03-23-2012, 04:13 AM, #1
programer (Member; Registered: Mar 2012; Location: India; Distribution: Linux mint 14, Ubuntu 12.10; Posts: 46)
RKhunter log file - Is there any malicious issues?


I presently have a server with CentOS 6.x installed with DA panel and also Rkhunter installed and running; today I got a mail with the following information from the server
--------
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.

-----------------------

Is this a potential harm? What does this indicate? How do I rectify this?

Also I came to know that Chunter and rkhunter will only identify the malicious codes but will not remove it. How do I remove it automatically? Are there any tools available for that?

I read through some forums that this softwares are totally outdate. Is there any equivalent software for this?
 
03-23-2012, 06:11 AM, #2
linoseros (LQ Newbie; Registered: Feb 2012; Posts: 11)
I think so many binaries have been replaced!
 
03-23-2012, 08:03 AM, #3
unSpawn (Moderator; Registered: May 2001; Posts: 29,361; Blog Entries: 55)
Quote:
Originally Posted by linoseros
I think so many binaries have been replaced!
There is no need to "think", "guess" or "feel" because computing is binary: an application can be tested to find out if it is vulnerable or not, configuration settings can be checked to determine if an option is safe or not and distribution package contents can be verified to find out if they are altered or not. Because of a previous post it is suggested you do some research before you post.


Quote:
Originally Posted by programer
Is this a potential harm? What does this indicate? How do I rectify this?
Yes, I know it is boring and tedious but before you run an application it is suggested to read the documentation that comes with it. The FAQ tries to answer often-asked questions and the comments in rkhunter.conf should provide clues as well. If that doesn't work for you then the README suggests which information sources to check and in which order. You could also search LQ as these questions are not unique, they have been asked before. Efficiency and such.


Quote:
Originally Posted by programer
Also I came to know that Chunter and rkhunter will only identify the malicious codes but will not remove it. How do I remove it automatically? Are there any tools available for that?
Trying to "fix" security incidents that way is not the right approach.


Quote:
Originally Posted by programer
I read through some forums that this softwares are totally outdate
The reasons these "softwares are totally outdate" are due to a shift in attack vectors (from rootkit to application stack), the approach to detection (passive and post-incident versus actively providing early warnings) and the methods of finding evidence (signature-based versus behaviour-based). Anyway, where did you read that if I may ask?


Quote:
Originally Posted by programer
I presently have a server with CentOS 6.x installed with DA panel and also Rkhunter installed
The way you asked questions (before), the fact you run a VPS and a web-based management panel and the hint you run or will be running PHP-based applications like WordPress or Joomla makes me think you really should invest time and properly harden your server before doing anything else. The CentOS server administration documentation, SANS Reading Room whitepapers, SANS/OWASP common mistakes list and CIS Security benchmarks should be at the top of your list.
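One way to act on unSpawn's point that distribution package contents can be verified, as an added example that is not from the thread, from rkhunter or from CentOS: a POSIX shell script that pulls the file paths out of the warning lines quoted in the first post and asks rpm whether each path is owned by a package and still matches it. The sample warning lines are embedded (constructed from the post) so the script runs offline; on a real host you would feed it the rkhunter log instead.

```shell
#!/bin/sh
# Added example, not from the thread: triage rkhunter "replaced by a script" and
# "hidden file/directory" warnings on a CentOS/RHEL host by asking rpm whether
# each flagged path is owned by a package and whether its contents still match.

# Constructed sample of the warning lines quoted in the post, embedded so the
# script runs offline; on a real host feed it /var/log/rkhunter.log instead.
sample_warnings() {
cat <<'EOF'
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden directory found: /dev/.udev
EOF
}

# Pull one path per line out of the warning kinds that name a file on disk.
# Config and version warnings (PermitRootLogin, openssl, sshd) carry no path
# and are out of scope for this check.
extract_paths() {
    sed -n \
        -e "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p" \
        -e 's/^Warning: Hidden file found: \([^:]*\).*/\1/p' \
        -e 's/^Warning: Hidden directory found: \([^:]*\).*/\1/p'
}

# Verdict for one path, printed as "<verdict> <path>":
#   skip     rpm is not installed (not an RPM-based host)
#   unowned  no package claims the path: find out how it got there
#   modified a package owns it but size/digest/mode differ from the package
#   clean    owned by a package and unchanged (rpm -V prints nothing for it)
check_path() {
    p=$1
    command -v rpm >/dev/null 2>&1 || { echo "skip $p"; return 0; }
    rpm -qf "$p" >/dev/null 2>&1 || { echo "unowned $p"; return 0; }
    # rpm -Vf verifies the owning package; an output line ending in our path
    # means some attribute of that file no longer matches the package database.
    if rpm -Vf "$p" 2>/dev/null | awk -v f="$p" '$NF == f { found = 1 } END { exit !found }'; then
        echo "modified $p"
    else
        echo "clean $p"
    fi
}

# Run the triage over every path in the warnings on stdin.
triage() {
    extract_paths | while IFS= read -r p; do check_path "$p"; done
}
sample_warnings | triage
```

On a stock CentOS 6 install /sbin/ifdown, /sbin/ifup and /usr/bin/ldd are shipped as shell scripts by their own packages, so an owned-and-unchanged verdict there is expected and can be recorded with the SCRIPTWHITELIST option in rkhunter.conf. An unowned or modified verdict on a system binary is the finding that justifies treating the host as possibly compromised rather than tuning the warning away.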