Good morning. I have rkhunter running from a cron job, but when it scans every day it tells me this:

[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter version...
This version : 1.3.2
Latest version: 1.3.2
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option is used, all the files on their system are known to be genuine, and installed from a reliable source. The rkhunter '--check' option will compare the current file properties against previously stored values, and report if any values differ. However, rkhunter cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)

The last part: is that a good or bad sign?
Firstly, check each of the files /usr/bin/groups, /usr/bin/ldd, etc., for their contents. It's possible this is a false positive (I have personally seen these).

Secondly, the "The file of stored file properties (rkhunter.dat) does not exist, and so must be created" message is regarding a comparison check. The rkhunter.dat should contain what the files contained when the server was clean, so it can compare them against now. This is why the "all the files on their system are known to be genuine" message is also apparent.

You'll need to edit your sshd_config file if you want to disable direct root login.

Uncompress and see what that file is.

I hope this helps you.
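The answer above lists three things to do by hand: look at what the "replaced by a script" files actually contain, check whether sshd_config sets PermitRootLogin, and uncompress the hidden .gz to see what it is. The script below is an added example (not from the thread or from rkhunter itself) that does each of those as a small function. It assumes the usual file(1), gzip(1), and either dpkg or rpm for package ownership; the sample sshd_config it creates in a temporary directory is constructed here so the PermitRootLogin check can be demonstrated offline.

```shell
#!/bin/sh
# Added example: triage helpers for the three rkhunter warnings discussed above.
# Paths are placeholders; run the functions against the real files on the host.

# 1. "command has been replaced by a script": report what the file is, which
#    package (if any) owns it, and its first lines. A distro-shipped wrapper is
#    owned by a package and reads like one; an unowned script is worth a closer look.
inspect_replaced_command() {
    f="$1"
    printf '%s: ' "$f"
    file -b "$f" 2>/dev/null || echo "(file(1) not available)"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$f" 2>/dev/null || echo "  not owned by any dpkg package"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" 2>/dev/null || echo "  not owned by any rpm package"
    fi
    # Show the head of the script so the reader can judge it directly.
    head -n 5 "$f" 2>/dev/null | sed 's/^/  | /'
}

# 2. PermitRootLogin: print the effective value from an sshd_config file.
#    sshd uses the first uncommented occurrence of a keyword, so the first
#    match wins; "unset" means the directive is absent (rkhunter's warning).
#    Match blocks are not modelled, which is fine for a top-level check.
permit_root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# 3. Hidden gzip file: inspect the decompressed content without writing it
#    out or executing anything. The hidden-file warning for a man page is
#    often harmless, but the content decides that, not the name.
inspect_hidden_gz() {
    f="$1"
    ls -l "$f"
    gzip -dc "$f" | file -          # type of the decompressed stream
    gzip -dc "$f" | head -c 512     # first bytes, enough to recognise a man page
    echo
}

# Demonstration on a constructed sshd_config with the directive commented out,
# which is how a stock install looks and is exactly the case rkhunter flagged.
SAMPLE_DIR=$(mktemp -d)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' \
    > "$SAMPLE_DIR/sshd_config"
permit_root_login_setting "$SAMPLE_DIR/sshd_config"   # prints: unset
rm -rf "$SAMPLE_DIR"
```

On the real host, call `inspect_replaced_command /usr/bin/groups` (and the other four paths), `permit_root_login_setting /etc/ssh/sshd_config`, and `inspect_hidden_gz /usr/share/man/man1/..1.gz`. Only once the package-ownership and content checks come back clean does it make sense to run `rkhunter --propupd` to create the rkhunter.dat baseline the first warning asks for; a baseline taken over an unverified file just hides the change next time.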