Hi all,

This is my first foray with rkhunter so I'm still learning how it works.

I recently built a fresh CentOS 7 server with the intention of having it
locked down pretty tight.

# uname -a
Linux ABCDEFG 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux

It is running Apache and VSFTPD.  Firewall rules only permit connections
from specific IPs.  SSH is blocked at the firewall so nothing external
should be able to reach it.

I put rkhunter on this box and set up daily email reports.

Rkhunter starts up and runs:

[03:21:09] Running Rootkit Hunter version 1.4.2 on ABCDEFG
[03:21:09]
[03:21:09] Info: Start date is Sun Sep 18 03:21:09 EDT 2016
[03:21:09]
[03:21:09] Checking configuration file and command-line options...
[03:21:09] Info: Detected operating system is 'Linux'
[03:21:09] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core)
[03:21:09] Info: Command line is /usr/bin/rkhunter --update --nocolors
[03:21:09] Info: Environment shell is /bin/sh; rkhunter is using bash
[03:21:09] Info: Using configuration file '/etc/rkhunter.conf'
[03:21:09] Info: Installation directory is '/usr'
[03:21:09] Info: Using language 'en'
[03:21:09] Info: Using '/var/lib/rkhunter/db' as the database directory
[03:21:09] Info: Using '/usr/share/rkhunter/scripts' as the support script
directory
[03:21:09] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin
/usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[03:21:09] Info: Using '/var/lib/rkhunter' as the temporary directory
[03:21:09] Info: X will be automatically detected
[03:21:09] Info: Found the 'basename' command: /bin/basename
[03:21:09] Info: Found the 'diff' command: /bin/diff
[03:21:09] Info: Found the 'dirname' command: /bin/dirname
[03:21:09] Info: Found the 'file' command: /bin/file
[03:21:09] Info: Found the 'find' command: /bin/find
[03:21:09] Info: Found the 'ifconfig' command: /sbin/ifconfig
[snip]

It checks for updates:

[03:21:11] Info: This version  : 2009091601
[03:21:11] Info: Latest version: 2009091601
[03:21:11] Checking file i18n/cn                             [ No update ]
[03:21:12] Info: This version  : 2014010301
[03:21:12] Info: Latest version: 2014010301
[03:21:12] Checking file i18n/de                             [ No update ]
[03:21:12] Info: This version  : 2013112401
[03:21:12] Info: Latest version: 2013112401
[03:21:12] Checking file i18n/en                             [ No update ]


But when it is doing the file checks, it is giving some warnings:

[03:21:22] Info: Starting test name 'properties'
[03:21:22] Performing file properties checks
[03:21:22]   Checking for prerequisites                      [ OK ]
[03:21:23]   /usr/sbin/adduser                               [ OK ]
[03:21:24]   /usr/sbin/chkconfig                             [ OK ]
[03:21:25]   /usr/sbin/chroot                                [ OK ]
[03:21:26]   /usr/sbin/depmod                                [ Warning ]
[03:21:26] Warning: The file properties have changed:
[03:21:26]          File: /usr/sbin/depmod
[03:21:26]          Current inode: 420722    Stored inode: 806149


The full set of warnings is this:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
         File: /usr/sbin/depmod
         Current inode: 420722    Stored inode: 806149
Warning: The file properties have changed:
         File: /usr/sbin/init
         Current inode: 420734    Stored inode: 846785
Warning: The file properties have changed:
         File: /usr/sbin/insmod
         Current inode: 420723    Stored inode: 806150
Warning: The file properties have changed:
         File: /usr/sbin/lsmod
         Current inode: 22751    Stored inode: 806151
Warning: The file properties have changed:
         File: /usr/sbin/modinfo
         Current inode: 22755    Stored inode: 806152
Warning: The file properties have changed:
         File: /usr/sbin/modprobe
         Current inode: 22757    Stored inode: 806153
Warning: The file properties have changed:
         File: /usr/sbin/rmmod
         Current inode: 22758    Stored inode: 806154
Warning: The file properties have changed:
         File: /usr/sbin/runlevel
         Current inode: 420425    Stored inode: 846788
Warning: The file properties have changed:
         File: /usr/bin/kmod
         Current inode: 100930731    Stored inode: 101135620
Warning: The file properties have changed:
         File: /usr/bin/systemctl
         Current inode: 100883675    Stored inode: 101104379
Warning: The file properties have changed:
         File: /usr/lib/systemd/systemd
         Current inode: 35069854    Stored inode: 33716503

----------------------- End Rootkit Hunter Scan -----------------------


There are two users on this server with a login: root and the maintenance
account.  And root cannot login over SSH.  Every other account is a
"nologin" system account.

So the three questions I have are:
1. How can I tell if these rkhunter warnings are false positives?
2. How do I fix the actual problem, whether it is a genuine file corruption or
a false positive?
3. Are there troubleshooting steps I can follow to analyse the cause of
this?

I have applied all available yum updates to the system too, so maybe it's
ahead of the rkhunter repositories?

Many thanks for your patience and guidance.


-Derek
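A triage helper for the warning block above (my own added code, not from the thread or from rkhunter): it parses the warnings, separates entries where only the inode moved from ones whose hash changed, and, where `rpm` is present, runs `rpm -Vf` on the file. The second sample entry is constructed, and the `Stored hash :` two-line layout is an assumption; the parser accepts values on one line or split across two.

```python
import re
import shutil
import subprocess

# Constructed sample in the shape of rkhunter 1.4.2 file-properties warnings: the
# depmod entry is from the report, the second is invented to show a hash change.
SAMPLE = """\
Warning: The file properties have changed:
         File: /usr/sbin/depmod
         Current inode: 420722    Stored inode: 806149
Warning: The file properties have changed:
         File: /usr/bin/constructed-example
         Current hash: 1111111111111111111111111111111111111111
         Stored hash : 2222222222222222222222222222222222222222
         Current inode: 12345    Stored inode: 67890
"""

PROP_RE = re.compile(r"(Current|Stored) (\w+)\s*: (\S+)")

def parse_warnings(text):
    """Group warning lines into {file, changed: {prop: {current, stored}}}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Warning: The file properties have changed"):
            cur = {"file": None, "changed": {}}
            entries.append(cur)
        elif cur is not None and line.startswith("File: "):
            cur["file"] = line[6:].strip()
        elif cur is not None:
            # A line may carry both values (inode) or just one (long hashes).
            for side, prop, value in PROP_RE.findall(line):
                cur["changed"].setdefault(prop, {})[side.lower()] = value
    return entries

def triage(entry):
    """rkhunter prints only the properties that differ: inode moved with the hash
    intact is what an rpm upgrade looks like; a changed hash means new content."""
    props = set(entry["changed"])
    if "hash" in props:
        return "content-changed"
    return "inode-only" if props == {"inode"} else "metadata-changed"

def rpm_verify(path):
    """Verify the owning package with `rpm -Vf`; returns the verify lines about
    this path (empty list means rpm agrees with the file), or None without rpm."""
    if shutil.which("rpm") is None:
        return None
    out = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True).stdout
    return [l for l in out.splitlines() if l.split()[-1:] == [path]]
```

If `rpm -Vf` and `yum history` agree the files came from an update, `rkhunter --propupd` refreshes the stored properties so the next run is clean.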
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users