Start Rootkit Hunter Update ---------------------
This is the header line of the rkhunter email telling you that rkhunter has updated itself. You do not need to do anything; this event is normal and means rkhunter is working correctly.
Checking rkhunter data files...
This means rkhunter is updating its data files. You do not need to do anything and this event is normal and means rkhunter is working correctly.
Checking file mirrors.dat [ No update ]
This means rkhunter checked for an update to its mirrors file. rkhunter uses "mirror" sites to spread the load of serving its update files. [ No update ] means the data file was already current. You do not need to do anything; this event is normal and means rkhunter is working correctly.
Checking file programs_bad.dat [ No update ]
This means rkhunter checked for an update to its "bad programs" data file, which it uses to identify known malicious programs. [ No update ] means the data file was already current. You do not need to do anything; this event is normal and means rkhunter is working correctly.
Checking file backdoorports.dat [ No update ]
This means rkhunter checked for an update to its "backdoor ports" data file, which lists TCP and UDP ports known to be used by backdoors and other malicious programs. [ No update ] means the data file was already current. You do not need to do anything; this event is normal and means rkhunter is working correctly.
Checking file suspscan.dat [ No update ]
This means rkhunter checked for an update to its "suspicious programs" data file, which it uses to identify programs that may be behaving suspiciously. [ No update ] means the data file was already current. You do not need to do anything; this event is normal and means rkhunter is working correctly.
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Each of these lines means rkhunter checked for an update to one of its language translation (i18n) files, which it uses to display messages in that language. [ No update ] means the file was already current. You do not need to do anything; these events are normal and mean rkhunter is working correctly.
Warning: Found passwordless account in passwd file:
This means that an account in the passwd file has an empty password field, so it may be possible to log into it without a password. Whether that is actually possible depends on whether the system allows password logins for that account (its login shell, the PAM configuration, and sshd's PermitEmptyPasswords setting, which defaults to no, all matter) and on whether the account has been locked. Treat it as a finding to investigate: either set a password or lock the account.
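The following is an added example, not rkhunter's own code, showing how to enumerate the accounts behind this warning. It reads both the passwd and the shadow file, because on a shadowed system the empty hash lives in /etc/shadow while /etc/passwd only holds an "x". The two input files are constructed samples so the script runs offline; point PASSWD_FILE and SHADOW_FILE at the real files (as root) to audit a host. The account names and shells in the samples are invented.

```shell
#!/bin/sh
# Added example (not from rkhunter or ASL): list accounts that could be
# entered without a password. Constructed stand-ins for /etc/passwd and
# /etc/shadow are written to temp files so this runs offline.
PASSWD_FILE=$(mktemp)
SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT

cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
legacy::1001:1001::/home/legacy:/bin/sh
deploy:x:1002:1002::/home/deploy:/bin/bash
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
deploy::19000:0:99999:7:::
EOF

# Print "<user> <where> <shell>" for every account whose password field is
# empty in passwd, or whose passwd entry defers to shadow ("x") and whose
# shadow hash is empty. A hash of "*" or "!..." means a locked account and
# is not reported: such an account cannot be entered with a password at all.
find_passwordless() {
  awk -F: -v shadow="$2" '
    BEGIN {
      while ((getline line < shadow) > 0) { split(line, f, ":"); hash[f[1]] = f[2] }
    }
    {
      user = $1; pw = $2; shell = $7
      if (pw == "")
        print user, "passwd", shell
      else if (pw == "x" && (user in hash) && hash[user] == "")
        print user, "shadow", shell
    }' "$1"
}

# Number of findings, for a cron job that should exit non-zero on any hit.
count_passwordless() {
  find_passwordless "$1" "$2" | wc -l | tr -d ' '
}

find_passwordless "$PASSWD_FILE" "$SHADOW_FILE"
```

On the sample data this reports legacy (empty field in passwd) and deploy (empty hash in shadow) and stays silent on root and backup. For each hit, either set a password (passwd user) or lock the account (passwd -l user or usermod -L user) and check its shell; remember that an empty password is only usable where PAM is configured with nullok and, for SSH, where PermitEmptyPasswords is yes.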
Warning: Suspicious file types found in
This means that rkhunter has found files of a type it does not expect in that location. They may or may not be malicious; inspect the contents of each reported file to confirm it is legitimate before dismissing the warning.
Warning: Suspicious file types found in /dev:
This means that rkhunter has found files in /dev whose type it does not expect there. The Filesystem Hierarchy Standard (FHS) does not provide for ordinary text files in /dev, which is why rkhunter reports them as suspicious. Recent versions of udev, however, keep text files under /dev/.udev, so on such systems these warnings are common. Before you assume that the reported files are harmless, investigate them as described above.
If you are sure they are not malicious, you can tell rkhunter to ignore them by editing rkhunter.conf and adding an ALLOWDEVFILE line for each file (the value may contain wildcards, so one entry can cover a directory of similar files):
ALLOWDEVFILE="/dev/.udev/some/specific/file/reported/by/rkhunter/you/want/to/ignore"
ALLOWDEVFILE="/dev/.udev/some/specific/file/reported/by/rkhunter/you/also/want/to/ignore"
Checking file <somefile> [ No update ]
This is a normal message, it simply means there are no new updates available. This is not an error, and you do not need to take any actions.
Warning: No output found from the lsmod command or the /proc/modules file:
This means that rkhunter could not read /proc/modules (or get any output from lsmod) to see which kernel modules are loaded. This happens with container-style virtualization, such as OpenVZ and similar VPS technologies, where the guest shares the host's kernel and is not allowed to see the host's module list. No action is required and there is no fix from inside the VPS; this is expected behavior for such systems. On a machine that runs its own kernel this warning is not expected and should be investigated.
Warning: The kernel modules directory '/lib/modules' is missing or empty.
This has the same cause as the previous warning: under VPS technologies that do not give you your own kernel, /lib/modules does not exist, so rkhunter cannot inspect it to see what kernel modules are available. No action is required and there is no fix from inside the VPS; this is expected behavior for such systems.
Warning: Package manager verification has failed:
rkhunter has compared a file's current properties against the values it stored on its last run (and against what the package manager recorded) and found a difference. The warning names the property that changed. If rkhunter is reporting:
The file properties have changed
Example:
Current inode: 401101 Stored inode: 395428
This means that the file's inode number has changed since rkhunter last ran. An inode is the data structure the filesystem (not rkhunter) uses to represent a filesystem object such as a file or directory; it holds the object's attributes and the location of its data blocks. A file that is edited in place keeps its inode; a file that is replaced by a new copy gets a new one (package updates do exactly this: they write the new file and rename it over the old one). So this can mean either:
1) The file was legitimately replaced, through a package update or some other authorized third-party action, or
2) Someone or something replaced, moved or copied over the file with a different version, which could be malicious or accidental.
The file modification time has changed
This means that the file's modification time (mtime) has changed since rkhunter last ran. This can mean either:
1) The file was legitimately modified, through an update or some other authorized third-party action, or
2) An unauthorized change was made to the file's contents, which could be malicious or accidental. Note that an attacker can also reset the mtime after modifying a file (for example with touch -r), so an unchanged mtime is not proof of an unchanged file.
The file permissions have changed
This means that the file's permissions have changed since rkhunter last ran. This can mean either:
1) The permissions were legitimately changed, through an update or some other authorized third-party action, or
2) An unauthorized change was made to the file's permissions, which could be malicious or accidental.
The file group has changed
This means that the group ownership of the reported file has changed since rkhunter last ran. This can mean either:
1) The group ownership was legitimately changed, through an update or some other authorized third-party action, or
2) An unauthorized change was made to the file's group ownership, which could be malicious or accidental.
In every one of these cases you should investigate the reported file: find out which package owns it, whether that package was updated since the last rkhunter run, and what the previous and current values were. The best way to do this on an ASL system is the ASL file integrity manager, which tells you which files have changed and what they changed from.
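On an RPM-based system, the quickest first step for any of the four warnings above is to ask the package manager whether it agrees that the file changed: rpm -V on the owning package reports size, mode, digest, owner, group and mtime differences. Its output is terse, so the following added example (not part of rkhunter or ASL) decodes those status flags and sorts the lines into "local edit of a config file" versus "investigate". The four rpm -V lines it parses are constructed; the library name is invented.

```shell
#!/bin/sh
# Added example: decode and triage `rpm -V` output for a file rkhunter
# reported as changed. On a real host:
#   rpm -V "$(rpm -qf /path/to/file)" | triage_rpm_verify
# Each line is a 9-character status field (SM5DLUGTP, "." = unchanged,
# "?" = could not test), an optional attribute letter (c = config file,
# d = documentation, g = ghost, ...) and the path; or "missing <path>".
triage_rpm_verify() {
  awk '
    BEGIN {
      name["S"] = "size";   name["M"] = "mode";    name["5"] = "digest"
      name["D"] = "device"; name["L"] = "symlink"; name["U"] = "owner"
      name["G"] = "group";  name["T"] = "mtime";   name["P"] = "caps"
    }
    NF < 2 { next }
    {
      flags = $1; path = $NF
      attr = (NF == 3) ? $2 : "-"
      if (flags == "missing") { print path, "MISSING", "packaged file is gone"; next }
      if (length(flags) != 9) next
      changed = ""
      for (i = 1; i <= 9; i++) {
        c = substr(flags, i, 1)
        if (c == "." || c == "?") continue
        changed = changed (changed == "" ? "" : ",") name[c]
      }
      # Heuristic: a packaged config file whose only differences are size,
      # digest and/or mtime is almost always a local edit. A binary or
      # library whose content, mode or ownership moved is exactly what a
      # trojaned file looks like, so it is flagged for investigation.
      if (attr == "c" && flags ~ /^[S.]\.[5.]\.\.\.\.[T.]\.$/) verdict = "LOCAL-EDIT"
      else verdict = "INVESTIGATE"
      print path, verdict, changed
    }'
}

# Constructed rpm -V output: an edited sshd_config, a passwd binary whose
# mode and ownership changed, an sshd whose contents changed, and a
# library that has disappeared.
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.M...UG..    /usr/bin/passwd
..5....T.    /usr/sbin/sshd
missing     /usr/lib64/libexample.so.1'

printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

A clean rpm -V result after a recent update (rpm -qa --last shows when packages were installed) supports the "legitimate update" explanation, after which rkhunter's own baseline can be refreshed with rkhunter --propupd. A clean result is evidence, not proof: the RPM database is writable by root, so a root-level intruder can also doctor it. For a file that still looks wrong, compare its digest against a freshly downloaded copy of the same package version.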
Warning: Hidden file found:
Linux has a concept of a "hidden file": a file whose name begins with a dot, which file listing commands such as "ls" omit by default. Legitimate programs use this to store settings, special directories, "swap" files, temporary files and other information that would otherwise "clutter" a file listing. File listing commands such as "ls" can display these files when told to list "all" files (ls -a). For example, the "vim" program creates a hidden swap file while it is editing a file. Example:
/etc/.password.swp
Attackers may also use this trick to "hide" a file or directory from a user in the hope of avoiding detection. This alert means that rkhunter has found a hidden file in a location where such files are unusual. rkhunter cannot tell whether the file is malicious, so you will need to investigate the file (its contents, owner, timestamps and which process, if any, has it open) to determine whether it is valid or malicious.
Warning: Hidden ports found
This means that something has a port open (or is holding it so that other applications cannot bind to it) and rkhunter could not match it to a normally visible listener. This can happen for one of two reasons:
1) A malicious application or rootkit has a port open and is hiding it from the OS's normal reporting tools
2) A non-malicious application is holding the port in a "reserved" state to stop other applications from binding to it
The portreserve service does this for some reserved ports, such as port 631 (the CUPS/IPP printing port). You may see an alert like this:
Warning: Hidden ports found: Port number: TCP:631
Check whether your system is running portreserve and whether it is actually configured to hold that port; netstat -lntp or ss -lntp will show which process owns the socket. Most servers do not need portreserve. portreserve is not part of ASL and is not supported by Atomicorp; contact your OS vendor for assistance with it.
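The idea behind a "hidden port" finding is a disagreement between what the kernel's socket table contains and what a userland tool (netstat, ss, lsof) reports. The following added example, which is not rkhunter's own code, reproduces that comparison: it decodes the listening ports from a /proc/net/tcp-style file and lists those that a tool's output did not account for. The /proc/net/tcp snapshot and the "reported" port list are constructed (the inode numbers and addresses are invented); on a live host feed it the real /proc/net/tcp and the ports your tool printed.

```shell
#!/bin/sh
# Added example (not from rkhunter): find listening TCP ports present in the
# kernel's socket table but absent from a userland port listing.

# Decode listening ports from a /proc/net/tcp-style file. Column 2 is
# "HEXIP:HEXPORT" and column 4 is the socket state; 0A is TCP_LISTEN.
# The hex conversion is written out by hand so it also works with mawk.
listening_ports_from_proc() {
  awk '
    function hex2dec(h,  i, d) {
      d = 0; h = toupper(h)
      for (i = 1; i <= length(h); i++)
        d = d * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return d
    }
    NR > 1 && $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }' "$1" | sort -n | uniq
}

# $1 = file of ports from the kernel table, $2 = file of ports the tool
# reported (one per line). Prints ports that only the kernel table shows.
hidden_ports() {
  awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

PROC_TCP=$(mktemp); KERNEL_PORTS=$(mktemp); REPORTED_PORTS=$(mktemp)
trap 'rm -f "$PROC_TCP" "$KERNEL_PORTS" "$REPORTED_PORTS"' EXIT

# Constructed snapshot: listeners on 22 (0x0016), 631 (0x0277) and
# 3000 (0x0BB8), plus one established connection (state 01) to be ignored.
cat > "$PROC_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:0016 0A000201:C3F0 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
EOF
# Constructed: what `netstat -lnt` showed us. Port 631 is missing from it.
printf '22\n3000\n' > "$REPORTED_PORTS"

listening_ports_from_proc "$PROC_TCP" > "$KERNEL_PORTS"
hidden_ports "$KERNEL_PORTS" "$REPORTED_PORTS"
```

On the sample this prints 631, the portreserve case from the text. On a real host, confirm the owner of any port printed with netstat -lntp, ss -lntp or lsof -i :PORT; if it is portreserve and you do not need it, stop and disable the service. A kernel rootkit can filter /proc/net/tcp as easily as it filters netstat, so for a machine you already distrust also probe from the outside (an external port scan, or a loop that tries to bind each port locally) rather than relying on any table the kernel hands you.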
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
This means that rkhunter has no stored copy of the passwd file from a previous run to compare against. On the first run after installing rkhunter that is expected. If you are certain the stored copy should exist, then either:
1) An authorized party removed it. This can happen if rkhunter was removed and reinstalled, its data files were deleted, or a major change in rkhunter's design required a new data format.
2) An unauthorized party removed it. An attacker may delete it so that rkhunter cannot report recent changes to the passwd file, such as an added account or a UID changed to 0.
If you believe an unauthorized party removed this information from your system, your system may have suffered a root-level compromise, since rkhunter's data files are normally writable only by root. Further forensics will be necessary to determine the root cause.
Warning: Unable to check for group file differences: no copy of the group file exists.
See "Warning: Unable to check for passwd file differences: no copy of the passwd file exists." above.
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
This means that sshd_config does not set PermitRootLogin explicitly, so sshd falls back to the built-in default of your vendor's sshd. That default has changed over time: OpenSSH releases before 7.0 default to yes (root may log in with a password), while 7.0 and later default to prohibit-password (root may log in only with a key). Set the option explicitly so the behavior does not depend on the sshd version installed.
Warning: The SSH and rkhunter configuration options should be the same
This means that sshd is configured to either allow or deny root logins and rkhunter's own setting says the opposite. For example, you may see this reported by rkhunter:
SSH configuration option 'PermitRootLogin': yes Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
rkhunter does not enforce your SSH configuration; it only compares the two values. ASL does enforce it. So if you have configured ASL to manage your SSH settings, you can ignore this warning as long as sshd is set the way you want. If you wish to use rkhunter to alert you about your SSH settings, set ALLOW_SSH_ROOT_USER in rkhunter.conf to match PermitRootLogin in sshd_config. ASL does this automatically for its own vulnerability management system: it configures SSH the way you tell it to, enforces that setting, and notifies you if the setting presents a risk.
We recommend disabling this check in rkhunter, since it duplicates the alerting in ASL, and ASL can also configure SSH according to what you tell it to do, which rkhunter cannot.
Please see these settings in ASL for more information about SSH:
https://www.atomicorp.com/wiki/index.php/ASL_Configuration#SSH_daemon_configuration
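The following is an added example, not code from rkhunter or ASL, of the comparison behind the two SSH warnings above. It reads the value sshd will actually use for PermitRootLogin (the first occurrence outside any Match block, case-insensitively; a commented line does not count) and the ALLOW_SSH_ROOT_USER value from rkhunter.conf, then reports whether they agree. The sshd_config and rkhunter.conf contents are constructed so it runs offline; on a host use /etc/ssh/sshd_config and /etc/rkhunter.conf, and confirm the live value with sshd -T | grep -i permitrootlogin.

```shell
#!/bin/sh
# Added example: does rkhunter's ALLOW_SSH_ROOT_USER match what sshd will do?

# sshd takes the FIRST PermitRootLogin it meets outside any Match block.
# Keywords are case-insensitive; lines beginning with # are comments.
# Prints "unset" when the keyword is absent (sshd then uses its default).
effective_permit_root_login() {
  awk '
    tolower($1) == "match" { inmatch = 1 }
    !inmatch && tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }' "$1"
}

# rkhunter.conf: the last ALLOW_SSH_ROOT_USER assignment wins; quotes and
# surrounding whitespace are stripped. Commented lines do not match.
rkhunter_allow_ssh_root() {
  awk -F= '
    $1 == "ALLOW_SSH_ROOT_USER" { v = $2; gsub(/["\t ]/, "", v) }
    END { print (v == "" ? "unset" : tolower(v)) }' "$1"
}

# Exit 0 and say "agree" only when both sides say yes or both say no;
# anything else (including "unset" on either side) is reported as a mismatch.
ssh_rkhunter_agree() {
  ssh=$(effective_permit_root_login "$1")
  rk=$(rkhunter_allow_ssh_root "$2")
  case "$ssh:$rk" in
    yes:yes|no:no) echo "agree: PermitRootLogin=$ssh ALLOW_SSH_ROOT_USER=$rk"; return 0 ;;
    *) echo "mismatch: PermitRootLogin=$ssh ALLOW_SSH_ROOT_USER=$rk"; return 1 ;;
  esac
}

SSHD_CONF=$(mktemp); RK_GOOD=$(mktemp); RK_BAD=$(mktemp)
trap 'rm -f "$SSHD_CONF" "$RK_GOOD" "$RK_BAD"' EXIT
# Constructed sshd_config: a commented "yes", a live "no", and a Match
# block that must be ignored when reading the global value.
cat > "$SSHD_CONF" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
printf 'ALLOW_SSH_ROOT_USER=no\n' > "$RK_GOOD"
printf 'ALLOW_SSH_ROOT_USER="yes"\n' > "$RK_BAD"

ssh_rkhunter_agree "$SSHD_CONF" "$RK_GOOD" || true
ssh_rkhunter_agree "$SSHD_CONF" "$RK_BAD" || true
```

The first call prints "agree", the second a mismatch, which is the condition the warning describes. If you keep the rkhunter check, the fix is always to change rkhunter.conf to describe what sshd does, never to change sshd to satisfy rkhunter; ALLOW_SSH_ROOT_USER is a statement of policy, not a control.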
Warning: Suspicious file types found in /dev: <somefile> ASCII text
rkhunter, by default, follows the conventions laid out for /dev, which is not supposed to contain ASCII text files. One component of some RHEL and CentOS systems is known to put them there: udev. On those systems you may see alerts such as these:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:mouse2: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
These udev database files are benign, but they are not a bug in rkhunter either: it applies the standard for /dev correctly and is correctly alerting on a non-standard condition.
If the text files reported are not udev's, that may be a sign of malicious code on your system; investigate them as described above.
Warning: The file '/foo/bar' exists on the system, but it is not present in the rkhunter.dat file.
rkhunter has its own file integrity checking system, which stores file properties in rkhunter.dat. ASL has its own independent and more robust file integrity checking system and does not use this part of rkhunter, although it is left enabled for users whose custom scripts depend on it. If you wish to use this capability in rkhunter, you will have to update rkhunter's stored properties yourself, each time, after judging whether a change was authorized. ASL does this automatically for its own file integrity checking system, so you may prefer to disable this check in rkhunter or simply ignore these warnings.
If you do want to use this part of rkhunter, then for each reported file you will need to:
- confirm that the file is in fact legitimate
- confirm that the change was authorized
- update the rkhunter database to reflect it. The command to update the stored properties of a single file is:
rkhunter --propupd /path/to/file
Run --propupd only after the first two steps: updating the database for a file you have not verified simply teaches rkhunter to accept whatever is there now.
Warning: The file '/foo/bar' does not exist on the system, but it is present in the rkhunter.dat file.
This is the mirror image of the previous warning: a file that rkhunter recorded on an earlier run is now gone. The same explanation applies, and so does the same procedure: 1) confirm that the file's removal is legitimate, 2) confirm that it was authorized, and 3) update the rkhunter database to reflect it with:
rkhunter --propupd /path/to/file
Warning: Suspicious file types found in /dev:
This could be a sign of an intrusion, so read this section carefully. rkhunter looks for files in places where they should not be. Text files were never supposed to appear in /dev, but recent changes to udev have it store its device database there as text files, and udev is the only known legitimate application that does this. Here is an example of a udev text file:
/dev/.udev/db/class@misc@tun: ASCII text
If all the files reported are udev files like this, it generally means that you need to upgrade rkhunter and replace your rkhunter.conf with the shipped rkhunter.conf.rpmnew, which contains new directives that address this. Before step 2, copy your current rkhunter.conf somewhere safe and diff it against the .rpmnew file, so that you do not lose local settings such as your own ALLOWDEVFILE or ALLOWHIDDENFILE entries. Then run these commands as root:
Step 1) yum -y upgrade rkhunter
Step 2) cp /etc/rkhunter.conf.rpmnew /etc/rkhunter.conf
Step 3) asl -s -f
If you see text files in /dev that are not associated with udev, this may be an indication that your system has been compromised.
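The three "Suspicious file types found in /dev" entries on this page all come down to the same triage: list the regular files in /dev that look like text, set aside the ones under udev's database, and explain whatever is left by hand. The following added example, which is not rkhunter's code, does that walk. It classifies a file as text when it contains nothing but printable and whitespace bytes, a rough stand-in for what file(1) calls "ASCII text", and takes the allowlist as an extended regex so you can mirror your ALLOWDEVFILE entries. The directory tree it scans is constructed in a temp directory (the file names are invented) so it runs offline; on a host call it as suspicious_dev_files /dev '^/dev/\.udev/db/'.

```shell
#!/bin/sh
# Added example: list text files in a /dev-like tree that are not udev's.

# A regular, non-empty file counts as text when it holds only printable and
# whitespace bytes (checked in the C locale so the test is byte-based).
is_text_file() {
  [ -f "$1" ] && [ -s "$1" ] || return 1
  [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# $1 = directory to scan, $2 = extended regex for paths allowed to be text
# (default: udev's database). Prints each unexplained text file, one per line.
suspicious_dev_files() {
  dir=$1; allow=$2
  [ -n "$allow" ] || allow='/\.udev/db/'
  find "$dir" -type f 2>/dev/null | sort | while read -r f; do
    is_text_file "$f" || continue
    printf '%s\n' "$f" | grep -Eq "$allow" && continue
    printf '%s\n' "$f"
  done
}

DEVTEST=$(mktemp -d)
trap 'rm -rf "$DEVTEST"' EXIT
mkdir -p "$DEVTEST/.udev/db" "$DEVTEST/shm"
# Constructed udev record for eth0: text, but expected and allowlisted.
printf 'N:eth0\nS:net/eth0\n' > "$DEVTEST/.udev/db/net:eth0"
# Constructed hidden shell script dropped under shm: text, not udev, reported.
printf '#!/bin/sh\n# placeholder payload for the example\n' > "$DEVTEST/shm/.s.sh"
# Constructed binary blob (like a POSIX semaphore file): not text, ignored.
printf '\000\001\002\377' > "$DEVTEST/shm/sem.app"

suspicious_dev_files "$DEVTEST"
```

On the sample tree only the hidden script under shm is printed. Anything the real run prints deserves stat, file and strings, a look at who owns it and when it was created, and lsof to see whether a process has it open. Give scripts under /dev/shm top priority: it is a world-writable tmpfs and a common drop location precisely because its contents vanish on reboot.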
proftp errors
CRITICAL:3:a programming/runtime error on proftp upgrade
If you receive an error like this:
psa-proftpd-1.3.3e-1.el5.art.x86_64.rpm | 2.0 MB 00:04
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : psa-proftpd 1/1
CRITICAL:3:a programming/runtime error
CRITICAL:3:a programming/runtime error
error: %trigger(psa-triggers-10.10.1-cos5.build1010110207.15.noarch) scriptlet failed, exit status 3
error: %trigger(psa-triggers-10.11.0-cos5.build1011110331.11.noarch) scriptlet failed, exit status 3
Installed: psa-proftpd.x86_64 0:1.3.3e-1.el5.art
This is not caused by ASL. psa-triggers is a package from Parallels; it is not part of psa-proftpd, and its failure has no adverse effect on the installation or upgrade of Atomicorp's psa-proftpd. Report this bug to Parallels if it causes you problems with their software.
Detailed Explanation:
On RPM-based Linux systems a package can declare trigger scriptlets (%triggerin, %triggerun and related sections) that RPM runs whenever some other, named package is installed, upgraded or removed. The trigger belongs to the package that declares it, not to the package that sets it off: the triggered package does not contain it, did not ask for it, and its authors have no control over it. It is a feature of the operating system's package management, and any third-party package can hang a trigger on any other package.
In this case another package (Plesk's psa-triggers) has declared triggers on psa-proftpd, so whenever psa-proftpd changes, RPM runs psa-triggers' scriptlet. Nothing in proftpd, its package or its upgrade requests this. Here the proftpd upgrade completed successfully, and then the third-party scriptlet (from Plesk) failed with exit status 3 because of a bug in that scriptlet, not in proftpd or its upgrade. You can see which packages hang triggers on psa-proftpd with rpm -q --triggeredby psa-proftpd, and the scriptlets themselves with rpm -q --triggers psa-triggers. As the message says:
Installed: psa-proftpd.x86_64 0:1.3.3e-1.el5.art
The software was installed/upgraded successfully.
The error message:
CRITICAL:3:a programming/runtime error
CRITICAL:3:a programming/runtime error
error: %trigger(psa-triggers-10.10.1-cos5.build1010110207.15.noarch) scriptlet failed, exit status 3
error: %trigger(psa-triggers-10.11.0-cos5.build1011110331.11.noarch) scriptlet failed, exit status 3
is reported by the external and unrelated psa-triggers package from Parallels. It has no effect on the Atomicorp psa-proftpd package: it does not prevent or affect its installation, upgrade or change. The message is external to the proftpd upgrade and is not related to any software from Atomicorp.com.
This is a bug in Plesk. It is not something in ASL or proftpd, nor is it something the proftpd package from Atomicorp requests or executes.
Report it to the vendor as a bug in their software (in the example above, a bug in PSA 10).
Fatal: unknown configuration directive 'ClamAV' on line 1 of '/etc/proftp-asl.conf'
Explanation:
This means that you are not running the Atomicorp build of ProFTPD, which is the build that understands the ClamAV directive used for malware upload scanning. Some other party's proftpd build is installed, and it does not recognise the directive.
Some products (such as Plesk/PSA microupdates) install a different proftpd build over the Atomicorp one. They do not update the RPM database when they do so, so querying installed packages will still report that the Atomicorp psa-proftpd is installed when it is not. You can confirm the overwrite with rpm -V psa-proftpd, which will list the replaced files as changed.
This error is conclusive proof that the system is not running the Atomicorp version of psa-proftpd.
Solution:
Reinstall the Atomicorp version of Proftp:
yum reinstall psa-proftpd psa-proftpd-xinetd
If you attempt to reinstall our version of proftpd and you get an error from yum similar to this:
yum reinstall psa-proftpd psa-proftpd-xinetd
Loaded plugins: fastestmirror
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * addons: centos.kiewel-online.ch
 * atomic: www7.atomicorp.com
 * base: centos.kiewel-online.ch
 * extras: centos.kiewel-online.ch
 * rpmforge: ftp-stud.fht-esslingen.de
 * updates: centos.kiewel-online.ch
Installed package psa-proftpd-1.3.3c-3.el5.art.x86_64 not available.
Installed package psa-proftpd-xinetd-1.3.3c-3.el5.art.x86_64 not available.
Nothing to do
This means one of the following: yum is configured to exclude proftpd, yum-priorities is installed and ranking another repository above ASL's, the ASL repository is disabled, or third-party repositories configured on the system are confusing yum so that it cannot find the package in an enabled repository.
Steps to troubleshoot your yum configuration:
Step 1)
Disable all third-party repositories (set enabled=0 in their files under /etc/yum.repos.d/, or pass --disablerepo=<name> to yum for a one-off run).
Step 2)
Remove yum-priorities if it is installed:
yum remove yum-priorities
Step 3)
Check your yum configuration to make sure you do not have anything excluded. Exclude entries are sometimes added to /etc/yum.conf or in your /etc/yum.repos.d/ directory, and will look similar to this example:
exclude=psa-proftp*
Remove these entries.
Step 4)
Check to make sure the ASL repository is enabled. The ASL repository configuration is stored in the /etc/yum.repos.d directory in a file named "asl.repo". That file defines three ASL "channels":
- asl-2.0
- asl-2.0-testing
- asl-2.0-bleeding
Ensure that under the [asl-2.0] heading you see this line:
enabled=1
That means the channel is enabled. You do not need to enable the asl-2.0-testing or asl-2.0-bleeding channels; they carry beta and test software and are not supported.
A working configuration looks similar to this (your channel credentials appear in the baseurl lines, so keep the file readable only by root and redact them before pasting it into a support ticket):
[asl-2.0]
name=Atomicorp - Atomic Secured Linux 2.0
baseurl=http://username:password@atomicorp.com/channels/asl-2.0/centos/5/x86_64
enabled=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck=1

[asl-2.0-testing]
name=Atomicorp - Atomic Secured Linux 2.0 (TESTING)
baseurl=http://username:password@atomicorp.com/channels/asl-2.0-testing/centos/5/x86_64
enabled=0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck=1

[asl-2.0-bleeding]
name=Atomicorp - Atomic Secured Linux 2.0 (BLEEDING)
baseurl=http://username:password@atomicorp.com/channels/asl-2.0-bleeding/centos/5/x86_64
enabled=0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck=1
Do not change any other settings in this file.
Step 5) Attempt to reinstall again
yum reinstall psa-proftpd psa-proftpd-xinetd
If this still fails, it may be because your system has a very old version of psa-proftpd that is no longer carried in the repository, and you need to upgrade instead of reinstalling. In that case, run this command as root:
yum upgrade psa-proftpd psa-proftpd-xinetd
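The steps above are easy to get wrong by hand on a box with a dozen .repo files, so the following added example (not part of ASL) checks the same things mechanically: exclude= lines that would block psa-proftpd, priority= lines left behind by yum-priorities, whether the asl-2.0 channel is enabled, and which repositories other than the stock CentOS ones and asl-2.0 are still enabled. It assumes the stock repository names are base, updates, extras and addons. Two constructed configurations, one broken and one fixed, stand in for /etc/yum.conf and /etc/yum.repos.d so it runs offline; on a host call it as audit_yum_for_asl /etc/yum.conf /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example: audit a yum configuration for the problems listed in the
# troubleshooting steps. Prints one line per finding; returns 1 if there
# was any finding and 0 if the configuration is clean.
audit_yum_for_asl() {
  conf=$1; repos=$2; rc=0
  for f in "$conf" "$repos"/*.repo; do
    [ -f "$f" ] || continue
    hit=$(grep -in '^[[:space:]]*exclude[[:space:]]*=.*proftp' "$f") && { printf 'EXCLUDE %s:%s\n' "$f" "$hit"; rc=1; }
    hit=$(grep -in '^[[:space:]]*priority[[:space:]]*=' "$f") && { printf 'PRIORITY %s:%s\n' "$f" "$hit"; rc=1; }
  done
  # First enabled= line inside the [asl-2.0] section must be 1.
  state=$(awk '/^\[/ { sec = $0 }
               sec == "[asl-2.0]" && /^[ \t]*enabled[ \t]*=/ {
                 sub(/^[ \t]*enabled[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$repos"/*.repo 2>/dev/null)
  [ "$state" = "1" ] || { printf 'ASL-DISABLED asl-2.0 enabled=%s\n' "${state:-missing}"; rc=1; }
  # Every other enabled section that is not a stock CentOS repo (assumed
  # names: base, updates, extras, addons) is a third-party repository.
  extra=$(awk '/^\[/ { sec = substr($0, 2, index($0, "]") - 2) }
               /^[ \t]*enabled[ \t]*=[ \t]*1[ \t]*$/ { print sec }' "$repos"/*.repo 2>/dev/null |
          grep -Ev '^(base|updates|extras|addons|asl-2\.0)$') && { printf '%s\n' "$extra" | sed 's/^/THIRD-PARTY /'; rc=1; }
  return $rc
}

# Build a constructed /etc/yum.conf + /etc/yum.repos.d under $1.
# $2 = extra yum.conf line, $3 = rpmforge enabled value, $4 = extra rpmforge line.
make_fixture() {
  mkdir -p "$1/yum.repos.d"
  printf '[main]\ncachedir=/var/cache/yum\n%s\n' "$2" > "$1/yum.conf"
  printf '[base]\nname=CentOS Base\nenabled=1\n\n[updates]\nname=CentOS Updates\nenabled=1\n' > "$1/yum.repos.d/CentOS-Base.repo"
  printf '[asl-2.0]\nname=Atomicorp - Atomic Secured Linux 2.0\nenabled=1\ngpgcheck=1\n\n[asl-2.0-testing]\nenabled=0\n' > "$1/yum.repos.d/asl.repo"
  printf '[rpmforge]\nname=RPMforge\nenabled=%s\n%s\n' "$3" "$4" > "$1/yum.repos.d/rpmforge.repo"
}

BAD=$(mktemp -d); GOOD=$(mktemp -d)
trap 'rm -rf "$BAD" "$GOOD"' EXIT
make_fixture "$BAD"  'exclude=psa-proftp*' 1 'priority=1'   # the broken host
make_fixture "$GOOD" '' 0 ''                                # after the steps above

echo "== broken configuration"
audit_yum_for_asl "$BAD/yum.conf" "$BAD/yum.repos.d" || echo "(problems found)"
echo "== fixed configuration"
audit_yum_for_asl "$GOOD/yum.conf" "$GOOD/yum.repos.d" && echo "(clean)"
```

On the broken fixture it reports the exclude line in yum.conf, the priority line and the enabled rpmforge repository, and returns 1; on the fixed fixture it prints nothing and returns 0, at which point yum reinstall psa-proftpd psa-proftpd-xinetd should be able to find the package. The check reads only the files; it does not ask yum, so a repository disabled on the command line or a plugin that rewrites the configuration at runtime is outside what it can see.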