
Thread: Rkhunter Warnings

  1. #1
    Join Date
    Dec 2009

    Rkhunter Warnings

    When I run Rkhunter I keep getting 2 particular Warnings: 1. /usr/sbin/unhide and 2. /usr/sbin/unhide-linux26. Both are 20080519 yjesus@security-projects.com. My question is - Who or what exactly is yjesus? My search found a yago.jesus, but no more info. Is this just some default monitoring of Ubuntu or do I have a security issue? If so, how do I go about fixing it? By the way, chkrootkit shows nothing of concern.

  2. #2
    Join Date
    Jun 2006

    Re: Rkhunter Warnings

    Code:
    aptitude show unhide
    Package: unhide
    State: not installed
    Version: 20080519-4
    Priority: extra
    Section: universe/admin
    Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
    Uncompressed Size: 1,962k
    Suggests: rkhunter
    Description: Forensic tool to find hidden processes and ports
     Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
     rootkits, Linux kernel modules or by other techniques.  It includes two
     utilities: unhide and unhide-tcp. 
     
     unhide detects hidden processes using three techniques: 
     * comparing the output of /proc and /bin/ps 
     * comparing the information gathered from /bin/ps with the one gathered from
       system calls (syscall scanning) 
     * full scan of the process ID space (PIDs bruteforcing) 
       
     unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
     /bin/netstat through brute forcing of all TCP/UDP ports available. 
     
     This package can be used by rkhunter in its daily scans.
    Homepage: http://www.security-projects.com/?Unhide
    It looks like it is part of rkhunter.
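The package description above lists the three techniques unhide uses to find processes a rootkit hides (compare /proc with ps, compare ps with what syscalls report, and brute-force the PID space). The script below is an added example, not unhide's own code, that reimplements the first and third of those checks on a live Linux box. The pure `compare()` function takes plain sets, so the sample sets in the lead-in tests are constructed; the collectors assume Linux `/proc` and a `ps` that accepts `-eo pid=`.

```python
#!/usr/bin/env python3
"""Toy reimplementation of the hidden-process checks described for unhide.

Added illustration, not unhide's code.  The collectors read the live Linux
/proc and the `ps` binary; the comparison logic takes plain sets so it can
be exercised on constructed input.
"""
import os
import subprocess
from dataclasses import dataclass, field


@dataclass
class Discrepancies:
    hidden_from_ps: set = field(default_factory=set)    # in /proc, missing from ps
    hidden_from_proc: set = field(default_factory=set)  # alive per kill(2), no /proc entry
    only_in_ps: set = field(default_factory=set)        # ps claims it, /proc does not


def pids_from_proc():
    """Technique 1, kernel side: numeric directories that readdir(/proc) admits to."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """Technique 1, userland side: what /bin/ps prints.  ps lists itself, so its
    own PID is dropped; it has exited by the time /proc is read."""
    proc = subprocess.Popen(["ps", "-eo", "pid="], stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return {int(tok) for tok in out.split()} - {proc.pid}


def pids_by_bruteforce(max_pid=None):
    """Technique 3: probe the whole PID space with kill(pid, 0).
    ESRCH (ProcessLookupError) means no such task; success or EPERM means a
    task exists whether or not anything lists it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread(pid):
    """kill(2) also answers for thread IDs, which never show up in readdir(/proc)
    even though /proc/<tid>/status is readable.  A TID has Tgid != Pid.
    An unreadable status is treated as 'not a thread' so the PID stays flagged."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Tgid"]) != int(fields["Pid"])
    except (OSError, KeyError, ValueError):
        return False


def compare(proc_pids, ps_pids, brute_pids, thread_ids=frozenset()):
    """Pure comparison of the three views.  Anything present in one view but
    absent from another is a candidate hidden process, or a process that
    started or exited between snapshots, so rerun before believing it."""
    d = Discrepancies()
    d.hidden_from_ps = set(proc_pids) - set(ps_pids)
    d.only_in_ps = set(ps_pids) - set(proc_pids)
    d.hidden_from_proc = set(brute_pids) - set(proc_pids) - set(thread_ids)
    return d


def scan():
    """Run all collectors on the live system and reconcile them."""
    proc_pids = pids_from_proc()
    ps_pids = pids_from_ps()
    brute_pids = pids_by_bruteforce()
    threads = {p for p in brute_pids - proc_pids if is_thread(p)}
    return compare(proc_pids, ps_pids, brute_pids, threads)


if __name__ == "__main__":
    result = scan()
    for label, pids in vars(result).items():
        print(f"{label}: {sorted(pids) or 'none'}")
```

Run it as root so `kill(pid, 0)` is not refused for other users' processes (EPERM is still counted as "alive", but root avoids ambiguity). The brute-force pass walks every PID up to `pid_max`, which on a modern kernel is four million, so it takes some seconds in Python; a process that starts or exits while the three snapshots are being taken will show up once as a discrepancy, which is why rkhunter and unhide are worth rerunning before treating a single hit as a rootkit. The second technique in the package description (cross-checking ps against other process-related syscalls) is not reproduced here.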

  3. #3
    Join Date
    Oct 2009
    Location
    Finland

    Re: Rkhunter Warnings

    I too get some warnings with rkhunter, but I think they probably result from some fairly strict policies that rkhunter is using when scanning for threats. So probably false alarms.

  4. #4
    Join Date
    Jun 2006

    Re: Rkhunter Warnings

    I am not sure how rkhunter actually works, but it probably needs to hide itself from other processes to ensure they cannot hide from it. It wouldn't be honest if it didn't report itself as a rootkit I guess.

    The sysinternals rootkit scanner for windows will report on legitimate items in windows also, but it doesn't mean that they are malicious.

  5. #5
    Join Date
    Jun 2008

    Re: Rkhunter Warnings

    Don't worry about those
    Warnings: 1. /usr/sbin/unhide and 2. /usr/sbin/unhide-linux26
    Do a Scroogle search and you will see that many have those come up with various distros, including myself when I run rkhunter. Nothing to worry about.
    Last edited by User3k; December 23rd, 2009 at 04:17 PM.

  6. #6
    Join Date
    Dec 2007
    Location
    The last place I look
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Rkhunter Warnings

    I've gotten these before. The email address is just a developer on the project who handles support.

    The unhide applet is used by rkhunter to look for things that may have been hidden by a rootkit, like ports and processes, per the description lavindog provided.

    You're fine.

  7. #7
    Join Date
    Dec 2009

    Re: Rkhunter Warnings

    Thanks to all who replied. I didn't think there was anything to it, but the web address listing threw me.
