Hi,
I am having some trouble running the ART rkhunter on CentOS5.2 with Plesk 8.6.
It is running properly, but gives some unusual messages that have me stumped.
The discussion (http://forum.swsoft.com/showthread.php? ... post222812) over at the Plesk forum has the details if anyone can lend a hand.
Thanks
Graham
rkhunter on CentOS5.2 PSA 8.6 error messages
Last edited by greyman56 on Tue Jan 20, 2009 9:13 pm, edited 1 time in total.
- mikeshinn
- Atomicorp Staff - Site Admin
Is this a virtual server? If so, the hidden processes are the processes of the other virtual servers on the box - they are in fact hidden. If it's not a vserver then the box has hidden processes, and if you ran this as root that means the box may be rootkitted.
Michael Shinn
Atomicorp - Security For Everyone
Thanks for your reply Mike.
mikeshinn wrote: Is this a virtual server?
Yes. Virtuozzo 4 I believe.
mikeshinn wrote: If so, the hidden processes are the processes of the other virtual servers on the box - they are in fact hidden.
So this means that the standard Plesk version must be ignoring these hidden processes (well they are not reported by the control panel version 1.2.8 of rkhunter), or have a way of distinguishing them from real rootkit stuff, or worse still the test for hiddens has been disabled.
Mmmm, this is looking quite messy.
I do not want to have a little sheep that cried wolf every day, which is more or less useless as a security monitoring tool. And it's no good to have one that says all is OK when it might not be.
Any solutions or ideas anyone?
Thanks for your reply Scott,
scott wrote: I don't believe the 1.2 version of rkhunter had anything like the detection capabilities that 1.3 has. So maybe that's one of the reasons they haven't updated yet.
OK that makes sense.
scott wrote: What you're seeing are the processes running in the other virtual servers
So I might try disabling the hidden process detection when on a VPS and rely on the other mechanisms to detect problems for the time being. That's probably not so bad seeing as we did not have that in the Plesk version anyway.
It's just a matter of knowing what's happening, isn't it! Back to the books for me <grin>. Will have to know the new rkhunter better it seems.
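
An added example, not part of the original posts and not Atomicorp's or Plesk's own script: one way to apply the idea above of skipping the hidden process test only when the box really is a Virtuozzo/OpenVZ container, so a physical server or the hardware node still gets the full check. It assumes the rkhunter 1.3 test name hidden_procs (confirm with rkhunter --list tests) and the common heuristic that a container has /proc/vz but no /proc/bc; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: choose rkhunter arguments depending on whether this
# system is a Virtuozzo/OpenVZ container.

# vz_role [PROCROOT] -> prints "container", "node" or "none".
# Heuristic (assumption): a container exposes /proc/vz but not /proc/bc,
# while the hardware node exposes both. PROCROOT defaults to /proc and is
# a parameter only so the logic can be exercised on a constructed tree.
vz_role() {
    procroot=${1:-/proc}
    if [ -d "$procroot/vz" ]; then
        if [ -d "$procroot/bc" ]; then
            echo node
        else
            echo container
        fi
    else
        echo none
    fi
}

# rkhunter_args ROLE -> prints the arguments to pass to rkhunter.
# Only a container skips hidden_procs. On a hardware node or a plain
# server a hidden process is a finding that should still be reported.
rkhunter_args() {
    case "$1" in
        container) echo "--check --disable hidden_procs" ;;
        *)         echo "--check" ;;
    esac
}

# Show what would be run on this machine (nothing is executed here).
role=$(vz_role /proc)
echo "detected role: $role"
echo "would run: rkhunter $(rkhunter_args "$role")"
```

The other tests (file properties, known rootkit files, ports and so on) still run inside the container, so only the one check that the other virtual servers' processes trip is dropped.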