Author Topic: (SOLVED) Rkhunter warning  (Read 3905 times)

Offline Jasn

  • Jr. Member
  • **
  • Posts: 46
(SOLVED) Rkhunter warning
« on: August 07, 2010, 09:24:20 AM »
Hello there!
I just ran rkhunter and it gave a warning:

[17:56:41] Warning: The file properties have changed:
[17:56:41]          File: /usr/sbin/tcpd
[17:56:41]          Current hash: 680af8f06317fdfce723ce2f19cdf883a7990952
[17:56:41]          Stored hash : c8b89caea904e9c27b5362a75617437c2102cade
[17:56:41]          Current inode: 4981433    Stored inode: 4982295
[17:56:41]          Current size: 31316    Stored size: 5720
[17:56:41]          Current file modification time: 1281070335
[17:56:41]          Stored file modification time : 1219506387

I tried to google it, but could not find a satisfactory answer.
Could this be a result of some updates that  I installed today?
Is there something to worry about?
« Last Edit: August 07, 2010, 12:10:44 PM by Jasn »

uncleV

  • Guest
Re: Rkhunter warning
« Reply #1 on: August 07, 2010, 09:41:16 AM »
Did you update rkhunter itself before checking?

Offline Jasn

  • Jr. Member
  • **
  • Posts: 46
Re: Rkhunter warning
« Reply #2 on: August 07, 2010, 09:54:42 AM »
Yes, I updated rkhunter, but did not run rkhunter --propupd.

Offline tschommer

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 1889
  • MLU and BLU (Bacon lovin' user)
Re: Rkhunter warning
« Reply #3 on: August 07, 2010, 10:18:47 AM »
Jasn, I'm sure you're fully updated.

As far as I can see, tcpd was part of an updated package tcp_wrappers and has a timestamp 2010-08-06 (date of update on my system).

As long as the summary looks okay I wouldn't worry too much.

Quote
Rootkit checks...
    Rootkits checked : 117
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 0
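The check tschommer describes, matching a changed file against a recent package update before trusting it, as an added shell example that is not from the thread: it parses the log format of the first post and assumes an rpm-based system such as PCLinuxOS and the default log path /var/log/rkhunter.log.

```shell
#!/bin/sh
# Added example, not from the thread: triage an rkhunter "file properties have
# changed" warning by pulling the path and timestamps out of the log, then asking
# the package manager (rpm on PCLinuxOS) whether the file still matches its
# package. A clean verify right after an update explains the warning; a changed
# file that no package touched deserves a look before any rkhunter --propupd.

# Constructed excerpt in the format of the original post (fallback input).
SAMPLE='[17:56:41] Warning: The file properties have changed:
[17:56:41]          File: /usr/sbin/tcpd
[17:56:41]          Current hash: 680af8f06317fdfce723ce2f19cdf883a7990952
[17:56:41]          Stored hash : c8b89caea904e9c27b5362a75617437c2102cade
[17:56:41]          Current size: 31316    Stored size: 5720
[17:56:41]          Current file modification time: 1281070335
[17:56:41]          Stored file modification time : 1219506387'

# rkhunter log text on stdin -> "path current_mtime stored_mtime" per block.
changed_files() {
    awk '/ File: /                         { f = $NF }
         / Current file modification time:/ { cur = $NF }
         / Stored file modification time/   { if (f != "") print f, cur, $NF; f = "" }'
}

# Epoch seconds to a UTC date (GNU/busybox date); falls back to the raw value.
fmt_epoch() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$1"
}

# Ask rpm whether the package owning the file still verifies clean.
# Returns 1 when the file is unowned or the package payload differs.
verify_file() {
    f=$1
    command -v rpm >/dev/null 2>&1 || { echo "$f: rpm not found, compare the dates with your update history"; return 0; }
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "$f: not owned by any package"; return 1; }
    if rpm -Vf "$f" >/dev/null 2>&1; then
        echo "$f: package $pkg verifies clean (installed $(rpm -q --qf '%{INSTALLTIME:date}' "$pkg"))"
    else
        echo "$f: package $pkg DIFFERS on disk, investigate before running rkhunter --propupd"
        return 1
    fi
}

# Use a real log when given as $1 (normally /var/log/rkhunter.log), else the sample.
if [ -n "$1" ] && [ -r "$1" ]; then input=$(cat "$1"); else input=$SAMPLE; fi
printf '%s\n' "$input" | changed_files | while read -r f cur stored; do
    echo "$f: mtime $(fmt_epoch "$stored") -> $(fmt_epoch "$cur")"
    verify_file "$f" || true
done
```

The sample's current mtime 1281070335 decodes to 2010-08-06 UTC, the tcp_wrappers update date tschommer mentions, which is exactly the kind of match that makes the warning benign.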

Offline Jasn

  • Jr. Member
  • **
  • Posts: 46
Re: Rkhunter warning
« Reply #4 on: August 07, 2010, 10:23:54 AM »
Thank You!
That's a relief.

uncleV

  • Guest
Re: (Solved) Rkhunter warning
« Reply #5 on: August 07, 2010, 10:26:07 AM »
Maybe the rkhunter central database was not updated too.

Offline alphaace

  • Sr. Member
  • ****
  • Posts: 310
Re: (SOLVED) Rkhunter warning
« Reply #6 on: August 08, 2010, 11:48:54 AM »
Hi,

So after reading this post, I downloaded rkhunter to play with it. I did the --update and the --propupd.

Then when I ran rkhunter -c, all the file properties in /usr/sbin were okay EXCEPT for rkhunter. How does that work?? I had a warning.

Also, I had warnings here:

Performing trojan specific checks
    Checking for enabled xinetd services                     [ Warning ]

Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
Checking if SSH root access is allowed                   [ Warning ]
    Checking for hidden files and directories                [ Warning ]

Should I worry about these? And if so, how do I fix them?

Offline Jasn

  • Jr. Member
  • **
  • Posts: 46
Re: (SOLVED) Rkhunter warning
« Reply #7 on: August 09, 2010, 09:13:51 AM »
Hi!

Quote
Hi,

So after reading this post, I downloaded rkhunter to play with it. I did the --update and the --propupd.

Then when I ran rkhunter -c, all the file properties in /usr/sbin were okay EXCEPT for rkhunter. How does that work?? I had a warning.

Also, I had warnings here:

Performing trojan specific checks
    Checking for enabled xinetd services                     [ Warning ]

Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
Checking if SSH root access is allowed                   [ Warning ]
    Checking for hidden files and directories                [ Warning ]

Should I worry about these? And if so, how do I fix them?

First you should check what these warnings are. Open /var/log/rkhunter.log with kwrite. There you find more specific information about them.
You can then check the web for what you find about them.
If you find out that they are false warnings, you can open /etc/rkhunter.conf. By editing rkhunter.conf you can stop these warnings.
If you post here those lines of your rkhunter.log where these warnings are explained, it's easier to help with editing rkhunter.conf.

Offline Jasn

  • Jr. Member
  • **
  • Posts: 46
Re: (SOLVED) Rkhunter warning
« Reply #8 on: August 09, 2010, 09:32:55 AM »
Hello again!

There's a rather long and thorough guide to rkhunter here: http://sourceforge.net/apps/trac/rkhunter/wiki/MPRKH.
I have not read it through myself and most of it would probably go over my head with me being a rookie to linux.

Offline alphaace

  • Sr. Member
  • ****
  • Posts: 310
Re: (SOLVED) Rkhunter warning
« Reply #9 on: August 09, 2010, 11:11:37 AM »
I'm somewhat of a beginner too...although I did compile my first driver the other day (yay!)

Anyway, here are my relevant log sections:
[13:43:47] /usr/sbin/rkhunter                                [ Warning ]
[13:43:47] Warning: The command '/usr/sbin/rkhunter' has been replaced and is not a script: /usr/sbin/rkhunter: a /bin/sh script text executable

[13:45:57]     Checking '/etc/xinetd.d/saned' for enabled services [ Warning ]


[13:46:14] Warning: The SSH and rkhunter configuration options should be the same:
[13:46:14]          SSH configuration option 'PermitRootLogin': without-password
[13:46:14]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


Any help on how to fix these is appreciated. The last one is really worrying; how do I disable root login via ssh?

Offline Jasn

  • Jr. Member
  • **
  • Posts: 46
Re: (SOLVED) Rkhunter warning
« Reply #10 on: August 09, 2010, 11:41:08 AM »
Hi!

Quote
I'm somewhat of a beginner too...although I did compile my first driver the other day (yay!)

Anyway, here are my relevant log sections:
[13:43:47] /usr/sbin/rkhunter                                [ Warning ]
[13:43:47] Warning: The command '/usr/sbin/rkhunter' has been replaced and is not a script: /usr/sbin/rkhunter: a /bin/sh script text executable

[13:45:57]     Checking '/etc/xinetd.d/saned' for enabled services [ Warning ]


[13:46:14] Warning: The SSH and rkhunter configuration options should be the same:
[13:46:14]          SSH configuration option 'PermitRootLogin': without-password
[13:46:14]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


Any help on how to fix these is appreciated. The last one is really worrying; how do I disable root login via ssh?

I've had these same warnings myself.
The first one about /usr/sbin/rkhunter I think is due to rkhunter -c being run for the first time.
I checked it via google and to my knowledge it's a false alarm.
You can get rid of it by editing /etc/rkhunter.conf. Add the last line of the following:
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/etc/.aumixrc
SCRIPTWHITELIST=/usr/sbin/rkhunter

I think the second warning is also false. Googled that too.
Add the following to /etc/rkhunter.conf (again the last line):

# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
XINETD_ALLOWED_SVC=/etc/xinetd.d/saned

Notice there's no hash in the beginning of added lines.

For the third warning about SSH root login, I found a solution somewhere on the web for changing the login to not permitted. I'm sorry, but I can't remember how it was done right now.
Anyway, I got it changed to not permitted, but a few days later it had somehow changed to permitted again (maybe updating PCLinuxOS does that?).
I may be wrong, but I don't think it's an issue.
I'll get back to that later.
After you've edited /etc/rkhunter.conf, try running rkhunter -c to see if those two warnings have gone.


Offline Dragynn

  • Hero Member
  • *****
  • Posts: 1436
  • Abide.
Re: (SOLVED) Rkhunter warning
« Reply #11 on: October 03, 2010, 11:43:33 PM »
Just adding to the database here. I got the same warnings about SSH and about the /usr/sbin/rkhunter files and editing the /etc/rkhunter.conf fixed it right up, but I also got a "hidden file" warning about the /etc/.aumixrc that's scriptwhitelisted, so I added an 'ALLOWHIDDENFILE' line about it too and the warning disappeared. It's a harmless config file.

As for SSH, I went into start>>system>>preferences>>configure your computer>>network services>>open SSH daemon configuration>> second click brings up some choices, "permit root login" being the operative one here, switched it to "no" and that did the trick, fresh scan and zero warnings. ;)

Offline Texstar

  • Administrator
  • Super Villain
  • *****
  • Posts: 12495
Re: (SOLVED) Rkhunter warning
« Reply #12 on: October 04, 2010, 12:24:50 AM »
Just an FYI, root login is controlled by the denyusers file in the /etc/ssh folder, which contains the root user.

Offline Dragynn

  • Hero Member
  • *****
  • Posts: 1436
  • Abide.
Re: (SOLVED) Rkhunter warning
« Reply #13 on: October 04, 2010, 08:10:20 AM »
Quote
Just an FYI, root login is controlled by the denyusers file in the /etc/ssh folder, which contains the root user.

Sure enough...after re-boot I get the warning again. So how does one go about changing that setting and making it persist?

Thanks!

Offline 7272andy

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 1627
  • UK MLU
Re: (SOLVED) Rkhunter warning
« Reply #14 on: October 06, 2010, 10:51:14 AM »
Edit /etc/rkhunter.conf
find the line
     ALLOW_SSH_ROOT_USER=no
and change to read
     ALLOW_SSH_ROOT_USER=without-password

Regards
Andy
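The comparison behind the SSH warning that alphaace, Dragynn and Andy discuss, as an added shell example that is not code from the thread or from rkhunter: it reads PermitRootLogin and ALLOW_SSH_ROOT_USER from constructed sshd_config and rkhunter.conf fragments and reports the two ways of making them agree; the fragments and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the comparison behind rkhunter's
# "SSH and rkhunter configuration options should be the same" warning on
# constructed config fragments, so both values are known before deciding which
# side to change. The file paths named in the thread are real; the rest is assumed.

# Constructed sshd_config fragment reproducing alphaace's log.
SSHD_FRAGMENT='# Authentication:
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication yes'

# Constructed rkhunter.conf fragment with the default shown in the thread.
RK_FRAGMENT='# Permit root SSH login? Must match sshd_config.
ALLOW_SSH_ROOT_USER=no'

# Effective PermitRootLogin from sshd_config text on stdin. sshd uses the first
# value it sees; absent meant "yes" on 2010-era OpenSSH (newer releases default to
# prohibit-password). Match blocks are conditional, so on a live host feed it
# the output of "sshd -T" instead of the raw file.
ssh_permit_root() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "yes" }'
}

# ALLOW_SSH_ROOT_USER from rkhunter.conf text on stdin; rkhunter defaults it to "no".
rk_allow_root() {
    awk -F= '/^[[:space:]]*ALLOW_SSH_ROOT_USER[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
             END { print (v == "" ? "no" : v) }'
}

# rkhunter's test is a plain string comparison: "without-password" against "no"
# is a mismatch even though neither lets root log in with a password.
root_login_consistent() {
    [ "$1" = "$2" ]
}

# Report both values and the two ways the thread gives to make them agree:
# tighten sshd to "no" (then restart sshd), or record the policy actually in
# force with ALLOW_SSH_ROOT_USER=without-password in rkhunter.conf. Returns 1 on mismatch.
report() {
    ssh_val=$(printf '%s\n' "$SSHD_FRAGMENT" | ssh_permit_root)
    rk_val=$(printf '%s\n' "$RK_FRAGMENT" | rk_allow_root)
    root_login_consistent "$ssh_val" "$rk_val" && { echo "consistent: both $ssh_val"; return 0; }
    echo "mismatch: PermitRootLogin=$ssh_val but ALLOW_SSH_ROOT_USER=$rk_val"
    echo "fix: 'PermitRootLogin no' in sshd_config, or ALLOW_SSH_ROOT_USER=$ssh_val in rkhunter.conf"
    return 1
}
report || true   # non-zero status from report is informational when run by hand
```

Setting PermitRootLogin to "no" in sshd_config is the option that actually closes root SSH access; changing only rkhunter.conf silences the warning without changing what sshd allows.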

