Hello everybody,
After an OpenSuSE 12.2 fresh install:
Is there anybody who would made these scans and would had similar warnings ??? (I am just hoping that they are false positives.)
I got these warnings from rkhunter after installing 12.2.
Warning: The following processes are using suspicious files:
Command: cron
UID: 0 PID: 1580
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: cron
UID: 0 PID: 7082
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: egrep
UID: 0 PID: 8573
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: rkhunter
UID: 0 PID: 16316
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: run-crons
UID: 0 PID: 7086
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: sh
UID: 0 PID: 7084
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: sort
UID: 0 PID: 8574
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: suse.de-rkhunte
UID: 0 PID: 12088
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: uniq
UID: 0 PID: 8575
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
As far as I know, they’re false positive but I’m no expert on these things.
I added these two lines to /etc/rkhunter.conf.local
RTKT_FILE_WHITELIST="/etc/crontab"
USER_FILEPROP_FILES_DIRS="/etc/crontab"
Please. like @londy, allways show what your computer shows (between CODE tags) and do not on y tell a story.
[14:19:48] Info: Starting test name 'malware'
[14:19:48] Performing malware checks
[14:19:48]
[14:19:48] Info: Test 'deleted_files' disabled at users request.
[14:19:48]
[14:19:48] Info: Starting test name 'running_procs'
[14:19:49] Checking running processes for suspicious files Warning ]
[14:19:49] Warning: The following processes are using suspicious files:
[14:19:49] Command: cron
[14:19:49] UID: 0 PID: 5207
[14:19:49] Pathname: /etc/crontab
[14:19:49] Possible Rootkit: Unknown rootkit
[14:19:49]
[14:19:49] Info: Test 'hidden_procs' disabled at users request.
[14:19:49]
[14:19:49] Info: Test 'suspscan' disabled at users request.
[14:19:49]
[14:19:49] Info: Starting test name 'other_malware'
[14:19:49] Performing check for login backdoors
[14:19:49] Checking for '/bin/.login' Not found ]
[14:19:49] Checking for '/sbin/.login' Not found ]
[14:19:49] Checking for login backdoors None found ]
[14:19:49]
[14:19:49] Performing check for suspicious directories
[14:19:49] Checking for directory '/usr/X11R6/bin/.,/copy' Not found ]
[14:19:49] Checking for directory '/dev/rd/cdb' Not found ]
[14:19:49] Checking for suspicious directories None found ]
[14:19:50]
[14:19:50] Checking for software intrusions Skipped ]
[14:19:50] Info: Check skipped - tripwire not installed
[14:19:50]
[14:19:50] Performing check for sniffer log files
[14:19:50] Checking for file '/usr/lib/libice.log' Not found ]
[14:19:50] Checking for file '/dev/prom/sn.l' Not found ]
[14:19:50] Checking for file '/dev/fd/.88/zxsniff.log' Not found ]
[14:19:50] Checking for sniffer log files None found ]
[14:19:50]
[14:19:50] Info: Starting test name 'trojans'
[14:19:50] Performing trojan specific checks
[14:19:50] Checking for enabled inetd services Skipped ]
[14:19:50] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[14:19:50]
[14:19:50] Performing check for enabled xinetd services
[14:19:50] Info: Using xinetd configuration file '/etc/xinetd.conf'
[14:19:50] Checking '/etc/xinetd.conf' for enabled services None found ]
[14:19:50] Found 'includedir /etc/xinetd.d' directive
[14:19:50] Checking '/etc/xinetd.d/chargen' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/chargen-udp' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/daytime' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/daytime-udp' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/discard' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/discard-udp' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/echo' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/echo-udp' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/netstat' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/rsync' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/sane-port' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/servers' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/services' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/swat' for enabled services None found ]
[14:19:50] Checking '/etc/xinetd.d/systat' for enabled services None found ]
[14:19:51] Checking '/etc/xinetd.d/time' for enabled services None found ]
[14:19:51] Checking '/etc/xinetd.d/time-udp' for enabled services None found ]
[14:19:51] Checking '/etc/xinetd.d/vnc' for enabled services None found ]
[14:19:51] Checking for enabled xinetd services None found ]
[14:19:51] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[14:19:51]
[14:19:51] Info: Starting test name 'os_specific'
[14:19:51] Performing Linux specific checks
[14:19:51] Checking loaded kernel modules OK ]
[14:19:51] Info: Using modules pathname of '/lib/modules/3.4.6-2.10-desktop'
[14:19:51] Checking kernel module names OK ]
[14:19:51]
[14:19:51] Info: Starting test name 'network'
[14:19:51] Checking the network...
[14:19:51]
[14:19:51] Performing checks on the network ports
[14:19:51] Info: Starting test name 'ports'
[14:19:51] Performing check for backdoor ports
[14:19:51] Checking for TCP port 1524 Not found ]
[14:19:51] Checking for TCP port 1984 Not found ]
[14:19:51] Checking for UDP port 2001 Not found ]
[14:19:51] Checking for TCP port 2006 Not found ]
[14:19:51] Checking for TCP port 2128 Not found ]
[14:19:51] Checking for TCP port 6666 Not found ]
[14:19:51] Checking for TCP port 6667 Not found ]
[14:19:51] Checking for TCP port 6668 Not found ]
[14:19:52] Checking for TCP port 6669 Not found ]
[14:19:52] Checking for TCP port 7000 Not found ]
[14:19:52] Checking for TCP port 13000 Not found ]
[14:19:52] Checking for TCP port 14856 Not found ]
[14:19:52] Checking for TCP port 25000 Not found ]
[14:19:52] Checking for TCP port 29812 Not found ]
[14:19:52] Checking for TCP port 31337 Not found ]
[14:19:52] Checking for TCP port 32982 Not found ]
[14:19:52] Checking for TCP port 33369 Not found ]
[14:19:52] Checking for TCP port 47107 Not found ]
[14:19:52] Checking for TCP port 47018 Not found ]
[14:19:52] Checking for TCP port 60922 Not found ]
[14:19:52] Checking for TCP port 62883 Not found ]
[14:19:52] Checking for TCP port 65535 Not found ]
[14:19:52] Checking for backdoor ports None found ]
[14:19:52]
[14:19:52] Info: Test 'hidden_ports' disabled at users request.
[14:19:52]
[14:19:52] Performing checks on the network interfaces
[14:19:52] Info: Starting test name 'promisc'
[14:19:52] Checking for promiscuous interfaces None found ]
[14:19:53]
[14:19:53] Info: Test 'packet_cap_apps' disabled at users request.
[14:19:53]
[14:19:53] Info: Starting test name 'local_host'
[14:19:53] Checking the local host...
[14:19:53]
[14:19:53] Info: Starting test name 'startup_files'
[14:19:53] Performing system boot checks
[14:19:53] Checking for local host name Found ]
[14:19:53]
[14:19:53] Info: Starting test name 'startup_malware'
[14:19:53] Info: Using system startup paths: /etc/init.d /etc/inittab
[14:19:53] Checking for system startup files Found ]
[14:19:55] Checking system startup files for malware None found ]
[14:19:55]
[14:19:55] Info: Starting test name 'group_accounts'
[14:19:55] Performing group and account checks
[14:19:55] Checking for passwd file Found ]
[14:19:55] Info: Found password file: /etc/passwd
[14:19:55] Checking for root equivalent (UID 0) accounts None found ]
[14:19:55] Info: Found shadow file: /etc/shadow
[14:19:55] Checking for passwordless accounts None found ]
[14:19:55]
[14:19:55] Info: Starting test name 'passwd_changes'
[14:19:55] Checking for passwd file changes Warning ]
[14:19:55] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[14:19:55]
[14:19:55] Info: Starting test name 'group_changes'
[14:19:55] Checking for group file changes Warning ]
[14:19:55] Warning: Unable to check for group file differences: no copy of the group file exists.
[14:19:55] Checking root account shell history files OK ]
[14:19:55]
[14:19:55] Info: Starting test name 'system_configs'
[14:19:55] Performing system configuration file checks
[14:19:55] Checking for SSH configuration file Found ]
[14:19:55] Info: Found SSH configuration file: /etc/ssh/sshd_config
[14:19:55] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[14:19:55] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[14:19:55] Checking if SSH root access is allowed Warning ]
[14:19:55] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[14:19:55] Checking if SSH protocol v1 is allowed Warning ]
[14:19:55] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[14:19:55] Checking for running syslog daemon Found ]
[14:19:55] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[14:19:55] Checking for syslog configuration file Found ]
[14:19:55] Checking if syslog remote logging is allowed Not allowed ]
[14:19:55]
[14:19:55] Info: Starting test name 'filesystem'
[14:19:55] Performing filesystem checks
[14:19:56] Info: SCAN_MODE_DEV set to 'THOROUGH'
[14:19:56] Info: Found file '/dev/shm/pulse-shm-2540841389': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-3709611046': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-4108338592': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-3591046746': it is whitelisted.
[14:19:56] Info: Found file '/dev/shm/pulse-shm-1216186442': it is whitelisted.
[14:19:56] Checking /dev for suspicious file types Warning ]
[14:19:56] Warning: Suspicious file types found in /dev:
[14:19:56] /dev/.sysconfig/network/new-stamp-3: ASCII text
[14:19:56] /dev/.sysconfig/network/new-stamp-2: ASCII text
[14:19:56] Checking for hidden files and directories Warning ]
[14:19:56] Warning: Hidden directory found: '/dev/.sysconfig'
[14:19:56] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[14:19:56] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[14:19:56]
[14:19:56] Info: Starting test name 'apps'
[14:19:56] Checking application versions...
[14:19:56] Info: Application 'exim' not found.
[14:19:56] Checking version of GnuPG OK ]
[14:19:56] Info: Application 'gpg' version '2.0.19' found.
[14:19:56] Info: Application 'httpd' not found.
[14:19:56] Info: Application 'named' not found.
[14:19:56] Checking version of OpenSSL OK ]
[14:19:56] Info: Application 'openssl' version '1.0.1c' found.
[14:19:56] Info: Application 'php' not found.
