The Community Forums

Interact with an entire community of cPanel & WHM users!

Rootkit Hunter System tools BAD markers

Discussion in 'General Discussion' started by sandy25, Oct 9, 2005.

  1. sandy25

    sandy25 Member

    Hello,

    after we run Rootkit we get these errors:

    Code:
    Rootkit Hunter 1.2.7 is running
    
    Determining OS... Ready
    
    
    Checking binaries
    * Selftests
         Strings (command)                                        [ OK ]
    
    
    * System tools
      Performing 'known good' check...
       /bin/cat                                                   [ BAD ]
       /bin/chmod                                                 [ BAD ]
       /bin/chown                                                 [ BAD ]
       /bin/dmesg                                                 [ BAD ]
       /bin/egrep                                                 [ BAD ]
       /bin/env                                                   [ BAD ]
       /bin/fgrep                                                 [ BAD ]
       /bin/grep                                                  [ BAD ]
       /bin/kill                                                  [ BAD ]
       /bin/login                                                 [ BAD ]
       /bin/ls                                                    [ BAD ]
       /bin/mount                                                 [ BAD ]
       /bin/netstat                                               [ BAD ]
       /bin/ps                                                    [ OK ]
       /bin/su                                                    [ BAD ]
       /sbin/chkconfig                                            [ OK ]
       /sbin/depmod                                               [ OK ]
       /sbin/ifconfig                                             [ BAD ]
       /sbin/init                                                 [ BAD ]
       /sbin/insmod                                               [ OK ]
       /sbin/modinfo                                              [ OK ]
       /sbin/runlevel                                             [ BAD ]
       /sbin/sysctl                                               [ OK ]
       /sbin/syslogd                                              [ OK ]
       /usr/bin/file                                              [ BAD ]
       /usr/bin/find                                              [ OK ]
       /usr/bin/groups                                            [ OK ]
       /usr/bin/kill                                              [ BAD ]
       /usr/bin/killall                                           [ OK ]
       /usr/bin/lsattr                                            [ OK ]
       /usr/bin/pstree                                            [ OK ]
       /usr/bin/sha1sum                                           [ BAD ]
       /usr/bin/stat                                              [ BAD ]
       /usr/bin/users                                             [ BAD ]
       /usr/bin/w                                                 [ OK ]
       /usr/bin/watch                                             [ OK ]
       /usr/bin/who                                               [ BAD ]
       /usr/bin/whoami                                            [ BAD ]
    We have checked the Rootkit Hunter log and here is the info:
    Code:
    [05:57:08] Checking /bin/cat against hashes in database (adab51f4f506e0736d11f034f9fe7309) failed
    [05:57:08] RPM info: your package 'coreutils-4.5.3-28'
    [05:57:08] RPM info: packages in database: coreutils-4.5.3-26
    server kernel is: 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686
    server OS: RedHat Enterprise 3 i686
    whm/cpanel: WHM 10.6.0 cPanel 10.8.0-S59


    The server runs fine and everything is OK, but what is with these BAD markers?

    Thanks, S.
     
  2. Johnson

    Johnson Active Member

    There is nothing more than you've already told: the package on your system is newer than the one in the RKH database. When Michael Boelen updates the RKH database for RHEL, everything will be OK.
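The explanation above (installed RPM newer than the version in rkhunter's hash database) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from rkhunter or cPanel: it parses the "Checking ... failed" / "RPM info" line triples in the format quoted in the thread, classifies each BAD marker as "stale-db" when the installed package is newer than every version rkhunter knows, and otherwise flags it for a closer look. It also parses `rpm -V` output (the real RPM verify flag string, where `5` means the file's digest no longer matches the package) as an independent cross-check. Both input samples are constructed: the `/bin/cat` lines mirror the thread, the `/bin/dmesg` lines and the `rpm -V` output are made up to show the case that is not a false positive. Keep in mind that `rpm -V` trusts the local RPM database, so agreement is corroboration, not proof; the actual fix for the stale-db case is the database update the thread is waiting on.

```python
import re

# Line shapes taken from the rkhunter log excerpt quoted in this thread.
LOG_CHECK = re.compile(
    r"^\[\d\d:\d\d:\d\d\] Checking (\S+) against hashes in database \(([0-9a-f]{32})\) failed$")
LOG_INSTALLED = re.compile(r"^\[\d\d:\d\d:\d\d\] RPM info: your package '([^']+)'$")
LOG_DB = re.compile(r"^\[\d\d:\d\d:\d\d\] RPM info: packages in database: (.+)$")

# Constructed sample log: /bin/cat mirrors the thread, /bin/dmesg (and its all-zero hash)
# is made up to show a check that fails although rkhunter knows the installed version.
SAMPLE_LOG = """\
[05:57:08] Checking /bin/cat against hashes in database (adab51f4f506e0736d11f034f9fe7309) failed
[05:57:08] RPM info: your package 'coreutils-4.5.3-28'
[05:57:08] RPM info: packages in database: coreutils-4.5.3-26
[05:57:09] Checking /bin/dmesg against hashes in database (00000000000000000000000000000000) failed
[05:57:09] RPM info: your package 'util-linux-2.11y-31.11'
[05:57:09] RPM info: packages in database: util-linux-2.11y-31.11
"""

# Constructed `rpm -V` output: rpm prints nothing for files that verify clean,
# so /bin/cat being absent means it matches its package.
SAMPLE_RPM_VERIFY = """\
S.5....T.    /bin/dmesg
.......T.    /bin/login
"""


def split_nvr(nvr):
    """'coreutils-4.5.3-28' -> ('coreutils', '4.5.3', '28')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def version_key(s):
    """Sortable key: numeric chunks compare as integers, alphabetic chunks as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", s))


def verdict(finding):
    """Classify one failed hash check using the RPM info rkhunter logged next to it."""
    if not finding["installed"] or not finding["in_db"]:
        return "no-rpm-info"
    name, ver, rel = split_nvr(finding["installed"])
    same_pkg = [split_nvr(p) for p in finding["in_db"] if split_nvr(p)[0] == name]
    if not same_pkg:
        return "no-rpm-info"
    installed = (version_key(ver), version_key(rel))
    if all(installed > (version_key(v), version_key(r)) for _, v, r in same_pkg):
        return "stale-db"    # installed package is newer than every version rkhunter knows
    return "investigate"     # rkhunter knows this exact version, yet the hash still differs


def classify(log_text):
    """Group 'Checking ... failed' lines with their following 'RPM info' lines."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = LOG_CHECK.match(line)
        if m:
            current = {"path": m.group(1), "hash": m.group(2), "installed": None, "in_db": []}
            findings.append(current)
        elif current is not None and LOG_INSTALLED.match(line):
            current["installed"] = LOG_INSTALLED.match(line).group(1)
        elif current is not None and LOG_DB.match(line):
            current["in_db"] = LOG_DB.match(line).group(1).split()
    for f in findings:
        f["verdict"] = verdict(f)
    return findings


# rpm -V flag string: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps.
RPMV_LINE = re.compile(r"^([S.M5DLUGTP?]{8,9})\s+(?:[cdglr]\s+)?(\S+)$")
RPMV_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}


def parse_rpm_verify(output):
    """Map each reported path to the set of attributes rpm -V says have changed."""
    result = {}
    for line in output.splitlines():
        if line.startswith("missing "):
            result[line.split(None, 1)[1]] = {"missing"}
            continue
        m = RPMV_LINE.match(line)
        if m:
            result[m.group(2)] = {RPMV_FLAGS[c] for c in m.group(1) if c in RPMV_FLAGS}
    return result


def digest_mismatch(verified, path):
    return "digest" in verified.get(path, set())


def cross_check(findings, verified):
    """A BAD marker is only a likely false positive when rkhunter's DB is older than the
    installed package AND rpm -V does not report a digest change for the file."""
    return {f["path"]: ("likely false positive"
                        if f["verdict"] == "stale-db" and not digest_mismatch(verified, f["path"])
                        else "investigate")
            for f in findings}


if __name__ == "__main__":
    for path, outcome in cross_check(classify(SAMPLE_LOG), parse_rpm_verify(SAMPLE_RPM_VERIFY)).items():
        print(f"{path:20} {outcome}")
```

On a real host the two inputs would come from `/var/log/rkhunter.log` and from `rpm -V` run against the packages rkhunter names (for instance `rpm -Vf /bin/cat`); the sample strings stand in for those here so the script runs offline.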
     
  3. sandy25

    sandy25 Member

    And for me this is logical, but better to ask :)

    On all our servers this is the "problem", so this is it :)

    Thanks, S.
     
  4. sh4ka

    sh4ka Well-Known Member

    Same happened to me with my servers; I notified Michael but he hasn't updated the app DB yet..
     
  5. ChemicalWH

    ChemicalWH Active Member

    hehe, I happen to know the guy in real life, shall I whoop his ass?

    Either way, it still shows 4 BADs on my server:
    /bin/dmesg [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/mount [ BAD ]

    Any of you have trouble with those?
     
  6. chirpy

    chirpy Well-Known Member

    Those will appear on RHE servers running v3.6 - rkhunter is still out of date on the md5sums for those files.
     
  7. Johnson

    Johnson Active Member

    You probably mean CentOS, not RHE.
     
  8. chirpy

    chirpy Well-Known Member

    No, I mean RHE.
     
  9. ChemicalWH

    ChemicalWH Active Member

    Yea, it's RHE.

    I figured it was that, but EV1 told me my server was compromised on root level, which is really really REALLY unlikely.. I've been doing server maintenance for far over 3 years now and spent 4 years before that getting my degrees for it, so I SHOULD be able to notice it when something has been compromised.

    Either way, thanks for confirming my thoughts, I'll ask Michael to update some stuff when I see him.
     
  10. webignition

    webignition Well-Known Member

    On a somewhat related topic, I've noticed that the following has been occurring at the start of email reports from rkhunter:

    Code:
    Rootkit Hunter 1.2.7 is running
    
    Determining OS... Unknown
    Warning: This operating system is not fully supported!
    Warning: Cannot find md5_not_known
    All MD5 checks will be skipped!
    whereas the emails used to start with:
    Code:
    Rootkit Hunter 1.2.7 is running
    
    Determining OS... Ready
    Looking back through the emails, I notice that the last one that determined the OS correctly was on the 3rd of November this year, with "Determining OS... Unknown" occurring from the 4th onwards. This just so happens to coincide with the upgrade from CentOS 3.5 to 3.6.

    I've also checked that rkhunter is up to date and it seems to think it is.

    Has anyone else noticed that rkhunter can't 'recognise' CentOS 3.6 when it previously had no problems with 3.5 and 3.4?
     
  11. chirpy

    chirpy Well-Known Member

    Yup, that is the CentOS issue - there is no support at all yet for the v3.6 md5s.
     
