

    I have this in my email:

    * Application version scan
    - ClamAV 0.75.1 [ OK ]
    - ClamAV 0.70-rc [ Unknown ]
    - Exim MTA 4.41 [ OK ]
    - GnuPG 1.2.1 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.6m [ OK ]
    - PHP 4.3.8 [ OK ]
    - PHP 4.3.8 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - ProFTPd 1.2.9 [ Vulnerable ]
    - OpenSSH 3.7.1p2 [ Unknown ]

    Is there any way to uninstall ClamAV 0.70-rc ?
     
  15. Aric1

    locate clamav

    would have given you a hint. :p

    You probably have a copy here:

    /usr/src/

    Delete any old ClamAV directories you find there; you don't need them.

    Regards,

    Aric
     
  16. olivier222333

    I have made the test and got:

    * Application version scan
    - Exim MTA 4.44 [ Unknown ]
    - GnuPG 1.2.1 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.10 [ Unknown ]
    - PHP 4.3.10 [ Unknown ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]


    I run a RH3 AS
    thx
     
  17. chirpy

    Then they're fine (false-positives) as RH backport fixes - this has been mentioned many times on the forums.
     
  18. haze

    You may also want to upgrade to rkhunter 1.2.1 as it's available (always a good idea to keep your software up to date).
     
  19. Aric1

    The latest versions note that those items are either vulnerable or patched. It is up to you to know the difference.

    As noted RH backports security fixes to old versions (without adding the new features), so as long as you use up2date regularly you are probably OK on those items.
     
  20. ony101

    Hi,

    Thanks for the info. Running 1.1.8 and followed your update procedure. --versioncheck informs me that version 1.2.1 is available and to update. I update (following the above) and rkhunter --version then informs me I still have version 1.1.8. What to do?

    As for reinstalling: do I just reinstall 1.2.1 over 1.1.8?

    thx
     
