[rkhunter] Warnings found for mysite

Discussion in 'Parallels Plesk Panel 10.x for Linux Problems, Suggested Fixes, and How-To' started by KrishnaR, Aug 12, 2012.

  1. KrishnaR

    KrishnaR New Member

    Messages:
    7
    I've got this message today:
    Please inspect this machine, because it may be infected.

    I've looked at the error log and this is what came out:

    Checking for string 'psniff' [ Not found ]
    Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
    Checking for string '/dev/ptyxx' [ Not found ]
    Checking for string '/dev/xdta' [ Not found ]
    Checking for string '/usr/lib/.tbd' [ Not found ]
    Checking for string 'in.inetd' [ Not found ]
    Checking for string '#<HIDE_.*>' [ Not found ]
    Checking for string 'bin/xchk' [ Not found ]
    Checking for string 'bin/xsf' [ Not found ]
    Checking for possible rootkit strings [ None found ]

    Performing malware checks
    Info: Starting test name 'malware'

    Info: Test 'deleted_files' disabled at users request.
    Info: Starting test name 'running_procs'
    Checking running processes for suspicious files [ None found ]

    Info: Test 'hidden_procs' disabled at users request.

    Info: Test 'suspscan' disabled at users request.

    Performing check for login backdoors
    Info: Starting test name 'other_malware'
    Checking for '/bin/.login' [ Not found ]
    Checking for '/sbin/.login' [ Not found ]
    Checking for login backdoors [ None found ]

    Performing check for suspicious directories
    Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
    Checking for directory '/dev/rd/cdb' [ Not found ]
    Checking for suspicious directories [ None found ]

    Checking for software intrusions [ Skipped ]
    Info: Check skipped - tripwire not installed

    Performing check for sniffer log files
    Checking for file '/usr/lib/libice.log' [ Not found ]
    Checking for sniffer log files [ None found ]

    Performing trojan specific checks
    Info: Starting test name 'trojans'
    Checking for enabled inetd services [ Skipped ]
    Info: Check skipped - file '/etc/inetd.conf' does not exist.

    Performing check for enabled xinetd services
    Info: Using xinetd configuration file '/etc/xinetd.conf'
    Checking '/etc/xinetd.conf' for enabled services [ None found ]
    Found 'includedir /etc/xinetd.d' directive
    Checking '/etc/xinetd.d/chargen-dgram' for enabled services [ None found ]
    Checking '/etc/xinetd.d/chargen-stream' for enabled services [ None found ]
    Checking '/etc/xinetd.d/cvs' for enabled services [ None found ]
    Checking '/etc/xinetd.d/daytime-dgram' for enabled services [ None found ]
    Checking '/etc/xinetd.d/daytime-stream' for enabled services [ None found ]
    Checking '/etc/xinetd.d/discard-dgram' for enabled services [ None found ]
    Checking '/etc/xinetd.d/discard-stream' for enabled services [ None found ]
    Checking '/etc/xinetd.d/echo-dgram' for enabled services [ None found ]
    Checking '/etc/xinetd.d/echo-stream' for enabled services [ None found ]
    Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
    Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
    Checking '/etc/xinetd.d/rsync' for enabled services [ None found ]
    Checking '/etc/xinetd.d/tcpmux-server' for enabled services [ None found ]
    Checking '/etc/xinetd.d/time-dgram' for enabled services [ None found ]
    Checking '/etc/xinetd.d/time-stream' for enabled services [ None found ]
    Checking for enabled xinetd services [ Warning ]
    Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
    Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
    Checking for Apache backdoor [ Not found ]

    Performing Linux specific checks
    Info: Starting test name 'os_specific'
    Checking loaded kernel modules [ OK ]
    Info: Using modules pathname of '/lib/modules/2.6.32-279.2.1.el6.x86_64'
    Checking kernel module names [ OK ]

    Checking the network...
    Info: Starting test name 'network'
    Info: Starting test name 'ports'

    Performing check for backdoor ports
    Checking for TCP port 1524 [ Not found ]
    Checking for TCP port 1984 [ Not found ]
    Checking for UDP port 2001 [ Not found ]
    Checking for TCP port 2006 [ Not found ]
    Checking for TCP port 2128 [ Not found ]
    Checking for TCP port 6666 [ Not found ]
    Checking for TCP port 6667 [ Not found ]
    Checking for TCP port 6668 [ Not found ]
    Checking for TCP port 6669 [ Not found ]
    Checking for TCP port 7000 [ Not found ]
    Checking for TCP port 13000 [ Not found ]
    Checking for TCP port 14856 [ Not found ]
    Checking for TCP port 25000 [ Not found ]
    Checking for TCP port 29812 [ Not found ]
    Checking for TCP port 31337 [ Not found ]
    Checking for TCP port 32982 [ Not found ]
    Checking for TCP port 33369 [ Not found ]
    Checking for TCP port 47107 [ Not found ]
    Checking for TCP port 47018 [ Not found ]
    Checking for TCP port 60922 [ Not found ]
    Checking for TCP port 62883 [ Not found ]
    Checking for TCP port 65535 [ Not found ]

    Performing checks on the network interfaces
    Info: Starting test name 'promisc'
    Checking for promiscuous interfaces [ None found ]

    Info: Test 'packet_cap_apps' disabled at users request.

    Checking the local host...
    Info: Starting test name 'local_host'

    Performing system boot checks
    Info: Starting test name 'startup_files'
    Checking for local host name [ Found ]
    Info: Starting test name 'startup_malware'
    Checking for system startup files [ Found ]
    Checking system startup files for malware [ None found ]

    Performing group and account checks
    Info: Starting test name 'group_accounts'
    Checking for passwd file [ Found ]
    Info: Found password file: /etc/passwd
    Checking for root equivalent (UID 0) accounts [ None found ]
    Info: Found shadow file: /etc/shadow
    Checking for passwordless accounts [ None found ]
    Info: Starting test name 'passwd_changes'
    Checking for passwd file changes [ Warning ]
    Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
    Info: Starting test name 'group_changes'
    Checking for group file changes [ Warning ]
    Warning: Unable to check for group file differences: no copy of the group file exists.
    Checking root account shell history files [ OK ]

    Performing system configuration file checks
    Info: Starting test name 'system_configs'
    Checking for SSH configuration file [ Found ]
    Info: Found SSH configuration file: /etc/ssh/sshd_config
    Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
    Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '2'.
    Checking if SSH root access is allowed [ Not set ]
    Checking if SSH protocol v1 is allowed [ Not allowed ]
    Checking for running syslog daemon [ Found ]
    Checking for syslog configuration file [ Found ]
    Info: Found syslog configuration file: /etc/rsyslog.conf
    Checking if syslog remote logging is allowed [ Not allowed ]

    Performing filesystem checks
    Info: Starting test name 'filesystem'
    Info: SCAN_MODE_DEV set to 'THOROUGH'
    Checking /dev for suspicious file types [ Warning ]
    Warning: Suspicious file types found in /dev:
    /dev/md/md-device-map: ASCII text
    Checking for hidden files and directories [ Warning ]
    Warning: Hidden directory found: /dev/.mdadm
    Warning: Hidden directory found: /dev/.udev
    Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
    Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

    Checking application versions...
    Info: Starting test name 'apps'
    Info: Application 'exim' not found.
    Checking version of GnuPG [ OK ]
    Info: Application 'gpg' version '2.0.14' found.
    Checking version of Apache [ Warning ]
    Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
    Checking version of Bind DNS [ OK ]
    Info: Application 'named' version '9.8.2rc1' found.
    Checking version of OpenSSL [ OK ]
    Info: Application 'openssl' version '1.0.0-fips' found.
    Checking version of PHP [ OK ]
    Info: Application 'php' version '5.3.3' found.
    Checking version of Procmail MTA [ OK ]
    Info: Application 'procmail' version '3.22' found.
    Checking version of ProFTPd [ Skipped ]
    Info: Unable to obtain version number for 'proftpd': version option gives: ProFTPD Version 1.3.3e
    Checking version of OpenSSH [ OK ]
    Info: Application 'sshd' version '5.3p1' found.
    Info: Applications checked: 8 out of 9

    System checks summary

    Required commands check failed
    Files checked: 124
    Suspect files: 3

    Rootkit checks...
    Rootkits checked : 112
    Possible rootkits: 0

    Applications checks...
    Applications checked: 8
    Suspect applications: 1

    The system checks took: 1 minute and 12 seconds

    Please advise.
  2. abdi

    abdi Product Expert

    Messages:
    2,202
    Your results are not bad at all... Nothing to worry about!
    However, you can inspect those warned-against files just to be sure they were not replaced by anybody else other than you or the system :)
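To act on that advice, here is an added helper (not from the thread or from rkhunter) that sorts rkhunter `Warning:` lines like the ones above into buckets a defender can work through: baseline warnings to fix by taking a snapshot, hidden paths to verify against the package database, enabled services to confirm, and out-of-date applications to patch. The sample log is constructed from the output in the thread; the bucket names and the assumption that `_psa` xinetd entries are Plesk's own are mine.

```python
from collections import defaultdict

# Constructed sample, shaped like the rkhunter output quoted in the thread.
SAMPLE_LOG = """\
Checking for enabled xinetd services [ Warning ]
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
Checking for passwd file changes [ Warning ]
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Checking for hidden files and directories [ Warning ]
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Checking version of Apache [ Warning ]
Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
"""


def parse_warnings(text):
    """Return a list of (kind, detail) tuples, one per 'Warning:' line."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Warning:"):
            continue
        msg = line[len("Warning:"):].strip()
        # Most warnings are 'kind: detail'; version warnings have no second colon.
        kind, sep, detail = msg.partition(": ")
        found.append((kind, detail if sep else ""))
    return found


def triage(warnings):
    """Group warnings into action buckets (names are this example's own)."""
    buckets = defaultdict(list)
    for kind, detail in warnings:
        if kind.startswith("Found enabled xinetd service"):
            # Confirm the service is intended; '_psa' entries are assumed to be Plesk's.
            buckets["service"].append(detail)
        elif kind.startswith("Unable to check for") and "no copy" in detail:
            # No baseline copy yet: create one with 'rkhunter --propupd' and re-run.
            buckets["baseline"].append(kind)
        elif kind in ("Hidden file found", "Hidden directory found"):
            # Drop the file(1) type description; keep only the path for 'rpm -Vf'.
            buckets["review"].append(detail.split(":", 1)[0])
        elif "out of date" in kind:
            buckets["update"].append(kind)
        else:
            buckets["other"].append((kind, detail))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(parse_warnings(SAMPLE_LOG)).items():
        print(bucket, items)
```

On the CentOS 6 host in the thread, each path in the `review` bucket can be checked with `rpm -Vf <path>` to see whether it still matches the package that installed it.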
  3. KrishnaR

    KrishnaR New Member

    Messages:
    7
    Okay :)
    Thanks abdi
  4. abdi

    abdi Product Expert

    Messages:
    2,202
    You're welcome :)
