rkhunter-users Mailing List for Rootkit Hunter (Page 5)
From: Olexandra B. <bok...@gm...> - 2019-11-04 09:27:50

Hi everyone! I need a hint. The case is that we have a bunch of processes that are running in Docker. One of them is "hydra serve all --dangerous-force-http". How can we whitelist such a process? Does using Docker affect how we should put it in the whitelist?
From: Olexandra B. <bok...@gm...> - 2019-11-04 09:24:23

Just in case anyone else faces this. The problem was the immutable flag set on /usr/sbin/NetworkManager. The case is that when you try to update such a binary, the system can't rewrite it (download the new file with additional symbols, which are maybe the memory segment where the new binary is, delete the old one, rename the new one). As a result you may have a bunch of usr/sbin/NetworkManager files with additional symbols. In system output you may not see it, as ";" is a separator and the name will always be /usr/sbin/NetworkManager, but RKHunter works with strings I suppose, so it shows the process as it is -- usr/sbin/NetworkManager;5cyt67yr. In other words, nothing criminal. To fix it, delete all files with additional symbols, get rid of the immutable flag and reinstall the whole package.

Sun, 26 May 2019 at 02:50 John Horne <joh...@pl...> wrote:
> On Sun, 2019-05-26 at 00:19 +0300, Olexandra Bokova wrote:
> > Hi!
> >
> > Thank you for the reply!
> >
> > I haven't got access to the server right now. I can give the message in two
> > days, if you need. But the main and only warning there is:
> >
> > Warning: Process '/usr/sbin/NetworkManager;5cyt67yr' (PID 2813) is listening
> > on the network.
> >
> I think we'll need to see the output from a debug run of rkhunter. Can you run
> rkhunter with the '--debug' option and send me a copy of the file it produces
> in '/tmp' please.
>
> Thanks,
>
> John.
>
> --
> John Horne | Senior Operations Analyst | Technology and Information Services
> University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
>
> This email and any files with it are confidential and intended solely for
> the use of the recipient to whom it is addressed. If you are not the
> intended recipient then copying, distribution or other use of the
> information contained is strictly prohibited and you should not rely on it.
> If you have received this email in error please let the sender know
> immediately and delete it from your system(s). Internet emails are not
> necessarily secure. While we take every care, University of Plymouth
> accepts no responsibility for viruses and it is your responsibility to scan
> emails and their attachments. University of Plymouth does not accept
> responsibility for any changes made after it was sent. Nothing in this
> email or its attachments constitutes an order for goods or services unless
> accompanied by an official order form.
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
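Olexandra's diagnosis has two parts a defender can check directly: the immutable attribute on the binary, and the leftover `<name>;<suffix>` copies that a failed update leaves beside it (the `/usr/sbin/NetworkManager;5cyt67yr` name rkhunter reported). The following POSIX shell script is an added example, not code from the thread or from rkhunter, that checks both for a given binary path. The demo tree it builds is constructed; the `lsattr` step only gives an answer on filesystems that support file attributes and reports `unknown` elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter: check a binary for the
# two conditions behind the 'NetworkManager;5cyt67yr' report. Paths are
# arguments; the demo tree at the bottom is constructed.

# Print the leftover copies a failed update leaves beside BIN: files in the
# same directory named '<name>;<suffix>'. Prints nothing when there are none.
find_update_leftovers() {
    dir=$(dirname "$1"); name=$(basename "$1")
    for f in "$dir/$name;"*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print immutable / mutable / unknown for FILE. 'unknown' covers hosts
# without lsattr and filesystems that do not support the attribute.
immutable_state() {
    if ! command -v lsattr >/dev/null 2>&1; then
        echo unknown; return 0
    fi
    attrs=$(lsattr "$1" 2>/dev/null | awk '{print $1}')
    if [ -z "$attrs" ]; then
        echo unknown; return 0
    fi
    case $attrs in
        *i*) echo immutable ;;   # 'i' is the immutable flag in lsattr output
        *) echo mutable ;;
    esac
}

# Combined check for BIN: one line per finding; returns 1 if anything was
# found, so it can drive a cron job or a test.
check_binary() {
    bin=$1; rc=0
    if [ "$(immutable_state "$bin")" = immutable ]; then
        printf '%s: immutable attribute set; package updates cannot replace it\n' "$bin"
        rc=1
    fi
    leftovers=$(find_update_leftovers "$bin")
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers" | sed "s|^|$bin: leftover copy from a failed update: |"
        rc=1
    fi
    return $rc
}

# Demo on a constructed tree (run as: sh check.sh --demo); the real target
# in the thread was /usr/sbin/NetworkManager.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    : > "$d/NetworkManager"
    : > "$d/NetworkManager;5cyt67yr"
    check_binary "$d/NetworkManager"
    rm -rf "$d"
fi
```

Run against the real path (`check_binary /usr/sbin/NetworkManager`) after an upgrade that reported errors; a non-zero exit with a `leftover copy` line is the situation described above, and `chattr -i` followed by a package reinstall is the fix the thread arrived at.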
From: Finn F. <fin...@li...> - 2019-10-31 02:05:10

Thanks, John. This solves my issue and I gained new knowledge about rkhunter. :)

________________________________
From: John Horne <joh...@pl...>
Sent: Wednesday, 30 October 2019 7:09 PM
To: rkh...@li... <rkh...@li...>
Subject: Re: [Rkhunter-users] How to whitelist a path in rkhunter 'running_procs' test?

On Wed, 2019-10-30 at 10:44 +0000, Finn Fausto wrote:
> Hi!
>
> I have rootkit hunter running on one of my virtual machines. I'm getting a
> result of:
>
> Info: Starting test name 'running_procs'
> Checking running processes for suspicious files [ Warning ]
> Warning: The following processes are using suspicious files:
> Command: httpd.bin
> UID: 0 PID: 1899
> Pathname: /opt/redmine/apache2/bin/httpd.bin
> Possible Rootkit: IRC bot
>
> Yes, I'm using Redmine also for testing. And this is a false positive
> detection by rkhunter, right? Since it is being used by Redmine.
> I want rkhunter to skip the path /opt/redmine/apache2/bin/httpd.bin when
> my rkhunter script runs.
> I already edited my rkhunter.conf and tried to put the path in the EXISTWHITELIST,
> SCRIPTWHITELIST, and ALLOWIPCPROC sections but I still get the warning.
>
> Can't find a reference on whitelisting a path that is located in the /opt
> directory. What variable in rkhunter.conf should I use for whitelisting
> the said path?
>
Use:

RTKT_FILE_WHITELIST=/opt/redmine/apache2/bin/httpd.bin

As the config file says though, you may also want to ensure that the file is checked in the file properties check. For that add:

USER_FILEPROP_FILES_DIRS=/opt/redmine/apache2/bin/httpd.bin

John.
From: John H. <joh...@pl...> - 2019-10-30 12:42:09

On Wed, 2019-10-30 at 10:44 +0000, Finn Fausto wrote:
> Hi!
>
> I have rootkit hunter running on one of my virtual machines. I'm getting a
> result of:
>
> Info: Starting test name 'running_procs'
> Checking running processes for suspicious files [ Warning ]
> Warning: The following processes are using suspicious files:
> Command: httpd.bin
> UID: 0 PID: 1899
> Pathname: /opt/redmine/apache2/bin/httpd.bin
> Possible Rootkit: IRC bot
>
> Yes, I'm using Redmine also for testing. And this is a false positive
> detection by rkhunter, right? Since it is being used by Redmine.
> I want rkhunter to skip the path /opt/redmine/apache2/bin/httpd.bin when
> my rkhunter script runs.
> I already edited my rkhunter.conf and tried to put the path in the EXISTWHITELIST,
> SCRIPTWHITELIST, and ALLOWIPCPROC sections but I still get the warning.
>
> Can't find a reference on whitelisting a path that is located in the /opt
> directory. What variable in rkhunter.conf should I use for whitelisting
> the said path?
>
Use:

RTKT_FILE_WHITELIST=/opt/redmine/apache2/bin/httpd.bin

As the config file says though, you may also want to ensure that the file is checked in the file properties check. For that add:

USER_FILEPROP_FILES_DIRS=/opt/redmine/apache2/bin/httpd.bin

John.
From: Finn F. <fin...@li...> - 2019-10-30 10:44:14

Hi!

I have rootkit hunter running on one of my virtual machines. I'm getting a result of:

Info: Starting test name 'running_procs'
Checking running processes for suspicious files [ Warning ]
Warning: The following processes are using suspicious files:
Command: httpd.bin
UID: 0 PID: 1899
Pathname: /opt/redmine/apache2/bin/httpd.bin
Possible Rootkit: IRC bot

Yes, I'm using Redmine also for testing. And this is a false positive detection by rkhunter, right? Since it is being used by Redmine. I want rkhunter to skip the path /opt/redmine/apache2/bin/httpd.bin when my rkhunter script runs. I already edited my rkhunter.conf and tried to put the path in the EXISTWHITELIST, SCRIPTWHITELIST, and ALLOWIPCPROC sections but I still get the warning.

Can't find a reference on whitelisting a path that is located in the /opt directory. What variable in rkhunter.conf should I use for whitelisting the said path?
From: John H. <joh...@pl...> - 2019-10-28 12:49:27

On Mon, 2019-10-28 at 10:20 +0000, Koblenz Thomas wrote:
> Hi
>
> the whitelist is working, I see that in the logs. But I still get a warning
> via e-mail.
>
> Info: Found process pathname '/opt/commvault2/Base64/cvd': it is whitelisted.
>
> Is it possible to disable e-mail warnings for whitelisted things?
>
Would you send me a copy of the log file please? Or at least the part containing the output from the whole of the test.

Thanks,

John.

> -----Original Message-----
> From: Al Varnell <alv...@ma...>
> Sent: Monday, 28 October 2019 09:27
> To: RKHunter-Users <rkh...@li...>
> Cc: Koblenz Thomas <Tho...@ze...>
> Subject: Re: [Rkhunter-users] Suspicious Shared Memory segments | warning per mail
>
> On Mon, Oct 28, 2019 at 00:31 AM, Koblenz Thomas wrote:
> > Hello,
> >
> > I have a problem with a false positive for Suspicious Shared Memory
> > segments. Since the last update of the Commvault Agent I always get
> > warnings for Suspicious Shared Memory segments.
> >
> > [08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
> > [08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
> >
> > I have already made the following entry in the rkhunter.log
> > ALLOWIPCPROC= "/opt/commvault/Base64/cvd
>
> I suspect you meant to say in the rkhunter.conf file, but I think the error
> is in placing a space and quote before the path. Shouldn't it read:
> ALLOWIPCPROC=/opt/commvault/Base64/cvd
>
> -Al-
>
> > Unfortunately we still get mails informing us about a warning. Is it
> > possible to configure rkhunter to stop sending mail when a whitelist has
> > been configured?
> >
> > Version : Rootkit Hunter 1.4.2, Deb9.11
> >
> > Thomas
>
> To find more details about our complete product portfolio, download our new
> free PLANT.BOOK app from your Apple App Store
> <https://itunes.apple.com/us/app/plantbook/id1287430289?mt=8> and Microsoft
> Store <https://www.microsoft.com/en-us/p/plantbook/9nt0fm3hssls?source=lp&activetab=pivot%3Aoverviewtab>.
>
> Zeppelin Systems GmbH
> Commercial Register: AG Ulm HRB 729780
> Registered Domicile: D-88045 Friedrichshafen
> Chairman of the supervisory board: Peter Gerstmann
> Management board: Alexander Wassermann (Chairman), Rochus C. Hofmann
From: Koblenz T. <Tho...@ze...> - 2019-10-28 10:20:27

Hi

the whitelist is working, I see that in the logs. But I still get a warning via e-mail.

Info: Found process pathname '/opt/commvault2/Base64/cvd': it is whitelisted.

Is it possible to disable e-mail warnings for whitelisted things?

Thomas

-----Original Message-----
From: Al Varnell <alv...@ma...>
Sent: Monday, 28 October 2019 09:27
To: RKHunter-Users <rkh...@li...>
Cc: Koblenz Thomas <Tho...@ze...>
Subject: Re: [Rkhunter-users] Suspicious Shared Memory segments | warning per mail

On Mon, Oct 28, 2019 at 00:31 AM, Koblenz Thomas wrote:
> Hello,
>
> I have a problem with a false positive for Suspicious Shared Memory segments. Since the last update of the Commvault Agent I always get warnings for Suspicious Shared Memory segments.
>
> [08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
> [08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
>
> I have already made the following entry in the rkhunter.log
> ALLOWIPCPROC= "/opt/commvault/Base64/cvd

I suspect you meant to say in the rkhunter.conf file, but I think the error is in placing a space and quote before the path. Shouldn't it read:
ALLOWIPCPROC=/opt/commvault/Base64/cvd

-Al-

> Unfortunately we still get mails informing us about a warning. Is it possible to configure rkhunter to stop sending mail when a whitelist has been configured?
>
> Version : Rootkit Hunter 1.4.2, Deb9.11
>
> Thomas
From: Al V. <alv...@ma...> - 2019-10-28 08:26:44

On Mon, Oct 28, 2019 at 00:31 AM, Koblenz Thomas wrote:
> Hello,
>
> I have a problem with a false positive for Suspicious Shared Memory segments. Since the last update of the Commvault Agent I always get warnings for Suspicious Shared Memory segments.
>
> [08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
> [08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
>
> I have already made the following entry in the rkhunter.log
> ALLOWIPCPROC= "/opt/commvault/Base64/cvd

I suspect you meant to say in the rkhunter.conf file, but I think the error is in placing a space and quote before the path. Shouldn't it read:
ALLOWIPCPROC=/opt/commvault/Base64/cvd

-Al-

> Unfortunately we still get mails informing us about a warning. Is it possible to configure rkhunter to stop sending mail when a whitelist has been configured?
>
> Version : Rootkit Hunter 1.4.2, Deb9.11
>
> Thomas
From: Koblenz T. <Tho...@ze...> - 2019-10-28 07:47:04

Hello,

I have a problem with a false positive for Suspicious Shared Memory segments. Since the last update of the Commvault Agent I always get warnings for Suspicious Shared Memory segments.

[08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]
[08:18:25] Process: /opt/commvault/Base64/cvd PID: 758 Owner: root [ Found ]

I have already made the following entry in the rkhunter.log
ALLOWIPCPROC= "/opt/commvault/Base64/cvd

Unfortunately we still get mails informing us about a warning. Is it possible to configure rkhunter to stop sending mail when a whitelist has been configured?

Version : Rootkit Hunter 1.4.2, Deb9.11

Thomas
From: John H. <joh...@pl...> - 2019-09-11 09:41:33

On Tue, 2019-09-10 at 16:36 -0700, Al Varnell wrote:
> It should be, but for whatever reason the OP must have intended to disable
> it. But his issue was why propupd didn't prevent the warning.
>
Correct. I was not going to argue *why* the user would want to do this :-)

Secondly, he did say 'for example', so it may well not be curl that he was actually trying to modify.

John.

> On Tue, Sep 10, 2019 at 15:05 PM, Stockwell, Steven [US] (MS) wrote:
> > Shouldn't curl be 755 or 700? Not 600 (not executable).
> >
> > S^2
> >
> > -----Original Message-----
> > From: John Horne <joh...@pl...>
> > Sent: Sunday, September 08, 2019 2:22 PM
> > To: rkh...@li...
> > Subject: EXT :Re: [Rkhunter-users] rkhunter --propupd changes not recognized
> >
> > On Sun, 2019-09-08 at 11:45 +0200, ratatouille via Rkhunter-users wrote:
> > > Hello!
> > >
> > > When I change the permissions of for example /usr/bin/curl to 0600 and
> > > do a rkhunter --propupd after, rkhunter warns me nevertheless that
> > > the properties of curl have been changed.
> > >
> > > How can I correct this?
> > >
> > If you are using the PKGMGR option then you'll need to exclude the file from
> > using the package manager. (See PKGMGR_NO_VRFY)
> >
> > John.
From: Al V. <alv...@ma...> - 2019-09-10 23:36:18

It should be, but for whatever reason the OP must have intended to disable it. But his issue was why propupd didn't prevent the warning.

-Al-

On Tue, Sep 10, 2019 at 15:05 PM, Stockwell, Steven [US] (MS) wrote:
> Shouldn't curl be 755 or 700? Not 600 (not executable).
>
> S^2
>
> -----Original Message-----
> From: John Horne <joh...@pl...>
> Sent: Sunday, September 08, 2019 2:22 PM
> To: rkh...@li...
> Subject: EXT :Re: [Rkhunter-users] rkhunter --propupd changes not recognized
>
> On Sun, 2019-09-08 at 11:45 +0200, ratatouille via Rkhunter-users wrote:
>> Hello!
>>
>> When I change the permissions of for example /usr/bin/curl to 0600 and
>> do a rkhunter --propupd after, rkhunter warns me nevertheless that
>> the properties of curl have been changed.
>>
>> How can I correct this?
>>
> If you are using the PKGMGR option then you'll need to exclude the file from
> using the package manager. (See PKGMGR_NO_VRFY)
>
> John.
From: Stockwell, S. [U. (MS) <Ste...@ng...> - 2019-09-10 22:25:48

Shouldn't curl be 755 or 700? Not 600 (not executable).

S^2

-----Original Message-----
From: John Horne <joh...@pl...>
Sent: Sunday, September 08, 2019 2:22 PM
To: rkh...@li...
Subject: EXT :Re: [Rkhunter-users] rkhunter --propupd changes not recognized

On Sun, 2019-09-08 at 11:45 +0200, ratatouille via Rkhunter-users wrote:
> Hello!
>
> When I change the permissions of for example /usr/bin/curl to 0600 and
> do a rkhunter --propupd after, rkhunter warns me nevertheless that
> the properties of curl have been changed.
>
> How can I correct this?
>
If you are using the PKGMGR option then you'll need to exclude the file from using the package manager. (See PKGMGR_NO_VRFY)

John.
From: John H. <joh...@pl...> - 2019-09-08 21:37:00

On Sun, 2019-09-08 at 11:45 +0200, ratatouille via Rkhunter-users wrote:
> Hello!
>
> When I change the permissions of for example /usr/bin/curl to 0600 and
> do a rkhunter --propupd after, rkhunter warns me nevertheless that
> the properties of curl have been changed.
>
> How can I correct this?
>
If you are using the PKGMGR option then you'll need to exclude the file from using the package manager. (See PKGMGR_NO_VRFY)

John.
From: ratatouille <rat...@bi...> - 2019-09-08 10:03:03

Hello!

When I change the permissions of for example /usr/bin/curl to 0600 and do a rkhunter --propupd after, rkhunter warns me nevertheless that the properties of curl have been changed.

How can I correct this?

Kind regards

Andreas
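The whitelist threads above (Finn's `RTKT_FILE_WHITELIST` and `USER_FILEPROP_FILES_DIRS`, Thomas's `ALLOWIPCPROC= "/opt/commvault/Base64/cvd` line, and the `PKGMGR_NO_VRFY` exclusion in the propupd thread) all turn on the same detail: path-valued options in rkhunter.conf are written bare, with nothing between the `=` and an absolute path. The following POSIX shell lint pass is an added example, not code from rkhunter or from the list replies; it flags the mistakes seen in these threads. The option names are the ones the threads use, and the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example, not part of rkhunter: lint the path-valued whitelist options
# in an rkhunter.conf. The option names are those used in the threads above;
# the sample written by write_sample_conf is constructed.

PATH_OPTIONS='ALLOWIPCPROC RTKT_FILE_WHITELIST USER_FILEPROP_FILES_DIRS EXISTWHITELIST SCRIPTWHITELIST PKGMGR_NO_VRFY'

# Check one option value. Prints one diagnostic per problem found;
# returns 0 when the value is clean, 1 otherwise.
lint_value() {
    opt=$1; val=$2; bad=0
    # A space after '=' becomes part of the value, as in Thomas's line.
    case $val in
        [[:space:]]*) printf '%s: value starts with whitespace: [%s]\n' "$opt" "$val"; bad=1 ;;
    esac
    # A quote is also taken literally; the working answers give the path bare.
    case $val in
        *\"*|*\'*) printf '%s: value contains a quote character: [%s]\n' "$opt" "$val"; bad=1 ;;
    esac
    # Every remaining token should be an absolute path.
    clean=$(printf '%s' "$val" | tr -d "\"'")
    for p in $clean; do
        case $p in
            /*) ;;
            *) printf "%s: '%s' is not an absolute path\n" "$opt" "$p"; bad=1 ;;
        esac
    done
    return $bad
}

# Lint every KEY=value line of FILE whose KEY is in PATH_OPTIONS.
# Prints diagnostics only; returns 0 when no problems were found.
lint_conf() {
    file=$1; errors=0
    while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;
        esac
        opt=${line%%=*}
        val=${line#*=}
        if [ "$opt" = "$line" ]; then
            printf 'not KEY=value: [%s]\n' "$line"; errors=$((errors+1)); continue
        fi
        case " $PATH_OPTIONS " in
            *" $opt "*) lint_value "$opt" "$val" || errors=$((errors+1)) ;;
        esac
    done < "$file"
    [ "$errors" -eq 0 ]
}

# Constructed sample built from the threads: Thomas's malformed entry, John's
# two answers to Finn, a hypothetical relative path, and an unrelated option.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real rkhunter.conf
ALLOWIPCPROC= "/opt/commvault/Base64/cvd
RTKT_FILE_WHITELIST=/opt/redmine/apache2/bin/httpd.bin
USER_FILEPROP_FILES_DIRS=/opt/redmine/apache2/bin/httpd.bin
PKGMGR_NO_VRFY=usr/bin/curl
ALLOW_SSH_ROOT_USER=no
EOF
}

# Demo (run as: sh lint.sh --demo): expect three diagnostics, two for the
# ALLOWIPCPROC line and one for the relative PKGMGR_NO_VRFY path.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    lint_conf "$tmp"
    rm -f "$tmp"
fi
```

Point it at the live file with `lint_conf /etc/rkhunter.conf` before re-running rkhunter; a clean pass means the whitelist lines are at least well formed, which separates a typo from a genuine whitelist mismatch like the one John asked to see the log for.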
From: Richard S. <rj...@ms...> - 2019-08-09 16:08:25

On 8/9/2019 4:37 AM, John Horne wrote:
> On Fri, 2019-08-09 at 12:39 +0300, Nerijus Baliūnas via Rkhunter-users wrote:
>> 2019-08-09 12:18, John Horne wrote:
>>> On Thu, 2019-08-08 at 21:49 +0000, Richard Shelquist wrote:
>>>> I'm getting an ssh warning from rkhunter, even though the sshd and
>>>> rkhunter options for root login are both set to "no". My server is
>>>> running Centos 7.6.1810 with rkhunter 1.4.6.
>>>>
>>>> The system started with sshd and rkhunter root login options set to
>>>> "yes", and I was not receiving any error message. But then when server
>>>> setup was complete, I switched both of the root login options to "no" and
>>>> that is when the warnings began.
>>>>
>>>> Here are grep results which verify that the sshd and rkhunter config
>>>> settings are both set to "no":
>>>>
>>>> $grep PermitRootLogin /etc/ssh/sshd_config
>>>> PermitRootLogin no
>>>>
>>> You need the equal sign (=) in there.
>>> PermitRootLogin=no
>>
>> Not really, PermitRootLogin no works OK. Actually there are no "=" in
>> /etc/ssh/sshd_config
>> except line # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
>>
> Oops, you are correct. I completely misread that as the RKH config option.
>
> In which case I would suspect an odd character has got into one of the config
> files for those options.
>
> Try running:
> cat -vet /etc/ssh/sshd_config | grep PermitRootLogin
>
> and see if any odd characters (a space or control characters) are shown with
> the option. (The line should end with a dollar sign, so a space at the end will
> look like '...no $' rather than '...no$')
>
John, you got it right. There was a DOS ^M character which somehow ended up in the /etc/ssh/sshd_config file. Thank you for the suggestion. Problem solved.
From: John H. <joh...@pl...> - 2019-08-09 12:10:40

On Fri, 2019-08-09 at 12:39 +0300, Nerijus Baliūnas via Rkhunter-users wrote:
> 2019-08-09 12:18, John Horne wrote:
> > On Thu, 2019-08-08 at 21:49 +0000, Richard Shelquist wrote:
> > > I'm getting an ssh warning from rkhunter, even though the sshd and
> > > rkhunter options for root login are both set to "no". My server is
> > > running Centos 7.6.1810 with rkhunter 1.4.6.
> > >
> > > The system started with sshd and rkhunter root login options set to
> > > "yes", and I was not receiving any error message. But then when server
> > > setup was complete, I switched both of the root login options to "no" and
> > > that is when the warnings began.
> > >
> > > Here are grep results which verify that the sshd and rkhunter config
> > > settings are both set to "no":
> > >
> > > $grep PermitRootLogin /etc/ssh/sshd_config
> > > PermitRootLogin no
> > >
> > You need the equal sign (=) in there.
> > PermitRootLogin=no
>
> Not really, PermitRootLogin no works OK. Actually there are no "=" in
> /etc/ssh/sshd_config
> except line # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
>
Oops, you are correct. I completely misread that as the RKH config option.

In which case I would suspect an odd character has got into one of the config files for those options.

Try running:

cat -vet /etc/ssh/sshd_config | grep PermitRootLogin

and see if any odd characters (a space or control characters) are shown with the option. (The line should end with a dollar sign, so a space at the end will look like '...no $' rather than '...no$')

John.
From: Nerijus B. <ne...@us...> - 2019-08-09 09:40:18
2019-08-09 12:18, John Horne wrote:
> On Thu, 2019-08-08 at 21:49 +0000, Richard Shelquist wrote:
>> I'm getting an ssh warning from rkhunter, even though the sshd and rkhunter
>> options for root login are both set to "no". My server is running Centos
>> 7.6.1810 with rkhunter 1.4.6.
>>
>> The system started with sshd and rkhunter root login options set to "yes",
>> and I was not receiving any error message. But then when server setup was
>> complete, I switched both of the root login options to "no" and that is
>> when
>> the warnings began.
>>
>> Here are grep results which verify that the sshd and rkhunter config
>> settings
>> are both set to "no":
>>
>> $grep PermitRootLogin /etc/ssh/sshd_config
>> PermitRootLogin no
>>
> You need the equal sign (=) in there.
> PermitRootLogin=no

Not really, PermitRootLogin no works OK. Actually there are no "=" in
/etc/ssh/sshd_config
except line # This sshd was compiled with PATH=/usr/local/bin:/usr/bin

Regards,
Nerijus
From: John H. <joh...@pl...> - 2019-08-09 09:33:41
On Thu, 2019-08-08 at 21:49 +0000, Richard Shelquist wrote:
> I'm getting an ssh warning from rkhunter, even though the sshd and rkhunter
> options for root login are both set to "no". My server is running Centos
> 7.6.1810 with rkhunter 1.4.6.
>
> The system started with sshd and rkhunter root login options set to "yes",
> and I was not receiving any error message. But then when server setup was
> complete, I switched both of the root login options to "no" and that is when
> the warnings began.
>
> Here are grep results which verify that the sshd and rkhunter config settings
> are both set to "no":
>
> $grep PermitRootLogin /etc/ssh/sshd_config
> PermitRootLogin no
>
You need the equal sign (=) in there.

PermitRootLogin=no

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: Richard S. <rj...@ms...> - 2019-08-08 21:49:15
I'm getting an ssh warning from rkhunter, even though the sshd and rkhunter
options for root login are both set to "no". My server is running Centos
7.6.1810 with rkhunter 1.4.6.

The system started with sshd and rkhunter root login options set to "yes", and
I was not receiving any error message. But then when server setup was complete,
I switched both of the root login options to "no" and that is when the warnings
began.

Here are grep results which verify that the sshd and rkhunter config settings
are both set to "no":

$grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no

$grep ALLOW_SSH_ROOT_USER /etc/rkhunter.conf
ALLOW_SSH_ROOT_USER=no

Just in case it is related, the protocol options are set as follows:

$grep Protocol /etc/ssh/sshd_config
Protocol 2

$grep ALLOW_SSH_PROT_V1 /etc/rkhunter.conf
ALLOW_SSH_PROT_V1=0

The following rkhunter log snippet clearly shows that sshd and rkhunter config
files are both set to indicate no root login, yet I get a warning about ssh
root access:

[13:43:33] Info: Using configuration file '/etc/rkhunter.conf'
[13:48:21] Info: Starting test name 'system_configs_ssh'
[13:48:21] Checking for an SSH configuration file [ Found ]
[13:48:21] Info: Found an SSH configuration file: /etc/ssh/sshd_config
[13:48:21] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[13:48:21] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[13:48:21] Checking if SSH root access is allowed [ Warning ]
[13:48:21] Warning: The SSH and rkhunter configuration options should be the same:
[13:48:21] SSH configuration option 'PermitRootLogin': no
[13:48:21] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[13:48:21] Checking if SSH protocol v1 is allowed [ Not allowed ]
[13:48:21] Checking for other suspicious configuration settings [ None found ]

Similarly, the email I receive from rkhunter gives me a warning, yet it also
confirms that the settings are already the same:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': no
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
----------------------- End Rootkit Hunter Scan -----------------------

I have run rkhunter -C, and I have even rebooted the server, but still the same
issue.

Any ideas of what is causing this rkhunter warning and how to fix it??
From: Slow B. <slo...@gm...> - 2019-08-06 12:03:31
That was the problem, thank you. It was set to 1.

On Mon, Aug 5, 2019 at 9:10 AM John Horne <joh...@pl...> wrote:

> On Mon, 2019-08-05 at 08:15 -0400, Slow Bro wrote:
> >
> > > [01:00:07] Checking file mirrors.dat [ Skipped ]
> > > [01:00:07] Info: The mirrors file has no required mirrors in it:
> >
> Your config file probably has the MIRRORS_MODE option set. If you have set
> it to
> use local mirrors, then the mirrors file has no local mirrors in it (just
> the
> remote sourceforge ones). Hence, there are no required mirrors and all the
> other file checks fail.
>
> Remove the MIRRORS_MODE option from the config file.
>
>
>
> John.
>
> --
> John Horne | Senior Operations Analyst | Technology and Information
> Services
> University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>
From: John H. <joh...@pl...> - 2019-08-05 13:06:46
On Mon, 2019-08-05 at 08:15 -0400, Slow Bro wrote:
>
> > [01:00:07] Checking file mirrors.dat [ Skipped ]
> > [01:00:07] Info: The mirrors file has no required mirrors in it:
>
Your config file probably has the MIRRORS_MODE option set. If you have set it to
use local mirrors, then the mirrors file has no local mirrors in it (just the
remote sourceforge ones). Hence, there are no required mirrors and all the
other file checks fail.

Remove the MIRRORS_MODE option from the config file.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
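An added example, not rkhunter's own code, that walks a mirrors.dat file and reports which entries a given MIRRORS_MODE leaves usable, reproducing the "no required mirrors" skip John explains above. It assumes the documented mode values (0 any mirror, 1 local only, 2 remote only), the entry keywords local=, remote= and mirror=, and, consistent with the thread where mirror= lines did not count under mode 1, that only local= lines satisfy mode 1; the sample file is a constructed copy of the one posted.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Assumptions: MIRRORS_MODE values
# 0 = any mirror, 1 = local mirrors only, 2 = remote mirrors only; entry
# keywords local=, remote= and mirror=; and, as the thread shows for mode 1
# (mirror= lines present, yet "no required mirrors"), only local= entries
# satisfy mode 1 and only remote= entries satisfy mode 2.

# Print the URLs in mirrors.dat $1 that mode $2 allows, one per line.
# Blank lines, comments and the Version: line are ignored.
usable_mirrors() {
    awk -v mode="$2" '
        /^[ \t]*(#|$)/ || /^Version:/ { next }
        {
            kw = $0;  sub(/=.*/, "", kw)        # keyword before the "="
            url = $0; sub(/^[^=]*=/, "", url)   # everything after it
        }
        (mode == 0 && (kw == "mirror" || kw == "local" || kw == "remote")) ||
        (mode == 1 && kw == "local") ||
        (mode == 2 && kw == "remote") { print url }
    ' "$1"
}

# Number of usable mirrors for mode $2; 0 is the situation behind
# "The mirrors file has no required mirrors in it".
required_mirror_count() {
    usable_mirrors "$1" "$2" | awk 'END { print NR }'
}

# Explain an update run: returns 0 when at least one mirror is usable,
# 1 when the update would be skipped for lack of required mirrors.
diagnose_update() {
    count=$(required_mirror_count "$1" "$2")
    if [ "$count" -eq 0 ]; then
        echo "MIRRORS_MODE=$2: no required mirrors in $1, update would be skipped"
        return 1
    fi
    echo "MIRRORS_MODE=$2: $count usable mirror(s):"
    usable_mirrors "$1" "$2"
}

# Constructed copy of the 1.4 mirrors.dat shown in the thread.
demo() {
    f=$(mktemp)
    printf 'Version:2018120901\nmirror=http://rkhunter.sourceforge.net\nremote=http://rkhunter.sourceforge.net\n' > "$f"
    for mode in 0 1 2; do
        diagnose_update "$f" "$mode" || true
    done
    rm -f "$f"
}

demo
```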
From: Slow B. <slo...@gm...> - 2019-08-05 12:15:32
Al suggested I try version 1.4 of the dat file but that gives the same result.
Anyone else have any ideas? I have two servers and I configured both
identically, and one is successful. The successful one is a DigitalOcean
Droplet, the failing one is a VirtualBox VM running at home. In case that
impacts this.

root@db03:~# mv /var/lib/rkhunter/db/mirrors.dat /var/lib/rkhunter/db/mirrors.1.3.dat
root@db03:~# wget -O/var/lib/rkhunter/db/mirrors.dat http://rkhunter.sourceforge.net/1.4/mirrors.dat
--2019-07-30 00:09:35-- http://rkhunter.sourceforge.net/1.4/mirrors.dat
Resolving rkhunter.sourceforge.net (rkhunter.sourceforge.net)... 216.105.38.10
Connecting to rkhunter.sourceforge.net (rkhunter.sourceforge.net)|216.105.38.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 97
Saving to: ‘/var/lib/rkhunter/db/mirrors.dat’

/var/lib/rkhunter/db/mirrors.dat 100%[=================================================================================================================================================>] 97 --.-KB/s in 0s

2019-07-30 00:09:35 (13.8 MB/s) - ‘/var/lib/rkhunter/db/mirrors.dat’ saved [97/97]

root@db03:~# cat /var/lib/rkhunter/db/mirrors.dat
Version:2018120901
mirror=http://rkhunter.sourceforge.net
remote=http://rkhunter.sourceforge.net
root@db03:~# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ Skipped ]
Checking file programs_bad.dat [ Update failed ]
Checking file backdoorports.dat [ Update failed ]
Checking file suspscan.dat [ Update failed ]
Checking file i18n versions [ Update failed ]

Please check the log file (/var/log/rkhunter.log)

root@db03:~# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
This version : 1.4.6
Latest version: Download failed
root@db03:~#

On Wed, Jul 24, 2019 at 9:16 PM Slow Bro <slo...@gm...> wrote:

> Not sure what the problem is, I am getting a successful download of the
> .dat file with wget. Please assist.
>
> root@db03:~# rkhunter --update
> [ Rootkit Hunter version 1.4.6 ]
>
> Checking rkhunter data files...
> Checking file mirrors.dat [ Skipped ]
> Checking file programs_bad.dat [ Update failed ]
> Checking file backdoorports.dat [ Update failed ]
> Checking file suspscan.dat [ Update failed ]
> Checking file i18n versions [ Update failed ]
>
> Please check the log file (/var/log/rkhunter.log)
>
> root@db03:~# rkhunter --versioncheck
> [ Rootkit Hunter version 1.4.6 ]
>
> Checking rkhunter version...
> This version : 1.4.6
> Latest version: Download failed
> root@db03:~# cat /var/lib/rkhunter/db/mirrors.dat
> Version:2007060601
> mirror=http://rkhunter.sourceforge.net
> mirror=http://rkhunter.sourceforge.net
> root@db03:~# tail /var/log/rkhunter.log
> [01:00:07] Checking rkhunter data files...
> [01:00:07] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.upd.6eFlkVXRur'
> [01:00:07] Checking file mirrors.dat [ Skipped ]
> [01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
> [01:00:07] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
> [01:00:07] Checking file programs_bad.dat [ Update failed ]
> [01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
> [01:00:07] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
> [01:00:07] Checking file backdoorports.dat [ Update failed ]
> [01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
> [01:00:07] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
> [01:00:07] Checking file suspscan.dat [ Update failed ]
> [01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
> [01:00:07] Checking file i18n versions [ Update failed ]
> [01:00:07] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
> [01:00:07]
> [01:00:07] Info: End date is Thu Jul 25 01:00:07 UTC 2019
> root@db03:~# wget -O- http://rkhunter.sourceforge.net/1.3/mirrors.dat
> --2019-07-25 01:04:13-- http://rkhunter.sourceforge.net/1.3/mirrors.dat
> Resolving rkhunter.sourceforge.net (rkhunter.sourceforge.net)... 216.105.38.10
> Connecting to rkhunter.sourceforge.net (rkhunter.sourceforge.net)|216.105.38.10|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 97
> Saving to: ‘STDOUT’
>
> - 0%[ ] 0 --.-KB/s
> Version:2007060601
> mirror=http://rkhunter.sourceforge.net
> mirror=http://rkhunter.sourceforge.net
> - 100%[=================================================================================================================================================>] 97 --.-KB/s in 0s
>
> 2019-07-25 01:04:13 (4.93 MB/s) - written to stdout [97/97]
>
> root@db03:~#
>
From: Slow B. <slo...@gm...> - 2019-07-25 01:16:56
Not sure what the problem is, I am getting a successful download of the .dat
file with wget. Please assist.

root@db03:~# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ Skipped ]
Checking file programs_bad.dat [ Update failed ]
Checking file backdoorports.dat [ Update failed ]
Checking file suspscan.dat [ Update failed ]
Checking file i18n versions [ Update failed ]

Please check the log file (/var/log/rkhunter.log)

root@db03:~# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
This version : 1.4.6
Latest version: Download failed
root@db03:~# cat /var/lib/rkhunter/db/mirrors.dat
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net
root@db03:~# tail /var/log/rkhunter.log
[01:00:07] Checking rkhunter data files...
[01:00:07] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.upd.6eFlkVXRur'
[01:00:07] Checking file mirrors.dat [ Skipped ]
[01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[01:00:07] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[01:00:07] Checking file programs_bad.dat [ Update failed ]
[01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[01:00:07] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
[01:00:07] Checking file backdoorports.dat [ Update failed ]
[01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[01:00:07] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
[01:00:07] Checking file suspscan.dat [ Update failed ]
[01:00:07] Info: The mirrors file has no required mirrors in it: /var/lib/rkhunter/db/mirrors.dat
[01:00:07] Checking file i18n versions [ Update failed ]
[01:00:07] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[01:00:07]
[01:00:07] Info: End date is Thu Jul 25 01:00:07 UTC 2019
root@db03:~# wget -O- http://rkhunter.sourceforge.net/1.3/mirrors.dat
--2019-07-25 01:04:13-- http://rkhunter.sourceforge.net/1.3/mirrors.dat
Resolving rkhunter.sourceforge.net (rkhunter.sourceforge.net)... 216.105.38.10
Connecting to rkhunter.sourceforge.net (rkhunter.sourceforge.net)|216.105.38.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 97
Saving to: ‘STDOUT’

- 0%[ ] 0 --.-KB/s
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net
- 100%[=================================================================================================================================================>] 97 --.-KB/s in 0s

2019-07-25 01:04:13 (4.93 MB/s) - written to stdout [97/97]

root@db03:~#
From: John H. <joh...@pl...> - 2019-07-03 23:27:37
On Mon, 2019-06-24 at 16:58 -0600, Pascal via Rkhunter-users wrote:
> The link to "Rootkit Hunter installation tutorial" at
> http://rkhunter.sourceforge.net is broken.
>
Thanks for that. I have changed the link to point to the wiki contents page. It
does contain an 'install' page in there. To be honest though, the wiki hasn't
been updated in a few years now.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: John H. <joh...@pl...> - 2019-07-03 22:30:02
On Mon, 2019-06-24 at 17:16 -0600, Pascal via Rkhunter-users wrote:
> Is this software capable of warning anyone with the file /etc/cron.d/sysstat2
> on their systems that they have been compromised? More details at
> https://serverfault.com/questions/972726/how-do-i-warn-people-that-a-repo-has-been-hacked
>
Hi,

I have added a check for the file in the dev version. If the file exists it'll
be reported as a malware component. I couldn't actually find out what the file
did or contained, and, as far as I can tell, the relevant file (an RPM file to
install a yum repo) has now been corrected. Even so, these things can pop up
again at times.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK