Line by line
Code:
[14:51:41] /usr/bin/unhide.rb [ Warning ]
[14:51:41] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
This is just saying you have a script that is in your path -- this is often the sign of compromise (hooking a command); however, in this particular case that's not true, this application just happens to be a Ruby script.
Code:
[14:53:02] Checking for passwd file changes [ Warning ]
[14:53:02] Warning: User 'postfix' has been added to the passwd file
Looks like, as Charles said, you installed postfix since the baseline file for rkhunter was created; doing so modified /etc/passwd (if you didn't install postfix then something is up, otherwise don't sweat it).
Code:
[14:53:02] Checking for group file changes [ Warning ]
[14:53:02] Warning: Group 'postfix' has been added to the group file.
[14:53:02] Warning: Group 'postdrop' has been added to the group file.
Same as the last.
Code:
[14:53:03] Checking for hidden files and directories [ Warning ]
[14:53:03] Warning: Hidden directory found: /etc/.java
[14:53:03] Warning: Hidden directory found: /dev/.udev
[14:53:03] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
These are standard warnings given when running rkhunter on an Ubuntu system. Ubuntu does things slightly differently than other, more traditional distros like RHEL, so rkhunter isn't expecting hidden files in these places; however, these are normally present in any Ubuntu install by default.
Hope this helps
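An added example (not part of the original post) that turns the triage above into a script: it parses the warning lines quoted in the thread, emits rkhunter.conf whitelist directives only for findings an admin has already reviewed as benign, and lists everything else for manual investigation. The reviewed-benign set is an assumption for this example; SCRIPTWHITELIST, ALLOWHIDDENDIR and ALLOWHIDDENFILE are rkhunter.conf options and --propupd is rkhunter's re-baseline flag.

```python
import re

# Constructed sample: the rkhunter warning lines quoted in the post above.
SAMPLE_LOG = """\
[14:51:41] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
[14:53:02] Warning: User 'postfix' has been added to the passwd file
[14:53:02] Warning: Group 'postfix' has been added to the group file.
[14:53:02] Warning: Group 'postdrop' has been added to the group file.
[14:53:03] Warning: Hidden directory found: /etc/.java
[14:53:03] Warning: Hidden directory found: /dev/.udev
[14:53:03] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
"""

# Findings an admin has already checked by hand on this host (an assumption for this example).
REVIEWED_BENIGN = {
    "script": {"/usr/bin/unhide.rb"},
    "hidden_dir": {"/etc/.java", "/dev/.udev"},
    "hidden_file": {"/dev/.initramfs"},
    "account": {"postfix", "postdrop"},
}

# One regex per warning type; group 1 captures the path or account name.
PATTERNS = [
    ("script", re.compile(r"Warning: The command '([^']+)' has been replaced by a script")),
    ("hidden_dir", re.compile(r"Warning: Hidden directory found: (\S+)")),
    ("hidden_file", re.compile(r"Warning: Hidden file found: ([^:]+)")),
    ("account", re.compile(r"Warning: (?:User|Group) '([^']+)' has been added to the (\w+) file")),
]

# rkhunter.conf options that silence each benign finding; passwd/group changes have none.
DIRECTIVE = {"script": "SCRIPTWHITELIST", "hidden_dir": "ALLOWHIDDENDIR", "hidden_file": "ALLOWHIDDENFILE"}

def triage(log_text):
    """Split rkhunter warnings into rkhunter.conf lines (reviewed benign) and items needing review."""
    conf_lines, needs_review = [], []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            if value not in REVIEWED_BENIGN[kind]:
                needs_review.append((kind, value))  # unknown finding: investigate, never auto-whitelist
            elif kind in DIRECTIVE:
                conf_lines.append(f"{DIRECTIVE[kind]}={value}")
            else:
                # Account changes are accepted by re-baselining rkhunter's stored copy, not by a whitelist entry.
                conf_lines.append(f"# {match.group(2)} change for '{value}' accepted; re-run: rkhunter --propupd")
            break
    return conf_lines, needs_review
```

Append the returned directive lines to rkhunter.conf only after reviewing each one; anything in the needs-review list should be checked (for example, confirm the file is owned by a package) before it is ever whitelisted.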