Old 04-09-2011, 06:55 PM   #1
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 14.04
Posts: 1,348

Rep: Reputation: 42
rkhunter result


Hi! I run Fedora 14. I thought I would run rkhunter, just to see if the Chinese Govt. had hacked my computer. God knows why they would, but they are paranoid, and I do live here in China!

I got a few warnings. Should I be worried?

I got lots of these, for almost every command I think:

[07:34:59] /bin/su [ Warning ]
[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/su
[07:35:00] Current hash: 0ef03993fbc86eeee3626c74587275bb1a886733
[07:35:00] Stored hash : d6348ab78d7592f0521d3e687f3116c1d232f9ae4004003105d16d5551421f9f
[07:35:00] Current permissions: 4755 Stored permissions: 04755
[07:35:00] /bin/touch [ Warning ]
[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/touch
[07:35:00] Current hash: 602086addb4b2a8ef3ced951aab154d5c0bf553a
[07:35:00] Stored hash : db8d21dab0bc45fd7102a0d2efade7409887b9ebb24cce94627d313793125a09
[07:35:00] Current size: 50644 Stored size: 49052
[07:35:00] /bin/uname [ Warning ]

This is about SSH

[07:37:32] Checking if SSH root access is allowed [ Warning ]
[07:37:32] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[07:37:32] Checking if SSH protocol v1 is allowed [ Warning ]
[07:37:32] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.

Then I got these 'suspicious files':

[07:37:33] Info: SCAN_MODE_DEV set to 'THOROUGH'
[07:37:34] Checking /dev for suspicious file types [ Warning ]
[07:37:34] Warning: Suspicious file types found in /dev:
[07:37:34] /dev/shm/pulse-shm-963768747: data
[07:37:34] /dev/shm/pulse-shm-1163883879: data
[07:37:34] /dev/shm/pulse-shm-2868160985: data
[07:37:34] /dev/shm/mono-shared-500-shared_fileshare-fangshan-Linux-i686-36-12-0: data
[07:37:34] /dev/shm/mono-shared-500-shared_data-fangshan-Linux-i686-312-12-0: data
[07:37:34] /dev/shm/mono.1945: data
[07:37:34] /dev/shm/pulse-shm-1594613402: data
[07:37:34] /dev/shm/pulse-shm-2213329014: data
[07:37:34] /dev/shm/pulse-shm-4243797310: data
[07:37:34] /dev/shm/pulse-shm-1850792680: data
[07:37:35] Checking for hidden files and directories [ Warning ]
[07:37:35] Warning: Hidden directory found: /etc/.java
[07:37:35] Warning: Hidden directory found: /dev/.mdadm
[07:37:36] Warning: Hidden directory found: /dev/.udev
[07:37:36] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[07:37:36] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[07:37:36] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[07:37:36] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[07:37:36] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

Is any of this serious???
 
Old 04-10-2011, 01:14 AM   #2
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
hi

1)

"I got a few warnings. Should I be worried? I got lots of these, for almost every command I think:"

Sounds like you have done some system updates. You should be able to verify, using your package manager, what packages have been upgraded.

HINT: running RKH immediately after a system upgrade helps the memory.

I am on Debian, so I use slightly different tools, but check

Code:
man rpm or man yum
on how to query a command to find its package name and then check that you upgraded that package.

2) There are numerous mentions in the FAQ or readme on how to handle hidden files or folders or directories.

It's up to you to investigate them. You can whitelist those you confirm are distro-specific (meaning false positives), and join the mailing list and post any you believe are possible hits.

eg

http://rkhunter.cvs.sourceforge.net/...AQ?view=markup

section 4.4 and section 6
3) Generally speaking, if you are a local user or a sysadmin you are better off not allowing SSH root access, but logging in as a local user and then running su or sudo su to get root.

Therefore I suggest you modify your /etc/rkhunter.conf to show

ALLOW_SSH_ROOT_USER=no

While there, check you have rpm enabled as per

PKGMGR=RPM

a) There is nothing stopping you from encrypting your home folder and hardening your system if you suspect your govt of intrusive behaviour.
b) run rkhunter --propupd as root to update your changes
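An added triage script (not from the thread and not part of rkhunter) that follows the advice above on an RPM-based system: it pulls the changed-file warnings out of the rkhunter log, asks rpm which package owns each file and whether rpm's own verification agrees the file is unmodified, and flags files whose current and stored hashes have different lengths, which the log quoted in the question shows for /bin/su. It assumes `rpm -qf`, `rpm -V --nomtime` and the default log path /var/log/rkhunter.log; the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: triage rkhunter "file properties have
# changed" warnings on an RPM-based system such as the poster's Fedora 14.
# If rpm agrees a flagged file is pristine, the warning most likely reflects
# a package update that predates rkhunter's stored properties, and
# `rkhunter --propupd` is the right follow-up; a file rpm reports as modified,
# or that no package owns, deserves a closer look first.
# Paths rkhunter reported as changed; rkhunter log text on stdin, one per line.
rkh_changed_files() {
    awk '/Warning: The file properties have changed/ { want = 1; next }
         want && /File: / { sub(/.*File: /, ""); print; want = 0 }'
}

# Paths whose current and stored hashes differ in length. The thread's log
# shows a 40-char (SHA-1) current hash against a 64-char (SHA-256) stored
# hash, i.e. rkhunter's hash function changed, not necessarily the file.
rkh_hash_algo_changed() {
    awk '/File: / { sub(/.*File: /, ""); f = $0 }
         /Current hash:/ { cur = length($NF) }
         /Stored hash/ { if (length($NF) != cur) print f }'
}

# Prints "PATH PACKAGE VERDICT", VERDICT = clean | MODIFIED | unowned | no-rpm.
rkh_triage_file() {
    path=$1
    command -v rpm >/dev/null 2>&1 || { printf '%s - no-rpm\n' "$path"; return 0; }
    pkg=$(rpm -qf "$path" 2>/dev/null) || { printf '%s - unowned\n' "$path"; return 0; }
    # rpm -V lists only files that differ from the package manifest; --nomtime
    # ignores timestamps, which every package update legitimately changes.
    if [ -z "$(rpm -V --nomtime "$pkg" | awk -v f="$path" '$NF == f')" ]; then
        printf '%s %s clean\n' "$path" "$pkg"
    else
        printf '%s %s MODIFIED\n' "$path" "$pkg"
    fi
}

# Run over a log file (rkhunter's default location unless one is given).
rkh_triage() {
    rkh_changed_files < "${1:-/var/log/rkhunter.log}" | while IFS= read -r f; do
        rkh_triage_file "$f"
    done
}
# Constructed sample mirroring the warnings quoted in the question.
SAMPLE_LOG='[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/su
[07:35:00] Current hash: 0ef03993fbc86eeee3626c74587275bb1a886733
[07:35:00] Stored hash : d6348ab78d7592f0521d3e687f3116c1d232f9ae4004003105d16d5551421f9f
[07:35:00] Warning: The file properties have changed:
[07:35:00] File: /bin/touch
[07:35:00] Current size: 50644 Stored size: 49052'
```

On a real box run `rkh_triage` as root after the scan; with the sample, `printf '%s\n' "$SAMPLE_LOG" | rkh_hash_algo_changed` prints the files whose hash algorithm changed.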