LinuxQuestions.org > Forums > Linux Forums > Linux - Security

08-17-2006, 04:14 PM   #1
bhert (Member; Distribution: OpenSUSE 10.3 Kubuntu Hardy Heron)
Rkhunter results-bad?


I ran rkhunter for the first time and the results got me curious.

Scanning for hidden files... [ Warning! ]
---------------
/dev/.udevdb /etc/.pwd.lock

What does the above mean?

- OpenSSL 0.9.7g [ Vulnerable ]

Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

I did not allow SSH, I have not even used it yet. Is it possible that someone found a way in and changed the rules? Thanks

bhert
 
08-17-2006, 05:52 PM   #2
Brian1 (LQ Guru, Seymour, Indiana; Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu)
For ssh it is looking at the default /etc/sshd/sshd-config file and sees some things not quite like it would like to see. If the service is not active then the port is not active.

OpenSSL may be referring to the fact that it is aware of a security issue with that version and you should look to update it. If you're not using it, not a big deal again.

Not sure about the first one.

Have you updated rkhunter since the install? ' rkhunter --update '

Brian1
 
08-17-2006, 07:36 PM   #3
bhert (Original Poster)
I updated rootkit hunter and now it shows

- GnuPG 1.4.2 [ Vulnerable ]

What is that?
 
08-18-2006, 02:34 AM   #4
unSpawn (Moderator)
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udevdb /etc/.pwd.lock
Not sure about the first one.

Explanation: "hidden" here refers to files (remember, about everything is a file) whose name starts with a dot, because those can only be seen when you explicitly add "-a" to the "ls" command. Dotfiles are used for benign purposes like storing personal configuration information in your $HOME and have been used in the past as a (simple) way to avoid easy spotting. Also see directories whose name consists of three dots.
Verification: since your distro uses an evolved package management system it would be easy to query which package owns the file: "rpm -q --whatprovides /some/file" and then "rpm -qV --noscripts returned_package_name". A distro-agnostic approach would be to use an integrity checker (Aide, Samhain or even tripwire) to check the file for changes, but obviously you must have that integrity checker installed, configured and its database updated shortly after installing the O.S. If all verification methods fail you can use "stat" to find out ownership and access details, "file" to figure out if it's readable, "strings -an1" or a hex editor if it's binary and your favourite text editor if it's human-readable text. The combined results of using these commands offer enough leads to search LQ and the rest of teh intarweb for clues, or to post.


- OpenSSL 0.9.7g [ Vulnerable ]

OpenSSL may be referring to the fact that it is aware of a security issue with that version and you should look to update it. If you're not using it, not a big deal again.

Next to updating (which is inarguably the best first reflex), some distros backport patches and do not increment major / minor package versions. If you find this is the case you can ask the Rootkit Hunter maintainers to adjust the checking.


Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
I did not allow SSH, I have not even used it yet. Is it possible that someone found a way in and changed the rules?

For ssh it is looking at the default /etc/sshd/sshd-config file and sees some things not quite like it would like to see. If the service is not active then the port is not active.

Since the software is installed and apparently not in use you have two options: remove it, or change the line "Protocol 2,1" to read "Protocol 2" anyway in /etc/sshd_config. This way you know you've covered that hole now, should you want to use ssh in the future.


- GnuPG 1.4.2 [ Vulnerable ]
Check your distro's repos for an update of the package. The comments wrt OpenSSL apply here as well.
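The two checks discussed above (triaging the "hidden" dotfiles rkhunter flagged, and making sure sshd only allows protocol 2) as an added shell example; this is not code from the thread, from rkhunter or from OpenSSH. It assumes GNU coreutils, find and sed, looks up package ownership with rpm or dpkg only if one of them is installed, and reads the config from /etc/ssh/sshd_config, which is where OpenSSH normally keeps it. An absent Protocol line is treated as "v1 allowed", because OpenSSH releases of that era (before 5.4) defaulted to "Protocol 2,1"; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example: triage for rkhunter's "hidden files" and "SSH v1 allowed"
# warnings. Not from the thread; assumes GNU userland, Linux.
set -u

# List dot-named entries directly under each given directory (what the
# hidden-file check reports), one absolute path per line, sorted.
find_dot_entries() {
    for d in "$@"; do
        find "$d" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null
    done | sort
}

# Which package owns a path? Prints the package name, UNOWNED when the
# package database has no record of it, NO-PKGDB when neither rpm nor dpkg
# is installed (then fall back to an integrity checker or manual inspection).
pkg_owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo UNOWNED
    elif command -v dpkg >/dev/null 2>&1; then
        owner=$(dpkg -S "$1" 2>/dev/null | head -n1 | sed 's/:.*//')
        [ -n "$owner" ] && echo "$owner" || echo UNOWNED
    else
        echo NO-PKGDB
    fi
}

# For each flagged path: owning package, mode/owner/mtime, and content type
# (the "stat"/"file" step from the post; "file" is used only if present).
triage_hidden() {
    for p in "$@"; do
        printf '%s\tpackage=%s\n' "$p" "$(pkg_owner "$p")"
        ls -ld "$p"
        if [ -f "$p" ] && command -v file >/dev/null 2>&1; then
            file "$p"
        fi
    done
    return 0
}

# Returns 0 only if the effective Protocol line in the given sshd_config is
# exactly "2". Commented-out lines do not count; a missing line counts as
# "v1 allowed" (the pre-5.4 OpenSSH default was "Protocol 2,1").
sshv1_disabled() {
    proto=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" \
            | head -n1 | tr -d '[:space:]')
    [ "$proto" = "2" ]
}

# Keep a .bak copy, then rewrite the Protocol line to "Protocol 2" (or append
# one if the file has none) and re-check. Restart sshd afterwards only if it
# is actually running; rkhunter reads the file regardless.
disable_sshv1() {
    cp "$1" "$1.bak"
    if grep -q '^[[:space:]]*Protocol[[:space:]]' "$1"; then
        sed -i 's/^[[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$1"
    else
        printf 'Protocol 2\n' >> "$1"
    fi
    sshv1_disabled "$1"
}

# Usage (run as root for the real paths):
#   triage_hidden /dev/.udevdb /etc/.pwd.lock
#   sshv1_disabled /etc/ssh/sshd_config || disable_sshv1 /etc/ssh/sshd_config
```

Run the triage first and read the output before touching anything: a dotfile owned by a package that verifies clean (rpm -V / dpkg -V) is a false positive, an unowned dotfile in /dev or /etc is what the warning is really there for.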
 
08-18-2006, 03:27 AM   #5
bhert (Original Poster)
Thanks UnSpawn! I will put this information to good use. Thanks again for your help