Old 05-14-2020, 07:44 PM   #1
sirius57
need advice on root kit hunter log file results opensuse 13.1


I have to repair grub2 by booting the install DVD into repair mode and issuing the following commands:
mount /dev/sda2 /mnt
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mkdir /mnt/mounts
mount --rbind /mounts /mnt/mounts
chroot /mnt
grub2-install /dev/sda
exit
reboot

I also ran e2fsck on the drive.

I do not have to repair grub2 after a system reboot, just on a power up. I ran Rootkit Hunter and it found 3 suspect files. These are script files and I am not sure if they are false positives. I am pasting my log files to this post. The first time it ran there were 3 suspect files reported; the second time it ran, it reported all good. The two log files are posted one after the other. The suspect files are:
/sbin/ifup
/usr/bin/ldd
/usr/bin/chkconfig

I had to edit out the bulk of the reports so I could post it. The warnings are in the report.

Thank you for your time.



[12:11:12] Running Rootkit Hunter version 1.4.0 on linux-693r
[12:11:12]
[12:11:12] Info: Start date is Thu May 14 12:11:12 EDT 2020
[12:11:12]
[12:11:12] Checking configuration file and command-line options...
[12:11:12] Info: Detected operating system is 'Linux'
[12:11:12] Info: Uname output is 'Linux linux-693r 3.11.6-4-desktop #1 SMP PREEMPT Wed Oct 30 18:04:56 UTC 2013 (e6d4a27) x86_64 x86_64 x86_64 GNU/Linux'
[12:11:13] Info: Command line is /usr/bin/rkhunter --check
[12:11:13] Info: Environment shell is /bin/bash; rkhunter is using bash
[12:11:13] Info: Using configuration file '/etc/rkhunter.conf'
[12:11:13] Info: Installation directory is '/usr'
[12:11:13] Info: Using language 'en'
[12:11:13] Info: Using '/var/lib/rkhunter/db' as the database directory
[12:11:13] Info: Using '/usr/lib64/rkhunter/scripts' as the support script directory
[12:11:13] Info: Using '/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin' as the command directories
[12:11:13] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[12:11:13] Info: No mail-on-warning address configured
[12:11:13] Info: X will be automatically detected
[12:11:13] Info: Found the 'basename' command: /usr/bin/basename
[12:11:13] Info: Found the 'diff' command: /usr/bin/diff
[12:11:13] Info: Found the 'dirname' command: /usr/bin/dirname
[12:11:13] Info: Found the 'file' command: /usr/bin/file
[12:11:13] Info: Found the 'find' command: /usr/bin/find
[12:11:13] Info: Found the 'ifconfig' command: /sbin/ifconfig
[12:11:13] Info: Found the 'ip' command: /bin/ip
[12:11:13] Info: Found the 'ldd' command: /usr/bin/ldd
[12:11:13] Info: Found the 'lsattr' command: /usr/bin/lsattr
[12:11:13] Info: Found the 'lsmod' command: /bin/lsmod
[12:11:13] Info: Found the 'lsof' command: /usr/bin/lsof
[12:11:13] Info: Found the 'mktemp' command: /usr/bin/mktemp
[12:11:13] Info: Found the 'netstat' command: /bin/netstat
[12:11:13] Info: Found the 'perl' command: /usr/bin/perl
[12:11:13] Info: Found the 'pgrep' command: /usr/bin/pgrep
[12:11:13] Info: Found the 'ps' command: /usr/bin/ps
[12:11:13] Info: Found the 'pwd' command: /usr/bin/pwd
[12:11:13] Info: Found the 'readlink' command: /usr/bin/readlink
[12:11:13] Info: Found the 'stat' command: /usr/bin/stat
[12:11:14] Info: Found the 'strings' command: /usr/bin/strings
[12:11:14] Info: System is not using prelinking
[12:11:14] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[12:11:14] Info: The hash function field index is set to 1
[12:11:14] Info: Using package manager 'RPM' for file property checks
[12:11:14] Info: Found the 'rpm' command: /bin/rpm
[12:11:14] Info: Previous file attributes were stored
[12:11:14] Info: Enabled tests are: all
[12:11:14] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
[12:11:14] Info: Including user files for file properties check:
[12:11:14] /etc/rkhunter.conf
[12:11:14] Info: Found ksym file '/proc/kallsyms'
[12:11:14] Info: Using 'date' to process epoch second times.
[12:11:14] Info: Locking is not being used
[12:11:14]
[12:11:14] Starting system checks...
[12:11:14]
[12:11:14] Info: Starting test name 'system_commands'
[12:11:14] Checking system commands...
[12:11:14]
[12:11:14] Info: Starting test name 'strings'
[12:11:14] Performing 'strings' command checks
[12:11:14] Scanning for string /usr/sbin/ntpsx [ OK ]
[12:11:14] Scanning for string /usr/sbin/.../bkit-ava [ OK ]
[12:11:14] Scanning for string /usr/sbin/.../bkit-d [ OK ]
[12:11:15] Scanning for string /usr/sbin/.../bkit-shd [ OK ]
[12:11:15] Scanning for string /usr/sbin/.../bkit-f [ OK ]
[12:11:15] Scanning for string /usr/include/.../proc.h [ OK ]
[12:11:15] Scanning for string /usr/include/.../.bash_history [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-get [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-dl [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-screen [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-sleep [ OK ]
[12:11:15] Scanning for string /usr/lib/.../bkit-adore.o [ OK ]
[12:11:15] Scanning for string /usr/lib/.../ls [ OK ]
[12:11:15] Scanning for string /usr/lib/.../netstat [ OK ]
[12:11:15] Scanning for string /usr/lib/.../lsof [ OK ]
[12:11:15] Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[12:11:45] /sbin/fsck [ OK ]
[12:11:45] /sbin/ifconfig [ OK ]
[12:11:45] /sbin/ifdown [ OK ]
[12:11:45] /sbin/ifstatus [ OK ]
[12:11:45] /sbin/ifup [ Warning ]
[12:11:45] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[12:11:45] /sbin/init [ OK ]
[12:11:46] /sbin/insmod [ OK ]
[13:40:37] Info: Starting test name 'system_configs'
[13:40:37] Performing system configuration file checks
[13:40:37] Checking for SSH configuration file [ Found ]
[13:40:37] Info: Found SSH configuration file: /etc/ssh/sshd_config
[13:40:38] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[13:40:38] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[13:40:38] Checking if SSH root access is allowed [ Warning ]
[13:40:38] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[13:40:38] Checking if SSH protocol v1 is allowed [ Warning ]
[13:40:38] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[13:40:38] Checking for running syslog daemon [ Found ]
[13:40:38] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[13:40:38] Checking for syslog configuration file [ Found ]
[13:40:38] Checking if syslog remote logging is allowed [ Not allowed ]
[13:40:38]
[13:40:38] Info: Starting test name 'filesystem'
[13:40:38] Performing filesystem checks
[13:40:38] Info: SCAN_MODE_DEV set to 'THOROUGH'
[13:40:39] Info: Found file '/dev/.sysconfig/network/ifup-lo': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/if-lo': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/config-lo': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/started': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/new-stamp-2': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-2445994891': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-2167102362': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-1026961346': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-3381024706': it is whitelisted.
[13:40:39] Checking /dev for suspicious file types [ Warning ]
[13:40:39] Warning: Suspicious file types found in /dev:
[13:40:39] /dev/.sysconfig/network/if-enp5s0: ASCII text
[13:40:39] /dev/.sysconfig/network/ifup-enp5s0: ASCII text
[13:40:39] /dev/.sysconfig/network/config-enp5s0: ASCII text
[13:40:40] Info: Found hidden directory '/dev/.sysconfig': it is whitelisted.
[13:40:40] Checking for hidden files and directories [ Warning ]
[13:40:40] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
[13:40:53]
[13:40:53] Info: Starting test name 'apps'
[13:40:53] Checking application versions...
[13:40:54] Info: Application 'exim' not found.
[13:40:54] Checking version of GnuPG [ OK ]
[13:40:54] Info: Application 'gpg' version '2.0.22' found.
[13:40:54] Info: Application 'httpd' not found.
[13:40:54] Info: Application 'named' not found.
[13:40:54] Checking version of OpenSSL [ OK ]
[13:40:54] Info: Application 'openssl' version '1.0.1e' found.
[13:40:54] Info: Application 'php' not found.
[13:40:54] Checking version of Procmail MTA [ OK ]
[13:40:54] Info: Application 'procmail' version '3.22' found.
[13:40:54] Info: Application 'proftpd' not found.
[13:40:54] Checking version of OpenSSH [ OK ]
[13:40:54] Info: Application 'sshd' version '6.2,' found.
[13:40:55] Info: Applications checked: 4 out of 9
[13:40:55]
[13:40:55] System checks summary
[13:40:55] =====================
[13:40:55]
[13:40:55] File properties checks...
[13:40:55] Required commands check failed
[13:40:55] Files checked: 181
[13:40:55] Suspect files: 3
[13:40:55]
[13:40:55] Rootkit checks...
[13:40:55] Rootkits checked : 306
[13:40:55] Possible rootkits: 0
[13:40:55]
[13:40:55] Applications checks...
[13:40:55] Applications checked: 4
[13:40:55] Suspect applications: 0
[13:40:55]
[13:40:55] The system checks took: 2 minutes and 55 seconds
[13:40:56]
[13:40:56] Info: End date is Thu May 14 13:40:55 EDT 2020

Next run of rootkit test check...........


[19:20:16]
[19:20:16] Performing checks on the network ports
[19:20:16] Info: Starting test name 'ports'
[19:20:16] Performing check for backdoor ports
[19:20:17] Checking for TCP port 1524 [ Not found ]
[19:20:17] Checking for TCP port 1984 [ Not found ]
[19:20:17] Checking for UDP port 2001 [ Not found ]
[19:20:17] Checking for TCP port 2006 [ Not found ]
[19:20:17] Checking for TCP port 2128 [ Not found ]
[19:20:18] Checking for TCP port 6666 [ Not found ]
[19:20:18] Checking for TCP port 6667 [ Not found ]
[19:20:18] Checking for TCP port 6668 [ Not found ]
[19:20:18] Checking for TCP port 6669 [ Not found ]
[19:20:18] Checking for TCP port 7000 [ Not found ]
[19:20:19] Checking for TCP port 13000 [ Not found ]
[19:20:19] Checking for TCP port 14856 [ Not found ]
[19:20:19] Checking for TCP port 25000 [ Not found ]
[19:20:19] Checking for TCP port 29812 [ Not found ]
[19:20:19] Checking for TCP port 31337 [ Not found ]
[19:20:20] Checking for TCP port 32982 [ Not found ]
[19:20:20] Checking for TCP port 33369 [ Not found ]
[19:20:20] Checking for TCP port 47107 [ Not found ]
[19:20:20] Checking for TCP port 47018 [ Not found ]
[19:20:20] Checking for TCP port 60922 [ Not found ]
[19:20:21] Checking for TCP port 62883 [ Not found ]
[19:20:21] Checking for TCP port 65535 [ Not found ]
[19:20:21] Checking for backdoor ports [ None found ]
[19:20:21]
[19:20:21] Info: Test 'hidden_ports' disabled at users request.
[19:20:21]
[19:20:21] Performing checks on the network interfaces
[19:20:21] Info: Starting test name 'promisc'
[19:20:21] Checking for promiscuous interfaces [ None found ]
[19:20:21]
[19:20:21] Info: Test 'packet_cap_apps' disabled at users request.
[19:20:21]
[19:20:21] Info: Starting test name 'local_host'
[19:20:21] Checking the local host...
[19:20:22]
[19:20:22] Info: Starting test name 'startup_files'
[19:20:22] Performing system boot checks
[19:20:22] Checking for local host name [ Found ]
[19:20:22]
[19:20:22] Info: Starting test name 'startup_malware'
[19:20:22] Checking for system startup files [ Found ]
[19:20:25] Checking system startup files for malware [ None found ]
[19:20:25]
[19:20:25] Info: Starting test name 'group_accounts'
[19:20:25] Performing group and account checks
[19:20:25] Checking for passwd file [ Found ]
[19:20:25] Info: Found password file: /etc/passwd
[19:20:25] Checking for root equivalent (UID 0) accounts [ None found ]
[19:20:25] Info: Found shadow file: /etc/shadow
[19:20:25] Checking for passwordless accounts [ None found ]
[19:20:25]
[19:20:25] Info: Starting test name 'passwd_changes'
[19:20:25] Checking for passwd file changes [ None found ]
[19:20:25]
[19:20:25] Info: Starting test name 'group_changes'
[19:20:25] Checking for group file changes [ None found ]
[19:20:26] Checking root account shell history files [ OK ]
[19:20:26]
[19:20:26] Info: Starting test name 'system_configs'
[19:20:26] Performing system configuration file checks
[19:20:26] Checking for SSH configuration file [ Found ]
[19:20:26] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:20:26] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[19:20:26] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:20:26] Checking if SSH root access is allowed [ Warning ]
[19:20:26] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[19:20:26] Checking if SSH protocol v1 is allowed [ Warning ]
[19:20:26] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[19:20:26] Checking for running syslog daemon [ Found ]
[19:20:26] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[19:20:27] Checking for syslog configuration file [ Found ]
[19:20:27] Checking if syslog remote logging is allowed [ Not allowed ]
[19:20:27]
[19:20:27] Info: Starting test name 'filesystem'
[19:20:27] Performing filesystem checks
[19:20:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
[19:20:27] Info: Found file '/dev/.sysconfig/network/ifup-lo': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/if-lo': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/config-lo': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/started': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/new-stamp-2': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-945268521': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-3889263875': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-1133244443': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-779620220': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-2167102362': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-1026961346': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-3381024706': it is whitelisted.
[19:20:28] Checking /dev for suspicious file types [ Warning ]
[19:20:28] Warning: Suspicious file types found in /dev:
[19:20:28] /dev/.sysconfig/network/if-enp5s0: ASCII text
[19:20:28] /dev/.sysconfig/network/ifup-enp5s0: ASCII text
[19:20:28] /dev/.sysconfig/network/config-enp5s0: ASCII text
[19:20:29] Info: Found hidden directory '/dev/.sysconfig': it is whitelisted.
[19:20:29] Checking for hidden files and directories [ Warning ]
[19:20:29] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
[19:20:29]
[19:20:29] Info: Starting test name 'apps'
[19:20:29] Checking application versions...
[19:20:30] Info: Application 'exim' not found.
[19:20:30] Checking version of GnuPG [ OK ]
[19:20:30] Info: Application 'gpg' version '2.0.22' found.
[19:20:30] Info: Application 'httpd' not found.
[19:20:30] Info: Application 'named' not found.
[19:20:30] Checking version of OpenSSL [ OK ]
[19:20:30] Info: Application 'openssl' version '1.0.1e' found.
[19:20:30] Info: Application 'php' not found.
[19:20:30] Checking version of Procmail MTA [ OK ]
[19:20:30] Info: Application 'procmail' version '3.22' found.
[19:20:31] Info: Application 'proftpd' not found.
[19:20:31] Checking version of OpenSSH [ OK ]
[19:20:31] Info: Application 'sshd' version '6.2,' found.
[19:20:31] Info: Applications checked: 4 out of 9
[19:20:31]
[19:20:31] System checks summary
[19:20:31] =====================
[19:20:31]
[19:20:31] File properties checks...
[19:20:31] Files checked: 181
[19:20:31] Suspect files: 0
[19:20:31]
[19:20:31] Rootkit checks...
[19:20:31] Rootkits checked : 306
[19:20:31] Possible rootkits: 0
[19:20:31]
[19:20:31] Applications checks...
[19:20:31] Applications checked: 4
[19:20:31] Suspect applications: 0
[19:20:31]
[19:20:31] The system checks took: 4 minutes and 34 seconds
[19:20:31]
[19:20:31] Info: End date is Thu May 14 19:20:31 EDT 2020
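Added example (not from the thread or the rkhunter project): a small parser for the rkhunter log format quoted above that groups warnings by test name, pulls out the "replaced by a script" suspects, and diffs the warnings between two runs, which is what the poster did by eye. The two log excerpts inside it are constructed from a few of the lines quoted in this post, not the full logs.

```python
import re
from collections import defaultdict

# Constructed excerpts in the rkhunter log format quoted in this thread
# (a few lines from each of the two runs, not the full logs).
RUN1 = """\
[12:11:14] Info: Starting test name 'system_commands'
[12:11:45] /sbin/ifup [ Warning ]
[12:11:45] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[13:40:37] Info: Starting test name 'system_configs'
[13:40:38] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[13:40:38] Info: Starting test name 'filesystem'
[13:40:40] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
"""
RUN2 = """\
[19:20:26] Info: Starting test name 'system_configs'
[19:20:26] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[19:20:27] Info: Starting test name 'filesystem'
[19:20:29] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
"""

LINE = re.compile(r"^\[\d\d:\d\d:\d\d\] ?(.*)$")      # timestamped log line
TEST = re.compile(r"Info: Starting test name '([^']+)'")
WARN = re.compile(r"^Warning: (.*)")
SCRIPT = re.compile(r"The command '([^']+)' has been replaced by a script")

def parse_warnings(log):
    """Map each rkhunter test name to the list of warnings it raised."""
    warnings = defaultdict(list)
    test = "unknown"
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            # rkhunter wraps long warnings onto untimestamped lines; glue them back on
            if warnings.get(test):
                warnings[test][-1] += " " + raw.strip()
            continue
        body = m.group(1)
        t = TEST.search(body)
        if t:
            test = t.group(1)
            continue
        w = WARN.match(body)
        if w:
            warnings[test].append(w.group(1).strip())
    return dict(warnings)

def replaced_by_script(log):
    """Paths flagged as a binary replaced by a script (the poster's suspects)."""
    hits = [SCRIPT.search(w) for ws in parse_warnings(log).values() for w in ws]
    return [m.group(1) for m in hits if m]

def diff_runs(old, new):
    """Per test: warnings cleared since the old run, and warnings new in it."""
    a, b = parse_warnings(old), parse_warnings(new)
    out = {}
    for test in sorted(set(a) | set(b)):
        cleared = sorted(set(a.get(test, [])) - set(b.get(test, [])))
        added = sorted(set(b.get(test, [])) - set(a.get(test, [])))
        if cleared or added:
            out[test] = {"cleared": cleared, "new": added}
    return out
```

On the box itself, each path returned by replaced_by_script can be checked against the package manager's own record with `rpm -Vf <path>`, the same RPM file-property data rkhunter reports it is using; a warning that disappears between two runs without any package change is worth noting rather than dismissing.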
 
Old 05-15-2020, 12:02 PM   #2
smallpond
My /sbin/ifup (CentOS 7) is a script with copyright 1996 so I would take RK's warnings with a grain of hydroxychloroquine.
 
Old 05-15-2020, 12:29 PM   #3
sevendogsbsd
So, opensuse 13.1 was discontinued (EOL) Feb 3rd 2016. Is this a system that needs to remain on that version or is/was this a Suse Linux Enterprise product?

For rkhunter, look at the warnings. Suspected rootkits in both of those runs show 0.
 
Old 05-16-2020, 10:16 AM   #4
sirius57
It is not an enterprise product. I use this version because it works well with the 3D NVIDIA driver for games and found the nouveau driver lacking in the Tumbleweed release. I'm not sure if that is also true with openSUSE Leap. The newer releases work well with non-NVIDIA cards concerning 3D from my experience. I replaced the hard drive with a SATA solid state drive. Recently, on boot up, I read this warning 'attempt to read or write outside of disk hd0' that results in a kernel panic. e2fsck -cfpv /dev/sda2 was performed using a recovery disk, as well as the grub2 repair that I listed in my post. Both repairs have not eliminated the warning that happens on boot, and it takes several boot attempts, so I decided to leave the box on 24/7. About 2 or 3 times I noticed the mouse cursor not behaving while browsing and my browser pages would go wild for a few seconds, and another time on wake up the task bar disappeared and it froze, so I began to think about possible compromise. Not sure how to proceed with diagnosing a read/write error.
 
Old 05-16-2020, 12:48 PM   #5
sevendogsbsd
Does not sound like a compromise. If you get compromised, you’ll never know. Not reassuring but that’s the way it is. A good (skilled black hat) hacker is not going to target an individual because there is nothing in it. Better to go after a company with a credit card database, personal data. Unless it’s some degenerate hacking an iot device.

The problem with running an unsupported OS is you get no updates which can leave security holes. Up to you really.

Last edited by sevendogsbsd; 05-16-2020 at 12:51 PM.
 
  

