Hi Steve

On Tue, Oct 30, 2012 at 12:23:52PM -0700, Steve Kompolt wrote:

> [root@server bin]# sh rkhunter -c --rwo
> Warning: Checking for prerequisites [ Warning ]
> The file of stored file properties (rkhunter.dat) does not exist,
> and should be created. To do this type in 'rkhunter --propupd'.

rkhunter needs to know what is okay on your system. Therefore, it should be
installed fairly early on in the installation process of setting up a system.
You create the first example of this db by running the command

    rkhunter --propupd

Then you can use the --check command to periodically check your system.

> Warning: WARNING! It is the users responsibility to ensure that when the
> '--propupd' option is used, all the files on their system are known to be
> genuine, and installed from a reliable source. The rkhunter '--check'
> option will compare the current file properties against previously stored
> values, and report if any values differ. However, rkhunter cannot
> determine what has caused the change, that is for the user to do.

This bit indicates that you, the end user, have to be sure that the stuff
rkhunter reports as changed is reasonable - e.g. you've done an update and
rkhunter has noticed and reports file changes relevant to that update.

> Warning: The command '/sbin/ifdown' has been replaced by a script:
> /sbin/ifdown: Bourne-Again shell script text executable
> Warning: The command '/sbin/ifup' has been replaced by a script:
> /sbin/ifup: Bourne-Again shell script text executable
> Warning: The command '/usr/bin/GET' has been replaced by a script:
> /usr/bin/GET: perl script text executable
> Warning: The command '/usr/bin/groups' has been replaced by a script:
> /usr/bin/groups: Bourne shell script text executable
> Warning: The command '/usr/bin/ldd' has been replaced by a script:
> /usr/bin/ldd: Bourne shell script text executable
> Warning: The command '/usr/bin/whatis' has been replaced by a script:
> /usr/bin/whatis: Bourne shell script text executable

These are warnings because some of your files have been changed. Or they
have changed against the db you didn't set up already.

> Warning: Checking for possible rootkit strings [ Warning ]
> Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible
> rootkit: Xzibit Rootkit

You may have been pwned. It's up to you to investigate what that warning
means and whether it is okay for rc.sysinit to have the word hdparm in it.

> Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
> Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
> Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
> Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa

You've got some inetd.d stuff going for ftp, pop, smtp and smtps services.
rkhunter may consider these unsafe.

> Warning: No output found from the lsmod command or the /proc/modules file:
> /proc/modules output:
> lsmod output:
> Warning: The kernel modules directory '/lib/modules' is missing or empty.

You have no modules in /lib/modules. I might be worried about that.

> Warning: Account 'mysql' is root equivalent (UID = 0)

An insecure mysql setup.

> Warning: The SSH configuration option 'PermitRootLogin' has not been set.
> The default value may be 'yes', to allow root access.
> Warning: The SSH configuration option 'Protocol' has not been set.
> The default value may be '2,1', to allow the use of protocol
> version 1.

Poor ssh setup.

> Warning: Suspicious file types found in /dev:
> /dev/hdsmat: ASCII text

Shouldn't have an ASCII file there.

> Warning: Hidden file found: /dev/.udev.tdb: TDB database version 6,
> little-endian hash size 131 bytes
> Warning: Hidden file found: /bin/.bash_history: ASCII text

Likewise shouldn't have a .bash_history file there. Check out what's in it.

> Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed
> data, from Unix, max compression

Not sure what that's doing there.

> Warning: Application 'gpg', version '1.2.6', is out of date, and possibly a
> security risk.
> Warning: Application 'httpd', version '2.0.52', is out of date, and
> possibly a security risk.
> Warning: Application 'openssl', version '0.9.7a', is out of date, and
> possibly a security risk.
> Warning: Application 'sshd', version '3.9p1', is out of date, and possibly
> a security risk.

Indeed. My openssl version is reported as 1.0.1. There may be security
updates you need to install for all packages that this is reported on.

HTH

Kind regards
Lesley

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
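As an added example, not part of the original thread and not rkhunter's own code, the Python sketch below models the two-step workflow Lesley describes: `propupd()` stands in for `rkhunter --propupd` (record a baseline of file properties while the system is trusted) and `check()` stands in for `rkhunter --check --rwo` (report only what differs). It also shows how the "has been replaced by a script" class of warning arises: the stored kind of a command was an ELF binary, the current kind is a `#!` script. The JSON db layout, the warning wording, and the file names `groups` and `ldd` inside a temporary directory are all constructed for illustration; nothing here touches real system binaries.

```python
"""Constructed miniature of rkhunter's stored-file-properties workflow.

propupd() plays the role of 'rkhunter --propupd' (record a baseline),
check() plays 'rkhunter --check --rwo' (report only what differs).
It works on a temporary directory with constructed files, never on a
real system; warning wording is modelled on rkhunter's, not copied.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_kind(path):
    """Coarse content type from the first bytes: ELF binary, #! script, or other."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"\x7fELF"):
        return "ELF executable"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def file_properties(path):
    """Properties worth storing for a command: hash, size, mode, owner, kind."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "sha256": digest,
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "kind": file_kind(path),
    }


def propupd(paths, dbfile):
    """Write the baseline. Only meaningful when every file in 'paths' is trusted."""
    db = {p: file_properties(p) for p in paths}
    with open(dbfile, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)
    return db


def check(dbfile):
    """Compare current properties against the baseline; return warning lines only."""
    with open(dbfile) as fh:
        db = json.load(fh)
    warnings = []
    for path, stored in sorted(db.items()):
        if not os.path.exists(path):
            warnings.append(f"Warning: The file '{path}' no longer exists.")
            continue
        current = file_properties(path)
        # A binary that turned into a script is the case the thread's
        # "has been replaced by a script" warnings describe.
        if stored["kind"] == "ELF executable" and current["kind"] == "script":
            warnings.append(f"Warning: The command '{path}' has been replaced by a script.")
        changed = [k for k in ("sha256", "size", "mode", "uid", "gid") if stored[k] != current[k]]
        if changed:
            warnings.append(
                f"Warning: The file properties have changed: '{path}' ({', '.join(changed)})"
            )
    return warnings


def demo():
    """Constructed scenario: baseline two fake binaries, then one becomes a script."""
    tmp = tempfile.mkdtemp()
    groups = os.path.join(tmp, "groups")  # hypothetical stand-in for /usr/bin/groups
    ldd = os.path.join(tmp, "ldd")        # hypothetical stand-in for /usr/bin/ldd
    for path, filler in ((groups, b"\x00"), (ldd, b"\x01")):
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF" + filler * 60)  # fake ELF magic, not a real binary
        os.chmod(path, 0o755)
    dbfile = os.path.join(tmp, "rkhunter.dat")
    propupd([groups, ldd], dbfile)
    after_propupd = check(dbfile)  # fresh baseline: nothing to report
    with open(groups, "wb") as fh:
        fh.write(b"#!/bin/sh\necho groups\n")  # the kind of change the check exists to catch
    return {"after_propupd": after_propupd, "after_change": check(dbfile)}


if __name__ == "__main__":
    for line in demo()["after_change"]:
        print(line)
```

The point the thread makes survives in the model: `check()` can say that `groups` changed from an ELF binary to a script, but it cannot say whether a package update or an intruder did it; that judgement, and re-running `propupd()` once the change is known to be legitimate, stays with the administrator.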