LinuxQuestions.org
Old 01-23-2007, 01:22 AM   #1
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Rep: Reputation: 31
rkhunter warnings


I have a SuSE 9.3 server with an install that's about a year old. I've been meaning to install rkhunter for a while, but just got around to it tonight.

I set it up to run in my nightly admin cron job, and email the log to me (as well as saving it locally). I just did a test run, and got quite a few warnings in the log.

I searched most of them on google, and scarily didn't come up with anything for a few of them:

[00:57:58] Value of hiddendirs: /etc/.java /etc/.pwd.lock
I know that .java is ok, but couldn't find anything online about .pwd.lock, but it said:
[00:57:59] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
so I assume this is OK...

One side-note, it said that Apache wasn't found... I guess rkhunter doesn't support Apache2 yet?

[00:58:40] Scanning OpenSSL...
[00:58:41] /usr/bin/openssl found
[00:58:41] Version 0.9.7e seems to be vulnerable (if unpatched)!
[00:58:41] ----------------------------------------------------------
[00:58:41] Scanning PHP...
[00:58:43] /usr/bin/php found
[00:58:44] Version 4.3.10 seems to be vulnerable (if unpatched)!
[00:58:44] ----------------------------------------------------------
[00:58:44] Scanning ProFTPd...
[00:58:44] /usr/sbin/proftpd found
[00:58:45] Version 1.2.5rc1 seems to be vulnerable (if unpatched)!


I just ran the YaST update and didn't get anything for these...

Thanks for any help.
 
Old 01-23-2007, 02:52 AM   #2
ScottSmith
LQ Newbie
 
Registered: Mar 2004
Distribution: Debian - Sid
Posts: 23

Rep: Reputation: 1
I too was getting strange error messages from rkhunter until I ran rkhunter --update. That seemed to fix most of the problems that I was having. In addition, look into the config file; there are known hidden directories that are commented out. If you are comfortable with the hidden directory, uncomment the line in the config file to not receive the error message, or add your own directory path.

Scott
 
Old 01-23-2007, 10:59 AM   #3
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Original Poster
Rep: Reputation: 31
Thanks for the info. I just ran --update, I'll post tomorrow with the results of the next scan.

If they're not anything to worry about, I'd rather leave them in there and check them from time to time... after all, if someone does get root, it would be pretty easy to check for rkhunter installed, look in the config file, and get a list of ignored files.
 
Old 01-23-2007, 12:41 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,711
Blog Entries: 54

Rep: Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966Reputation: 2966
I know that .java is ok, but couldn't find anything online about .pwd.lock, but it said: so I assume this is OK...
Next to what ScottSmith already said, a short explanation. In short: don't assume but make certain. Filenames that start with a dot are not listed by default and show up if you use the 'ls' "-a" switch. Because of that these filenames are (still) considered suspicious. If files are part of a package it is easiest to verify using your distro's package manager. If they are not part of a package you will have to get info with 'stat' to see ownership, access permissions and modification and access times, and 'file' to get an idea of the contents. If it appears to be text, visual inspection is the easiest way to get a clue; else if it's data, try using 'strings'.

Besides that RKH 1.2.9 comes with an offline copy of the FAQ which should help you find out more.


One side-note, it said that Apache wasn't found... I guess rkhunter doesn't support Apache2 yet?
RKH does support Apache2. You're probably (since you didn't post it) pointing towards a glitch that's fixed in CVS. If you can spare the time do me a favour and run the CVS version. Please notice the project was here: http://sourceforge.net/projects/rkhunter a long time ago and is not anymore at http://www.rootkit.nl/ which is dusty, deprecated and dead as far as I'm concerned. Anything pointing to it should be updated or have the link removed.


The version check could be fixed like ScottSmith already said by running --update unless nobody in the community notified us versions changed.


I too was getting strange error messages from rkhunter
If there are any that weren't fixed let me know, OK?
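An added example, not from the thread and not rkhunter's own code: a small POSIX shell script that runs the triage steps unSpawn lists (package ownership via rpm or dpkg, stat for owner/mode/times, file to classify the contents, then a preview with head or strings) over each path rkhunter flagged, such as /etc/.pwd.lock or /etc/.java. It assumes GNU or BusyBox stat and that file(1) and strings(1) are installed; when file is missing it falls back to a byte test.

```shell
#!/bin/sh
# Added example (not from the thread or rkhunter): triage a path that
# rkhunter's hidden file/dir check flagged, using the steps in the post above.
# Print the package owning $1, or "unowned" when neither rpm nor dpkg claims it.
owner_of() {
    f="$1"
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$f" >/dev/null 2>&1; then
        rpm -qf "$f"
    elif command -v dpkg >/dev/null 2>&1 && dpkg -S "$f" >/dev/null 2>&1; then
        dpkg -S "$f" | cut -d: -f1
    else
        echo unowned
    fi
}

# Classify $1 as "directory", "empty", "text" or "data" (file(1) when present,
# otherwise a non-printable-byte test in the C locale).
content_kind() {
    f="$1"
    if [ -d "$f" ]; then
        echo directory
    elif [ ! -s "$f" ]; then
        echo empty
    elif command -v file >/dev/null 2>&1; then
        if file "$f" | grep -q text; then echo text; else echo data; fi
    elif LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo data
    else
        echo text
    fi
}

# Report package ownership, stat metadata and a short content preview.
# stat -c is GNU/BusyBox syntax; BSD stat uses -f instead.
triage() {
    f="$1"
    echo "== $f"
    echo "package: $(owner_of "$f")"
    stat -c 'owner: %U:%G  mode: %a  mtime: %y  atime: %x' "$f"
    kind=$(content_kind "$f")
    echo "contents: $kind"
    case "$kind" in
        directory) ls -la "$f" ;;
        text) head -n 20 "$f" ;;
        data) strings "$f" | head -n 20 ;;
    esac
}
# Usage: sh triage.sh /etc/.pwd.lock /etc/.java
if [ $# -gt 0 ]; then for f in "$@"; do triage "$f"; done; fi
```

A file reported as owned by a package can then be checked against the package database (rpm -V or debsums) rather than by eye; an unowned, non-empty file with recent mtime is the case worth reading closely.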
 
Old 01-23-2007, 03:39 PM   #5
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Original Poster
Rep: Reputation: 31
I ran --update.

I installed the package from a SuSE 9.3 RPM which, I assume, may be a bit dusty.

The .pwd.lock file is empty, owned by root, and last modified on the date of the OS installation... so hopefully it's not anything to worry about...