rkhunter-users Mailing List for Rootkit Hunter (Page 2)
From: Michael D. S. I. <mi...@gu...> - 2022-09-30 03:51:57
On 30 Sep 2022 at 13:41, John Dodson wrote:

Subject: Re: [Rkhunter-users] Question on fixing an issue just saw in rkhunter log
From: John Dodson <jwa...@gm...>
To: mi...@gu..., Rkh...@li...
Date sent: Fri, 30 Sep 2022 13:41:18 +1000

> Hi Michael,
> Although it could be a "positive"...
>
> BOINC https://boinc.berkeley.edu
> The BOINC (Berkeley Open Infrastructure for Network Computing) software
> platform is used for volunteer computing or grid computing creation.
>
> I would have to assume that you (or the "supervisor"/root of the machine)
> chose to install & run boinc, to allow your idle cpu to be used for the above
> "voluntary" work.
>
> If you didn't & don't want it, it's relatively easy to give the command,
>
>     dnf remove boinc*
>
> Of course that might remove some dependencies you are actually using so read
> & understand what dnf is about to do before you agree with the removal.
> It might also have been installed as part of a "group" of packages you are
> using.
>
> Cheers
>
> John (Sydney - where the sun rises slightly earlier than Guam allowing
> for seasonal variation ;-)

Yes, running Boinc on 5 linux machines at home. Was doing the original Seti@home before. Usually look at the rkhunter reports, but don't recall seeing this warning before, so perhaps it was some change in either boinc or einstein project. Perhaps will post on einstein page. Thanks again.

> On Fri, 2022-09-30 at 05:00 +1000, Michael D. Setzer II via Rkhunter-users wrote:
> > Rkhunter reports
> >
> > [04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
> >            Possible rootkit: Possible Universal Rootkit (URK) component
> >            Use the 'lsof -i' or 'netstat -an' command to check this.
> >
> > Using lsof -i get this.
> >
> > lsof -i | grep boinc
> > boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
> > boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> > boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> >
> > The address shows router that doesn't forward this port
> > to machines behind it so don't think it would go
> > anywhere. So not sure if this is an issue, or if it would be
> > something with rkhunter or with boinc einstein project..
> >
> > (Also, saw an issue in report with /usr/libexec/gawk
> > linking to /usr/libexec/awk which is a directory with two
> > files. The gawk is new from earlier this month, the files in
> > awk date to 7/2021?)
> > Fedora 35.
> >
> > # ls -l | grep awk
> > drwxr-xr-x. 2 root root  4096 Jun  6 16:36 awk
> > lrwxrwxrwx. 1 root root     3 Sep 18 01:19 gawk -> awk
> > # ls -l awk
> > total 32
> > -rwxr-xr-x. 1 root root 15944 Jul 22  2021 grcat
> > -rwxr-xr-x. 1 root root 15928 Jul 22  2021 pwcat

+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@gu...
mailto:mse...@gm...
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
From: John D. <jwa...@gm...> - 2022-09-30 03:41:28
Hi Michael,

Although it could be a "positive"...

BOINC https://boinc.berkeley.edu
The BOINC (Berkeley Open Infrastructure for Network Computing) software platform is used for volunteer computing or grid computing creation.

I would have to assume that you (or the "supervisor"/root of the machine) chose to install & run boinc, to allow your idle cpu to be used for the above "voluntary" work.

If you didn't & don't want it, it's relatively easy to give the command,

    dnf remove boinc*

Of course that might remove some dependencies you are actually using so read & understand what dnf is about to do before you agree with the removal. It might also have been installed as part of a "group" of packages you are using.

Cheers

John (Sydney - where the sun rises slightly earlier than Guam allowing for seasonal variation ;-)

On Fri, 2022-09-30 at 05:00 +1000, Michael D. Setzer II via Rkhunter-users wrote:
> Rkhunter reports
>
> [04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
>            Possible rootkit: Possible Universal Rootkit (URK) component
>            Use the 'lsof -i' or 'netstat -an' command to check this.
>
> Using lsof -i get this.
>
> lsof -i | grep boinc
> boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
> boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
>
> The address shows router that doesn't forward this port
> to machines behind it so don't think it would go
> anywhere. So not sure if this is an issue, or if it would be
> something with rkhunter or with boinc einstein project..
>
> (Also, saw an issue in report with /usr/libexec/gawk
> linking to /usr/libexec/awk which is a directory with two
> files. The gawk is new from earlier this month, the files in
> awk date to 7/2021?)
> Fedora 35.
>
> # ls -l | grep awk
> drwxr-xr-x. 2 root root  4096 Jun  6 16:36 awk
> lrwxrwxrwx. 1 root root     3 Sep 18 01:19 gawk -> awk
> # ls -l awk
> total 32
> -rwxr-xr-x. 1 root root 15944 Jul 22  2021 grcat
> -rwxr-xr-x. 1 root root 15928 Jul 22  2021 pwcat
From: Michael L. <mic...@gm...> - 2022-09-29 19:36:09
I would take rkhunter seriously. I would note the pid and descend into /proc and run ls -lat ./exe inside the PID directory in proc and check the hash of the exe file to make sure it is genuine before writing it off as a bug. I would not write off the traffic as unrouteable because government actors and the most sophisticated criminals use NIDS to evade. You might be wrong, it can't hurt to check the hash of the binary.

Cheers,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Thu, Sep 29, 2022 at 3:06 PM Michael D. Setzer II via Rkhunter-users <rkh...@li...> wrote:
> Rkhunter reports
>
> [04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
>            Possible rootkit: Possible Universal Rootkit (URK) component
>            Use the 'lsof -i' or 'netstat -an' command to check this.
>
> Using lsof -i get this.
>
> lsof -i | grep boinc
> boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
> boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
> boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
>
> The address shows router that doesn't forward this port
> to machines behind it so don't think it would go
> anywhere. So not sure if this is an issue, or if it would be
> something with rkhunter or with boinc einstein project..
>
> (Also, saw an issue in report with /usr/libexec/gawk
> linking to /usr/libexec/awk which is a directory with two
> files. The gawk is new from earlier this month, the files in
> awk date to 7/2021?)
> Fedora 35.
>
> # ls -l | grep awk
> drwxr-xr-x. 2 root root  4096 Jun  6 16:36 awk
> lrwxrwxrwx. 1 root root     3 Sep 18 01:19 gawk -> awk
> # ls -l awk
> total 32
> -rwxr-xr-x. 1 root root 15944 Jul 22  2021 grcat
> -rwxr-xr-x. 1 root root 15928 Jul 22  2021 pwcat
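The check Michael Lazin recommends above (note the PID, look at /proc/<pid>/exe, hash the binary it points at) as an added Python example; this is not code from rkhunter or from any poster. It assumes a Linux-style /proc layout and takes the proc root as a parameter so its self-test runs against a constructed directory tree; the PID 2766, the "boinc" stand-in bytes and the second "deleted" process are constructed. The reference digest you compare against has to come from somewhere you trust (package manager verification, known-good media), which is the point of the advice: the baseline on the running host is exactly what a rootkit could have altered.

```python
"""Check what a PID is really executing via /proc/<pid>/exe and hash it.

Added example for the advice above; it is not code from rkhunter or from
the list posts. proc_root is a parameter so the check can be exercised
against a constructed /proc look-alike; on a real host call it with the
default proc_root="/proc" and the PID that lsof printed (2766 above).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

DELETED_SUFFIX = " (deleted)"


@dataclass
class ExeCheck:
    pid: int
    link_target: str                  # raw readlink() of /proc/<pid>/exe
    path: str                         # link target without the " (deleted)" marker
    deleted: bool                     # binary was unlinked after the process started
    sha256: Optional[str]             # digest of the mapped binary, None if unreadable
    matches_expected: Optional[bool]  # None when no reference digest was given


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_process_exe(pid: int, expected_sha256: Optional[str] = None,
                      proc_root: str = "/proc") -> ExeCheck:
    """Resolve /proc/<pid>/exe and hash the file the kernel actually mapped.

    Hashing through the exe link, rather than the path a tool prints, means a
    look-alike binary elsewhere on PATH cannot satisfy the check. A kernel-level
    rootkit could still lie about /proc, which is why the digest is compared
    against a reference from a trusted source instead of being trusted itself.
    """
    link = os.path.join(proc_root, str(pid), "exe")
    target = os.readlink(link)
    deleted = target.endswith(DELETED_SUFFIX)
    path = target[: -len(DELETED_SUFFIX)] if deleted else target
    try:
        # Open the link itself: on Linux this works even when the file was unlinked.
        digest: Optional[str] = sha256_file(link)
    except OSError:
        digest = None
    match = None
    if expected_sha256 is not None and digest is not None:
        match = digest == expected_sha256.lower()
    return ExeCheck(pid, target, path, deleted, digest, match)


def build_fake_proc(root: str, pid: int, binary: bytes, deleted: bool = False) -> str:
    """Construct a minimal /proc look-alike for offline testing (constructed data)."""
    piddir = os.path.join(root, "proc", str(pid))
    os.makedirs(piddir, exist_ok=True)
    exe_path = os.path.join(root, "bin", f"prog{pid}")
    os.makedirs(os.path.dirname(exe_path), exist_ok=True)
    with open(exe_path, "wb") as f:
        f.write(binary)
    if deleted:
        # The kernel keeps the original link text and appends " (deleted)".
        os.remove(exe_path)
        exe_path += DELETED_SUFFIX
    os.symlink(exe_path, os.path.join(piddir, "exe"))
    return os.path.join(root, "proc")


def demo() -> dict:
    """Exercise the check against a constructed tree and return the results."""
    fake_bin = b"\x7fELF constructed stand-in for /usr/bin/boinc\n"
    expected = hashlib.sha256(fake_bin).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        proc = build_fake_proc(tmp, 2766, fake_bin)
        build_fake_proc(tmp, 4242, b"constructed dropped binary", deleted=True)
        return {
            "expected": expected,
            "good": check_process_exe(2766, expected, proc_root=proc),
            "tampered": check_process_exe(2766, "00" * 32, proc_root=proc),
            "gone": check_process_exe(4242, proc_root=proc),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "deleted" case is the one worth keeping in mind when reading lsof output: a process whose executable no longer exists on disk cannot be verified by hashing any path, only by reading the mapped image through /proc, and that state on its own deserves a closer look.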
From: Michael D. S. I. <mi...@gu...> - 2022-09-29 19:00:50
Rkhunter reports

[04:21:27] Warning: Network TCP port 47018 is being used by /usr/bin/boinc.
           Possible rootkit: Possible Universal Rootkit (URK) component
           Use the 'lsof -i' or 'netstat -an' command to check this.

Using lsof -i get this.

lsof -i | grep boinc
boinc 2766 msetzerii 7u IPv4 35501 0t0 TCP localhost:xqosd (LISTEN)
boinc 2766 msetzerii 10u IPv4 1331117 0t0 TCP setzconote.dyndns.org:47032->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)
boinc 2766 msetzerii 14u IPv4 1331116 0t0 TCP setzconote.dyndns.org:47018->einstein10.aei.uni-hannover.de:https (CLOSE_WAIT)

The address shows router that doesn't forward this port to machines behind it so don't think it would go anywhere. So not sure if this is an issue, or if it would be something with rkhunter or with boinc einstein project..

(Also, saw an issue in report with /usr/libexec/gawk linking to /usr/libexec/awk which is a directory with two files. The gawk is new from earlier this month, the files in awk date to 7/2021?)
Fedora 35.

# ls -l | grep awk
drwxr-xr-x. 2 root root  4096 Jun  6 16:36 awk
lrwxrwxrwx. 1 root root     3 Sep 18 01:19 gawk -> awk
# ls -l awk
total 32
-rwxr-xr-x. 1 root root 15944 Jul 22  2021 grcat
-rwxr-xr-x. 1 root root 15928 Jul 22  2021 pwcat

+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@gu...
mailto:mse...@gm...
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
From: Mark S. <ma...@ri...> - 2022-07-19 20:40:34
The man page didn't state the order that config files were considered and how multiple occurrences of the same value might be handled.

Attached is a patch to the man page to clarify that first the "rkhunter.d" directory is checked, then the "local" file and finally the main config file. If there are multiple files in the ".d" directory, the option that appears in the last file by alphabetical order will be selected.

I don't want to sign up for a Sourceforge account to submit a single doc-patch.

Thanks,

--
Mark Stosberg (he/him)
Director of Systems & Security
ma...@ri... | 765.277.1916
https://www.rideamigos.com
Changing the way the world commutes.
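The precedence Mark describes, worked through as an added Python example (not rkhunter's own code and not the attached man-page patch): an option set in a file under rkhunter.d/ wins, with the alphabetically last file in that directory taking priority over earlier ones; otherwise the ".local" file decides; otherwise the main config file. The file contents are constructed, the /etc paths are assumed defaults, and the reader should confirm the order against the man page of the version actually installed, since the post is about the man page having been silent on it.

```python
"""Resolve which configuration file wins for a given rkhunter option.

Added example illustrating the precedence described in the post; it is not
rkhunter's own code and not the attached man-page patch. File contents below
are constructed and the paths are assumed defaults. Order modelled, per the
post: files in rkhunter.d/ are consulted first (among them the last file in
alphabetical order wins), then the ".local" file, then the main config file.
"""
import re
from typing import Dict, List, Optional, Tuple

MAIN = "/etc/rkhunter.conf"            # assumed default location
LOCAL = "/etc/rkhunter.conf.local"     # assumed default location
DROPIN_DIR = "/etc/rkhunter.d"         # assumed default location

# Constructed config sources for the demonstration.
FILES: Dict[str, str] = {
    MAIN: """
# main configuration (constructed)
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING=root
ALLOW_SSH_ROOT_USER=no
""",
    LOCAL: """
# site overrides (constructed)
UPDATE_MIRRORS=0
MAIL-ON-WARNING=ops@example.com
""",
    DROPIN_DIR + "/10-site.conf": "MAIL-ON-WARNING=site-ops@example.com\n",
    DROPIN_DIR + "/20-host.conf": "MAIL-ON-WARNING=host-admin@example.com\n",
}

_OPTION = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> Dict[str, str]:
    """Return OPTION -> value for one file; a later line in the same file wins."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTION.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def sources_by_precedence(files: Dict[str, str]) -> List[str]:
    """Highest-precedence source first, following the order the post describes."""
    dropins = sorted(p for p in files
                     if p.startswith(DROPIN_DIR + "/") and p.endswith(".conf"))
    order = list(reversed(dropins))          # alphabetically last drop-in wins
    order += [p for p in (LOCAL, MAIN) if p in files]
    return order


def resolve(option: str, files: Dict[str, str] = FILES) -> Optional[Tuple[str, str]]:
    """Return (value, file) from the first source that sets the option, else None."""
    for path in sources_by_precedence(files):
        opts = parse_conf(files[path])
        if option in opts:
            return opts[option], path
    return None


def effective_config(files: Dict[str, str] = FILES) -> Dict[str, Tuple[str, str]]:
    """Merged view of every option together with the file it was taken from."""
    merged: Dict[str, Tuple[str, str]] = {}
    for path in reversed(sources_by_precedence(files)):   # lowest precedence first
        for key, value in parse_conf(files[path]).items():
            merged[key] = (value, path)                    # higher precedence overwrites
    return merged


if __name__ == "__main__":
    for key, (value, origin) in sorted(effective_config().items()):
        print(f"{key}={value}  ({origin})")
```

Printing the merged view with its provenance is the useful part when a setting "mysteriously" does not take effect: it shows which drop-in file is shadowing the value you edited in the main file.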
From: samsamros <sam...@su...> - 2022-07-05 18:24:11
Hello rkhunter team!

I'd like to report a false positive while using firejail. This may help users using similar configurations who run into this problem rule out a false positive.

I'm using a debian based distro (Parrot OS) running the latest rkhunter and firejail.

firejail version 0.9.64.4

This needs the hardened ping profile (ping-hardened.inc.profile, ping.profile) and symlinks up (sudo firecfg).

Run rkhunter -c -sk

Rootkit checks...
Rootkits checked : 477
Possible rootkits: 7
Rootkit names    : Ping Rootkit or other backdoor

Warning: Checking for possible rootkit strings [ Warning ]
         Found string '/bin/bash' in file '/usr/local/bin/ping'. Possible rootkit: Ping Rootkit or other backdoor

After reviewing the problem and checking multiple other computers with the same config and unrelated to my setup, I was able to rule it out as a false positive.

I reviewed another computer which is also a personal laptop running Parrot OS. The same possible rootkit appeared. I did much research and couldn't find a bug anywhere or information on the rootkit directly. After purging firejail and reinstalling profiles and the software itself the warning was gone (as the symlinks were gone).

I used a friend's system who is unrelated to my network and who I seldom share any information with. He also uses Parrot OS as a desktop distro (no ports with services facing the web directly). He had firejail installed, same version (0.9.64.4), and he also had the ping hardened profile included in /etc/firejail but had not run sudo firecfg after installing the software a few months back. He ran rkhunter -c -sk and the following came out:

Rootkit checks...
Rootkits checked : 477
Possible rootkits: 6 (all of which are confirmed false positives)

I also wrote firejail devs about the issue: https://github.com/netblue30/firejail/issues/5236 where further details may be seen. They also ruled it out as a false positive.

I hope this helps other users who run into this issue find answers on the issue. There are some false positives arising from firejail which are nothing to worry about.

thank you all!
--
From: Martin W. <SN...@gm...> - 2022-06-19 13:10:33
Hey,

I'm using rkhunter 1.4.6 on Ubuntu 18.04.6 LTS on two servers and an older version of Debian on a third server.
For a few weeks I have been getting the "same" error on all three servers from the daily cronjob for rkhunter.

/etc/cron.daily/rkhunter:
libkmod: ERROR ../libkmod/libkmod-module.c:1931 kmod_module_get_holders: could not open '/sys/module/ptp/holders': No such file or directory

/etc/cron.daily/rkhunter:
libkmod: ERROR ../libkmod/libkmod-module.c:1941 kmod_module_get_holders: could not open '/sys/module/dcdbas/holders': No such file or directory

/etc/cron.daily/rkhunter:
libkmod: ERROR ../libkmod/libkmod-module.c:1931 kmod_module_get_holders: could not open '/sys/module/lrw/holders': No such file or directory

I'm confused that the same error occurs on different servers.
I searched for a solution, but couldn't find an answer for this type of error.

Do you have an idea or suggestion on how to fix the problem?

Thank you!
From: John D. <jwa...@gm...> - 2022-05-09 13:32:26
Not sure this is the problem but,

Are you running as root (does rkhunter have read access on those files)?
Are any of those files symlinks & the target is not installed?
Have you checked for config options that set "FreeBSD" or something?

Cheers
John

On Wed, 2022-05-04 at 17:25 +0200, Bastian Beuttel via Rkhunter-users wrote:
> /usr/sbin/ntpsx
From: Bastian B. <ba...@go...> - 2022-05-04 15:25:55
Hi!

I'm using Rootkit Hunter 1.4.6 on a FreeBSD 13.0 machine. When I run it, I get a lot of these Warnings:

```
Warning: Scanning for string /usr/sbin/ntpsx [ Warning ]
         String not found in 'strings' command
Warning: Scanning for string /usr/sbin/.../bkit-ava [ Warning ]
         String not found in 'strings' command
Warning: Scanning for string /usr/sbin/.../bkit-d [ Warning ]
         String not found in 'strings' command
Warning: Scanning for string /usr/sbin/.../bkit-shd [ Warning ]
         String not found in 'strings' command
Warning: Scanning for string /usr/sbin/.../bkit-f [ Warning ]
         String not found in 'strings' command
Warning: Scanning for string /usr/include/.../proc.h [ Warning ]
         String not found in 'strings' command
Warning: Scanning for string /usr/include/.../.bash_history [ Warning ]
         String not found in 'strings' command
[…]
```

Followed by a lot of

```
fopen: No such file or directory
fopen: No such file or directory
fopen: No such file or directory
fopen: No such file or directory
[…]
```

The logs show nothing more informative. I don't have this behavior on another FreeBSD machine. What could I do?

`string` seems to work:

```
# echo "234654ian1" | strings
234654ian1
```

Thanks!
From: Clare A. <cla...@gm...> - 2022-01-27 05:25:24
Hello,

I just installed rkhunter in Ubuntu (under WSL2) and it works great. I also just installed it in Kali on the same machine, also under WSL2, and I get the following:

$ sudo rkhunter -c
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/which.debianutils

$ sudo rkhunter --versioncheck
Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"

This is a fresh install of kali-linux-default. I'd rather not have to edit the read only config file, if that can be helped.

Thoughts?
From: Adam F. <a2...@du...> - 2021-08-26 08:00:32
On 2021-08-20, John Horne wrote:
> On Fri, 2021-08-20 at 11:25 +0100, Adam Funk wrote:
>> On 2021-08-19, John Horne wrote:
>>
>>> On Thu, 2021-08-19 at 13:43 +0100, Adam Funk wrote:
>>>> On a fairly fresh installation of Raspberry Pi OS (buster image of
>>>> 2021-05-07 kept up to date with `sudo apt update` and `apt
>>>> dist-upgrade`), I'm getting this strange warning from rkhunter:
>>>>
>>>> Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so
>>>>
>>>> I've never seen this on the other Pi OS that I've been using, and it
>>>> looks like a variable substitution has failed in producing the
>>>> message.
>>>>
>>> The variable is part of the file name used by the shared library mechanism.
>>> Nothing to do with the message itself.
>>
>> Thanks!
>>
>> Do you know what causes it, and whether it's a concern or "noise"?
>>
> A quick google seems to indicate it is something to do with Raspberry Pi and
> the 6l and 7l ARMHF platforms. It looks genuine.

Thanks! (I did try googling it but couldn't come up with anything that looked relevant to this.)
From: John D. <jwa...@gm...> - 2021-08-23 00:57:18
I would assume you are using dnf or something to update the system?

If you also run logwatch (which if you are running rkhunter I assume you would ;-) then it shows packages updated recently.

Otherwise you can try, for example, (fedora/redhat)

    rpm -q --whatprovides /usr/bin/ssh

then

    rpm -qi openssh-clients

then

    grep openssh-clients /var/log/dnf.rpm.log

if you are really interested.

Ubuntu? /var/log/apt ?

Cheers
John

On Sat, 2021-08-21 at 20:55 +0000, matthewhtb--- via Rkhunter-users wrote:
> I ran Rkhunter 1.4.6 and received many "Warning" messages. I realize that
> Rkhunter has a hash for various executables and provides the "Warning" if
> the hashes of the current files are different. There were 24 occasions
> where the file hash had changed which strikes me as a lot. Three examples
> are below.
>
> Is there a way to check if these are false positives (as they result from
> Ubuntu updating the executables) or something more concerning?
>
> I have never run rkhunter --proupd
>
> -----
>
> Warning: The file properties have changed:
>          File: /usr/bin/ssh
>          Current hash: e875b1185577ff872fbaabde481cc196af03745c530403c8303f00fe35859bf7
>          Stored hash : 240970e65242586bf8160f3cebc4a7e8c7074a5fc203219af153fa858490f81c
>          Current inode: 1051539    Stored inode: 1049714
>          Current file modification time: 1627044912 (23-Jul-2021 13:55:12)
>          Stored file modification time : 1590737829 (29-May-2020 08:37:09)
>
> Warning: The file properties have changed:
>          File: /usr/bin/ps
>          Current hash: 701d30ed7055d688aad76e94f43f6da71bf6ca58caa961cee5f38d0c45c0aa52
>          Stored hash : 6e1be2ff79adf6a05ad09b6df87618a5f9857378a2978beb1dec12e20fd34844
>          Current inode: 1050911    Stored inode: 1049547
>          Current file modification time: 1622222850 (28-May-2021 18:27:30)
>          Stored file modification time : 1582782727 (27-Feb-2020 05:52:07)
>
> Warning: The file properties have changed:
>          File: /usr/sbin/groupadd
>          Current hash: c4a51fd9348b4981d8cd5a4d9115e25dd1b7647129d01f31b962936d96c33b8d
>          Stored hash : 05b11bc4a81adda19d9e899ee05faa79553fd9bfd088911ec6ec9b31f358beb2
>          Current inode: 1050480    Stored inode: 1057423
>          Current file modification time: 1626300498 (14-Jul-2021 23:08:18)
>          Stored file modification time : 1590647867 (28-May-2020 07:37:47)
From: <mat...@da...> - 2021-08-21 21:11:22
I ran Rkhunter 1.4.6 and received many Warning messages. I realize that Rkhunter has a hash for various executables and provides the Warning if the hashes of the current files are different. There were 24 occasions where the file hash had changed which strikes me as a lot. Three examples are below.

Is there a way to check if these are false positives (as they result from Ubuntu updating the executables) or something more concerning?

I have never run rkhunter --proupd

-----

Warning: The file properties have changed:
         File: /usr/bin/ssh
         Current hash: e875b1185577ff872fbaabde481cc196af03745c530403c8303f00fe35859bf7
         Stored hash : 240970e65242586bf8160f3cebc4a7e8c7074a5fc203219af153fa858490f81c
         Current inode: 1051539    Stored inode: 1049714
         Current file modification time: 1627044912 (23-Jul-2021 13:55:12)
         Stored file modification time : 1590737829 (29-May-2020 08:37:09)

Warning: The file properties have changed:
         File: /usr/bin/ps
         Current hash: 701d30ed7055d688aad76e94f43f6da71bf6ca58caa961cee5f38d0c45c0aa52
         Stored hash : 6e1be2ff79adf6a05ad09b6df87618a5f9857378a2978beb1dec12e20fd34844
         Current inode: 1050911    Stored inode: 1049547
         Current file modification time: 1622222850 (28-May-2021 18:27:30)
         Stored file modification time : 1582782727 (27-Feb-2020 05:52:07)

Warning: The file properties have changed:
         File: /usr/sbin/groupadd
         Current hash: c4a51fd9348b4981d8cd5a4d9115e25dd1b7647129d01f31b962936d96c33b8d
         Stored hash : 05b11bc4a81adda19d9e899ee05faa79553fd9bfd088911ec6ec9b31f358beb2
         Current inode: 1050480    Stored inode: 1057423
         Current file modification time: 1626300498 (14-Jul-2021 23:08:18)
         Stored file modification time : 1590647867 (28-May-2020 07:37:47)
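The question in this post, and John D.'s answer to it (cross-check the changed files against the package manager), as an added Python example that is not rkhunter's own code: it parses the "file properties have changed" blocks, rejoins the 64-hex-character hashes that the mail client wrapped onto two lines, and then compares each file's *current* hash with a reference the operator trusts. The three warning blocks are the ones quoted in the post; TRUSTED is a constructed stand-in for such a reference (digests recomputed from files the package manager has verified, for instance), not real Ubuntu package data. The stored baseline is the wrong thing to compare against: it is simply older than the last update, which is why all 24 files differ from it.

```python
"""Parse rkhunter "file properties have changed" warnings and triage them.

Added example prompted by the question above; not rkhunter's own code. SAMPLE
holds the three warnings quoted in the post, with the hashes wrapped across
two lines as the mail client delivered them. TRUSTED is a constructed stand-in
for reference digests you actually trust; it is not a real package manifest.
"""
import re
from typing import Dict, List

SAMPLE = """\
Warning: The file properties have changed:
File: /usr/bin/ssh
Current hash: e875b1185577ff872fbaabde481cc196af03745c530403c830
3f00fe35859bf7
Stored hash : 240970e65242586bf8160f3cebc4a7e8c7074a5fc203219af1
53fa858490f81c
Current inode: 1051539 Stored inode: 1049714
Current file modification time: 1627044912 (23-Jul-2021 13:55:12)
Stored file modification time : 1590737829 (29-May-2020 08:37:09)

Warning: The file properties have changed:
File: /usr/bin/ps
Current hash: 701d30ed7055d688aad76e94f43f6da71bf6ca58caa961cee5
f38d0c45c0aa52
Stored hash : 6e1be2ff79adf6a05ad09b6df87618a5f9857378a2978beb1d
ec12e20fd34844
Current inode: 1050911 Stored inode: 1049547
Current file modification time: 1622222850 (28-May-2021 18:27:30)
Stored file modification time : 1582782727 (27-Feb-2020 05:52:07)

Warning: The file properties have changed:
File: /usr/sbin/groupadd
Current hash: c4a51fd9348b4981d8cd5a4d9115e25dd1b7647129d01f31b9
62936d96c33b8d
Stored hash : 05b11bc4a81adda19d9e899ee05faa79553fd9bfd088911ec6
ec9b31f358beb2
Current inode: 1050480 Stored inode: 1057423
Current file modification time: 1626300498 (14-Jul-2021 23:08:18)
Stored file modification time : 1590647867 (28-May-2020 07:37:47)
"""

# Constructed reference digests (NOT real package data): ssh matches the
# current hash, ps deliberately does not, groupadd has no entry at all.
TRUSTED: Dict[str, str] = {
    "/usr/bin/ssh": "e875b1185577ff872fbaabde481cc196af03745c530403c8303f00fe35859bf7",
    "/usr/bin/ps": "0" * 64,
}

_HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LINE = re.compile(r"^(Current|Stored) hash\s*:\s*(.*)$")
_INODES = re.compile(r"Current inode:\s*(\d+)\s+Stored inode:\s*(\d+)")
_EPOCH = re.compile(r"(\d{9,})")


def _join_wrapped_hashes(text: str) -> List[str]:
    """Re-attach hash continuation lines that a mail client wrapped."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if out and _HEX_ONLY.match(line) and _HASH_LINE.match(out[-1]):
            out[-1] += line
        else:
            out.append(line)
    return out


def parse_property_warnings(text: str) -> List[dict]:
    """One dict per warning block: file, hashes, inodes and epoch mtimes."""
    warnings: List[dict] = []
    cur = None
    for line in _join_wrapped_hashes(text):
        if line.startswith("Warning: The file properties have changed"):
            cur = {}
            warnings.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("File:"):
            cur["file"] = line.split(":", 1)[1].strip()
        elif (m := _HASH_LINE.match(line)):
            cur[f"{m.group(1).lower()}_hash"] = m.group(2).strip().lower()
        elif (m := _INODES.match(line)):
            cur["current_inode"], cur["stored_inode"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Current file modification time"):
            cur["current_mtime"] = int(_EPOCH.search(line).group(1))
        elif line.startswith("Stored file modification time"):
            cur["stored_mtime"] = int(_EPOCH.search(line).group(1))
    return warnings


def triage(warnings: List[dict], trusted: Dict[str, str]) -> Dict[str, str]:
    """Compare each file's current hash with a trusted reference, not the stale baseline."""
    verdicts: Dict[str, str] = {}
    for w in warnings:
        ref = trusted.get(w["file"])
        if ref is None:
            verdicts[w["file"]] = "no-reference"       # verify with dpkg/rpm first
        elif ref.lower() == w["current_hash"]:
            verdicts[w["file"]] = "matches-reference"  # consistent with a package update
        else:
            verdicts[w["file"]] = "mismatch"           # investigate before any --propupd
    return verdicts


if __name__ == "__main__":
    parsed = parse_property_warnings(SAMPLE)
    for w in parsed:
        print(w["file"], w["current_hash"], w["current_mtime"] - w["stored_mtime"], "s newer")
    print(triage(parsed, TRUSTED))
```

Only after every file comes back as matching a trusted reference does refreshing the baseline make sense; a refresh taken while a mismatch is unexplained would silently turn the change into the new normal.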
From: John H. <joh...@pl...> - 2021-08-20 18:38:53
On Fri, 2021-08-20 at 11:25 +0100, Adam Funk wrote:
> On 2021-08-19, John Horne wrote:
>
>> On Thu, 2021-08-19 at 13:43 +0100, Adam Funk wrote:
>>> On a fairly fresh installation of Raspberry Pi OS (buster image of
>>> 2021-05-07 kept up to date with `sudo apt update` and `apt
>>> dist-upgrade`), I'm getting this strange warning from rkhunter:
>>>
>>> Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so
>>>
>>> I've never seen this on the other Pi OS that I've been using, and it
>>> looks like a variable substitution has failed in producing the
>>> message.
>>>
>> The variable is part of the file name used by the shared library mechanism.
>> Nothing to do with the message itself.
>
> Thanks!
>
> Do you know what causes it, and whether it's a concern or "noise"?
>
A quick google seems to indicate it is something to do with Raspberry Pi and the 6l and 7l ARMHF platforms. It looks genuine.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
________________________________
This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form.
From: Adam F. <a2...@du...> - 2021-08-20 10:30:37
On 2021-08-19, John Horne wrote:
> On Thu, 2021-08-19 at 13:43 +0100, Adam Funk wrote:
>> On a fairly fresh installation of Raspberry Pi OS (buster image of
>> 2021-05-07 kept up to date with `sudo apt update` and `apt
>> dist-upgrade`), I'm getting this strange warning from rkhunter:
>>
>> Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so
>>
>> I've never seen this on the other Pi OS that I've been using, and it
>> looks like a variable substitution has failed in producing the
>> message.
>>
> The variable is part of the file name used by the shared library mechanism.
> Nothing to do with the message itself.

Thanks!

Do you know what causes it, and whether it's a concern or "noise"?
From: John H. <joh...@pl...> - 2021-08-19 15:48:38
On Thu, 2021-08-19 at 13:43 +0100, Adam Funk wrote:
> On a fairly fresh installation of Raspberry Pi OS (buster image of
> 2021-05-07 kept up to date with `sudo apt update` and `apt
> dist-upgrade`), I'm getting this strange warning from rkhunter:
>
> Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so
>
> I've never seen this on the other Pi OS that I've been using, and it
> looks like a variable substitution has failed in producing the
> message.
>
The variable is part of the file name used by the shared library mechanism. Nothing to do with the message itself.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: John H. <joh...@pl...> - 2021-08-19 14:39:25
|
On Thu, 2021-08-19 at 12:37 +0200, ks...@gm... wrote:
> Hello,
> I've got a Linux Server (openSUSE 15.2) that suddenly showed a suspicious
> warning during the night after a timed rkhunter scan (cron job), the days
> before it was quiet.
> There was no update on the machine before, no reboot or something like
> that...
>
> RKHunter shows a warning about 'systemd' as a possible rootkit, can anybody
> help me with that?
> Any hints how I could verify what that means?
> Is there a known false positive relating to that message or something like
> that?
>
>
> Running Rootkit Hunter version 1.4.6 (updated):
>
> ...
> [04:06:33] Info: Starting test name 'malware'
> [04:06:33] Performing malware checks
> [04:06:33]
> [04:06:33] Info: Test 'deleted_files' disabled at users request.
> [04:06:33]
> [04:06:33] Info: Starting test name 'running_procs'
> [04:06:50] Checking running processes for suspicious files [ Warning ]
> [04:06:50] Warning: The following processes are using suspicious files:
> [04:06:50] Command: systemd
> [04:06:50] UID: 0 PID: 1
> [04:06:50] Pathname:
> [04:06:50] Possible Rootkit: Unknown rootkit
> [04:06:50]
Without the pathname not much can be said really. I vaguely remember a bug fix in the dev version for when pathnames weren't being shown, but that might have been with a different test.

John.

-- 
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK |
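John's reply turns on one detail of the log: the `running_procs` warning names a process but leaves `Pathname:` empty, so there is nothing to check. The parser below is an added example (not from the thread and not rkhunter's own code) that pulls the `Command`/`UID`/`PID`/`Pathname`/`Possible Rootkit` records out of the `running_procs` section of an rkhunter log and separates the ones with an empty pathname, which need hand triage (for instance by reading `/proc/<pid>/maps` of the named PID), from the ones that can be checked directly. The systemd record in the sample log is the one from the thread; the second record, `example-daemon` with a path under `/dev/shm`, is constructed to show a populated field.

```python
"""Extract 'running_procs' warning records from an rkhunter log.

Added example, not rkhunter code. Groups the per-process lines rkhunter
prints under "The following processes are using suspicious files" into
records and flags those whose Pathname field is empty.
"""
import re

# Constructed sample: the systemd record mirrors the thread's log; the
# second record is invented to show a populated Pathname field.
SAMPLE_LOG = """\
[04:06:33] Info: Starting test name 'running_procs'
[04:06:50] Checking running processes for suspicious files [ Warning ]
[04:06:50] Warning: The following processes are using suspicious files:
[04:06:50] Command: systemd
[04:06:50] UID: 0 PID: 1
[04:06:50] Pathname:
[04:06:50] Possible Rootkit: Unknown rootkit
[04:06:50] Command: example-daemon
[04:06:50] UID: 0 PID: 4242
[04:06:50] Pathname: /dev/shm/constructed.so
[04:06:50] Possible Rootkit: Unknown rootkit
[04:06:50]
[04:06:50] Info: Test 'hidden_procs' disabled at users request.
"""

_STAMP_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s?")
_START_RE = re.compile(r"^Info: Starting test name '([^']+)'")
_FIELD_RE = re.compile(r"^(Command|Pathname|Possible Rootkit):\s*(.*)$")
_IDS_RE = re.compile(r"^UID:\s*(\d+)\s+PID:\s*(\d+)$")


def parse_running_procs(log_text):
    """Return one dict per warning record inside the running_procs test."""
    records = []
    in_test = False
    current = None
    for raw in log_text.splitlines():
        line = _STAMP_RE.sub("", raw).strip()
        m = _START_RE.match(line)
        if m:
            # A new test section starts; only collect inside running_procs.
            in_test = m.group(1) == "running_procs"
            current = None
            continue
        if not in_test:
            continue
        if line.startswith("Info: Test '"):
            # The next test is announced (here as disabled): section over.
            in_test = False
            continue
        m = _FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Command":
                current = {"command": value, "uid": None, "pid": None,
                           "pathname": "", "rootkit": ""}
                records.append(current)
            elif current is not None:
                current["pathname" if key == "Pathname" else "rootkit"] = value
            continue
        m = _IDS_RE.match(line)
        if m and current is not None:
            current["uid"], current["pid"] = int(m.group(1)), int(m.group(2))
    return records


def needs_triage(records):
    """Records with an empty Pathname: the objected-to file is unknown."""
    return [r for r in records if not r["pathname"]]


if __name__ == "__main__":
    recs = parse_running_procs(SAMPLE_LOG)
    for r in recs:
        state = "NO PATHNAME, triage by hand" if not r["pathname"] else r["pathname"]
        print(f"pid {r['pid']:>6} uid {r['uid']} {r['command']:15} {state}")
```

On a real host, feed it `/var/log/rkhunter.log` (the path the thread's own log names); the records with a pathname can be compared against package ownership or a known-good hash, while the empty ones are the cases John describes as unanswerable from the log alone.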
From: Adam F. <a2...@du...> - 2021-08-19 12:50:20
|
On a fairly fresh installation of Raspberry Pi OS (buster image of 2021-05-07 kept up to date with `sudo apt update` and `apt dist-upgrade`), I'm getting this strange warning from rkhunter:

Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so

I've never seen this on the other Pi OS that I've been using, and it looks like a variable substitution has failed in producing the message.

Any ideas?

Thanks |
From: <ks...@gm...> - 2021-08-19 10:38:03
|
Hello,
I've got a Linux Server (openSUSE 15.2) that suddenly showed a suspicious warning during the night after a timed rkhunter scan (cron job), the days before it was quiet.
There was no update on the machine before, no reboot or something like that...

RKHunter shows a warning about 'systemd' as a possible rootkit, can anybody help me with that?
Any hints how I could verify what that means?
Is there a known false positive relating to that message or something like that?

Running Rootkit Hunter version 1.4.6 (updated):

...
[04:06:33] Info: Starting test name 'malware'
[04:06:33] Performing malware checks
[04:06:33]
[04:06:33] Info: Test 'deleted_files' disabled at users request.
[04:06:33]
[04:06:33] Info: Starting test name 'running_procs'
[04:06:50] Checking running processes for suspicious files [ Warning ]
[04:06:50] Warning: The following processes are using suspicious files:
[04:06:50] Command: systemd
[04:06:50] UID: 0 PID: 1
[04:06:50] Pathname:
[04:06:50] Possible Rootkit: Unknown rootkit
[04:06:50]
[04:06:50] Info: Test 'hidden_procs' disabled at users request.
[04:06:50]
[04:06:50] Info: Test 'suspscan' disabled at users request.
[04:06:50]
[04:06:50] Info: Starting test name 'login_backdoors'
[04:06:50] Checking for '/bin/.login' [ Not found ]
[04:06:50] Checking for '/sbin/.login' [ Not found ]
[04:06:50] Checking for login backdoors [ None found ]
...

Thanks for any help!

Bye
Kristof S. |
From: John H. <joh...@pl...> - 2021-08-14 01:24:56
|
On Fri, 2021-08-13 at 11:12 -0700, Pallav Kothari wrote:
> Hey there,
>
> Rkhunter sent a lot of bounced e-mails after it ran its daily scan on 3rd
> August.
> I'm not sure why rkhunter sent so many e-mails because MAIL-ON-WARNING is
> commented out.
> sudo cat /etc/rkhunter.conf | grep root
> #MAIL-ON-WARNING=me@mydomain root@mydomain
> sudo cat /etc/rkhunter.conf | grep mail
> #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
> Mail from rkhunter server:
> regular_text: Date: Wed, 28 Jul 2021 03:41:44 -0700
> regular_text: From: root@www-12
> regular_text: To: root@localhost
> regular_text: Subject: rkhunter Daily Run on server12
> regular_text: Message-ID:
> regular_text: User-Agent: Heirloom mailx 12.5 7/5/10
> regular_text: MIME-Version: 1.0
> regular_text: Content-Type: text/plain; charset=us-ascii
> regular_text: Content-Transfer-Encoding: 7b
>
The email you quoted is a bit old (28 July). Maybe your configuration file changed in the meantime.

John.

-- 
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK |
From: Pallav K. <pal...@it...> - 2021-08-13 18:43:52
|
Hey there,

Rkhunter sent a lot of bounced e-mails after it ran its daily scan on 3rd August.
I'm not sure why rkhunter sent so many e-mails because MAIL-ON-WARNING is commented out.

sudo cat /etc/rkhunter.conf | grep root
#MAIL-ON-WARNING=me@mydomain root@mydomain

sudo cat /etc/rkhunter.conf | grep mail
#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

Mail from rkhunter server:

regular_text: Date: Wed, 28 Jul 2021 03:41:44 -0700
regular_text: From: root@www-12
regular_text: To: root@localhost
regular_text: Subject: rkhunter Daily Run on server12
regular_text: Message-ID:
regular_text: User-Agent: Heirloom mailx 12.5 7/5/10
regular_text: MIME-Version: 1.0
regular_text: Content-Type: text/plain; charset=us-ascii
regular_text: Content-Transfer-Encoding: 7b |
From: Eddie B. <ed...@ma...> - 2021-07-20 18:42:34
|
RKhunter 1.4.6 on Debian 11.

Debian 11 has been running for a week (upgrade from Debian 10; have been using rkhunter for years with no problems before). But the alert came last night for the first time:

grep: (standard input): binary file matches

It also occurs when I manually `bash /etc/cron.daily/rkhunter`

/etc/cron.daily/rkhunter is standard:

sha256sum /etc/cron.daily/rkhunter
c67c1129cd34f0d1da9bb68e1309cff700c7fd83c79993469367c51205ca0da5

pls advise. |
From: David H. <rkh...@sh...> - 2021-07-05 00:51:46
|
Hello,

I have been using rkhunter for a while - thanks for an awesome product by the way. But I have started to get warnings about:

/dev/shm/BC2-Main-40731-1978420_wb_wc: data
/dev/shm/BC2-Main-40731-1978420_wb_rc: data
/dev/shm/BC2-Main-40731-1978420_wb: data
/dev/shm/BC2-Main-40731-1978420_rb_wc: data
/dev/shm/BC2-Main-40731-1978420_rb_rc: data
/dev/shm/BC2-Main-40731-1978420_rb: data
/dev/shm/BC1-GPU-40731-1978449_wb_wc: data
/dev/shm/BC1-GPU-40731-1978449_wb_rc: data
/dev/shm/BC1-GPU-40731-1978449_wb: data
/dev/shm/BC1-GPU-40731-1978449_rb_wc: data
/dev/shm/BC1-GPU-40731-1978449_rb_rc: data
/dev/shm/BC1-GPU-40731-1978449_rb: data
/dev/shm/BC1-Main-40731-1978420_wb_wc: data
/dev/shm/BC1-Main-40731-1978420_wb_rc: data
/dev/shm/BC1-Main-40731-1978420_wb: data
/dev/shm/BC1-Main-40731-1978420_rb_wc: data
/dev/shm/BC1-Main-40731-1978420_rb_rc: data
/dev/shm/BC1-Main-40731-1978420_rb: data
/dev/shm/A9FD4FEDA01CCA9DFA1FD71A7_data: data
/dev/shm/A9FD4FEDA01CCA9DFA1FD71A7: data

How can I tell whether these are to be expected or not please? Normally I would google it, but I am getting nothing back about the source of these. I am guessing these might be CPU/GPU related (purely because of the -GPU- in some of them), but I would prefer to be sure before whitelisting them. And the last two which I have no idea about...

Thanks for your time.

David |
From: Al V. <alv...@ma...> - 2021-07-02 12:35:48
|
Note that the newest update, beside mirrors.dat is i18/de on 2018021101. Most of the rest are much older.

-Al-

> On Jul 2, 2021, at 05:02, Ewert, Steffen <St...@co...> wrote:
>
> Ok! Solved!
>
> Looked at https://sourceforge.net/p/rkhunter/mailman/message/37214275/ into the last section: after changing the content of the file /var/lib/rkhunter/db/mirrors.dat from
>
> Version:2021020601
> remote=https://rkhunter.sourceforge.io
> mirror=https://rkhunter.sourceforge.io
>
> to
>
> Version:2021020602
> mirror=http://rkhunter.sourceforge.net
> remote=http://rkhunter.sourceforge.net
>
> it works!
>
> Thanks to all and have a nice weekend!
> Steffen |
From: Ewert, S. <St...@co...> - 2021-07-02 12:02:26
|
Ok! Solved!

Looked at https://sourceforge.net/p/rkhunter/mailman/message/37214275/ into the last section: after changing the content of the file /var/lib/rkhunter/db/mirrors.dat from

Version:2021020601
remote=https://rkhunter.sourceforge.io
mirror=https://rkhunter.sourceforge.io

to

Version:2021020602
mirror=http://rkhunter.sourceforge.net
remote=http://rkhunter.sourceforge.net

it works! :-)

Thanks to all and have a nice weekend!
Steffen

On Thursday, 01.07.2021 at 17:42, Ewert, Steffen wrote:

Hello,

I have here a Debian 10 system. Every time I do a "rkhunter --update" I get

| [17:30:24] Running Rootkit Hunter version 1.4.6 on DFlExt4
| [17:30:24]
| [17:30:24] Info: Start date is Thu 01 Jul 2021 05:30:24 PM CEST
| [17:30:24]
| [17:30:24] Checking configuration file and command-line options...
| [17:30:24] Info: Detected operating system is 'Linux'
| [17:30:24] Info: Found O/S name: Debian GNU/Linux 10 (buster)
| [17:30:24] Info: Command line is /usr/bin/rkhunter --update
| [17:30:24] Info: Environment shell is /bin/bash; rkhunter is using dash
| [17:30:24] Info: Using configuration file '/etc/rkhunter.conf'
| [17:30:24] Info: Installation directory is '/usr'
| [17:30:24] Info: Using language 'en'
| [17:30:24] Info: Using '/var/lib/rkhunter/db' as the database directory
| [17:30:24] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
| [17:30:24] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /opt/wildfly-22.0.0.Final/bin' as the command directories
| [17:30:24] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
| [17:30:24] Info: X will be automatically detected
| [17:30:24] Info: Using second color set
| [17:30:24] Info: Found the 'basename' command: /usr/bin/basename
| [17:30:24] Info: Found the 'diff' command: /usr/bin/diff
| [17:30:24] Info: Found the 'dirname' command: /usr/bin/dirname
| [17:30:24] Info: Found the 'file' command: /usr/bin/file
| [17:30:24] Info: Found the 'find' command: /usr/bin/find
| [17:30:24] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
| [17:30:24] Info: Found the 'ip' command: /usr/sbin/ip
| [17:30:24] Info: Found the 'ipcs' command: /usr/bin/ipcs
| [17:30:24] Info: Found the 'ldd' command: /usr/bin/ldd
| [17:30:24] Info: Found the 'lsattr' command: /usr/bin/lsattr
| [17:30:24] Info: Found the 'lsmod' command: /usr/sbin/lsmod
| [17:30:24] Info: Found the 'lsof' command: /usr/bin/lsof
| [17:30:24] Info: Found the 'mktemp' command: /usr/bin/mktemp
| [17:30:24] Info: Found the 'netstat' command: /usr/bin/netstat
| [17:30:24] Info: Found the 'numfmt' command: /usr/bin/numfmt
| [17:30:24] Info: Found the 'perl' command: /usr/bin/perl
| [17:30:24] Info: Found the 'pgrep' command: /usr/bin/pgrep
| [17:30:24] Info: Found the 'ps' command: /usr/bin/ps
| [17:30:24] Info: Found the 'pwd' command: /usr/bin/pwd
| [17:30:24] Info: Found the 'readlink' command: /usr/bin/readlink
| [17:30:24] Info: Found the 'stat' command: /usr/bin/stat
| [17:30:24] Info: Found the 'strings' command: /usr/bin/strings
| [17:30:24] Info: Found the 'wget' command: /usr/bin/wget
| [17:30:24] Info: The mirrors file will be rotated
| [17:30:24] Info: Both local and remote mirrors will be used
| [17:30:24] Info: The mirrors file will be updated
| [17:30:24] Info: Logging to log file: /var/log/rkhunter.log
| [17:30:24] Info: Locking is not being used
| [17:30:24]
| [17:30:24] Checking rkhunter data files...
| [17:30:24] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM'
| [17:30:24] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.SVrROABgWb'
| [17:30:24] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:24] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
| [17:30:25] Info: Download failed - 1 mirror(s) left.
| [17:30:25] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.3VeWSgPHKp'
| [17:30:25] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:25] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
| [17:30:26] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
| [17:30:26] Checking file mirrors.dat [ Update failed ]
| [17:30:26] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/programs_bad.dat 2>/dev/null'
| [17:30:27] Info: Download failed - 1 mirror(s) left.
| [17:30:27] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.G52DN9sdJN'
| [17:30:27] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:27] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/programs_bad.dat 2>/dev/null'
| [17:30:28] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
| [17:30:28] Checking file programs_bad.dat [ Update failed ]
| [17:30:28] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/backdoorports.dat 2>/dev/null'
| [17:30:29] Info: Download failed - 1 mirror(s) left.
| [17:30:29] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.TERb4FKGwG'
| [17:30:29] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:29] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/backdoorports.dat 2>/dev/null'
| [17:30:30] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
| [17:30:30] Checking file backdoorports.dat [ Update failed ]
| [17:30:30] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/suspscan.dat 2>/dev/null'
| [17:30:31] Info: Download failed - 1 mirror(s) left.
| [17:30:31] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.7Ft28KYtq9'
| [17:30:31] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:31] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/suspscan.dat 2>/dev/null'
| [17:30:32] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
| [17:30:32] Checking file suspscan.dat [ Update failed ]
| [17:30:32] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/i18n/1.4.6/i18n.ver 2>/dev/null'
| [17:30:33] Info: Download failed - 1 mirror(s) left.
| [17:30:33] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.4JxnPBYOt6'
| [17:30:33] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:33] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/i18n/1.4.6/i18n.ver 2>/dev/null'
| [17:30:34] Checking file i18n versions [ Update failed ]
| [17:30:34] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.

I see that the URL is wrong. It's https://rkhunter.sourceforge.io/mirrors.dat but it should be https://rkhunter.sourceforge.io/1.4/mirrors.dat. Is this because of the error message in the last line "Unable to determine the latest version number."? What can I do to get the update to work? |
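The two versions of `mirrors.dat` quoted in this thread show the whole format: a `Version:` line followed by `remote=`, `mirror=` (and optionally `local=`) URL lines, and the log shows rkhunter rotating that file between download attempts. The script below is an added example (not rkhunter's own code) that parses the format and models the update decision behind the warning Steffen asks about: it assumes, as my reading of the warning text rather than anything the thread establishes, that the updater looks for a `Version:` line in whatever the download produced, so an empty or non-data response (a failed fetch, an HTML error page) yields "unable to determine the latest version" rather than a version comparison. The file contents are the ones from the thread; the ordering in `candidate_urls` is this example's choice.

```python
"""Parse rkhunter's mirrors.dat and model the data-file version check.

Added example, not rkhunter code. mirrors.dat holds a Version line plus
remote=/mirror=/local= URLs; the functions below parse it, reproduce the
"rotate the mirrors file" step seen in the log, and decide whether a
downloaded copy is newer, unchanged, or unusable.
"""
import re

# The two mirrors.dat contents quoted in the thread.
OLD_MIRRORS = """\
Version:2021020601
remote=https://rkhunter.sourceforge.io
mirror=https://rkhunter.sourceforge.io
"""
NEW_MIRRORS = """\
Version:2021020602
mirror=http://rkhunter.sourceforge.net
remote=http://rkhunter.sourceforge.net
"""

_VERSION_RE = re.compile(r"^Version:\s*(\d+)\s*$")
_ENTRY_RE = re.compile(r"^(remote|mirror|local)\s*=\s*(\S+)\s*$")


def parse_mirrors(text):
    """Return {'version': int|None, 'remote': [...], 'mirror': [...], 'local': [...]}.

    Anything that is neither a Version line nor a key=URL line (blank lines,
    comments, or an HTML error body that a failed download left behind) is
    ignored, which is why a bad download parses to version None.
    """
    info = {"version": None, "remote": [], "mirror": [], "local": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _VERSION_RE.match(line)
        if m and info["version"] is None:
            info["version"] = int(m.group(1))
            continue
        m = _ENTRY_RE.match(line)
        if m:
            info[m.group(1)].append(m.group(2))
    return info


def decide_update(local_text, downloaded_text):
    """'unknown' if the download has no Version line, else 'update' or 'current'."""
    remote_version = parse_mirrors(downloaded_text)["version"]
    if remote_version is None:
        return "unknown"          # the case behind "Unable to determine the latest version number"
    local_version = parse_mirrors(local_text)["version"]
    if local_version is None or remote_version > local_version:
        return "update"
    return "current"


def rotate_mirrors(urls):
    """Move the first URL to the end: the 'rotated' order after a failed attempt."""
    return urls[1:] + urls[:1] if len(urls) > 1 else list(urls)


def candidate_urls(text, use_local=True, use_remote=True):
    """Download URLs to try. Ordering (mirror, then local, then remote) is this example's choice."""
    info = parse_mirrors(text)
    urls = list(info["mirror"])
    if use_local:
        urls += info["local"]
    if use_remote:
        urls += info["remote"]
    return urls


if __name__ == "__main__":
    print("old -> new:", decide_update(OLD_MIRRORS, NEW_MIRRORS))
    print("new -> new:", decide_update(NEW_MIRRORS, NEW_MIRRORS))
    print("old -> empty download:", decide_update(OLD_MIRRORS, ""))
    print("try order:", candidate_urls(OLD_MIRRORS))
    print("after rotation:", rotate_mirrors(candidate_urls(OLD_MIRRORS)))
```

One caveat on the fix the thread settles on: the replacement file points both entries at plain `http://`, so the signature data rkhunter then downloads arrives without any transport integrity, and an `https://` mirror that actually resolves is the safer choice where one is available.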