By inctor | 22.05.2010 23:40

Debian Lenny 5 rkhunter log

Software
Hi everyone!

I don't have much experience with Linux servers myself, but I know most of the basics.
Recently, though, I received an email from my server, from a program called "RKHunter", and the mail says:

"Please inspect this machine, because it may be infected."

And I can see it was sent from the root user on the server..

So I went and looked in the RKHunter log on the server, and made a small excerpt of what's in it:

[01:01:47]
[01:01:47] Performing system configuration file checks
[01:01:47] Info: Starting test name 'system_configs'
[01:01:48] Checking for SSH configuration file [ Found ]
[01:01:48] Info: Found SSH configuration file: /etc/ssh/sshd_config
[01:01:48] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
[01:01:48] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '2'.
[01:01:48] Checking if SSH root access is allowed [ Warning ]
[01:01:48] Warning: The SSH and rkhunter configuration options should be the same:
[01:01:48] SSH configuration option 'PermitRootLogin': yes
[01:01:48] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[01:01:48] Checking if SSH protocol v1 is allowed [ Not allowed ]
[01:01:48] Checking for running syslog daemon [ Found ]
[01:01:48] Checking for syslog configuration file [ Found ]
[01:01:48] Info: Found syslog configuration file: /etc/rsyslog.conf
[01:01:48] Checking if syslog remote logging is allowed [ Not allowed ]
[01:01:48]
[01:01:48] Performing filesystem checks
[01:01:48] Info: Starting test name 'filesystem'
[01:01:48] Info: SCAN_MODE_DEV set to 'THOROUGH'
[01:01:49] Checking /dev for suspicious file types [ Warning ]
[01:01:49] Warning: Suspicious file types found in /dev:
[01:01:49] /dev/shm/network/ifstate: ASCII text
[01:01:49] Checking for hidden files and directories [ Warning ]
[01:01:49] Warning: Hidden directory found: /etc/.java
[01:01:49] Warning: Hidden directory found: /dev/.udev
[01:01:49] Warning: Hidden directory found: /dev/.initramfs
[01:01:49]
[01:01:49] Checking application versions...
[01:01:49] Info: Starting test name 'apps'
[01:01:50] Info: Application 'exim' not found.
[01:01:50] Checking version of GnuPG [ Warning ]
[01:01:50] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[01:01:50] Info: Application 'httpd' not found.
[01:01:50] Checking version of Bind DNS [ Warning ]
[01:01:50] Warning: Application 'named', version '9.5.1', is out of date, and possibly a security risk.
[01:01:50] Checking version of OpenSSL [ Warning ]
[01:01:50] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[01:01:50] Checking version of PHP [ Warning ]
[01:01:50] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
[01:01:50] Info: Application 'procmail' not found.
[01:01:50] Checking version of ProFTPd [ Skipped ]
[01:01:50] Info: Unable to obtain version number for 'proftpd': version option gives: ProFTPD Version 1.3.2e
[01:01:50] Checking version of OpenSSH [ Warning ]
[01:01:51] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
[01:01:51] Info: Applications checked: 6 out of 9
[01:01:51]
[01:01:51] System checks summary
[01:01:51] =====================
[01:01:51]
[01:01:51] File properties checks...
[01:01:51] Required commands check failed
[01:01:51] Files checked: 119
[01:01:51] Suspect files: 0
[01:01:51]
[01:01:51] Rootkit checks...
[01:01:51] Rootkits checked : 112
[01:01:51] Possible rootkits: 0
[01:01:51]
[01:01:51] Applications checks...
[01:01:51] Applications checked: 6
[01:01:51] Suspect applications: 5
[01:01:51]
[01:01:51] The system checks took: 1 minute and 10 seconds

And from what I can understand, it's saying there are 5 suspicious programs on the server that are out-dated..

So I logged in via PuTTY as the root user and typed:
apt-get update
apt-get upgrade

But it said there were no packages that needed updating..

What could be the reason I'm receiving such an email?
It contradicts itself..

Regards,
Mads Jürgensen.

Comments (1)

#1 Submitted by jospan on 24 May 2010 at 23:35

Re: Debian Lenny 5 rkhunter log

Try checking the FAQ here:

http://rkhunter.cvs.sourceforge.net/viewvc/*checkout*/rkhunter/rkhunter…

Section 3.2 could be an explanation that lets you breathe a sigh of relief (but you should investigate the 'incident' as thoroughly as you can):

-- QUOTE BEGIN ------
3.2) Rootkit Hunter tells me that I have an out-of-date or unsecure
application installed. But I have fully patched my server!
How is this possible?

A. Some distributions, for example Red Hat and OpenBSD, do patch
old versions of software. However, Rootkit Hunter thinks it is
an old version, and so sees it as being unsecure.

It is possible to whitelist specific applications, or specific
versions of an application. The configuration file contains more
details about this.

If you wish you can skip the application version check completely
by adding the 'apps' test name to the DISABLE_TESTS option in your
rkhunter configuration file.
-- QUOTE END ------
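To make the FAQ advice concrete against the log in the original post: the five "suspect applications" in the summary are exactly the five 'apps' version warnings, while the SSH configuration mismatch and the hidden-directory findings come from other tests and are not explained by the distribution-backport issue the FAQ describes. The script below is an added example, not code from the post, the commenter or the rkhunter project. It parses the log lines copied from the post, groups warnings by rkhunter test name, and builds an APP_WHITELIST line in the "name:version" form the default rkhunter.conf documents; the option names used (APP_WHITELIST, and ALLOW_SSH_ROOT_USER as it appears in the log) are real rkhunter.conf options, but confirm the exact syntax against the rkhunter.conf shipped with your own version.

```python
"""Triage an rkhunter log: group warnings by test and separate the
version-based 'apps' warnings from the rest.

Added example; not code from the original post or from rkhunter itself.
"""
import re
from collections import defaultdict

# Lines copied from the log excerpt in the post above (a subset is enough).
SAMPLE_LOG = """\
[01:01:47] Info: Starting test name 'system_configs'
[01:01:48] Checking if SSH root access is allowed [ Warning ]
[01:01:48] Warning: The SSH and rkhunter configuration options should be the same:
[01:01:48] SSH configuration option 'PermitRootLogin': yes
[01:01:48] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[01:01:48] Info: Starting test name 'filesystem'
[01:01:49] Warning: Suspicious file types found in /dev:
[01:01:49] /dev/shm/network/ifstate: ASCII text
[01:01:49] Warning: Hidden directory found: /etc/.java
[01:01:49] Warning: Hidden directory found: /dev/.udev
[01:01:49] Warning: Hidden directory found: /dev/.initramfs
[01:01:49] Info: Starting test name 'apps'
[01:01:50] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[01:01:50] Warning: Application 'named', version '9.5.1', is out of date, and possibly a security risk.
[01:01:50] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[01:01:50] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
[01:01:51] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
"""

LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*(.*)$")
TEST_RE = re.compile(r"Info: Starting test name '([^']+)'")
VERSION_RE = re.compile(r"Application '([^']+)', version '([^']+)', is out of date")


def parse_rkhunter_log(text):
    """Map each rkhunter test name to the list of warning messages it produced.

    Only the line carrying the 'Warning:' prefix is collected; the detail
    lines that follow a warning (e.g. the SSH option values) are not.
    """
    warnings = defaultdict(list)
    current_test = "unknown"
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        t = TEST_RE.search(msg)
        if t:
            current_test = t.group(1)
            continue
        if msg.startswith("Warning:"):
            warnings[current_test].append(msg[len("Warning:"):].strip())
    return dict(warnings)


def outdated_apps(warnings):
    """Return {application: version} for every 'out of date' warning in the apps test."""
    found = {}
    for msg in warnings.get("apps", []):
        m = VERSION_RE.search(msg)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def triage(warnings):
    """Count warnings by kind so the version-only ones can be judged separately."""
    counts = defaultdict(int)
    for test, msgs in warnings.items():
        for msg in msgs:
            if test == "apps" and VERSION_RE.search(msg):
                counts["outdated_version"] += 1
            elif "configuration options should be the same" in msg:
                counts["config_mismatch"] += 1
            elif msg.startswith("Hidden directory found") or msg.startswith("Hidden file found"):
                counts["hidden_path"] += 1
            elif msg.startswith("Suspicious file types found in /dev"):
                counts["dev_file"] += 1
            else:
                counts["other"] += 1
    return dict(counts)


def whitelist_line(apps):
    """Build an APP_WHITELIST line for rkhunter.conf in the 'name:version' form
    the default configuration file documents. Only whitelist versions you have
    confirmed (e.g. with 'apt-cache policy <package>') are the distribution's
    patched builds, which is the situation the FAQ entry quoted above describes.
    """
    entries = " ".join(f"{name}:{ver}" for name, ver in sorted(apps.items()))
    return f'APP_WHITELIST="{entries}"'


if __name__ == "__main__":
    w = parse_rkhunter_log(SAMPLE_LOG)
    print(triage(w))
    print(whitelist_line(outdated_apps(w)))
```

Run against the post's excerpt it reports five outdated_version warnings, one config_mismatch, three hidden_path and one dev_file. The version warnings are the ones the FAQ addresses; the PermitRootLogin/ALLOW_SSH_ROOT_USER mismatch is a policy decision (either set PermitRootLogin to no in sshd_config or set ALLOW_SSH_ROOT_USER to match), and the hidden /dev/.udev and /dev/.initramfs directories are normal on Debian Lenny but should still be checked by hand before being whitelisted with ALLOWHIDDENDIR.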
© 2025 Linuxin and the respective writers