LinuxQuestions.org
Old 11-06-2013, 09:35 PM   #1
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Rootkit hunter general questions


Hello everyone.

I have a general question about running the ./rkcheck command in Linux to check for rootkits. I found none. However I did find the following: I got this error message and output:

Code:
[15:35:18]          /dev/.udev/queue.bin: data
[15:35:18]          /dev/.udev/db/block:sr0: ASCII text
[15:35:18]          /dev/.udev/db/block:sda1: ASCII text
[15:35:18]          /dev/.udev/db/block:dm-2: ASCII text
[15:35:18]          /dev/.udev/db/block:sda2: ASCII text
[15:35:18]          /dev/.udev/db/input:event4: ASCII text
[15:35:18]          /dev/.udev/db/input:event3: ASCII text
[15:35:18]          /dev/.udev/db/input:mouse1: ASCII text
[15:35:19]          /dev/.udev/db/net:eth0: ASCII text
[15:35:19]          /dev/.udev/db/net:eth1: ASCII text
[15:35:19]          /dev/.udev/db/block:sda: ASCII text
[15:35:19]          /dev/.udev/db/block:sdb1: ASCII text
[15:35:19]          /dev/.udev/db/block:sdb: ASCII text
[15:35:19]          /dev/.udev/db/input:event0: ASCII text
[15:35:19]          /dev/.udev/db/input:event6: ASCII text
[15:35:19]          /dev/.udev/db/input:event5: ASCII text
[15:35:19]          /dev/.udev/db/input:event1: ASCII text
[15:35:19]          /dev/.udev/db/input:mouse2: ASCII text
[15:35:19]          /dev/.udev/db/input:event2: ASCII text
[15:35:19]          /dev/.udev/db/block:dm-1: ASCII text
[15:35:19]          /dev/.udev/db/block:dm-0: ASCII text
[15:35:19]          /dev/.udev/db/block:loop1: ASCII text
[15:35:19]          /dev/.udev/db/block:loop6: ASCII text
[15:35:19]          /dev/.udev/db/block:loop3: ASCII text
[15:35:19]          /dev/.udev/db/block:loop0: ASCII text
[15:35:19]          /dev/.udev/db/block:loop5: ASCII text
[15:35:19]          /dev/.udev/db/block:loop7: ASCII text
[15:35:19]          /dev/.udev/db/block:loop4: ASCII text
[15:35:19]          /dev/.udev/db/block:loop2: ASCII text
[15:35:19]          /dev/.udev/db/usb:3-1: ASCII text
[15:35:19]          /dev/.udev/db/usb:usb3: ASCII text
[15:35:19]          /dev/.udev/db/pci:0000:00:1f.5: ASCII text
[15:35:19]          /dev/.udev/db/pci:0000:00:1f.2: ASCII text
[15:35:19]          /dev/.udev/db/block:ram14: ASCII text
[15:35:19]          /dev/.udev/db/block:ram10: ASCII text
[15:35:19]          /dev/.udev/db/block:ram0: ASCII text
[15:35:19]          /dev/.udev/db/block:ram8: ASCII text
[15:35:19]          /dev/.udev/db/block:ram12: ASCII text
[15:35:19]          /dev/.udev/db/block:ram2: ASCII text
[15:35:19]          /dev/.udev/db/block:ram9: ASCII text
[15:35:19]          /dev/.udev/db/block:ram6: ASCII text
[15:35:19]          /dev/.udev/db/block:ram5: ASCII text
[15:35:19]          /dev/.udev/db/block:ram15: ASCII text
[15:35:19]          /dev/.udev/db/block:ram4: ASCII text
[15:35:19]          /dev/.udev/db/block:ram13: ASCII text
[15:35:19]          /dev/.udev/db/block:ram7: ASCII text
[15:35:19]          /dev/.udev/db/block:ram3: ASCII text
[15:35:19]          /dev/.udev/db/block:ram11: ASCII text
[15:35:19]          /dev/.udev/db/block:ram1: ASCII text
[15:35:19]          /dev/.udev/db/usb:1-1.6: ASCII text
[15:35:19]          /dev/.udev/db/usb:1-1: ASCII text
[15:35:19]          /dev/.udev/db/usb:2-1: ASCII text
[15:35:19]          /dev/.udev/db/usb:usb1: ASCII text
[15:35:19]          /dev/.udev/db/usb:usb2: ASCII text
[15:35:19]          /dev/.udev/db/serio:serio0: ASCII text
[15:35:19]          /dev/.udev/rules.d/99-root.rules: ASCII text
[15:35:19]          /dev/shm/pulse-shm-2675932622: data
[15:35:19]          /dev/shm/pulse-shm-3820659595: data
[15:35:19]          /dev/shm/pulse-shm-1193605553: data
[15:35:19]   Checking for hidden files and directories       [ Warning ]
[15:35:19] Warning: Hidden directory found: '/etc/.java'
[15:35:19] Warning: Hidden directory found: '/dev/.mdadm'
[15:35:19] Warning: Hidden directory found: '/dev/.udev'
[15:35:19] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[15:35:19] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[15:35:20] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[15:35:20] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[15:35:20] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[15:35:20] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[15:35:20] Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text
Is there any way to tell which of the above are false positives and which ones are warnings? I have been told to google each one but I am not getting the results. How do I resolve the ones that are harmful to my server? By the way I want to be able to resolve the ones that are harmful on all of my servers.

Last edited by unSpawn; 11-07-2013 at 12:42 AM. Reason: //add vBB code tags
 
Old 11-06-2013, 10:38 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

basically they are all false positives
everything in /dev is hardware/software devices

and the hidden java folder in /etc is odd
but then again Oracle is doing odd things with java

rkhunter is a bit old , though it was finally updated last year

have a read through this Ubuntu page
https://help.ubuntu.com/community/RKhunter

you DO need to set up a database
the basics will be the same for other OS's like RHEL
if you are using a redhat family of OS's use "su -" to become root , and not "sudo" to run that ONE command as root


Also read the documentation on RKhunter's web site
http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH

Last edited by John VV; 11-06-2013 at 10:40 PM.
 
Old 11-07-2013, 12:50 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by michaellopez12
I have a general question about running the ./rkcheck command in Linux
Rootkit Hunter does not need and does not ship with a "rkcheck" command: ask those you got it from.


Quote:
Originally Posted by michaellopez12
Is there any way to tell which of the above are false positives and which ones are warnings?
Yes, the README, rkhunter.conf comments and FAQ Rootkit Hunter comes with tells you how: use your distribution's package management to verify files and (visually) inspect the rest.


Quote:
Originally Posted by michaellopez12
I have been told to google each one
Then you have not read the README and FAQ that Rootkit Hunter comes with. You should read those first. Else why run something you don't understand?..

Last edited by unSpawn; 11-07-2013 at 06:51 PM. Reason: //fix quote tags
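An added triage helper, not from the thread or from Rootkit Hunter itself, that does what unSpawn describes: it parses the hidden-file warnings quoted in post #1 (a few of them embedded here as a constructed sample), asks rpm which package owns each path, verifies that package with rpm -V, and prints a whitelist line for rkhunter.conf for anything you then judge benign. It assumes an RPM-based system like the OP's CentOS 6.4, that rpm is on the PATH (otherwise every non-/dev path is reported for manual inspection), and the ALLOWHIDDENFILE/ALLOWHIDDENDIR option names that rkhunter's own rkhunter.conf documents.

```python
import re
import shutil
import subprocess

# Constructed sample: a few of the warnings quoted in post #1 (CentOS 6.4).
SAMPLE_LOG = """\
[15:35:19]   Checking for hidden files and directories       [ Warning ]
[15:35:19] Warning: Hidden directory found: '/etc/.java'
[15:35:19] Warning: Hidden directory found: '/dev/.udev'
[15:35:19] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[15:35:20] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[15:35:20] Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text
"""

# The path is either quoted ('/etc/.java') or followed by the file(1) description.
WARNING_RE = re.compile(r"Warning: Hidden (directory|file) found: '?([^'\s:]+)'?")

def parse_hidden_warnings(log_text):
    """Return [(kind, path), ...] for every hidden file/directory warning."""
    return [(m.group(1), m.group(2)) for m in WARNING_RE.finditer(log_text)]

def owning_package(path):
    """Package that owns path according to rpm -qf, or None (no owner, or no rpm)."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def verify_package(pkg):
    """rpm -V prints one line per file whose size, digest, mode or owner differs
    from the package database; empty output means every file still matches."""
    r = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    return r.stdout.strip()

def allow_line(kind, path):
    """rkhunter.conf whitelist entry to add once a warning has been judged benign."""
    key = "ALLOWHIDDENDIR" if kind == "directory" else "ALLOWHIDDENFILE"
    return f"{key}={path}"

def triage(log_text):
    """Classify each warning: 'runtime' (udev/device state under /dev, which no
    package owns, so rpm cannot vouch for it; eyeball it), 'verified' (owned by
    a package whose files all check out), 'modified' (owned, but rpm -V reports
    differences, so investigate) or 'inspect' (no owner known; look by hand).
    Returns [(path, status, detail)]."""
    results = []
    for kind, path in parse_hidden_warnings(log_text):
        if path.startswith("/dev/"):
            results.append((path, "runtime", allow_line(kind, path)))
            continue
        pkg = owning_package(path)
        if pkg is None:
            results.append((path, "inspect", "no owning package found"))
            continue
        diff = verify_package(pkg)
        status = "modified" if diff else "verified"
        results.append((path, status, diff or allow_line(kind, path)))
    return results

if __name__ == "__main__":
    for path, status, detail in triage(SAMPLE_LOG):
        print(f"{status:9} {path}  {detail}")
```

Run it against the real log (rkhunter's own /var/log/rkhunter.log, as Habitual suggests) instead of SAMPLE_LOG; anything reported as "modified" or "inspect" is what deserves your attention.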
 
Old 11-07-2013, 01:00 PM   #4
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by unSpawn
Quote:
Originally Posted by michaellopez12
I have a general question about running the ./rkcheck command in Linux
Rootkit Hunter does not need and does not ship with a "rkcheck" command: ask those you got it from.

Yes, the README, rkhunter.conf comments and FAQ Rootkit Hunter comes with tells you how: use your distribution's package management to verify files and (visually) inspect the rest.

Then you have not read the README and FAQ that Rootkit Hunter comes with. You should read those first. Else why run something you don't understand?..
Where would I find the rkhunter.conf comments? Would I just do a vi rkhunter.conf command? Is the README and FAQ that Rootkit Hunter comes with some type of booklet or can it be found in the system? Please forgive me for my ignorance but this is my first time ever using this command to patch and upgrade my servers. Plus these servers are for a company.
 
Old 11-07-2013, 01:02 PM   #5
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by John VV
basically they are all false positives
everything in /dev is hardware/software devices
Since they are all false positives that means they have been white flagged and I don't have to worry about them correct?
 
Old 11-07-2013, 01:45 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

no

on a VERY FRESH NEW install
the VERY first program to run would be to set up the rkhunter db
because it is a KNOWN clean install

then rkhunter checks for changes along with known "creepy-crawlers "

it is a rather complicated simple program

the same goes for the other program "chkrootkit"

please read the documentation

but in the last 8 years i have seen
ZERO rootkits
ZERO viruses

and the only viruses i have seen are on Windows OS's that Norton & McAfee AV missed

follow the normal "Good Safe Computing Practices "
and it will be a 1/1,000,000,000 that a rootkit will get installed

Last edited by John VV; 11-07-2013 at 01:49 PM.
 
Old 11-07-2013, 02:25 PM   #7
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by John VV
no

on a VERY FRESH NEW install
the VERY first program to run would be to set up the rkhunter db
because it is a KNOWN clean install

then rkhunter checks for changes along with known "creepy-crawlers "

it is a rather complicated simple program

the same goes for the other program "chkrootkit"

please read the documentation

but in the last 8 years i have seen
ZERO rootkits
ZERO viruses

and the only viruses i have seen are on Windows OS's that Norton & McAfee AV missed

follow the normal "Good Safe Computing Practices "
and it will be a 1/1,000,000,000 that a rootkit will get installed
Okay I see. The reason I ask is because I want to uninstall and reinstall rkhunter. I am currently using rkhunter version 1.4.0. This leads me to my next question. Every time I try to run the ./rkcheck command to execute rkhunter and search for root kits, I keep getting the following error messages:

Invalid BINDIR configuration option: Invalid directory found: .
Invalid BINDIR configuration option: Invalid directory found:

I have been told that the reason I keep getting this error message is simply because the path of the file points to the wrong location. If this is true my questions are the following:

Is it necessary to first uninstall and then reinstall rootkit hunter? If so how would I go about uninstalling rootkit hunter? By the way do you mean to tell me that because they are false positives they are not white listed that they may be harmful? I am a bit confused as to what it is you are trying to tell me.

But bottom line what I am trying to currently accomplish is simply that every time I run ./rkcheck it should perform the rkcheck without any difficulty and point out to me what are the false positives and what needs to go and what is white listed. It would be too time consuming to google all the ones that may be false positives to find out if they do mean harm because I must do this for 16 servers.

By the way which documentation are you talking about again? Do you mean the one from sourceforge? Also the version of linux I am using is CentOS release 6.4.

Last edited by michaellopez12; 11-07-2013 at 02:26 PM. Reason: Important Info Added
 
Old 11-07-2013, 02:39 PM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Quote:
Originally Posted by michaellopez12
Is it necessary to first uninstall and then reinstall rootkit hunter?
no.

[ Rootkit Hunter version 1.4.0 ] is current. Why uninstall it?
Don't answer that.
Inspect /var/log/rkhunter.log carefully.
 
Old 11-07-2013, 02:44 PM   #9
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by Habitual
Inspect /var/log/rkhunter.log carefully.
When you tell me to inspect this log file carefully, which by the way I have in the past to no avail, are you saying that the solution for why I keep receiving the error message could be found in that particular log file? Because I just don't see it:

Invalid BINDIR configuration option: Invalid directory found: .
Invalid BINDIR configuration option: Invalid directory found:
 
Old 11-07-2013, 03:25 PM   #10
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by Habitual
no.

[ Rootkit Hunter version 1.4.0 ] is current. Why uninstall it?
Don't answer that.
Inspect /var/log/rkhunter.log carefully.
The reason I would uninstall it is because I keep receiving this error message:

Invalid BINDIR configuration option: Invalid directory found: .
Invalid BINDIR configuration option: Invalid directory found:

every time I execute this command: ./rkcheck.

I did a vi rkcheck and this is what I found it is supposed to do:

Code:
./rkhunter --update
./rkhunter --createlogfile --checkall --quiet


and yet I keep getting the error message. So my way of thinking is that if it keeps doing that with that version installed there must be something wrong with that particular version. That is why I want to uninstall it and reinstall it. Now if I were to reinstall it what would happen? Would it override and get rid of the other version?
 
Old 11-07-2013, 03:57 PM   #11
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

there is no "./rkcheck"


as root run
Code:
rkhunter  --help
to read the HELP guide
and READ the man page
Code:
su -
man rkhunter

the basic check is run by running
Code:
su -
rkhunter -c
there is and never has been a need for that ./
rkhunter is installed into /usr/bin

and you HAVE to run it as root
 
Old 11-07-2013, 04:33 PM   #12
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by John VV
there is no "./rkcheck"


as root run
Code:
rkhunter  --help
to read the HELP guide
and READ the man page
Code:
su -
man rkhunter

the basic check is run by running
Code:
su -
rkhunter -c
there is and never has been a need for that ./
rkhunter is installed into /usr/bin

and you HAVE to run it as root
I have been running it as root. Doesn't the ./ mean that it is being executed? The rkcheck is highlighted in green which means it is an executable and must be executed.

I think I may be onto something. Is it normal for an output when you do an ls under your usr/local/src directory to look like the following?:

Code:
chkrootkit DenyHosts-2.6 fop-1.0-bin.tar.gz lynis-1.3.2.tar proftpd-1.3.3d.tar rarlinux-x64-5.0.0.tar rkhunter-1.3.8.tar rkhunter-1.4.0.tar
chkrootkit.tar DenyHosts-2.6.tar lynis-1.3.2 proftpd-1.3.3d rar rkhunter-1.3.8 rkhunter-1.4.0

I think the reason I keep getting that error message is because of the two versions of the rkhunter tar file and rkhunter-1.3.8 and 1.4.0. I will try what you said and I appreciate your help. Thank you.

Oh and by the way, this was found in the rkhunter.1.4.0/files/rkhunter.conf file when I did a vi.

Code:
# This option can be used to modify the command directory list used
# by rkhunter to locate commands (that is, its PATH). By default
# this will be the root PATH, and an internal list of some common
# command directories.
#
# Any directories specified here will, by default, be appended to the
# default list. However, if a directory name begins with the '+'
# character, then that directory will be prepended to the list (that
# is, it will be put at the start of the list).
#
# This is a space-separated list of directory names. The option may
# be specified more than once.
#
#BINDIR="/bin /usr/bin /sbin /usr/sbin"
#BINDIR="+/usr/local/bin +/usr/local/sbin"

What if any needs to be changed from here so that I don't have that error message anymore or is it fine just the way it is:

Invalid BINDIR configuration option: Invalid directory found: .
Invalid BINDIR configuration option: Invalid directory found: ?

Like I said I will try your advice. Thank you again for your help.
 
Old 11-07-2013, 05:02 PM   #13
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Quote:
Doesn't the ./ mean that it is being executed?
No.
that means run this program in this folder because this folder is NOT in the system $PATH

or
that version of said program IN THIS folder is to be run ( there can be different versions of programs installed )

i normally have 3 or 4 different versions of the Space Sim "celestia" installed
and a few different versions of TheGimp installed

then the 2 installs of Blender 2.49 and 2.68

so being able to force the use of a program in a specific folder is helpful


it is BEST to just use the version that IS IN YOUR package manager for your distro
that way it is ALREADY configured for your distro

for redhat family of OS's
Code:
yum install rkhunter
for the oddball openSUSE
Code:
zypper in rkhunter
and ubuntu
Code:
apt-get install rkhunter
 
Old 11-07-2013, 06:53 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by michaellopez12
Where would I find the rkhunter.conf comments? Would I just do a vi rkhunter.conf command?
Yes, you could 'less rkhunter.conf'; usually it would reside in /etc or /usr/local/etc.


Quote:
Originally Posted by michaellopez12
Is the README and FAQ that Rootkit Hunter comes with some type of booklet or can it be found in the system?
Yes. Usually in /usr/share/doc/rkhunter or /usr/local/share/doc/rkhunter.


Quote:
Originally Posted by michaellopez12
Please forgive me for my ignorance but this is my first time ever using this command to patch and upgrade my servers. Plus these servers are for a company.
Servers being for a company makes it even more important to read the documentation and know what you run.
 
Old 11-12-2013, 03:18 PM   #15
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by unSpawn
Yes, you could 'less rkhunter.conf'; usually it would reside in /etc or /usr/local/etc.
Thanks again for the help. I just went into the /usr/local/etc directory and typed ls to see if the rkhunter.conf file was there but what I found was proftpd.conf. Does this mean that my rkhunter.conf file is nonexistent? As you said it is important to read the documentation to know what I run but what if I can't find it. I need to find it.

Quote:
Originally Posted by unSpawn
Yes. Usually in /usr/share/doc/rkhunter or /usr/local/share/doc/rkhunter.


Servers being for a company makes it even more important to read the documentation and know what you run.
I also couldn't find the /usr/local/share/doc/rkhunter directory. Is there another way to find the README information. The message I got was no such file or directory. I was in root at the time when changing directories. If there isn't what should I do?

Would I have to perform a fresh install of Rootkit Hunter in order to access those directories?

Last edited by michaellopez12; 11-12-2013 at 03:58 PM. Reason: Additional Questions
 