Yesterday I went to log in to my Ubuntu Server running on a Dell PowerEdge. After being unable to log in via ssh I posted a question http://unix.stackexchange.com/questi...several-months and today I hooked up a monitor and keyboard to attempt to log in locally and ended up needing to run . Now that I have access I started looking at the log files and didn't see anything in my cursory overview that looked too odd, but then I installed rkhunter and chkrootkit, and each has odd results.
chkrootkit finds a java directory with Java 6.0. This is odd because this server has no need for Java and I did not install it.
rkhunter is running right now and I am going to post some of the output:
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Checking for hidden ports [ Skipped ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ None found ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
[Press <ENTER> to continue]
The odd thing about these results is that root login should not be allowed; the root account shouldn't even be activated except via sudo (is that what that result means?). I am not sure, but I would think that the changes to groups are also a bad sign, unless that happens when I run passwd. I should not expect to have hidden files as far as I know. Last, I definitely should not have Java 6.0 (unless it ships standard with the server OS)!
System checks summary
=====================
File properties checks...
Files checked: 133
Suspect files: 1
Rootkits checked : 245
Possible rootkits: 0
All checks skipped
The system checks took: 12 minutes and 46 seconds
All results have been written to the log file (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
I will of course be happy to post any other logs or information for review.
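Three of the warnings in the posted rkhunter output are cheap to confirm by hand before deciding whether the box is compromised: "SSH root access is allowed" is about the PermitRootLogin directive in sshd_config (rkhunter warns when it does not match the ALLOW_SSH_ROOT_USER value in rkhunter.conf), not about whether the root account has a password; "passwd file changes" and "group file changes" fire when the current file differs from the copy rkhunter saved on its previous run, so they trigger on legitimate useradd/usermod changes as well as on a planted account; and "hidden files and directories" covers dot-prefixed entries in places where none are expected. The script below is an added example, not code from the original post or from rkhunter: it builds constructed sample copies of sshd_config, /etc/passwd and a /tmp-like directory under a temporary directory, then runs the same kinds of checks against them. The file layout, the sample account names and the "baseline" copy are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): hand-checks for three of the
# rkhunter warnings above. All input files are constructed samples under a
# temporary directory, so this runs without touching the real system.

SAMPLE_DIR="${TMPDIR:-/tmp}/rkhunter-triage.$$"
mkdir -p "$SAMPLE_DIR/etc/ssh" "$SAMPLE_DIR/tmp/.cache"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sshd_config: the commented default is left in place and an
# explicit "PermitRootLogin yes" has been added below it.
cat > "$SAMPLE_DIR/etc/ssh/sshd_config" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed "previous run" copy of /etc/passwd, and a current copy with an
# extra UID 0 account appended (the thing the UID 0 check exists to catch).
cat > "$SAMPLE_DIR/etc/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
EOF
cp "$SAMPLE_DIR/etc/passwd.baseline" "$SAMPLE_DIR/etc/passwd"
echo 'toor:x:0:0:backdoor:/:/bin/sh' >> "$SAMPLE_DIR/etc/passwd"

# Constructed /tmp contents: two hidden entries and one ordinary file.
: > "$SAMPLE_DIR/tmp/.cache/index"
: > "$SAMPLE_DIR/tmp/.x"
: > "$SAMPLE_DIR/tmp/session.log"

# Effective PermitRootLogin value. sshd uses the FIRST uncommented occurrence
# of a keyword (sshd_config(5)); keywords are case-insensitive. Prints
# "default" if the directive is absent (the built-in default depends on the
# OpenSSH version).
ssh_permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo "default"
    fi
}

# Every account other than root whose UID is 0, i.e. a root-equivalent login.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Lines in the current file that are absent from the baseline: accounts added
# or modified since the baseline was taken. rkhunter's "passwd file changes"
# warning is the same idea, using the copy it saved on its last run.
passwd_changes() {
    grep -v -x -F -f "$1" "$2"
}

# Hidden (dot-prefixed) entries directly under a directory such as /tmp.
hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort
}

echo "PermitRootLogin: $(ssh_permit_root_login "$SAMPLE_DIR/etc/ssh/sshd_config")"
echo "Extra UID 0 accounts: $(uid0_accounts "$SAMPLE_DIR/etc/passwd")"
echo "passwd lines added since baseline:"
passwd_changes "$SAMPLE_DIR/etc/passwd.baseline" "$SAMPLE_DIR/etc/passwd"
echo "Hidden entries in sample /tmp:"
hidden_entries "$SAMPLE_DIR/tmp"
```

To use the same functions on a real host, point them at /etc/ssh/sshd_config, /etc/passwd and the directories rkhunter names in /var/log/rkhunter.log; for the passwd comparison, the baseline has to be a copy you trust (a backup taken before the lockout, or a package-fresh install), because a copy saved on the already-suspect machine proves nothing if the attacker got there first.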