
[ubuntu] RKHunter Help Needed



Dalek Draco ON LINUX
February 1st, 2010, 07:34 AM
I've run RKHunter (after updating to the latest version) and it came up with the usual:
/usr/bin/awk [ Warning ]
/usr/bin/last [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/gawk [ Warning ]
/sbin/init [ Warning ]
/sbin/runlevel [ Warning ]
/sbin/sulogin [ Warning ]
/usr/sbin/rsyslogd [ Warning ]
/usr/sbin/unhide [ Warning ]
/usr/sbin/unhide-linux26 [ Warning ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

[Press <ENTER> to continue]

Checking application versions...

Checking version of Exim MTA [ Warning ]
Checking version of GnuPG [ Warning ]
Checking version of OpenSSL [ Warning ]


I've read a little and I assume that these are false positives.

However it also found:

Checking for TCP port 60922 [ Warning ]

Which has not come up before. I'm guessing it has something to do with my network...thus I am a little worried.


Any help/ideas would be appreciated. Thanks.

unspawn
February 1st, 2010, 05:24 PM
I assume that these are false positives.
The logfile will show you more details than the display output. Regardless, there is no reason to assume when you possess the (RKH docs and) common GNU/Linux tools to ensure these are false positives.



Checking for TCP port 60922 [ Warning ] Which has not come up before. I'm guessing it has something to do with my network
TCP/60922 is a port a component of the zaRwT rootkit listens on. If you have verified one of the services you provide legitimately uses the port (see 'lsof -Pwni tcp:60922', 'fuser -n tcp 60922' or the convoluted 'netstat -antple|grep 60922') then you can whitelist it. See examples in rkhunter.conf, the documentation and the rkhunter-users mailing list archives for more details.
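The lsof/fuser/netstat step above answers "who owns this port?" by reading the kernel's socket tables under /proc. The following is an added example, not code from the thread or from rkhunter: it parses /proc/net/tcp (and tcp6) the way those tools do, picks out LISTEN sockets on the port rkhunter complained about, and maps the socket inode back to a PID via /proc/PID/fd. The SAMPLE_PROC_NET_TCP table is constructed for the example; the /proc paths are the real Linux interfaces. Mapping inodes to processes owned by other users needs root, exactly as with lsof.

```python
"""Map an rkhunter 'TCP port' warning to the process that owns the socket.

Reads the same kernel tables netstat/ss/lsof use (/proc/net/tcp, /proc/net/tcp6),
so it works even when those tools are not installed. The sample table below is
constructed for the example; the /proc paths are real Linux interfaces.
"""
import os
import socket
import struct

TCP_LISTEN = 0x0A  # socket state code used in /proc/net/tcp

# Constructed sample of /proc/net/tcp: sshd listening on 22 as root, and a
# user (uid 1000) program listening on 60922 with one established client.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:EDFA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:EDFA 0100007F:B1E4 01 00000000:00000000 00:00000000 00000000  1000        0 67891 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(hex_addr):
    """Decode 'IP:PORT' as printed in /proc/net/tcp{,6} (IP is host-order hex)."""
    ip_hex, port_hex = hex_addr.split(":")
    port = int(port_hex, 16)
    raw = bytes.fromhex(ip_hex)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])  # little-endian on x86
    else:
        # IPv6 is stored as four little-endian 32-bit words
        words = struct.unpack("<4I", raw)
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))
    return ip, port


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into socket records."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = _decode_addr(fields[1])
        remote_ip, remote_port = _decode_addr(fields[2])
        entries.append({
            "local_ip": local_ip,
            "local_port": local_port,
            "remote_ip": remote_ip,
            "remote_port": remote_port,
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def listeners_on_port(entries, port):
    """Return only sockets in LISTEN state bound to the given local port."""
    return [e for e in entries if e["local_port"] == port and e["state"] == TCP_LISTEN]


def pid_for_inode(inode, proc_root="/proc"):
    """Find the PID whose fd table holds socket:[inode]; root is needed to see other users' processes."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        return int(pid)
                except OSError:
                    continue
        except OSError:
            continue  # process exited, or not ours to inspect
    return None


def explain_port(port, proc_root="/proc"):
    """Live check: list (table, bound address, uid, pid) for every listener on `port`."""
    report = []
    for table in ("tcp", "tcp6"):
        path = os.path.join(proc_root, "net", table)
        if not os.path.exists(path):
            continue
        with open(path) as f:
            entries = parse_proc_net_tcp(f.read())
        for e in listeners_on_port(entries, port):
            pid = pid_for_inode(e["inode"], proc_root)
            report.append((table, e["local_ip"], e["uid"], pid))
    return report


if __name__ == "__main__":
    print(explain_port(60922) or "nothing is listening on TCP/60922 right now")
```

Once explain_port returns a PID, the defender's remaining step is to confirm what that PID actually is (readlink /proc/PID/exe and compare the binary against the package it is supposed to come from) before adding the port to the PORT_WHITELIST entry in rkhunter.conf; a port that is only open while a known program runs, as the original poster found, will simply stop triggering when that program is not running.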

Dalek Draco ON LINUX
February 2nd, 2010, 06:10 AM
Thanks for replying. Looks like the port was being used by a legit program. When I run a scan and it's not in use, the warning does not pop up.