-
10-21-2006, 05:15 PM #1Junior Guru Wannabe
- Join Date
- Jun 2006
- Posts
- 58
RKHunter - depmod, insmod, modinfo BAD
RKHunter 1.2.8... Centos 3.8... Apache was 1.3.36 now 1.3.37...
Seemed to start after I went from Cpanel Stable to Release not too long ago...
/sbin/depmod [ BAD ]
/sbin/insmod [ BAD ]
/sbin/modinfo [ BAD ]
Hacked or upgraded files... ? What do you think? TIA...
-
10-21-2006, 07:30 PM #2Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
You running a 2.6 kernel? If so, that may be your issue; the modutils are replaced for 2.6 kernels.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
10-21-2006, 07:57 PM #3Junior Guru Wannabe
- Join Date
- Jun 2006
- Posts
- 58
Yep - 2.6.17.6...
So, it's probably a "false alarm" and I need to update something...?
-
10-22-2006, 08:20 AM #4Web Hosting Master
- Join Date
- Jun 2003
- Posts
- 976
latest rkhunter + updates
Code:
grep "CentOS release 3.8" os.dat
grep "^801:/sbin/modinfo" defaulthashes.dat
so it has a hash for it
Update your rkhunter database with "rkhunter --update" if you didn't yet,
then run it with "rkhunter -c --createlogfile" to create a log file (/var/log/rkhunter.log).
Check the log file for messages (search for modinfo) and you should know what it thinks is wrong.
-
10-22-2006, 08:53 AM #5Junior Guru Wannabe
- Join Date
- Jun 2006
- Posts
- 58
Thanks sehe... Here's what I got...
[08:40:32] /sbin/depmod Hash NOT valid (My MD5: 7bd1414c824b786bb5a4ff3ecaaeeacd, expected: 66c262270a6bce829cb03ef99af59636)
[08:40:32] Using whitelists to compare MD5 hash (searching for 7bd1414c824b786bb5a4ff3ecaaeeacd)
[08:40:32] No whitelisted MD5 hash found for /sbin/depmod
[08:40:32] MD5 hash for my file (/sbin/depmod) is 7bd1414c824b786bb5a4ff3ecaaeeacd, but is not in database
[08:40:32] End of whitelist compare
[08:40:32] Checking /sbin/depmod against hashes in database (66c262270a6bce829cb03ef99af59636) failed
[08:40:33] RPM info: your package 'modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3'
[08:40:33] RPM info: packages in database:
[08:40:33] ---
[08:40:33] 801:/sbin/depmod:7bd1414c824b786bb5a4ff3ecaaeeacd:-:-:modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3
[08:40:33] ---
[08:40:33] /sbin/insmod Hash NOT valid (My MD5: 8a6f90491caa7e3190006d9181e6991b, expected: 99d2036821e53bd7ee1b0650f534d2d8)
[08:40:33] Using whitelists to compare MD5 hash (searching for 8a6f90491caa7e3190006d9181e6991b)
[08:40:33] No whitelisted MD5 hash found for /sbin/insmod
[08:40:33] MD5 hash for my file (/sbin/insmod) is 8a6f90491caa7e3190006d9181e6991b, but is not in database
[08:40:33] End of whitelist compare
[08:40:33] Checking /sbin/insmod against hashes in database (99d2036821e53bd7ee1b0650f534d2d8) failed
[08:40:33] RPM info: your package 'modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3'
[08:40:33] RPM info: packages in database:
[08:40:33] ---
[08:40:33] 801:/sbin/insmod:8a6f90491caa7e3190006d9181e6991b:-:-:modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3
[08:40:33] ---
[08:40:34] /sbin/modinfo Hash NOT valid (My MD5: 5b23fcbfc8410a98faaaea079bcbee7d, expected: d7eb96316ff82ff3313ba3aa1a877c01)
[08:40:34] Using whitelists to compare MD5 hash (searching for 5b23fcbfc8410a98faaaea079bcbee7d)
[08:40:34] No whitelisted MD5 hash found for /sbin/modinfo
[08:40:34] MD5 hash for my file (/sbin/modinfo) is 5b23fcbfc8410a98faaaea079bcbee7d, but is not in database
[08:40:34] End of whitelist compare
[08:40:34] Checking /sbin/modinfo against hashes in database (d7eb96316ff82ff3313ba3aa1a877c01) failed
[08:40:34] RPM info: your package 'modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3'
[08:40:34] RPM info: packages in database:
[08:40:34] ---
[08:40:34] 801:/sbin/modinfo:5b23fcbfc8410a98faaaea079bcbee7d:-:-:modutils-2.4.25-14.EL
module-init-tools-3.1-0.pre5.3
[08:40:34] ---
-
10-22-2006, 11:21 AM #6Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Its likely a false alarm.
-
10-22-2006, 11:26 AM #7Junior Guru Wannabe
- Join Date
- Jun 2006
- Posts
- 58
Thanks everybody...
-
10-22-2006, 02:04 PM #8Web Hosting Master
- Join Date
- Jun 2003
- Posts
- 976
I guess the explanation is found in the way your CentOS 3.8 box got its 2.6 kernel; it looks like CentOS 3.8 only ships 2.4 with modutils-2.4.25-14.EL.
You somehow also got module-init-tools-3.1-0.pre5.3 installed. It has its own modinfo etc. tools, with hashes rkhunter doesn't know about (for CentOS 3.8), so it produces the warnings.
-
10-22-2006, 03:39 PM #9Junior Guru Wannabe
- Join Date
- Jun 2006
- Posts
- 58
Originally Posted by sehe
-
10-22-2006, 03:39 PM #10Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Originally Posted by sehe
Yes, that is correct. CentOS 3 / RHEL 3 stock modutils WILL NOT load the .ko modules of a 2.6 kernel, thus the updated utils and the bad rkhunter output.
-
10-25-2006, 05:53 PM #11Web Hosting Guru
- Join Date
- Mar 2004
- Location
- London, UK
- Posts
- 299
Hi,
Would this be the same issue for a VPS?
On a VPS with 2.6 kernel
(2.6.9-022stab078.21-enterprise)
I get:
No logfile given: using default.
/bin/dmesg [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/mount [ BAD ]
On another VPS with 2.4 kernel
(2.4.20-021stab028.18.777-enterprise):
Line:
[ BAD ]
Line: [ BAD ]
[ BAD ]
Line: [ BAD ]
[ BAD ]
Line: [ BAD ]
[ BAD ]
Line: [ BAD ]
[ BAD ]
Line: [ BAD ]
My support say:
"The problem with RKHunter is that it will not show correct results since it has a bug when it's ran into a VPS. "
Any help appreciated.
Thanks,
- Vince
-
10-25-2006, 08:37 PM #12Web Hosting Guru
- Join Date
- Mar 2005
- Location
- Maine, USA
- Posts
- 311
There is a known bug in the current release of rkhunter that falsely identifies some files as rootkits when they are not.
Try using this tool from their SourceForge site to fix the hashes:
http://sourceforge.net/project/showf...kage_id=200881
-
10-26-2006, 07:15 AM #13Web Hosting Guru
- Join Date
- Mar 2004
- Location
- London, UK
- Posts
- 299
Hi,
Do excuse my ignorance.
So the issue and that patch apply to dedicated and VPS?
What I'm trying to find out is, rkhunter does not have any issues specifically with VPS setups?
Many thanks,
- Vince
-
10-26-2006, 07:47 AM #14Aspiring Evangelist
- Join Date
- Mar 2005
- Posts
- 361
Hi,
I'm having the same issue on my CentOS 3.8 with rkhunter.
But I've figured out that it should be a false positive.
-
10-27-2006, 02:02 PM #15Web Hosting Master
- Join Date
- Jun 2003
- Posts
- 976
Originally Posted by hostingvince
Looks like hashupd.sh applies to any server, since it just adds the hashes of the current files to rkhunter's db (not sure whether those will be trashed on the next --update).
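Pulling the thread's two procedures together, as an added example that is neither rkhunter's code nor anyone's post here: the per-file MD5 comparison that sehe walked through in #4 and #5 (the "Hash NOT valid" / whitelist logic in the quoted log), and a hashupd.sh-style refresh of the database discussed in #12 and #15. It assumes the record layout visible in the log (OSID:path:md5:-:-:package), uses 801 for "CentOS release 3.8" as in the grep above, and builds every file it touches under a temporary directory; the package names, the whitelist file, the rmmod file and the second OS id 802 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from rkhunter or from anyone in this thread.
# Record layout OSID:path:md5:-:-:package is taken from the quoted log;
# the two "-" fields are ignored. Everything under $tmp is constructed.

# rkh_check DB OSID FILE [WHITELIST]
# Prints OK / WHITELISTED / BAD / UNKNOWN for FILE; returns 0 / 0 / 1 / 2.
rkh_check() {
    db=$1 osid=$2 file=$3 whitelist=${4:-/dev/null}
    expected=$(awk -F: -v id="$osid" -v f="$file" \
        '$1 == id && $2 == f { print $3; exit }' "$db")
    if [ -z "$expected" ]; then
        echo "UNKNOWN $file (no hash for OS id $osid)"
        return 2
    fi
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    # Second chance, as in the log: an admin-supplied list of MD5s, one per line.
    if grep -qx "$actual" "$whitelist" 2>/dev/null; then
        echo "WHITELISTED $file ($actual)"
        return 0
    fi
    echo "BAD $file (my MD5: $actual, expected: $expected)"
    return 1
}

# rkh_refresh DB OSID FILE PKG
# Replace (or add) the record for FILE with the hash of the file now on disk.
# This is what a hashupd-style tool does: it silences the warning, it does not
# establish that the file is the package's own (rpm -Vf FILE does that).
rkh_refresh() {
    db=$1 osid=$2 file=$3 pkg=$4
    actual=$(md5sum "$file" | cut -d' ' -f1)
    awk -F: -v id="$osid" -v f="$file" '!($1 == id && $2 == f)' "$db" > "$db.tmp"
    printf '%s:%s:%s:-:-:%s\n' "$osid" "$file" "$actual" "$pkg" >> "$db.tmp"
    mv "$db.tmp" "$db"
}

# Demo (constructed): /sbin/depmod has been swapped for a different binary
# (module-init-tools replacing modutils, as on the poster's box), /sbin/insmod
# is unchanged, and /sbin/rmmod has no record for this OS id at all.
rkh_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sbin"
    printf 'modutils insmod\n'          > "$tmp/sbin/insmod"
    printf 'module-init-tools depmod\n' > "$tmp/sbin/depmod"
    printf 'modutils rmmod\n'           > "$tmp/sbin/rmmod"
    # 801 stands for "CentOS release 3.8"; 802 is a second OS id that must
    # be ignored when checking an 801 box.
    {
        printf '801:%s:%s:-:-:modutils-2.4.25-14.EL\n' "$tmp/sbin/insmod" \
            "$(md5sum "$tmp/sbin/insmod" | cut -d' ' -f1)"
        printf '801:%s:%s:-:-:modutils-2.4.25-14.EL\n' "$tmp/sbin/depmod" \
            "$(printf 'modutils depmod\n' | md5sum | cut -d' ' -f1)"
        printf '802:%s:%s:-:-:other-pkg\n' "$tmp/sbin/rmmod" \
            "$(md5sum "$tmp/sbin/rmmod" | cut -d' ' -f1)"
    } > "$tmp/defaulthashes.dat"
    : > "$tmp/whitelist"

    for f in insmod depmod rmmod; do
        rkh_check "$tmp/defaulthashes.dat" 801 "$tmp/sbin/$f" "$tmp/whitelist" || :
    done
    # Whitelist route: accept the current depmod hash without touching the db.
    md5sum "$tmp/sbin/depmod" | cut -d' ' -f1 >> "$tmp/whitelist"
    rkh_check "$tmp/defaulthashes.dat" 801 "$tmp/sbin/depmod" "$tmp/whitelist" || :
    # Refresh route: rewrite the record as hashupd.sh would, then re-check.
    rkh_refresh "$tmp/defaulthashes.dat" 801 "$tmp/sbin/depmod" module-init-tools-3.1-0.pre5.3
    rkh_check "$tmp/defaulthashes.dat" 801 "$tmp/sbin/depmod" || :
    rm -rf "$tmp"
}
```

A BAD result by itself only says the file differs from the hash rkhunter carries for that OS id; it cannot tell an upgraded binary from a tampered one. On the real box, `rpm -qf /sbin/depmod` shows which package owns the file and `rpm -Vf /sbin/depmod` verifies it against that package's own manifest, which is the check that separates the two cases. Whitelisting or refreshing the record, as above, makes sense only after that check has passed.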
-
10-29-2006, 07:01 PM #16Web Hosting Guru
- Join Date
- Mar 2004
- Location
- London, UK
- Posts
- 299
Originally Posted by hawk82
Thanks all.
- Vince