[14:19:56] Info: Application 'procmail' not found.
[14:19:56] Info: Application 'proftpd' not found.
[14:19:57] Checking version of OpenSSH OK ]
[14:19:57] Info: Application 'sshd' version '6.0p1' found.
[14:19:57] Info: Applications checked: 3 out of 9
[14:19:57]
[14:19:57] System checks summary
[14:19:57] =====================
[14:19:57]
[14:19:57] File properties checks...
[14:19:57] Files checked: 170
[14:19:57] Suspect files: 0
[14:19:57]
[14:19:57] Rootkit checks...
[14:19:57] Rootkits checked : 194
[14:19:57] Possible rootkits: 1
[14:19:57] Rootkit names : Unknown rootkit
[14:19:57]
[14:19:57] Applications checks...
[14:19:57] Applications checked: 3
[14:19:57] Suspect applications: 0
[14:19:57]
[14:19:57] The system checks took: 1 minute and 25 seconds
[14:19:57]
[14:19:57] Info: End date is Tue Sep 11 14:19:57 CEST 2012
chkrootkit: can't find `strings'.
PS: before the reinstall I got the following warning (that seems to be a bug):
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Thx for your help
Thx @londy for your response. I’m not an expert neither that is why I do not feel comfortable to whitelist something I do not know !
@hcvv, I post it an excerpt of my rkhunter.log, do you have a similar results ? what about chkrootkit ?
I am looking forward to hearing from you !
Thank you everybody !
First, I do not understand why you did a reinstall. Was that from a different repo or any other difference between the earlier install and the new one? Repeating the same installation is rather useless (except when you destroyed parts of the package manualy).
Then, when chkrootkit complains that it can not find *strings, *that is strange. The tool strings is basicaly allways installed. Try that, my test:
henk@boven:~> which strings
/usr/bin/strings
henk@boven:~>
and thus it is there.
I do not have installed chkrootkit nor *rkhunter. *Maybe I am a bit lousy in security (in this subject, not overall 
) and I am stiill on 11.4
So, in fact, as a forum member, I did not have the intention to answer in this post. As a mod I pointed you to the CODE tags.
I can find a package chkrootkit in the OSS rpo, but I can not find *rkhunter, *maybe it is in 12.2?
When I glance through your output, I do not see any alarming issues. The crontab warning is a bit strange, but you did not tell what you found inspecting* /etc/crontab*.
Since I am a newbie and coming from “windows’s world”, may be it seems a little bit paranoid but you would tell me it is linux and do not be ! anyway…
I thank you for your response. Now I come back to 12.1 and there is no rkhunter warning rotfl!. Chkrootkit works but gives
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
which seems to be a bug !!!
Thank you everybody
On 09/12/2012 11:06 AM, RANGOOO wrote:
> I am looking forward to hearing from you !
there have been many before you asking questions about security:
how to have it?
what to do to keep it?
how to re-get if if not CERTAIN you have not been penetrated?
how to know when you have enough security?
security is SUCH a huge field i doubt a lot of folks here are willing to
step up and pass judgment on your system without ever having sat down
at your machine and run a lot more than just rkhunter, etc…
and, even if someone does: do you actually know if that answer is correct?
we here are users just like you…
well, maybe we have been using Linux for a lot of years…or not…
maybe some are actual working linux admins…or not…
maybe some really are experts in security…on there system, in
their environment and to the level they need…
so i’m not gonna answer for your system, BUT:
if you download openSUSE from http://software.opensuse.org/
-check the downloaded iso with the md5 or sha1 code also downloaded from
software.opensuse.org then you know you have an iso as trustworthy as
any you can get (i guess)
then burn it to a disk, boot from the disk, run the offered “Media
Check”…but do not install yet!
THIS is the time to plan what all you want to install for security
(like) rkhunter, chrootkit, tripwire and whatever else you wish to rely
on…download them now from a trusted source, and compare trusted
check sums on each, and and format and then copy them on whatever
external media you wish to install them from–because you will NOT
connect to the internet or network prior to running all of those to base
line what is safe! [remember the centrifuges destroyed in a warm country
by a virus? i guess they were probably infected by UBS keys dropped in
parking lots, or near the homes of workers known to work with/on/near
the targets…who plugged them into their own laptops to see what was on
the thumbdrive and . . .]
so then do a full format and install from your known clean openSUSE
install medium without the internet connected
then install from your known clean medium rkhunter/etc, READ their
documentation so you know their strengths and weaknesses…then run them
against your absolutely known un-penetrated system…and you can maybe
trust that whatever they find is harmless…maybe (most probably–well,
probably enough that i would trust it–but i doubt if the CIA or NSA would.)
from then on your machine is only as safe as are your normal security
procedures…some of mine are: never log into the GUI as root; never run
any internet app (mail, browser, chat, etc etc etc) as root; and then
there are lots and lots of other things to do: like never let an
untrusted individual have free physical access to the machine; don’t run
stuff you don’t need (like sshd, ftpd, etc etc etc); and on and on and
on…
btw: i do not wear an aluminum foil cap…it is not thick enough!
–
dd http://goo.gl/PUjnL