
Author Topic: Rootkit Hunter  (Read 5488 times)


Offline prgs1971

  • Valuable Member
  • Posts: 81
  • Karma: +0/-0
    • http://premium-prestashop-hosting.com
Rootkit Hunter
« on: 2013-08-19, 17:29:31 »
Where can I find the Rootkit Hunter configuration in Kloxo-MR?

I am getting this in my secure log, but I don't receive any warning.
Code:
Aug 19 03:41:49 server Rootkit Hunter: Rootkit hunter check started (version 1.4.0)
Aug 19 03:45:20 server Rootkit Hunter: Scanning took 3 minutes and 31 seconds
Aug 19 03:45:20 server Rootkit Hunter: Please inspect this machine, because it may be infected.

Where can I look for more detailed information about the above report?

How can I debug this?

Offline prgs1971

  • Valuable Member
  • Posts: 81
  • Karma: +0/-0
    • http://premium-prestashop-hosting.com
Re: Rootkit Hunter
« Reply #1 on: 2013-08-19, 18:15:22 »
I found a detailed log in /var/log/rkhunter/rkhunter.log

I have extracted from the log what I think must have our attention:

warning
Code:
[03:19:57] Warning: Checking for prerequisites               [ Warning ]
[03:19:57]          The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
[03:19:57] Info: The file properties check will still run as there are checks that can be performed without the rkhunter.dat file.

warning
Code:
[03:19:57] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a
           reliable source. The rkhunter '--check' option will compare the current file properties
           against previously stored values, and report if any values differ. However, rkhunter
           cannot determine what has caused the change, that is for the user to do.

Unable to find 'skdet' command
Code:
[03:21:49]   Performing Suckit Rookit additional checks
[03:21:49]     Checking hard link count on '/sbin/init'      [ OK ]
[03:21:50]     Checking for hidden file extensions           [ None found ]
[03:21:50]     Running skdet command                         [ Skipped ]
[03:21:50] Info: Unable to find the 'skdet' command
[03:21:50]   Suckit Rookit additional checks                 [ OK ]

tripwire not installed
Code:
[03:22:49]   Checking for software intrusions                [ Skipped ]
[03:22:49] Info: Check skipped - tripwire not installed

Check skipped - file '/etc/inetd.conf' does not exist.
Code:
[03:22:49] Info: Starting test name 'trojans'
[03:22:49] Performing trojan specific checks
[03:22:50]   Checking for enabled inetd services             [ Skipped ]
[03:22:50] Info: Check skipped - file '/etc/inetd.conf' does not exist.

Warning
Code:
Checking for enabled xinetd services            [ Warning ]
[03:22:52] Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp
[03:22:53]   Checking for Apache backdoor                    [ Not found ]

warning
Code:
[03:22:53] Info: Starting test name 'os_specific'
[03:22:53] Performing Linux specific checks
[03:22:53]   Checking loaded kernel modules                  [ Warning ]
[03:22:53] Warning: No output found from the lsmod command or the /proc/modules file:
[03:22:53]          /proc/modules output:
[03:22:53]          lsmod output:

Unable to find the 'unhide-tcp' command
Code:
Info: Starting test name 'hidden_ports'
[03:22:59] Checking for hidden ports                         [ Skipped ]
[03:22:59] Info: Unable to find the 'unhide-tcp' command

warning
Code:
[03:23:06] Warning: The SSH and rkhunter configuration options should be the same:
[03:23:06]          SSH configuration option 'PermitRootLogin': without-password
[03:23:06]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset

Summary
Code:
[03:23:12] System checks summary
[03:23:12] =====================
[03:23:12]
[03:23:12] File properties checks...
[03:23:12] Required commands check failed
[03:23:12] Files checked: 139
[03:23:12] Suspect files: 0
[03:23:12]
[03:23:12] Rootkit checks...
[03:23:12] Rootkits checked : 308
[03:23:12] Possible rootkits: 0
[03:23:13]
[03:23:13] Applications checks...
[03:23:13] All checks skipped
[03:23:13]
[03:23:13] The system checks took: 3 minutes and 30 seconds
[03:23:13]
[03:23:13] Info: End date is Sun Aug 18 03:23:13 BST 2013

warning
Code:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
         is used, all the files on their system are known to be genuine, and installed from a
         reliable source. The rkhunter '--check' option will compare the current file properties
         against previously stored values, and report if any values differ. However, rkhunter
         cannot determine what has caused the change, that is for the user to do.
Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp
Warning: No output found from the lsmod command or the /proc/modules file:
         /proc/modules output:
         lsmod output:
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': without-password
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset

----------------------- End Rootkit Hunter Scan -----------------------

Thanks in advance for any feedback on any of the above extracts from the log :)
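A shell triage of the warnings quoted in the post above, as an added example that is not part of the original post, of Kloxo-MR, or of rkhunter itself. It pulls every "Warning:" line out of an rkhunter log, splits them into warnings that rkhunter.conf is designed to allow-list once you have verified the setting (the missing rkhunter.dat, the pureftp xinetd service, the empty lsmod output, the PermitRootLogin/ALLOW_SSH_ROOT_USER mismatch) and warnings that need hands-on investigation, and prints the configuration line that would resolve each allow-listable one. The log path, the sample log (constructed from the thread's lines plus one made-up "replaced by a script" warning) and the `rkh_*` function names are assumptions; `XINETD_ALLOWED_SVC` and `ALLOW_SSH_ROOT_USER` are real rkhunter.conf options, and the SSH value is hard-coded to `without-password` because that is the sshd setting shown in the thread.

```shell
#!/bin/sh
# Added example, not code from the original post, Kloxo-MR or rkhunter.
# Triage an rkhunter log: extract "Warning:" lines, classify each as
# "config" (drift that rkhunter.conf can allow-list after verification) or
# "investigate" (anything else), and suggest the rkhunter.conf line for the
# config class. Log path and sample content are assumptions.

# Constructed sample log: the warning lines quoted in the thread plus one
# made-up "replaced by a script" warning to exercise the investigate class.
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
[03:19:57] Warning: Checking for prerequisites               [ Warning ]
[03:19:57]          The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
[03:22:52] Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp
[03:22:53] Warning: No output found from the lsmod command or the /proc/modules file:
[03:23:06] Warning: The SSH and rkhunter configuration options should be the same:
[03:23:06]          SSH configuration option 'PermitRootLogin': without-password
[03:23:06]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[03:23:09] Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: Bourne-Again shell script text executable
EOF

# Print the text of each "Warning:" line without the [HH:MM:SS] prefix.
# Continuation lines (timestamp followed by spaces) are not warnings themselves.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: //p' "$1"
}

# Classify one warning text as "config" or "investigate".
rkh_classify() {
    case "$1" in
        "Checking for prerequisites"*)          echo config ;;
        "Found enabled xinetd service: "*)      echo config ;;
        "No output found from the lsmod"*)      echo config ;;
        "The SSH and rkhunter configuration"*)  echo config ;;
        *)                                      echo investigate ;;
    esac
}

# For a config-class warning, print the rkhunter.conf line or command that
# resolves it. Add an allow-list entry only after confirming the service or
# setting is legitimate: rkhunter reports a difference, not its cause.
rkh_suggest() {
    case "$1" in
        "Checking for prerequisites"*)
            echo "rkhunter --propupd   # only on a system you trust; creates rkhunter.dat" ;;
        "Found enabled xinetd service: "*)
            echo "XINETD_ALLOWED_SVC=${1#Found enabled xinetd service: }" ;;
        "The SSH and rkhunter configuration"*)
            # Must equal PermitRootLogin in sshd_config; the thread shows without-password.
            echo "ALLOW_SSH_ROOT_USER=without-password" ;;
        "No output found from the lsmod"*)
            echo "# no allow-list entry; an empty /proc/modules is usual on a VPS/container kernel" ;;
        *)  echo "# no automatic fix" ;;
    esac
}

# Number of warnings that need manual investigation. awk always exits 0, so
# the function is safe to call under set -e even when the count is zero.
rkh_count_investigate() {
    rkh_warnings "$1" | while IFS= read -r w; do rkh_classify "$w"; done \
        | awk '/^investigate$/ { n++ } END { print n + 0 }'
}

# Human-readable report: class, warning text, and fix for config-class items.
rkh_report() {
    rkh_warnings "$1" | while IFS= read -r w; do
        class=$(rkh_classify "$w")
        printf '%-11s %s\n' "$class" "$w"
        if [ "$class" = config ]; then
            printf '            fix: %s\n' "$(rkh_suggest "$w")"
        fi
    done
    printf 'warnings needing investigation: %s\n' "$(rkh_count_investigate "$1")"
}

rkh_report "$SAMPLE_LOG"
```

Run it against `/var/log/rkhunter/rkhunter.log` instead of the sample by calling `rkh_report` with that path; anything that lands in the investigate class (a replaced binary, a changed file property, a hidden file) is what the "Please inspect this machine" line in the secure log is about, and it should be checked by hand before any `--propupd` is run, since `--propupd` bakes the current state in as the trusted baseline.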

Offline chrisf

  • Senior Master
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • Conviction's Hosting
Re: Rootkit Hunter
« Reply #2 on: 2013-08-21, 08:01:14 »
Did you try to uninstall rkhunter and reinstall?
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline prgs1971

  • Valuable Member
  • Posts: 81
  • Karma: +0/-0
    • http://premium-prestashop-hosting.com
Re: Rootkit Hunter
« Reply #3 on: 2013-08-21, 08:10:25 »
I haven't done anything more about this, because I gave up on Kloxo-MR.

Thanks anyway ;)

Offline MRatWork

  • Administrator
  • The Elite
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • MRatWork Forum
Re: Rootkit Hunter
« Reply #4 on: 2013-08-21, 13:22:38 »
Some info from rkhunter is a 'false positive'. So, you need to investigate the rkhunter report more. Google is the best choice to find out what it is.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
