LinuxQuestions.org > Linux - Security > rkhunter warnings (http://www.linuxquestions.org/questions/linux-security-4/rkhunter-warnings-521925/)

jantman 01-23-2007 01:22 AM

rkhunter warnings
 
I have a SuSE 9.3 server with an install that's about a year old. I've been meaning to install rkhunter for a while, but just got around to it tonight.

I set it up to run in my nightly admin cron job, and email the log to me (as well as saving it locally). I just did a test run, and got quite a few warnings in the log.

I searched most of them on google, and scarily didn't come up with anything for a few of them:

[00:57:58] Value of hiddendirs: /etc/.java /etc/.pwd.lock
I know that .java is ok, but couldn't find anything online about .pwd.lock, but it said:
[00:57:59] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
so I assume this is OK...

One side-note, it said that Apache wasn't found... I guess rkhunter doesn't support Apache2 yet?

[00:58:40] Scanning OpenSSL...
[00:58:41] /usr/bin/openssl found
[00:58:41] Version 0.9.7e seems to be vulnerable (if unpatched)!
[00:58:41] ----------------------------------------------------------
[00:58:41] Scanning PHP...
[00:58:43] /usr/bin/php found
[00:58:44] Version 4.3.10 seems to be vulnerable (if unpatched)!
[00:58:44] ----------------------------------------------------------
[00:58:44] Scanning ProFTPd...
[00:58:44] /usr/sbin/proftpd found
[00:58:45] Version 1.2.5rc1 seems to be vulnerable (if unpatched)!


I just ran the YaST update and didn't get anything for these...

Thanks for any help.

ScottSmith 01-23-2007 02:52 AM

I too was getting strange error messages from rkhunter until I ran rkhunter --update. That seemed to fix most of the problems that I was having. In addition, look into the config file; there are known hidden directories that are commented out. If you are comfortable with the hidden directory, uncomment the line in the config file to not receive the error message, or add your own directory path.

Scott

jantman 01-23-2007 10:59 AM

Thanks for the info. I just ran --update, I'll post tomorrow with the results of the next scan.

If they're not anything to worry about, I'd rather leave them in there and check them time to time... after all, if someone does get root, it would be pretty easy to check for rkhunter installed, look in the config file, and get a list of ignored files.

unSpawn 01-23-2007 12:41 PM

Quote: I know that .java is ok, but couldn't find anything online about .pwd.lock, but it said: so I assume this is OK...
Next to what ScottSmith already said, a short explanation. In short: don't assume but make certain. Filenames that start with a dot are not listed by default and show up if you use the 'ls' "-a" switch. Because of that these filenames are (still) considered suspicious. If files are part of a package it is easiest to verify using your distro's package manager. If they are not part of a package you will have to get info with 'stat' to see ownership, access permissions and modification and access times, and 'file' to get an idea of the contents. If it appears to be text, visual inspection is the easiest way to get a clue; else, if it's data, try using 'strings'.

Besides that RKH 1.2.9 comes with an offline copy of the FAQ which should help you find out more.


Quote: One side-note, it said that Apache wasn't found... I guess rkhunter doesn't support Apache2 yet?
RKH does support Apache2. You're probably (since you didn't post it) pointing towards a glitch that's fixed in CVS. If you can spare the time, do me a favour and run the CVS version. Please notice the project was here: http://sourceforge.net/projects/rkhunter a long time ago and is no longer at http://www.rootkit.nl/ which is dusty, deprecated and dead as far as I'm concerned. Anything pointing to it should be updated or have the link removed.


The version check could be fixed like ScottSmith already said by running --update unless nobody in the community notified us versions changed.


Quote: I too was getting strange error messages from rkhunter
If there are any that weren't fixed let me know, OK?
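The verification order unSpawn describes (check package ownership first; for anything unpackaged, use stat for owner, mode and timestamps, then decide between reading it as text or running strings on it) as an added shell example. This script is not part of rkhunter and not code from anyone in this thread. It assumes an RPM-based host like the SuSE 9.3 box above (rpm -qf / rpm -V), with dpkg as a fallback; it replaces file(1) with a portable printable-byte test so it runs where file is not installed; and /etc/.pwd.lock is only the default argument, taken from the log posted above.

```shell
#!/bin/sh
# Added example (not rkhunter code): triage a dotfile or dot-directory that
# rkhunter's hidden file/dir check reported, in the order unSpawn gives:
#   1. owned by a package?  -> verify it with the package manager
#   2. unpackaged           -> stat for owner/mode/times, then text vs. data
# Assumption: an RPM-based host (SuSE 9.3 in the thread); dpkg is a fallback.

# Print the owning package and return 0; return 1 if no package claims the path.
owner_package() {
    path=$1
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$path" 2>/dev/null) && { echo "$pkg"; return 0; }
    fi
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] && { echo "$pkg"; return 0; }
    fi
    return 1
}

# Treat a file as text when it holds no byte outside the printable/whitespace set
# (a stand-in for file(1), which may not be installed).
is_text_file() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Classify a path; prints one word (or packaged:<name>) so callers can branch on it.
triage_hidden_path() {
    path=$1
    [ -e "$path" ] || { echo missing; return 1; }
    pkg=$(owner_package "$path") && { echo "packaged:$pkg"; return 0; }
    if [ -d "$path" ]; then
        echo directory
    elif [ ! -s "$path" ]; then
        echo empty            # e.g. /etc/.pwd.lock in the thread: zero bytes
    elif is_text_file "$path"; then
        echo text             # read it directly
    else
        echo data             # binary: look at strings(1) output
    fi
}

# Full report for one path: a verification hint when a package owns it,
# otherwise ownership, permissions and timestamps plus a peek at the contents.
report_hidden_path() {
    path=$1
    kind=$(triage_hidden_path "$path") || { echo "$path: missing"; return 1; }
    echo "== $path ($kind)"
    case $kind in
        packaged:*)
            pkg=${kind#packaged:}
            echo "owned by $pkg; verify with: rpm -V $pkg  (or: dpkg -V $pkg)"
            ;;
        *)
            stat "$path"
            if [ "$kind" = text ]; then
                head -n 20 "$path"
            elif [ "$kind" = data ] && command -v strings >/dev/null 2>&1; then
                strings -n 6 "$path" | head -n 20
            fi
            ;;
    esac
}

# Default argument is the path from the thread; pass others on the command line.
if [ $# -gt 0 ]; then
    for p in "$@"; do report_hidden_path "$p"; done
else
    report_hidden_path /etc/.pwd.lock || true
fi
```

Run it as root with the paths from the hiddendirs/hiddenfiles warning as arguments. A "packaged" result means the package manager's verify mode is the authority on whether the file is what it should be; an "empty" result owned by root with an mtime matching the install date (as jantman reports for .pwd.lock) is the low-risk case, while "data" under /etc with a recent mtime is the one worth reading the strings output for.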

jantman 01-23-2007 03:39 PM

I ran --update.

I installed the package from a SuSE 9.3 RPM which, I assume, may be a bit dusty.

The .pwd.lock file is empty, owned by root, and last modified on the date of the OS installation... so hopefully it's not anything to worry about...

