Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-23-2007, 01:22 AM | #1 | Member | Registered: Nov 2005 | Location: New Jersey, USA | Distribution: SuSE | Posts: 492
rkhunter warnings
I have a SuSE 9.3 server with an install that's about a year old. I've been meaning to install rkhunter for a while, but just got around to it tonight.
I set it up to run in my nightly admin cron job, and email the log to me (as well as saving it locally). I just did a test run, and got quite a few warnings in the log.
I searched most of them on Google, and scarily didn't come up with anything for a few of them:
[00:57:58] Value of hiddendirs: /etc/.java /etc/.pwd.lock
I know that .java is ok, but couldn't find anything online about .pwd.lock, but it said:
[00:57:59] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
so I assume this is OK...
One side-note, it said that Apache wasn't found... I guess rkhunter doesn't support Apache2 yet?
[00:58:40] Scanning OpenSSL...
[00:58:41] /usr/bin/openssl found
[00:58:41] Version 0.9.7e seems to be vulnerable (if unpatched)!
[00:58:41] ----------------------------------------------------------
[00:58:41] Scanning PHP...
[00:58:43] /usr/bin/php found
[00:58:44] Version 4.3.10 seems to be vulnerable (if unpatched)!
[00:58:44] ----------------------------------------------------------
[00:58:44] Scanning ProFTPd...
[00:58:44] /usr/sbin/proftpd found
[00:58:45] Version 1.2.5rc1 seems to be vulnerable (if unpatched)!
I just ran the YaST update and didn't get anything for these...
Thanks for any help.
01-23-2007, 02:52 AM | #2 | LQ Newbie | Registered: Mar 2004 | Distribution: Debian - Sid | Posts: 23
I too was getting strange error messages from rkhunter until I ran rkhunter --update. That seemed to fix most of the problems that I was having. In addition, look into the config file; there are known hidden directories that are commented out. If you are comfortable with the hidden directory, uncomment the line in the config file to not receive the error message, or add your own directory path.
Scott
01-23-2007, 10:59 AM | #3 | Member | Registered: Nov 2005 | Location: New Jersey, USA | Distribution: SuSE | Posts: 492 | Original Poster
Thanks for the info. I just ran --update, I'll post tomorrow with the results of the next scan.
If they're not anything to worry about, I'd rather leave them in there and check them from time to time... after all, if someone does get root, it would be pretty easy to check for rkhunter installed, look in the config file, and get a list of ignored files.
01-23-2007, 12:41 PM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: I know that .java is ok, but couldn't find anything online about .pwd.lock, but it said: so I assume this is OK...
Next to what ScottSmith already said, a short explanation. In short: don't assume, but make certain. Filenames that start with a dot are not listed by default and only show up if you use the 'ls' '-a' switch. Because of that these filenames are (still) considered suspicious. If files are part of a package it is easiest to verify using your distro's package manager. If they are not part of a package you will have to get info with 'stat' to see ownership, access permissions and modification and access times, and 'file' to get an idea of the contents. If it appears to be text, visual inspection is the easiest way to get a clue; else, if it's data, try using 'strings'.
Besides that RKH 1.2.9 comes with an offline copy of the FAQ which should help you find out more.
Quote: One side-note, it said that Apache wasn't found... I guess rkhunter doesn't support Apache2 yet?
RKH does support Apache2. You're probably (since you didn't post it) pointing towards a glitch that's fixed in CVS. If you can spare the time, do me a favour and run the CVS version. Please notice the project was here: http://sourceforge.net/projects/rkhunter a long time ago and is not anymore at http://www.rootkit.nl/, which is dusty, deprecated and dead as far as I'm concerned. Anything pointing to it should be updated or have the link removed.
The version check could be fixed, like ScottSmith already said, by running --update, unless nobody in the community notified us that versions changed.
Quote: I too was getting strange error messages from rkhunter
If there are any that weren't fixed, let me know, OK?
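One way to carry out the triage the moderator describes (package ownership first, then stat, file and strings), as an added example that is not from this thread or from rkhunter itself. It assumes GNU-style stat -c and the file(1) utility; the rpm-then-dpkg-then-"unowned" fallback is my own choice.

```shell
#!/bin/sh
# Triage of one hidden path, following the moderator's steps above:
# package ownership first, then stat, then file, then strings for data.
# Constructed example, not part of rkhunter. Assumes GNU stat and file(1).

# Report which package owns a path: rpm first (SuSE, as in this thread),
# then dpkg; prints "unowned" when no package claims it.
pkg_owner() {
  p=$1
  if command -v rpm >/dev/null 2>&1 && rpm -qf "$p" >/dev/null 2>&1; then
    rpm -qf "$p"
  elif command -v dpkg >/dev/null 2>&1 && dpkg -S "$p" >/dev/null 2>&1; then
    dpkg -S "$p" | cut -d: -f1
  else
    echo unowned
  fi
}

# Classify contents as "empty", "text" or "data" (cf. "/etc/.pwd.lock [empty]").
content_kind() {
  p=$1
  if [ ! -s "$p" ]; then
    echo empty
  elif file -b "$p" | grep -qi text; then
    echo text
  else
    echo data
  fi
}

# Full triage: ownership, stat metadata, and a peek at text or strings.
inspect_hidden() {
  p=$1
  printf '== %s\n' "$p"
  printf 'package: %s\n' "$(pkg_owner "$p")"
  stat -c 'owner=%U:%G mode=%a modified=%y accessed=%x' "$p"
  kind=$(content_kind "$p")
  printf 'contents: %s\n' "$kind"
  case $kind in
    text) head -n 20 "$p" ;;           # text: look at it directly
    data) strings "$p" | head -n 20 ;; # data: pull printable strings
  esac
}

# Usage: inspect_hidden /etc/.pwd.lock
```

An empty, root-owned, package-unowned file whose mtime matches the OS install date (the picture the original poster reports) is consistent with a lock file, but the point of the script is that you read that off the output instead of assuming it.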
01-23-2007, 03:39 PM | #5 | Member | Registered: Nov 2005 | Location: New Jersey, USA | Distribution: SuSE | Posts: 492 | Original Poster
I ran --update.
I installed the package from a SuSE 9.3 RPM which, I assume, may be a bit dusty.
The .pwd.lock file is empty, owned by root, and last modified on the date of the OS installation... so hopefully it's not anything to worry about...