ROOTKIT Detection and Prevention

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
kazack
Forum User
Posts: 67
Joined: Sun Dec 16, 2012 3:33 am
Location: Columbus Ohio

ROOTKIT Detection and Prevention

Post by kazack:

In one of my earlier posts I got a reply which was:

Quote:
1. CHKRootKit - a simple program that detects hacker software and notifies you if any has been detected via email
2. RootKit Hunter - scanning tool to ensure your system does not have any backdoors or exploits

ASL includes this, sets it up, cooks the results and includes an advanced rootkit detection system, as well as real time root kit detection and prevention.

I have an issue because I just received an e-mail and need to know how to proceed:

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Package manager verification has failed:
File: /bin/mount
The file permissions have changed
Warning: Package manager verification has failed:
File: /bin/ping
The file permissions have changed
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/locate
The file permissions have changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed
Warning: Hidden ports found:
Port number: TCP:631
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Suspicious file types found in /dev:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:mouse2: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text

----------------------- End Rootkit Hunter Scan -----------------------

How do I take care of this, as I was told that ASL would detect and prevent? Could this also be the result of the high load on my server?

Thanks,
Shawn Mulligan
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ROOTKIT Detection and Prevention

Post by mikeshinn:

Was this a new install, or did you upgrade your OS? And if the latter, what did you upgrade from and to?
kazack
Forum User
Posts: 67
Joined: Sun Dec 16, 2012 3:33 am
Location: Columbus Ohio

Re: ROOTKIT Detection and Prevention

Post by kazack:

Clean install of 6.3. I never upgrade CentOS; I created a new VM and installed.

Thanks Shawn
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ROOTKIT Detection and Prevention

Post by mikeshinn:

Checking file programs_bad.dat [ No update ]
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... update_.5D

Warning: Package manager verification has failed:
File: /bin/mount
The file permissions have changed
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... has_failed:

Warning: Hidden ports found:
Port number: TCP:631
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... orts_found

Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... ile_exists.

Warning: Unable to check for group file differences: no copy of the group file exists.
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... ile_exists.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ROOTKIT Detection and Prevention

Post by mikeshinn:

Oh, and these:
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... t_been_set.

Warning: Suspicious file types found in /dev:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:mouse2: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... ASCII_text
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: ROOTKIT Detection and Prevention

Post by gaia:

Warning: Suspicious file types found in /dev:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:mouse2: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text

See this FAQ:

https://www.atomicorp.com/wiki/index.ph ... ASCII_text
Didn't find any info regarding "/dev/.udev/db/input:mouse1: ASCII text" on the linked FAQ page. Just upgraded from CentOS 6.6 to 6.7.
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ROOTKIT Detection and Prevention

Post by mikeshinn:

This may help to explain what rkhunter is complaining about:

https://www.atomicorp.com/wiki/index.ph ... _in_.2Fdev:

Note: some browsers strip the trailing : off this URL. If yours does, here is a URL you can cut and paste:

https://www.atomicorp.com/wiki/index.php?title=ASL_error_messages#Warning:_Suspicious_file_types_found_in_.2Fdev:

Text files aren't "supposed" to be in /dev, so the developers of rkhunter flag it as suspicious if any text files are found there. udevd puts tons of text files in /dev.
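The thread's replies amount to a triage rule for each class of rkhunter warning: entries under /dev/.udev/db/ are written by udevd and are expected, package-manager verification failures should be checked against the package database, a hidden port should be matched to its listener, and the "no copy of the passwd file exists" warnings mean rkhunter has no baseline yet. The script below is an added example written for this thread (it is not part of rkhunter or ASL) that parses a report of the shape quoted above and applies those rules. The report text, the /dev/leftover.txt path and the severity labels are constructed for the example; the commands mentioned in the notes (rpm -V, ss -ltnp, rkhunter --propupd) are standard tools, not something the thread itself prescribes.

```python
"""Parse an rkhunter e-mail report into warnings and triage them by class.

Added example for this forum thread; not rkhunter's or Atomicorp's code.
It encodes the thread's explanation that text files under /dev/.udev/db/
are udevd's database and are expected, so they are separated from any
other text file rkhunter reports in /dev.
"""
from dataclasses import dataclass, field

# Constructed sample shaped like the report quoted in the thread; the
# /dev/leftover.txt line is invented to show a non-udev hit being kept.
SAMPLE_REPORT = """\
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Hidden ports found:
Port number: TCP:631
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Suspicious file types found in /dev:
/dev/.udev/db/net:eth0: ASCII text
/dev/leftover.txt: ASCII text
----------------------- End Rootkit Hunter Scan -----------------------
"""

UDEV_DB_PREFIX = "/dev/.udev/db/"   # udevd's device database on CentOS 6


@dataclass
class RkWarning:
    kind: str                                   # text after "Warning: ", trailing colon dropped
    details: list = field(default_factory=list)  # continuation lines that belong to it


def parse_rkhunter(report: str) -> list:
    """Group the report into one RkWarning per 'Warning:' line."""
    warnings, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue                            # banners and blank lines
        if line.startswith("Warning: "):
            current = RkWarning(kind=line[len("Warning: "):].rstrip(":"))
            warnings.append(current)
        elif current is not None:
            current.details.append(line)
    return warnings


def triage(warnings) -> list:
    """Return (severity, subject, note) tuples; severity is expected, action or review."""
    findings = []
    for w in warnings:
        if w.kind == "Package manager verification has failed":
            subject = next((d[len("File: "):] for d in w.details if d.startswith("File: ")), "?")
            changes = "; ".join(d for d in w.details if d.startswith("The file "))
            findings.append(("review", subject, f"{changes}; compare with `rpm -V` for the owning package"))
        elif w.kind == "Hidden ports found":
            for d in w.details:
                port = d.rpartition(": ")[2]    # e.g. "TCP:631"
                findings.append(("review", port, "map to its process with `ss -ltnp` (631/tcp is conventionally CUPS)"))
        elif w.kind.startswith("Unable to check for"):
            findings.append(("action", w.kind, "no baseline copy yet; create one with `rkhunter --propupd` on a known-clean host"))
        elif w.kind == "Suspicious file types found in /dev":
            for d in w.details:
                path = d.rsplit(": ", 1)[0]     # strip the ": ASCII text" suffix
                if path.startswith(UDEV_DB_PREFIX):
                    findings.append(("expected", path, "udev database entry written by udevd"))
                else:
                    findings.append(("review", path, "text file in /dev outside the udev database"))
        else:
            findings.append(("review", w.kind, "unclassified warning"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity so the expected udev noise is visible at a glance."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(parse_rkhunter(SAMPLE_REPORT))
    for sev, subject, note in result:
        print(f"[{sev:8}] {subject}: {note}")
    print(summarize(result))
```

Run against a saved rkhunter e-mail instead of SAMPLE_REPORT, the "expected" bucket absorbs the udev entries that prompted this thread, and only what remains in "review" and "action" needs a human to look at it.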