On Thursday 10 October 2013 4:17:34 pm Sportsman Fishing Adventures wrote:

> Hi all, just leased a new dedicated server and had a third party (way to web)
> install a security package including rkhunter on to it and the first day of
> emailed logs show these errors and was wondering why they are there at all as
> it is a fresh install so there will be no security issues yet. Appreciate any
> help or guidance you may provide. I am a relative newbie to running my own
> dedicated server so please be patient. I changed the User and Group to
> "username" from the actual account name.
>
> [ Rootkit Hunter version 1.4.0 ]
>
> Checking rkhunter data files...
>   Checking file mirrors.dat                                  [ No update ]
>   Checking file programs_bad.dat                             [ No update ]
>   Checking file backdoorports.dat                            [ No update ]
>   Checking file suspscan.dat                                 [ No update ]
>   Checking file i18n/cn                                      [ No update ]
>   Checking file i18n/de                                      [ No update ]
>   Checking file i18n/en                                      [ No update ]
>   Checking file i18n/zh                                      [ No update ]
>   Checking file i18n/zh.utf8                                 [ No update ]
>
> [ Rootkit Hunter version 1.4.0 ]
>
> File updated: searched for 167 files, found 139
> Warning: User 'username' has been added to the passwd file.
> Warning: Group 'username' has been added to the group file.
> Warning: The SSH configuration option 'PermitRootLogin' has not been set.
>          The default value may be 'yes', to allow root access.
> Warning: Suspicious file types found in /dev:
>          /dev/.udev/queue.bin: Applesoft BASIC program data
>          /dev/.udev/db/block:sda1: ASCII text
>          /dev/.udev/db/block:sda3: ASCII text
>          /dev/.udev/db/block:sda2: ASCII text
>          /dev/.udev/db/block:sda: ASCII text
>          /dev/.udev/db/sound:card1: ASCII text
>          /dev/.udev/db/input:event16: ASCII text
>          /dev/.udev/db/input:event15: ASCII text
>          /dev/.udev/db/input:event14: ASCII text
>          /dev/.udev/db/input:event13: ASCII text
>          /dev/.udev/db/input:event0: ASCII text
>          /dev/.udev/db/usb:usb5: ASCII text
>          /dev/.udev/db/usb:usb6: ASCII text
>          /dev/.udev/db/usb:usb4: ASCII text
>          /dev/.udev/db/usb:usb3: ASCII text
>          /dev/.udev/db/sound:card0: ASCII text
>          /dev/.udev/db/input:event12: ASCII text
>          /dev/.udev/db/input:event11: ASCII text
>          /dev/.udev/db/input:event9: ASCII text
>          /dev/.udev/db/input:event10: ASCII text
>          /dev/.udev/db/input:event6: ASCII text
>          /dev/.udev/db/input:event8: ASCII text
>          /dev/.udev/db/sound:hwC1D2: ASCII text
>          /dev/.udev/db/sound:pcmC1D7p: ASCII text
>          /dev/.udev/db/input:event7: ASCII text
>          /dev/.udev/db/sound:pcmC1D3p: ASCII text
>          /dev/.udev/db/sound:controlC1: ASCII text
>          /dev/.udev/db/input:event5: ASCII text
>          /dev/.udev/db/sound:hwC1D3: ASCII text
>          /dev/.udev/db/sound:hwC1D0: ASCII text
>          /dev/.udev/db/sound:pcmC1D8p: ASCII text
>          /dev/.udev/db/sound:hwC1D1: ASCII text
>          /dev/.udev/db/sound:pcmC1D9p: ASCII text
>          /dev/.udev/db/input:event1: ASCII text
>          /dev/.udev/db/input:event2: ASCII text
>          /dev/.udev/db/pci:0000:08:00.0: ASCII text
>          /dev/.udev/db/sound:controlC0: ASCII text
>          /dev/.udev/db/sound:hwC0D0: ASCII text
>          /dev/.udev/db/sound:pcmC0D1p: ASCII text
>          /dev/.udev/db/sound:pcmC0D2c: ASCII text
>          /dev/.udev/db/sound:pcmC0D0c: ASCII text
>          /dev/.udev/db/sound:pcmC0D0p: ASCII text
>          /dev/.udev/db/sound:seq: ASCII text
>          /dev/.udev/db/sound:timer: ASCII text
>          /dev/.udev/db/net:eth0: ASCII text
>          /dev/.udev/db/drm:card0: ASCII text
>          /dev/.udev/db/block:loop0: ASCII text
>          /dev/.udev/db/block:loop7: ASCII text
>          /dev/.udev/db/block:loop6: ASCII text
>          /dev/.udev/db/block:loop4: ASCII text
>          /dev/.udev/db/block:loop5: ASCII text
>          /dev/.udev/db/block:loop1: ASCII text
>          /dev/.udev/db/block:loop2: ASCII text
>          /dev/.udev/db/block:loop3: ASCII text
>          /dev/.udev/db/block:ram9: ASCII text
>          /dev/.udev/db/block:ram11: ASCII text
>          /dev/.udev/db/block:ram8: ASCII text
>          /dev/.udev/db/block:ram5: ASCII text
>          /dev/.udev/db/block:ram13: ASCII text
>          /dev/.udev/db/block:ram10: ASCII text
>          /dev/.udev/db/block:ram4: ASCII text
>          /dev/.udev/db/block:ram12: ASCII text
>          /dev/.udev/db/block:ram2: ASCII text
>          /dev/.udev/db/block:ram14: ASCII text
>          /dev/.udev/db/block:ram1: ASCII text
>          /dev/.udev/db/block:ram0: ASCII text
>          /dev/.udev/db/block:ram6: ASCII text
>          /dev/.udev/db/block:ram7: ASCII text
>          /dev/.udev/db/block:ram15: ASCII text
>          /dev/.udev/db/block:ram3: ASCII text
>          /dev/.udev/db/pci:0000:00:1f.2: ASCII text
>          /dev/.udev/db/usb:2-1: ASCII text
>          /dev/.udev/db/usb:1-1: ASCII text
>          /dev/.udev/db/usb:usb1: ASCII text
>          /dev/.udev/db/usb:usb2: ASCII text
>          /dev/.udev/rules.d/99-root.rules: ASCII text
> Warning: Hidden directory found: '/dev/.mdadm'
> Warning: Hidden directory found: '/dev/.udev'
> Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
> Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
> Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
> Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
> Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
> Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text
>
>
> --
> Paul Smith
> Van Isle BC Web Solutions
> http://www.vanislebc.com
> Sportsman Fishing Adventures Ltd.
> http://www.sportsmanfishing.com
> cell# 1-778-808-2490
> home# 1-250-283-2129
Paul,

Rkhunter is a great tool. However, it isn't always (usually?) an "install and forget" type of program. Your installation simply needs some tweaking to be adapted to the particular configuration of your server.

rkhunter.conf is where you make those tweaks. It's pretty well commented. You can easily tweak it yourself, or go back to the third-party installer and say, "Hey! ... ".

The first few warnings are simply rkhunter doing its job (e.g. if a new user is added to your system, rkhunter will alert you. If you've configured SSH to allow root login [not a best practice], rkhunter will warn you.) Most of the rest should probably be "whitelisted". All of that stuff can be done in rkhunter.conf.

After changes, be sure to run "rkhunter --propupd". Then, run "rkhunter -c" to go through a check so that you can see the output, and make any necessary changes accordingly.

HTH

Dimitri
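The tweaking Dimitri describes (whitelist the hidden files and /dev entries that are expected on this server in rkhunter.conf, then run --propupd and a fresh check), as an added example that is not part of the thread and not code from the rkhunter project: a POSIX sh helper that turns warning lines like the ones Paul quoted into whitelist directives. ALLOWHIDDENDIR, ALLOWHIDDENFILE, ALLOWDEVFILE and ALLOW_SSH_ROOT_USER are real rkhunter.conf options; the function names are the example's own, and the sample log is constructed from a subset of the warnings in Paul's mail. The new-user and new-group warnings are deliberately not mapped to anything, since the correct response to those is to confirm the account was created on purpose, not to silence the check.

```shell
#!/bin/sh
# Added example, not code from the rkhunter project or from the thread.
# Turns rkhunter 1.4-style "Warning:" lines into whitelist directives for
# rkhunter.conf. ALLOWHIDDENDIR, ALLOWHIDDENFILE, ALLOWDEVFILE and
# ALLOW_SSH_ROOT_USER are real rkhunter.conf options; the function names
# and the sample log are this example's own (the log is constructed from
# the warnings quoted in Paul's mail).

# Constructed sample of the emailed warnings, one warning per line as
# rkhunter writes them (the /dev entries are indented under their header).
sample_log() {
cat <<'EOF'
Warning: User 'username' has been added to the passwd file.
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
Warning: Suspicious file types found in /dev:
         /dev/.udev/queue.bin: Applesoft BASIC program data
         /dev/.udev/db/block:sda1: ASCII text
         /dev/.udev/rules.d/99-root.rules: ASCII text
Warning: Hidden directory found: '/dev/.mdadm'
Warning: Hidden directory found: '/dev/.udev'
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
EOF
}

# Read warnings on stdin, print one rkhunter.conf directive per line.
# Only warnings that have a direct whitelist directive are mapped; the
# new-user warning produces nothing, because that one needs a human to
# confirm the account rather than a config line to hide it.
rkh_whitelist() {
  awk -v q="'" '
    # Any line that is not indented under the /dev header ends that block
    !/^[ \t]/ { indev = 0 }
    /^Warning: Hidden directory found:/ {
      p = $NF; gsub(q, "", p); print "ALLOWHIDDENDIR=" p; next
    }
    /^Warning: Hidden file found:/ {
      p = $5; sub(/:$/, "", p); print "ALLOWHIDDENFILE=" p; next
    }
    /^Warning: Suspicious file types found in \/dev:/ { indev = 1; next }
    indev && /^[ \t]+\/dev\// {
      p = $1; sub(/:$/, "", p); print "ALLOWDEVFILE=" p; next
    }
    # rkhunter compares PermitRootLogin against this value: set
    # "PermitRootLogin no" in sshd_config first, then record it here.
    /PermitRootLogin/ { print "ALLOW_SSH_ROOT_USER=no"; next }
  ' | LC_ALL=C sort -u
}

# Stand-alone run: print the directives derived from the sample log.
sample_log | rkh_whitelist
```

Review the generated list before appending it to rkhunter.conf (or to rkhunter.conf.local, where the installed version reads it): a whitelist entry is only right for a file you can explain. On an RPM-based system `rpm -qf <path>` shows which package owns a hidden file such as the `.hmac` entries; a hidden file that no package claims deserves a look rather than a whitelist line. The many `/dev/.udev/db/` entries can be collapsed to a single `ALLOWDEVFILE=/dev/.udev/db/*`, since that option accepts wildcards. Then `rkhunter -C` checks the configuration for syntax errors, `rkhunter --propupd` refreshes the stored file properties, and `rkhunter -c` confirms that the remaining warnings are the ones you actually want to see.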