Please take a VERY CLOSE look at this snapshot of my log:
Snipped #1:
[16:36:54] Performing file properties checks
[16:36:54] Info: Starting test name 'properties'
[16:36:54] Warning: Checking for prerequisites Warning ]
[16:36:54] The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
[16:36:55]
[16:36:55] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
Snipped #2:
[16:36:58] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
Snipped #3:
[16:37:00] /sbin/chkconfig Warning ]
[16:37:00] Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
Snipped #4:
[16:37:01] /sbin/ifup Warning ]
[16:37:01] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
Snipped #5:
[16:38:03] Checking /dev for suspicious file types Warning ]
[16:38:03] Warning: Suspicious file types found in /dev:
[16:38:03] /dev/shm/sysconfig/config-wlan0: ASCII text
[16:38:03] Info: Found hidden directory '/dev/.udev': it is whitelisted.
Please tell me what these mean and how to fix these. IF YOU CONSIDER ANY OF THESE AS BEING ABLE TO SPY OR TO CAUSE SIMILAR HARM, I’LL CRUNCH MY SYSTEM RIGHT AWAY - so please be real careful what you say…
Thanks for your immediate help.
Take a deep breath. Firstly, I suspect these are ALL HARMLESS, so how do we check? The first few are telling you what you already know: that you have only run it once this time.
/usr/bin/ldd is a script, so let's check: cat /usr/bin/ldd (do we see anything malicious?)
Ditto for /sbin/chkconfig, /sbin/ifup
So now, presuming what I suspect, these will all be fine and just warnings. You are beginning to have a base to start from: Kurt Seifried - LASG / Attack detection, first section, though here we're talking servers.
You've just been warned that where it expected a binary it got a script. I get them too, but for different files on different OSes; not every OS is the same.
Thanks - at least this makes my heartbeat slow down a bit.
As for further scanning: These warnings appeared on my own computer and not on my servers (which I am quite happy about).
Thing is, that cat outputs the whole file to command prompt - and I really don’t know if there’s anything suspicious/harmful in there. Is LASG meant to be used on desktop computers? Is it my best bet?
Well, to me, sensible usage, i.e. never ever log in as root (and if needed, then never network connected). Only have the external services you need.
RKhunter is good, but the problem I have is thinking maliciously... I've gained root, presumably to get my rootkit on, so why the hell wouldn't I just replace rkhunter? The source is online to be modified.
I don't run a server; I do have a toy server, but most of the time my router doesn't even allow it out. So I look at it this way: how can I be exploited? Social engineering, and no program can stop that.
It goes back to what doors are open, and malcomlewis's suggestion of shell accounts and nmap seems the best if security is the aim. But true security involves so many things, which those pages address. Mainly, the first thing you need is a base to compare with, i.e. a clean install from distribution media, md5s, ps usage, file usage, memory usage etc...
On a desktop I find Linux has far fewer services running by default, and very few that are exploitable, but every PC/user is different.
Security policy is to be determined by our own requirements.
For me, I'm just a desktop with no external services, so presumably I have only got social engineering left, with the added confusion of neither KDE nor GNOME running.
More doors open more to worry, less doors less to worry about is my policy.
I hope you did take FM’s recommendation and took a deep breath.
After that, please have a look at how rkhunter works first.
Second, check its config file and change it to suit your needs (/etc/rkhunter.conf).
Next, have a look at its warning/tip - most likely you actually did not build, after installing it, a database of the bins rkhunter checks (the --propupd switch). (Of course you need to do that first on a clean system.)
And last - do not forget to set rkhunter in sysconfig to run the --propupd every time new software is installed, or else you will get "compromised" after every software update (/etc/sysconfig/rkhunter). Be aware that this will slow down the system during the update.
If you install software manually you will have to run --propupd manually.
Even with these settings you might still get warnings regarding files like /dev/shm/sysconfig/config-wlan0 if you do not set them as 'safe' in /etc/rkhunter.conf.
Thanks again FeatherMonkey, for your detailed reply - I've raised your points again as you've been a tremendous help. Now take my word 'as-is' - your answer helped me, and that's why I pressed the button.
You won’t hear an excuse for my actions here. Have a good weekend.
Though to me this would be better suited to a honeypot; to me it's a bit like putting a bullseye on your front and wondering why the kids keep throwing snowballs at you.
And most certainly overkill on a desktop PC.
Also, even just installing it could be compromising. Now, I doubt it is malicious, but you have an article that was written 7/8 years ago recommending it; can you still trust the integrity of the site?
>
> Please take a CLOSE look at this snapshot of my log:
>
> Snipped #1:
>
> Code:
> --------------------
> [16:36:54] Performing file properties checks
> [16:36:54] Info: Starting test name ‘properties’
> [16:36:54] Warning: Checking for prerequisites
> Warning ] [16:36:54] The file of stored file properties
> (rkhunter.dat) does not exist, and so must be created. To do this
> type in ‘rkhunter --propupd’. [16:36:55] [16:36:55] Warning:
> WARNING! It is the users responsibility to ensure that when the
> ‘–propupd’ option is used, all the files on their system are known
> to be genuine, and installed from a reliable source. The rkhunter
> ‘–check’ option will compare the current file properties against
> previously stored values, and report if any values differ. However,
> rkhunter cannot determine what has caused the change, that is for
> the user to do. --------------------
>
>
> Snipped #2:
>
> Code:
> --------------------
> [16:36:58] Warning: The command ‘/usr/bin/ldd’ has been replaced
> by a script: /usr/bin/ldd: Bourne-Again shell script text
> --------------------
>
>
> Snipped #3:
>
> Code:
> --------------------
> [16:37:00] /sbin/chkconfig
> Warning ] [16:37:00] Warning: The command ‘/sbin/chkconfig’ has
> been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script
> text --------------------
>
>
> Snipped #4:
>
> Code:
> --------------------
> [16:37:01] /sbin/ifup
> Warning ] [16:37:01] Warning: The command ‘/sbin/ifup’ has been
> replaced by a script: /sbin/ifup: Bourne-Again shell script text
> --------------------
>
>
> Snipped #5:
>
> Code:
> --------------------
> [16:38:03] Checking /dev for suspicious file types
> Warning ] [16:38:03] Warning: Suspicious file types found in /dev:
> [16:38:03] /dev/shm/sysconfig/config-wlan0: ASCII text
> [16:38:03] Info: Found hidden directory ‘/dev/.udev’: it is
> whitelisted. --------------------
>
>
>
> Please tell me what these mean and how to fix these. IF YOU CONSIDER
> ANY OF THESE AS BEING ABLE TO SPY, CRUNCH MY SYSTEM RIGHT AWAY - so
> please be real careful what you say…
>
> Thanks for your immediate help.
>
> -TheMask.-
Those are pretty much false positives. For those that you know are good
you can whitelist those scripts in the /etc/rkhunter.conf file. Check
out this link for more info. http://servertune.com/kbase/entry/267/
>
> Thanks - at least this makes my heartbeat slow down a bit.
> As for further scanning: These warnings appeared on my own computer
> and not on my servers (which I am quite happy about).
>
> Thing is, that cat outputs the whole file to command prompt - and I
> really don’t know if there’s anything suspicious/harmful in there.
> Is LASG meant to be used on desktop computers? Is it my best bet?
> -
> TheMask.-
Are you using opensuse on the servers or is it a different OS/distro?
Thank you for your previous answer - it helped a lot. I partially can understand why you've added the second question... would I need to buy a commercial license for OpenSuse if your assumption was the case? ...
>
> 69_rs_ss Wrote:
> > Are you using opensuse on the servers or is it a different
> > OS/distro?
>
> Thank you for your previous answer - it helped a lot. I partially can
> understand why you’ve added the second question… would I need to
> buy a commercial license for OpenSuse if your assumption was the
> case? …
>
> -TheMask.-
I was curious if you were using a different distro because if so, they
might set something up a bit different so that rkhunter doesn’t see
those false positives.
You don't need a commercial license when running opensuse; SLED/SLES,
yes, if you would like to update the system, but opensuse, no.
Thanks guys. To clarify this: I’m having these warnings on my own Computer, which in turn runs OpenSuse 11.1.
Now the solution was already mentioned: setting these false positives as "normal" in the config file. But how? Is that somehow possible with MC?
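An added example, not from any post in this thread: a small POSIX shell helper that does the two checks the replies describe (is the flagged command really a script, and does it still match what its package installed) and then prints the /etc/rkhunter.conf whitelist lines for the paths from the log. SCRIPTWHITELIST and ALLOWDEVFILE are real rkhunter.conf directives; the rest assumes an RPM-based system such as openSUSE (rpm is only consulted if present) and that rpm -V prints one "flags type path" line per changed file.

```shell
# Added example (not from the thread): triage rkhunter's "replaced by a
# script" and "suspicious file types found in /dev" warnings, then emit the
# /etc/rkhunter.conf lines that whitelist the entries you have verified.
# Assumes an RPM-based system such as openSUSE; rpm is only used if present.
# Classify a file by its magic bytes: elf, script (shebang) or other.
classify_file() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # ELF binary
        2321*)    echo script ;;   # "#!" interpreter line
        *)        echo other ;;
    esac
}
# Does the file still match what its package installed? rpm -Vf prints one
# line per changed file of the owning package, so keep only our own path.
package_status() {
    command -v rpm >/dev/null 2>&1 || { echo unknown; return; }
    if rpm -Vf "$1" 2>/dev/null | awk -v f="$1" '$NF == f' | grep -q .; then
        echo modified
    else
        echo unmodified
    fi
}
# One report line per path: file kind plus the package check for scripts.
# A script that is "modified" should be read (cat) before it is whitelisted.
triage_path() {
    for p in "$@"; do
        kind=$(classify_file "$p")
        if [ "$kind" = script ]; then
            status=$(package_status "$p")
            printf '%s: script (package check: %s)\n' "$p" "$status"
        else
            printf '%s: %s\n' "$p" "$kind"
        fi
    done
}
# Turn verified-good paths into rkhunter.conf directives: commands that are
# legitimately scripts go in SCRIPTWHITELIST, files under /dev in ALLOWDEVFILE.
whitelist_lines() {
    for p in "$@"; do
        case "$p" in
            /dev/*) echo "ALLOWDEVFILE=$p" ;;
            *)      echo "SCRIPTWHITELIST=$p" ;;
        esac
    done
}
# On the poster's machine (constructed usage, paths taken from the log):
#   triage_path /usr/bin/ldd /sbin/chkconfig /sbin/ifup
#   whitelist_lines /usr/bin/ldd /sbin/chkconfig /sbin/ifup \
#       /dev/shm/sysconfig/config-wlan0 >> /etc/rkhunter.conf
```

After appending the lines, run rkhunter --propupd once on the now-trusted system so the next --check compares against a fresh baseline; note that glibc ships ldd as a shell script by design, which is why rkhunter reports it.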