Article 5CK23 Need help with understanding rkhunter

by markLopez09 from LinuxQuestions.org on (#5CK23)
Hello,

I recently installed rkhunter on my LinuxMint and ran a check, but I'm not sure about the results.

I read the manpage and found a couple of switches I was immediately concerned with. Two things to take note of:
1. I ran rkhunter --update to update my initial install, and it did not go through. It said: Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
2. I did not do --propupd because, to my understanding, you need to specify a file/directory/package to do that update.

Given those, I ran rkhunter -c anyway, and it came back with this:
[12:00:55] Info: Starting test name 'properties'
[12:00:55] Performing file properties checks
...
[12:01:50] /usr/bin/lwp-request [ Warning ]
[12:01:50] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
...
[12:05:26] Info: Starting test name 'malware'
[12:05:26] Performing malware checks
...
[12:05:35] Info: Starting test name 'ipc_shared_mem'
[12:05:35] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[12:05:35] Checking for suspicious (large) shared memory segments [ Warning ]
[12:05:35] Warning: The following suspicious (large) shared memory segments have been found:
[12:05:35] Process: /usr/lib/i386-linux-gnu/cinnamon-settings-daemon/csd-background PID: 1181 Owner: mac Size: 32MB (configured size allowed: 1.0MB)
[12:05:35] Process: /usr/lib/gnome-terminal/gnome-terminal-server PID: 1540 Owner: mac Size: 4.0MB (configured size allowed: 1.0MB)
...
[12:05:59] Info: Starting test name 'passwd_changes'
[12:05:59] Checking for passwd file changes [ Warning ]
[12:05:59] Warning: User 'postfix' has been added to the passwd file.
[12:05:59]
[12:05:59] Info: Starting test name 'group_changes'
[12:05:59] Checking for group file changes [ Warning ]
[12:05:59] Warning: Group 'postfix' has been added to the group file.
[12:05:59] Warning: Group 'postdrop' has been added to the group file.
...
[12:06:09] Checking for hidden files and directories [ Warning ]
[12:06:09] Warning: Hidden directory found: /etc/.java
...
[12:06:13] System checks summary
[12:06:13] =====================
[12:06:13]
[12:06:13] File properties checks...
[12:06:13] Files checked: 151
[12:06:13] Suspect files: 1
[12:06:13]
[12:06:13] Rootkit checks...
[12:06:13] Rootkits checked : 480
[12:06:14] Possible rootkits: 2
[12:06:14]
[12:06:14] Applications checks...
[12:06:14] All checks skipped

So I have lwp-request replaced by a script, two segments eating up more memory than they should, and changes to passwd and group files. This system is LinuxMint by the way.

I have another box which runs openSUSE, and I ran rkhunter on that too. Similar problem with files being replaced by a script, but no suspicious shared memory segments.

[19:27:23] System checks summary
[19:27:23] =====================
[19:27:23]
[19:27:23] File properties checks...
[19:27:23] Required commands check failed
[19:27:23] Files checked: 191
[19:27:23] Suspect files: 5
[19:27:23]
[19:27:23] Rootkit checks...
[19:27:23] Rootkits checked : 490
[19:27:24] Possible rootkits: 0
[19:27:24]
[19:27:24] Applications checks...
[19:27:24] All checks skipped

Now, on the openSUSE box, I succeeded with rkhunter --update. After getting the above result, I decided to do rkhunter --propupd without specifying a file (out of curiosity), then ran another check. After doing that, the suspect files are gone.

[19:38:49] System checks summary
[19:38:49] =====================
[19:38:49]
[19:38:49] File properties checks...
[19:38:49] Files checked: 191
[19:38:49] Suspect files: 0
[19:38:49]
[19:38:49] Rootkit checks...
[19:38:50] Rootkits checked : 490
[19:38:50] Possible rootkits: 0
[19:38:50]
[19:38:50] Applications checks...
[19:38:50] All checks skipped

So I guess the questions I really need answers to are:
1. What does --propupd really do if you don't specify a file/directory/package? The manpage says it updates everything if none is specified. But a warning says it's the user's responsibility to ensure the files are genuine when using this switch, which is why I'm hesitant to do the same thing on my LinuxMint box (given the results say I possibly have a rootkit and I'm afraid I might accidentally whitelist it).

2. How do I fix the Invalid WEB_CMD configuration option: Relative pathname: "/bin/false" part when doing --update?

3. Can anyone tell me if the suspicious (large) shared memory segments shown on the results are actually rootkits? Or at least tell me how I can investigate it?

4. postfix and postdrop have been added in the passwd and group files. What are those? And should I be concerned?

Please help. Thanks in advance.
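Added example for question 1 (not from the post, and not rkhunter's own code): before re-baselining anything with --propupd, each file the 'properties' test flagged can be checked against the package manager's own checksums, so only files that still match their package get trusted. It assumes a saved rkhunter log in the format quoted above and either dpkg (Mint) or rpm (openSUSE) on the box.

```sh
#!/bin/sh
# Added example (not from the post or the rkhunter project): triage the files
# rkhunter's 'properties' test flagged before trusting them with --propupd.
# Assumptions: a saved rkhunter log in the format quoted in the post, and
# dpkg (Mint) or rpm (openSUSE) as the package manager.

# Pull the paths out of lines such as:
#   Warning: The command '/usr/bin/lwp-request' has been replaced by a script: ...
flagged_paths() {
    sed -n "s/.*Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p" "$1" | sort -u
}

# Ask the package manager whether the file still matches what it shipped.
# Prints "<path> clean <package>", "<path> MODIFIED <package>" or "<path> unowned".
# An unowned or MODIFIED file is exactly the one not to re-baseline blindly.
verify_flagged_file() {
    path="$1"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] || { echo "$path unowned"; return; }
        # dpkg -V prints only files whose checksum differs from the package database
        if dpkg -V "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "$path MODIFIED $pkg"
        else
            echo "$path clean $pkg"
        fi
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$path" 2>/dev/null) || pkg=""
        [ -n "$pkg" ] || { echo "$path unowned"; return; }
        # rpm -V likewise lists only files that differ from the package
        if rpm -V "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "$path MODIFIED $pkg"
        else
            echo "$path clean $pkg"
        fi
    else
        echo "$path (no dpkg or rpm available)"
    fi
}

# Usage: sh triage.sh /var/log/rkhunter.log
if [ -n "$1" ]; then
    flagged_paths "$1" | while read -r p; do verify_flagged_file "$p"; done
fi
```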
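Added example for question 3 (not from the post, and not rkhunter's own code): the 'ipc_shared_mem' check can be reproduced by reading /proc/sysvipc/shm directly, which ties each large segment to the PID that created it and the binary behind that PID, so a segment owned by a desktop daemon can be told apart from one owned by something unexpected. It assumes /proc is mounted and uses the 1048576-byte threshold rkhunter reported as its default.

```sh
#!/bin/sh
# Added example (not from the post or the rkhunter project): list the SysV
# shared memory segments rkhunter's 'ipc_shared_mem' test would flag and tie
# each one to the process that created it. /proc/sysvipc/shm columns:
#   key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap
# The default threshold is the 1048576 bytes (1.0MB) shown in the post.

SHM_TABLE="${SHM_TABLE:-/proc/sysvipc/shm}"
THRESHOLD_BYTES="${THRESHOLD_BYTES:-1048576}"

# Print "shmid size_bytes creator_pid owner_uid" for every segment whose size
# is at or above the threshold. Arguments: path of the table, threshold in bytes.
large_shm_segments() {
    awk -v thr="$2" 'NR > 1 && ($4 + 0) >= (thr + 0) { print $2, $4, $5, $8 }' "$1"
}

# Resolve a creator PID to the executable behind it. Reading another user's
# /proc/PID/exe needs root, and a creator that has already exited is itself
# worth noting during triage.
segment_owner_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(pid $1 exited or not readable; run as root)"
}

# Report every flagged segment together with the binary that created it, so the
# path can be checked against its package (dpkg -S / rpm -qf) rather than guessed.
report_large_segments() {
    large_shm_segments "$SHM_TABLE" "$THRESHOLD_BYTES" |
    while read -r shmid size cpid uid; do
        printf 'shmid=%s size=%s cpid=%s uid=%s exe=%s\n' \
            "$shmid" "$size" "$cpid" "$uid" "$(segment_owner_exe "$cpid")"
    done
}

# Run against the live table when it is available (it is not on non-Linux hosts).
if [ -r "$SHM_TABLE" ]; then
    report_large_segments
fi
```

Run it as root to see the exe of every creator; compare the reported PIDs and binaries with the csd-background and gnome-terminal-server lines rkhunter printed.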