Hi all,
This is my first foray with rkhunter so I'm still learning how it works.
I recently built a fresh CentOS 7 server with the intention of having it
locked down pretty tight.
# uname -a
Linux ABCDEFG 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux
It is running Apache and VSFTPD. Firewall rules only permit connections
from specific IPs. SSH is blocked at the firewall so nothing external
should be able to reach it.
I put rkhunter on this box and set up daily email reports.
Rkhunter starts up and runs:
[03:21:09] Running Rootkit Hunter version 1.4.2 on ABCDEFG
[03:21:09]
[03:21:09] Info: Start date is Sun Sep 18 03:21:09 EDT 2016
[03:21:09]
[03:21:09] Checking configuration file and command-line options...
[03:21:09] Info: Detected operating system is 'Linux'
[03:21:09] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core)
[03:21:09] Info: Command line is /usr/bin/rkhunter --update --nocolors
[03:21:09] Info: Environment shell is /bin/sh; rkhunter is using bash
[03:21:09] Info: Using configuration file '/etc/rkhunter.conf'
[03:21:09] Info: Installation directory is '/usr'
[03:21:09] Info: Using language 'en'
[03:21:09] Info: Using '/var/lib/rkhunter/db' as the database directory
[03:21:09] Info: Using '/usr/share/rkhunter/scripts' as the support script
directory
[03:21:09] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin
/usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[03:21:09] Info: Using '/var/lib/rkhunter' as the temporary directory
[03:21:09] Info: X will be automatically detected
[03:21:09] Info: Found the 'basename' command: /bin/basename
[03:21:09] Info: Found the 'diff' command: /bin/diff
[03:21:09] Info: Found the 'dirname' command: /bin/dirname
[03:21:09] Info: Found the 'file' command: /bin/file
[03:21:09] Info: Found the 'find' command: /bin/find
[03:21:09] Info: Found the 'ifconfig' command: /sbin/ifconfig
[snip]
It checks for updates:
[03:21:11] Info: This version : 2009091601
[03:21:11] Info: Latest version: 2009091601
[03:21:11] Checking file i18n/cn [ No update ]
[03:21:12] Info: This version : 2014010301
[03:21:12] Info: Latest version: 2014010301
[03:21:12] Checking file i18n/de [ No update ]
[03:21:12] Info: This version : 2013112401
[03:21:12] Info: Latest version: 2013112401
[03:21:12] Checking file i18n/en [ No update ]
But when it is doing the file checks, it is giving some warnings:
[03:21:22] Info: Starting test name 'properties'
[03:21:22] Performing file properties checks
[03:21:22] Checking for prerequisites [ OK ]
[03:21:23] /usr/sbin/adduser [ OK ]
[03:21:24] /usr/sbin/chkconfig [ OK ]
[03:21:25] /usr/sbin/chroot [ OK ]
[03:21:26] /usr/sbin/depmod [ Warning ]
[03:21:26] Warning: The file properties have changed:
[03:21:26] File: /usr/sbin/depmod
[03:21:26] Current inode: 420722 Stored inode: 806149
The full set of warnings is this:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
File: /usr/sbin/depmod
Current inode: 420722 Stored inode: 806149
Warning: The file properties have changed:
File: /usr/sbin/init
Current inode: 420734 Stored inode: 846785
Warning: The file properties have changed:
File: /usr/sbin/insmod
Current inode: 420723 Stored inode: 806150
Warning: The file properties have changed:
File: /usr/sbin/lsmod
Current inode: 22751 Stored inode: 806151
Warning: The file properties have changed:
File: /usr/sbin/modinfo
Current inode: 22755 Stored inode: 806152
Warning: The file properties have changed:
File: /usr/sbin/modprobe
Current inode: 22757 Stored inode: 806153
Warning: The file properties have changed:
File: /usr/sbin/rmmod
Current inode: 22758 Stored inode: 806154
Warning: The file properties have changed:
File: /usr/sbin/runlevel
Current inode: 420425 Stored inode: 846788
Warning: The file properties have changed:
File: /usr/bin/kmod
Current inode: 100930731 Stored inode: 101135620
Warning: The file properties have changed:
File: /usr/bin/systemctl
Current inode: 100883675 Stored inode: 101104379
Warning: The file properties have changed:
File: /usr/lib/systemd/systemd
Current inode: 35069854 Stored inode: 33716503
----------------------- End Rootkit Hunter Scan -----------------------
There are two users on this server with a login: root and the maintenance
account. And root cannot login over SSH. Every other account is a
"nologin" system account.
So the three questions I have are:
1. How can I tell if these rkhunter warnings are false positives?
2. How do I fix the actual problem, whether it is a genuine file corruption or
a false positive?
3. Are there troubleshooting steps I can follow to analyse the cause of
this?
I have applied all available yum updates to the system too, so maybe it's
ahead of the rkhunter repositories?
Many thanks for your patience and guidance.
-Derek
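An added example, not from Derek's post or from the rkhunter project, of how a defender would triage "file properties have changed" warnings on an RPM-based host like the CentOS 7 box above. It assumes rpm is installed and that rkhunter's --propupd is used to refresh the stored baseline once the changes are explained.

```shell
#!/bin/sh
# Added example (not from the original post): triage rkhunter
# "file properties have changed" warnings on an RPM-based host.
# Assumes the rpm and rkhunter binaries exist when triage_file is run.

# Pull the unique flagged paths out of an rkhunter log or e-mail report
# read from stdin (handles both the "[hh:mm:ss] File: ..." log form and
# the bare "File: ..." report form).
flagged_files() {
    sed -n 's/^.*File: \(\/[^ ]*\)$/\1/p' | sort -u
}

# Decide whether one flagged file is explained by package management.
# An inode change alone is expected after a package update: rpm writes the
# new file and renames it over the old one, so the inode differs while the
# content is exactly what the package ships.
triage_file() {
    f="$1"
    pkg=$(rpm -qf "$f" 2>/dev/null) || {
        echo "$f: not owned by any package - investigate"; return 1; }
    # rpm -V prints one line per file whose size/mode/digest/owner/mtime
    # differ from the package metadata; a file absent from that output matches.
    if rpm -V "$pkg" 2>/dev/null | grep -q " $f\$"; then
        echo "$f: owned by $pkg but differs from the RPM database - investigate"
        return 1
    fi
    echo "$f: owned by $pkg and matches the RPM database, installed $(rpm -q --qf '%{INSTALLTIME:date}' "$pkg")"
    return 0
}

# Constructed sample in the format of the report quoted above.
SAMPLE='Warning: The file properties have changed:
File: /usr/sbin/depmod
Current inode: 420722 Stored inode: 806149
Warning: The file properties have changed:
File: /usr/sbin/init
Current inode: 420734 Stored inode: 846785'

# Only parse here; run the rpm checks on the real host, e.g.
#   flagged_files < /var/log/rkhunter/log | while read f; do triage_file "$f"; done
# Once every flagged file is explained by a package update that happened after
# the last baseline, refresh the stored properties with: rkhunter --propupd
printf '%s\n' "$SAMPLE" | flagged_files
```

A file that rpm -V reports as unchanged, owned by a package yum updated after the last --propupd, is a benign warning; a file no package owns, or one rpm -V flags, is the case to dig into before refreshing the baseline.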
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users