
Thread: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

  1. #1

    Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    Hello everybody,

    After an OpenSuSE 12.2 fresh install:
    • Rkhunter tells me that there is an "unknown rootkit" !!!
    • Chkrootkit tells me that there is a "suckit rootkit" infection !!!


    Is there anybody who has made these scans and had similar warnings??? (I am just hoping that they are false positives.)

  2. #2

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    I got these warnings from rkhunter after installing 12.2.

    Code:
    Warning: The following processes are using suspicious files:
             Command: cron
               UID: 0    PID: 1580
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: cron
               UID: 0    PID: 7082
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: egrep
               UID: 0    PID: 8573
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: rkhunter
               UID: 0    PID: 16316
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: run-crons
               UID: 0    PID: 7086
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: sh
               UID: 0    PID: 7084
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: sort
               UID: 0    PID: 8574
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: suse.de-rkhunte
               UID: 0    PID: 12088
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
             Command: uniq
               UID: 0    PID: 8575
               Pathname: /etc/crontab
               Possible Rootkit: Unknown rootkit
    As far as I know, they're false positives, but I'm no expert on these things.

    I added these two lines to /etc/rkhunter.conf.local:

    Code:
    RTKT_FILE_WHITELIST="/etc/crontab"
    USER_FILEPROP_FILES_DIRS="/etc/crontab"

  3. #3

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    Quote Originally Posted by RANGOOO
    Hello everybody,

    After an OpenSuSE 12.2 fresh install:
    • Rkhunter tells me that there is an "unknown rootkit" !!!
    • Chkrootkit tells me that there is a "suckit rootkit" infection !!!


    Is there anybody who has made these scans and had similar warnings??? (I am just hoping that they are false positives.)
    Please, like @londy, always show what your computer shows (between CODE tags) and do not only tell a story.
    Henk van Velden

  4. #4

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    Quote Originally Posted by hcvv
    Please, like @londy, always show what your computer shows (between CODE tags) and do not only tell a story.

    • OS: OpenSuse 12.2 (64bit)
    • Rkhunter log:

    Code:
    [14:19:48] Info: Starting test name 'malware'
    [14:19:48] Performing malware checks
    [14:19:48]
    [14:19:48] Info: Test 'deleted_files' disabled at users request.
    [14:19:48]
    [14:19:48] Info: Starting test name 'running_procs'
    [14:19:49]   Checking running processes for suspicious files [ Warning ]
    [14:19:49] Warning: The following processes are using suspicious files:
    [14:19:49]          Command: cron
    [14:19:49]            UID: 0    PID: 5207
    [14:19:49]            Pathname: /etc/crontab
    [14:19:49]            Possible Rootkit: Unknown rootkit
    [14:19:49]
    [14:19:49] Info: Test 'hidden_procs' disabled at users request.
    [14:19:49]
    [14:19:49] Info: Test 'suspscan' disabled at users request.
    [14:19:49]
    [14:19:49] Info: Starting test name 'other_malware'
    [14:19:49]   Performing check for login backdoors
    [14:19:49]     Checking for '/bin/.login'                    [ Not found ]
    [14:19:49]     Checking for '/sbin/.login'                   [ Not found ]
    [14:19:49]   Checking for login backdoors                    [ None found ]
    [14:19:49]
    [14:19:49]   Performing check for suspicious directories
    [14:19:49]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
    [14:19:49]     Checking for directory '/dev/rd/cdb'          [ Not found ]
    [14:19:49]   Checking for suspicious directories             [ None found ]
    [14:19:50]
    [14:19:50]   Checking for software intrusions                [ Skipped ]
    [14:19:50] Info: Check skipped - tripwire not installed
    [14:19:50]
    [14:19:50]   Performing check for sniffer log files
    [14:19:50]     Checking for file '/usr/lib/libice.log'       [ Not found ]
    [14:19:50]     Checking for file '/dev/prom/sn.l'            [ Not found ]
    [14:19:50]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
    [14:19:50]   Checking for sniffer log files                  [ None found ]
    [14:19:50]
    [14:19:50] Info: Starting test name 'trojans'
    [14:19:50] Performing trojan specific checks
    [14:19:50]   Checking for enabled inetd services             [ Skipped ]
    [14:19:50] Info: Check skipped - file '/etc/inetd.conf' does not exist.
    [14:19:50]
    [14:19:50]   Performing check for enabled xinetd services
    [14:19:50] Info: Using xinetd configuration file '/etc/xinetd.conf'
    [14:19:50]     Checking '/etc/xinetd.conf' for enabled services [ None found ]
    [14:19:50]       Found 'includedir /etc/xinetd.d' directive
    [14:19:50]     Checking '/etc/xinetd.d/chargen' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/chargen-udp' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/daytime' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/daytime-udp' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/discard' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/discard-udp' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/echo' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/echo-udp' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/netstat' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/rsync' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/sane-port' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/servers' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/services' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/swat' for enabled services [ None found ]
    [14:19:50]     Checking '/etc/xinetd.d/systat' for enabled services [ None found ]
    [14:19:51]     Checking '/etc/xinetd.d/time' for enabled services [ None found ]
    [14:19:51]     Checking '/etc/xinetd.d/time-udp' for enabled services [ None found ]
    [14:19:51]     Checking '/etc/xinetd.d/vnc' for enabled services [ None found ]
    [14:19:51]   Checking for enabled xinetd services            [ None found ]
    [14:19:51] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
    [14:19:51]
    [14:19:51] Info: Starting test name 'os_specific'
    [14:19:51] Performing Linux specific checks
    [14:19:51]   Checking loaded kernel modules                  [ OK ]
    [14:19:51] Info: Using modules pathname of '/lib/modules/3.4.6-2.10-desktop'
    [14:19:51]   Checking kernel module names                    [ OK ]
    [14:19:51]
    [14:19:51] Info: Starting test name 'network'
    [14:19:51] Checking the network...
    [14:19:51]
    [14:19:51] Performing checks on the network ports
    [14:19:51] Info: Starting test name 'ports'
    [14:19:51]   Performing check for backdoor ports
    [14:19:51]     Checking for TCP port 1524                    [ Not found ]
    [14:19:51]     Checking for TCP port 1984                    [ Not found ]
    [14:19:51]     Checking for UDP port 2001                    [ Not found ]
    [14:19:51]     Checking for TCP port 2006                    [ Not found ]
    [14:19:51]     Checking for TCP port 2128                    [ Not found ]
    [14:19:51]     Checking for TCP port 6666                    [ Not found ]
    [14:19:51]     Checking for TCP port 6667                    [ Not found ]
    [14:19:51]     Checking for TCP port 6668                    [ Not found ]
    [14:19:52]     Checking for TCP port 6669                    [ Not found ]
    [14:19:52]     Checking for TCP port 7000                    [ Not found ]
    [14:19:52]     Checking for TCP port 13000                   [ Not found ]
    [14:19:52]     Checking for TCP port 14856                   [ Not found ]
    [14:19:52]     Checking for TCP port 25000                   [ Not found ]
    [14:19:52]     Checking for TCP port 29812                   [ Not found ]
    [14:19:52]     Checking for TCP port 31337                   [ Not found ]
    [14:19:52]     Checking for TCP port 32982                   [ Not found ]
    [14:19:52]     Checking for TCP port 33369                   [ Not found ]
    [14:19:52]     Checking for TCP port 47107                   [ Not found ]
    [14:19:52]     Checking for TCP port 47018                   [ Not found ]
    [14:19:52]     Checking for TCP port 60922                   [ Not found ]
    [14:19:52]     Checking for TCP port 62883                   [ Not found ]
    [14:19:52]     Checking for TCP port 65535                   [ Not found ]
    [14:19:52]   Checking for backdoor ports                     [ None found ]
    [14:19:52]
    [14:19:52] Info: Test 'hidden_ports' disabled at users request.
    [14:19:52]
    [14:19:52] Performing checks on the network interfaces
    [14:19:52] Info: Starting test name 'promisc'
    [14:19:52]   Checking for promiscuous interfaces             [ None found ]
    [14:19:53]
    [14:19:53] Info: Test 'packet_cap_apps' disabled at users request.
    [14:19:53]
    [14:19:53] Info: Starting test name 'local_host'
    [14:19:53] Checking the local host...
    [14:19:53]
    [14:19:53] Info: Starting test name 'startup_files'
    [14:19:53] Performing system boot checks
    [14:19:53]   Checking for local host name                    [ Found ]
    [14:19:53]
    [14:19:53] Info: Starting test name 'startup_malware'
    [14:19:53] Info: Using system startup paths: /etc/init.d /etc/inittab
    [14:19:53]   Checking for system startup files               [ Found ]
    [14:19:55]   Checking system startup files for malware       [ None found ]
    [14:19:55]
    [14:19:55] Info: Starting test name 'group_accounts'
    [14:19:55] Performing group and account checks
    [14:19:55]   Checking for passwd file                        [ Found ]
    [14:19:55] Info: Found password file: /etc/passwd
    [14:19:55]   Checking for root equivalent (UID 0) accounts   [ None found ]
    [14:19:55] Info: Found shadow file: /etc/shadow
    [14:19:55]   Checking for passwordless accounts              [ None found ]
    [14:19:55]
    [14:19:55] Info: Starting test name 'passwd_changes'
    [14:19:55]   Checking for passwd file changes                [ Warning ]
    [14:19:55] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
    [14:19:55]
    [14:19:55] Info: Starting test name 'group_changes'
    [14:19:55]   Checking for group file changes                 [ Warning ]
    [14:19:55] Warning: Unable to check for group file differences: no copy of the group file exists.
    [14:19:55]   Checking root account shell history files       [ OK ]
    [14:19:55]
    [14:19:55] Info: Starting test name 'system_configs'
    [14:19:55] Performing system configuration file checks
    [14:19:55]   Checking for SSH configuration file             [ Found ]
    [14:19:55] Info: Found SSH configuration file: /etc/ssh/sshd_config
    [14:19:55] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
    [14:19:55] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
    [14:19:55]   Checking if SSH root access is allowed          [ Warning ]
    [14:19:55] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
               The default value may be 'yes', to allow root access.
    [14:19:55]   Checking if SSH protocol v1 is allowed          [ Warning ]
    [14:19:55] Warning: The SSH configuration option 'Protocol' has not been set.
               The default value may be '2,1', to allow the use of protocol version 1.
    [14:19:55]   Checking for running syslog daemon              [ Found ]
    [14:19:55] Info: Found rsyslog configuration file: /etc/rsyslog.conf
    [14:19:55]   Checking for syslog configuration file          [ Found ]
    [14:19:55]   Checking if syslog remote logging is allowed    [ Not allowed ]
    [14:19:55]
    [14:19:55] Info: Starting test name 'filesystem'
    [14:19:55] Performing filesystem checks
    [14:19:56] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [14:19:56] Info: Found file '/dev/shm/pulse-shm-2540841389': it is whitelisted.
    [14:19:56] Info: Found file '/dev/shm/pulse-shm-3709611046': it is whitelisted.
    [14:19:56] Info: Found file '/dev/shm/pulse-shm-4108338592': it is whitelisted.
    [14:19:56] Info: Found file '/dev/shm/pulse-shm-3591046746': it is whitelisted.
    [14:19:56] Info: Found file '/dev/shm/pulse-shm-1216186442': it is whitelisted.
    [14:19:56]   Checking /dev for suspicious file types         [ Warning ]
    [14:19:56] Warning: Suspicious file types found in /dev:
    [14:19:56]          /dev/.sysconfig/network/new-stamp-3: ASCII text
    [14:19:56]          /dev/.sysconfig/network/new-stamp-2: ASCII text
    [14:19:56]   Checking for hidden files and directories       [ Warning ]
    [14:19:56] Warning: Hidden directory found: '/dev/.sysconfig'
    [14:19:56] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
    [14:19:56] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
    [14:19:56]
    [14:19:56] Info: Starting test name 'apps'
    [14:19:56] Checking application versions...
    [14:19:56] Info: Application 'exim' not found.
    [14:19:56]   Checking version of GnuPG                       [ OK ]
    [14:19:56] Info: Application 'gpg' version '2.0.19' found.
    [14:19:56] Info: Application 'httpd' not found.
    [14:19:56] Info: Application 'named' not found.
    [14:19:56]   Checking version of OpenSSL                     [ OK ]
    [14:19:56] Info: Application 'openssl' version '1.0.1c' found.
    [14:19:56] Info: Application 'php' not found.
    [14:19:56] Info: Application 'procmail' not found.
    [14:19:56] Info: Application 'proftpd' not found.
    [14:19:57]   Checking version of OpenSSH                     [ OK ]
    [14:19:57] Info: Application 'sshd' version '6.0p1' found.
    [14:19:57] Info: Applications checked: 3 out of 9
    [14:19:57]
    [14:19:57] System checks summary
    [14:19:57] =====================
    [14:19:57]
    [14:19:57] File properties checks...
    [14:19:57] Files checked: 170
    [14:19:57] Suspect files: 0
    [14:19:57]
    [14:19:57] Rootkit checks...
    [14:19:57] Rootkits checked : 194
    [14:19:57] Possible rootkits: 1
    [14:19:57] Rootkit names    : Unknown rootkit
    [14:19:57]
    [14:19:57] Applications checks...
    [14:19:57] Applications checked: 3
    [14:19:57] Suspect applications: 0
    [14:19:57]
    [14:19:57] The system checks took: 1 minute and 25 seconds
    [14:19:57]
    [14:19:57] Info: End date is Tue Sep 11 14:19:57 CEST 2012
    • After a reinstall, chkrootkit did not work and I got:

    Code:
     chkrootkit: can't find `strings'.
    PS: before the reinstall I got the following warning (that seems to be a bug):

    Code:
     Searching for Suckit rootkit... Warning: /sbin/init INFECTED
    Thx for your help
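
The warnings in #2 and #4 both come from rkhunter's 'running_procs' test and both point at /etc/crontab. Before whitelisting, a practitioner would want to know whether the flagged file still matches the package that installed it. The script below is an added example, not code from the thread, from rkhunter or from openSUSE: it pulls the distinct "Pathname:" values out of a log excerpt (constructed here to match the format above), checks each one with rpm -Vf, and prints the two rkhunter.conf.local settings londy used only for files that match their package. The sample log, the function names and the 0/1/2 exit-code convention are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter itself.
# Triage the 'running_procs' warning: extract the flagged pathnames from a log
# excerpt, verify each file against the RPM that owns it, and only print the
# rkhunter.conf.local whitelist lines for files that match their package.
# The log text below is constructed to match the format shown in the thread.

SAMPLE_LOG='[14:19:49] Warning: The following processes are using suspicious files:
[14:19:49]          Command: cron
[14:19:49]            UID: 0    PID: 5207
[14:19:49]            Pathname: /etc/crontab
[14:19:49]            Possible Rootkit: Unknown rootkit
[14:19:49]          Command: run-crons
[14:19:49]            UID: 0    PID: 7086
[14:19:49]            Pathname: /etc/crontab
[14:19:49]            Possible Rootkit: Unknown rootkit
[14:19:49]          Command: sh
[14:19:49]            UID: 0    PID: 7084
[14:19:49]            Pathname: /usr/local/bin/example-tool
[14:19:49]            Possible Rootkit: Unknown rootkit'

# flagged_paths <log-text>: distinct "Pathname:" values, one per line, sorted.
flagged_paths() {
    printf '%s\n' "$1" | sed -n 's/^.*Pathname:[[:space:]]*//p' | sort -u
}

# verify_against_rpm <path>: 0 = file matches its package manifest,
# 1 = rpm -V reports a difference (size, digest, mode, owner, mtime ...),
# 2 = rpm is not available or no package owns the file (unpackaged: inspect by hand).
verify_against_rpm() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -qf "$1" >/dev/null 2>&1 || return 2
    # rpm -Vf lists every file of the owning package that differs; keep only ours
    # (the path is the last field of each verify line).
    diffs=$(rpm -Vf "$1" 2>/dev/null | awk -v p="$1" '$NF == p')
    [ -z "$diffs" ]
}

# whitelist_lines <path>: the two settings londy added in /etc/rkhunter.conf.local.
whitelist_lines() {
    printf 'RTKT_FILE_WHITELIST="%s"\nUSER_FILEPROP_FILES_DIRS="%s"\n' "$1" "$1"
}

# triage <log-text>: one verdict per flagged path.
triage() {
    flagged_paths "$1" | while IFS= read -r p; do
        verify_against_rpm "$p" && rc=0 || rc=$?
        case $rc in
            0) printf 'OK        %s matches its package; whitelist lines:\n' "$p"
               whitelist_lines "$p" | sed 's/^/            /' ;;
            1) printf 'MODIFIED  %s differs from its package: read it before trusting it\n' "$p" ;;
            *) printf 'UNKNOWN   %s is unpackaged or rpm is unavailable: inspect manually\n' "$p" ;;
        esac
    done
}

triage "$SAMPLE_LOG"
```

Note that /etc/crontab is a config file, so rpm -V marks it with a "c" and will report any cron line added since install; that is exactly the case where the whitelist should not be applied until the added entry is understood. A path with no owning package gets no automatic verdict either way.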

  5. #5

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    Thanks @londy for your response. I'm not an expert either, which is why I do not feel comfortable whitelisting something I do not know!

    @hcvv, I posted an excerpt of my rkhunter.log; do you have similar results? What about chkrootkit?

    I am looking forward to hearing from you !

    Thank you everybody !

  6. #6

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    First, I do not understand why you did a reinstall. Was that from a different repo or any other difference between the earlier install and the new one? Repeating the same installation is rather useless (except when you destroyed parts of the package manually).

    Then, when chkrootkit complains that it can not find strings, that is strange. The tool strings is basically always installed. Try that, my test:
    Code:
    henk@boven:~> which strings
    /usr/bin/strings
    henk@boven:~>
    and thus it is there.

    I do not have installed chkrootkit nor rkhunter. Maybe I am a bit lousy in security (in this subject, not overall) and I am still on 11.4.
    So, in fact, as a forum member, I did not have the intention to answer in this post. As a mod I pointed you to the CODE tags.

    I can find a package chkrootkit in the OSS repo, but I can not find rkhunter, maybe it is in 12.2?

    When I glance through your output, I do not see any alarming issues. The crontab warning is a bit strange, but you did not tell what you found inspecting /etc/crontab.
    Henk van Velden

  7. #7

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    Since I am a newbie and coming from "Windows's world", maybe it seems a little bit paranoid but you would tell me it is Linux and do not be! anyway...

    I thank you for your response. Now I come back to 12.1 and there is no rkhunter warning. Chkrootkit works but gives
    Code:
    Searching for Suckit rootkit... Warning: /sbin/init INFECTED
    which seems to be a bug !!!

    Thank you everybody

  8. #8
    dd@home.dk

    Re: Rkhunter and Chkrootkit Warnings on fresh installed Opensuse 12.2 !!!

    On 09/12/2012 11:06 AM, RANGOOO wrote:
    > I am looking forward to hearing from you !


    there have been many before you asking questions about security:

    how to have it?

    what to do to keep it?

    how to re-get it if not CERTAIN you have *not* been penetrated?

    how to know when you have enough security?

    security is SUCH a huge field i doubt a lot of folks here are willing to
    step up and pass judgment on your system without ever having sat down
    _at_ your machine and run a lot more than just rkhunter, etc..

    and, even if someone does: do you actually *know* if that answer is correct?

    we here are users just like you..
    well, maybe we have been using Linux for a lot of years...or not..

    maybe some are actual working linux admins....or not..

    maybe some really are _experts_ in security....on _their_ system, in
    _their_ environment and to the level _they_ need...

    so i'm not gonna answer for your system, BUT:

    if you download openSUSE from http://software.opensuse.org/

    -check the downloaded iso with the md5 or sha1 code also downloaded from
    software.opensuse.org _then_ you know you have an iso as trustworthy as
    any you can get (i guess)

    - then burn it to a disk, boot from the disk, run the offered "Media
    Check"...but do not install yet!

    - THIS is the time to plan what all you want to install for security
    (like) rkhunter, chkrootkit, tripwire and whatever else you wish to rely
    on...download them now from a *trusted* source, and compare trusted
    check sums on each, and format and then copy them on whatever
    external media you wish to install them from--because you will NOT
    connect to the internet or network prior to running all of those to base
    line what is safe! [remember the centrifuges destroyed in a warm country
    by a virus? i _guess_ they were probably infected by USB keys dropped in
    parking lots, or near the homes of workers known to work with/on/near
    the targets...who plugged them into their own laptops to see what was on
    the thumbdrive and . . .]

    - so then do a full format and install from your known clean openSUSE
    install medium *without* the internet connected

    - then install from your known clean medium rkhunter/etc, READ their
    documentation so you know their strengths and weaknesses...then run them
    against your absolutely known un-penetrated system...and you can *maybe*
    trust that whatever they find is harmless....maybe (most probably--well,
    probably enough that i would trust it--but i doubt if the CIA or NSA would.)

    from then on your machine is only as safe as are your normal security
    procedures...some of mine are: never log into the GUI as root; never run
    any internet app (mail, browser, chat, etc etc etc) as root; and then
    there are lots and lots of other things to do: like never let an
    untrusted individual have free physical access to the machine; don't run
    stuff you don't need (like sshd, ftpd, etc etc etc); and on and on and
    on....

    btw: i do not wear an aluminum foil cap.....it is not thick enough! ;-)

    --
    dd http://goo.gl/PUjnL
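
dd's first step is to check the downloaded ISO against the checksum published beside it before burning and booting the medium. The script below is an added example, not code from the thread or from the openSUSE project: it wraps the GNU checksum tools' -c mode, which reads "<hash>  <filename>" lines from a checksum file, and exercises it on a constructed stand-in image in a temporary directory, once untouched and once with a single byte appended, so the failure case is demonstrated as well as the success case. dd names md5 and sha1; the function takes the algorithm as a parameter, and the demo uses sha256 because that is the stronger choice where the project publishes it. The file names, helper names and fixture contents are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from the openSUSE project.
# The checksum step dd describes: verify a downloaded install image against the
# checksum file published next to it, before burning or booting it.  The GNU
# tools md5sum, sha1sum and sha256sum share the "-c" interface, which reads
# "<hash>  <filename>" lines from the checksum file.  The image and checksum
# files below are constructed in a temporary directory so this runs offline.

# verify_image <checksum-file> <algorithm>: 0 only if every entry in the
# checksum file matches the file of that name in the same directory.
verify_image() {
    sumfile="$1"; algo="$2"
    # Change into the image's directory so the relative names in the file resolve.
    ( cd "$(dirname "$sumfile")" && "${algo}sum" -c "$(basename "$sumfile")" ) >/dev/null 2>&1
}

# make_fixture: a stand-in "image" plus its sha256 file; prints the directory.
make_fixture() {
    work=$(mktemp -d)
    printf 'constructed stand-in for openSUSE-example.iso\n' > "$work/openSUSE-example.iso"
    ( cd "$work" && sha256sum openSUSE-example.iso > openSUSE-example.iso.sha256 )
    printf '%s\n' "$work"
}

# check_intact: an untouched image must verify (returns 0).
check_intact() {
    w=$(make_fixture)
    if verify_image "$w/openSUSE-example.iso.sha256" sha256; then rc=0; else rc=1; fi
    rm -rf "$w"
    return $rc
}

# check_tampered: appending one byte must make verification fail.  Returns 0
# when the corruption is detected, 1 if it slipped through.
check_tampered() {
    w=$(make_fixture)
    printf 'x' >> "$w/openSUSE-example.iso"
    if verify_image "$w/openSUSE-example.iso.sha256" sha256; then rc=1; else rc=0; fi
    rm -rf "$w"
    return $rc
}

if check_intact;   then echo "intact image:   verified OK"; else echo "intact image:   FAILED"; fi
if check_tampered; then echo "tampered image: rejected";    else echo "tampered image: NOT detected"; fi
```

For a real download, the checksum file must come from the project's own site, as dd says, not from the mirror that served the image; if both arrive over the same path, whoever altered the image could alter the checksum file to match. Where the project also signs its checksum file, checking that signature closes the gap a bare hash leaves open.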
