error from RkHunter and ChkRootKit [message #12718] | Tue, 08 May 2007 02:40
Markus Hardiyanto, Junior Member (Messages: 27, Registered: April 2007)
I installed RkHunter and ChkRootKit inside a VE. The VE is using a CentOS 4.4 minimal installation. I downloaded the CentOS image from the list on the OpenVZ Wiki. Here is the error that I got:
 
 from RkHunter:
 
 Performing 'known good' check...
 /bin/kill  [ BAD ]
 /sbin/insmod  [ BAD ]
 /sbin/lsmod  [ BAD ]
 /sbin/modprobe  [ BAD ]
 /usr/bin/file  [ BAD ]
--------------------------------------------------------------------------------
 Rootkit Hunter has found some bad or unknown hashes. This can happen due to replaced
 binaries or updated packages (which give other hashes). Be sure your hashes are
 up-to-date (rkhunter --update). If you're in doubt about these hashes, contact
 us through the Rootkit Hunter mailinglist at rkhunter-users@lists.sourceforge.net.
--------------------------------------------------------------------------------
 
Are these false positives?
 
 
 from ChkRootKit:
 Checking `lkm'... You have    74 process hidden for readdir command
 chkproc: Warning: Possible LKM Trojan installed
 
 
Note that this VPS is a fresh install; how come there are several errors above?
 
 
 
 
 Best Regards,
 Markus
Re: error from RkHunter and ChkRootKit [message #12756 is a reply to message #12718] | Wed, 09 May 2007 02:20
Markus Hardiyanto, Junior Member (Messages: 27, Registered: April 2007)
I tried to force-install the util-linux rpm; the installation succeeded. Then I ran rkhunter again, but still get the same error on these files:
 > /bin/kill  [ BAD ]
 > /sbin/insmod  [ BAD ]
 > /sbin/lsmod  [ BAD ]
 > /sbin/modprobe  [ BAD ]
 > /usr/bin/file  [ BAD ]
 
Does rpm -ivh --force overwrite the current installation files on the server?
 
I do this inside the VE.
 
 Best Regards,
 Markus
 
 ----- Original Message ----
 From: Daniel Pittman <daniel@rimspace.net>
 To: users@openvz.org
 Sent: Tuesday, May 8, 2007 7:12:37 PM
 Subject: Re: [Users] error from RkHunter and ChkRootKit
 
 Markus Hardiyanto <informatics2k1@yahoo.com> writes:
 
 > I install RkHunter and ChkRootKit inside VE. the VE is using Centos
 > 4.4 minimal installation. i download the Centos image from the list on
 > OpenVZ Wiki.  here is the error that i got:
 >
 > from RkHunter:
 >
 > Performing 'known good' check...
 > /bin/kill  [ BAD ]
 > /sbin/insmod  [ BAD ]
 > /sbin/lsmod  [ BAD ]
 > /sbin/modprobe  [ BAD ]
 > /usr/bin/file  [ BAD ]
 
 [...]
 
 > is this false positives??
 
 Yes and no -- those are modified from the standard packages you would
 have in a normal system, but the modification is to be expected with
 OpenVZ.  Er, except maybe the /usr/bin/file binary...
 
 > from ChkRootKit:
 > Checking `lkm'... You have    74 process hidden for readdir command
 > chkproc: Warning: Possible LKM Trojan installed
 
 Again, probably expected: the proc file system within the VE isn't
 identical to a physical system.
 
 Daniel
 --
 Digital Infrastructure Solutions -- making IT simple, stable and secure
 Phone: 0401 155 707        email: contact@digital-infrastructure.com.au
 http://digital-infrastructure.com.au/
Re: error from RkHunter and ChkRootKit [message #12776 is a reply to message #12756] | Wed, 09 May 2007 08:56
Vasily Tarasov, Senior Member (Messages: 1345, Registered: January 2006)
Hello,
Actually, all the binaries (of user-space applications) that exist in a VE
are the same ones that are used in the corresponding distribution. So RkHunter
should not complain about bad hashes. I see two possible reasons for this
problem:

1. RkHunter stores a database of hashes of "important" binaries
per-distribution. So probably it doesn't understand what distribution
is installed in the VE and uses the wrong hashes.

2. The hashes are out of date.


As for ChkRootKit and /proc in a VE: /proc in a VE differs quite a lot
from /proc on the HN. But AFAIK ChkRootKit checks that the number of
processes is the same in /proc and in `ps` output... So it should not
alarm. So I ask you to investigate _why_ it alarms. Please find
out the initial reason why ChkRootKit considers your VE to have an
LKM Trojan.

BTW, you need not bother about an LKM Trojan in a VE: a VE isn't allowed to load
kernel modules ;)
 
 Vasily
 
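One way to follow up Vasily's request and see what chkproc actually disagrees about, as an added example that is not the thread's, chkrootkit's or OpenVZ's own code: it compares the readdir view of /proc, a kill(pid, 0) probe over the PID range and `ps` output, and re-reads /proc after the probe so that short-lived processes are not counted as hidden. MAX_PID, the function names and the PID sets in the test are assumptions.

```python
# chkproc-style hidden-process check for an OpenVZ VE (constructed example).
# Three views of the process table are compared: readdir() of /proc, probing
# every PID with kill(pid, 0), and `ps -e`.  A PID counts as hidden from readdir
# only if it is alive during the probe and absent from /proc both before and
# after the probe, so short-lived processes do not raise a false alarm.
import os
import subprocess
MAX_PID = 32768  # assumption; on a real host read /proc/sys/kernel/pid_max

def proc_readdir_pids():
    # What `ls /proc` shows; inside a VE this lists only the VE's processes.
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probe_pids(max_pid=MAX_PID):
    # kill(pid, 0) delivers no signal; EPERM still proves the process exists.
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            alive.add(pid)
    return alive

def ps_pids():
    # procps' view of the process table; empty set if ps is unavailable.
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=False).stdout
    except OSError:
        return set()
    return {int(tok) for tok in out.split() if tok.isdigit()}

def compare_views(readdir_before, probed, ps, readdir_after):
    # Pure comparison so the logic can be checked on constructed PID sets.
    return {
        "hidden_from_readdir": probed - readdir_before - readdir_after,
        "in_proc_not_ps": readdir_before - ps,
        "in_ps_not_proc": ps - readdir_before,
    }

def run_check():
    # Live run; returns {} where there is no /proc (non-Linux).
    if not os.path.isdir("/proc"):
        return {}
    before = proc_readdir_pids()
    probed = probe_pids()
    ps = ps_pids()
    after = proc_readdir_pids()
    return compare_views(before, probed, ps, after)
```

A stable, non-empty `hidden_from_readdir` across several runs is what would merit a closer look; a non-empty `in_ps_not_proc` or `in_proc_not_ps` that changes between runs is just process churn.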