error from RkHunter and ChkRootKit [message #12718]
Tue, 08 May 2007 02:40
Markus Hardiyanto
Messages: 27 Registered: April 2007
Junior Member
I installed RkHunter and ChkRootKit inside a VE. The VE is using a CentOS 4.4 minimal installation; I downloaded the CentOS image from the list on the OpenVZ Wiki.
Here is the error that I got:
From RkHunter:
Performing 'known good' check...
/bin/kill [ BAD ]
/sbin/insmod [ BAD ]
/sbin/lsmod [ BAD ]
/sbin/modprobe [ BAD ]
/usr/bin/file [ BAD ]
--------------------------------------------------------------------------------
Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
--------------------------------------------------------------------------------
Are these false positives?
From ChkRootKit:
Checking `lkm'... You have 74 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Note that this VPS is a fresh install; how come there are several errors above?
Best Regards,
Markus
Re: error from RkHunter and ChkRootKit [message #12756 is a reply to message #12718]
Wed, 09 May 2007 02:20
Markus Hardiyanto
Messages: 27 Registered: April 2007
Junior Member
I tried to force-install the util-linux rpm; the installation succeeded. Then I ran rkhunter again, but I still get the same error on these files:
> /bin/kill [ BAD ]
> /sbin/insmod [ BAD ]
> /sbin/lsmod [ BAD ]
> /sbin/modprobe [ BAD ]
> /usr/bin/file [ BAD ]
Does `rpm -ivh --force` overwrite the current installation files on the server?
I did this inside the VE.
Best Regards,
Markus
----- Original Message ----
From: Daniel Pittman <daniel@rimspace.net>
To: users@openvz.org
Sent: Tuesday, May 8, 2007 7:12:37 PM
Subject: Re: [Users] error from RkHunter and ChkRootKit
Markus Hardiyanto <informatics2k1@yahoo.com> writes:
> I install RkHunter and ChkRootKit inside VE. the VE is using Centos
> 4.4 minimal installation. i download the Centos image from the list on
> OpenVZ Wiki. here is the error that i got:
>
> from RkHunter:
>
> Performing 'known good' check...
> /bin/kill [ BAD ]
> /sbin/insmod [ BAD ]
> /sbin/lsmod [ BAD ]
> /sbin/modprobe [ BAD ]
> /usr/bin/file [ BAD ]
[...]
> is this false positives??
Yes and no -- those are modified from the standard packages you would
have in a normal system, but the modification is to be expected with
OpenVZ. Er, except maybe the /usr/bin/file binary...
> from ChkRootKit:
> Checking `lkm'... You have 74 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
Again, probably expected: the proc file system within the VE isn't
identical to a physical system.
Daniel
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact@digital-infrastructure.com.au
http://digital-infrastructure.com.au/
Re: error from RkHunter and ChkRootKit [message #12776 is a reply to message #12756]
Wed, 09 May 2007 08:56
Vasily Tarasov
Messages: 1345 Registered: January 2006
Senior Member
Hello,
Actually, all the binaries (of user-space applications) that exist in a VE
are the same as those used in the corresponding distribution. So RkHunter
should not complain about bad hashes. I see two possible reasons for this
problem:
1. RkHunter stores a database of hashes of "important" binaries
per distribution. So it probably doesn't understand what distribution
is installed in the VE and uses the wrong hashes.
2. The hashes are out of date.
As concerns ChkRootKit and /proc in a VE: /proc in a VE differs quite a lot
from /proc on the HN. But AFAIK ChkRootKit checks that the number of
processes is the same in /proc and in `ps` output... So it should not
alarm. So I ask you to investigate _why_ it alarms. Please find
out the initial reason why ChkRootKit considers your VE to have an
LKM Trojan.
BTW, you need not bother about an LKM Trojan in a VE: a VE isn't allowed to load
kernel modules ;)
Vasily
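Two checks that follow up on this thread, added here as an example and not code from any of the posters or from the rkhunter or chkrootkit projects: a reduced form of the comparison Vasily describes (process ids visible as /proc/&lt;pid&gt; directories versus those reported by `ps`, so the "hidden" processes behind chkproc's count can be listed by id and inspected), and a parser for `rpm -V` flag strings so that a BAD hash from rkhunter can be cross-checked against the RPM database with `rpm -Vf <path>`. The function names, the `--live` switch, and the sample PID lists and `rpm -V` lines are constructed for this example; `rpm -Vf` and `ps -eo pid=` are the real tools' options.

```sh
#!/bin/sh
# Added example for the rkhunter/chkrootkit thread above; not code from the
# posters or from either project. Function names and sample data are constructed.

# --- Check 1: which PIDs does /proc show that `ps` does not? -----------------
# A reduced form of the /proc-versus-ps comparison described in the thread. It
# works on two whitespace-separated PID lists so it can also run on recorded data.

list_proc_pids() {
    # Every numeric directory under /proc is a process id.
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d#/proc/}"
    done
}

list_ps_pids() {
    # `pid=` suppresses the header; strip the padding ps adds.
    ps -eo pid= | tr -d ' '
}

# hidden_pids "<proc pids>" "<ps pids>": print PIDs present in the first list
# but absent from the second, one per line. Empty output means nothing is hidden.
hidden_pids() {
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# count_hidden: the number chkproc would report as "You have N process hidden".
count_hidden() {
    hidden_pids "$1" "$2" | wc -l | tr -d ' '
}

# --- Check 2: does the RPM database agree that the binary changed? -----------
# `rpm -Vf <file>` prints nothing when the file matches its package; otherwise
# a flag string such as "S.5....T." whose third column is '5' when the digest
# differs. An mtime-only change ("......T.") is not a content change.

verify_file() {
    rpm -Vf "$1" 2>&1
}

# digest_changed "<one rpm -V output line>": true when the digest flag is set.
digest_changed() {
    flags=${1%% *}              # first field is the flag string (or "missing")
    case "$flags" in
        ??5*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample data standing in for a recording of the thread's situation.
SAMPLE_PROC_PIDS="1 2 3 100 101 102"
SAMPLE_PS_PIDS="1 2 3 101"
SAMPLE_RPMV_BAD="S.5....T.    /bin/kill"
SAMPLE_RPMV_MTIME="......T.     /bin/kill"

# Live run inside the VE (needs rpm):  sh check_ve.sh --live
if [ "${1:-}" = "--live" ]; then
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; exit 1; }
    proc=$(list_proc_pids)
    ps_list=$(list_ps_pids)
    echo "PIDs in /proc but not in ps: $(count_hidden "$proc" "$ps_list")"
    hidden_pids "$proc" "$ps_list" | while read -r pid; do
        # Show what each "hidden" pid actually is before calling it a rootkit.
        printf '  %s: %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
    for f in /bin/kill /sbin/insmod /sbin/lsmod /sbin/modprobe /usr/bin/file; do
        out=$(verify_file "$f")
        if [ -z "$out" ]; then
            echo "$f: matches its RPM package"
        elif digest_changed "$out"; then
            echo "$f: digest differs from the RPM database -> $out"
        else
            echo "$f: rpm -V reports non-content differences -> $out"
        fi
    done
fi
```

A binary that rkhunter flags BAD but that `rpm -Vf` reports as matching its package points at check 1 of Vasily's reasons (rkhunter's hash set, not the file); a digest mismatch in the RPM database is what would warrant a closer look. For the chkproc warning, listing the "hidden" PIDs with their command lines shows whether they are ordinary VE processes that `ps` and /proc simply disagree about.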