
Warning at RootKit Hunter 1.3 Output

Discussion in 'General Discussion' started by isputra, Dec 7, 2007.

  1. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Hi,

    Yesterday I upgraded RKHunter from 1.2.9 to 1.3.0. Today I received the RootKit Hunter Output Daily Run from cron, and it is full of warnings, as you can see below:

    --------------------------------
    Warning: Checking for preload file [ Warning ]
    Warning: Found library preload file: /etc/ld.so.preload
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    -------------------------------------

    I searched this forum and found nothing about the above warnings. Can anyone explain to me the meaning of the above warnings and how to avoid them?

    Or is this just a false warning from RKHunter again, like happened with the earlier version?

    Thanks.
     
  2. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    It is noting that these files do not match previous versions and are executable. You'll want to verify the contents of those files. You can do a diff on the files from that system against a homogeneous system, if you have one.
     
  3. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Ah, thanks cpaneldave.
     
  4. betoranaldi

    betoranaldi Well-Known Member

    Joined:
    Dec 5, 2007
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Sorry to dig up an old thread, but I got the same exact warnings on the same bin files.

    Code:
    Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
    Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
    Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
    Warning: No output found from the lsmod command or the /proc/modules file:
            /proc/modules output: 
            lsmod output: 
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    
    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)

    I don't have an additional system to compare the files to.

    Is there any way I can tell that they are OK? Is there a way I can overwrite them with known, good versions?
     
    #4 betoranaldi, Dec 19, 2008
    Last edited: Dec 19, 2008
  5. nichiyume

    nichiyume Member

    Joined:
    Nov 18, 2004
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Phoenix, Az
    Was this your first time running rkhunter in a while? They could have been updated by yum updating a package. I've seen those; however, if an attacker gained the elevated privileges needed to modify those files, you would have bigger and likely more visible problems.

    You can uncomment:
    ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
    from /etc/rkhunter.conf because it is quite common to get that error.

    You could find out which package those binaries are from and re-install it.

    If you are worried about being rooted, look at ps auxf | less and see if there is something different than before. A good time to research what should be there.
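The two checks suggested above (compare the flagged commands against a known-good copy, and find out which package owns them) can be combined into a small triage script. This is an added example, not code from the thread or from rkhunter; it assumes an RPM-based system like the CentOS boxes cPanel runs on, classifies each flagged file by its magic bytes, and asks the RPM database whether the file still matches its package (when `rpm` is not installed it just says so, and you fall back to diffing against a homogeneous host).

```shell
#!/bin/sh
# Added example: triage the commands rkhunter reported as "replaced by a script".
# Assumes an RPM-based system; paths below are the ones from the warnings in this thread.

# Classify a file by its first bytes: "elf" (native binary), "script" (starts with #!), or "other".
file_kind() {
    elf=$(printf '\177ELF')
    magic=$(head -c 4 "$1" 2>/dev/null)
    case "$magic" in
        "$elf") echo elf ;;
        '#!'*)  echo script ;;
        *)      echo other ;;
    esac
}

# Report which package owns the file and whether rpm -V still considers it unmodified.
verify_pkg() {
    command -v rpm >/dev/null 2>&1 || { echo "  rpm not available; diff against a known-good host instead"; return 0; }
    owner=$(rpm -qf "$1" 2>/dev/null) || { echo "  not owned by any package (investigate)"; return 0; }
    echo "  owner: $owner"
    # rpm -V prints a line only for files that differ from the package metadata
    # (e.g. S.5....T. = size, MD5 and mtime changed); no line means it matches.
    rpm -V "$owner" 2>/dev/null | grep -F "$1" || echo "  matches package database"
}

# The five commands flagged in the rkhunter output quoted above.
FLAGGED="/usr/bin/groups /usr/bin/ldd /usr/bin/whatis /sbin/ifdown /sbin/ifup"

triage() {
    for f in $FLAGGED; do
        [ -e "$f" ] || { echo "$f: missing"; continue; }
        echo "$f: $(file_kind "$f")"
        verify_pkg "$f"
    done
    # The preload warning: show exactly which libraries get injected into every process.
    if [ -s /etc/ld.so.preload ]; then
        echo "/etc/ld.so.preload contents:"
        cat /etc/ld.so.preload
    fi
}

triage
```

A distribution-shipped script will show up as owned by its package with no `rpm -V` output; a file that is unowned, or whose size/MD5 differ, is the one to compare byte for byte against a clean host or a freshly downloaded package.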
     
  6. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    rkhunter has a pretty good mailing list too, I think from the sourceforge page.
     