Code:
rkhunter -c --rwo
Warning: GasKit Rootkit [ Warning ]
Directory '/dev/dev' found
Warning: The following processes are using suspicious files:
Command: anacron
UID: 0 PID: 1360
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: crond
UID: 0 PID: 697
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Warning: Found passwordless account in shadow file: xguest
These have to be false positives, right? Can someone put me at ease by confirming this? Thank you very much.
Update:
A fresh install on a third box, with rkhunter installed and run within minutes of booting, shows:
Code:
rkhunter -c --rwo
Warning: GasKit Rootkit [ Warning ]
Directory '/dev/dev' found
Warning: The following processes are using suspicious files:
Command: crond
UID: 0 PID: 609
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
These have to be false positives, I think. Anyone have any ideas? Thanks.
Update 2: same rkhunter results even with propupd.
Here is the entire run of commands:
urpmi rkhunter
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release")
rkhunter 1.3.8 3.mga2 noarch
unhide 20110113 1.mga1 x86_64 (suggested)
864KB of additional disk space will be used.
194KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
$MIRRORLIST: media/core/release/rkhunter-1.3.8-3.mga2.noarch.rpm
$MIRRORLIST: media/core/release/unhide-20110113-1.mga1.x86_64.rpm
installing rkhunter-1.3.8-3.mga2.noarch.rpm unhide-20110113-1.mga1.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/2: unhide #############################################
2/2: rkhunter #############################################
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 167 files, found 139
[ Rootkit Hunter version 1.3.8 ]
Checking the local host...
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ None found ]
[Press <ENTER> to continue]
System checks summary
=====================
File properties checks...
All checks skipped
Rootkit checks...
All checks skipped
Applications checks...
All checks skipped
The system checks took: 1 second
All results have been written to the log file (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
----------------------------------------------------------------------
More information on package rkhunter-1.3.8-3.mga2.noarch
rkhunter is a tool to detect rootkits installed on your system and suspicious
file changes. In order for rkhunter to run these checks, it maintains a catalog
of files and their properties installed on your system so it can compare
current files and statusses against the ones recorded in its database.
Out of the box rkhunter is configured to give as few false positives as
possible on a Mageia system. Still, despite this, you might want to change some
of its configuration options yourself to best suit you. The file used for this
is /etc/rkhunter.conf
Upon an initial install, rkhunter will create the databases it needs itself. On
upgrades and during regular use, you may want to update its databases yourself
by executing:
rkhunter --propupd
before running any other rkhunter checks yourself.
----------------------------------------------------------------------
[root@localhost quadio]# cat /var/log/rkhu
rkhunter.log rkhunter.log.old
[root@localhost quadio]# cat /var/log/rkhunter.log
[07:53:19] Running Rootkit Hunter version 1.3.8 on localhost
[07:53:19]
[07:53:19] Info: Start date is Sun Jun 24 07:53:19 EDT 2012
[07:53:20]
[07:53:20] Checking configuration file and command-line options...
[07:53:20] Info: Detected operating system is 'Linux'
[07:53:20] Info: Found O/S name: Mageia 2
[07:53:20] Info: Command line is /usr/sbin/rkhunter --enable group_changes,passwd_changes
[07:53:20] Info: Environment shell is /bin/bash; rkhunter is using bash
[07:53:20] Info: Using configuration file '/etc/rkhunter.conf'
[07:53:20] Info: Installation directory is '/var'
[07:53:20] Info: Using language 'en'
[07:53:20] Info: Using '/var/lib/rkhunter/db' as the database directory
[07:53:20] Info: Using '/var/lib/rkhunter/scripts' as the support script directory
[07:53:20] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[07:53:20] Info: Using '/' as the root directory by default
[07:53:20] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[07:53:20] Info: No mail-on-warning address configured
[07:53:20] Info: X will be automatically detected
[07:53:20] Info: Using second color set
[07:53:20] Info: Found the 'basename' command: /bin/basename
[07:53:20] Info: Found the 'diff' command: /usr/bin/diff
[07:53:20] Info: Found the 'dirname' command: /usr/bin/dirname
[07:53:20] Info: Found the 'file' command: /usr/bin/file
[07:53:20] Info: Found the 'find' command: /bin/find
[07:53:20] Info: Found the 'ifconfig' command: /sbin/ifconfig
[07:53:20] Info: Found the 'ip' command: /sbin/ip
[07:53:20] Info: Found the 'ldd' command: /usr/bin/ldd
[07:53:20] Info: Found the 'lsattr' command: /usr/bin/lsattr
[07:53:20] Info: Found the 'lsmod' command: /sbin/lsmod
[07:53:20] Info: Found the 'lsof' command: /usr/sbin/lsof
[07:53:20] Info: Found the 'mktemp' command: /bin/mktemp
[07:53:20] Info: Found the 'netstat' command: /bin/netstat
[07:53:20] Info: Found the 'perl' command: /usr/bin/perl
[07:53:20] Info: Found the 'pgrep' command: /usr/bin/pgrep
[07:53:20] Info: Found the 'ps' command: /bin/ps
[07:53:20] Info: Found the 'pwd' command: /bin/pwd
[07:53:20] Info: Found the 'readlink' command: /usr/bin/readlink
[07:53:20] Info: Found the 'stat' command: /bin/stat
[07:53:20] Info: Found the 'strings' command: /usr/bin/strings
[07:53:20] Info: Enabled tests are: group_accounts group_changes local_host passwd_changes
[07:53:20] Info: Disabled tests are: deleted_files hidden_ports hidden_procs packet_cap_apps suspscan
[07:53:20] Info: Found ksym file '/proc/kallsyms'
[07:53:20] Info: Using 'date' to process epoch second times.
[07:53:20] Info: Locking is not being used
[07:53:20]
[07:53:20] Starting system checks...
[07:53:20]
[07:53:20] Info: Test 'system_commands' disabled at users request.
[07:53:20]
[07:53:20] Info: Test 'rootkits' disabled at users request.
[07:53:20]
[07:53:20] Info: Test 'network' disabled at users request.
[07:53:20]
[07:53:20] Info: Starting test name 'local_host'
[07:53:20] Checking the local host...
[07:53:20]
[07:53:20] Info: Test 'startup_files' disabled at users request.
[07:53:21]
[07:53:21] Info: Starting test name 'group_accounts'
[07:53:21] Performing group and account checks
[07:53:21] Checking for passwd file [ Found ]
[07:53:21] Info: Found password file: /etc/passwd
[07:53:21] Checking for root equivalent (UID 0) accounts [ None found ]
[07:53:21] Info: Found shadow file: /etc/shadow
[07:53:21] Checking for passwordless accounts [ None found ]
[07:53:21]
[07:53:21] Info: Starting test name 'passwd_changes'
[07:53:21] Checking for passwd file changes [ Warning ]
[07:53:21] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[07:53:21]
[07:53:21] Info: Starting test name 'group_changes'
[07:53:21] Checking for group file changes [ Warning ]
[07:53:21] Warning: Unable to check for group file differences: no copy of the group file exists.
[07:53:21] Checking root account shell history files [ None found ]
[07:53:21]
[07:53:21] Info: Test 'system_configs' disabled at users request.
[07:53:21]
[07:53:21] Info: Test 'filesystem' disabled at users request.
[07:53:21]
[07:53:21] Info: Test 'apps' disabled at users request.
[07:53:21]
[07:53:21] System checks summary
[07:53:21] =====================
[07:53:21]
[07:53:21] File properties checks...
[07:53:21] All checks skipped
[07:53:21]
[07:53:21] Rootkit checks...
[07:53:21] All checks skipped
[07:53:21]
[07:53:21] Applications checks...
[07:53:21] All checks skipped
[07:53:21]
[07:53:21] The system checks took: 1 second
[07:53:21]
[07:53:21] Info: End date is Sun Jun 24 07:53:21 EDT 2012
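One way to triage the two --rwo runs quoted above (the first box and the fresh third box) is to compare them finding by finding, ignoring PIDs that change on every boot. This is an added Python example, not part of the post; the line layout its parser assumes (a "Warning:" line followed by detail lines, processes as "Command:" / "UID: PID:" / "Pathname:") is taken from the quoted output, and the sample runs are constructed from it.

```python
"""Group rkhunter --rwo warnings into boot-independent keys and diff two runs.
Added example, not from the forum post; sample runs are constructed from the
warnings it quotes, and the line layout the parser assumes is taken from them."""
RUN_BOX1 = """\
Warning: GasKit Rootkit [ Warning ]
Directory '/dev/dev' found
Warning: The following processes are using suspicious files:
Command: anacron
UID: 0 PID: 1360
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: crond
UID: 0 PID: 697
Pathname: /etc/crontab
Warning: Found passwordless account in shadow file: xguest
"""
RUN_BOX3 = """\
Warning: GasKit Rootkit [ Warning ]
Directory '/dev/dev' found
Warning: The following processes are using suspicious files:
Command: crond
UID: 0 PID: 609
Pathname: /etc/crontab
"""

def finding_keys(text):
    """One key per finding; PIDs are dropped because they change on every boot."""
    keys, warning, command, had_detail = set(), None, None, True
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Warning:"):
            if not had_detail:
                keys.add(warning)  # previous warning carried no detail lines
            warning, command, had_detail = line, None, False
        elif warning is None or not line or line.startswith(("UID:", "Possible Rootkit:")):
            continue
        elif line.startswith("Command:"):
            command = line.split(":", 1)[1].strip()
        else:  # "Pathname: ..." under a Command, or a free-form detail line
            detail = line.split(":", 1)[1].strip() if line.startswith("Pathname:") else line
            keys.add(f"{warning} {command} -> {detail}" if command else f"{warning} {detail}")
            had_detail = True
    if not had_detail:
        keys.add(warning)
    return keys

def triage(baseline, fresh_install):
    """Findings reproduced on a fresh install point at distribution defaults to verify."""
    a, b = finding_keys(baseline), finding_keys(fresh_install)
    return {"reproduced": sorted(a & b), "unique_to_baseline": sorted(a - b)}
```

Findings in "unique_to_baseline" (here the anacron process and the xguest account) are the ones worth checking by hand on that box, for instance with the package manager's file verification and a look at the account's shadow entry, before concluding anything.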