Whitelisting questions in regards to avoiding any more false positives
I removed the entries that I made and uncommented the ALLOWHIDDENDIR=/dev/.udev entry. When I did this I still received the warnings.
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
Are you sure that this is the correct entry to comment out?
I'm fairly sure, but I don't know what your system looks like and what is and isn't in the rkhunter configuration file. The above posted info doesn't tell us anything, except that there is or might be something wrong.
The log file has all the info you need to find out which file(s) and/or directories are seen as suspicious. Are they still the same as those posted in post #13? Are there any others? Have you determined if they are false alarms?
BTW: You need to be thorough and precise when setting this up, blindly white-listing what is in the logs is pointless.
I understand that I need to be thorough and precise when setting this up and that blindly white-listing what is in the logs is pointless. But to answer your question, here is what is in the rkhunter.log file after I uncommented those entries that you told me to uncomment, and I am still receiving that warning when I run Rootkit Hunter.
Code:
[16:14:13] Info: Starting test name 'filesystem'
[16:14:13] Performing filesystem checks
[16:14:13] Info: SCAN_MODE_DEV set to 'THOROUGH'
[16:14:14] Checking /dev for suspicious file types [ Warning ]
[16:14:14] Warning: Suspicious file types found in /dev:
[16:14:14] /dev/.udev/db/class@input@input0@event0: ASCII text
[16:14:14] /dev/.udev/db/class@usb_device@usbdev2.3: ASCII text
[16:14:14] /dev/.udev/db/class@usb_device@usbdev2.1: ASCII text
[16:14:14] /dev/.udev/db/class@usb_device@usbdev2.2: ASCII text
[16:14:14] /dev/.udev/db/class@usb_device@usbdev1.2: ASCII text
[16:14:14] /dev/.udev/db/class@usb_device@usbdev1.1: ASCII text
[16:14:14] /dev/.udev/db/block@sda@sda1: ASCII text
[16:14:14] /dev/.udev/db/block@sda@sda2: ASCII text
[16:14:14] /dev/.udev/db/class@input@input1@event1: ASCII text
[16:14:14] /dev/.udev/db/class@input@input1@mouse0: ASCII text
[16:14:14] /dev/.udev/db/class@input@input2@event2: ASCII text
[16:14:14] /dev/.udev/db/block@sda: ASCII text
[16:14:14] /dev/.udev/db/block@sr0: ASCII text
[16:14:14] /dev/.udev/db/block@ram1: ASCII text
[16:14:14] /dev/.udev/db/block@ram0: ASCII text
[16:14:14] /dev/.udev/db/class@misc@device-mapper: ASCII text
[16:14:14] /dev/.udev/db/class@input@mice: ASCII text
[16:14:14] /dev/.udev/uevent_seqnum: ASCII text
[16:14:14] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[16:14:14] Checking for hidden files and directories [ Warning ]
[16:14:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:14:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
I honestly don't know why I keep receiving that warning for no reason. However, on a more positive note, I didn't find any rootkits. Do you think I should just add these to the rkhunter.conf file and see if, by leaving them uncommented, the warnings go away?
How would I find out if these are really harmful or not, and what can I do with them if they are? Should I just Google each one to see if they have been whitelisted already, because that would be too time-consuming? Keep in mind too that I do not have any rootkits on my server at all. So Rootkit Hunter must be doing something right.
Last edited by michaellopez12; 12-19-2013 at 01:59 PM.
Quote:
Originally Posted by michaellopez12
[16:14:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:14:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Quote:
Originally Posted by michaellopez12
How would I find out if these are really harmful or not and what I can do with them if they are? Should I just Google each one to see if they have been whitelisted already because that would be too time consuming?
Read chapter 3.1 from the FAQ file.
Last edited by druuna; 12-20-2013 at 10:22 AM.
Reason: Fixed typo
With no network, all hits are false positives,
so you can edit your conf with some comfort.
Once you have a network up, it gets trickier;
that's why there is the second opinion option if you are not sure.
2) You cannot rely on Google..... it shows hits for someone whitelisting a file,
but naughty people can hide something in a well-known file.
I am not an expert, but better you find out now that you have made a mistake and fix your thinking?
Of course I never make any mistakes.... grins like a sheep
I can't afford to start over. It would take too long. But thanks anyway.
Code:
[16:14:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:14:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
What, in your opinion, would be the best way to tackle these hidden files? Go straight to the /usr/bin directory? Where in the /usr/bin directory would I find these files?
Last edited by michaellopez12; 12-23-2013 at 02:30 PM.
Quote:
Originally Posted by michaellopez12
What, in your opinion, would be the best way to tackle these hidden files?
- Investigate why these files are there and what they represent (did you do a web search? Have you figured out what the hmac extension stands for? etc).
- If you think they are valid (or not) ask others about these files (My answer: They might be valid, I also see these on RHEL 5 and 6).
- Check if the content is valid (My answer: I cannot help you with that. I don't run CentOS 6.5. I do know that the content of the hmac files is the same for specific major.minor version numbers. Check against another CentOS 6.5 box).
Quote:
Go straight to the /usr/bin directory? Where in the /usr/bin directory would I find these files?
??? The exact location of the files is in the warning message.
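The two open questions in this thread (post above: "should I just add these to rkhunter.conf?", and druuna's reply here: investigate, attribute, then compare the content) can be worked through in one script. The following is an added example, not rkhunter's own code and not posted by anyone in the thread. It assumes the log line shapes quoted above, the rkhunter.conf options ALLOWHIDDENFILE and ALLOWDEVFILE (which exist alongside the ALLOWHIDDENDIR option already used in the thread), and an RPM-based box such as CentOS for the ownership check; the sample log is constructed from the thread's own entries.

```shell
#!/bin/sh
# Added example for this thread: not rkhunter's code and not posted by anyone
# in it. It reads rkhunter.log warning lines shaped like the ones quoted above,
# runs the package-ownership check for each flagged path, and only then prints
# the rkhunter.conf line (ALLOWHIDDENFILE / ALLOWDEVFILE) that whitelists that
# exact path. The sample log is constructed from the thread's own entries.

SAMPLE_LOG='[16:14:14] Warning: Suspicious file types found in /dev:
[16:14:14] /dev/.udev/db/block@sda: ASCII text
[16:14:14] /dev/.udev/uevent_seqnum: ASCII text
[16:14:14] Info: Found hidden directory /dev/.udev: it is whitelisted.
[16:14:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:14:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text'

# One path per line for every "Warning: Hidden file found:" entry on stdin.
hidden_files() {
    sed -n 's/^\[[^]]*\] Warning: Hidden file found: \(\/[^:]*\):.*$/\1/p'
}

# One path per line for the entries listed under "Suspicious file types found in /dev:".
# Those lines start with the timestamp followed directly by a /dev/... path.
dev_files() {
    sed -n 's/^\[[^]]*\][[:space:]]*\(\/dev\/[^:]*\):.*$/\1/p'
}

# The rkhunter.conf line that whitelists exactly this path (no wildcards on purpose:
# a broad pattern would also hide a file an attacker drops next to the real ones).
whitelist_line() {
    case "$1" in
        /dev/*) printf 'ALLOWDEVFILE=%s\n' "$1" ;;
        *)      printf 'ALLOWHIDDENFILE=%s\n' "$1" ;;
    esac
}

# Ownership check, printed as a '#' comment so the whole report can be pasted
# into rkhunter.conf with the evidence next to each whitelist line.
owner_check() {
    if ! command -v rpm >/dev/null 2>&1; then
        printf '# rpm not available; attribute %s some other way before whitelisting\n' "$1"
        return 0
    fi
    if pkg=$(rpm -qf "$1" 2>/dev/null); then
        # rpm -V lists only files that differ from the package's recorded digest,
        # so no match for this path means the file is exactly what the package shipped.
        if rpm -V "$pkg" 2>/dev/null | grep -qF -- "$1"; then
            printf '# %s is owned by %s but DIFFERS from the packaged copy: investigate first\n' "$1" "$pkg"
        else
            printf '# %s is owned by %s and matches the packaged copy\n' "$1" "$pkg"
        fi
    else
        printf '# %s is not owned by any package (or is missing): do NOT whitelist blindly\n' "$1"
    fi
}

# Full report for a log on stdin: ownership evidence, then the whitelist line, per path.
report() {
    log=$(cat)
    { printf '%s\n' "$log" | hidden_files; printf '%s\n' "$log" | dev_files; } |
    while IFS= read -r path; do
        owner_check "$path"
        whitelist_line "$path"
    done
}

# Stand-alone run over the constructed sample; for a real scan use:
#   report < /path/to/rkhunter.log
printf '%s\n' "$SAMPLE_LOG" | report
```

The point of printing the ownership result before each ALLOW line is that a hidden file under /usr/bin or /usr/sbin that no package owns, or that differs from the packaged copy, is the one case where the warning must not be silenced; the compare-against-another-box step druuna describes is what `rpm -V` does locally against the digest recorded at install time.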
Well yes. That is what I am asking. I am asking for the exact location of these files. If you don't know, that is okay, because I did find them, and when I issued the following command:
vi fipscheck under the /usr/bin directory, I found a text file that had nothing but gibberish written on it.
Quote:
Originally Posted by michaellopez12
[16:14:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:14:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:14:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
The red parts ARE the files and their full path. How obvious can it be?
Just out of curiosity. Have you tried using the rkhunter mailing list? I ask this because I have tried using it to forward a message to this e-mail address: rkhunter-users@lists.sourceforge.net
and this was the message I got back:
Dear Sir or Madam,
I will not be back in the office until 06.01.2014. For urgent matters please contact Daniel Schier <dschier@cyberport.de>.
Your e-mail will not be forwarded.
Kind regards,
Silvio Knizek
System Administrator eCommerce
Do you know off hand if the mailing list is even operational?
Since I have added these to my rkhunter.conf configuration file, without putting the # symbol in front of them, I have stopped receiving that warning at the end. Thanks.
Is it safe to assume that, now this has been done, I am going to be safe from rootkits taking over my computer? Or is this something that I need to be proactive on when running Rootkit Hunter? I am going to ask some people about these suspicious files and get their advice.