Web Hosting Talk

False positives, or am I missing something going on that I shouldn't be?


EviL_SmUrF
02-28-2005, 02:29 AM
I emailed this to the creator of rootkit hunter, but since I noticed he said his email inbox is pretty full, perhaps you guys can answer this more quickly:



I am not quite sure what to make of what rkhunter told me. This is my first time running it, and I am a VERY "paranoid" sysadmin (which is, for all intents and purposes, good!). I check daily every command users on my machine execute, I look at logwatch every day, etc. etc.

I ran rkhunter out of curiosity more than anything, and here is what it showed me:

* System tools
Info: prelinked files found
Performing 'known good' check...
/usr/bin/find [ OK ]
/usr/bin/file [ OK ]
/usr/bin/kill [ BAD ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/env [ OK ]
/bin/ls [ OK ]
/bin/su [ OK ]
/bin/ps [ OK ]
/bin/dmesg [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/sbin/init [ OK ]
/sbin/runlevel [ OK ]




This is a Fedora Core 2 server, updated via yum every night. The only thing that has been run that could (but shouldn't) change the hashes of those files is LES (Linux Security Environment), which is basically a script that "locks down" your box for you. (www.rfxnetworks.com)

Any ideas? Perhaps these are false positives? I sure hope they are, or else I have been missing something that I shouldn't be.



There were no other errors about anything else other than what it reported above.


Any ideas guys?

Crucial
02-28-2005, 02:41 AM
I would run another program on the system and compare both outputs. Also run ls -la from the SSH console and check file permissions for abnormal modes; if you're not sure what abnormal modes for files look like, just post them here and I'll respond, or I'm sure someone else will.

EviL_SmUrF
02-28-2005, 02:49 AM
I ran chkrootkit and the only thing it returned was a false positive on port 465, which is the port I use for POP3 SSL. Nothing else was returned aside from "unknown files" for the source code of the Linux kernel installations that yum created, which it seems chkrootkit always does lol.

I just ran rkhunter on another Fedora Core 2 system I have sitting in my room that we use for testing, which I know darn well isn't infected with anything because the only people who have login access to it are me and a friend, and it is rarely turned on in the first place. It returned checksum errors for those same files, so I'm pretty certain those are false positives now.


[root@server1 bin]# cd /bin/
[root@server1 bin]# ls -la mount
-rwx------ 1 root root 78888 Nov 29 16:09 mount
[root@server1 bin]# cd /usr/bin/
[root@server1 bin]# ls -la kill
lrwxrwxrwx 1 root root 14 Dec 22 03:31 kill -> ../../bin/kill
[root@server1 bin]# cd ../../bin/
[root@server1 bin]# ls -la kill
-rwxr-xr-x 1 root root 10096 Nov 29 16:09 kill
[root@server1 bin]# ls -la dmesg
-rwx------ 1 root root 6172 Nov 29 16:09 dmesg
[root@server1 bin]# ls -la login
-rwxr-xr-x 1 root root 23308 Nov 29 16:09 login
[root@server1 bin]#


and I see nothing weird about any of those permissions.


silly rkhunter :P

Lev
02-28-2005, 02:53 AM
I haven't seen false positives with RKHunter with anything other than Fedora. Recently, I saw false positives with Fedora as well, I thought it was because the server was busy at the time but maybe that was not the reason...

Crucial
02-28-2005, 02:55 AM
Sometimes they just complain, but better safe than sorry... I personally don't see anything wrong with those. Also keep an eye on your syslog and run sockstat once in a while to check for incoming and outgoing connections if you suspect some type of compromise.

EviL_SmUrF
02-28-2005, 03:00 AM
Heh, already done :P When I say I'm a paranoid sysadmin, I mean I'm a paranoid sysadmin. Every port on my server is locked down and refuses incoming and outgoing data aside from the ports needed for my box's services.

I also get notified via email every time a new program is started on my box that attempts to create a connection with the outside world.

I honestly don't suspect any compromise on my box; I was just kind of taken aback when rkhunter told me those binaries were bad.

nextgenhosting
05-21-2005, 08:54 AM
Just this morning rkhunter reported bad hashes:

System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ BAD ]
/bin/egrep [ BAD ]
/bin/env [ OK ]
/bin/fgrep [ BAD ]
/bin/grep [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ OK ]
/bin/mount [ BAD ]
/bin/netstat [ BAD ]
/bin/ps [ BAD ]
/bin/su [ OK ]
/sbin/chkconfig [ BAD ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ BAD ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ BAD ]
/sbin/syslogd [ BAD ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ BAD ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ BAD ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]

I checked a couple of permissions but I'm not 100% sure if they're OK:
root@server [/bin]# ls -la dmesg
-rwxr-xr-x 1 root root 4108 Jan 20 12:21 dmesg*
root@server [/bin]# ls -la mount
-rwsr-xr-x 1 root root 68508 Jan 20 12:21 mount*


Any thoughts?

Thanks

phpdeveloper
05-22-2005, 08:16 AM
It looks like Rootkit Hunter's MD5 hash database is a little behind Red Hat's official packages. The newest packages that include the utilities marked as BAD are not yet added to Rootkit Hunter; that's why they show as BAD. The developer will soon catch up with those.

sirius
05-22-2005, 11:29 AM
Originally posted by nextgenhosting
Just this morning rkhunter reported bad hashes

any thoughts

thanks

Interesting... I am seeing the same thing, after compiling the latest kernel and taking some RHEL3 updates.

I had my management company look at it and they think that I was possibly compromised, however, I am thinking it is just a false positive.

Sirius

classics
05-22-2005, 12:42 PM
Check the MD5s of those files against the ones being offered by Red Hat. If they were installed by RPM, use RPM's built-in ability to verify the MD5s of installed packages.

bjdea1
05-23-2005, 03:45 AM
We are experiencing the same "BAD" reporting on our RHE servers. I checked their MD5s using "rpm -Vf <filename>". Most of them were fine; a few gave an "M" error, which is a permissions error, but no MD5 errors. So I'm thinking it's not a hack.
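The check that classics and bjdea1 describe, written out as an added example (my code, not anything posted in the thread and not part of rkhunter or rpm): it parses `rpm -V` / `rpm -Vf` output and separates the `M` (mode) failures that a lockdown script such as LES leaves behind from the `5` (digest) and `S` (size) failures that mean the file body itself no longer matches the package. The sample output, the paths ending in `constructed-*`, and the names `SAMPLE_OUTPUT`, `triage` and `suspicious_paths` are all mine. One caveat worth keeping in mind: `rpm -V` compares against the local rpm database, and anyone who already has root can rewrite that database and the rpm binary along with the tools, so a content-changed verdict is a reason to compare the file's digest against a freshly downloaded vendor package on a separate machine, which is what classics's advice amounts to.

```python
"""Triage rpm -V / rpm -Vf output: metadata drift versus changed file contents.

rpm prints one line per file that fails at least one verify test; files that
pass print nothing. The verify column is SM5DLUGT (older rpm) or SM5DLUGTP
(newer rpm); '.' means the test passed, '?' that it was not run, and a letter
that the named test failed.
"""
import re

FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "digest (MD5/SHA) differs",
    "D": "device major/minor number mismatch",
    "L": "readlink path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# A failure on any of these means the file body (or link target) changed.
# M, U, G, T and P are metadata only: a hardening script or a plain
# chmod/chown produces exactly these and nothing else.
CONTENT_FLAGS = frozenset("S5DL")

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<attr>[acdglr])\s+)?"   # optional attribute marker (c = config file)
    r"(?P<path>/\S.*)$"
)

# Constructed sample output, not captured from any real system. The first two
# lines model the thread's case: mode tightened by LES, digest intact.
SAMPLE_OUTPUT = """\
.M.......    /bin/mount
.M.......    /bin/dmesg
S.5....T.  c /etc/constructed.conf
S.5....T.    /usr/bin/constructed-tool
missing      /usr/sbin/constructed-missing
"""


def parse_verify_line(line):
    """Return {'path', 'attr', 'failed', 'missing'} or None for non-rpm text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    missing = flags == "missing"
    failed = set() if missing else {f for f in flags if f in FLAG_MEANING}
    return {"path": m.group("path"), "attr": m.group("attr"),
            "failed": failed, "missing": missing}


def classify(entry):
    """Map one parsed entry to a triage verdict."""
    if entry["missing"]:
        return "missing"
    if entry["failed"] & CONTENT_FLAGS:
        # A locally edited config file is expected to differ from the package.
        return "config-edited" if entry["attr"] == "c" else "content-changed"
    return "metadata-only"


def triage(text):
    """Return {path: verdict} for every parsable line of rpm -V output."""
    verdicts = {}
    for line in text.splitlines():
        entry = parse_verify_line(line)
        if entry is not None:
            verdicts[entry["path"]] = classify(entry)
    return verdicts


def suspicious_paths(text):
    """Paths whose package-shipped contents are gone or changed: these are the
    ones to check against digests from a freshly downloaded vendor package."""
    return sorted(p for p, v in triage(text).items()
                  if v in ("content-changed", "missing"))


def explain(text):
    """Human-readable report lines, one per flagged file."""
    report = []
    for line in text.splitlines():
        entry = parse_verify_line(line)
        if entry is None:
            continue
        reasons = ("file missing" if entry["missing"]
                   else ", ".join(FLAG_MEANING[f] for f in sorted(entry["failed"])))
        report.append(f"{classify(entry):16} {entry['path']}: {reasons}")
    return report


if __name__ == "__main__":
    # On a real host feed it the stdout of: rpm -Vf /bin/mount /bin/dmesg ...
    print("\n".join(explain(SAMPLE_OUTPUT)))
```

Run against real output by piping `rpm -Vf` over the paths rkhunter flagged; anything that comes back `metadata-only` with just `M` is consistent with what LES does to file modes, while a `content-changed` or `missing` verdict is the case that needs the out-of-band digest comparison.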

bjdea1
05-23-2005, 11:04 AM
For the sake of anyone else who comes across this problem: it looks like it's an rkhunter problem, not a hack. See the following thread at www.servermatrix for more info:
http://forums.servermatrix.com/viewtopic.php?t=15142