In one of my earlier posts I got a reply which was:
Quote:
1. CHKRootKit - a simple program that detects hacker software and notifies you if any has been detected via email
2. RootKit Hunter - scanning tool to ensure your system does not have any backdoors or exploits
ASL includes this, sets it up, cooks the results and includes an advanced rootkit detection system, as well as real time root kit detection and prevention.
I have an issue because I just received an e-mail and need to know how to proceed:
--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.0 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Package manager verification has failed:
File: /bin/mount
The file permissions have changed
Warning: Package manager verification has failed:
File: /bin/ping
The file permissions have changed
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/locate
The file permissions have changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed
Warning: Hidden ports found:
Port number: TCP:631
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Suspicious file types found in /dev:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
----------------------- End Rootkit Hunter Scan -----------------------
How do I take care of this, as I was told that ASL would detect and prevent? Could this also be the result of the high load on my server?
Thanks,
Shawn Mulligan
ROOTKIT Detection and Prevention
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ROOTKIT Detection and Prevention
Was this a new install, or did you upgrade your OS? And if the latter, what did you upgrade from and to?
Michael Shinn
Atomicorp - Security For Everyone
Re: ROOTKIT Detection and Prevention
Clean install of 6.3. I never upgrade CentOS; created a new VM and installed.
Thanks, Shawn
- mikeshinn
Re: ROOTKIT Detection and Prevention
See this FAQ: Checking file programs_bad.dat [ No update ]
https://www.atomicorp.com/wiki/index.ph ... update_.5D
See this FAQ: Warning: Package manager verification has failed:
File: /bin/mount
The file permissions have changed
https://www.atomicorp.com/wiki/index.ph ... has_failed:
See this FAQ: Warning: Hidden ports found:
Port number: TCP:631
https://www.atomicorp.com/wiki/index.ph ... orts_found
See this FAQ: Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
https://www.atomicorp.com/wiki/index.ph ... ile_exists.
See this FAQ: Warning: Unable to check for group file differences: no copy of the group file exists.
https://www.atomicorp.com/wiki/index.ph ... ile_exists.
Michael Shinn
Atomicorp - Security For Everyone
- mikeshinn
Re: ROOTKIT Detection and Prevention
Oh, and these:
See this FAQ: Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
https://www.atomicorp.com/wiki/index.ph ... t_been_set.
See this FAQ: Warning: Suspicious file types found in /dev:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
https://www.atomicorp.com/wiki/index.ph ... ASCII_text
Michael Shinn
Atomicorp - Security For Everyone
Re: ROOTKIT Detection and Prevention
Didn't find any info regarding "/dev/.udev/db/input:mouse1: ASCII text" on the linked FAQ page. Just upgraded from CentOS 6.6 to 6.7.
Warning: Suspicious file types found in /dev:
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/usb:1-2: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/serio:serio0: ASCII text
See this FAQ:
https://www.atomicorp.com/wiki/index.ph ... ASCII_text
CentOS 6.9
ASL 4.0.19-37
- mikeshinn
Re: ROOTKIT Detection and Prevention
This may help to explain what rkhunter is complaining about:
https://www.atomicorp.com/wiki/index.ph ... _in_.2Fdev:
Text files aren't "supposed" to be in /dev, so the developers of rkhunter flag that as suspicious if any text files are found there. udevd puts tons of text files in /dev.
Note: some browsers strip the trailing : off this URL; if yours does, here is a URL you can cut and paste:
https://www.atomicorp.com/wiki/index.php?title=ASL_error_messages#Warning:_Suspicious_file_types_found_in_.2Fdev:
Michael Shinn
Atomicorp - Security For Everyone