I have rkhunter on my classroom systems, and have checked logs and didn't see anything that I thought was a problem, but now have run into a situation that is a big problem.
I was seeing a message from systemctl --status=failed that DbSecuritySpt was failing. It is something in /etc/init.d, but it was just a shell script that ran /tmp/g251, which didn't exist. There was also a selinux and a weird-named file in the same directory. A recently built system had none of these files. The weird-named file was actually pointing to a /usr/bin/sameweirdname file that would be 625900 bytes in size. The name of the file would change, and some systems had multiple copies of the files, and they would have the current date. Later I found the crontab had a line that would run a script gcc.sh from the /etc/cron.hourly folder.

I've been using this process to try to clean the machines, but don't know if there is a better way, or even if this is really going to completely fix the issue.

Remove the gcc.sh script from /etc/cron.hourly:
    cmd="hostname ; ls /etc/cron.hourly ; rm /etc/cron.hourly/gcc.sh"

Copy a clean crontab file:
    cmd="hostname ; cd /etc ; ncftpget ftp://192.168.7.101/crontab . "

Remove the 3 files from the /etc/init.d directory:
    cmd="hostname ; cd /etc/init.d ; rm DbSecuritySpt eyshcjdmzg selinux; ls -l"

This command would list all the files with the strange size, and I modified it to delete all of the files:
    cmd="hostname ; cd /usr/bin ; ls -l | grep 625900 | cut -b 51-70"

I also noticed that the lsof, ps and netstat programs seemed to have been modified. rkhunter probably saw that, and I mistook the difference as being from a dnf upgrade.
    cmd="hostname ; dnf reinstall lsof procps-ng net-tools -y"

I did this on one system, and it seemed to get rid of the problem, but it has just been a short time. Was hoping this list would have the best answers for really fixing this, or at least pointing me to a resource that can. Thanks.

+----------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
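As an added example (not part of the post above, and not rkhunter's own code), a read-only sweep that checks a host or a mounted image root for the indicators the post lists, so a teacher can see which classroom machines still carry them before cleaning. The cron, init.d and /usr/bin paths and the 625900-byte size are taken from the post as written; the extra check for init scripts that reference /tmp is an assumed heuristic, and the rpm -V step assumes an rpm-based system like the dnf one in the post.

```shell
#!/bin/sh
# Added example, not from the original post: read-only sweep for the indicators
# it lists. Run "sh sweep.sh /" on a live host, or point it at a mounted image
# root. It reports and never deletes. The /tmp heuristic is an assumption.
scan_indicators() {
    root="${1:-/}"
    findings=0
    # the hourly cron job the post found
    if [ -e "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "FOUND cron job: $root/etc/cron.hourly/gcc.sh"
        findings=$((findings + 1))
    fi
    # init.d entries: the three names from the post, or any script that
    # references /tmp (DbSecuritySpt only ran /tmp/g251)
    for s in "$root"/etc/init.d/*; do
        [ -f "$s" ] || continue
        name=$(basename "$s")
        case " DbSecuritySpt selinux eyshcjdmzg " in
            *" $name "*) reason="name from post" ;;
            *) grep -q '/tmp/' "$s" && reason="references /tmp" || continue ;;
        esac
        echo "FOUND init script ($reason): $s"
        findings=$((findings + 1))
    done
    # /usr/bin files with the size the post reports for the dropped binaries
    for b in "$root"/usr/bin/*; do
        [ -f "$b" ] || continue
        if [ "$(( $(wc -c < "$b") ))" -eq 625900 ]; then
            echo "FOUND 625900-byte binary: $b"
            findings=$((findings + 1))
        fi
    done
    echo "findings=$findings"
}
# count only, for scripting
indicator_count() { scan_indicators "$1" | sed -n 's/^findings=//p'; }
# rpm -V lists files of the tools the post reinstalled that differ from the
# package database; only meaningful on the live host, so run it for root "/"
verify_tools() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    rpm -V lsof procps-ng net-tools && echo "lsof/procps-ng/net-tools verify clean"
}
if [ "$#" -gt 0 ]; then
    scan_indicators "$1"
    [ "$1" = "/" ] && verify_tools
fi
```

A non-zero findings count on a freshly reinstalled machine means the cleanup was incomplete or the host was re-infected, which is the case the post is unsure about.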