Rootkit Hunter System tools BAD markers

sandy25

Member
Aug 26, 2005
Hello,

after we run Rootkit Hunter we get these errors:

Code:
Rootkit Hunter 1.2.7 is running

Determining OS... Ready


Checking binaries
* Selftests
     Strings (command)                                        [ OK ]


* System tools
  Performing 'known good' check...
   /bin/cat                                                   [ BAD ]
   /bin/chmod                                                 [ BAD ]
   /bin/chown                                                 [ BAD ]
   /bin/dmesg                                                 [ BAD ]
   /bin/egrep                                                 [ BAD ]
   /bin/env                                                   [ BAD ]
   /bin/fgrep                                                 [ BAD ]
   /bin/grep                                                  [ BAD ]
   /bin/kill                                                  [ BAD ]
   /bin/login                                                 [ BAD ]
   /bin/ls                                                    [ BAD ]
   /bin/mount                                                 [ BAD ]
   /bin/netstat                                               [ BAD ]
   /bin/ps                                                    [ OK ]
   /bin/su                                                    [ BAD ]
   /sbin/chkconfig                                            [ OK ]
   /sbin/depmod                                               [ OK ]
   /sbin/ifconfig                                             [ BAD ]
   /sbin/init                                                 [ BAD ]
   /sbin/insmod                                               [ OK ]
   /sbin/modinfo                                              [ OK ]
   /sbin/runlevel                                             [ BAD ]
   /sbin/sysctl                                               [ OK ]
   /sbin/syslogd                                              [ OK ]
   /usr/bin/file                                              [ BAD ]
   /usr/bin/find                                              [ OK ]
   /usr/bin/groups                                            [ OK ]
   /usr/bin/kill                                              [ BAD ]
   /usr/bin/killall                                           [ OK ]
   /usr/bin/lsattr                                            [ OK ]
   /usr/bin/pstree                                            [ OK ]
   /usr/bin/sha1sum                                           [ BAD ]
   /usr/bin/stat                                              [ BAD ]
   /usr/bin/users                                             [ BAD ]
   /usr/bin/w                                                 [ OK ]
   /usr/bin/watch                                             [ OK ]
   /usr/bin/who                                               [ BAD ]
   /usr/bin/whoami                                            [ BAD ]
We have checked the Rootkit Hunter log and here is the info:
Code:
[05:57:08] Checking /bin/cat against hashes in database (adab51f4f506e0736d11f034f9fe7309) failed
[05:57:08] RPM info: your package 'coreutils-4.5.3-28'
[05:57:08] RPM info: packages in database: coreutils-4.5.3-26
server kernel is: 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686
server OS: RedHat Enterprise 3 i686
whm/cpanel: WHM 10.6.0 cPanel 10.8.0-S59


The server runs fine and all is OK, but what is with these BAD markers?

Thanks, S.
 

Johnson

Active Member
Apr 16, 2003
There is nothing more than you've already told: the package in your system is newer than in the RKH database. When Michael Boelen updates the RKH database for RHEL, everything will be ok.
 
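The explanation above (package version on the box newer than the one in the RKH hash database) can be checked mechanically from the rkhunter log lines quoted earlier in the thread. The script below is an added example, not part of this thread or of rkhunter itself: it parses the three-line "failed / your package / packages in database" pattern and separates BAD markers where the installed package version simply is not in the database (likely a stale database) from BAD markers where the version matches but the hash still differs (worth a closer look with rpm -V). The sample log text is constructed; the assumption that "packages in database" may list several space-separated packages is mine.

```python
import re

# Constructed sample log lines in the rkhunter 1.2.x format quoted in this thread.
# /bin/cat: installed package is newer than the database entry (the case discussed above).
# /bin/ps: same package version as the database, yet the hash still failed (constructed).
SAMPLE_LOG = """\
[05:57:08] Checking /bin/cat against hashes in database (adab51f4f506e0736d11f034f9fe7309) failed
[05:57:08] RPM info: your package 'coreutils-4.5.3-28'
[05:57:08] RPM info: packages in database: coreutils-4.5.3-26
[05:57:09] Checking /bin/ps against hashes in database (0123456789abcdef0123456789abcdef) failed
[05:57:09] RPM info: your package 'procps-2.0.17-13'
[05:57:09] RPM info: packages in database: procps-2.0.17-13
"""

FAILED_RE = re.compile(r"^\[[\d:]+\] Checking (\S+) against hashes in database \((\w+)\) failed$")
YOURS_RE = re.compile(r"^\[[\d:]+\] RPM info: your package '([^']+)'$")
DB_RE = re.compile(r"^\[[\d:]+\] RPM info: packages in database: (.+)$")


def triage(log_text):
    """Return {binary_path: (installed_pkg, db_pkgs, verdict)} for every failed hash check."""
    found = {}
    current = None
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            current = m.group(1)
            found[current] = {"installed": None, "db": []}
            continue
        m = YOURS_RE.match(line)
        if m and current:
            found[current]["installed"] = m.group(1)
            continue
        m = DB_RE.match(line)
        if m and current:
            # Assumed: several known packages may be listed separated by whitespace.
            found[current]["db"] = m.group(1).split()

    verdicts = {}
    for path, info in found.items():
        installed, db = info["installed"], info["db"]
        if installed and installed not in db:
            # RKH has no hashes for this build of the package: a stale database
            # explains the BAD marker; confirm the binary with rpm -V before closing it.
            verdict = "version-mismatch"
        else:
            # Same package build as the database but a different hash: investigate.
            verdict = "same-version-hash-mismatch"
        verdicts[path] = (installed, db, verdict)
    return verdicts
```

Running `triage(SAMPLE_LOG)` classifies /bin/cat as a version mismatch and /bin/ps as a same-version hash mismatch.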

sandy25

Member
Aug 26, 2005
And for me this is logical, but better to ask :)

On all our servers this is the "problem", so this is it :)

Thanks, S.
 

ChemicalWH

Active Member
Mar 4, 2004
hehe, I happen to know the guy in real life, shall I whoop his ass?

either way, it still shows 4 bads on my server:
/bin/dmesg [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/mount [ BAD ]

Any of you have trouble with those?
 

ChemicalWH

Active Member
Mar 4, 2004
Yea, it's RHE.

I figured it was that, but EV1 told me my server was compromised on root level, which is really really REALLY unlikely.. I've been doing server maintenance for far over 3 years now and spent 4 years before that getting my degrees for it, so I SHOULD be able to notice it when something has been compromised.

Either way, thanks for confirming my thoughts, I'll ask Michael to update some stuff when I see him.
 

webignition

Well-Known Member
Jan 22, 2005
On a somewhat related topic, I've noticed that the following has been occurring at the start of email reports from rkhunter:

Code:
Rootkit Hunter 1.2.7 is running

Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!
whereas the emails used to start with:
Code:
Rootkit Hunter 1.2.7 is running

Determining OS... Ready
Looking back through the emails, I notice that the last one that determined the OS correctly was on the 3rd of November this year, with "Determining OS... Unknown" occurring from the 4th onwards. This just so happens to coincide with the upgrade from CentOS 3.5 to 3.6.

I've also checked that rkhunter is up to date and it seems to think it is.

Has anyone else noticed that rkhunter can't 'recognise' CentOS 3.6 when it previously had no problems with 3.5 and 3.4?