  1. #1
    Join Date
    Jun 2006
    Posts
    58

    RKHunter - depmod, insmod, modinfo BAD

    RKHunter 1.2.8... Centos 3.8... Apache was 1.3.36 now 1.3.37...

    Seemed to start after I went from Cpanel Stable to Release not too long ago...

    /sbin/depmod [ BAD ]
    /sbin/insmod [ BAD ]
    /sbin/modinfo [ BAD ]

    Hacked or upgraded files... ? What do you think? TIA...

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Are you running a 2.6 kernel? If so, that may be your issue: the modutils are replaced for a 2.6 kernel.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Jun 2006
    Posts
    58
    Yep - 2.6.17.6...

    So, it's probably a "false alarm" and I need to update something...?

  4. #4
    Join Date
    Jun 2003
    Posts
    976
    latest rkhunter + updates
    Code:
    grep "CentOS release 3.8" os.dat
    801:CentOS release 3.8 (Final):/usr/bin/md5sum:/bin:
    Code:
    grep "^801:/sbin/modinfo" defaulthashes.dat
    801:/sbin/modinfo:d7eb96316ff82ff3313ba3aa1a877c01:bd275a42047447cb3ead4f0a3edbab19dd0eaabd

    so it has a hash for it

    update your rkhunter database with "rkhunter --update" if you didn't yet
    then run it with "rkhunter -c --createlogfile" to create a log file (/var/log/rkhunter.log)
    check the log file for messages (search for modinfo) and you should know what it thinks is wrong

  5. #5
    Join Date
    Jun 2006
    Posts
    58
    Thanks sehe... Here's what I got...

    [08:40:32] /sbin/depmod Hash NOT valid (My MD5: 7bd1414c824b786bb5a4ff3ecaaeeacd, expected: 66c262270a6bce829cb03ef99af59636)
    [08:40:32] Using whitelists to compare MD5 hash (searching for 7bd1414c824b786bb5a4ff3ecaaeeacd)
    [08:40:32] No whitelisted MD5 hash found for /sbin/depmod
    [08:40:32] MD5 hash for my file (/sbin/depmod) is 7bd1414c824b786bb5a4ff3ecaaeeacd, but is not in database
    [08:40:32] End of whitelist compare
    [08:40:32] Checking /sbin/depmod against hashes in database (66c262270a6bce829cb03ef99af59636) failed
    [08:40:33] RPM info: your package 'modutils-2.4.25-14.EL
    module-init-tools-3.1-0.pre5.3'
    [08:40:33] RPM info: packages in database:
    [08:40:33] ---
    [08:40:33] 801:/sbin/depmod:7bd1414c824b786bb5a4ff3ecaaeeacd:-:-:modutils-2.4.25-14.EL
    module-init-tools-3.1-0.pre5.3
    [08:40:33] ---

    [08:40:33] /sbin/insmod Hash NOT valid (My MD5: 8a6f90491caa7e3190006d9181e6991b, expected: 99d2036821e53bd7ee1b0650f534d2d8)
    [08:40:33] Using whitelists to compare MD5 hash (searching for 8a6f90491caa7e3190006d9181e6991b)
    [08:40:33] No whitelisted MD5 hash found for /sbin/insmod
    [08:40:33] MD5 hash for my file (/sbin/insmod) is 8a6f90491caa7e3190006d9181e6991b, but is not in database
    [08:40:33] End of whitelist compare
    [08:40:33] Checking /sbin/insmod against hashes in database (99d2036821e53bd7ee1b0650f534d2d8) failed
    [08:40:33] RPM info: your package 'modutils-2.4.25-14.EL
    module-init-tools-3.1-0.pre5.3'
    [08:40:33] RPM info: packages in database:
    [08:40:33] ---
    [08:40:33] 801:/sbin/insmod:8a6f90491caa7e3190006d9181e6991b:-:-:modutils-2.4.25-14.EL
    module-init-tools-3.1-0.pre5.3
    [08:40:33] ---

    [08:40:34] /sbin/modinfo Hash NOT valid (My MD5: 5b23fcbfc8410a98faaaea079bcbee7d, expected: d7eb96316ff82ff3313ba3aa1a877c01)
    [08:40:34] Using whitelists to compare MD5 hash (searching for 5b23fcbfc8410a98faaaea079bcbee7d)
    [08:40:34] No whitelisted MD5 hash found for /sbin/modinfo
    [08:40:34] MD5 hash for my file (/sbin/modinfo) is 5b23fcbfc8410a98faaaea079bcbee7d, but is not in database
    [08:40:34] End of whitelist compare
    [08:40:34] Checking /sbin/modinfo against hashes in database (d7eb96316ff82ff3313ba3aa1a877c01) failed
    [08:40:34] RPM info: your package 'modutils-2.4.25-14.EL
    module-init-tools-3.1-0.pre5.3'
    [08:40:34] RPM info: packages in database:
    [08:40:34] ---
    [08:40:34] 801:/sbin/modinfo:5b23fcbfc8410a98faaaea079bcbee7d:-:-:modutils-2.4.25-14.EL
    module-init-tools-3.1-0.pre5.3
    [08:40:34] ---

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    It's likely a false alarm.

  7. #7
    Join Date
    Jun 2006
    Posts
    58
    Thanks everybody...

  8. #8
    Join Date
    Jun 2003
    Posts
    976
    I guess the explanation is found in the way your CentOS 3.8 box got its 2.6 kernel; it looks like CentOS 3.8 only ships 2.4 with modutils-2.4.25-14.EL.
    You somehow also got module-init-tools-3.1-0.pre5.3 installed; it has its own modinfo etc. tools and hashes rkhunter doesn't know about (for CentOS 3.8), so it produces the warnings.

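An added triage script (not from the thread and not part of rkhunter) that parses log lines in the shape posted in #5 and applies the explanation from #4 and #8: where rkhunter's "RPM info" names two packages for one path, the file was replaced by a second package and the mismatch is the expected false positive; a single owner stays unexplained and should be checked against the RPM database rather than whitelisted. The /bin/login record, its hashes and the package name examplepkg-1.0-1 are constructed.

```python
import re

# Constructed sample in the shape of the rkhunter.log excerpt in #5: the first
# record is the /sbin/depmod entry from the thread (two owning packages, split
# across two lines as rkhunter printed it); the second is an invented /bin/login
# record with made-up hashes and a placeholder package name.
SAMPLE_LOG = """\
[08:40:32] /sbin/depmod Hash NOT valid (My MD5: 7bd1414c824b786bb5a4ff3ecaaeeacd, expected: 66c262270a6bce829cb03ef99af59636)
[08:40:33] RPM info: your package 'modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3'
[08:40:33] /bin/login Hash NOT valid (My MD5: deadbeefdeadbeefdeadbeefdeadbeef, expected: cafebabecafebabecafebabecafebabe)
[08:40:33] RPM info: your package 'examplepkg-1.0-1'
"""

HASH_RE = re.compile(r"^\[[\d:]+\] (\S+) Hash NOT valid "
                     r"\(My MD5: ([0-9a-f]{32}), expected: ([0-9a-f]{32})", re.M)
PKG_RE = re.compile(r"RPM info: your package '([^']*)'")  # [^'] also spans newlines


def parse_hash_failures(log_text):
    """One record per 'Hash NOT valid' line: path, both MD5s, owning packages."""
    hits = list(HASH_RE.finditer(log_text))
    records = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log_text)
        pkg = PKG_RE.search(log_text[m.end():end])   # RPM info follows its file
        records.append({"path": m.group(1), "my_md5": m.group(2),
                        "expected_md5": m.group(3),
                        "packages": pkg.group(1).split() if pkg else []})
    return records


def triage(records):
    """Map path -> verdict. Two packages owning one path is the thread's case
    (modutils replaced by module-init-tools): rkhunter's stored hash is for the
    old package. A single owner gets no pass: verify it with rpm before trusting
    it; adding the current hash to rkhunter's db would also whitelist a modified binary."""
    verdicts = {}
    for r in records:
        pkgs = r["packages"]
        if len(pkgs) > 1:
            verdicts[r["path"]] = ("owned by both %s and %s; likely package-replacement "
                                   "false positive, confirm with: rpm -V %s" % (pkgs[0], pkgs[-1], pkgs[-1]))
        else:
            owner = pkgs[0] if pkgs else "<owner unknown>"
            verdicts[r["path"]] = "verify: rpm -V %s, then compare against a clean copy from the package" % owner
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(parse_hash_failures(SAMPLE_LOG)).items():
        print(path, "->", verdict)
```
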
  9. #9
    Join Date
    Jun 2006
    Posts
    58
    Quote Originally Posted by sehe
    I guess the explanation is found in the way your CentOS 3.8 box got its 2.6 kernel; it looks like CentOS 3.8 only ships 2.4 with modutils-2.4.25-14.EL.
    You somehow also got module-init-tools-3.1-0.pre5.3 installed; it has its own modinfo etc. tools and hashes rkhunter doesn't know about (for CentOS 3.8), so it produces the warnings.
    I remember my provider/data center had me update my kernel a while back (because of security, I think)...

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by sehe
    I guess the explanation is found in the way your CentOS 3.8 box got its 2.6 kernel; it looks like CentOS 3.8 only ships 2.4 with modutils-2.4.25-14.EL.
    You somehow also got module-init-tools-3.1-0.pre5.3 installed; it has its own modinfo etc. tools and hashes rkhunter doesn't know about (for CentOS 3.8), so it produces the warnings.

    Yes, that is correct: CentOS 3 / RHEL 3 stock modutils WILL NOT load the .ko modules from a 2.6 kernel, thus the updated utils and the bad rkhunter output.

  11. #11
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    299
    Hi,
    Would this be the same issue for a VPS?

    On a VPS with 2.6 kernel
    (2.6.9-022stab078.21-enterprise)
    I get:

    No logfile given: using default.
    /bin/dmesg [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/mount [ BAD ]

    On another VPS with 2.4 kernel
    (2.4.20-021stab028.18.777-enterprise):

    Line:
    [ BAD ]
    Line: [ BAD ]
    [ BAD ]
    Line: [ BAD ]
    [ BAD ]
    Line: [ BAD ]
    [ BAD ]
    Line: [ BAD ]
    [ BAD ]
    Line: [ BAD ]

    My support say:
    "The problem with RKHunter is that it will not show correct results since it has a bug when it's ran into a VPS. "

    Any help appreciated.
    Thanks,

    - Vince

  12. #12
    Join Date
    Mar 2005
    Location
    Maine, USA
    Posts
    311
    There is a known bug in the current release of rkhunter that will falsely identify some files as being rootkits when they are not.
    Try using this tool from their SourceForge site to fix the hashes:
    http://sourceforge.net/project/showf...kage_id=200881

  13. #13
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    299
    Hi,
    Do excuse my ignorance.
    So the issue and that patch apply to dedicated and VPS?

    What I'm trying to find out is, rkhunter does not have any issues specifically with VPS setups?

    Many thanks,

    - Vince

  14. #14
    Join Date
    Mar 2005
    Posts
    361
    Hi,
    I'm having the same issue on my CentOS 3.8 and rkhunter.

    But I've figured out that it should be a false positive.

  15. #15
    Join Date
    Jun 2003
    Posts
    976
    Quote Originally Posted by hostingvince
    Hi,
    Do excuse my ignorance.
    So the issue and that patch apply to dedicated and VPS?

    What I'm trying to find out is, rkhunter does not have any issues specifically with VPS setups?

    Many thanks,

    - Vince
    What distro runs in your VPS?
    Looks like hashupd.sh applies to any server, since it just adds hashes of the current files to rkhunter's db (not sure if those will be trashed on the next --update).

  16. #16
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    299
    Quote Originally Posted by hawk82
    There is a known bug in the current release of rkhunter that will falsely identify some files as being rootkits when they are not.
    Try using this tool from their SourceForge site to fix the hashes:
    http://sourceforge.net/project/showf...kage_id=200881
    This also solved it on my VPS.

    Thanks all.

    - Vince
