rkhunter on CentOS5.2 PSA 8.6 error messages
Posted: Mon Jan 19, 2009 9:17 pm
by greyman56
Hi,
I am having some trouble running the ART rkhunter on CentOS5.2 with Plesk 8.6.
It is running properly, but gives some unusual messages that have me stumped.
The discussion (http://forum.swsoft.com/showthread.php? ... post222812) over at the Plesk forum has the details if anyone can lend a hand.
Thanks
Graham
Posted: Tue Jan 20, 2009 8:26 pm
by mikeshinn
Is this a virtual server? If so, the hidden processes are the processes of the other virtual servers on the box - they are in fact hidden. If it's not a vserver then the box has hidden processes and if you ran this as root that means the box may be rootkitted.
Posted: Tue Jan 20, 2009 8:58 pm
by greyman56
Thanks for your reply Mike.
mikeshinn wrote: Is this a virtual server?
Yes. Virtuozzo 4 I believe.
mikeshinn wrote: If so, the hidden processes are the processes of the other virtual servers on the box - they are in fact hidden.
So this means that the standard Plesk version must be ignoring these hidden processes (well they are not reported by the control panel version 1.2.8 of rkhunter), or have a way of distinguishing them from real rootkit stuff, or worse still the test for hiddens has been disabled.
Mmmm, this is looking quite messy.
I do not want to have a little sheep that cried wolf every day, which is more or less useless as a security monitoring tool. And it's no good to have one that says all is OK when it might not be.
Any solutions or ideas anyone?
Posted: Tue Jan 20, 2009 10:15 pm
by scott
I don't believe the 1.2 version of rkhunter had anything like the detection capabilities that 1.3 has. So maybe that's one of the reasons they haven't updated yet.
What you're seeing are the processes running in the other virtual servers.
Posted: Tue Jan 20, 2009 10:36 pm
by greyman56
Thanks for your reply Scott,
scott wrote: I don't believe the 1.2 version of rkhunter had anything like the detection capabilities that 1.3 has. So maybe that's one of the reasons they haven't updated yet.
OK that makes sense.
scott wrote: What you're seeing are the processes running in the other virtual servers.
So I might try disabling the hidden process detection when on a VPS and rely on the other mechanisms to detect problems for the time being. That's probably not so bad seeing as we did not have that in the Plesk version anyway.
It's just a matter of knowing what's happening, isn't it! Back to the books for me <grin>. Will have to know the new rkhunter better it seems.
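Added example, not part of the original thread or of the ART or rkhunter packages: one way to do what the last post suggests, turning off only the hidden-process test and only when the host is a Virtuozzo/OpenVZ container. It assumes rkhunter 1.3's `DISABLE_TESTS` option and `hidden_procs` test name, and the common heuristic that a container's `/proc` has `vz` but no `bc`; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed example: decide per host whether rkhunter's hidden-process test
# should be skipped, instead of disabling it on every server.

# Assumption: inside a Virtuozzo/OpenVZ container /proc/vz exists and /proc/bc
# does not; on the hardware node both exist.
in_vz_container() {
    proc_dir=${1:-/proc}
    [ -d "$proc_dir/vz" ] && [ ! -d "$proc_dir/bc" ]
}

# Print the value of the last active DISABLE_TESTS line in an rkhunter config
# file, quotes removed. Prints nothing if the option is unset or the file is
# missing. Commented-out lines are ignored.
current_disabled() {
    sed -n 's/^[[:space:]]*DISABLE_TESTS[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"'"
}

# disable_tests_line CONF [PROC_DIR]
# Print the DISABLE_TESTS line this host should use: the existing list, plus
# hidden_procs when (and only when) we are inside a container.
disable_tests_line() {
    conf=$1
    proc_dir=${2:-/proc}
    tests=$(current_disabled "$conf")
    if in_vz_container "$proc_dir"; then
        case " $tests " in
            *" hidden_procs "*) ;;                      # already disabled
            *) tests="${tests:+$tests }hidden_procs" ;; # add it exactly once
        esac
    fi
    # Nothing to disable: print nothing and leave the config as it is.
    if [ -n "$tests" ]; then
        printf 'DISABLE_TESTS="%s"\n' "$tests"
    fi
}

# Show the line for this machine (default config path; pass another as $1).
disable_tests_line "${1:-/etc/rkhunter.conf}"
```

On a dedicated server or the hardware node the list is returned unchanged, so the hidden-process check stays active where its warnings are meaningful.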