LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-22-2010, 01:27 PM   #1
qwertyjjj (Senior Member; Registered: Jul 2009; Location: UK; Distribution: Cent OS5 with Plesk; Posts: 1,008)

suspect applications?

I have a few suspect applications in the rkhunter log.
Any ideas on what to do?

Attached log
Attached Files: rkhunter.log (129.6 KB, 12 views)
 
Old 12-22-2010, 07:43 PM   #2
unSpawn (Moderator; Registered: May 2001; Posts: 27,541; Blog Entries: 54; Rep: Reputation: 2924)

Quote:
Originally Posted by qwertyjjj View Post
I have a few suspect application in the rkhunter log. Any ideas on what to do?
Yeah, actually read the README and the comments in rkhunter.conf. Note most common and less common questions have already been answered: do check the FAQ (scriptlets at the bottom) and search the rkhunter mailing list archives.


Code:
Warning: The file properties have changed
Investigate reason for change and if valid run "--propupd".


Code:
Warning: The file '[X]' exists on the system, but it is not present in the rkhunter.dat file.
Run "--propupd".


Code:
Warning: The command '[X]' has been replaced by a script
Investigate and see the SCRIPTWHITELIST comments in rkhunter.conf.


Code:
Warning: Hidden directory found: [Y]
Investigate and see ALLOWHIDDENDIR.


Code:
Warning: Hidden file found: [Y]
ALLOWHIDDENFILE.


Code:
Warning: Application '[Z]', version '[Z]', is out of date, and possibly a security risk.
APP_WHITELIST.
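Added example (not from unSpawn's post and not part of rkhunter): a small Python triage script that reads the Warning lines of an rkhunter.log and maps each one to the follow-up listed above, so a 129 KB log can be sorted before anything is whitelisted. The hidden file and hidden directory lines in SAMPLE_LOG are the ones qwertyjjj posted later in this thread; the remaining sample lines are constructed in rkhunter 1.3.x wording (the paths /usr/bin/unhide and /usr/bin/lwp-request and the openssl version are made up for the example, not taken from the attached log). The rkhunter.conf lines it emits are only meant to be added after each item has actually been checked, which is the whole point of the replies above.

```python
"""Triage the Warning lines of an rkhunter.log into the follow-up actions
unSpawn lists: --propupd, SCRIPTWHITELIST, ALLOWHIDDENDIR, ALLOWHIDDENFILE
or APP_WHITELIST.  Added example; not part of rkhunter or of this thread."""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "category target action")

# (pattern, category, action).  Capture groups hold the path, or the
# application name and version, the warning is about; joined with ':' below.
RULES = [
    (re.compile(r"Warning: The file properties have changed"),
     "properties_changed",
     "rpm -qf <file>, then rpm -Vv <package>; run rkhunter --propupd only "
     "if the change turns out to be legitimate"),
    (re.compile(r"Warning: The file '([^']+)' exists on the system, but it is "
                r"not present in the rkhunter\.dat file"),
     "not_in_dat",
     "confirm the file belongs there, then run rkhunter --propupd"),
    (re.compile(r"Warning: The command '([^']+)' has been replaced by a script"),
     "replaced_by_script",
     "read the script; if it is the distro's own, SCRIPTWHITELIST=<path>"),
    (re.compile(r"Warning: Hidden directory found: (\S+)"),
     "hidden_dir",
     "inspect it; if legitimate, ALLOWHIDDENDIR=<path>"),
    (re.compile(r"Warning: Hidden file found: (.+?)(?:: |$)"),
     "hidden_file",
     "rpm -qf <path> shows whether a package owns it; if so, ALLOWHIDDENFILE=<path>"),
    (re.compile(r"Warning: Application '([^']+)', version '([^']+)', is out of date"),
     "app_out_of_date",
     "update the package, or APP_WHITELIST=<name>:<version> if the distro backports fixes"),
]

TIMESTAMP = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*")   # "[18:14:03] " prefix
FILE_LINE = re.compile(r"^File:\s+(\S+)")           # continuation line after a properties warning

DIRECTIVE = {"hidden_dir": "ALLOWHIDDENDIR", "hidden_file": "ALLOWHIDDENFILE",
             "replaced_by_script": "SCRIPTWHITELIST", "app_out_of_date": "APP_WHITELIST"}


def triage(log_text):
    """One Finding per Warning line.  The file-properties warning carries no
    path itself; rkhunter prints it on the indented 'File:' line that follows."""
    lines = [TIMESTAMP.sub("", line).strip() for line in log_text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        for pattern, category, action in RULES:
            m = pattern.search(line)
            if not m:
                continue
            target = ":".join(m.groups()) if m.groups() else None
            if category == "properties_changed":
                for follow in lines[i + 1:i + 4]:
                    fm = FILE_LINE.match(follow)
                    if fm:
                        target = fm.group(1)
                        break
            findings.append(Finding(category, target, action))
            break
    return findings


def by_category(findings):
    """{category: [targets]} in log order, for a quick overview of a big log."""
    out = {}
    for f in findings:
        out.setdefault(f.category, []).append(f.target)
    return out


def config_lines(findings):
    """rkhunter.conf lines for the findings that have a whitelist directive.
    Only add them after each item has been checked and found legitimate;
    --propupd and package updates have no directive and are not emitted."""
    return ["%s=%s" % (DIRECTIVE[f.category], f.target)
            for f in findings if f.category in DIRECTIVE]


# Constructed sample.  The hidden file/directory lines are the ones qwertyjjj
# posted in this thread; the rest are made up in rkhunter 1.3.x wording.
SAMPLE_LOG = """\
[18:13:40] Warning: The file properties have changed:
[18:13:40]          File: /sbin/depmod
[18:13:40]          Current hash: 0123456789abcdef0123456789abcdef01234567
[18:13:41] Warning: The file '/usr/bin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
[18:13:42] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable
[18:14:03] Checking for hidden files and directories [ Warning ]
[18:14:03] Warning: Hidden directory found: /dev/.udev
[18:14:03] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[18:14:03] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[18:14:03] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[18:14:03] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[18:14:10] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print("%-18s %-40s %s" % (f.category, f.target, f.action))
    print("\n".join(config_lines(triage(text))))
```

Run it as `python3 triage.py /var/log/rkhunter.log` to get one line per warning plus the candidate config lines; the category "properties_changed" is the one that should never be whitelisted blindly, since it is the only one that can mean a binary was swapped out.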
 
Old 12-23-2010, 02:23 AM   #3
qwertyjjj (Senior Member, Original Poster; Registered: Jul 2009; Location: UK; Distribution: Cent OS5 with Plesk; Posts: 1,008; Rep: Reputation: 30)

Quote:
Originally Posted by unSpawn View Post
Yeah, actually read the README and the comments in rkhunter.conf. Note most common and less common questions have already been answered: do check the FAQ (scriptlets at the bottom) and search the rkhunter mailing list archives.


Code:
Warning: The file properties have changed
Investigate reason for change and if valid run "--propupd".
When I look through some of the files, they are just full of garbled computer text, e.g. /sbin/depmod?

Do these seem ok - I have no idea what they are.
Code:
[18:14:03] Checking for hidden files and directories [ Warning ]
[18:14:03] Warning: Hidden directory found: /dev/.udev
[18:14:03] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[18:14:03] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[18:14:03] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[18:14:03] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

Last edited by qwertyjjj; 12-23-2010 at 02:27 AM.
 
Old 12-23-2010, 11:39 AM   #4
unSpawn (Moderator; Registered: May 2001; Posts: 27,541; Blog Entries: 54; Rep: Reputation: 2924)

See what package a file is in with 'rpm -qf /sbin/depmod --qf="%{NAME}\n";', and then verifying the package by running 'rpm -Vv [nameofpackage]' should give you an idea of whether your RPMDB is to be trusted. All of the rest, like I said before, was handled a gazillion times over. Reading your rkhunter.conf should get you most and five minutes' worth of searching this forum and the rkhunter mailing list archives the rest. Do try that before replying.
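Added example, not rpm's own code and not from this thread: once rpm -qf has named the package, rpm -Vv prints one line per file with an eight-character flag string on CentOS 5's rpm 4.4 (S size, M mode, 5 MD5 digest, D device, L symlink target, U owner, G group, T mtime; rpm 4.6 and later add a ninth column, P, for capabilities), an optional attribute letter such as c for a config file, and the path. The script below reads that output and separates the routine failures (an edited config file, an mtime-only change) from the ones where the content no longer matches the package, which is the case to settle before running --propupd. SAMPLE_VERIFY is constructed output in that format, not output from the OP's machine, and /etc/modprobe.conf is used there only as a plausible config-file line. The file_kind() helper is included because a compiled ELF executable such as /sbin/depmod shows up as unreadable bytes in a text viewer: its first four bytes are 0x7f 'E' 'L' 'F', whereas a script dropped in its place (the "replaced by a script" warning above) starts with '#!'.

```python
"""Interpret 'rpm -V' output for the files rkhunter flagged, and tell a
compiled binary from a script replacement by its first bytes.
Added example; not rpm's code and not from this thread.  SAMPLE_VERIFY is
constructed; on the real box run
    rpm -qf /sbin/depmod --qf='%{NAME}\\n'   and then   rpm -Vv <package>
and feed the second command's output to report()."""
import re
import sys

# One column per attribute in rpm's verify string.  '.' means it matched the
# package database, '?' means it could not be checked.  P (capabilities) is
# the ninth column on rpm 4.6 and later; CentOS 5's rpm 4.4 prints eight.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "md5 digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group", "T": "mtime",
    "P": "capabilities",
}

# flags (or the word 'missing'), optional attribute letter (c config,
# d documentation, g ghost, l license, r readme), then the path.
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")


def parse_verify(output):
    """(path, set of failed attributes, attr letter or None, missing) for every
    line that reports a difference.  'rpm -Vv' also lists unchanged files as
    all dots; those are dropped here."""
    rows = []
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flags, attr, path = m.groups()
        if flags == "missing":
            rows.append((path, set(), attr, True))
            continue
        failed = {FLAG_MEANING[c] for c in flags if c in FLAG_MEANING}
        if failed:
            rows.append((path, failed, attr, False))
    return rows


def classify(path, failed, attr, missing):
    """Verdict for one verify line.  Order matters: a digest change on a
    non-config file is the case that should stop you from running --propupd."""
    if missing:
        return "missing: deleted since install; reinstall the package"
    if attr == "c" and failed <= {"size", "md5 digest", "mtime"}:
        return "config file edited locally; expected"
    if failed == {"mtime"}:
        return "mtime only; content still matches the package"
    if "md5 digest" in failed or "size" in failed:
        return "content differs from the package; possible replacement, do not --propupd yet"
    if failed & {"mode", "owner", "group"}:
        return "permissions or ownership changed; compare with rpm -q --dump"
    return "other attribute changed: " + ", ".join(sorted(failed))


def report(output):
    """[(path, verdict)] for the lines of rpm -V output that need a decision."""
    return [(path, classify(path, failed, attr, missing))
            for path, failed, attr, missing in parse_verify(output)]


def file_kind(head):
    """Classify a file by its first bytes: an ELF executable such as
    /sbin/depmod starts with 0x7f 'E' 'L' 'F' and looks like garbage in a
    text editor; a script dropped in its place starts with '#!'."""
    if head.startswith(b"\x7fELF"):
        return "ELF binary"
    if head.startswith(b"#!"):
        return "script"
    return "other"


# Constructed rpm -Vv output (nine-column form); not from the OP's system.
SAMPLE_VERIFY = """\
.........    /sbin/depmod
S.5....T.    /sbin/modprobe
.......T.    /sbin/lsmod
.M.......    /sbin/insmod
S.5....T.  c /etc/modprobe.conf
missing      /usr/share/man/man8/depmod.8.gz
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERIFY
    for path, verdict in report(text):
        print("%-40s %s" % (path, verdict))
    with open("/sbin/depmod", "rb") as f:
        print("/sbin/depmod is:", file_kind(f.read(4)))
```

One caveat unSpawn's reply already hints at: rpm -V compares files against the RPM database on the same box, so a clean result only means "matches what rpmdb says", and an attacker with root could have edited both. If the content check fails on a system binary, compare the file against a freshly downloaded copy of the same package (rpm -Kv on the package, then extract with rpm2cpio) rather than trusting the local database.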
 