LinuxQuestions.org > Linux - Security
Thread: RKhunter question, Getting warnings for some directories. (http://www.linuxquestions.org/questions/linux-security-4/rkhunter-question-getting-warnings-for-some-directories-618962/)

M$ISBS 02-05-2008 09:17 PM

RKhunter question, Getting warnings for some directories.
 
Just ran rkhunter and I get a warning message for these directories...

/bin/groups
/usr/bin/ldd
/usr/bin/whatis
/usr/sbin/adduser

I also get a warning when checking for hidden files and directories.

Is any of this anything to worry about?

Thanks.

bigrigdriver 02-05-2008 09:49 PM

From the information you have given, it's difficult to say if you should worry about it.

Can you be more specific: What are the warning messages?

Matir 02-05-2008 10:38 PM

Those files could definitely be used as part of a rootkit (if modified).

unSpawn 02-06-2008 05:21 AM

Quote:

Originally Posted by M$ISBS (Post 3047407)
Just ran rkhunter

Which version?


Quote:

Originally Posted by M$ISBS (Post 3047407)
I get a warning message for these directories...

No, those are files. Let me guess, the warning is about the binary being replaced by a script. Please read the FAQ in your docs directory and see the whitelisting options in your rkhunter.conf.


Quote:

Originally Posted by M$ISBS (Post 3047407)
I also get a warning when checking for hidden files and directories.

No exact log lines, no advice.

M$ISBS 02-06-2008 10:44 PM

rkhunter version 1.3.0


The warning is just that, the word warning next to a directory or file while rkhunter runs.

/usr/sbin/adduser [ Warning ]
/usr/bin/whatis [ Warning ]
/usr/bin/ldd [ Warning ]
/bin/groups [ Warning ]

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable

Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable

Checking for hidden files and directories [ Warning ]
Warning: Hidden directory found: /dev/.udev

Hegemon 02-27-2008 08:19 PM

Check the file /var/log/rkhunter.log and paste the warnings here if they're odd.

Also check the files themselves; if they're script files you can examine the code. Paste one here if you don't understand it; they might just be simple wrapper scripts.

I have some warnings on hidden files on my system, but these are normal:
[13:14:27] Warning: Hidden directory found: /etc/.java
[13:14:27] Warning: Hidden directory found: /dev/.static
[13:14:27] Warning: Hidden directory found: /dev/.udev
[13:14:27] Warning: Hidden directory found: /dev/.initramfs

unSpawn 02-28-2008 06:36 AM

Quote:

Originally Posted by Hegemon (Post 3072092)
Check the file /var/log/rkhunter.log and paste the warnings here if they're odd. Also check the files themselves; if they're script files you can examine the code. Paste one here if you don't understand it; they might just be simple wrapper scripts.

I already told him what to do and if he could read the docs that come with the product or the mailing list archives he could know how to handle it.



Quote:

Originally Posted by Hegemon (Post 3072092)
I have some warnings on hidden files on my system, but these are normal:
[13:14:27] Warning: Hidden directory found: /etc/.java
[13:14:27] Warning: Hidden directory found: /dev/.static
[13:14:27] Warning: Hidden directory found: /dev/.udev
[13:14:27] Warning: Hidden directory found: /dev/.initramfs

Again this too is something you can verify and then whitelist in rkhunter.conf.


BTW, not to plug stuff, but RKH 1.3.2 was released yesterday. Come 'n get it!

ceedub 03-01-2008 03:49 PM

I got the same warnings as Hegemon on my Ubuntu setup, but I also got this one:
Warning: Hidden file found: /dev/.tmp-2-0: block special (2/0)

The file (.tmp-2-0) is 0kb and is of type "x-special/device-block". Does anyone know what this is or if I should worry?

unSpawn 03-05-2008 01:38 AM

There are a few ways to determine if a file has a malicious nature or purpose. The FAQ that comes with the product goes into details in section 3.1 "Rootkit Hunter tells me there is something wrong with my system. What do I do?". Please read that part, try to determine what package and then ask.
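The procedure the thread converges on (read the warning, check what the flagged file actually is and which package put it there, and only then whitelist it in rkhunter.conf) can be scripted. The script below is an added example for this thread, not code from the posters or from the rkhunter project. It parses the warning lines quoted above into (kind, path) pairs, classifies each path by its leading bytes rather than its name, asks dpkg/debsums or rpm whether the file still matches the package's recorded checksum, and prints a SCRIPTWHITELIST, ALLOWHIDDENDIR or ALLOWHIDDENFILE line only when that check passes. Assumptions: those three directive names are the ones in the rkhunter.conf shipped with 1.3.x (check your installed copy), the sample log lines are constructed from the thread's own output, and hidden entries under /dev are left marked for manual review because no package owns runtime-created directories like /dev/.udev.

```shell
#!/bin/sh
# Added example, not from the thread or from the rkhunter project: triage
# rkhunter "replaced by a script" and "hidden file/directory" warnings and
# print a whitelist line only for entries the package manager can vouch for.
# Assumed: rkhunter.conf directives SCRIPTWHITELIST, ALLOWHIDDENDIR and
# ALLOWHIDDENFILE (as in the 1.3.x sample config); dpkg/debsums or rpm are
# optional, and without them every entry is marked for manual review.

# Turn rkhunter output or log lines (stdin) into "kind path" pairs.
# kind is one of: script, hiddendir, hiddenfile. Other lines are dropped.
parse_warnings() {
    sed -n \
        -e "s/.*Warning: The command '\([^']*\)' has been replaced by a script.*/script \1/p" \
        -e 's/.*Warning: Hidden directory found: \([^: ]*\).*/hiddendir \1/p' \
        -e 's/.*Warning: Hidden file found: \([^: ]*\).*/hiddenfile \1/p'
}

# Classify a path by what it actually contains, not by its name or mode:
# missing, directory, special (device/socket/fifo), script ("#!" header),
# elf (7f 45 4c 46 magic) or other.
classify_file() {
    p=$1
    if [ ! -e "$p" ]; then echo missing; return 0; fi
    if [ -d "$p" ]; then echo directory; return 0; fi
    if [ ! -f "$p" ]; then echo special; return 0; fi
    if [ "$(head -c 2 "$p" 2>/dev/null)" = '#!' ]; then
        echo script
    elif [ "$(head -c 4 "$p" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = '7f454c46' ]; then
        echo elf
    else
        echo other
    fi
}

# Print the package that owns a file (empty if none, or no package manager).
package_owner() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | sed 's/: .*//' | head -n 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null | head -n 1
    fi
    return 0
}

# Return 0 only when the package manager confirms the file matches the
# package's recorded checksum; 1 otherwise (modified, unpackaged, no tooling).
package_verify() {
    f=$1
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$f" >/dev/null 2>&1; then
        # rpm -V lists only files that differ from the package database
        if rpm -V "$(rpm -qf "$f")" 2>/dev/null | grep -q " $f\$"; then return 1; fi
        return 0
    fi
    if command -v debsums >/dev/null 2>&1; then
        pkg=$(package_owner "$f")
        [ -n "$pkg" ] || return 1
        # debsums -c prints only changed files, so no line for $f means OK
        if debsums -c "$pkg" 2>/dev/null | grep -qx "$f"; then return 1; fi
        return 0
    fi
    return 1
}

# The rkhunter.conf line that silences a warning of the given kind.
whitelist_line() {
    case $1 in
        script)     echo "SCRIPTWHITELIST=$2" ;;
        hiddendir)  echo "ALLOWHIDDENDIR=$2" ;;
        hiddenfile) echo "ALLOWHIDDENFILE=$2" ;;
        *)          return 1 ;;
    esac
}

# Usage: sh rkh-triage.sh /var/log/rkhunter.log
# One line per warning: kind, path, detected content, owning package, verdict.
triage_log() {
    parse_warnings < "$1" | while read -r kind path; do
        content=$(classify_file "$path")
        owner=$(package_owner "$path")
        owner=${owner:-unpackaged}
        if [ "$kind" = script ]; then
            if [ "$content" = script ] && [ "$owner" != unpackaged ] && package_verify "$path"; then
                echo "$kind $path $content $owner OK -> $(whitelist_line "$kind" "$path")"
            else
                # unpackaged, modified, or not a script any more: read it first
                echo "$kind $path $content $owner REVIEW (read '$path', compare with the package copy)"
            fi
        else
            # runtime-created entries (udev, initramfs) have no owning package;
            # confirm what creates them before adding the line
            echo "$kind $path $content $owner REVIEW -> $(whitelist_line "$kind" "$path") once explained"
        fi
    done
}

if [ $# -ge 1 ]; then
    triage_log "$1"
fi
```

Run it as root against the log (`sh rkh-triage.sh /var/log/rkhunter.log`) or against a saved run of `rkhunter -c`. The "OK" verdict relies on the package database, so it is only as trustworthy as that database: on a box you already suspect, compare against a clean copy of the package from the distribution mirror instead, as the FAQ section unSpawn points to describes.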
