rkhunter warnings - Should I be concerned and if so how do I fix this?
I just downloaded and ran rkhunter on OpenSuse 13.2 in the XFCE desktop and got these warning messages:
Code:
Checking for prerequisites [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/bin/chkconfig [ Warning ]
/usr/bin/egrep [ Warning ]
/usr/bin/fgrep [ Warning ]
/usr/bin/ldd [ Warning ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for running syslog daemon [ Warning ]
Checking for hidden files and directories [ Warning ]
Am I screwed, or how can I fix the problems claimed to be affecting my system? I'm pretty new to Linux these days. I remember the old days prior to Slackware, but it's all new to me again with modern twists because I got lazy and used Windows too long. Heck, I started on Plato back in 1973 and so much has changed! Any help for a 50 year young guy would be appreciated! Thanks, Rolland
Code:
zypper se rkhunter
Code:
man rkhunter
https://en.opensuse.org/Rootkit_Hunter
Did you set up the database and then run an "update", to update the rules?
Code:
su -
Take care, Rolland
I had expected something more, well, verbose from Rkhunter. Are you sure that is all the detail it provided, and have you turned the verbosity up to maximum (whatever that takes)? Anyway...
This is important because you want to run it on a pristine, clean, system before making any updates, and use that as a reference (the appropriate switch is documented in the man page). This reference is then used to say 'if there are any changes - deltas to the original reference system - have they occurred as a result of deliberate, known, explicitly requested, updates, or is there some unknown thing causing them?' If answer = 'unknown thing', then worry.

If there is any chance that someone makes a change before you capture the reference state, then that is bad, as that change will be under the radar, for all time (or, at least, 'till a re-install). This is why getting that snapshot early is vital. And that's what I need to complain to them about. (After that, when you make a deliberate update, that changes the reference system, but you capture a new reference state, but only when you have made sure that you understand what has gone on.)

OK, that said...
I think egrep/fgrep and ldd are used by Rkh, and it is a link to those (which could be misdirection to a 'tricked up' executable that does something bad) which is causing suspicion. Check any link points to a sensible place, and that the executable there is the one known to, e.g., YaST. Anything else would trigger real suspicions. (Although there is a 'brute force and ignorance' way of dealing with this, which is to use, e.g., YaST to overwrite these executables and ensure that the location that YaST has just used is the one pointed to by the links. Not a pretty way of dealing with it, but at least you are sure... or sure-ish.)
What you should be concerned about is clearly identified in /var/log/rkhunter.log
Have a look.
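As an added example (not code from any poster in this thread), a bash script that carries out the two suggestions above: follow the symlink chain of each flagged path to see where it really lands, confirm the file at the end of the chain against the package database (rpm, which is what YaST and zypper use underneath on openSUSE, is assumed to be the right tool), and pull only the Warning lines out of /var/log/rkhunter.log. The path list is the one from the first post.

```shell
# Added example, not from the thread. Triage the paths rkhunter flagged:
# show each symlink chain, check the real file against rpm (assumed, as on
# openSUSE), and extract Warning lines from an rkhunter log. Only once every
# flagged file checks out would you record a new reference state with
# "rkhunter --propupd".
# Print a path's symlink chain, one hop per line, ending at the real file.
link_chain() {
    local p="$1" target
    printf '%s\n' "$p"
    while [ -L "$p" ]; do
        target=$(readlink "$p")
        case "$target" in
            /*) p="$target" ;;                  # absolute link target
            *)  p="$(dirname "$p")/$target" ;;  # relative to the link's directory
        esac
        printf '%s\n' "$p"
    done
}
# Report the package owning the real file behind a path and whether rpm's
# recorded attributes still match it. Prints one of:
#   "ok <pkg>", "modified <pkg>", "unowned", "rpm-unavailable".
check_owner() {
    local real pkg
    real=$(link_chain "$1" | tail -n 1)
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; return 0; }
    pkg=$(rpm -qf "$real" 2>/dev/null | head -n 1)
    [ -n "$pkg" ] || { echo "unowned"; return 0; }
    # rpm -V lists only the files that differ from the package database
    if rpm -V "$pkg" 2>/dev/null | awk -v f="$real" '$NF == f {hit = 1} END {exit !hit}'; then
        echo "modified $pkg"
    else
        echo "ok $pkg"
    fi
}
# Print only the warning lines of an rkhunter log: the "[ Warning ]" test
# results and the "Warning:" detail lines that follow them.
log_warnings() {
    grep -E '\[ Warning \]|Warning:' "$1"
}
# Walk a list of flagged paths and print each chain plus its verdict.
triage_flagged() {
    local f
    for f in "$@"; do
        echo "== $f"
        link_chain "$f" | sed 's/^/   -> /'
        echo "   $(check_owner "$f")"
    done
}
triage_flagged /usr/sbin/ifup /usr/bin/chkconfig /usr/bin/egrep /usr/bin/fgrep /usr/bin/ldd
```

Run it as root on the affected box, then `log_warnings /var/log/rkhunter.log` to read the detail behind each test result.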