LinuxQuestions.org

Linux - Security: rkhunter result (https://www.linuxquestions.org/questions/linux-security-4/rkhunter-result-874054/)

Pedroski 04-09-2011 06:55 PM

rkhunter result
 
Hi! I run Fedora 14. I thought I would run rkhunter, just to see if the Chinese Govt. had hacked my computer. God knows why they would, but they are paranoid, and I do live here in China!

I got a few warnings. Should I be worried?

I got lots of these, for almost every command I think:

[07:34:59] /bin/su [ Warning ]
[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/su
[07:35:00] Current hash: 0ef03993fbc86eeee3626c74587275bb1a886733
[07:35:00] Stored hash : d6348ab78d7592f0521d3e687f3116c1d232f9ae4004003105d16d5551421f9f
[07:35:00] Current permissions: 4755 Stored permissions: 04755
[07:35:00] /bin/touch [ Warning ]
[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/touch
[07:35:00] Current hash: 602086addb4b2a8ef3ced951aab154d5c0bf553a
[07:35:00] Stored hash : db8d21dab0bc45fd7102a0d2efade7409887b9ebb24cce94627d313793125a09
[07:35:00] Current size: 50644 Stored size: 49052
[07:35:00] /bin/uname [ Warning ]

This is about SSH

[07:37:32] Checking if SSH root access is allowed [ Warning ]
[07:37:32] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[07:37:32] Checking if SSH protocol v1 is allowed [ Warning ]
[07:37:32] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.

Then I got these 'suspicious files':

[07:37:33] Info: SCAN_MODE_DEV set to 'THOROUGH'
[07:37:34] Checking /dev for suspicious file types [ Warning ]
[07:37:34] Warning: Suspicious file types found in /dev:
[07:37:34] /dev/shm/pulse-shm-963768747: data
[07:37:34] /dev/shm/pulse-shm-1163883879: data
[07:37:34] /dev/shm/pulse-shm-2868160985: data
[07:37:34] /dev/shm/mono-shared-500-shared_fileshare-fangshan-Linux-i686-36-12-0: data
[07:37:34] /dev/shm/mono-shared-500-shared_data-fangshan-Linux-i686-312-12-0: data
[07:37:34] /dev/shm/mono.1945: data
[07:37:34] /dev/shm/pulse-shm-1594613402: data
[07:37:34] /dev/shm/pulse-shm-2213329014: data
[07:37:34] /dev/shm/pulse-shm-4243797310: data
[07:37:34] /dev/shm/pulse-shm-1850792680: data
[07:37:35] Checking for hidden files and directories [ Warning ]
[07:37:35] Warning: Hidden directory found: /etc/.java
[07:37:35] Warning: Hidden directory found: /dev/.mdadm
[07:37:36] Warning: Hidden directory found: /dev/.udev
[07:37:36] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[07:37:36] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[07:37:36] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[07:37:36] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[07:37:36] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

Is any of this serious???
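The two SSH warnings above only say that PermitRootLogin and Protocol are absent from sshd_config, so whatever default this build of sshd compiled in is what applies. The checker below is an added example, not part of the thread: it parses the global section of an sshd_config the way sshd does (keywords case-insensitive, the first occurrence of a keyword wins, everything after a Match line is conditional) and reports each directive as set to a safe value, set to a weak one, or unset. The two sample configs are constructed; the "stock" one reproduces the situation rkhunter flagged, the hardened one is the fix.

```python
"""Report the effective state of PermitRootLogin and Protocol in an sshd_config.

Added example, not from the original post.  Only the global section counts:
sshd honours the FIRST occurrence of a keyword, treats keywords as
case-insensitive, and applies anything after a 'Match' line conditionally.
"""
import re

# Values accepted as safe.  'prohibit-password' is the newer spelling of
# 'without-password' (key-only root login).  'yes' and '2,1' are the weak ones.
SAFE_VALUES = {
    "permitrootlogin": {"no", "without-password", "prohibit-password", "forced-commands-only"},
    "protocol": {"2"},
}

# 'Keyword value' or 'Keyword = value'
DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_global_section(text):
    """Return {keyword_lower: value} for the global part of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                             # rest of the file is conditional
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def check_sshd_config(text):
    """Return {directive: (state, value)} with state 'ok', 'weak' or 'unset'.
    'unset' is exactly what rkhunter flags: the compiled-in default applies."""
    settings = parse_global_section(text)
    report = {}
    for key, safe in SAFE_VALUES.items():
        if key not in settings:
            report[key] = ("unset", None)
            continue
        value = settings[key]
        # Protocol may be a list such as '2,1'; every member must be acceptable.
        members = {v.strip().lower() for v in value.split(",")}
        report[key] = ("ok" if members <= safe else "weak", value)
    return report


# Constructed sample resembling a stock file: both directives commented out,
# which is the state the rkhunter warnings above describe.
WEAK_CONFIG = """\
Port 22
#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened sample: explicit values, plus a Match block whose
# PermitRootLogin must not be mistaken for the global setting.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin yes   # only for that subnet; ignored by the global check
"""

if __name__ == "__main__":
    for name, cfg in (("stock", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_sshd_config(cfg))
```

Once sshd_config carries `PermitRootLogin no` and `Protocol 2`, tell rkhunter to expect those values with `ALLOW_SSH_ROOT_USER=no` and `ALLOW_SSH_PROT_V1=0` in rkhunter.conf; otherwise the next scan warns again.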

aus9 04-10-2011 01:14 AM

hi

1)

"I got a few warnings. Should I be worried? I got lots of these, for almost every command I think:"

Sounds like you have done some system updates. You should be able to verify, using your package manager, what packages have been upgraded.

HINT: running RKH immediately after a system upgrade helps the memory.

I am on Debian so I use slightly different tools, but check

Code:

man rpm or man yum
on how to query a command to find its package name and then check that you upgraded that package.

2) There are numerous mentions in the FAQ or README on how to handle hidden files or folders or directories.

It's up to you to investigate them; you can whitelist those you confirm are distro-specific (meaning false positives), and join the mailing list and post any you believe are possible hits.

e.g.

http://rkhunter.cvs.sourceforge.net/...AQ?view=markup

section 4.4 and section 6

3) Generally speaking, if you are a local user or a sysadmin you are better off not allowing SSH root access, but logging in as a local user and then running su or sudo su to get root.

Therefore I suggest you modify your /etc/rkhunter.conf to show

ALLOW_SSH_ROOT_USER=no

While there, check you have rpm enabled as per

PKGMGR=RPM

a) There is nothing stopping you from encrypting your home folder and hardening your system if you suspect your govt of intrusive behaviour.
b) Run rkhunter --propupd as root to update your changes.
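A triage helper for the procedure in this reply (query the package manager for each flagged file, whitelist what is confirmed distro-specific, then --propupd), written here as an added example and not code from either post or from the rkhunter project. Two details in the posted output are worth separating from any real change before running anything: every "Current hash" is 40 hex digits (SHA-1 length) while every "Stored hash" is 64 (SHA-256 length), so the baseline was recorded with a different hash function and the two digests could never match whatever the file contents; and 4755 versus 04755 is the same mode written with and without a leading zero. A changed size, by contrast, is a real difference that rpm has to answer for. The script parses the timestamped log lines, labels each difference that way, prints the rpm commands to run, and drafts rkhunter.conf entries (ALLOWHIDDENDIR, ALLOWHIDDENFILE, ALLOWDEVFILE; the /dev/shm segment names carry per-session numbers, so those become wildcards, which ALLOWDEVFILE accepts). The sample log is constructed from the lines in the question; the triage rules are the script's own, and the whitelist entries are only candidates until `rpm -qf` confirms each path belongs to a package.

```python
"""Triage rkhunter 'file properties have changed' warnings and draft whitelist
entries for the hidden-file and /dev findings.

Added example, not code from the original posts or from the rkhunter project.
SAMPLE_LOG is constructed from the lines in the question.  The rkhunter.conf
keywords and the rpm commands are real; the triage rules are this script's own.
"""
import re

# A digest's hex length identifies the hash function that produced it.
HASH_FUNC_BY_LEN = {32: "MD5", 40: "SHA-1", 56: "SHA-224", 64: "SHA-256",
                    96: "SHA-384", 128: "SHA-512"}

PATTERNS = [
    ("file",        re.compile(r"^File:\s+(\S+)$")),
    ("hash_cur",    re.compile(r"^Current hash:\s+([0-9a-fA-F]+)$")),
    ("hash_stored", re.compile(r"^Stored hash\s*:\s+([0-9a-fA-F]+)$")),
    ("perm",        re.compile(r"^Current permissions:\s+(\d+)\s+Stored permissions:\s+(\d+)$")),
    ("size",        re.compile(r"^Current size:\s+(\d+)\s+Stored size:\s+(\d+)$")),
    ("hidden_dir",  re.compile(r"^Warning: Hidden directory found:\s+(\S+)$")),
    ("hidden_file", re.compile(r"^Warning: Hidden file found:\s+(\S+):\s")),
    ("devfile",     re.compile(r"^(/dev/\S+):\s")),
]

# /dev/shm segment names carry per-session numbers; whitelist them as globs.
DEV_GLOBS = [
    (re.compile(r"^/dev/shm/pulse-shm-\d+$"), "/dev/shm/pulse-shm-*"),
    (re.compile(r"^/dev/shm/mono\.\d+$"),     "/dev/shm/mono.*"),
]

SAMPLE_LOG = """\
[07:34:59] /bin/su [ Warning ]
[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/su
[07:35:00] Current hash: 0ef03993fbc86eeee3626c74587275bb1a886733
[07:35:00] Stored hash : d6348ab78d7592f0521d3e687f3116c1d232f9ae4004003105d16d5551421f9f
[07:35:00] Current permissions: 4755 Stored permissions: 04755
[07:35:00] File: /bin/touch
[07:35:00] Current hash: 602086addb4b2a8ef3ced951aab154d5c0bf553a
[07:35:00] Stored hash : db8d21dab0bc45fd7102a0d2efade7409887b9ebb24cce94627d313793125a09
[07:35:00] Current size: 50644 Stored size: 49052
[07:37:34] /dev/shm/pulse-shm-963768747: data
[07:37:34] /dev/shm/mono.1945: data
[07:37:36] Warning: Hidden directory found: /dev/.udev
[07:37:36] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
"""


def parse_log(log):
    """Split the log into per-file property records plus hidden and /dev findings."""
    files, hidden, devfiles, current = {}, {"hidden_dir": [], "hidden_file": []}, [], None
    for raw in log.splitlines():
        msg = re.sub(r"^\[\d\d:\d\d:\d\d\]\s*", "", raw).strip()   # drop timestamp
        for kind, pat in PATTERNS:
            m = pat.match(msg)
            if not m:
                continue
            if kind == "file":
                current = files.setdefault(m.group(1), {})
            elif kind in hidden:
                hidden[kind].append(m.group(1))
            elif kind == "devfile":
                devfiles.append(m.group(1))
            elif current is not None:        # property lines belong to the last File:
                current[kind] = m.group(1) if kind.startswith("hash") else m.groups()
            break
    return files, hidden, devfiles


def classify(props):
    """(kind, detail) findings for one file.  Differences that cannot reflect a
    content change are labelled as such; the rest need a package-database check."""
    out = []
    cur, stored = props.get("hash_cur", ""), props.get("hash_stored", "")
    if cur and stored:
        fc, fs = HASH_FUNC_BY_LEN.get(len(cur), "?"), HASH_FUNC_BY_LEN.get(len(stored), "?")
        if fc != fs:
            out.append(("hash-func-mismatch", f"current is {fc}, stored is {fs}: not comparable"))
        elif cur.lower() != stored.lower():
            out.append(("hash-changed", f"{fc} digest differs"))
    if "perm" in props:
        pc, ps = props["perm"]
        same = int(pc, 8) == int(ps, 8)          # 4755 and 04755 are the same mode
        out.append(("perm-format-only" if same else "perm-changed", f"{ps} -> {pc}"))
    if "size" in props:
        sc, ss = props["size"]
        out.append(("size-changed", f"{ss} -> {sc} bytes"))
    return out


def rpm_verify_commands(path):
    """Find the owning package and verify the file against the rpm database."""
    return [f"rpm -qf {path}", f"rpm -Vf {path}", f"rpm -q --last $(rpm -qf {path})"]


def whitelist_lines(hidden, devfiles):
    """Candidate rkhunter.conf entries; apply only after each path is confirmed benign."""
    lines = {f"ALLOWHIDDENDIR={p}" for p in hidden["hidden_dir"]}
    lines |= {f"ALLOWHIDDENFILE={p}" for p in hidden["hidden_file"]}
    for p in devfiles:
        lines.add("ALLOWDEVFILE=" + next((g for pat, g in DEV_GLOBS if pat.match(p)), p))
    return sorted(lines)


def triage(log):
    files, hidden, devfiles = parse_log(log)
    return {path: classify(props) for path, props in files.items()}, whitelist_lines(hidden, devfiles)


if __name__ == "__main__":
    findings, conf = triage(SAMPLE_LOG)
    for path, items in findings.items():
        print(path, *[f"\n  {k}: {d}" for k, d in items], *[f"\n  $ {c}" for c in rpm_verify_commands(path)])
    print("\n# candidate rkhunter.conf entries, only after confirming each is benign:\n" + "\n".join(conf))
```

If `rpm -Vf` is silent for a file, its content, mode and size match the package database and the rkhunter warning is baseline drift, which `rkhunter --propupd` (run as root, as the reply says) clears. A `5` or `S` in rpm's output for a file that no package update explains is the case to treat as a possible hit.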

