LinuxQuestions.org, Linux - Security forum
Old 02-05-2008, 09:17 PM   #1
M$ISBS
Member
Registered: Aug 2003
Posts: 818
RKhunter question, Getting warnings for some directories.


Just ran rkhunter and I get a warning message for these directories...

/bin/groups
/usr/bin/ldd
/usr/bin/whatis
/usr/sbin/adduser

I also get a warning when checking for hidden files and directories.

Is any of this anything to worry about?

Thanks.
 
Old 02-05-2008, 09:49 PM   #2
bigrigdriver
LQ Addict
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian Squeeze
Posts: 5,743
From the information you have given, it's difficult to say if you should worry about it.

Can you be more specific: What are the warning messages?
 
Old 02-05-2008, 10:38 PM   #3
Matir
Moderator
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507
Those files could definitely be used as part of a rootkit (if modified).
 
Old 02-06-2008, 05:21 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 26,986
Quote:
Originally Posted by M$ISBS
Just ran rkhunter

Which version?


Quote:
Originally Posted by M$ISBS
I get a warning message for these directories...

No, those are files. Let me guess, the warning is about the binary being replaced by a script. Please read the FAQ in your docs directory and see the whitelisting options in your rkhunter.conf.


Quote:
Originally Posted by M$ISBS
I also get a warning when checking for hidden files and directories.

No exact log lines, no advice.
 
Old 02-06-2008, 10:44 PM   #5
M$ISBS
Member
Registered: Aug 2003
Posts: 818
Original Poster
rkhunter version 1.3.0


The warning is just that, the word warning next to a directory or file while rkhunter runs.

/usr/sbin/adduser [ Warning ]
/usr/bin/whatis [ Warning ]
/usr/bin/ldd [ Warning ]
/bin/groups [ Warning ]

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable

Checking for hidden files and directories [ Warning ]
Warning: Hidden directory found: /dev/.udev
 
Old 02-27-2008, 08:19 PM   #6
Hegemon
Member
Registered: Jan 2002
Location: Australia
Distribution: Gentoo
Posts: 103
Check the file /var/log/rkhunter.log and paste the warnings here if they're odd.

Also check the files themselves; if they're script files you can examine the code. Paste one here if you don't understand it; they might just be simple wrapper scripts.

I have some warnings on hidden files on my system, but these are normal:
[13:14:27] Warning: Hidden directory found: /etc/.java
[13:14:27] Warning: Hidden directory found: /dev/.static
[13:14:27] Warning: Hidden directory found: /dev/.udev
[13:14:27] Warning: Hidden directory found: /dev/.initramfs
 
Old 02-28-2008, 06:36 AM   #7
unSpawn
Moderator
Registered: May 2001
Posts: 26,986
Quote:
Originally Posted by Hegemon
Check the file /var/log/rkhunter.log and paste the warnings here if they're odd. Also check the files themselves; if they're script files you can examine the code. Paste one here if you don't understand it; they might just be simple wrapper scripts.

I already told him what to do, and if he could read the docs that come with the product or the mailing list archives he would know how to handle it.



Quote:
Originally Posted by Hegemon
I have some warnings on hidden files on my system, but these are normal:
[13:14:27] Warning: Hidden directory found: /etc/.java
[13:14:27] Warning: Hidden directory found: /dev/.static
[13:14:27] Warning: Hidden directory found: /dev/.udev
[13:14:27] Warning: Hidden directory found: /dev/.initramfs

Again, this too is something you can verify and then whitelist in rkhunter.conf.


BTW, not to plug stuff, but RKH 1.3.2 was released yesterday. Come 'n get it!
 
Old 03-01-2008, 03:49 PM   #8
ceedub
LQ Newbie
Registered: Mar 2008
Posts: 1
I got the same warnings as Hegemon on my Ubuntu setup, but I also got this one:
Warning: Hidden file found: /dev/.tmp-2-0: block special (2/0)

The file (.tmp-2-0) is 0kb and is of type "x-special/device-block". Does anyone know what this is or if I should worry?
 
Old 03-05-2008, 01:38 AM   #9
unSpawn
Moderator
Registered: May 2001
Posts: 26,986
There are a few ways to determine if a file has a malicious nature or purpose. The FAQ that comes with the product goes into details in section 3.1 "Rootkit Hunter tells me there is something wrong with my system. What do I do?". Please read that part, try to determine what package and then ask.
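Added example, not posted by anyone in this thread and not part of rkhunter itself: a small POSIX sh helper that does what unSpawn, Hegemon and the FAQ keep pointing at. It pulls the flagged paths out of the "replaced by a script" and "Hidden directory/file found" lines quoted in posts #5, #6 and #8, inspects a path the way Hegemon suggests (file type, owning package, checksum against the package's own md5sums list, first lines of the script), and only then prints the rkhunter.conf entries to whitelist it. It assumes the rkhunter 1.3.x log wording shown above and the rkhunter.conf options SCRIPTWHITELIST, ALLOWHIDDENDIR and ALLOWHIDDENFILE; dpkg or rpm is used only if present. The sample log below is constructed from the thread's quoted lines.

```shell
#!/bin/sh
# Triage helper for the two rkhunter findings discussed in this thread:
#   "The command '<path>' has been replaced by a script"
#   "Hidden directory found: ..." / "Hidden file found: ..."
# Added example, not the thread's or rkhunter's own code. Assumes rkhunter 1.3.x
# log wording and the rkhunter.conf options SCRIPTWHITELIST, ALLOWHIDDENDIR and
# ALLOWHIDDENFILE. Package checks run only if dpkg or rpm is installed.

# Constructed sample built from the warning lines quoted in posts #5, #6 and #8.
SAMPLE_LOG=$(cat <<'EOF'
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable
[13:14:27] Warning: Hidden directory found: /etc/.java
[13:14:27] Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.tmp-2-0: block special (2/0)
EOF
)

# Paths rkhunter flagged as binaries replaced by scripts, one per line.
# The leading ".*" tolerates the "[HH:MM:SS] " prefix used in rkhunter.log.
replaced_paths() {
    printf '%s\n' "$1" |
        sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script.*$/\1/p"
}

# Hidden objects, prefixed with D (directory) or F (file). The file form drops
# the trailing ": <file type>" that rkhunter appends after the path.
hidden_paths() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^.*Warning: Hidden directory found: \(.*\)$/D \1/p' \
        -e 's/^.*Warning: Hidden file found: \([^:]*\).*$/F \1/p'
}

# rkhunter.conf lines that silence each finding. Add a line only after the
# object has been verified with inspect_path, never just to get a clean report.
whitelist_lines() {
    replaced_paths "$1" | sed 's/^/SCRIPTWHITELIST=/'
    hidden_paths "$1" | sed -e 's/^D /ALLOWHIDDENDIR=/' -e 's/^F /ALLOWHIDDENFILE=/'
}

# Manual verification of one flagged path on the live system: what it is,
# which package owns it, and whether its checksum still matches the package.
inspect_path() {
    p=$1
    printf '== %s\n' "$p"
    if [ ! -e "$p" ]; then
        printf '   missing (already removed, or the path is a typo)\n'
        return 0
    fi
    ls -ld "$p"
    file "$p"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$p" 2>/dev/null | head -n 1 | sed 's/: .*//')
        if [ -z "$pkg" ]; then
            printf '   not owned by any package: read it before whitelisting\n'
            return 0
        fi
        printf '   owned by %s\n' "$pkg"
        # dpkg records "<md5>  <path without leading slash>" per installed file.
        want=$(grep "  ${p#/}\$" "/var/lib/dpkg/info/$pkg.md5sums" 2>/dev/null | cut -d' ' -f1)
        have=$(md5sum "$p" | cut -d' ' -f1)
        if [ -n "$want" ] && [ "$want" = "$have" ]; then
            printf '   md5 matches the package list: packaged file, safe to whitelist\n'
        else
            printf '   md5 does NOT match the package list: treat as suspicious\n'
        fi
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$p" && rpm -V "$(rpm -qf "$p")"
    fi
    # For a script, read it: a packaged wrapper is usually a few lines of plain sh.
    case $(file -b "$p") in
        *"shell script"*) head -n 20 "$p" ;;
    esac
}

# No arguments: print whitelist lines for the sample log.
# With arguments: inspect those paths on this machine.
if [ $# -eq 0 ]; then
    whitelist_lines "$SAMPLE_LOG"
else
    for p in "$@"; do inspect_path "$p"; done
fi
```

Run it with no arguments to see the whitelist lines the sample would produce, or with paths (for example `sh rkh-triage.sh /usr/bin/ldd /dev/.udev`) to inspect them on your own box. The checksum step is the point the thread keeps returning to: a wrapper script that is owned by a package and still matches that package's md5sums list is a false positive you can whitelist, while a script nobody's package owns, or whose checksum has drifted, is exactly what this rkhunter test exists to catch.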
 
  

