iisnet

Active Member
Oct 6, 2002
It appears that a RHEL3 server that I have got compromised a few hours ago; rkhunter returned the following:

/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/dmesg [ BAD ]
/sbin/depmod [ BAD ]
/sbin/ifconfig [ BAD ]

......

However, rkhunter and chkrootkit were unable to detect any rootkits on the server. Would it be safe to just replace these files with clean ones, or would it be better to do a complete reinstall?

Any suggestions would be appreciated.
 

dezignguy

Well-Known Member
Sep 26, 2004
Obviously you haven't been paying much attention to what's going on with your server... The reason that rkhunter is returning "BAD" for those programs is that the MD5 hashes have changed (so the files have changed), but the highly likely reason the files have changed is that up2date installed new versions from Red Hat. RHEL3 is now at Taroon Update 4. So check that out first; there should be logs for up2date.
 

iisnet

Active Member
Oct 6, 2002
Meh, guess I haven't been paying attention indeed :rolleyes:
I updated rkhunter, but I guess their MD5 hashes haven't been updated either?

Thanks.
 

haze

Well-Known Member
Dec 21, 2001
You can keep trying to run rkhunter --update 2, maybe 3, times a day. I think the developer is probably busy with the holiday season, and he's stated on the rkhunter web site that it'll be a slow period at the moment.

rkhunter is a great tool, but it should not be the only tool you have to check this sort of stuff. When you first set up your server it's a good idea to have a tool such as AIDE or perhaps Tripwire installed (my pref = AIDE). Installing these later on is somewhat useless, but if you're certain your server is clean of any issues, it's probably still a good idea.

Best thing to do would be to consult an expert in this area to ensure you are as safe as possible.
 

brianc

Well-Known Member
May 16, 2003
iisnet said:
It appears that a RHEL3 server that I have got compromised a few hours ago; rkhunter returned the following:

/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/dmesg [ BAD ]
/sbin/depmod [ BAD ]
/sbin/ifconfig [ BAD ]

......

However, rkhunter and chkrootkit were unable to detect any rootkits on the server. Would it be safe to just replace these files with clean ones, or would it be better to do a complete reinstall?

Any suggestions would be appreciated.
What is important is whether these files are reported as clean when using rkhunter. The "bad" messages are due to these scripts being upgraded by up2date. You should have been notified of this via your /scripts/upcp report that you receive via e-mail.

Brian
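The point dezignguy and Brian make is that an rkhunter "[ BAD ]" only says the file no longer matches rkhunter's own stored hash list; on an RPM-based box the package database is the better reference for whether a vendor update explains the change. The script below is an added example, not code from the thread or from rkhunter: it parses rkhunter's file lines and the output you would get from `rpm -Vf` and `rpm -qf` (fed in here as constructed sample strings) and separates files that still match their package from files that genuinely need a look.

```python
import re

# rkhunter file lines as quoted in the thread, e.g. "/bin/kill [ BAD ]"
RK_LINE = re.compile(r"^(?P<path>/\S+)\s+\[\s*(?P<status>\w+)\s*\]")
# rpm -V lines: 9 attribute flags, optional file-type marker, then the path,
# e.g. "S.5....T.    /sbin/ifconfig".  '5' = digest differs, 'S' = size differs,
# 'T' = mtime differs only.  rpm -V prints nothing for a file that still matches.
RPM_V_LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(?P<path>/\S+)")


def parse_rkhunter(report):
    """Return the paths rkhunter reported as BAD."""
    bad = []
    for line in report.splitlines():
        m = RK_LINE.match(line.strip())
        if m and m.group("status") == "BAD":
            bad.append(m.group("path"))
    return bad


def parse_rpm_verify(output):
    """Map each path that rpm -V complained about to its flag string."""
    changed = {}
    for line in output.splitlines():
        m = RPM_V_LINE.match(line.strip())
        if m:
            changed[m.group("path")] = m.group("flags")
    return changed


def triage(bad_paths, rpm_verify_output, owner_of):
    """Per BAD file, decide whether the package database explains the change.

    owner_of maps path -> owning package from `rpm -qf PATH`, or None when rpm
    reports the file as not owned by any package.  A clean rpm -V result only
    means the file matches the package the local RPM database records; if the
    database itself is in doubt, compare against the vendor's signed package.
    """
    changed = parse_rpm_verify(rpm_verify_output)
    verdicts = {}
    for path in bad_paths:
        pkg = owner_of.get(path)
        flags = changed.get(path, "")
        if pkg is None:
            verdicts[path] = "INVESTIGATE: not owned by any package"
        elif "5" in flags or "S" in flags:
            verdicts[path] = "INVESTIGATE: content differs from %s (%s)" % (pkg, flags)
        else:
            verdicts[path] = "explained: matches %s; refresh rkhunter's hash list" % pkg
    return verdicts


# Constructed sample data modelled on the thread; not real output from that server.
SAMPLE_RKHUNTER = "/bin/kill [ BAD ]\n/bin/login [ BAD ]\n/bin/dmesg [ OK ]\n/sbin/ifconfig [ BAD ]\n/usr/bin/sshd2 [ BAD ]\n"
SAMPLE_RPM_V = "S.5....T.    /sbin/ifconfig\n"
SAMPLE_OWNERS = {"/bin/kill": "util-linux-EXAMPLE", "/bin/login": "util-linux-EXAMPLE",
                 "/sbin/ifconfig": "net-tools-EXAMPLE", "/usr/bin/sshd2": None}

if __name__ == "__main__":
    for path, verdict in triage(parse_rkhunter(SAMPLE_RKHUNTER), SAMPLE_RPM_V, SAMPLE_OWNERS).items():
        print(path, "->", verdict)
```

On a live system the two inputs come from `rpm -Vf` and `rpm -qf` run over the BAD paths; a file rpm still vouches for after an up2date run is the "hash list is stale" case, the other two verdicts are the ones worth a closer look.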