rkhunter-users Mailing List for Rootkit Hunter (Page 3)
Brought to you by:
dogsbody
From: Ewert, S. <St...@co...> - 2021-07-02 11:44:13

Hi, thanks for your replies. Here are the settings of my rkhunter.conf:

    #> grep -v "^#" rkhunter.conf | grep .
    UPDATE_MIRRORS=1
    MIRRORS_MODE=0
    TMPDIR=/var/lib/rkhunter/tmp
    DBDIR=/var/lib/rkhunter/db
    SCRIPTDIR=/usr/share/rkhunter/scripts
    UPDATE_LANG="en"
    LOGFILE=/var/log/rkhunter.log
    USE_SYSLOG=authpriv.warning
    AUTO_X_DETECT=1
    ALLOW_SSH_PROT_V1=2
    ENABLE_TESTS=ALL
    DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps
    SCRIPTWHITELIST=/bin/egrep
    SCRIPTWHITELIST=/bin/fgrep
    SCRIPTWHITELIST=/bin/which
    SCRIPTWHITELIST=/usr/bin/ldd
    SCRIPTWHITELIST=/usr/sbin/adduser
    SCRIPTWHITELIST=/usr/bin/egrep
    SCRIPTWHITELIST=/usr/bin/fgrep
    SCRIPTWHITELIST=/usr/bin/which
    SCRIPTWHITELIST=/usr/bin/lwp-request
    ALLOWHIDDENDIR=/etc/.java
    ALLOWDEVFILE=/dev/shm/PostgreSQL.*
    WEB_CMD=""
    INSTALLDIR=/usr

If I change the WEB_CMD to 'WEB_CMD=wget' the update is still failing.

I have also found another Debian 10 server with rkhunter V1.4.6. On that machine the update works fine! The configuration is the same (except some differences in the "ALLOW..." entries). The WEB_CMD entry is there set to: WEB_CMD=""

If I look on this machine into the log file I see that the update URL is correct (within ".../1.4/..."):

    Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.KLbWw6RrLe" http://rkhunter.sourceforge.net/1.4/programs_bad.dat 2>/dev/null'

That's strange. Where is the difference to the machine on which the update fails?

Best regards,
Steffen
From: John H. <joh...@pl...> - 2021-07-02 11:12:38

On Thu, 2021-07-01 at 17:42 +0200, Ewert, Steffen wrote:
>
> I have here a Debian 10 system. Every time if I do a "rkhunter --update" I
> get
>
> | [17:30:24] Running Rootkit Hunter version 1.4.6 on DFlExt4
> | [17:30:24]
> | [17:30:24] Info: Start date is Thu 01 Jul 2021 05:30:24 PM CEST
> | [17:30:24]
> | [17:30:24] Checking configuration file and command-line options...
> | [17:30:24] Info: Detected operating system is 'Linux'
> | [17:30:24] Info: Found O/S name: Debian GNU/Linux 10 (buster)
> ...
> | [17:30:24]
> | [17:30:24] Checking rkhunter data files...
> | [17:30:24] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM'
> | [17:30:24] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.SVrROABgWb'
> | [17:30:24] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
> | [17:30:24] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
> | [17:30:25] Info: Download failed - 1 mirror(s) left.
> | [17:30:25] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.3VeWSgPHKp'
> | [17:30:25] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
> | [17:30:25] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
> | [17:30:26] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
> | [17:30:26] Checking file mirrors.dat [ Update failed ]
> | [17:30:26] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/programs_bad.dat 2>/dev/null'
> | [17:30:27] Info: Download failed - 1 mirror(s) left.
>

Hello,

I have been using a test Debian 10 server (for other work), and have just installed rkhunter via apt.

I was a bit surprised in that the supplied configuration file is obviously wrong. Trying to run an '--update' it seems they have set the WEB_CMD config option to (literally) "/bin/false" (i.e. with the double-quotes). However, double-quotes are a perfectly valid filename character. So RKH sees this as a relative file name, and fails before doing much at all. I created a /etc/rkhunter.conf.local file containing 'WEB_CMD=wget'.

As to your problem, they have also set the MIRRORS_MODE option such that RKH expects local mirrors. To the rkhunter.conf.local file I added 'MIRRORS_MODE=0'. Updates now worked.

However, they have also configured RKH not to update any of the language files (except 'en'). No problem with that really, but it's not exactly user-friendly! (If you want to enable this, then add 'UPDATE_LANG=' to the /etc/rkhunter.conf.local file.)

Finally it seems they have disabled the mirrors file itself from being updated - which is obviously useful if you are using local mirrors. However, if you have modified the mirrors mode to use remote mirrors, then you may also want to set 'UPDATE_MIRRORS=1'.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
________________________________
[http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>

This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form.
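The packaged-configuration problem John describes, worked through as an added example (this is not code from the thread or from rkhunter itself): a POSIX shell script that resolves the effective WEB_CMD, MIRRORS_MODE and UPDATE_MIRRORS values from rkhunter.conf plus rkhunter.conf.local and reports the settings that stop '--update'. It assumes, as John's message indicates, that rkhunter.conf.local overrides the packaged file; the sample files it writes are constructed to mirror his description, not Debian's real ones.

```shell
#!/bin/sh
# Added example for the rkhunter-users thread; not rkhunter's own code.
# Resolves the update-related options from rkhunter.conf plus
# rkhunter.conf.local (assumed, as John's message describes, to override the
# packaged file) and reports the settings that stop 'rkhunter --update'.

# effective_option CONF LOCAL NAME
# Prints NAME's value after applying LOCAL on top of CONF. An assignment in
# LOCAL wins even when it is empty (John's 'UPDATE_LANG=' relies on that).
effective_option() {
    name=$3
    value=''
    for f in "$1" "$2"; do
        [ -r "$f" ] || continue
        if grep -q "^[[:space:]]*${name}=" "$f"; then
            value=$(sed -n "s/^[[:space:]]*${name}=//p" "$f" | tail -n 1)
        fi
    done
    printf '%s\n' "$value"
}

# check_update_config CONF LOCAL
# Prints one line per setting that breaks updates; prints nothing when the
# three options look usable.
check_update_config() {
    web_cmd=$(effective_option "$1" "$2" WEB_CMD)
    mode=$(effective_option "$1" "$2" MIRRORS_MODE)
    upd=$(effective_option "$1" "$2" UPDATE_MIRRORS)

    case $web_cmd in
        ''|'""')
            # Unset: rkhunter picks a downloader itself. The thread's working
            # host has WEB_CMD="" and its log still shows wget being used.
            ;;
        *\"*)
            # Quotes are kept literally, so the whole value is read as a
            # relative filename (Debian's "/bin/false", per John).
            echo "WEB_CMD: quotes kept literally, $web_cmd is a relative filename" ;;
        */false|false)
            echo "WEB_CMD: $web_cmd can never download anything" ;;
        /*)
            [ -x "$web_cmd" ] || echo "WEB_CMD: $web_cmd is not executable" ;;
        *)
            command -v "$web_cmd" >/dev/null 2>&1 ||
                echo "WEB_CMD: $web_cmd not found in PATH" ;;
    esac
    # MIRRORS_MODE=0 is what the working host logs as "Both local and remote
    # mirrors will be used"; anything else restricts the mirror set.
    [ "$mode" = 0 ] ||
        echo "MIRRORS_MODE=$mode: not using local and remote mirrors (set MIRRORS_MODE=0)"
    [ "$upd" = 1 ] ||
        echo "UPDATE_MIRRORS=$upd: mirrors.dat is never refreshed (set UPDATE_MIRRORS=1)"
}

# write_samples DIR
# Writes a constructed pair of files: the packaged settings John describes
# and the rkhunter.conf.local he created. Not Debian's real files.
write_samples() {
    cat > "$1/rkhunter.conf" <<'EOF'
# constructed sample of the packaged Debian 10 file
UPDATE_MIRRORS=0
MIRRORS_MODE=1
WEB_CMD="/bin/false"
UPDATE_LANG="en"
EOF
    cat > "$1/rkhunter.conf.local" <<'EOF'
WEB_CMD=wget
MIRRORS_MODE=0
UPDATE_MIRRORS=1
UPDATE_LANG=
EOF
}

# Stand-alone demo on the constructed files. For a real host pass
# /etc/rkhunter.conf and /etc/rkhunter.conf.local instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== packaged file only =="
check_update_config "$demo_dir/rkhunter.conf" /dev/null
echo "== with rkhunter.conf.local =="
check_update_config "$demo_dir/rkhunter.conf" "$demo_dir/rkhunter.conf.local"
rm -rf "$demo_dir"
```

Run against a real host, the first block of findings is what the packaged file alone produces and the second is what remains after the local override; an empty second block means the three update options are no longer the reason '--update' fails.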
From: Ewert, S. <St...@co...> - 2021-07-01 15:58:53

Hello,

I have here a Debian 10 system. Every time if I do a "rkhunter --update" I get

| [17:30:24] Running Rootkit Hunter version 1.4.6 on DFlExt4
| [17:30:24]
| [17:30:24] Info: Start date is Thu 01 Jul 2021 05:30:24 PM CEST
| [17:30:24]
| [17:30:24] Checking configuration file and command-line options...
| [17:30:24] Info: Detected operating system is 'Linux'
| [17:30:24] Info: Found O/S name: Debian GNU/Linux 10 (buster)
| [17:30:24] Info: Command line is /usr/bin/rkhunter --update
| [17:30:24] Info: Environment shell is /bin/bash; rkhunter is using dash
| [17:30:24] Info: Using configuration file '/etc/rkhunter.conf'
| [17:30:24] Info: Installation directory is '/usr'
| [17:30:24] Info: Using language 'en'
| [17:30:24] Info: Using '/var/lib/rkhunter/db' as the database directory
| [17:30:24] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
| [17:30:24] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /opt/wildfly-22.0.0.Final/bin' as the command directories
| [17:30:24] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
| [17:30:24] Info: X will be automatically detected
| [17:30:24] Info: Using second color set
| [17:30:24] Info: Found the 'basename' command: /usr/bin/basename
| [17:30:24] Info: Found the 'diff' command: /usr/bin/diff
| [17:30:24] Info: Found the 'dirname' command: /usr/bin/dirname
| [17:30:24] Info: Found the 'file' command: /usr/bin/file
| [17:30:24] Info: Found the 'find' command: /usr/bin/find
| [17:30:24] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
| [17:30:24] Info: Found the 'ip' command: /usr/sbin/ip
| [17:30:24] Info: Found the 'ipcs' command: /usr/bin/ipcs
| [17:30:24] Info: Found the 'ldd' command: /usr/bin/ldd
| [17:30:24] Info: Found the 'lsattr' command: /usr/bin/lsattr
| [17:30:24] Info: Found the 'lsmod' command: /usr/sbin/lsmod
| [17:30:24] Info: Found the 'lsof' command: /usr/bin/lsof
| [17:30:24] Info: Found the 'mktemp' command: /usr/bin/mktemp
| [17:30:24] Info: Found the 'netstat' command: /usr/bin/netstat
| [17:30:24] Info: Found the 'numfmt' command: /usr/bin/numfmt
| [17:30:24] Info: Found the 'perl' command: /usr/bin/perl
| [17:30:24] Info: Found the 'pgrep' command: /usr/bin/pgrep
| [17:30:24] Info: Found the 'ps' command: /usr/bin/ps
| [17:30:24] Info: Found the 'pwd' command: /usr/bin/pwd
| [17:30:24] Info: Found the 'readlink' command: /usr/bin/readlink
| [17:30:24] Info: Found the 'stat' command: /usr/bin/stat
| [17:30:24] Info: Found the 'strings' command: /usr/bin/strings
| [17:30:24] Info: Found the 'wget' command: /usr/bin/wget
| [17:30:24] Info: The mirrors file will be rotated
| [17:30:24] Info: Both local and remote mirrors will be used
| [17:30:24] Info: The mirrors file will be updated
| [17:30:24] Info: Logging to log file: /var/log/rkhunter.log
| [17:30:24] Info: Locking is not being used
| [17:30:24]
| [17:30:24] Checking rkhunter data files...
| [17:30:24] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM'
| [17:30:24] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.SVrROABgWb'
| [17:30:24] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:24] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
| [17:30:25] Info: Download failed - 1 mirror(s) left.
| [17:30:25] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.3VeWSgPHKp'
| [17:30:25] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:25] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/mirrors.dat 2>/dev/null'
| [17:30:26] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
| [17:30:26] Checking file mirrors.dat [ Update failed ]
| [17:30:26] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/programs_bad.dat 2>/dev/null'
| [17:30:27] Info: Download failed - 1 mirror(s) left.
| [17:30:27] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.G52DN9sdJN'
| [17:30:27] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:27] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/programs_bad.dat 2>/dev/null'
| [17:30:28] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
| [17:30:28] Checking file programs_bad.dat [ Update failed ]
| [17:30:28] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/backdoorports.dat 2>/dev/null'
| [17:30:29] Info: Download failed - 1 mirror(s) left.
| [17:30:29] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.TERb4FKGwG'
| [17:30:29] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:29] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/backdoorports.dat 2>/dev/null'
| [17:30:30] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
| [17:30:30] Checking file backdoorports.dat [ Update failed ]
| [17:30:30] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/suspscan.dat 2>/dev/null'
| [17:30:31] Info: Download failed - 1 mirror(s) left.
| [17:30:31] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.7Ft28KYtq9'
| [17:30:31] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:31] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/suspscan.dat 2>/dev/null'
| [17:30:32] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
| [17:30:32] Checking file suspscan.dat [ Update failed ]
| [17:30:32] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/i18n/1.4.6/i18n.ver 2>/dev/null'
| [17:30:33] Info: Download failed - 1 mirror(s) left.
| [17:30:33] Info: Created temporary file '/var/lib/rkhunter/tmp/mirrors.dat.4JxnPBYOt6'
| [17:30:33] Info: The mirrors file has been rotated: /var/lib/rkhunter/db/mirrors.dat
| [17:30:33] Info: Executing download command '/usr/bin/wget -q -O "/var/lib/rkhunter/tmp/rkhunter.upd.rObivgfPpM" https://rkhunter.sourceforge.io/i18n/1.4.6/i18n.ver 2>/dev/null'
| [17:30:34] Checking file i18n versions [ Update failed ]
| [17:30:34] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.

I see that the URL is wrong. It's https://rkhunter.sourceforge.io/mirrors.dat but it should be https://rkhunter.sourceforge.io/1.4/mirrors.dat [1]. Is this because of the error message in the last line "Unable to determine the latest version number."? What can I do to get the update to work?

Links:
------
[1] https://rkhunter.sourceforge.io/mirrors.dat
From: John D. <jwa...@gm...> - 2021-06-08 03:38:20

I think the answer would probably be yes, but the question is who/what would be interpreting the result, when & what would be done about it?

This is especially relevant since you appear to work for spacelabs.com (Spacelabs Healthcare) which would imply that you might be considering putting it into a "monitor" or "sensor" that might then be embedded into a medical device/system that you would expect will somehow "protect" that device from some nefarious attackers.

I think you'll find there's a lot more to it than that, but it might be a useful place to start.

Might be useful to ask on a yocto list what people use for securing their systems...

Cheers

John

On Mon, 2021-06-07 at 13:07 +0000, Aikansh Shukla wrote:
> Hi,
>
> I would like to know that does rkhunter support yocto linux?
>
> regards,
> Aikansh
From: Aikansh S. <Aik...@sp...> - 2021-06-07 13:23:33

Hi,

I would like to know that does rkhunter support yocto linux?

regards,
Aikansh
From: Joe S. <jo...@br...> - 2021-05-25 03:24:05

Hi:

How can I eliminate these port errors. They are ok, I just would rather not see the errors.

    Warning: Process '/usr/local/cpanel/3rdparty/perl/532/bin/perl' (PID 23066) is listening on the network.

--
___________________________
Joe Saladino [jo...@br...]
Ph: (208) 971-7570

You never realize Jesus is all you need
until Jesus is all you have.
--Timothy Keller (The Prodigal Prophet)
From: Rootkit H. <opa...@do...> - 2021-05-21 03:41:20

On 5/20/21 7:22 AM, John Dodson [Masked] wrote:
> I can only think to ask, what does,
>
> ls -laRZ /usr/libexec/*awk
>
> say on each machine, are they different (& binary wise?), are remote filesystems
> involved, do the gawk package/binaries on each server verify, does/did a package
> update occur when rkhunter ran causing a race, etc.

On a machine where it works correctly

    $ ls -laRZ /usr/libexec/*awk
    lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 16 Mar 15 2019 /usr/libexec/gawk -> /usr/libexec/awk

    /usr/libexec/awk:
    total 32
    drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 4096 Apr 7 13:14 .
    drwxr-xr-x. 27 root root system_u:object_r:bin_t:s0 4096 May 6 15:53 ..
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9240 Mar 15 2019 grcat
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9224 Mar 15 2019 pwcat

On one where it doesn't

    $ ls -laRZ /usr/libexec/*awk
    lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 16 Mar 15 2019 /usr/libexec/gawk -> /usr/libexec/awk

    /usr/libexec/awk:
    total 32
    drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 32 Apr 6 11:22 .
    drwxr-xr-x. 34 root root system_u:object_r:bin_t:s0 4096 May 6 15:57 ..
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9240 Mar 15 2019 grcat
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9224 Mar 15 2019 pwcat

Honestly, they look pretty similar to me. RPM tells me none of the files were altered. No remote filesystems are involved.

> Cheers
>
> John
>
>
> On Wed, 2021-05-19 at 15:17 -0700, opa...@do... wrote:
>> On some of my OL8 servers, rkhunter throws this warning:
>>
>> Warning: No hash value found for file '/usr/libexec/gawk' in the
>> 'rkhunter.dat' file.
>>
>> /usr/libexec/gawk is a symlink to /usr/libexec/awk. Which, in turn, is
>> a directory
>>
>> $ file /usr/libexec/gawk
>> /usr/libexec/gawk: symbolic link to /usr/libexec/awk
>>
>> $ file /usr/libexec/awk
>> /usr/libexec/awk: directory
>>
>> This does not affect all the nodes. Some seem to behave normally.
>>
>> Running rkhunter on the affected nodes with --propupd does not fix it.
>>
>> I am using rkhunter 1.4.6
>>
>> Suggestions?
>>
>
From: Simon B. <sim...@do...> - 2021-05-20 22:20:31

Hi everybody,

we are running a server on Oracle Linux 8 with rkhunter 1.4.6 and podman to run some rootless containers. Whenever rkhunter does his running_procs scan, we get a lot of warnings containing commands (so I know which container is the cause) but no pathnames - e.g.

    [15:07:32] Command: postgres
    [15:07:32] UID: xxxxx PID: xxxxxx
    [15:07:32] Pathname:
    [15:07:33] Possible Rootkit: Spam tool component

I'd like to whitelist those, but RTKT_FILE_WHITELIST requires a full path. What can I do to keep the running_procs scan without getting all those false positives?

Thanks in advance
--
Simon Berchner
From: John D. <jwa...@gm...> - 2021-05-20 14:22:34

I can only think to ask, what does,

    ls -laRZ /usr/libexec/*awk

say on each machine, are they different (& binary wise?), are remote filesystems involved, do the gawk package/binaries on each server verify, does/did a package update occur when rkhunter ran causing a race, etc.

Cheers

John

On Wed, 2021-05-19 at 15:17 -0700, opa...@do... wrote:
> On some of my OL8 servers, rkhunter throws this warning:
>
> Warning: No hash value found for file '/usr/libexec/gawk' in the
> 'rkhunter.dat' file.
>
> /usr/libexec/gawk is a symlink to /usr/libexec/awk. Which, in turn, is
> a directory
>
> $ file /usr/libexec/gawk
> /usr/libexec/gawk: symbolic link to /usr/libexec/awk
>
> $ file /usr/libexec/awk
> /usr/libexec/awk: directory
>
> This does not affect all the nodes. Some seem to behave normally.
>
> Running rkhunter on the affected nodes with --propupd does not fix it.
>
> I am using rkhunter 1.4.6
>
> Suggestions?
>
From: <opa...@do...> - 2021-05-19 22:46:10

On some of my OL8 servers, rkhunter throws this warning:

    Warning: No hash value found for file '/usr/libexec/gawk' in the 'rkhunter.dat' file.

/usr/libexec/gawk is a symlink to /usr/libexec/awk. Which, in turn, is a directory

    $ file /usr/libexec/gawk
    /usr/libexec/gawk: symbolic link to /usr/libexec/awk

    $ file /usr/libexec/awk
    /usr/libexec/awk: directory

This does not affect all the nodes. Some seem to behave normally.

Running rkhunter on the affected nodes with --propupd does not fix it.

I am using rkhunter 1.4.6

Suggestions?

--
Do not become so fixated on the cheese at the end of the maze that you forget the real goal is to escape from the lab.

Stephen
From: John L. <jle...@ou...> - 2021-05-03 22:49:02

Well, after I stared at it for a while, it became obvious. IMMUTITELIST should be IMMUTWHITELIST !!!

The -C option is happy now. The default rkhunter.conf just needs a tiny edit.

Regards,
John

On 5/3/21 6:20 PM, John LeRoy wrote:
> Hello list,
>
> I want to use the immutable files from a Debian Live on a USB stick.
>
> So I tried to avoid a constant warning entry in the log file by using
> the whitelist entry.
>
> However, this is what I got:
>
> #
> # Allow the specified file to have the immutable attribute set.
> #
> # This option may be specified more than once, and may use wildcard
> characters.
> #
> # The default value is the null string.
> #
> IMMUTITELIST=/sbin/ifdown
>
> gives
>
> user@debian:~$ sudo rkhunter -C
> Unknown configuration file option: IMMUTITELIST=/sbin/ifdown
>
> Please advise. Thank you.
>
> John
>
>
>
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
From: John L. <jle...@ou...> - 2021-05-03 22:20:57

Hello list,

I want to use the immutable files from a Debian Live on a USB stick.

So I tried to avoid a constant warning entry in the log file by using the whitelist entry.

However, this is what I got:

    #
    # Allow the specified file to have the immutable attribute set.
    #
    # This option may be specified more than once, and may use wildcard characters.
    #
    # The default value is the null string.
    #
    IMMUTITELIST=/sbin/ifdown

gives

    user@debian:~$ sudo rkhunter -C
    Unknown configuration file option: IMMUTITELIST=/sbin/ifdown

Please advise. Thank you.

John
From: John H. <joh...@pl...> - 2021-02-07 00:39:50

Hello,

For the next release of 'rkhunter' I have updated the GNU GPL license file ('LICENSE') from version 2 to version 3. I have also modified the supplied RPM spec file template ('rkhunter.spec') to state the license as 'GPLv3+'.

I doubt these changes will affect anyone, but I feel that I should let you know anyway.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: John H. <joh...@pl...> - 2021-02-06 23:53:11

On Sat, 2021-02-06 at 18:30 +0000, John Horne wrote:
> Hello,
>
> I have now modified the rkhunter sourceforge (SF) site to use HTTPS rather
> than HTTP. This should only affect the '--update' and '--versioncheck'
> options, which download files from SF. The rkhunter code itself has not been
> modified (yet) as SF say that they will simply perform a redirect as
> required.
>

Hello,

Unfortunately I have had to revert this change (so we are using HTTP again). Rkhunter performs a check on the mirror URL(s), causing the above change to fail. So we will need to push out a new version of rkhunter before we can move to HTTPS.

If you really want to use HTTPS now, then you can either get the latest development version (from https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/ ) and download a snapshot or you can modify the code yourself (it's only one line).

If you want to modify the code, then you need to change the 'rkhunter' program (version 1.4.6) line 7502 from:

    ======
    if [ $DOING_VERS_CHK -eq 0 -a "${MIRROR}" = "http://rkhunter.sourceforge.net" ]; then
    ======

to

    ======
    if [ $DOING_VERS_CHK -eq 0 -a \( "${MIRROR}" = "https://rkhunter.sourceforge.io" -o "${MIRROR}" = "http://rkhunter.sourceforge.net" \) ]; then
    ======

In either case, you will then need to modify your 'mirrors.dat' file (usually found at '/var/lib/rkhunter/db/mirrors.dat'). Change the mirror URLs in it to 'https://rkhunter.sourceforge.io' and modify the version number (the first line) to something that begins '2022' (which is the year of the version). This stops the file from being updated itself (otherwise the mirror would revert to using HTTP again).

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: John H. <joh...@pl...> - 2021-02-06 19:04:08

Hello,

I have now modified the rkhunter sourceforge (SF) site to use HTTPS rather than HTTP. This should only affect the '--update' and '--versioncheck' options, which download files from SF. The rkhunter code itself has not been modified (yet) as SF say that they will simply perform a redirect as required.

The modification also now uses PHP 7 rather than PHP 5 at SF. I don't think this has any effect on rkhunter.

The Rootkit Hunter project website itself has not been modified to use HTTPS yet. So you may get a warning about some parts of the site being unsecure. I'll look into that when I get a moment.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: Brian C. H. <bc...@bc...> - 2021-01-18 02:40:40

Hello,

I recently started seeing this warning:

    Warning: No hash value found for file '/usr/local/bin/perl' in the 'rkhunter.dat' file.
    Warning: No symbolic link target found for file '/usr/local/bin/perl' in the 'rkhunter.dat' file

I tried using EXISTWHITELIST to suppress the messages, but these settings didn't work:

    EXISTWHITELIST=/usr/local/bin/*
    EXISTWHITELIST=/usr/local/bin/perl

I assume that this error comes from the fact that the target of the symbolic link disappeared between db updates. I tried removing the prop DB and running with --propupd, but it made no difference.

I see mentions that this issue has been repeatedly addressed, but I can't find how it has been addressed. Am I missing something?

Brian
From: <vze...@ve...> - 2020-12-03 23:14:46

On Mon, 29 Jun 2020, C. Kujau wrote:
> On Tue, 16 Jun 2020, vze1amckv--- via Rkhunter-users wrote:
>>> [22:28:06] Info: Starting test name 'passwd_changes'
>> [22:28:06] Checking for passwd file changes [ Warning ]
>> [22:28:07] Warning: User 'tcpdump' has been added to the passwd file.
>> [22:28:07]
>>
>> I haven't installed tcpdump recently. Is there any other reason why a
>> "tcpdump" user would be created? For example do you know what other common
>> software might have tcpdump bundled with it?
>
> Most of this should already be covered in the FAQ:
>
> https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/FAQ
>
> Especially 3.1, "Rootkit Hunter tells me there is something wrong with my
> system. What do I do?"
>
> We don't know anything about your system and can't tell what caused the
> additional "tcpdump" user to be created. Better consult your logs and
> install/update scripts to find out if this is a benign addition or not.
>
> Good luck,
> C.

Thanks for the reply to my e-mail earlier this summer - not sure why I never received it (but only found it when searching the archive for an answer.)

I've satisfied myself that the "tcpdump" user is probably nothing to worry about (a third opinion is always helpful), and most of the changed-file warnings are caused by legitimate software updates, but am still curious about the one time I ran rkhunter and it said that "unhide" found hundreds of "hidden" processes. This only happened once, and of course the only way to recover from a real rootkit infection is to completely reformat and reinstall, which would seem to be overkill if nothing is really wrong.

Anyway I do have another question that I asked earlier... I submitted a "support request" to the project developers on the SourceForge website some years ago:

https://sourceforge.net/p/rkhunter/support-requests/44

but for some reason this ticket doesn't show in the list of open cases OR in the list of closed requests. Can an admin please help me to view the status of that request?

Thank you.
From: ciprian p. <cip...@gm...> - 2020-11-28 10:05:01

Hello community,

I'm hoping someone could help me with this. Recently I have installed RKhunter (v1.4.2) on a couple of loadbalancers (Haproxy 2.0.14) running on Debian 9 Stretch. While performing a full system check I'm getting a lot of warnings about tcp ports being used by Haproxy. They look like this:

Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Network TCP port 13000 is being used by /usr/sbin/haproxy. Possible rootkit: Possible Universal Rootkit (URK) SSH server
Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Network TCP port 47018 is being used by /usr/sbin/haproxy. Possible rootkit: Possible Universal Rootkit (URK) component
Use the 'lsof -i' or 'netstat -an' command to check this.

Also, it seems that I cannot simply whitelist those ports as they seem to keep changing. What would one do in this case?

Cheers,
--
Ciprian Parfon
System & Network Engineer
+40 721879113
cip...@gm...
From: Dan B. <da...@do...> - 2020-11-09 18:15:12

Did you read the help page that was returned? rkhunter is never run on its own, it's always run with a command following a space. There is a space in the check command...

`rkhunter --check`

Try `which rkhunter` to see if you can see where it is installed.

Regards,
Dan

On 09/11/2020 17:00, stafford crombie wrote:
> Hi,
>
> I downloaded rkhunter and installed it on my VM it appears in the applications menu.
> However it will not run.
> It only returns the rkhunter -h help list.
>
> I tried running it from the CMD line, as rkhunter—check, but returns, command not found.
>
> I tried sudo rkhunter—check, command not found
> I tried from root again command not found.
>
> Have I done something wrong.
> Stafford
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
From: stafford c. <ask...@ms...> - 2020-11-09 17:33:17

Hi,

I downloaded rkhunter and installed it on my VM; it appears in the applications menu. However it will not run. It only returns the rkhunter -h help list.

I tried running it from the CMD line, as rkhunter—check, but it returns, command not found.

I tried sudo rkhunter—check, command not found.
I tried from root, again command not found.

Have I done something wrong?
Stafford
From: <vze...@ve...> - 2020-10-12 22:04:35

On 10/5/20 7:04 PM, Al Varnell wrote:
> It's normal for some issues to be initially hidden since they might
> contain security vulnerabilities that need to remain so until
> resolved to prevent exploitation. They normally remain hidden until a
> responsible person is assigned and they are judged to be OK for
> public viewing. But I was under the impression that the author would
> have access, so not sure why you are not able to view it.

Thanks. Reason I can't view it is I no longer have the login credentials that I used to create it.

https://sourceforge.net/p/rkhunter/support-requests/44

So I request the admins to please "unhide" this ticket? (Or if they prefer, please e-mail me privately with the status.)

> I'm under the impression that --propupd doesn't affect hidden
> findings, but as I said earlier, I'm not familiar with the unhide
> function.

You are correct; --propupd does not affect the "unhide" test. Rather, it's just that I don't want to run --propupd until I can be certain that I have no infections.

Thank you!
From: Al V. <alv...@ma...> - 2020-10-05 23:05:09

I might be able to address any Mac questions you still have. I have no experience with any other OS or with unhide, so would only be guessing about such questions.

Sent from my iPad
-Al-

> On Oct 5, 2020, at 15:05, vze1amckv--- via Rkhunter-users <rkh...@li...> wrote:
>
> Hello all,
>
> I e-mailed the list a few months ago, but must have missed the reply. A time ago (when I used a Mac) I submitted a question via the "support requests" ticketing function of Sourceforge and was assigned a ticket number of 44:
>
> https://sourceforge.net/p/rkhunter/support-requests/44
>
> I see that no longer appears even in the list of closed tickets. Is there any particular reason it's hidden, and can somebody with access to view the ticket please let me know what's in it? I believe it was Macintosh specific questions if I remember correctly. Sorry if the developers already replied; I simply don't remember.

It's normal for some issues to be initially hidden since they might contain security vulnerabilities that need to remain so until resolved to prevent exploitation. They normally remain hidden until a responsible person is assigned and they are judged to be OK for public viewing. But I was under the impression that the author would have access, so not sure why you are not able to view it.

> More recently (several months ago) I installed rkhunter on a new XUbuntu computer, but I think that I never executed it (as evidenced by the lack of any /var/log/rkhunter.log file).
>
> Thus, since I'd presume it has nothing to compare the existing files to, I was surprised when I saw a slew of warnings about changed file properties. I know they're normal if you update the OS, just not sure what the point of comparison is if it's the first run.

This is perfectly normal. The first time it's run there is nothing to compare the current hash value to, so it should be reporting each file as changed. Normally, one should make a first run immediately after installing a virgin OS in order to establish a baseline. I'm only surprised that only 125 of 145 files were found to have changed.

> Now here's where it gets interesting. I also see this warning:
>
> [22:28:06] Info: Starting test name 'passwd_changes'
> [22:28:06] Checking for passwd file changes [ Warning ]
> [22:28:07] Warning: User 'tcpdump' has been added to the passwd file.
> [22:28:07]
>
> I haven't installed tcpdump recently. Is there any other reason why a "tcpdump" user would be created? For example do you know what other common software might have tcpdump bundled with it?
>
> [22:28:08] Warning: Group 'render' has been added to the group file.
> [22:28:08] Warning: Group 'tcpdump' has been added to the group file.
>
> I don't use this computer for any packet-capturing activities, so not sure how tcpdump got added. Is there a way to find out when?
>
> The end of run shows this:
>
> [22:29:57] System checks summary
> [22:29:57] =====================
> [22:29:57]
> [22:29:57] File properties checks...
> [22:29:57] Required commands check failed
> [22:29:57] Files checked: 145
> [22:29:57] Suspect files: 125
> [22:29:58]
> [22:29:58] Rootkit checks...
> [22:29:58] Rootkits checked : 479
> [22:29:58] Possible rootkits: 4
>
>
> Then in July, I got the attached. (If the attachment doesn't come through... basically the "unhide" test uncovered hundreds of hidden processes.)
>
> What's up with all these hidden processes? I know I can run "--propupd" to suppress warnings, but I also know that puts my stamp of approval on what I see. I'd think the existence of hidden processes would be the #1 clue of actual infection.

I'm under the impression that --propupd doesn't affect hidden findings, but as I said earlier, I'm not familiar with the unhide function.

> Anyway, please let me know what happened to my support ticket.
> https://sourceforge.net/p/rkhunter/support-requests/44
> Thanks!
> <hidden_processes.text>
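The baseline behaviour Al describes (a first run with nothing to compare against reports every file, and --propupd accepts the current state as the new reference) and the passwd_changes test that produced the 'tcpdump' warning are both simple snapshot-and-diff checks. The script below is an added example re-implementing that logic in miniature; it is not rkhunter's own code, the warning wording is approximate, and the file and passwd snapshots are constructed:

```python
"""Toy re-implementation of two rkhunter checks discussed above: the file
properties baseline and the passwd_changes test. Added example, not
rkhunter's own code; warning wording is approximate, sample data constructed."""
import hashlib
import os
from typing import Dict, List

def file_props(path: str) -> Dict[str, object]:
    """Properties a file-properties check compares: mode, size and hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"mode": oct(st.st_mode & 0o7777), "size": st.st_size, "sha256": digest}

def check_files(paths: List[str], baseline: Dict[str, Dict]) -> List[str]:
    """One warning per file whose current properties differ from the baseline.
    With no stored baseline (first run, no earlier --propupd) nothing matches,
    so every file is reported: expected on a fresh install, not a sign of infection."""
    return [f"Warning: The file properties have changed: File: {p}"
            for p in paths if baseline.get(p) != file_props(p)]

def propupd(paths: List[str]) -> Dict[str, Dict]:
    """What --propupd does: accept the current state as the new baseline, which
    is why it should only be run once the system is known to be clean."""
    return {p: file_props(p) for p in paths}

def passwd_users(passwd_text: str) -> set:
    """Usernames are the first colon-separated field of each passwd line."""
    return {line.split(":")[0] for line in passwd_text.splitlines() if line.strip()}

def check_passwd(stored: str, current: str) -> List[str]:
    """Mirror of the passwd_changes test: users present now but absent from the
    copy of /etc/passwd saved on the previous run."""
    return [f"Warning: User '{u}' has been added to the passwd file."
            for u in sorted(passwd_users(current) - passwd_users(stored))]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "ls")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho ls\n")      # constructed stand-in binary
        print(check_files([f], {}))   # first run: every file reported
        base = propupd([f])
        print(check_files([f], base)) # after --propupd: nothing reported
    OLD = "root:x:0:0:root:/root:/bin/bash\n"   # constructed passwd snapshots
    NEW = OLD + "tcpdump:x:110:118::/nonexistent:/usr/sbin/nologin\n"
    print(check_passwd(OLD, NEW))
```

The second check is why the added-user warning is independent of the file baseline: it compares against the saved passwd copy, so --propupd silences the file warnings while the question of who created the account still has to be answered from package and auth logs.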
From: <vze...@ve...> - 2020-10-05 22:04:52

Hello all,

I e-mailed the list a few months ago, but must have missed the reply. A time ago (when I used a Mac) I submitted a question via the "support requests" ticketing function of Sourceforge and was assigned a ticket number of 44:

https://sourceforge.net/p/rkhunter/support-requests/44

I see that no longer appears even in the list of closed tickets. Is there any particular reason it's hidden, and can somebody with access to view the ticket please let me know what's in it? I believe it was Macintosh specific questions if I remember correctly. Sorry if the developers already replied; I simply don't remember.

More recently (several months ago) I installed rkhunter on a new XUbuntu computer, but I think that I never executed it (as evidenced by the lack of any /var/log/rkhunter.log file).

Thus, since I'd presume it has nothing to compare the existing files to, I was surprised when I saw a slew of warnings about changed file properties. I know they're normal if you update the OS, just not sure what the point of comparison is if it's the first run.

Now here's where it gets interesting. I also see this warning:

[22:28:06] Info: Starting test name 'passwd_changes'
[22:28:06] Checking for passwd file changes [ Warning ]
[22:28:07] Warning: User 'tcpdump' has been added to the passwd file.
[22:28:07]

I haven't installed tcpdump recently. Is there any other reason why a "tcpdump" user would be created? For example do you know what other common software might have tcpdump bundled with it?

[22:28:08] Warning: Group 'render' has been added to the group file.
[22:28:08] Warning: Group 'tcpdump' has been added to the group file.

I don't use this computer for any packet-capturing activities, so not sure how tcpdump got added. Is there a way to find out when?

The end of run shows this:

[22:29:57] System checks summary
[22:29:57] =====================
[22:29:57]
[22:29:57] File properties checks...
[22:29:57] Required commands check failed
[22:29:57] Files checked: 145
[22:29:57] Suspect files: 125
[22:29:58]
[22:29:58] Rootkit checks...
[22:29:58] Rootkits checked : 479
[22:29:58] Possible rootkits: 4

Then in July, I got the attached. (If the attachment doesn't come through... basically the "unhide" test uncovered hundreds of hidden processes.)

What's up with all these hidden processes? I know I can run "--propupd" to suppress warnings, but I also know that puts my stamp of approval on what I see. I'd think the existence of hidden processes would be the #1 clue of actual infection.

Anyway, please let me know what happened to my support ticket.
https://sourceforge.net/p/rkhunter/support-requests/44
Thanks!
From: Al V. <alv...@ma...> - 2020-10-03 00:55:21

Confirmed and not an unusual length of time between releases.

Sent from my iPad
-Al-
macOS User

On Oct 2, 2020, at 17:27, John Dodson <jwa...@gm...> wrote:
> Also, it seems that the last rkhunter release was 2018-02-20 - can anyone
> confirm that is the case?
From: Al V. <alv...@ma...> - 2020-10-03 00:54:59

The first is a place to open tickets for issues found or features requested. The second allows users to subscribe to these emails which seek help with use, problems encountered and other discussion topics.

Sent from my iPad
-Al-

> On Oct 2, 2020, at 17:43, John Dodson <jwa...@gm...> wrote:
>
> What is the difference between,
>
> https://sourceforge.net/p/rkhunter/activity/?page=0&limit=100#5ef33dc5ee24ca4de271687e
>
> and
>
> https://sourceforge.net/projects/rkhunter/lists/rkhunter-users
>
> The difference confuses me!
>
> John