5 rkhunter warnings came up, should I be worried? [closed]

Tags:

centos

I just found rkhunter and decided to run a scan on my CentOS dedicated server. No rootkits were found (thank goodness!), but there were warnings. I'm just curious if anyone else has run into these, or if this is something I should worry about or be investigating further?

Here are the warnings I received from rkhunter:

[22:01:58]   /sbin/ifdown                                    [ Warning ]
[22:01:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable

[22:01:58]   /sbin/ifup                                      [ Warning ]
[22:01:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[22:02:05]   /usr/bin/GET                                    [ Warning ]
[22:02:05] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable

[22:02:05]   /usr/bin/ldd                                    [ Warning ]
[22:02:05] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[22:02:07]   /usr/bin/whatis                                 [ Warning ]
[22:02:07] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable

[22:03:03] Info: SCAN_MODE_DEV set to 'THOROUGH'
[22:03:05]   Checking /dev for suspicious file types         [ Warning ]
[22:03:05] Warning: Suspicious file types found in /dev:
[22:03:05]          /dev/md/autorebuild.pid: ASCII text
[22:03:05]          /dev/md/md-device-map: ASCII text
[22:03:05]          /dev/.udev/queue.bin: Applesoft BASIC program data
[22:03:05]          /dev/.udev/db/block:md0: ASCII text
[22:03:05]          /dev/.udev/db/block:md1: ASCII text
[22:03:05]          /dev/.udev/db/block:sda1: ASCII text
[22:03:05]          /dev/.udev/db/net:eth1: ASCII text
[22:03:05]          /dev/.udev/db/net:eth0: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb3: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb1: ASCII text
[22:03:05]          /dev/.udev/db/block:sda3: ASCII text
[22:03:05]          /dev/.udev/db/block:sda2: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb2: ASCII text
[22:03:05]          /dev/.udev/db/input:event2: ASCII text
[22:03:05]          /dev/.udev/db/input:event0: ASCII text
[22:03:05]          /dev/.udev/db/block:sda: ASCII text
[22:03:05]          /dev/.udev/db/block:sdb: ASCII text
[22:03:05]          /dev/.udev/db/input:event4: ASCII text
[22:03:05]          /dev/.udev/db/input:mouse1: ASCII text
[22:03:05]          /dev/.udev/db/input:event3: ASCII text
[22:03:05]          /dev/.udev/db/input:event1: ASCII text
[22:03:05]          /dev/.udev/db/block:ram9: ASCII text
[22:03:05]          /dev/.udev/db/block:ram8: ASCII text
[22:03:05]          /dev/.udev/db/block:ram4: ASCII text
[22:03:05]          /dev/.udev/db/block:ram5: ASCII text
[22:03:05]          /dev/.udev/db/block:ram7: ASCII text
[22:03:05]          /dev/.udev/db/block:ram6: ASCII text
[22:03:05]          /dev/.udev/db/block:ram3: ASCII text
[22:03:06]          /dev/.udev/db/block:ram2: ASCII text
[22:03:06]          /dev/.udev/db/block:ram15: ASCII text
[22:03:06]          /dev/.udev/db/block:ram14: ASCII text
[22:03:06]          /dev/.udev/db/block:ram13: ASCII text
[22:03:06]          /dev/.udev/db/block:ram12: ASCII text
[22:03:06]          /dev/.udev/db/block:ram0: ASCII text
[22:03:06]          /dev/.udev/db/block:ram1: ASCII text
[22:03:06]          /dev/.udev/db/block:ram11: ASCII text
[22:03:06]          /dev/.udev/db/block:ram10: ASCII text
[22:03:06]          /dev/.udev/db/block:loop7: ASCII text
[22:03:06]          /dev/.udev/db/block:loop3: ASCII text
[22:03:06]          /dev/.udev/db/block:loop5: ASCII text
[22:03:06]          /dev/.udev/db/block:loop4: ASCII text
[22:03:06]          /dev/.udev/db/block:loop6: ASCII text
[22:03:06]          /dev/.udev/db/block:loop1: ASCII text
[22:03:06]          /dev/.udev/db/block:loop2: ASCII text
[22:03:06]          /dev/.udev/db/block:loop0: ASCII text
[22:03:06]          /dev/.udev/db/usb:2-1: ASCII text
[22:03:06]          /dev/.udev/db/usb:1-1: ASCII text
[22:03:06]          /dev/.udev/db/usb:3-7.1: ASCII text
[22:03:06]          /dev/.udev/db/usb:3-7: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb1: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb3: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb4: ASCII text
[22:03:06]          /dev/.udev/db/usb:usb2: ASCII text
[22:03:06]          /dev/.udev/rules.d/99-root.rules: ASCII text

[22:03:06]   Checking for hidden files and directories       [ Warning ]
[22:03:06] Warning: Hidden directory found: /dev/.mdadm
[22:03:06] Warning: Hidden directory found: /dev/.udev
[22:03:06] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[22:03:06] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[22:03:06] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[22:03:06] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[22:03:06] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[22:03:06] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
x80 asked Mar 03 '15 03:03


2 Answers

Running CentOS 7.3.1611 here and recently found rkhunter warning about some commands too:

Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

First, I found where those commands belong to:

# rpm -qf /usr/sbin/ifdown /usr/sbin/ifup /usr/bin/egrep /usr/bin/fgrep
initscripts-9.49.37-1.el7_3.1.x86_64
initscripts-9.49.37-1.el7_3.1.x86_64
grep-2.20-2.el7.x86_64
grep-2.20-2.el7.x86_64

Then, I verified those packages:

# rpm -V initscripts grep && echo OK
OK

Finally, I added these lines to /etc/rkhunter.conf.local to disable those warnings:

SCRIPTWHITELIST=/usr/sbin/ifdown
SCRIPTWHITELIST=/usr/sbin/ifup
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/egrep

And checked again:

# rkhunter --check --rwo && echo OK
OK
alexm answered Dec 17 '22 02:12
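The check alexm describes above (find the owning package with `rpm -qf`, verify it with `rpm -V`, and only then whitelist the path) can be scripted so that nothing gets whitelisted by accident. The script below is an added example, not code from the question or from either answer. It assumes an RPM-based system with `rpm` on the path and an rkhunter run with `--rwo`; the sample log lines are constructed from the warnings in the question, and the `ALLOWHIDDENFILE` and `ALLOWHIDDENDIR` options it emits for the hidden-file warnings are rkhunter.conf settings that the answers do not mention.

```shell
#!/bin/sh
# Added example: turn rkhunter warnings into "path kind" records, verify each
# path against the RPM database (rpm -qf, then rpm -V on the owning package),
# and print whitelist lines only for paths that verified clean. Paths that no
# package owns, or whose package fails rpm -V, are reported as UNVERIFIED and
# are never whitelisted.

# Constructed sample log, modelled on the lines in the question (not a real run).
sample_log() {
cat <<'EOF'
[22:01:58] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[22:01:58] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[22:02:05] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
[22:03:06] Warning: Hidden directory found: /dev/.udev
[22:03:06] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
EOF
}

# Parse warnings on stdin into "path kind" lines; kind is script, hiddenfile or hiddendir.
# Works on both timestamped log lines and the shorter --rwo output.
parse_warnings() {
    sed -n \
        -e "s/^.*The command '\([^']*\)' has been replaced by a script.*$/\1 script/p" \
        -e 's/^.*Hidden file found: \([^:]*\).*$/\1 hiddenfile/p' \
        -e 's/^.*Hidden directory found: \([^:]*\).*$/\1 hiddendir/p'
}

# Verify one path: it must be owned by a package, and that package must pass
# rpm -V (no size, mode or digest changes). Prints the package name and returns 0
# when verified; returns 1 otherwise (including when rpm is not installed).
verify_path() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || return 1
    rpm -V "$pkg" >/dev/null 2>&1 || return 1
    echo "$pkg"
}

# Map a verified path to the rkhunter.conf option that silences its warning.
whitelist_line() {
    case $2 in
        script)     echo "SCRIPTWHITELIST=$1" ;;
        hiddenfile) echo "ALLOWHIDDENFILE=$1" ;;
        hiddendir)  echo "ALLOWHIDDENDIR=$1" ;;
    esac
}

# Read "path kind" records, verify each one, print whitelist lines for the
# clean ones and report the rest on stderr so they get looked at by hand.
build_whitelist() {
    while read -r path kind; do
        if verify_path "$path" >/dev/null; then
            whitelist_line "$path" "$kind"
        else
            echo "UNVERIFIED $path ($kind): not owned by a package, or package fails rpm -V" >&2
        fi
    done
}

# Real use: rkhunter --check --rwo | parse_warnings | build_whitelist > /tmp/rkhunter-proposed.conf
# then review the file before appending it to /etc/rkhunter.conf.local.
# Stand-alone demo over the constructed sample:
sample_log | parse_warnings | build_whitelist
```

On a Debian-based host the same structure applies with `verify_path` swapped for `dpkg -S` plus `debsums`, as in rubo77's answer. One caveat either way: `rpm -V` compares files against the local package database, so it only tells you the file matches what the package manager installed; a compromise that also edited the database would not be caught, which is why an unexpected `UNVERIFIED` line deserves a look rather than an `ALLOW` entry.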


To check whether the files were infected, you can check the packages that include those files; for example, for /usr/bin/ldd use

apt install debsums apt-file
apt-file update
debsums $(apt-file search -F --package-only /usr/bin/ldd)

If you only see OK, you are free to add the file to the rkhunter ignore list.

For example, add these lines to `/etc/rkhunter.conf.local` to disable those warnings:

SCRIPTWHITELIST=/usr/sbin/ifdown
SCRIPTWHITELIST=/usr/sbin/ifup
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/egrep

The other warnings can also be disabled; see `/etc/rkhunter.conf`.

rubo77 answered Dec 17 '22 04:12