[Novalug] Warnings (was Re: php vulnerability ...) (LONG)

Beartooth beartooth@Beartooth.Info
Fri May 18 11:04:38 EDT 2012


On Thu, 17 May 2012, James Ewing Cottrell 3rd wrote:

> Recently I googled an error message I was seeing. The article 
> said "You're infected...run 'chkrootkit' and 'rkhunter'".

 	First off, "rpm -q php" got "not installed," both as 
userid and as root. So this may be a whole nother kettle of fish.

> Google both names, download, and run them. They will tell you 
> if you have one or more of many common infections.

 	I did not get "you're infected." But after trying both 
commands ("not installed") I did "yum install chkrootkit" and 
"yum install rkhunter."

 	chkrootkit gave me :

Searching for Suckit rootkit...

Warning: /sbin/init INFECTED

 	rkhunter -c gave me :

   Performing file properties checks
     Checking for prerequisites                        [ Warning ]

   Performing trojan specific checks
     Checking for enabled xinetd services              [ Warning ]

     Checking for passwd file changes                  [ Warning ]
     Checking for group file changes                   [ Warning ]


System checks summary
=====================

File properties checks...
     Required commands check failed
     Files checked: 139
     Suspect files: 0

Rootkit checks...
     Rootkits checked : 249
     Possible rootkits: 0

Applications checks...
     All checks skipped

The system checks took: 12 minutes and 23 seconds

All results have been written to the log file 
(/var/log/rkhunter/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

[root@Hbsk3 ~]#

 	In the log I found :

[10:03:33] Info: Starting test name 'shared_libs_path'
[10:03:33]   Checking LD_LIBRARY_PATH variable        $
[10:03:33]
[10:03:33] Info: Starting test name 'properties'
[10:03:33] Performing file properties checks
[10:03:33] Warning: Checking for prerequisites        $
[10:03:33]          The file of stored file properties$
[10:03:33] Info: The file properties check will still $
[10:03:33]
[10:03:33]
[10:03:33] Warning: WARNING! It is the users responsib$
            is used, all the files on their system are $
            reliable source. The rkhunter '--check' opt$
            against previously stored values, and repor$
            cannot determine what has caused the change$

[10:03:33] Info: Found file '/sbin/ifdown': it is whit$
[10:03:33]   /sbin/ifup                               $
[10:03:33] Info: Found file '/sbin/ifup': it is whitel$

[10:03:36] Info: Found file '/usr/bin/GET': it is whit$
[10:03:36]   /usr/bin/groups                          $
[10:03:36] Info: Found file '/usr/bin/groups': it is w$

[10:03:36] Info: Found file '/usr/bin/ldd': it is whit$

[10:03:37] Info: Found file '/usr/bin/whatis': it is w$

[10:08:13]   Performing Suckit Rookit additional checks
[10:08:13]     Checking hard link count on '/sbin/init$
[10:08:13]     Checking for hidden file extensions    $
[10:08:13]     Running skdet command                  $
[10:08:13] Info: Unable to find the 'skdet' command
[10:08:13]   Suckit Rookit additional checks          $

[10:08:19] Info: Starting test name 'malware'
[10:08:19] Performing malware checks
[10:08:19]
[10:08:19] Info: Test 'deleted_files' disabled at user$
[10:08:19]
[10:08:20] Info: Test 'hidden_procs' disabled at users$
[10:08:20]
[10:08:20] Info: Test 'suspscan' disabled at users req$
[10:08:20]
[10:08:21]   Checking for software intrusions         $
[10:08:21] Info: Check skipped - tripwire not installed

[10:08:21]   Checking for enabled xinetd services     $
[10:08:21] Warning: Found enabled xinetd service: /etc$
[10:08:21] Info: Apache backdoor check skipped: Apache$
[10:08:21]
[10:15:05] Info: Starting test name 'hidden_ports'
[10:15:05] Checking for hidden ports                  $
[10:15:05] Info: Unable to find the 'unhide-tcp' comma$
[10:15:05]
[10:15:05] Info: Starting test name 'group_accounts'
[10:15:05] Performing group and account checks
[10:15:05]   Checking for passwd file                 $
[10:15:05] Info: Found password file: /etc/passwd
[10:15:05]   Checking for root equivalent (UID 0) acco$
[10:15:05] Info: Found shadow file: /etc/shadow
[10:15:05]   Checking for passwordless accounts       $
[10:15:05]
[10:15:05] Info: Starting test name 'group_changes'
[10:15:05]   Checking for group file changes          $
[10:15:05] Warning: Unable to check for group file dif$
[10:15:05]
[10:15:53] Info: Test 'apps' disabled at users request.
[10:15:53] Possible rootkits: 0
[10:15:53]
[10:15:53] Applications checks...
[10:15:53] All checks skipped


All those lines about "users request" did not come from any user I 
know of.

 	So, is it something to worry about?

-- 
Beartooth Staffwright, Not Quite Clueless Power User
Remember I know little (precious little!) of where up is.
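Most of the rkhunter warnings quoted above come from missing optional helpers (skdet, unhide-tcp, tripwire), tests switched off in rkhunter.conf, and the absence of a stored file-properties baseline, rather than from anything on the box. As an added example (not from the post or from the rkhunter project), here is a small Python triage of the log format shown; the sample lines are constructed full-length stand-ins for the lines the post shows cut off at "$", and the xinetd path is a placeholder.

```python
import re

# rkhunter lines look like "[HH:MM:SS] Level: message"; continuation lines have no level.
LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*(?:(Warning|Info):)?\s*(.*?)\s*$")
# Messages explained by configuration or a missing optional tool, not by compromise.
ENVIRONMENTAL = [
    ("missing_tool",  re.compile(r"Unable to find the '([^']+)' command")),
    ("disabled_test", re.compile(r"Test '([^']+)' disabled at users? request")),
    ("no_baseline",   re.compile(r"(Checking for prerequisites|stored file properties"
                                 r"|Unable to check for \w+ file dif)")),
]
# Messages that name something a person still has to look at by hand.
NEEDS_REVIEW = [("xinetd_service", re.compile(r"Found enabled xinetd service: (\S+)"))]

ACTIONS = {
    "missing_tool":   "helper '{}' is absent: install it or accept that the sub-check was skipped",
    "disabled_test":  "test '{}' is switched off by DISABLE_TESTS in rkhunter.conf, not by an intruder",
    "no_baseline":    "no stored baseline ({}): verify binaries with 'rpm -Va' first, then 'rkhunter --propupd'",
    "xinetd_service": "enabled xinetd service {}: confirm it is intended and package-owned ('rpm -qf')",
}

def triage(log_text):
    """Return {'review': [...], 'environmental': [...], 'unexplained': [...]}."""
    report = {"review": [], "environmental": [], "unexplained": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group(2):
            continue
        level, msg = m.groups()
        for bucket, table in (("review", NEEDS_REVIEW), ("environmental", ENVIRONMENTAL)):
            hit = next(((name, mm.group(1)) for name, p in table for mm in [p.search(msg)] if mm), None)
            if hit:
                report[bucket].append(hit)
                break
        else:  # no pattern explains it: a Warning here deserves a closer look
            if level == "Warning":
                report["unexplained"].append(msg)
    return report

def next_steps(report):
    return [ACTIONS[name].format(detail) for name, detail in report["review"] + report["environmental"]]

# Constructed sample: full-length stand-ins for lines the post shows cut off at '$'.
SAMPLE_LOG = """\
[10:03:33] Warning: Checking for prerequisites                        [ Warning ]
[10:08:13] Info: Unable to find the 'skdet' command
[10:08:19] Info: Test 'deleted_files' disabled at users request.
[10:08:21] Warning: Found enabled xinetd service: /etc/xinetd.d/EXAMPLE_SERVICE
[10:15:05] Warning: Unable to check for group file differences: no copy exists.
"""
```

The chkrootkit hit on /sbin/init deserves the same package-manager verification ("rpm -Vf /sbin/init") before "rkhunter --propupd" freezes the current file properties as the trusted baseline.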
