Web Hosting Talk

ATT: rkhunter URGENT - Problems


minotauro
09-02-2004, 09:43 AM
Hello,

Yesterday, I ran rkhunter and no problems were found. Today, after running rkhunter, it found these problems (on 3 different servers):

/bin/egrep [ BAD ]
/bin/fgrep [ BAD ]
/bin/grep [ BAD ]
/bin/ps [ BAD ]
/sbin/sysctl [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]

Maybe a false positive? If not, any idea how to find the problem? Detail: no trojan / backdoor found.

Thanks,
Minotauro.

asc2000
09-02-2004, 09:49 AM
I have too, after updating the kernel.

minotauro
09-02-2004, 10:02 AM
Originally posted by asc2000
I have too, after updating the kernel.

Hello asc2000,

Ok, my kernel is:

Linux x.x.x 2.4.21-15.0.4.ELsmp #1 Thu Oct 23 01:36:33 EDT 2003 i686 i686 i386 GNU/Linux

Regards,
Minotauro.

andreyka
09-02-2004, 10:25 AM
If you use RPMs (the right way), you can check these files.
First, ask rpm about this file:

#rpm -qf /bin/egrep
grep-2.5.1-7.8

See? This file is in the grep rpm.
Second, ask rpm to check grep:

# rpmquery -V grep

It answers if the file has been modified.

GideonX
09-02-2004, 10:28 AM
Are you running RH? Did up2date download/install new RPMs overnight? Check your logs...

kris1351
09-02-2004, 10:36 AM
Yes, the old version was 1.3.8 of egrep and the new is 1.3.11 after last night's cPanel updates. All of the md5sums match the installs on our servers; I think it is just rkhunter reading them incorrectly now.

sehe
09-02-2004, 12:55 PM
I guess the new checksums are not added to rkhunter's db yet.
Check if a new rkhunter version is out; they should be added ASAP.

Angel78
09-02-2004, 01:30 PM
Latest version is 1.1.7.

Type rkhunter --version to check yours.

heavypredato
09-03-2004, 07:59 AM
I see the same, but it looks like an rkhunter bug.

dynamicnet
09-03-2004, 09:27 AM
Greetings:

When I run Root Kit Hunter 1.1.7 on a recently updated RedHat Enterprise server, I don't get any false positives.

If you are using an older version, you may want to try 1.1.7.

However, if that reports problems, then maybe there are problems.

Thank you.

Angel78
09-03-2004, 11:19 AM
Anyone getting this on RHE 3.0?


Rootkit Hunter 1.1.7 is running

Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

heavypredato
09-03-2004, 11:50 AM
What version of grep are you all running?

#rpm -qf /bin/egrep

gives me grep-2.5.1-24.1, and it's showing it as bad on all servers, so it must be a non-updated md5 in rkhunter.

md5 e41ba09db4d05bb217f679463ebe50e3 /bin/egrep

I don't think all servers could be infected.

rkhunter
09-04-2004, 04:04 AM
Friends,

Please send me your logfiles when you have bad MD5 hashes after updating! So I can update the hash database.

After updating you only have to run rkhunter --update and it should be ok, like before. Please send any messages with the contact form on my website (www.rootkit.nl).

Michael

Angel78
09-04-2004, 05:05 AM
Originally posted by rkhunter
Friends,

Please send me your logfiles when you have bad MD5 hashes after updating! So I can update the hash database.

After updating you only have to run rkhunter --update and it should be ok, like before. Please send any messages with the contact form on my website (www.rootkit.nl).

Michael


I have sent you my rkhunter.log (I just deleted the usernames from the "check usernames" part).

:)

minotauro
09-04-2004, 09:05 AM
Originally posted by rkhunter
Friends,

Please send me your logfiles when you have bad MD5 hashes after updating! So I can update the hash database.

After updating you only have to run rkhunter --update and it should be ok, like before. Please send any messages with the contact form on my website (www.rootkit.nl).

Michael

Hello all,

Thanks for the information!! Michael, I already sent you my rkhunter.log; thanks for any help or information.

Regards,
Minotauro.

Steven
09-04-2004, 10:34 AM
Originally posted by dynamicnet
Greetings:

When I run Root Kit Hunter 1.1.7 on a recently updated RedHat Enterprise server, I don't get any false positives.

If you are using an older version, you may want to try 1.1.7.

However, if that reports problems, then maybe there are problems.

Thank you.

http://www.webhostingtalk.com/showthread.php?s=&postid=2446557#post2446557

Read my post there. You are giving them false information again.

dynamicnet
09-04-2004, 11:15 AM
Greetings Steve:

1. Take the time to read the very first post on this thread --> http://www.webhostingtalk.com/showthread.php?s=&threadid=316614

2. I stand by my statement, which is correct, that on all of our RedHat Enterprise servers updated to Taroon 3, we get no false positives.

There are no "[ BAD ]" entries stated. And we are using Root Kit Hunter 1.1.7.

Thank you.

Steven
09-04-2004, 12:25 PM
Originally posted by dynamicnet
Greetings Steve:

1. Take the time to read the very first post on this thread --> http://www.webhostingtalk.com/showthread.php?s=&threadid=316614

2. I stand by my statement, which is correct, that on all of our RedHat Enterprise servers updated to Taroon 3, we get no false positives.

There are no "[ BAD ]" entries stated. And we are using Root Kit Hunter 1.1.7.

Thank you.


Too bad it is not possible to get no [bad] entries. The new md5 sums are not present in the 1.1.7 version, since it was released on August 29 and the new md5sums are from Sept. 1st, 2nd, and 3rd. Just not possible.

GideonX
09-04-2004, 12:30 PM
I'm going to have to side with thelinuxguy on this one; it's basically impossible to avoid the [BAD] reports, as rkhunter just doesn't have the new MD5sums in its database.

dynamicnet
09-04-2004, 12:34 PM
Greetings:

Then the impossible happened for the various RedHat Enterprise ES 3 servers we manage.

Thank you.

Steven
09-04-2004, 12:35 PM
Originally posted by dynamicnet
Greetings:

Then the impossible happened for the various RedHat Enterprise ES 3 servers we manage.

Thank you.

No the impossible is you failed to update.

rkhunter
09-04-2004, 12:38 PM
Ladies...?

Don't fight ;) Just let me know which hashes are wrong (by sending me the logfile).

If you don't have any changes, please check (with RPM) if you have the latest updates installed.

You are both two good guys, so why argue about some stupid updates? :)

GideonX
09-04-2004, 12:40 PM
Originally posted by dynamicnet
Greetings:

Then the impossible happened for the various RedHat Enterprise ES 3 servers we manage.

Thank you.

How is it that you are able to get RKHunter to have the correct MD5sums when they aren't even in the database? Not sure why you are so adamant about this; it's not an opinionated argument. Either you updated your system and your sums check, or you didn't.

Even the RKhunter author is asking for logs of this, doesn't that make you wonder what's really happening?

edit: sorry to bring you into this rkhunter, keep up the great work :)

dynamicnet
09-04-2004, 12:42 PM
Greetings:

Do you see any [ BAD ] ?


cat /etc/issue.net
Red Hat Enterprise Linux ES release 3 (Taroon Update 3)
Kernel \r on an \m


Rootkit Hunter 1.1.7 is running

Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Skipped!


Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit '****`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes/usr/bin/lsattr: No such file or directory While reading flags on /usr/sbin/rcmysql
/usr/bin/lsattr: No such file or directory While reading flags on /usr/bin/recompile
[ OK ]
Checking LKM module path [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]


System checks
* Allround tests
Checking hostname... Found. Hostname is web.dynamicnet.net
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
.......................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]


Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- ClamAV 0.75.1 [ OK ]
- PHP 4.3.8 [ OK ]
- Procmail MTA 3.22 [ OK ]



Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info: PermitRootLogin without-password
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]


---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 320
Possible infected files: 0

Application scan
Vulnerable applications: 4

Scanning took 71 seconds
Scan results written to logfile (/var/log/rkhunter.log)

Steven
09-04-2004, 12:42 PM
root@slinky [~/rkhunter]# rkhunter --version
Rootkit Hunter 1.1.7
root@slinky [~/rkhunter]#


Okay, I have run

rkhunter -c --cronjob --createlogfile


MD5
MD5 compared: 48
Incorrect MD5 checksums: 12

File scan
Scanned files: 320
Possible infected files: 0

Application scan
Vulnerable applications: 4

Scanning took 50 seconds
Scan results written to logfile (/var/log/rkhunter.log)



Now let's look at the log file:
[12:36:43] /bin/egrep Hash NOT valid (My MD5: e41ba09db4d05bb217f679463ebe50e3, expected: 1a1c4e75e82a51bc570350aa22184913)
[12:36:43] Using whitelists to compare MD5 hash (searching for e41ba09db4d05bb217f679463ebe50e3)
[12:36:43] No whitelisted MD5 hash found for /bin/egrep
[12:36:43] MD5 hash for my file (/bin/egrep) is e41ba09db4d05bb217f679463ebe50e3, but is not in database
[12:36:43] End of whitelist compare
[12:36:43] Checking /bin/egrep against hashes in database (1a1c4e75e82a51bc570350aa22184913) failed
[12:36:43] RPM info: your package 'grep-2.5.1-24.1'
[12:36:43] RPM info: packages in database: grep-2.5.1-16
[12:36:43] /bin/env hash valid, found in database
[12:36:43] /bin/fgrep Hash NOT valid (My MD5: e41ba09db4d05bb217f679463ebe50e3, expected: 01b9524c8e60a5e167132a6e85452cd0)
[12:36:43] Using whitelists to compare MD5 hash (searching for e41ba09db4d05bb217f679463ebe50e3)
[12:36:43] No whitelisted MD5 hash found for /bin/fgrep
[12:36:43] MD5 hash for my file (/bin/fgrep) is e41ba09db4d05bb217f679463ebe50e3, but is not in database
[12:36:43] End of whitelist compare
[12:36:43] Checking /bin/fgrep against hashes in database (01b9524c8e60a5e167132a6e85452cd0) failed
[12:36:43] RPM info: your package 'grep-2.5.1-24.1'
[12:36:43] RPM info: packages in database: grep-2.5.1-16
[12:36:43] /bin/grep Hash NOT valid (My MD5: e41ba09db4d05bb217f679463ebe50e3, expected: 92f09f237afcc6439abd0a864ff5df7d)
[12:36:43] Using whitelists to compare MD5 hash (searching for e41ba09db4d05bb217f679463ebe50e3)
[12:36:43] No whitelisted MD5 hash found for /bin/grep
[12:36:43] MD5 hash for my file (/bin/grep) is e41ba09db4d05bb217f679463ebe50e3, but is not in database
[12:36:43] End of whitelist compare
[12:36:43] Checking /bin/grep against hashes in database (92f09f237afcc6439abd0a864ff5df7d) failed
[12:36:43] RPM info: your package 'grep-2.5.1-24.1'
[12:36:44] RPM info: packages in database: grep-2.5.1-16
[12:36:44] /bin/kill hash valid, found in database
[12:36:44] /bin/login hash valid, found in database
[12:36:44] /bin/ls hash valid, found in database
[12:36:44] /bin/mount hash valid, found in database
[12:36:44] /bin/netstat hash valid, found in database
[12:36:44] /bin/ps Hash NOT valid (My MD5: 4e64729be30119a2f755f9d300f460f9, expected: 9bd8bf260adc81d3a43a086fce6b430a)
[12:36:44] Using whitelists to compare MD5 hash (searching for 4e64729be30119a2f755f9d300f460f9)
[12:36:44] No whitelisted MD5 hash found for /bin/ps
[12:36:44] MD5 hash for my file (/bin/ps) is 4e64729be30119a2f755f9d300f460f9, but is not in database
[12:36:44] End of whitelist compare
[12:36:44] Checking /bin/ps against hashes in database (9bd8bf260adc81d3a43a086fce6b430a) failed
[12:36:44] RPM info: your package 'procps-2.0.17-10'
[12:36:44] RPM info: packages in database: procps-2.0.13-9.2E
[12:36:44] /bin/su hash valid, found in database
[12:36:44] /sbin/chkconfig Hash NOT valid (My MD5: 9bf498af39ca4dbbd8849fb475032ff7, expected: 02a6770731c79ae3b489bce3a33c55$
[12:36:44] Using whitelists to compare MD5 hash (searching for 9bf498af39ca4dbbd8849fb475032ff7)
[12:36:44] No whitelisted MD5 hash found for /sbin/chkconfig
[12:36:44] MD5 hash for my file (/sbin/chkconfig) is 9bf498af39ca4dbbd8849fb475032ff7, but is not in database
[12:36:45] RPM info: packages in database: chkconfig-1.3.8-3
[12:36:45] /sbin/depmod Hash NOT valid (My MD5: f67d966ebf39ac884e99a60ed29f451a, expected: 3ee8e8b380f7c2d61a92058d893c026b)
[12:36:45] /sbin/depmod Hash NOT valid (My MD5: f67d966ebf39ac884e99a60ed29f451a, expected: f22674a73db6a1b68bd929b427338821)
[12:36:45] /sbin/depmod Hash NOT valid (My MD5: f67d966ebf39ac884e99a60ed29f451a, expected: 1d0e78d33a8c49414dff94ae65c5cc11)
[12:36:45] Using whitelists to compare MD5 hash (searching for f67d966ebf39ac884e99a60ed29f451a)
[12:36:45] No whitelisted MD5 hash found for /sbin/depmod
[12:36:45] MD5 hash for my file (/sbin/depmod) is f67d966ebf39ac884e99a60ed29f451a, but is not in database
[12:36:45] End of whitelist compare
[12:36:45] Checking /sbin/depmod against hashes in database (3ee8e8b380f7c2d61a92058d893c026b
f22674a73db6a1b68bd929b427338821
1d0e78d33a8c49414dff94ae65c5cc11) failed
[12:36:45] RPM info: your package 'modutils-2.4.25-13.EL'
[12:36:45] RPM info: packages in database: modutils-2.4.25-11.EL
modutils-2.4.25-9.EL
modutils-2.4.25-12.EL
[12:36:45] /sbin/ifconfig hash valid, found in database
[12:36:45] /sbin/init Hash NOT valid (My MD5: c635c3c8778596be4a83593b26c27cec, expected: 90888c9fc0d9968b7d338740bb00122c)
[12:36:45] /sbin/init hash valid, found in database
[12:36:45] /sbin/insmod Hash NOT valid (My MD5: 3978a5ac9070563276e83016d32282c4, expected: 262664a94cccc7ea3acc95c4ed6cf65b)
[12:36:45] /sbin/insmod Hash NOT valid (My MD5: 3978a5ac9070563276e83016d32282c4, expected: f998c3e41531ade97b2c7d7933687da8)
[12:36:45] /sbin/insmod Hash NOT valid (My MD5: 3978a5ac9070563276e83016d32282c4, expected: 3ea3cbafcd7db7595969beb2043536f5)
[12:36:45] Using whitelists to compare MD5 hash (searching for 3978a5ac9070563276e83016d32282c4)
[12:36:45] No whitelisted MD5 hash found for /sbin/insmod
[12:36:45] MD5 hash for my file (/sbin/insmod) is 3978a5ac9070563276e83016d32282c4, but is not in database
[12:36:45] End of whitelist compare
[12:36:45] Checking /sbin/insmod against hashes in database (262664a94cccc7ea3acc95c4ed6cf65b
f998c3e41531ade97b2c7d7933687da8
3ea3cbafcd7db7595969beb2043536f5) failed
[12:36:45] RPM info: your package 'modutils-2.4.25-13.EL'
[12:36:45] RPM info: packages in database: modutils-2.4.25-11.EL
modutils-2.4.25-9.EL
modutils-2.4.25-12.EL
[12:36:45] /sbin/modinfo Hash NOT valid (My MD5: 8934944c5ce4742fa91801fea2721d4d, expected: 500ea6824d2810f133b3949a42a3ad50)
[12:36:46] /sbin/modinfo Hash NOT valid (My MD5: 8934944c5ce4742fa91801fea2721d4d, expected: 7cf43bb904863baa740566b73bef836d)
[12:36:46] /sbin/modinfo Hash NOT valid (My MD5: 8934944c5ce4742fa91801fea2721d4d, expected: c7302e0b33375b3f968ce8f8e7674667)
[12:36:46] No whitelisted MD5 hash found for /sbin/modinfo
[12:36:46] MD5 hash for my file (/sbin/modinfo) is 8934944c5ce4742fa91801fea2721d4d, but is not in database
[12:36:46] End of whitelist compare
[12:36:46] Checking /sbin/modinfo against hashes in database (500ea6824d2810f133b3949a42a3ad50
7cf43bb904863baa740566b73bef836d
c7302e0b33375b3f968ce8f8e7674667) failed
[12:36:46] RPM info: your package 'modutils-2.4.25-13.EL'
[12:36:46] RPM info: packages in database: modutils-2.4.25-11.EL
modutils-2.4.25-9.EL
modutils-2.4.25-12.EL
[12:36:46] /sbin/runlevel Hash NOT valid (My MD5: 8175cc96f3a2cd134fc35c6739a6b4c3, expected: 1ee5df34d0b75cf7b3fca7a82a4b618$
[12:36:46] /sbin/runlevel hash valid, found in database
[12:36:46] /sbin/sysctl Hash NOT valid (My MD5: 2115eb229dc7378a4dcc60875ec1cf3f, expected: 425f95a6465587aa08918a914c2324d0)
[12:36:46] Using whitelists to compare MD5 hash (searching for 2115eb229dc7378a4dcc60875ec1cf3f)
[12:36:46] No whitelisted MD5 hash found for /sbin/sysctl
[12:36:46] MD5 hash for my file (/sbin/sysctl) is 2115eb229dc7378a4dcc60875ec1cf3f, but is not in database
[12:36:46] End of whitelist compare
[12:36:46] /sbin/sysctl Hash NOT valid (My MD5: 2115eb229dc7378a4dcc60875ec1cf3f, expected: 425f95a6465587aa08918a914c2324d0)
[12:36:46] Using whitelists to compare MD5 hash (searching for 2115eb229dc7378a4dcc60875ec1cf3f)
[12:36:46] No whitelisted MD5 hash found for /sbin/sysctl
[12:36:46] MD5 hash for my file (/sbin/sysctl) is 2115eb229dc7378a4dcc60875ec1cf3f, but is not in database
[12:36:46] End of whitelist compare
[12:36:46] Checking /sbin/sysctl against hashes in database (425f95a6465587aa08918a914c2324d0) failed
[12:36:46] RPM info: your package 'procps-2.0.17-10'
[12:36:46] RPM info: packages in database: procps-2.0.13-9.2E
[12:36:46] /sbin/syslogd Hash NOT valid (My MD5: 75a7302bae84528783e510cd82e84374, expected: 4f1c0a24761deb8fd95e467add18a97f)
[12:36:46] /sbin/syslogd Hash NOT valid (My MD5: 75a7302bae84528783e510cd82e84374, expected: 784cac9348ad6d899c536d6e256707ce)
[12:36:46] /sbin/syslogd Hash NOT valid (My MD5: 75a7302bae84528783e510cd82e84374, expected: 3d3d77f77a76c7362b24a8b07051b098)
[12:36:46] Using whitelists to compare MD5 hash (searching for 75a7302bae84528783e510cd82e84374)
[12:36:46] No whitelisted MD5 hash found for /sbin/syslogd
[12:36:46] MD5 hash for my file (/sbin/syslogd) is 75a7302bae84528783e510cd82e84374, but is not in database
[12:36:46] End of whitelist compare
[12:36:46] Checking /sbin/syslogd against hashes in database (4f1c0a24761deb8fd95e467add18a97f
784cac9348ad6d899c536d6e256707ce
3d3d77f77a76c7362b24a8b07051b098) failed
[12:36:46] RPM info: your package 'sysklogd-1.4.1-12.3'
[12:36:46] RPM info: packages in database: sysklogd-1.4.1-12
sysklogd-1.4.1-12ensim1
sysklogd-1.4.1-12.1
[12:36:47] /usr/bin/file hash valid, found in database
[12:36:47] /usr/bin/find hash valid, found in database
[12:36:47] /usr/bin/groups hash valid, found in database
[12:36:47] /usr/bin/kill hash valid, found in database
[12:36:47] /usr/bin/killall hash valid, found in database
[12:36:47] /usr/bin/lsattr hash valid, found in database
[12:36:47] /usr/bin/pstree hash valid, found in database
[12:36:47] /usr/bin/sha1sum hash valid, found in database
[12:36:47] /usr/bin/stat hash valid, found in database
[12:36:47] /usr/bin/users hash valid, found in database
[12:36:47] /usr/bin/w Hash NOT valid (My MD5: 780585d4459338aa5e6745b7f13bfe62, expected: ef428d61e99a1263bb0bfc35eaffaea9)
[12:36:47] Using whitelists to compare MD5 hash (searching for 780585d4459338aa5e6745b7f13bfe62)
[12:36:47] No whitelisted MD5 hash found for /usr/bin/w
[12:36:47] MD5 hash for my file (/usr/bin/w) is 780585d4459338aa5e6745b7f13bfe62, but is not in database
[12:36:47] End of whitelist compare
[12:36:47] Checking /usr/bin/w against hashes in database (ef428d61e99a1263bb0bfc35eaffaea9) failed
[12:36:48] RPM info: your package 'procps-2.0.17-10'
[12:36:48] RPM info: packages in database: procps-2.0.13-9.2E
[12:36:48] /usr/bin/watch Hash NOT valid (My MD5: 041f940e8a9753460978e32634a31af5, expected: 47da5050adc6907ae8c3adf9535def5$
[12:36:48] Using whitelists to compare MD5 hash (searching for 041f940e8a9753460978e32634a31af5)
[12:36:48] Checking /usr/bin/watch against hashes in database (47da5050adc6907ae8c3adf9535def58) failed
[12:36:48] RPM info: your package 'procps-2.0.17-10'
[12:36:48] RPM info: packages in database: procps-2.0.13-9.2E
[12:36:48] /usr/bin/who hash valid, found in database
[12:36:48] /usr/bin/whoami hash valid, found in database

Steven
09-04-2004, 12:44 PM
There's your proof. I just ran up2date -u and then installed a fresh version of rkhunter. You did not update, plain and simple.

Steven
09-04-2004, 12:45 PM
Originally posted by dynamicnet
Greetings:

Do you see any [ BAD ] ?


cat /etc/issue.net
Red Hat Enterprise Linux ES release 3 (Taroon Update 3)
Kernel \r on an \m


Rootkit Hunter 1.1.7 is running

Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!



Dude READ IT:


Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

dynamicnet
09-04-2004, 12:46 PM
Greetings Steve:

Then why does /etc/issue.net report Taroon Update 3?

cat /etc/issue.net
Red Hat Enterprise Linux ES release 3 (Taroon Update 3)
Kernel \r on an \m


Thank you.

Steven
09-04-2004, 12:47 PM
Dude you just ignored my post:

your rkhunter said:

Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Therefore it is NOT CHECKING MD5SUM.



Determining OS... Warning: this operating system is not fully supported!
Ready


Also makes me think you're faking the release. RHE is 100% supported.

dynamicnet
09-04-2004, 12:50 PM
Greetings Steve:

Read the very 1st post in this thread.

The issue was about [BAD] vs. [OK].

I stated, I got zero [BAD].

Thank you.

Steven
09-04-2004, 12:51 PM
Originally posted by dynamicnet
Greetings Steve:

Then why does /etc/issue.net report Taroon Update 3?

cat /etc/issue.net
Red Hat Enterprise Linux ES release 3 (Taroon Update 3)
Kernel \r on an \m


Thank you.


root@slinky [~]# cat /etc/issue.net
This computer system is for authorized users only. Individuals using this
system without authority or in excess of their authority are subject to
having all their activities on this system monitored and recorded or
examined by any authorized person, including law enforcement, as system
personnel deem appropriate. In the course of monitoring individuals
improperly using the system or in the course of system maintenance, the
activities of authorized users may also be monitored and recorded. Any
material so recorded may be disclosed as appropriate. Anyone using this
system consents to these terms.


root@slinky [~]#


Maybe because you put it in the file?

Steven
09-04-2004, 12:53 PM
Originally posted by dynamicnet
Greetings Steve:

Read the very 1st post in this thread.

The issue was about [BAD] vs. [OK].

I stated, I got zero [BAD].

Thank you.


Dude, do you realize it is not even checking the md5 sum? So it will not say bad. If it was checking, it would. Your server is either compromised or your rkhunter is damaged.

rkhunter
09-04-2004, 12:54 PM
Please read the other thread, it solves the problem ;-)

dynamicnet
09-04-2004, 12:55 PM
Greetings Steve:

The issue was the very 1st post in the thread. Please read.

The person reported [BAD], and then everyone jumped on the band wagon stating otherwise.

All I stated is that I get [OK].

Thank you.

P.S. /etc/issue.net should mimic /etc/redhat-release on RedHat servers; maybe you edited yours <smile>.

Steven
09-04-2004, 01:01 PM
Originally posted by dynamicnet
Greetings Steve:

The issue was the very 1st post in the thread. Please read.

The person reported [BAD], and then everyone jumped on the band wagon stating otherwise.

All I stated is that I get [OK].

Thank you.

P.S. /etc/issue.net should mimic /etc/redhat-release on RedHat servers; maybe you edited yours <smile>.


Do you read the words coming out of my keyboard? I could care less what the post was about. All I was doing was correcting you, and you keep denying it; the cold hard facts are here.

sehe
09-04-2004, 01:02 PM
Originally posted by dynamicnet

P.S. /etc/issue.net should mimic /etc/redhat-release on RedHat servers; maybe you edited yours <smile>.
cPanel does overwrite the issue.net file with the content above,
so I guess TLG is using cPanel and you're not.

dynamicnet
09-04-2004, 01:03 PM
Greetings Steve:

"I could care less what the post was about."

Yes, I know.

"All i was doing was correcting you and you"

No, you were sharing your opinion based on something I did not state nor was I talking about.

I posted that I got [OK], when I did get [OK].

Unless you can change the output of our systems so it states [BAD] then you cannot correct me.

Thank you.

Steven
09-04-2004, 01:04 PM
Originally posted by dynamicnet
Greetings Steve:

"I could care less what the post was about."

Yes, I know.

"All i was doing was correcting you and you"

No, you were sharing your opinion based on something I did not state nor was I talking about.

I posted that I got [OK], when I did get [OK].

Unless you can change the output of our systems so it states [BAD] then you cannot correct me.

Thank you.


Your server is not checking md5 sums, which is a security risk; I thought you were security conscious? You obviously are ignoring everything. Your rkhunter even said it was not going to check md5 sums, which automatically makes everything [ok].

dynamicnet
09-04-2004, 01:07 PM
Greetings Steve:

We have multiple checks for root kits of which root kit hunter is one.

Why not refer to your own post on http://www.webhostingtalk.com/showthread.php?s=&threadid=316834&perpage=15&pagenumber=2 before you start throwing jabs.

Thank you.

Steven
09-04-2004, 01:08 PM
Originally posted by dynamicnet
Greetings Steve:

We have multiple checks for root kits of which root kit hunter is one.

Why not refer to your own post on http://www.webhostingtalk.com/showthread.php?s=&threadid=316834&perpage=15&pagenumber=2 before you start throwing jabs.

Thank you.


What does that have to do with anything? That is a low blow. It shows your jealousy and irresponsibility to debate like adults.

dynamicnet
09-04-2004, 01:10 PM
Greetings Steve:

I posted it because you had a degree of rightness in your response.

You stated "Yes, that is true. WHT serves one purpose to... to tear a company apart imho." (which I agree to a degree).

That should tell you not to make jabs at others when you are not responsible for them nor do you know the entire situation.

Thank you.

Steven
09-04-2004, 01:12 PM
Originally posted by dynamicnet
Greetings Steve:

I posted it because you had a degree of rightness in your response.

You stated "Yes, that is true. WHT serves one purpose to... to tear a company apart imho." (which I agree to a degree).

That should tell you not to make jabs at others when you are not responsible for them nor do you know the entire situation.

Thank you.


You were giving false information in two posts and fail to recognize your error. Not very good in my book. Looks egoish. And this is my last post. There's no use arguing with you; you can't handle it and bring up unrelated items.

dynamicnet
09-04-2004, 01:13 PM
Greetings Steve:

I posted the output from one of the servers we manage.

The information I posted was correct.

Thank you.

Steven
09-04-2004, 01:14 PM
Originally posted by dynamicnet
Greetings Steve:

I posted the output from one of the servers we manage.

The information I posted was correct.

Thank you.

No, it was not. It did not check the md5 sum, therefore it was incorrect. It even said it was not going to check it. You know what they say, Hooked on Phonics works.

dynamicnet
09-04-2004, 01:18 PM
Greetings Steve:

Did you not just state, "And this is my last post." the post prior? <smile>.

I stand by what I posted, Steve, because I was responding to the very 1st post in the thread.

Thank you.

thaphantom
09-04-2004, 01:23 PM
Originally posted by dynamicnet
Greetings Steve:

Did you not just state, "And this is my last post." the post prior? <smile>.

I stand by what I posted, Steve, because I was responding to the very 1st post in the thread.

Thank you.
Damn, you really are stupid. Not only are you completely incorrect in what you are saying, but then you try to attack someone who actually is correct.

I suggest anyone looking for a server management company stay far away from these people. I wouldn't let them touch my server with a 50 foot pole.

Lem0nHead
09-04-2004, 01:31 PM
lol
That's funny.

"i didn't run any md5 check on my server, but i guarantee i didn't receive any bad md5 check!"

sehe
09-04-2004, 01:35 PM
dynamicnet:

The issue was about [BAD] vs. [OK].

I stated, I got zero [BAD].

true, due to this

Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

so it's unlikely that he will get [BAD] reports if the check is not being run, so his statement was correct

TLG and others get [BAD] reports while checking MD5 and SHA1 sums, because this check is being run on their systems, so their statements are correct too


MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

vs.

MD5
MD5 compared: 48
Incorrect MD5 checksums: 12


so maybe now stay on topic and stop the bashing?

P.S.
cat /etc/issue.net on rhel (AS) (from fresh rpm)

"Red Hat Enterprise Linux AS release 3 (Taroon)"

on one with cpanel on it
"This computer system is for authorized users only. Individuals using this
...
system consents to these terms"

rkhunter
09-04-2004, 01:42 PM
Come on everybody, be smart and stop the discussion. It's all based on a stupid miscommunication. It's the same like ****ing ducks --> stupid and not 'normal'....

You both lose your valuable meaning to this forum this way. I spoke to you both and you are both good guys. So why argue about some stupid thing?

Besides that, it's all offtopic to this thread (like my reaction now too..).

Become friends, you can help each other :-)

* resuming rkhunter development *

Lem0nHead
09-04-2004, 01:44 PM
well

back to topic then
is there already a solution for that?

i just got the last version of rkhunter and still find the [BAD]s

thanks

dynamicnet
09-04-2004, 01:46 PM
Greetings:

The solution is

rkhunter --update


Thank you.

spulis
09-04-2004, 01:48 PM
You beat me to it, thanks

Lem0nHead
09-04-2004, 01:52 PM
Originally posted by dynamicnet
Greetings:

The solution is

rkhunter --update


Thank you.

I asked before rkhunter ended and displayed the message to update ;)
thanks

Lem0nHead
09-04-2004, 01:54 PM
btw
on the md5 check i'm still getting:
/sbin/chkconfig [ BAD ]

and also:
- ClamAV 0.60 [ Vulnerable ]
- GnuPG 1.2.1 [ Vulnerable ]
- OpenSSL 0.9.7a [ Vulnerable ]
- ProFTPd 1.2.9 [ Vulnerable ]
- OpenSSH 3.6.1p2 [ Vulnerable ]

is it normal?

rkhunter
09-04-2004, 02:03 PM
Just run it a few times, I have just updated it 30 minutes ago. Most mirrors update within a few hours, so sometimes you can miss it due to that :-)

quote:
/sbin/chkconfig [ BAD ]

Send me your logfile please (www.rootkit.nl --> contact form)

Do you also use Red Hat? If so, RH patches some older version numbers, instead of using the latest versions of software. rkhunter checks (for now) on version numbers to decide which one should be upgraded. So it can be a false positive. If you don't use a distribution which patches older versions, you have to upgrade those software packages :-)

If you don't want an application test, run it with --skip-application-check. Specially made for RH users :-)

Lem0nHead
09-04-2004, 02:05 PM
Originally posted by rkhunter
Just run it a few times, I have just updated it 30 minutes ago. Most mirrors update within a few hours, so sometimes you can miss it due to that :-)

quote:
/sbin/chkconfig [ BAD ]

Send me your logfile please (www.rootkit.nl --> contact form)

Do you also use Red Hat? If so, RH patches some older version numbers, instead of using the latest versions of software. rkhunter checks (for now) on version numbers to decide which one should be upgraded. So it can be a false positive. If you don't use a distribution which patches older versions, you have to upgrade those software packages :-)

If you don't want an application test, run it with --skip-application-check. Specially made for RH users :-)

yes, it's RH

btw... which logfile?

spulis
09-04-2004, 02:05 PM
I did receive the same after the first update, but it has cleared up

rkhunter
09-04-2004, 02:06 PM
The one you get with --createlogfile :-)

spulis
09-04-2004, 02:10 PM
by the way thanks, rkhunter

andreyka
09-04-2004, 02:14 PM
To prevent these situations I recommend using tripwire.

Lem0nHead
09-04-2004, 02:15 PM
Originally posted by rkhunter
The one you get with --createlogfile :-)

Your message has been sent. Thank you for your input!

btw... just a question
does rkhunter trust /usr/bin/md5sum?
if someone hacks the system and changes it to output the "correct" MD5s, will the checks still be good?

rkhunter
09-04-2004, 02:16 PM
Originally posted by spulis
by the way thanks, rkhunter

For what...?

sehe
09-04-2004, 02:44 PM
Originally posted by Lem0nHead
btw... just a question
does rkhunter trust /usr/bin/md5sum?
if someone hacks the system and changes it to output the "correct" MD5s, will the checks still be good?
[20:42:56] Info: Using /usr/bin/md5sum to verify MD5 hashes
[20:42:56] Info: /usr/bin/md5sum found
[20:42:56] Info: Digest::MD5 installed (version 2.33).
[20:42:56] Info: Using Perl Digest::MD5 module instead of /usr/bin/md5sum

rkhunter
09-04-2004, 02:47 PM
Originally posted by Lem0nHead
btw... just a question
does rkhunter trust /usr/bin/md5sum?
if someone hacks the system and changes it to output the "correct" MD5s, will the checks still be good?

It doesn't trust anything, but will make use of it ;-)

But.. if it can find the MD5 Perl module, it will use that.

It is possible to avoid rkhunter detection; you could even replace things in rkhunter to avoid it. But that's why there are many new releases, because it gets better every release. And as long as it cannot trust 100% some parts of the system, the tests can fail and give you a false sense of security ;-)

The intention of rkhunter is to create a foolproof application which cannot be tricked, and that's why I am doing active development on it.

So step in, subscribe yourself to the Freshmeat project page (http://www.freshmeat.net/projects/rkhunter) and stay updated :-)

Mike in FL
09-04-2004, 11:03 PM
I wonder how many people ordered OS restores before finding this thread. ;)

Then, out of those people, how many ordered a second one after thinking the box was already compromised again within 5 minutes of the first restore? :D

Steven
09-04-2004, 11:08 PM
Originally posted by seiler
I wonder how many people ordered OS restores before finding this thread. ;)

Then, out of those people, how many ordered a second one after thinking the box was already compromised again within 5 minutes of the first restore? :D


Heh no kidding :P

spulis
09-04-2004, 11:58 PM
I wonder how many will need an OS restore once dynamicnet starts checking the MD5? ;)

dynamicnet
09-05-2004, 09:39 AM
Greetings:

Zero.

As I shared several times, we use a layered approach with backups to layers when available.

We do not go by just one root kit detection method.

Furthermore, we work closely with our clients.

Server hardening is like charging a battery. If you don't keep it charged, it is not good for you.

Thank you.

Scotty_B
09-05-2004, 12:36 PM
Originally posted by seiler
I wonder how many people ordered OS restores before finding this thread. ;)

Have to admit I came very, very close. Not really helped when some people say that theirs has no bad reports when they aren't even doing the tests :eek: , glad I held off and did some further digging now.

rkhunter
09-05-2004, 05:45 PM
People don't read logfiles... If they did, they COULD read that the version in the database was different from the version installed on their system. This is in the logfile loud and clear.

But, I'm gonna add an extra message to rkhunter so it advises people more clearly what to do... This thread showed me this is needed...

Lem0nHead
09-05-2004, 05:51 PM
Originally posted by rkhunter
People don't read logfiles... If they did, they COULD read that the version in the database was different from the version installed on their system. This is in the logfile loud and clear.

But, I'm gonna add an extra message to rkhunter so it advises people more clearly what to do... This thread showed me this is needed...

it may be a good idea to compare the MD5 with the "last rkhunter check" also

yeah yeah... i know tripwire can be used for that, but i'd like to have this option on rkhunter ;)

rkhunter
09-06-2004, 12:48 PM
It's not a bad idea at all. It's on my To Do ;)
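Three points in this thread (a report of zero incorrect checksums means nothing when zero were compared; hashing in-process rather than trusting /usr/bin/md5sum; comparing against the last check instead of only a downloaded database) can be shown in one small integrity checker. This is an added example, not rkhunter's code or anything posted in the thread; the file names, contents and the temp directory are constructed, and `make_baseline`, `check_against_baseline` and `demo` are names chosen here.

```python
import hashlib
import os
import tempfile

def file_md5(path):
    """Hash in-process (hashlib), as rkhunter prefers Digest::MD5 over shelling
    out to /usr/bin/md5sum: a replaced md5sum that prints the 'expected' digest
    would otherwise vouch for itself and for every other file."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_baseline(paths):
    """Digests recorded on a run you trust (the 'last rkhunter check')."""
    return {p: file_md5(p) for p in paths}

def check_against_baseline(paths, baseline):
    """Verdict is 'skipped' when nothing was compared ('Incorrect MD5 checksums: 0'
    says nothing when 'MD5 compared: 0'), 'clean' only when comparisons ran and
    all matched, 'bad' otherwise; files without a reference digest are listed
    separately, in the spirit of rkhunter's md5_not_known warning."""
    compared, changed, unknown = 0, [], []
    for p in paths:
        if p not in baseline:
            unknown.append(p)
            continue
        compared += 1
        if file_md5(p) != baseline[p]:
            changed.append(p)
    verdict = "skipped" if compared == 0 else ("bad" if changed else "clean")
    return {"compared": compared, "changed": changed, "unknown": unknown, "verdict": verdict}

def demo():
    """Constructed scenario: temp files stand in for /bin/grep and /bin/ps."""
    d = tempfile.mkdtemp()
    grep, ps = os.path.join(d, "grep"), os.path.join(d, "ps")
    for p, data in ((grep, b"grep-old-build"), (ps, b"ps-build")):
        with open(p, "wb") as f:
            f.write(data)
    baseline = make_baseline([grep, ps])
    first = check_against_baseline([grep, ps], baseline)   # clean
    with open(grep, "wb") as f:      # a package update (or a trojan) rewrites grep
        f.write(b"grep-new-build")
    second = check_against_baseline([grep, ps], baseline)  # bad, changed == [grep]
    third = check_against_baseline([grep, ps], {})         # skipped: no digests known
    return first, second, third
```

Whether a "bad" result is a legitimate package update or tampering is decided the way the thread does it: check the package manager's own verification (rpm -V) and the update logs before rebuilding anything.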