First, please tell us you have read through the rkhunter FAQ <http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ> and searched the list archives <https://sourceforge.net/p/rkhunter/mailman/rkhunter-users/> for similar questions, and then ask again.
-Al-

On Mon, Sep 19, 2016 at 04:27 AM, Carol & Derek wrote:
> Hi all,
>
> This is my first foray with rkhunter so I'm still learning how it works.
>
> I recently built a fresh Centos 7 server with the intention of having it
> locked down pretty tight.
>
> # uname -a
> Linux ABCDEFG 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> It is running Apache and VSFTPD. Firewall rules only permit connections from
> specific IPs. SSH is blocked at the firewall so nothing external should be
> able to reach it.
>
> I put rkhunter on this box and set up daily email reports.
>
> Rkhunter starts up and runs:
>
> [03:21:09] Running Rootkit Hunter version 1.4.2 on ABCDEFG
> [03:21:09]
> [03:21:09] Info: Start date is Sun Sep 18 03:21:09 EDT 2016
> [03:21:09]
> [03:21:09] Checking configuration file and command-line options...
> [03:21:09] Info: Detected operating system is 'Linux'
> [03:21:09] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core)
> [03:21:09] Info: Command line is /usr/bin/rkhunter --update --nocolors
> [03:21:09] Info: Environment shell is /bin/sh; rkhunter is using bash
> [03:21:09] Info: Using configuration file '/etc/rkhunter.conf'
> [03:21:09] Info: Installation directory is '/usr'
> [03:21:09] Info: Using language 'en'
> [03:21:09] Info: Using '/var/lib/rkhunter/db' as the database directory
> [03:21:09] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
> [03:21:09] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
> [03:21:09] Info: Using '/var/lib/rkhunter' as the temporary directory
> [03:21:09] Info: X will be automatically detected
> [03:21:09] Info: Found the 'basename' command: /bin/basename
> [03:21:09] Info: Found the 'diff' command: /bin/diff
> [03:21:09] Info: Found the 'dirname' command: /bin/dirname
> [03:21:09] Info: Found the 'file' command: /bin/file
> [03:21:09] Info: Found the 'find' command: /bin/find
> [03:21:09] Info: Found the 'ifconfig' command: /sbin/ifconfig
> [snip]
>
> It checks for updates:
>
> [03:21:11] Info: This version : 2009091601
> [03:21:11] Info: Latest version: 2009091601
> [03:21:11] Checking file i18n/cn [ No update ]
> [03:21:12] Info: This version : 2014010301
> [03:21:12] Info: Latest version: 2014010301
> [03:21:12] Checking file i18n/de [ No update ]
> [03:21:12] Info: This version : 2013112401
> [03:21:12] Info: Latest version: 2013112401
> [03:21:12] Checking file i18n/en [ No update ]
>
> But when it is doing the file checks, it is giving some warnings:
>
> [03:21:22] Info: Starting test name 'properties'
> [03:21:22] Performing file properties checks
> [03:21:22] Checking for prerequisites [ OK ]
> [03:21:23] /usr/sbin/adduser [ OK ]
> [03:21:24] /usr/sbin/chkconfig [ OK ]
> [03:21:25] /usr/sbin/chroot [ OK ]
> [03:21:26] /usr/sbin/depmod [ Warning ]
> [03:21:26] Warning: The file properties have changed:
> [03:21:26] File: /usr/sbin/depmod
> [03:21:26] Current inode: 420722 Stored inode: 806149
>
> The full set of warnings is this:
>
> ---------------------- Start Rootkit Hunter Scan ----------------------
> Warning: The file properties have changed:
> File: /usr/sbin/depmod
> Current inode: 420722 Stored inode: 806149
> Warning: The file properties have changed:
> File: /usr/sbin/init
> Current inode: 420734 Stored inode: 846785
> Warning: The file properties have changed:
> File: /usr/sbin/insmod
> Current inode: 420723 Stored inode: 806150
> Warning: The file properties have changed:
> File: /usr/sbin/lsmod
> Current inode: 22751 Stored inode: 806151
> Warning: The file properties have changed:
> File: /usr/sbin/modinfo
> Current inode: 22755 Stored inode: 806152
> Warning: The file properties have changed:
> File: /usr/sbin/modprobe
> Current inode: 22757 Stored inode: 806153
> Warning: The file properties have changed:
> File: /usr/sbin/rmmod
> Current inode: 22758 Stored inode: 806154
> Warning: The file properties have changed:
> File: /usr/sbin/runlevel
> Current inode: 420425 Stored inode: 846788
> Warning: The file properties have changed:
> File: /usr/bin/kmod
> Current inode: 100930731 Stored inode: 101135620
> Warning: The file properties have changed:
> File: /usr/bin/systemctl
> Current inode: 100883675 Stored inode: 101104379
> Warning: The file properties have changed:
> File: /usr/lib/systemd/systemd
> Current inode: 35069854 Stored inode: 33716503
> ----------------------- End Rootkit Hunter Scan -----------------------
>
> There are two users on this server with a login: root and the maintenance
> account. And root cannot login over SSH. Every other account is a "nologin"
> system account.
>
> So the three questions I have are:
> 1. How can I tell if these rkhunter warnings are false positives?
> 2. How do I fix the actual problem, whether it is a genuine file corruption or a
> false positive?
> 3. Are there troubleshooting steps I can follow to analyse the cause of this?
>
> I have applied all available yum updates to the system too, so maybe it's
> ahead of the rkhunter repositories?
>
> Many thanks for your patience and guidance.
>
> -Derek

-Al-
--
Al Varnell
Mountain View, CA
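A triage helper for the "file properties have changed" warnings quoted above, added here as an illustration and not part of the thread or of rkhunter itself: it parses the warning block into (file, changed property) records and, on an RPM-based host, checks whether each file is owned by a package whose own verification passes. An inode-only change on a file that the package manager still verifies as intact is the typical trace of a package update that rkhunter's properties database has not been re-baselined for (`rkhunter --propupd` rebuilds that database). The sample text and the stub `owner`/`verify_ok` callables are constructed for this example.

```python
import re
import shutil
import subprocess

# Constructed sample, trimmed from the warning block quoted in the post.
SAMPLE_WARNINGS = """\
Warning: The file properties have changed:
         File: /usr/sbin/depmod
         Current inode: 420722    Stored inode: 806149
Warning: The file properties have changed:
         File: /usr/bin/systemctl
         Current inode: 100883675    Stored inode: 101104379
"""

FILE_RE = re.compile(r"^\s*File:\s+(\S+)")
# Matches "Current <prop>: X    Stored <prop>: Y" for inode, hash, size, ...
PROP_RE = re.compile(r"Current (\w+):\s*(\S+)\s+Stored \1:\s*(\S+)")

def parse_warnings(text):
    """Return [{'file': path, 'changed': {prop: (current, stored)}}, ...]."""
    records, current = [], None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = {"file": m.group(1), "changed": {}}
            records.append(current)
        elif current is not None:
            for prop, cur, stored in PROP_RE.findall(line):
                current["changed"][prop] = (cur, stored)
    return records

def classify(record, owner, verify_ok):
    """owner(path) -> package name or None; verify_ok(path) -> True when the
    package manager's own checksum/size/mode check of that file is clean."""
    props = set(record["changed"])
    pkg = owner(record["file"])
    if pkg is None:
        return "unowned-file: investigate"          # not from any package
    if props <= {"inode"} and verify_ok(record["file"]):
        return f"likely-benign: {pkg} updated; re-baseline with rkhunter --propupd"
    return f"suspicious: {pkg} fails verify or non-inode change {sorted(props)}"

def rpm_owner(path):
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def rpm_verify_ok(path):
    # rpm -Vf prints one line per discrepancy; empty output means clean.
    r = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return r.returncode == 0 and r.stdout.strip() == ""

if __name__ == "__main__":
    for rec in parse_warnings(SAMPLE_WARNINGS):
        if shutil.which("rpm"):
            print(rec["file"], classify(rec, rpm_owner, rpm_verify_ok))
        else:
            print(rec)
```

Feed it the real warning block from the rkhunter log instead of the sample, and treat anything other than "likely-benign" as a reason to compare the file against a known-good copy before re-baselining.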
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users