Hello, Bernd,
You wrote on 22.06.12:
Where can I find 1.3.8?
My usual source is slackfind.net, but the site seems to have problems.
My next place:
http://arktur.shuttle.de/CD/beta/slack/n1/rkhunter-1.3.8-i686-1cf.txz
Built by Corrado Franco (http://conraid.net)
Best regards!
Helmut
Hello, Bernd,
You wrote on 21.06.12:
Is there a live CD with Rootkit Hunter?
That's not impossible but difficult.
rkhunter first needs a run
rkhunter --propupd
to generate a file with a kind of checksums, and thereafter it compares
the actual checksums with the data in this
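The baseline-then-compare cycle described in the reply above, and the "file properties have changed" / "has been replaced by a script" warnings that come up in several other messages on this page, in miniature. This is an added shell example, not rkhunter's own code: the database layout (hash, size, kind, path), the function names and the paths in the usage comment are assumptions made here.

```sh
#!/bin/sh
# Added example: a minimal file-properties database in the spirit of
# "rkhunter --propupd" followed by the normal check. Not rkhunter's own code;
# the database layout (hash size kind path) is an assumption of this example.

# sha256 of one file; falls back to shasum on systems without coreutils
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# "script" if the file starts with "#!", otherwise "binary": this is the
# property behind the "has been replaced by a script" warning
kind_of() {
    if [ "$(head -c 2 "$1")" = "#!" ]; then echo script; else echo binary; fi
}

# propupd_baseline DIR DBFILE
# Record hash, size and kind of every regular file below DIR (the --propupd step).
propupd_baseline() {
    dir=$1; db=$2
    : > "$db"
    find "$dir" -type f | sort | while read -r f; do
        printf '%s %s %s %s\n' "$(hash_file "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" "$(kind_of "$f")" "$f"
    done >> "$db"
}

# propcheck DIR DBFILE
# Compare the current state of DIR with DBFILE; print one line per finding.
# A clean run prints nothing, like a passing rkhunter file-properties test.
propcheck() {
    dir=$1; db=$2
    while read -r oldhash oldsize oldkind path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            continue
        fi
        newhash=$(hash_file "$path")
        newsize=$(wc -c < "$path" | tr -d ' ')
        newkind=$(kind_of "$path")
        if [ "$oldkind" = binary ] && [ "$newkind" = script ]; then
            echo "SCRIPT   $path (was binary, is now a script; hash $oldhash -> $newhash)"
        elif [ "$newhash" != "$oldhash" ] || [ "$newsize" != "$oldsize" ]; then
            echo "CHANGED  $path (hash $oldhash -> $newhash, size $oldsize -> $newsize)"
        fi
    done < "$db"
    # files present now that were not recorded when the baseline was taken
    find "$dir" -type f | sort | while read -r f; do
        grep -q " $f\$" "$db" || echo "NEW      $f"
    done
}

# propcheck_count DIR DBFILE: number of findings (0 means clean)
propcheck_count() {
    propcheck "$1" "$2" | wc -l | tr -d ' '
}

# Usage on a real host, as root, after installing or updating packages
# (paths are assumptions of this example):
#   propupd_baseline /usr/sbin /var/lib/example/props.dat   # like rkhunter --propupd
#   propcheck        /usr/sbin /var/lib/example/props.dat   # like the daily check
```

The point the thread keeps returning to is visible here: the check is only as trustworthy as the moment the baseline was taken, so run the baseline step right after a package update you trust, and treat a "CHANGED" or "SCRIPT" line after that as something to explain before re-running it.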
Hello, Tanstaafl,
You wrote on 21.09.11:
After a lot of updates on my gentoo system - one of which included a
REBUILD of rkhunter - and *after* running --propupd, I'm getting the
following Warning (this is the only one):
[07:40:01] Warning: The command '/usr/sbin/rkhunter' has been
Hello, Robert,
You wrote on 27.07.11:
Just upgraded to 1.3.8, now I'm getting Xzibit Rootkit. I'm sure
it is a false positive, how do I clear this error?
RTKT_FILE_WHITELIST=/etc/rc.d/rc.sysinit:hdparm
Sorry to be late to the thread, Running Debian Squeeze and rkhunter
1.3.6-4. Also
Hello, Carlos,
You wrote on 21.04.11:
I've been affected by a new rootkit on a Debian Lenny server, but
rkhunter doesn't detect it.
[...]
I think a good add-on for rkhunter would be to inspect the MD5 of the
packages. A good test may be to run debsums on Debian systems.
Sorry - that's the job of the
Hello, rkhunter-users,
I've just seen a linux server with the following symptoms:
- in /var/log/messages every minute a cron message from Opyum Team
- lynx localhost doesn't work; the apache was dead
- restarting the apache works, but the apache dies again after some
minutes
These problems
Hello, Jonny,
You wrote on 11.08.10:
when I try almost any command (except --version) with rkhunter it
gives the error:
The command 'awk' must be present on the system in order to run
rkhunter.
# echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin
I'd like to send the log file but sadly we can't
Hello, Jonny,
You wrote on 11.08.10:
OK found it...seems like a bug to me...the default /etc/rkhunter.conf
has these lines in it
#
# Specify the command directories to be checked. This is a
# space-separated list of directories.
#
#BINDIR=/bin /usr/bin /sbin /usr/sbin /usr/local/bin
Hello, Jonny,
You wrote on 11.08.10:
#BINDIR=/bin /usr/bin /sbin /usr/sbin /usr/local/bin
/usr/local/sbin /usr/libexec /usr/local/libexec
BINDIR=/usr/sbin
Who has damaged that configuration file? That's not the original
one.
[...]
But that aside as it is not the point, the real point
Hello, Jonny,
You wrote on 10.08.10:
I'm running
# rkhunter --version
Rootkit Hunter 1.3.4
on gentoo linux hardened 2.6.32
when I try almost any command (except --version) with rkhunter it
gives the error:
The command 'awk' must be present on the system in order to run
rkhunter.
Hello, Duane,
You wrote on 27.05.10:
[22:55:56] Info: Starting test name 'os_specific'
[22:55:56] Checking loaded kernel modules [ Warning ]
[22:55:56] Warning: No output found from the lsmod command or the /proc/modules file:
That may be no problem - maybe you run a
Hello, Duane,
You wrote on 26.05.10:
-rw-r--r-- 1 root root 40 May 30 2007 ..1.gz
-rw-r--r-- 1 root root 40 May 30 2007 :.1.gz
-rw-r--r-- 1 root root 3806 May 30 2007 GET.1.gz
-rw-r--r-- 1 root root 3805 May 30 2007 HEAD.1.gz
lrwxrwxrwx 1 root root 9 Jul 19 2007
Hello, Duane,
You wrote on 27.05.10:
How do I go about checking the warnings in File Properties?
If I'm being too questioning please just tell me to go pound sand.
I really appreciate your help (all of you).
Take about 20 minutes to read very slowly (with time to think about) the
file
Hello, Duane,
You wrote on 27.05.10:
/bin/sh: /usr/bin/rkhunter: No such file or directory
It will error with no path put in (returns: /bin/sh: rkhunter: No
such file or directory)
What does this show:
which rkhunter
ls -l $(which rkhunter)
Best regards!
Helmut
Hello, Duane,
You wrote on 25.05.10:
bash -x rkhunter --propupd 2>/tmp/rkh.log
+ get_installdir_option
++ get_option 1 single INSTALLDIR
++ OPTTYPE=1
++ OPTMULTI=single
++ OPTV=INSTALLDIR
+++ grep -h '^INSTALLDIR=' /usr/local/etc/rkhunter.conf
++ '[' -z '' ']'
++ echo ''
++
Hello, Duane,
You wrote on 25.05.10:
./installer.sh --remove
./installer.sh --install
The re-install worked! I have done --propupd and --update and run
the first scan after making some mods in the rkhunter.conf file.
Fine!
I am pretty sure I have a trojan or resident
Hello, Duane,
You wrote on 25.05.10:
I am pretty sure I have a trojan or resident spoofer in there,
Why?
I have 5 domains on the server. One of the domains (which is a
mirror of another domain that runs about 250 Meg / month) is running
5 times higher (1.2 Gig so far this month) in
Hello, Duane,
You wrote on 26.05.10:
OK .. time for another dumb question. I seem to have several
rkhunter.conf files in different locations. What one is the one I
use?
First:
which rkhunter
shows, which version of rkhunter is used.
locate bin/rkhunter
or
Hello, Duane,
You wrote on 24.05.10:
I tried to install rkhunter on my Redhat Fedora Core 6 virtual server
(GoDaddy). But what I get for email notification is:
That's a very ancient version, nearly 4 years old. Please try a newer
one, perhaps fedora 11 or 12.
Best regards!
Helmut
Hello, Mike,
You wrote on 25.05.10 on the subject Re: [Rkhunter-users] rkhunter/cron Red Hat Fedora Core 6 - ooops:
I tried to install rkhunter on my Redhat Fedora Core 6 virtual
server (GoDaddy). But what I get for email notification is:
That's a very ancient version, nearly 4 years old.
Hello, John,
You wrote on 25.05.10:
I've installed rkhunter on my virtual server (RedHat Fedora Core 6)
FC6 is very old, and unsupported you realise.
By the way - you (or some other instructed person) should update the
Tested on list on
Hello, John,
You wrote on 25.05.10:
By the way - you (or some other instructed person) should update the
Tested on list on
http://www.rootkit.nl/projects/rootkit_hunter.html
That is not the official RKH web site. (It is the old one, so not for
us to maintain.)
Is that now the
:
installing from the tarball (rkhunter-version.tar.gz)
or
installing a Fedora *.rpm
- do I need to uninstall first? If so how.
That depends ...
2. Have I been successful in eliminating HTML from this email?
Yes - delightful!
3. How do I reply and keep this in the thread. Helmut Hullen
Hello, Duane,
You wrote on 25.05.10:
I installed from the tarball (rkhunter-1.3.6.tar.gz)
Is this staying in the thread?
Splendid!
But for the error:
bash -x rkhunter --propupd 2>/tmp/rkh.log
And then look in /tmp/rkh.log for get_installdir_option (until
get_rootdir_option).
Hello, Tanstaafl,
You wrote on 19.05.10:
All you have to do is run RKH with the debug option. Something like:
rkhunter --debug --enable properties
This should create a file in the /tmp directory, it may be fairly
large. If you send me (not the list) both files, then I can take a
Hello, Tanstaafl,
You wrote on 19.05.10:
Ooops - now I need the 1.3.4 version, and can't find it on the
sourceforge site:
ftp://hullen.hopto.org/rkhunter-1.3.4-noarch-1cf.tgz
It's an ancient tarball.
I prefer to unwrap such a packet with the midnight commander, just
pressing the
Hello, Tanstaafl,
You wrote on 16.05.10:
[03:11:58] Checking for possible rootkit strings [ Warning ]
[03:11:58] Warning: Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[03:11:58] Found string 'hdparm' in file
Hello, John,
You wrote on 09.05.10:
RTKT_FILE_WHITELIST=/etc/init.d/RCS/boot.local.neu,v
# because of Xzibit
Why are you whitelisting this file? It is not checked for as a
rootkit file.
You can see the reason in the remark line: rkhunter guessed there
might be a xzibit virus. Together with
Hello,
rkhunter seems to have a problem with *,v files (which are typical
for rcs files):
rkhunter.conf:
RTKT_FILE_WHITELIST=/etc/init.d/RCS/boot.local.neu,v
# because of Xzibit
rkhunter.log:
Whitelisted rootkit file does not exist: /etc/init.d/RCS/boot.local.neu
Whitelisted rootkit file does
Hello, Sportsman,
You wrote on 01.05.10:
Warning: Network TCP port 47107 is being used by
/usr/local/apache/bin/httpd. Possible rootkit: T0rn
Use the 'lsof -i' or 'netstat -an' command to check this.
Have you tried these commands?
It's a good idea to look for the last clean
Hello, Sportsman,
You wrote on 02.05.10 on the subject RE: [Rkhunter-users] Possible Root Kit?:
Warning: Network TCP port 47107 is being used by
/usr/local/apache/bin/httpd. Possible rootkit: T0rn
Use the 'lsof -i' or 'netstat -an' command to check this.
Have you tried these
Hello, Call,
You wrote on 29.04.10:
Re RKHunter.
Did the scanning. Great. Interesting results worthy of further
investigation. Instruction - see log file. Go to open log file using
occasionally stupid Gedit, permission denied, must be root to view.
Tried with several better text
Hello, rkhunter-users,
I run a distribution which uses no /udev (it doesn't need hot plugging
detection etc.). It needs (for running on old machines) /dev/ida.
rkhunter detects this directory as possible rootkit - ok.
I can put a line
RTKIT_DIR_WHITELIST=/dev/ida
into /etc/rkhunter.conf,
Hello, Chris,
You wrote on 27.01.10:
or
chmod 744 /usr/bin/rkhunter
and that may not work - 755 is a better proposal.
Would 744 not be the same thing as o+x (in this case)?
No. 744 is rwxr--r--
chmod o+x changes this pattern to
rwxr--r-x
I prefer running rkhunter not only
Hello, Chris,
You wrote on 26.01.10:
The file seems to have the right permissions.
[r...@archlinux gumper]# ls -l /usr/bin/rkhunter
-rw-r--r-- 1 root root 425660 Jan 26 19:46 /usr/bin/rkhunter
Try setting the executable bit :)
chmod o+x /usr/bin/rkhunter
That should work
or
chmod
Hello, gumper,
You wrote on 26.01.10:
[r...@archlinux gumper]# rkhunter -c
bash: /usr/bin/rkhunter: Permission denied
The file seems to have the right permissions.
[r...@archlinux gumper]# ls -l /usr/bin/rkhunter
-rw-r--r-- 1 root root 425660 Jan 26 19:46 /usr/bin/rkhunter
Does
Hello, david,
You wrote on 07.11.09:
hello, I think that my computer is infected, I'm using Linux Mint
Checking /dev for suspicious file types [ Warning ]
No problem.
rkhunter -c -sk
Checking /dev for suspicious file types [ Warning ]
No problem.
Best regards!
Helmut
Hello, John,
You wrote on 08.10.09:
Does anyone use inetd (not Xinetd) whitelisting? If so, could you
please report if it works with Rootkit Hunter version 1.3.4?
Solaris users will generally need to use the inetd whitelisting
(unless they have no inetd services running). RKH wouldn't
Hello, unspawn,
You wrote on 07.10.09:
Does anyone use inetd (not Xinetd) whitelisting? If so, could you
please report if it works with Rootkit Hunter version 1.3.4?
Works. Since many versions, up to 1.3.4
Best regards!
Helmut
Hello,
could you please change the order of download programs in WEBCMDLIST or
the options of these programs?
The first program in the list is wget, and wget uses .netrc. And
therefore it reports (without other options for wget) the passwords in
.netrc on and on.
I've put wget behind lynx -
Hello,
I wrote on 13.01.09:
thank you, but where is the download?
You mean it isn't at
http://sourceforge.net/project/platformdownload.php?group_id=155034
[...]
There seems something wrong.
[...]
When I change --install to --show, the script tells
PREFIX: /tmp/rkhunter
Hello, Mark,
You (munguanaweza) wrote on 04.12.08:
quotes didn't come out as being very distinctive. To fix this I set
up a gmail account that allows me to send mail without regard to my
location around the world.
Thank you!
This is presented in the second attachment rkhunter warnings.
Hello, Mark,
You (munguanaweza) wrote on 02.12.08:
Hi,
-- quoting ---
Actually, the system looks pretty clean to me. The four files
/usr/bin/groups, /usr/bin/ldd, /sbin/chkconfig, and /sbin/ifup
are very slightly concerning. As I mentioned, they may simply
be scripts on your
Hello, Mix,
You (michitux) wrote on 28.07.08:
(Intel Core 2 2.3 GHz and 2 GB RAM with Ubuntu 8.04)
[23:08:20] /bin/kill [ Warning ]
[23:08:20] Warning: The file properties have changed:
[23:08:20] File: /bin/kill
[23:08:20] Current
Hello, Martin,
You (martin) wrote on 15.07.08:
This doesn't look good? Any ideas?
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... Enye LKM found
chkproc: Warning: Possible LKM Trojan installed
http://lists.debian.org/debian-user-german/2004/05/msg02024.html
Hello, Terry,
You (fastsnip-family1) wrote on 06.07.08:
I receive daily the following warnings from rkhunter, version 1.3.0
===
Date: Sun, 06 Jul 2008 14:05:10 -0400
Warning: Hidden directory found: /dev/.static
Warning: Hidden directory found: /dev/.udev
Warning:
Hello, Linda,
You (linda) wrote on 21.06.08:
Hi from a new member. I want to upgrade to the most recent version of
Rootkit Hunter (1.3.2) but can't determine how to get it onto my
server via PuTTY.
???
You have to install the downloaded package.
Best regards!
Helmut
Hello, unspawn,
You (unspawn) wrote on 13.06.08:
It means that the inetd superserver allows remote parties to send
ident queries to your machine on port TCP/113. This service is only
necessary if remote mail or IRC servers require it.
No - the ident service is helpful on a squid server
Hello, Eric,
You (mailinglists) wrote on 16.05.08:
Scanning for hidden files... [ Warning! ]
---
/etc/.pwd.lock
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---
Please inspect: /dev/.static (directory)
Hello, Dave,
You (rkhunter) wrote on 13.05.08:
[11:41:26] Warning: Hidden file found:
/usr/share/man/zh_CN/man1/..1.gz: gzip compressed data, from Unix,
max compression
Strange. I'd delete this file.
On our CentOS boxes I have to whitelist a similar file,
/usr/share/man/man1/..1.gz.
Hello, lists,
You (mr.astral) wrote on 12.05.08:
rkhunter gave me the following files as suspicious...
http://pastebin.ca/1012886
Are these files normal?
Look (in /etc/rkhunter.conf) for ALLOWDEVFILE.
Best regards!
Helmut
Hello, Boyd,
You (gerberb) wrote on 12.05.08:
[11:41:26] Checking for hidden files and directories [ Warning ]
[11:41:26] Warning: Hidden file found:
/usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix,
max compression
Maybe ok.
[11:41:26] Warning: Hidden file found:
Hello, Mark,
You (munguanaweza) wrote on 27.03.08:
I receive this warning after installation:
Checking if SSH root access is allowed [ Warning ]
I modify the /etc/ssh/sshd_config file to the following:
PermitRootLogin no
What does this show:
grep ^ALLOW_SSH_ROOT
Hello, Larry,
You (rkhunter) wrote on 28.12.07:
/var/lib/rkhunter/db/rkhunter.dat
There you should find an entry for less (among many other entries).
It should be a new file (produced by rkhunter --propupd).
/usr/local/rkhunter/lib/rkhunter/db/rkhunter.dat is where I found
mine, all of
Hello, Dogsbody,
You (dan) wrote on 28.12.07:
There you should find an entry for less (among many other entries).
It should be a new file (produced by rkhunter --propupd).
Yes, as Larry says, this file seems to get updated except for the
hashes for these three files, it's all very strange.
Hello, Johan,
You (johan.sundstrom) wrote on 03.12.07:
IP Address of attacker: xxx.yyy.zzz.zzz
Type of attack: URL Injection -- attempt to inject / load files onto
the server via PHP/CGI vulnerabilities
Sample log report including date and time stamp:
Request: onlinesurfnshop.com
Hello, John,
You (john.horne) wrote on 16.11.07:
rkhunter works well (at least I hope so ...). But it always tells
Warning: Found enabled xinetd service: /etc/xinetd.conf
To whitelist the above message add
'XINETD_ALLOWED_SVC=/etc/xinetd.conf' to your rkhunter.conf file.
Ok - it works.
Hello, Avalon,
You (third-chance) wrote on 23.10.07:
Can anyone give me a hint how to suppress the following messages:
/usr/bin/whatis [ Warning ]
Warning: The command '/usr/bin/whatis' has been replaced by a script:
/usr/bin/whatis: Bourne shell script text executable
Take
Hello, John,
You (john.horne) wrote on 23.10.07:
This seems to be different under FreeBSD too. Both settings
PermitRootLogin no and Protocol 2 are commented out in my
sshd_config, which is the default on FreeBSD. Root-Login is
definitely not permitted under FreeBSD out-of-the-box - until
Hello, Avalon,
You (third-chance) wrote on 23.10.07:
thank you, Helmut, for your fast reply. I must have been blind when i
was looking over the default config. I found the settings you
described and they worked well.
Don't mention it - I had searched for these errors some hours ago ...
This
Hello, John,
You (john.horne) wrote on 23.10.07:
But when RKH can find the actual value of PermitRootLogin: why
does it need an entry in /etc/rkhunter.conf?
To see if the value has been changed. If a hacker changes your
PermitRootLogin to 'yes' in sshd_config, then you will probably
want
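The check this thread is about, as an added shell example that is not rkhunter's own code: read the PermitRootLogin value that sshd will actually use (the first value outside any Match block wins, keywords are case-insensitive, and "Keyword=value" is accepted, as sshd_config(5) describes) and compare it with the value an administrator recorded, which is what the rkhunter.conf option grepped for above with ^ALLOW_SSH_ROOT is for. The function names and the EXPECTED argument are assumptions of this example; the configuration files used in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not rkhunter's code: resolve the PermitRootLogin value that
# sshd actually uses and compare it with the value an administrator expects.
# Function names and the expected-value argument are assumptions of this example.

# sshd_permit_root_login CONFIG
# Prints the effective global PermitRootLogin value in lower case, or "unset"
# if the file does not set it. Mirrors sshd_config(5): the first value seen
# wins, keywords are case-insensitive, "Keyword=value" is accepted, and
# anything after a Match line is conditional and therefore not global.
# (Include directives are not followed; that is a simplification here.)
sshd_permit_root_login() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            line = $0; sub(/=/, " ", line)       # "PermitRootLogin=no" -> "PermitRootLogin no"
            split(line, f)
            key = tolower(f[1])
        }
        key == "match" { exit }                  # later settings apply only to matching sessions
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_ssh_root CONFIG EXPECTED
# Returns 0 and prints OK when the effective value equals EXPECTED (compared
# case-insensitively); otherwise prints a warning in rkhunter's style and returns 1.
check_ssh_root() {
    actual=$(sshd_permit_root_login "$1")
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK: PermitRootLogin is '$actual' as configured"
        return 0
    fi
    echo "Warning: The SSH configuration option 'PermitRootLogin' is '$actual', but '$expected' was expected"
    return 1
}

# Usage on a real host:
#   check_ssh_root /etc/ssh/sshd_config no
```

Two things worth noticing when reading a result: "unset" means sshd's compiled-in default applies, and that default has changed across OpenSSH releases (it was "yes" before OpenSSH 7.0 and "prohibit-password" since), so a commented-out line is not the same statement on every system, which is exactly the FreeBSD observation made earlier in this thread; and a PermitRootLogin inside a Match block does not count as the global setting, so an attacker who appends "Match ... PermitRootLogin yes" changes behaviour for those sessions without touching the line an administrator usually looks at.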
Hello, Börje,
You (kaboki) wrote on 22.10.07:
Got this while scanning with rkhunter, and was wondering what it
means?
[06:25:39] WARNING, found: /dev/.static (directory) /dev/.udev
(directory) /dev/.initramfs (directory)
That's simple: look into /etc/rkhunter.conf, search for