51 "suspect" files....now what?? [rkhunter] <SOLVED>

Glockdoc
Level 2
Posts: 96
Joined: Tue May 09, 2017 5:42 am


Post by Glockdoc »

Howdy!

My system has been doing some stuff that is out of the norm. I know viruses are generally not an issue with Linux. I ran RKHunter and got all sorts of warnings. The log is below. Unfortunately, I am not anywhere near savvy enough to understand if I have anything to be concerned with or if the warnings are just clutter. My log is below. It was too big for a single post, so I deleted most of the stuff that came back "ok".

Thanks in advance for looking at it for me! JC

Code:

[03:31:16] Running Rootkit Hunter version 1.4.2 on Glockdoc
[03:31:16]
[03:31:16] Info: Start date is Sat Dec  8 03:31:16 PST 2018
[03:31:16]
[03:31:16] Checking configuration file and command-line options...
[03:31:16] Info: Detected operating system is 'Linux'
[03:31:16] Info: Found O/S name: Linux Mint 18.2 Sonya
[03:31:16] Info: Command line is /usr/bin/rkhunter -c
[03:31:16] Info: Environment shell is /bin/bash; rkhunter is using dash
[03:31:16] Info: Using configuration file '/etc/rkhunter.conf'
[03:31:16] Info: Installation directory is '/usr'
[03:31:16] Info: Using language 'en'
[03:31:16] Info: Using '/var/lib/rkhunter/db' as the database directory
[03:31:16] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[03:31:16] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin' as the command directories
[03:31:16] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[03:31:16] Info: No mail-on-warning address configured
[03:31:16] Info: X will be automatically detected
[03:31:16] Info: Using second color set
[03:31:16]
[03:31:16] Checking if the O/S has changed since last time...
[03:31:16] Warning: The O/S name or version has changed since the last run:
[03:31:16]          Old O/S value: Linux Mint 18.2 Sonya    New value: Linux Mint 18.3 Sylvia
[03:31:16]          Because of the change(s) the file properties checks may give some false-positive results.
[03:31:16]          You may need to re-run rkhunter with the '--propupd' option.
[03:31:16]
[03:31:16] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a
           reliable source. The rkhunter '--check' option will compare the current file properties
           against previously stored values, and report if any values differ. However, rkhunter
           cannot determine what has caused the change, that is for the user to do.
[03:31:16] Info: Locking is not being used
[03:31:16]
[03:31:16] Starting system checks...
[03:31:16]
[03:31:16] Info: Starting test name 'system_commands'
[03:31:16] Checking system commands...
[03:31:16]
[03:31:16] Info: Starting test name 'strings'
[03:31:16] Performing 'strings' command checks

[03:31:18]
[03:31:18] Info: Starting test name 'properties'
[03:31:18] Performing file properties checks
[03:31:18] Warning: Checking for prerequisites               [ Warning ]
[03:31:18]          The local host configuration or operating system has changed.
[03:31:21]   /usr/sbin/adduser                               [ OK ]
[03:31:21] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[03:31:23]   /usr/bin/curl                                   [ Warning ]
[03:31:23] Warning: The file properties have changed:
[03:31:23]          File: /usr/bin/curl
[03:31:23]          Current hash: a54ffa64789bea78248a39d55c2018edc4b7732e0959125a15882f76e087a26e
[03:31:23]          Stored hash : 653b3b3155f60e2ba92405929b8d04355eddf44efc0d3c19484d012c76208ac6
[03:31:23]          Current inode: 8782647    Stored inode: 8788262
[03:31:23]          Current file modification time: 1540828870 (29-Oct-2018 09:01:10)
[03:31:23]          Stored file modification time : 1508281721 (17-Oct-2017 16:08:41)
[03:31:23]   /usr/bin/cut                                    [ OK ]
[03:31:23]   /usr/bin/diff                                   [ OK ]
[03:31:23]   /usr/bin/dirname                                [ OK ]
[03:31:23]   /usr/bin/dpkg                                   [ Warning ]
[03:31:23] Warning: The file properties have changed:
[03:31:23]          File: /usr/bin/dpkg
[03:31:23]          Current hash: 622aa33f11ac45b306638d28beca49e0af6de16bcb83dc0835ab3c34b5e4f914
[03:31:23]          Stored hash : 7fd595dc87ed17bb8c2c8a0ec8ce514c97c23601e45f68f8edcf24f491076766
[03:31:23]          Current inode: 8786766    Stored inode: 8781920
[03:31:23]          Current file modification time: 1539815671 (17-Oct-2018 15:34:31)
[03:31:23]          Stored file modification time : 1491821886 (10-Apr-2017 03:58:06)
[03:31:23]   /usr/bin/dpkg-query                             [ Warning ]
[03:31:23] Warning: The file properties have changed:
[03:31:23]          File: /usr/bin/dpkg-query
[03:31:23]          Current hash: a3e07f254e743551fd1f26c53028e3d92b390b2ea24ac198638dc071584ee14c
[03:31:23]          Stored hash : c19804b0bf7b6d8433376a33b969fc97118359d12a6ebffd3f11b61e7ca0f77e
[03:31:24]          Current inode: 8786774    Stored inode: 8782028
[03:31:24]          Current file modification time: 1539815671 (17-Oct-2018 15:34:31)
[03:31:24]          Stored file modification time : 1491821886 (10-Apr-2017 03:58:06)
[03:31:24]   /usr/bin/du                                     [ OK ]
[03:31:24]   /usr/bin/env                                    [ OK ]
[03:31:24]   /usr/bin/file                                   [ Warning ]
[03:31:24] Warning: The file properties have changed:
[03:31:24]          File: /usr/bin/file
[03:31:24]          Current hash: 3432faffd8a0ae7fe367e937204e71f25e93f4d2198834e371583a51ebeccc33
[03:31:24]          Stored hash : 1cac36f1032dde7b54edcbc6afbfa8ed8be0c0dfcb2d3dd4d2f09c828d0ab70b
[03:31:24]          Current inode: 8783480    Stored inode: 8782218
[03:31:24]          Current file modification time: 1528911846 (13-Jun-2018 10:44:06)
[03:31:24]          Stored file modification time : 1448028742 (20-Nov-2015 06:12:22)
[03:31:24]   /usr/bin/find                                   [ OK ]
[03:31:24]   /usr/bin/GET                                    [ OK ]
[03:31:24]   /usr/bin/groups                                 [ OK ]
[03:31:24]   /usr/bin/head                                   [ OK ]
[03:31:24]   /usr/bin/id                                     [ OK ]
[03:31:24]   /usr/bin/killall                                [ OK ]
[03:31:24]   /usr/bin/last                                   [ Warning ]
[03:31:24] Warning: The file properties have changed:
[03:31:24]          File: /usr/bin/last
[03:31:24]          Current hash: 676f70395de562b7ffd93c834adb5a908d45e3b195983d124b34ea0b3ad3641f
[03:31:24]          Stored hash : 3e109545627853c991d953d8326276ccd2fea1de45db67eb6ef5cce29472b4a2
[03:31:24]          Current inode: 8807051    Stored inode: 8782026
[03:31:24]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:24]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:25]   /usr/bin/lastlog                                [ OK ]
[03:31:25]   /usr/bin/ldd                                    [ Warning ]
[03:31:25] Warning: The file properties have changed:
[03:31:25]          File: /usr/bin/ldd
[03:31:25]          Current hash: a50b7f4e802b8d63b8ee12413f4bb6ca0d74d402b8ad88b107b753b85ff95e83
[03:31:25]          Stored hash : a7e79130910f5627d63f42d19144dc1fd8f0b9aa506364e1ab4be96b433c6ed8
[03:31:25]          Current inode: 8798446    Stored inode: 8782639
[03:31:25]          Current size: 5421    Stored size: 5420
[03:31:25]          Current file modification time: 1515984553 (14-Jan-2018 18:49:13)
[03:31:25]          Stored file modification time : 1497646344 (16-Jun-2017 13:52:24)
[03:31:25] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[03:31:25]   /usr/bin/less                                   [ OK ]
[03:31:25]   /usr/bin/locate                                 [ OK ]
[03:31:25]   /usr/bin/logger                                 [ Warning ]
[03:31:25] Warning: The file properties have changed:
[03:31:25]          File: /usr/bin/logger
[03:31:25]          Current hash: 9c92cb5a9c7b17314a7861507f1ab532b7ef31896233a3778971e841e671d9ab
[03:31:25]          Stored hash : 16e74a6b58777216955296588740f012b91fe31d791e795ec867659790e2102b
[03:31:25]          Current inode: 8791003    Stored inode: 8782009
[03:31:25]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:25]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:25]   /usr/bin/lsattr                                 [ OK ]
[03:31:25]   /usr/bin/lsof                                   [ OK ]
[03:31:25]   /usr/bin/mail                                   [ Warning ]
[03:31:25] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the 'rkhunter.dat' file.
[03:31:25]   /usr/bin/md5sum                                 [ OK ]
[03:31:25]   /usr/bin/mlocate                                [ OK ]
[03:31:25]   /usr/bin/newgrp                                 [ OK ]
[03:31:26]   /usr/bin/passwd                                 [ OK ]
[03:31:26]   /usr/bin/perl                                   [ Warning ]
[03:31:26] Warning: The file properties have changed:
[03:31:26]          File: /usr/bin/perl
[03:31:26]          Current hash: 44b213b54841c16b7f1b74f654b0e8536ba9337c40585d3f088e28427e9982b4
[03:31:26]          Stored hash : 6ba5dac49dd1fbd03b117af828f74eada0c34ecf24414f3b445cf362936958f1
[03:31:26]          Current inode: 8782026    Stored inode: 8782985
[03:31:26]          Current size: 1911288    Stored size: 1907192
[03:31:26]          Current file modification time: 1542652175 (19-Nov-2018 10:29:35)
[03:31:26]          Stored file modification time : 1457870058 (13-Mar-2016 04:54:18)
[03:31:26]   /usr/bin/pgrep                                  [ Warning ]
[03:31:26] Warning: The file properties have changed:
[03:31:26]          File: /usr/bin/pgrep
[03:31:26]          Current hash: de78031dff36518e83d9262aadc5e398ba1f99a4c6bd1763f342bd00f44418d0
[03:31:26]          Stored hash : 0644a86a9ca270df65c18e00bad47e0c4ca9636072f183821b02e182783afef3
[03:31:26]          Current inode: 8792659    Stored inode: 8782807
[03:31:26]          Current size: 27264    Stored size: 27280
[03:31:26]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:26]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:26]   /usr/bin/pkill                                  [ Warning ]
[03:31:26] Warning: The file properties have changed:
[03:31:26]          File: /usr/bin/pkill
[03:31:26]          Current hash: de78031dff36518e83d9262aadc5e398ba1f99a4c6bd1763f342bd00f44418d0
[03:31:26]          Stored hash : 0644a86a9ca270df65c18e00bad47e0c4ca9636072f183821b02e182783afef3
[03:31:26]          Current inode: 8792669    Stored inode: 8787964
[03:31:26]          Current file modification time: 1526301770 (14-May-2018 05:42:50)
[03:31:26]          Stored file modification time : 1479750909 (21-Nov-2016 09:55:09)
[03:31:26]   /usr/bin/pstree                                 [ OK ]
[03:31:26]   /usr/bin/rkhunter                               [ OK ]
[03:31:26]   /usr/bin/rpm                                    [ Warning ]
[03:31:26] Warning: The file '/usr/bin/rpm' exists on the system, but it is not present in the 'rkhunter.dat' file.
[03:31:26]   /usr/bin/runcon                                 [ OK ]
[03:31:27]   /usr/bin/sha1sum                                [ OK ]
[03:31:27]   /usr/bin/sha224sum                              [ OK ]
[03:31:27]   /usr/bin/sha256sum                              [ OK ]
[03:31:27]   /usr/bin/sha384sum                              [ OK ]
[03:31:27]   /usr/bin/sha512sum                              [ OK ]
[03:31:27]   /usr/bin/size                                   [ Warning ]
[03:31:27] Warning: The file properties have changed:
[03:31:27]          File: /usr/bin/size
[03:31:27]          Current hash: fc5732de8da1e3678bb9955eed867b908dcb74d3d95b3fa7474774beb68ca3e6
[03:31:27]          Stored hash : ffd8ab41e6eb408a677a2c19bf764f87b7ad79869daf34fdab50c98dd6b96df0
[03:31:27]          Current inode: 8816239    Stored inode: 8785805
[03:31:27]          Current file modification time: 1535636344 (30-Aug-2018 06:39:04)
[03:31:27]          Stored file modification time : 1503325454 (21-Aug-2017 07:24:14)
[03:31:27]   /usr/bin/sort                                   [ OK ]
[03:31:27]   /usr/bin/ssh                                    [ Warning ]
[03:31:27] Warning: The file properties have changed:
[03:31:27]          File: /usr/bin/ssh
[03:31:27]          Current hash: 8f21276872dd7b5edd2b86d2ff32e9974e2c92d39ebdf8240a36502b7d7a020f
[03:31:27]          Stored hash : 9e2597b132b7b9bb148b8107366dea067e11cc936c0e6161d9be87dc8c80be0e
[03:31:27]          Current inode: 8787145    Stored inode: 8788946
[03:31:27]          Current file modification time: 1541417174 (05-Nov-2018 03:26:14)
[03:31:27]          Stored file modification time : 1489673087 (16-Mar-2017 07:04:47)
[03:31:27]   /usr/bin/stat                                   [ OK ]
[03:31:27]   /usr/bin/strace                                 [ OK ]
[03:31:27]   /usr/bin/strings                                [ Warning ]
[03:31:27] Warning: The file properties have changed:
[03:31:27]          File: /usr/bin/strings
[03:31:27]          Current hash: 34e48f212678ee01f4d8ebcbe1060a2d79f0fe83281db57d259589f736afdd5a
[03:31:27]          Stored hash : c26d611e50cad9e1c62c95caeec76488507606a8a9d1f609e3cabe98e9db172f
[03:31:27]          Current inode: 8816259    Stored inode: 8785793
[03:31:27]          Current file modification time: 1535636344 (30-Aug-2018 06:39:04)
[03:31:27]          Stored file modification time : 1503325454 (21-Aug-2017 07:24:14)
[03:31:28]   /usr/bin/sudo                                   [ OK ]
[03:31:28]   /usr/bin/tail                                   [ OK ]
[03:31:28]   /usr/bin/telnet                                 [ OK ]
[03:31:28]   /usr/bin/test                                   [ OK ]
[03:31:28]   /usr/bin/top                                    [ Warning ]
[03:31:28] Warning: The file properties have changed:
[03:31:28]          File: /usr/bin/top
[03:31:28]          Current hash: d33b51d8927aed9d6e378d176f253274a13ef9cdd633d03e0907e5463c73ce1b
[03:31:28]          Stored hash : bbe58393a2b87031192ece56b7b65b38ab743fb604789dba3dbdfc4fe6a4991b
[03:31:28]          Current inode: 8792666    Stored inode: 8782535
[03:31:28]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:28]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:28]   /usr/bin/touch                                  [ OK ]
[03:31:28]   /usr/bin/tr                                     [ OK ]
[03:31:28]   /usr/bin/uniq                                   [ OK ]
[03:31:28]   /usr/bin/users                                  [ OK ]
[03:31:28]   /usr/bin/vmstat                                 [ Warning ]
[03:31:28] Warning: The file properties have changed:
[03:31:28]          File: /usr/bin/vmstat
[03:31:28]          Current hash: 4e6601f0e3bc918b904e2ef5b68d9579864bca555f1e3d3568bc6894bd06374a
[03:31:28]          Stored hash : df70c59f1c1e225511743ebb590c3b429c5c790d592d679910983d47db6eff10
[03:31:28]          Current inode: 8792664    Stored inode: 8782047
[03:31:28]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:28]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:28]   /usr/bin/w                                      [ Warning ]
[03:31:28] Warning: The file properties have changed:
[03:31:28]          File: /usr/bin/w
[03:31:28]          Current hash: a92d70f69149aca7c6e4657d0256d4b9e50dea63bbad13504756681237179a9a
[03:31:28]          Stored hash : a6901a6d361fb63cbfd7d22711b5a793c496b556f97c0d6b501177ffbdba2e6a
[03:31:29]   /usr/bin/watch                                  [ Warning ]
[03:31:29] Warning: The file properties have changed:
[03:31:29]          File: /usr/bin/watch
[03:31:29]          Current hash: aaac8cf9e7b24257bccc41f5d0461e2cbe86c7ac2d1194b7583c2f742a43537d
[03:31:29]          Stored hash : 52678d945a2e08d039b3d11f381e241c7c2373d263b0f14b0de06145050032d0
[03:31:29]          Current inode: 8792660    Stored inode: 8782505
[03:31:29]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:29]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:29]   /usr/bin/wc                                     [ OK ]
[03:31:29]   /usr/bin/wget                                   [ Warning ]
[03:31:29] Warning: The file properties have changed:
[03:31:29]          File: /usr/bin/wget
[03:31:29]          Current hash: 3da1cf5c040bff73a9335d990b99cc5462486c065a5f1148f4c235b31b399046
[03:31:29]          Stored hash : 4b60d3dfaa3363ffd5ff7357c843948c74f01b1b9ff82c35abdb532cb3ca8beb
[03:31:29]          Current inode: 8782639    Stored inode: 8783397
[03:31:29]          Current file modification time: 1525806424 (08-May-2018 12:07:04)
[03:31:29]          Stored file modification time : 1508843803 (24-Oct-2017 04:16:43)
[03:31:29]   /usr/bin/whatis                                 [ OK ]
[03:31:29]   /usr/bin/whereis                                [ Warning ]
[03:31:29] Warning: The file properties have changed:
[03:31:29]          File: /usr/bin/whereis
[03:31:29]          Current hash: 46ca4ef0fb003140d7bbdcfe0d4d22dc6f82034705af3191b024abe003cc1fbf
[03:31:29]          Stored hash : 029548161e191fb6e95b47298b3bce6e13d4145829da5f3d1dc471b58e420961
[03:31:29]          Current inode: 8807057    Stored inode: 8783351
[03:31:29]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:29]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:29]   /usr/bin/which                                  [ OK ]
[03:31:29]   /usr/bin/who                                    [ OK ]
[03:31:29]   /usr/bin/whoami                                 [ OK ]
[03:31:29]   /usr/bin/gawk                                   [ OK ]
[03:31:29]   /usr/bin/lwp-request                            [ Warning ]
[03:31:29] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[03:31:29]   /usr/bin/s-nail                                 [ Warning ]
[03:31:29] Warning: The file '/usr/bin/s-nail' exists on the system, but it is not present in the 'rkhunter.dat' file.
[03:31:30]   /usr/bin/x86_64-linux-gnu-size                  [ Warning ]
[03:31:30] Warning: The file properties have changed:
[03:31:30]          File: /usr/bin/x86_64-linux-gnu-size
[03:31:30]          Current hash: fc5732de8da1e3678bb9955eed867b908dcb74d3d95b3fa7474774beb68ca3e6
[03:31:30]          Stored hash : ffd8ab41e6eb408a677a2c19bf764f87b7ad79869daf34fdab50c98dd6b96df0
[03:31:30]          Current inode: 8816214    Stored inode: 8785676
[03:31:30]          Current file modification time: 1535636344 (30-Aug-2018 06:39:04)
[03:31:30]          Stored file modification time : 1503325454 (21-Aug-2017 07:24:14)
[03:31:30]   /usr/bin/x86_64-linux-gnu-strings               [ Warning ]
[03:31:30] Warning: The file properties have changed:
[03:31:30]          File: /usr/bin/x86_64-linux-gnu-strings
[03:31:30]          Current hash: 34e48f212678ee01f4d8ebcbe1060a2d79f0fe83281db57d259589f736afdd5a
[03:31:30]          Stored hash : c26d611e50cad9e1c62c95caeec76488507606a8a9d1f609e3cabe98e9db172f
[03:31:30]          Current inode: 8816221    Stored inode: 8785669
[03:31:30]          Current file modification time: 1535636344 (30-Aug-2018 06:39:04)
[03:31:30]          Stored file modification time : 1503325454 (21-Aug-2017 07:24:14)
[03:31:30]   /usr/bin/telnet.netkit                          [ OK ]
[03:31:30]   /usr/bin/w.procps                               [ Warning ]
[03:31:30] Warning: The file properties have changed:
[03:31:30]          File: /usr/bin/w.procps
[03:31:30]          Current hash: a92d70f69149aca7c6e4657d0256d4b9e50dea63bbad13504756681237179a9a
[03:31:30]          Stored hash : a6901a6d361fb63cbfd7d22711b5a793c496b556f97c0d6b501177ffbdba2e6a
[03:31:30]          Current inode: 8792662    Stored inode: 8782803
[03:31:30]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:30]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:30]   /sbin/depmod                                    [ Warning ]
[03:31:30] Warning: The file properties have changed:
[03:31:30]          File: /sbin/depmod
[03:31:30]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:30]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:30]          Current inode: 27141320    Stored inode: 27132201
[03:31:30]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:30]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:30]   /sbin/fsck                                      [ Warning ]
[03:31:30] Warning: The file properties have changed:
[03:31:30]          File: /sbin/fsck
[03:31:30]          Current hash: 88c195cce3a71eb2240bc0b2e83d0504009a4636e5b6c7b0ec08a021a6ef9beb
[03:31:30]          Stored hash : e784d6f6e3d27b26a71f3330d2ca00351a87f28f3a9f8cf67c680c62c1fdfda7
[03:31:30]          Current inode: 27140933    Stored inode: 27132220
[03:31:30]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:30]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:31]   /sbin/ifconfig                                  [ OK ]
[03:31:31]   /sbin/ifdown                                    [ Warning ]
[03:31:31] Warning: The file properties have changed:
[03:31:31]          File: /sbin/ifdown
[03:31:31]          Current hash: 24974c0d9dad9f3576c4d19f7efa4f718a64798f4d560056d7eb985000032e24
[03:31:31]          Stored hash : b093dbc0dc790d2d206ca332359b158d75538d36a8377cb217924f27f5263e70
[03:31:31]          Current inode: 27132101    Stored inode: 27131994
[03:31:31]          Current file modification time: 1525962112 (10-May-2018 07:21:52)
[03:31:31]          Stored file modification time : 1481307396 (09-Dec-2016 10:16:36)
[03:31:31]   /sbin/ifup                                      [ Warning ]
[03:31:31] Warning: The file properties have changed:
[03:31:31]          File: /sbin/ifup
[03:31:31]          Current hash: 24974c0d9dad9f3576c4d19f7efa4f718a64798f4d560056d7eb985000032e24
[03:31:31]          Stored hash : b093dbc0dc790d2d206ca332359b158d75538d36a8377cb217924f27f5263e70
[03:31:31]          Current inode: 27132072    Stored inode: 27131915
[03:31:31]          Current file modification time: 1525962113 (10-May-2018 07:21:53)
[03:31:31]          Stored file modification time : 1481307397 (09-Dec-2016 10:16:37)
[03:31:31]   /sbin/init                                      [ Warning ]
[03:31:31] Warning: The file properties have changed:
[03:31:31]          File: /sbin/init
[03:31:31]          Current hash: 48d3a5e7669948a14f3ee99364bb53bcf769ca521c1dd2bff65231a08e5e762d
[03:31:31]          Stored hash : a83cc2a548683b41dedccd47437985445ce583f8b549123f74d215f7201f5a07
[03:31:31]          Current inode: 27132201    Stored inode: 27131991
[03:31:31]          Current file modification time: 1543320259 (27-Nov-2018 04:04:19)
[03:31:31]          Stored file modification time : 1509205247 (28-Oct-2017 08:40:47)
[03:31:31]   /sbin/insmod                                    [ Warning ]
[03:31:31] Warning: The file properties have changed:
[03:31:31]          File: /sbin/insmod
[03:31:31]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:31]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:31]          Current inode: 27141283    Stored inode: 27132207
[03:31:31]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:31]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:31]   /sbin/ip                                        [ Warning ]
[03:31:31] Warning: The file properties have changed:
[03:31:31]          File: /sbin/ip
[03:31:31]          Current hash: 39693d68da9b210ef5735f3a2c3847f191a70a7853815266301de0a5eabda3f3
[03:31:31]          Stored hash : 0782fff5be871adffd11141808f8a52d8e6a3000f5730d0132b6f5f704750d00
[03:31:31]          Current inode: 27132148    Stored inode: 27132065
[03:31:31]          Current file modification time: 1541530131 (06-Nov-2018 10:48:51)
[03:31:31]          Stored file modification time : 1494001476 (05-May-2017 09:24:36)
[03:31:31]   /sbin/lsmod                                     [ Warning ]
[03:31:31] Warning: The file properties have changed:
[03:31:31]          File: /sbin/lsmod
[03:31:31]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:31]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:31]          Current inode: 27141318    Stored inode: 27132199
[03:31:32]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:32]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:32]   /sbin/modinfo                                   [ Warning ]
[03:31:32] Warning: The file properties have changed:
[03:31:32]          File: /sbin/modinfo
[03:31:32]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:32]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:32]          Current inode: 27141290    Stored inode: 27132205
[03:31:32]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:32]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:32]   /sbin/modprobe                                  [ Warning ]
[03:31:32] Warning: The file properties have changed:
[03:31:32]          File: /sbin/modprobe
[03:31:32]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:32]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:32]          Current inode: 27141322    Stored inode: 27132203
[03:31:32]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:32]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:32]   /sbin/rmmod                                     [ Warning ]
[03:31:32] Warning: The file properties have changed:
[03:31:32]          File: /sbin/rmmod
[03:31:32]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:32]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:32]          Current inode: 27141324    Stored inode: 27132017
[03:31:32]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:32]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:32]   /sbin/route                                     [ OK ]
[03:31:32]   /sbin/runlevel                                  [ Warning ]
[03:31:32] Warning: The file properties have changed:
[03:31:32]          File: /sbin/runlevel
[03:31:32]          Current hash: 191f5ea5bd8586b856e52afae6bc963216f1435123d566737bc4d0c369e6e1c7
[03:31:32]          Stored hash : 297dd233556d0286d51965b127e15d6ab1c2b7795332755f1aae0b17d03e3fa6
[03:31:32]          Current inode: 27132100    Stored inode: 27132132
[03:31:32]          Current file modification time: 1543320259 (27-Nov-2018 04:04:19)
[03:31:32]          Stored file modification time : 1509205247 (28-Oct-2017 08:40:47)
[03:31:33]   /sbin/sulogin                                   [ Warning ]
[03:31:33] Warning: The file properties have changed:
[03:31:33]          File: /sbin/sulogin
[03:31:33]          Current hash: e20ddeb02a1fc8da2365b84fb8decb17da65951ab3deaaddd43791fde0afb60e
[03:31:33]          Stored hash : 37f6637bd9c7d1527b21c325cf6c446482987f2e5e60797ee71469e28aff2c40
[03:31:33]          Current inode: 27140935    Stored inode: 27132216
[03:31:33]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:33]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:33]   /sbin/sysctl                                    [ Warning ]
[03:31:33] Warning: The file properties have changed:
[03:31:33]          File: /sbin/sysctl
[03:31:33]          Current hash: af588243565d674252a9fa175b6e6ad344adaf6c604329211d03978a751662ca
[03:31:33]          Stored hash : eef0dff3d8e36a5b8ed5a0c08301df2f1a81aab08794abf238925fc284fb6d8b
[03:31:33]          Current inode: 27131915    Stored inode: 27131986
[03:31:33]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:33]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:33]   /bin/bash                                       [ OK ]
[03:31:33]   /bin/cat                                        [ OK ]
[03:31:33]   /bin/chmod                                      [ OK ]
[03:31:33]   /bin/chown                                      [ OK ]
[03:31:33]   /bin/cp                                         [ OK ]
[03:31:33]   /bin/date                                       [ OK ]
[03:31:34]   /bin/df                                         [ OK ]
[03:31:34]   /bin/dmesg                                      [ Warning ]
[03:31:34] Warning: The file properties have changed:
[03:31:34]          File: /bin/dmesg
[03:31:34]          Current hash: 4caf339df76fa5cef3756ab752c9023169005a7623738a6578bbdd89fcf38809
[03:31:34]          Stored hash : 4f4477c81e08dbeae9ea599c270354cd02dc3cfc41a3e98e66bc3f9b4dc92939
[03:31:34]          Current inode: 16658353    Stored inode: 16646237
[03:31:34]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:34]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:34]   /bin/echo                                       [ OK ]
[03:31:34]   /bin/ed                                         [ OK ]
[03:31:34]   /bin/egrep                                      [ OK ]
[03:31:34] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[03:31:34]   /bin/fgrep                                      [ OK ]
[03:31:34] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[03:31:34]   /bin/fuser                                      [ OK ]
[03:31:34]   /bin/grep                                       [ OK ]
[03:31:34]   /bin/ip                                         [ Warning ]
[03:31:34] Warning: The file properties have changed:
[03:31:34]          File: /bin/ip
[03:31:34]          Current hash: 39693d68da9b210ef5735f3a2c3847f191a70a7853815266301de0a5eabda3f3
[03:31:34]          Stored hash : 0782fff5be871adffd11141808f8a52d8e6a3000f5730d0132b6f5f704750d00
[03:31:35]          Current inode: 16646199    Stored inode: 16646262
[03:31:35]          Current file modification time: 1541530140 (06-Nov-2018 10:49:00)
[03:31:35]          Stored file modification time : 1494001477 (05-May-2017 09:24:37)
[03:31:35]   /bin/kill                                       [ Warning ]
[03:31:35] Warning: The file properties have changed:
[03:31:35]          File: /bin/kill
[03:31:35]          Current hash: 3a49d6419a81cc4a2dce027531efc2d9c3799c7256b37a0e0c3450eb119af94e
[03:31:35]          Stored hash : 1f2a1e0b7dec95663c30f27e6cf27f1062c89f028f92ce36def3661974fca107
[03:31:35]          Current inode: 16654658    Stored inode: 16646261
[03:31:35]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:35]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:35]   /bin/less                                       [ OK ]
[03:31:35]   /bin/login                                      [ OK ]
[03:31:35]   /bin/ls                                         [ OK ]
[03:31:35]   /bin/lsmod                                      [ Warning ]
[03:31:35] Warning: The file properties have changed:
[03:31:35]          File: /bin/lsmod
[03:31:35]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:35]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:35]          Current inode: 16650750    Stored inode: 16646206
[03:31:35]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:35]          Stored file modification time : 1500993335 (25-Jul-2017 07:35:35)
[03:31:35]   /bin/mktemp                                     [ OK ]
[03:31:35]   /bin/more                                       [ Warning ]
[03:31:35] Warning: The file properties have changed:
[03:31:35]          File: /bin/more
[03:31:35]          Current hash: 37b23deb84b68b29e25186d62f4f293ea57fa423ba6f870a50b57b0ba3a05af5
[03:31:35]          Stored hash : d95df40d791af3fec8359104ff7a82fde5ab588d73429c6407a612aba99c03d5
[03:31:35]          Current inode: 16658354    Stored inode: 16646240
[03:31:35]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:35]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:35]   /bin/mount                                      [ Warning ]
[03:31:35] Warning: The file properties have changed:
[03:31:35]          File: /bin/mount
[03:31:35]          Current hash: e45d3f9a16f420dd44a2e8bbeaf267c748dc4fcc89a9091442d141498f1ba2e6
[03:31:35]          Stored hash : d67207136138e0959c3e16c8d7aecb0737431b483fccaa81c0d8dad6ad035137
[03:31:35]          Current inode: 16655063    Stored inode: 16646196
[03:31:35]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:35]          Stored file modification time : 1497477075 (14-Jun-2017 14:51:15)
[03:31:36]   /bin/mv                                         [ OK ]
[03:31:36]   /bin/netstat                                    [ OK ]
[03:31:36]   /bin/ping                                       [ OK ]
[03:31:36]   /bin/ps                                         [ Warning ]
[03:31:36] Warning: The file properties have changed:
[03:31:36]          File: /bin/ps
[03:31:36]          Current hash: bb56ae839be1742bc63c08cec08789c4bbb37cbe23e8719974c6e63212ecc3d6
[03:31:36]          Stored hash : a0714e349d58ce9ee8b0f5d9d2f1b9944f22cdb2ab3cf2c222b444aaad290f89
[03:31:36]          Current inode: 16654659    Stored inode: 16646239
[03:31:36]          Current file modification time: 1526301776 (14-May-2018 05:42:56)
[03:31:36]          Stored file modification time : 1479750912 (21-Nov-2016 09:55:12)
[03:31:36]   /bin/pwd                                        [ OK ]
[03:31:36]   /bin/readlink                                   [ OK ]
[03:31:36]   /bin/sed                                        [ OK ]
[03:31:36]   /bin/sh                                         [ OK ]
[03:31:36]   /bin/su                                         [ OK ]
[03:31:37]   /bin/touch                                      [ OK ]
[03:31:37]   /bin/uname                                      [ OK ]
[03:31:37]   /bin/which                                      [ OK ]
[03:31:37] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.
[03:31:37]   /bin/kmod                                       [ Warning ]
[03:31:37] Warning: The file properties have changed:
[03:31:37]          File: /bin/kmod
[03:31:37]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:37]          Stored hash : 440c11316045cf7482ed6fc7f384a277850ff2ba8eb4282644029efe7c302434
[03:31:37]          Current inode: 16650749    Stored inode: 16646199
[03:31:37]          Current file modification time: 1540803030 (29-Oct-2018 01:50:30)
[03:31:37]          Stored file modification time : 1500993337 (25-Jul-2017 07:35:37)
[03:31:37]   /bin/systemd                                    [ Warning ]
[03:31:37] Warning: The file properties have changed:
[03:31:37]          File: /bin/systemd
[03:31:37]          Current hash: 48d3a5e7669948a14f3ee99364bb53bcf769ca521c1dd2bff65231a08e5e762d
[03:31:37]          Stored hash : a83cc2a548683b41dedccd47437985445ce583f8b549123f74d215f7201f5a07
[03:31:37]          Current inode: 16648000    Stored inode: 16646317
[03:31:37]          Current file modification time: 1543320259 (27-Nov-2018 04:04:19)
[03:31:37]          Stored file modification time : 1509205236 (28-Oct-2017 08:40:36)
[03:31:37]   /bin/systemctl                                  [ Warning ]
[03:31:37] Warning: The file properties have changed:
[03:31:37]          File: /bin/systemctl
[03:31:37]          Current hash: 191f5ea5bd8586b856e52afae6bc963216f1435123d566737bc4d0c369e6e1c7
[03:31:37]          Stored hash : 297dd233556d0286d51965b127e15d6ab1c2b7795332755f1aae0b17d03e3fa6
[03:31:37]          Current inode: 16647438    Stored inode: 16646316
[03:31:37]          Current file modification time: 1543320278 (27-Nov-2018 04:04:38)
[03:31:37]          Stored file modification time : 1460457270 (12-Apr-2016 03:34:30)
[03:31:37]   /bin/dash                                       [ OK ]
[03:31:38]   /lib/systemd/systemd                            [ Warning ]
[03:31:38] Warning: The file properties have changed:
[03:31:38]          File: /lib/systemd/systemd
[03:31:38]          Current hash: 48d3a5e7669948a14f3ee99364bb53bcf769ca521c1dd2bff65231a08e5e762d
[03:31:38]          Stored hash : a83cc2a548683b41dedccd47437985445ce583f8b549123f74d215f7201f5a07
[03:31:38]          Current inode: 28969872    Stored inode: 28971317
[03:31:39]          Current size: 1577264    Stored size: 1573136
[03:31:39]          Current file modification time: 1543320282 (27-Nov-2018 04:04:42)
[03:31:39]          Stored file modification time : 1460457272 (12-Apr-2016 03:34:32)
[03:31:41]

[03:32:28] Checking the local host...
[03:32:28]
[03:32:28] Info: Starting test name 'startup_files'
[03:32:28] Performing system boot checks
[03:32:28]   Checking for local host name                    [ Found ]
[03:32:28]
[03:32:28] Info: Starting test name 'startup_malware'
[03:32:28]   Checking for system startup files               [ Found ]
[03:32:29]   Checking system startup files for malware       [ None found ]
[03:32:29]
[03:32:29] Info: Starting test name 'group_accounts'
[03:32:29] Performing group and account checks
[03:32:29]   Checking for passwd file                        [ Found ]
[03:32:29] Info: Found password file: /etc/passwd
[03:32:29]   Checking for root equivalent (UID 0) accounts   [ None found ]
[03:32:29] Info: Found shadow file: /etc/shadow
[03:32:29]   Checking for passwordless accounts              [ Warning ]
[03:32:29] Warning: Found passwordless account in shadow file: second
[03:32:29]
[03:32:29] Info: Starting test name 'passwd_changes'
[03:32:29]   Checking for passwd file changes                [ Warning ]
[03:32:29] Warning: User 'bind' has been added to the passwd file.
[03:32:29] Warning: User 'postfix' has been added to the passwd file.
[03:32:29] Warning: User 'second' has been added to the passwd file.
[03:32:29] Warning: User 'stunnel4' has been added to the passwd file.
[03:32:29] Warning: User 'geoclue' has been added to the passwd file.
[03:32:29] Warning: User 'lightdm' has been added to the passwd file.
[03:32:29] Warning: User 'guest-k7i4qh' has been added to the passwd file.
[03:32:29] Warning: User 'guest-4zwhnu' has been added to the passwd file.
[03:32:29] Warning: User 'guest-le1dsl' has been added to the passwd file.
[03:32:29] Warning: User 'cl-builder' has been added to the passwd file.
[03:32:29]
[03:32:29] Info: Starting test name 'group_changes'
[03:32:29]   Checking for group file changes                 [ Warning ]
[03:32:29] Warning: Changes found in the group file for group 'sudo':
[03:32:29]          User 'second' has been added to the group
[03:32:29] Warning: Changes found in the group file for group 'nopasswdlogin':
[03:32:29]          User 'second' has been added to the group
[03:32:29] Warning: Group 'bind' has been added to the group file.
[03:32:29] Warning: Group 'postfix' has been added to the group file.
[03:32:29] Warning: Group 'postdrop' has been added to the group file.
[03:32:29] Warning: Group 'second' has been added to the group file.
[03:32:29] Warning: Group 'stunnel4' has been added to the group file.
[03:32:29] Warning: Group 'geoclue' has been added to the group file.
[03:32:29] Warning: Group 'lightdm' has been added to the group file.
[03:32:29] Warning: Group 'guest-k7i4qh' has been added to the group file.
[03:32:29] Warning: Group 'guest-4zwhnu' has been added to the group file.
[03:32:29] Warning: Group 'guest-le1dsl' has been added to the group file.
[03:32:29] Warning: Group 'cl-builder' has been added to the group file.
[03:32:29]   Checking root account shell history files       [ None found ]
[03:32:29]
[03:32:29] Info: Starting test name 'system_configs'
[03:32:29] Performing system configuration file checks
[03:32:29]   Checking for an SSH configuration file          [ Not found ]
[03:32:29]   Checking for a running system logging daemon    [ Found ]
[03:32:31]   Checking /dev for suspicious file types         [ Warning ]
[03:32:31] Warning: Suspicious file types found in /dev:
[03:32:31]          /dev/shm/mono.3909: data
[03:32:31]          /dev/shm/pulse-shm-3435104594: data
[03:32:31]          /dev/shm/pulse-shm-3418618277: data
[03:32:32]   Checking for hidden files and directories       [ Warning ]
[03:32:32] Warning: Hidden directory found: /etc/.java
[03:32:32]   Checking for missing log files                  [ Skipped ]
[03:32:32]   Checking for empty log files                    [ Skipped ]
[03:32:37]
[03:32:37] Info: Test 'apps' disabled at users request.
[03:32:37]
[03:32:37] System checks summary
[03:32:37] =====================
[03:32:37]
[03:32:37] File properties checks...
[03:32:37] Required commands check failed
[03:32:37] Files checked: 146
[03:32:37] Suspect files: 51
[03:32:37]
[03:32:37] Rootkit checks...
[03:32:37] Rootkits checked : 365
[03:32:37] Possible rootkits: 0
[03:32:37]
[03:32:37] Applications checks...
[03:32:37] All checks skipped
[03:32:37]
[03:32:37] The system checks took: 1 minute and 21 seconds
[03:32:37]
[03:32:37] Info: End date is Sat Dec  8 03:32:37 PST 2018
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 4 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
xenopeek
Level 25
Posts: 29587
Joined: Wed Jul 06, 2011 3:58 am

Re: 51 "suspect" files....now what?? [rkhunter]

Post by xenopeek »

This is the pertinent bit:

Code: Select all

[03:31:16] Checking if the O/S has changed since last time...
[03:31:16] Warning: The O/S name or version has changed since the last run:
[03:31:16]          Old O/S value: Linux Mint 18.2 Sonya    New value: Linux Mint 18.3 Sylvia
[03:31:16]          Because of the change(s) the file properties checks may give some false-positive results.
[03:31:16]          You may need to re-run rkhunter with the '--propupd' option.
[03:31:16]
[03:31:16] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a
           reliable source. The rkhunter '--check' option will compare the current file properties
           against previously stored values, and report if any values differ. However, rkhunter
           cannot determine what has caused the change, that is for the user to do.
I take that to mean you ran rkhunter at some point in the past when still on Linux Mint 18.2 and you didn't tell rkhunter to update its files signature database after upgrading to Linux Mint 18.3. So now it's telling you it's seeing differences between the current files (on Linux Mint 18.3) and the last time you updated its files signature database (on Linux Mint 18.2). That's hardly surprising.

rkhunter is a tool to flag possibly suspicious files. The onus is on the human to investigate and weed out what are actually bad files and what are just false positives. I suggest at minimum reading section 3.1 and 3.8 in the rkhunter FAQ: https://sourceforge.net/p/rkhunter/rkh_ ... /files/FAQ
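The triage xenopeek describes (separate package-upgrade noise from anything left over) can be started mechanically. This is an added example, not code from the thread or from rkhunter itself: it parses the "file properties have changed" blocks of a log like the one above, clusters flagged files by modification time (dpkg writes a package's files together, so one cluster usually maps to one entry in /var/log/apt/history.log), and groups paths that carry the same hash. The 60-second window is an assumed value; the sample log is constructed from lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed excerpt: File/hash/mtime lines copied from the thread's log.
SAMPLE_LOG = """\
[03:31:34]          File: /bin/dmesg
[03:31:34]          Current hash: 4caf339df76fa5cef3756ab752c9023169005a7623738a6578bbdd89fcf38809
[03:31:34]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:35]          File: /bin/lsmod
[03:31:35]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:35]          Current file modification time: 1540803028 (29-Oct-2018 01:50:28)
[03:31:35]          File: /bin/more
[03:31:35]          Current hash: 37b23deb84b68b29e25186d62f4f293ea57fa423ba6f870a50b57b0ba3a05af5
[03:31:35]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:35]          File: /bin/mount
[03:31:35]          Current hash: e45d3f9a16f420dd44a2e8bbeaf267c748dc4fcc89a9091442d141498f1ba2e6
[03:31:35]          Current file modification time: 1526482816 (16-May-2018 08:00:16)
[03:31:37]          File: /bin/kmod
[03:31:37]          Current hash: 90bf091d93f316256334584ea4f1e0f1e770c0dbe80d1770b6a80f329a5dd6aa
[03:31:37]          Current file modification time: 1540803030 (29-Oct-2018 01:50:30)
"""

FILE_RE = re.compile(r"^\[[\d:]+\]\s+File: (\S+)$")
HASH_RE = re.compile(r"^\[[\d:]+\]\s+Current hash: ([0-9a-f]+)$")
MTIME_RE = re.compile(r"^\[[\d:]+\]\s+Current file modification time: (\d+) \(([^)]+)\)$")

def parse_warnings(log_text):
    """Return {path: {"hash", "mtime", "when"}} for each 'properties changed' block."""
    records, current = {}, None
    for line in log_text.splitlines():
        if m := FILE_RE.match(line):
            current = records.setdefault(m.group(1), {})
        elif current is not None and (m := HASH_RE.match(line)):
            current["hash"] = m.group(1)
        elif current is not None and (m := MTIME_RE.match(line)):
            current["mtime"], current["when"] = int(m.group(1)), m.group(2)
    return records

def cluster_by_mtime(records, window=60):
    """Group flagged files whose mtimes lie within `window` seconds (assumed value):
    dpkg writes a package's files together, so one cluster is one upgrade to confirm
    in /var/log/apt/history.log; a lone file matching no upgrade needs a closer look."""
    ordered = sorted(records.items(), key=lambda kv: kv[1]["mtime"])
    clusters, group, last = [], [], None
    for path, rec in ordered:
        if last is not None and rec["mtime"] - last > window:
            clusters.append(group)
            group = []
        group.append(path)
        last = rec["mtime"]
    if group:
        clusters.append(group)
    return clusters

def same_binary(records):
    """Map a current hash to the paths sharing it: the same program under several
    names (lsmod is kmod), so one package verification covers all of them."""
    by_hash = defaultdict(list)
    for path, rec in records.items():
        by_hash[rec["hash"]].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

if __name__ == "__main__":
    for group in cluster_by_mtime(parse_warnings(SAMPLE_LOG)):
        print(group)
```

Each cluster's date can then be matched against the apt history before deciding that `--propupd` is safe to run; files the script cannot tie to an upgrade are the ones worth checking with `dpkg --verify` first.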
Glockdoc
Level 2
Posts: 96
Joined: Tue May 09, 2017 5:42 am

Re: 51 "suspect" files....now what?? [rkhunter]

Post by Glockdoc »

Yes, ran it on 18.2, forgot it was on the machine, ran it today (18.3).

So how do I tell rkhunter to update file signatures.

It sounds as if that would be step 1, then re run rkhunter and see if I still get the same warnings.

Reading section 3.1 thru 3.8 was not much help. There was a link to CERT that I will look at later. Too much detail for a quick read.

Thank you, JC
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: 51 "suspect" files....now what?? [rkhunter]

Post by Hoser Rob »

rkhunter isn't exactly a beginner level app, here's a guide, there are others but this looks pretty good:

http://xmodulo.com/how-to-scan-linux-for-rootkits.html
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
Pepi
Level 6
Posts: 1305
Joined: Wed Nov 18, 2009 7:47 pm

Re: 51 "suspect" files....now what?? [rkhunter]

Post by Pepi »

I learned to quit using rkhunter. Just confusing with all the things it finds that are really OK
Glockdoc
Level 2
Posts: 96
Joined: Tue May 09, 2017 5:42 am

Re: 51 "suspect" files....now what?? [rkhunter]

Post by Glockdoc »

Ok, found the update command, ran it, re ran rkhunter and it was MUCH cleaner. Below are the warnings.

Frankly, I have no idea if I should be concerned. PLUS, I do not know if the 1 suspicious file is the lwp-request or the hidden /.java file


Your thoughts guys?

Thanks for your help. I can muddle around, but am still in the midst of the steep learning curve....an love it!

Code: Select all


[07:09:35]   /usr/bin/lwp-request                           [ Warning ]
[07:09:35] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

[07:10:28] Info: SCAN_MODE_DEV set to 'THOROUGH'
[07:10:30]   Checking /dev for suspicious file types         [ Warning ]
[07:10:30] Warning: Suspicious file types found in /dev:
[07:10:30]          /dev/shm/mono.3909: data
[07:10:30]          /dev/shm/pulse-shm-3435104594: data
[07:10:30]          /dev/shm/pulse-shm-3418618277: data
[07:10:30]   Checking for hidden files and directories       [ Warning ]
[07:10:30] Warning: Hidden directory found: /etc/.java


System checks summary
[07:10:35] =====================
[07:10:35]
[07:10:35] File properties checks...
[07:10:35] Files checked: 146
[07:10:35] Suspect files: 1
[07:10:35]
[07:10:35] Rootkit checks...
[07:10:35] Rootkits checked : 365
[07:10:35] Possible rootkits: 0
[07:10:35]
[07:10:35] Applications checks...
[07:10:35] All checks skipped
[07:10:35]
[07:10:35] The system checks took: 1 minute and 13 seconds
[07:10:35]
Glockdoc
Level 2
Posts: 96
Joined: Tue May 09, 2017 5:42 am

Re: 51 "suspect" files....now what?? [rkhunter]

Post by Glockdoc »

After doing some more poking around, some more reading, and scans w chkrootkit and lynis, it appears the hidden /.java file is created by Sun and ok and the script command is a false positive.

I am going to mark this solved.....unless anyone objects and my system is fubar! LOL

Thanks for all the pointers.
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: 51 "suspect" files....now what?? [rkhunter] <SOLVED>

Post by jimallyn »

People ask about rkhunter (and what's the other one?) and the answer is often something along the lines of if you want to do that, be prepared to spend a lot of time searching the web for all the known false positives reported.

I recently installed Comodo antivirus, mostly just for amusement. The first time I ran it, it found 61 Windows viruses in deleted emails. I used to check email for a friend who was temporarily without a computer, and all the viruses found were in HIS deleted emails. (He used to be very careless about his internet use.) No Linux viruses have been found. Anyway, I think Comodo checks for rootkits, too.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
phd21
Level 20
Posts: 10104
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: 51 "suspect" files....now what?? [rkhunter] <SOLVED>

Post by phd21 »

Hi Glockdoc,

I just read your post and the good replies to it. Here are my thoughts on this as well.

Detecting Linux rootkits and Security Holes with rkhunter in Ubuntu 18.04.
https://www.theurbanpenguin.com/detecti ... ntu-18-04/

I don't know if it is true or not, but I just read the author developer of rkhunter also created "lynis" which includes the rkhunter functions?

How to Perform Security Audits With Lynis on Ubuntu 16.04 | DigitalOcean
https://www.digitalocean.com/community/ ... untu-16-04

How to Perform System Security Auditing with Lynis on Ubuntu 18.04 - kifarunix.com
https://kifarunix.com/how-to-perform-sy ... ntu-18-04/

Three Tools to Scan a Linux Server for Viruses, Malware and Rootkits
https://www.howtoforge.com/tutorial/how ... -rootkits/

Hope this helps ...
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen
Glockdoc
Level 2
Posts: 96
Joined: Tue May 09, 2017 5:42 am

Re: 51 "suspect" files....now what?? [rkhunter] <SOLVED>

Post by Glockdoc »

GREAT INFO!!

Thank you. My final solution was to install Mint 19 beside 18.3, but I am pretty sure 18.3 is clean and fine.
phd21
Level 20
Posts: 10104
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: 51 "suspect" files....now what?? [rkhunter] <SOLVED>

Post by phd21 »

Hi Glockdoc,

You are welcome from all of us that replied...

I have run all of these checks on both Linux Mint 18.x and 19.x and I have never found anything serious like a virus, malware, or "rootkit", to worry about. I also have both Linux Mint 18.x and 19.x installed (dual-boot scenario).

I forgot to add in this post, that I also have bootable CD/DVD and USB stick of various anti-virus applications which I boot to about every month or two, or if something weird happens like a serious warning, which I run overnight to check my systems and they have never found anything in Linux although they did find a couple MS Windows files with issues and they deleted or quarantined them automatically. Note not all of these bootable anti-virus and anti-malware applications can check Linux file systems as well as MS Windows and or Mac systems, so make sure they can. "Kaspersky", "Avira", "Dr.Web", "Comodo", "Sophos", etc... I usually use "Kaspersky" or "Avira".
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen