Rkhunter several results for a script replacement

Jimmy7782
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Rkhunter several results for a script replacement

Post by Jimmy7782 »

I have gotten many warnings and some are from an update, but I got several results that are strange.
I checked the md5sum numbers of the script replacement errors and I don't see them match.

These are some of the md5sum numbers for a few suspect warnings:


slash@slash:~$ md5sum /bin/egrep
ef55d1537377114cc24cdc398fbdd930  /bin/egrep
slash@slash:~$ md5sum /bin/fgrep
3885488b9d1d10902c6b9c18e20bf952  /bin/fgrep
slash@slash:~$ md5sum /usr/bin/ldd
391741afba08eb43ea7425000d18eaa0  /usr/bin/ldd

Here is my scan log. Can I get some help with this?


slash@slash:~$  cat /var/log/rkhunter.log
[23:00:45] Running Rootkit Hunter version 1.4.6 on slash
[23:00:45]
[23:00:45] Info: Start date is Mon 29 May 2023 11:00:45 PM EDT
[23:00:45]
[23:00:45] Checking configuration file and command-line options...
[23:00:45] Info: Detected operating system is 'Linux'
[23:00:45] Info: Found O/S name: Linux Mint 21
[23:00:45] Info: Command line is /usr/bin/rkhunter --check
[23:00:45] Info: Environment shell is /bin/bash; rkhunter is using dash
[23:00:45] Info: Using configuration file '/etc/rkhunter.conf'
[23:00:45] Info: Installation directory is '/usr'
[23:00:45] Info: Using language 'en'
[23:00:45] Info: Using '/var/lib/rkhunter/db' as the database directory
[23:00:45] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[23:00:45] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/libexec' as the command directories
[23:00:45] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[23:00:45] Info: No mail-on-warning address configured
[23:00:45] Info: X will be automatically detected
[23:00:45] Info: Using second color set
[23:00:45] Info: Found the 'basename' command: /usr/bin/basename
[23:00:45] Info: Found the 'diff' command: /usr/bin/diff
[23:00:45] Info: Found the 'dirname' command: /usr/bin/dirname
[23:00:45] Info: Found the 'file' command: /usr/bin/file
[23:00:45] Info: Found the 'find' command: /usr/bin/find
[23:00:45] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
[23:00:45] Info: Found the 'ip' command: /usr/sbin/ip
[23:00:45] Info: Found the 'ipcs' command: /usr/bin/ipcs
[23:00:45] Info: Found the 'ldd' command: /usr/bin/ldd
[23:00:45] Info: Found the 'lsattr' command: /usr/bin/lsattr
[23:00:45] Info: Found the 'lsmod' command: /usr/sbin/lsmod
[23:00:45] Info: Found the 'lsof' command: /usr/bin/lsof
[23:00:45] Info: Found the 'mktemp' command: /usr/bin/mktemp
[23:00:45] Info: Found the 'netstat' command: /usr/bin/netstat
[23:00:45] Info: Found the 'numfmt' command: /usr/bin/numfmt
[23:00:45] Info: Found the 'perl' command: /usr/bin/perl
[23:00:45] Info: Found the 'pgrep' command: /usr/bin/pgrep
[23:00:45] Info: Found the 'ps' command: /usr/bin/ps
[23:00:45] Info: Found the 'pwd' command: /usr/bin/pwd
[23:00:45] Info: Found the 'readlink' command: /usr/bin/readlink
[23:00:45] Info: Found the 'stat' command: /usr/bin/stat
[23:00:45] Info: Found the 'strings' command: /usr/bin/strings
[23:00:45] Info: System is not using prelinking
[23:00:45] Info: Using the '/usr/bin/sha256sum' command for the file hash checks
[23:00:45] Info: Stored hash values used hash function '/usr/bin/sha256sum'
[23:00:45] Info: Stored hash values did not use a package manager
[23:00:45] Info: The hash function field index is set to 1
[23:00:45] Info: No package manager specified: using hash function '/usr/bin/sha256sum'
[23:00:45] Info: Previous file attributes were stored
[23:00:45] Info: Enabled tests are: all
[23:00:45] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps
[23:00:45] Info: Found kernel symbols file '/proc/kallsyms'
[23:00:45] Info: Using syslog for some logging - facility/priority level is 'authpriv.warning'.
[23:00:45] Info: Found the 'logger' command: /usr/bin/logger
[23:00:45] Info: Using 'date' to process epoch second times
[23:00:45]
[23:00:45] Checking if the O/S has changed since last time...
[23:00:45] Info: Nothing seems to have changed.
[23:00:45] Info: Locking is not being used
[23:00:45]
[23:00:45] Starting system checks...
[23:00:45]
[23:00:45] Info: Starting test name 'system_commands'
[23:00:45] Checking system commands...
[23:00:45]
[23:00:45] Info: Starting test name 'strings'
[23:00:45] Performing 'strings' command checks
[23:00:45]   Scanning for string /usr/sbin/ntpsx             [ OK ]
[23:00:46]   Scanning for string /usr/sbin/.../bkit-ava      [ OK ]
[23:00:46]   Scanning for string /usr/sbin/.../bkit-d        [ OK ]
[23:00:46]   Scanning for string /usr/sbin/.../bkit-shd      [ OK ]
[23:00:46]   Scanning for string /usr/sbin/.../bkit-f        [ OK ]
[23:00:46]   Scanning for string /usr/include/.../proc.h     [ OK ]
[23:00:46]   Scanning for string /usr/include/.../.bash_history [ OK ]
[23:00:46]   Scanning for string /usr/include/.../bkit-get   [ OK ]
[23:00:46]   Scanning for string /usr/include/.../bkit-dl    [ OK ]
[23:00:46]   Scanning for string /usr/include/.../bkit-screen [ OK ]
[23:00:46]   Scanning for string /usr/include/.../bkit-sleep [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-adore.o   [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../ls             [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../netstat        [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../lsof           [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shhk [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-ssh/bkit-pw [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shrs [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-ssh/bkit-mots [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../uconf.inv      [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../psr            [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../find           [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../pstree         [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../slocate        [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../du             [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../top            [ OK ]
[23:00:46]   Scanning for string /usr/sbin/...               [ OK ]
[23:00:46]   Scanning for string /usr/include/...            [ OK ]
[23:00:46]   Scanning for string /usr/include/.../.tmp       [ OK ]
[23:00:46]   Scanning for string /usr/lib/...                [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../.ssh           [ OK ]
[23:00:46]   Scanning for string /usr/lib/.../bkit-ssh       [ OK ]
[23:00:46]   Scanning for string /usr/lib/.bkit-             [ OK ]
[23:00:46]   Scanning for string /tmp/.bkp                   [ OK ]
[23:00:46]   Scanning for string /tmp/.cinik                 [ OK ]
[23:00:46]   Scanning for string /tmp/.font-unix/.cinik      [ OK ]
[23:00:46]   Scanning for string /lib/.sso                   [ OK ]
[23:00:46]   Scanning for string /lib/.so                    [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/clean      [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/dxr        [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/read       [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/write      [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/lf         [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/xl         [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/xdr        [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/psg        [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/secure     [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/rdx        [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/va         [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/cl.sh      [ OK ]
[23:00:46]   Scanning for string /var/run/...dica/last.log   [ OK ]
[23:00:46]   Scanning for string /usr/bin/.etc               [ OK ]
[23:00:46]   Scanning for string /etc/sshd_config            [ OK ]
[23:00:46]   Scanning for string /etc/ssh_host_key           [ OK ]
[23:00:46]   Scanning for string /etc/ssh_random_seed        [ OK ]
[23:00:46]   Scanning for string /dev/ptyp                   [ OK ]
[23:00:46]   Scanning for string /dev/ptyq                   [ OK ]
[23:00:46]   Scanning for string /dev/ptyr                   [ OK ]
[23:00:46]   Scanning for string /dev/ptys                   [ OK ]
[23:00:46]   Scanning for string /dev/ptyt                   [ OK ]
[23:00:46]   Scanning for string /dev/fd/.88/freshb-bsd      [ OK ]
[23:00:46]   Scanning for string /dev/fd/.88/fresht          [ OK ]
[23:00:46]   Scanning for string /dev/fd/.88/zxsniff         [ OK ]
[23:00:46]   Scanning for string /dev/fd/.88/zxsniff.log     [ OK ]
[23:00:46]   Scanning for string /dev/fd/.99/.ttyf00         [ OK ]
[23:00:46]   Scanning for string /dev/fd/.99/.ttyp00         [ OK ]
[23:00:46]   Scanning for string /dev/fd/.99/.ttyq00         [ OK ]
[23:00:46]   Scanning for string /dev/fd/.99/.ttys00         [ OK ]
[23:00:46]   Scanning for string /dev/fd/.99/.pwsx00         [ OK ]
[23:00:46]   Scanning for string /etc/.acid                  [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/sched_host.2   [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/random_d.2     [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/set_pid.2      [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/setrgrp.2      [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/TOHIDE         [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/cons.saver     [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/adore/ava/ava  [ OK ]
[23:00:46]   Scanning for string /usr/lib/.fx/adore/adore/adore.ko [ OK ]
[23:00:47]   Scanning for string /bin/sysback                [ OK ]
[23:00:47]   Scanning for string /usr/local/bin/sysback      [ OK ]
[23:00:47]   Scanning for string /usr/lib/.tbd               [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/t0rns     [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/du        [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/ls        [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/t0rnsb    [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/ps        [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/t0rnp     [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/find      [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/ifconfig  [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/pg        [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/ssh.tgz   [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/top       [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/sz        [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/login     [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/in.fingerd [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/1i0n.sh   [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/pstree    [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/in.telnetd [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/mjy       [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/sush      [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/tfn       [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/name      [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/getip.sh  [ OK ]
[23:00:47]   Scanning for string /usr/info/.torn/sh*         [ OK ]
[23:00:47]   Scanning for string /usr/src/.puta/.1addr       [ OK ]
[23:00:47]   Scanning for string /usr/src/.puta/.1file       [ OK ]
[23:00:47]   Scanning for string /usr/src/.puta/.1proc       [ OK ]
[23:00:47]   Scanning for string /usr/src/.puta/.1logz       [ OK ]
[23:00:47]   Scanning for string /usr/info/.t0rn             [ OK ]
[23:00:47]   Scanning for string /dev/.lib                   [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib               [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib           [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/lib/dev       [ OK ]
[23:00:47]   Scanning for string /dev/.lib/lib/scan          [ OK ]
[23:00:47]   Scanning for string /usr/src/.puta              [ OK ]
[23:00:47]   Scanning for string /usr/man/man1/man1          [ OK ]
[23:00:47]   Scanning for string /usr/man/man1/man1/lib      [ OK ]
[23:00:47]   Scanning for string /usr/man/man1/man1/lib/.lib [ OK ]
[23:00:47]   Scanning for string /usr/man/man1/man1/lib/.lib/.backup [ OK ]
[23:00:47]
[23:00:47] Info: Starting test name 'shared_libs'
[23:00:47] Performing 'shared libraries' checks
[23:00:47]   Checking for preloading variables               [ None found ]
[23:00:47]   Checking for preloaded libraries                [ None found ]
[23:00:47]
[23:00:47] Info: Starting test name 'shared_libs_path'
[23:00:47]   Checking LD_LIBRARY_PATH variable               [ Not found ]
[23:00:47]
[23:00:47] Info: Starting test name 'properties'
[23:00:47] Performing file properties checks
[23:00:47]   Checking for prerequisites                      [ OK ]
[23:00:49]   /usr/sbin/adduser                               [ OK ]
[23:00:49] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[23:00:49]   /usr/sbin/chroot                                [ OK ]
[23:00:49]   /usr/sbin/cron                                  [ OK ]
[23:00:49]   /usr/sbin/depmod                                [ OK ]
[23:00:50]   /usr/sbin/fsck                                  [ OK ]
[23:00:50]   /usr/sbin/groupadd                              [ OK ]
[23:00:50]   /usr/sbin/groupdel                              [ OK ]
[23:00:50]   /usr/sbin/groupmod                              [ OK ]
[23:00:50]   /usr/sbin/grpck                                 [ OK ]
[23:00:50]   /usr/sbin/ifconfig                              [ OK ]
[23:00:50]   /usr/sbin/ifdown                                [ OK ]
[23:00:50]   /usr/sbin/ifup                                  [ OK ]
[23:00:50]   /usr/sbin/init                                  [ Warning ]
[23:00:50] Warning: The file properties have changed:
[23:00:50]          File: /usr/sbin/init
[23:00:50]          Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:00:50]          Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:00:50]          Current inode: 25953647    Stored inode: 25953749
[23:00:50]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:00:50]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:00:50]   /usr/sbin/insmod                                [ OK ]
[23:00:50]   /usr/sbin/ip                                    [ OK ]
[23:00:50]   /usr/sbin/lsmod                                 [ OK ]
[23:00:50]   /usr/sbin/modinfo                               [ OK ]
[23:00:50]   /usr/sbin/modprobe                              [ OK ]
[23:00:51]   /usr/sbin/nologin                               [ OK ]
[23:00:51]   /usr/sbin/pwck                                  [ OK ]
[23:00:51]   /usr/sbin/rmmod                                 [ OK ]
[23:00:51]   /usr/sbin/route                                 [ OK ]
[23:00:51]   /usr/sbin/rsyslogd                              [ OK ]
[23:00:51]   /usr/sbin/runlevel                              [ Warning ]
[23:00:51] Warning: The file properties have changed:
[23:00:51]          File: /usr/sbin/runlevel
[23:00:51]          Current hash: f48396b4d8fbf906a0a12ec5f9581a119fe266b0d61919c251e8320bd099327a
[23:00:51]          Stored hash : a9c198f924de92ab40633d345c55b6e84986e6e58f5569220871af3edeaca069
[23:00:51]          Current inode: 25954758    Stored inode: 25954035
[23:00:51]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:00:51]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:00:51]   /usr/sbin/sulogin                               [ OK ]
[23:00:51]   /usr/sbin/sysctl                                [ OK ]
[23:00:51]   /usr/sbin/useradd                               [ OK ]
[23:00:51]   /usr/sbin/userdel                               [ OK ]
[23:00:51]   /usr/sbin/usermod                               [ OK ]
[23:00:51]   /usr/sbin/vipw                                  [ OK ]
[23:00:52]   /usr/sbin/unhide                                [ OK ]
[23:00:52]   /usr/sbin/unhide-linux                          [ OK ]
[23:00:52]   /usr/sbin/unhide-posix                          [ OK ]
[23:00:52]   /usr/sbin/unhide-tcp                            [ OK ]
[23:00:52]   /usr/bin/awk                                    [ OK ]
[23:00:52]   /usr/bin/basename                               [ OK ]
[23:00:52]   /usr/bin/bash                                   [ OK ]
[23:00:52]   /usr/bin/cat                                    [ OK ]
[23:00:52]   /usr/bin/chattr                                 [ OK ]
[23:00:52]   /usr/bin/chmod                                  [ OK ]
[23:00:52]   /usr/bin/chown                                  [ OK ]
[23:00:52]   /usr/bin/cp                                     [ OK ]
[23:00:52]   /usr/bin/curl                                   [ Warning ]
[23:00:52] Warning: The file properties have changed:
[23:00:52]          File: /usr/bin/curl
[23:00:52]          Current hash: 1a54929c2846d7062a8453ebd170cfb4f9dba80eb97edb3d48d68c8db0e5bbcb
[23:00:52]          Stored hash : bf4707292c81934ecb2fec97a51519727511cb71b33ca379ee78a27cef6067fc
[23:00:52]          Current inode: 25953739    Stored inode: 25955981
[23:00:52]          Current file modification time: 1678811822 (14-Mar-2023 12:37:02)
[23:00:52]          Stored file modification time : 1676467205 (15-Feb-2023 08:20:05)
[23:00:52]   /usr/bin/cut                                    [ OK ]
[23:00:52]   /usr/bin/date                                   [ OK ]
[23:00:52]   /usr/bin/df                                     [ OK ]
[23:00:53]   /usr/bin/diff                                   [ OK ]
[23:00:53]   /usr/bin/dirname                                [ OK ]
[23:00:53]   /usr/bin/dmesg                                  [ OK ]
[23:00:53]   /usr/bin/dpkg                                   [ Warning ]
[23:00:53] Warning: The file properties have changed:
[23:00:53]          File: /usr/bin/dpkg
[23:00:53]          Current hash: 0da103b1b79cc04ed22e6627b5484fb503516ec9b8ee17cbb1eeb10f7c083785
[23:00:53]          Stored hash : b4becd8e93ccfe388a25716a2f930fff5ebe452a0db644bc6d2ed8f228bcbf1c
[23:00:53]          Current inode: 25954133    Stored inode: 25952584
[23:00:53]          Current file modification time: 1680356622 (01-Apr-2023 09:43:42)
[23:00:53]          Stored file modification time : 1653477111 (25-May-2022 07:11:51)
[23:00:53]   /usr/bin/dpkg-query                             [ Warning ]
[23:00:53] Warning: The file properties have changed:
[23:00:53]          File: /usr/bin/dpkg-query
[23:00:53]          Current hash: 48e103a0020d92f68f8f23f3ffb597cee75db08db9de00992cb6fa7ded863267
[23:00:53]          Stored hash : 629808fd2dea5d964f2693ff61920e5b0cd91ab9d7f41b4dfcaeb29bece10438
[23:00:53]          Current inode: 25955147    Stored inode: 25952600
[23:00:53]          Current file modification time: 1680356622 (01-Apr-2023 09:43:42)
[23:00:53]          Stored file modification time : 1653477111 (25-May-2022 07:11:51)
[23:00:53]   /usr/bin/du                                     [ OK ]
[23:00:53]   /usr/bin/echo                                   [ OK ]
[23:00:53]   /usr/bin/ed                                     [ OK ]
[23:00:53]   /usr/bin/egrep                                  [ OK ]
[23:00:53] Info: Found file '/usr/bin/egrep': it is whitelisted for the 'script replacement' check.
[23:00:53]   /usr/bin/env                                    [ OK ]
[23:00:53]   /usr/bin/fgrep                                  [ OK ]
[23:00:53] Info: Found file '/usr/bin/fgrep': it is whitelisted for the 'script replacement' check.
[23:00:53]   /usr/bin/file                                   [ OK ]
[23:00:53]   /usr/bin/find                                   [ OK ]
[23:00:53]   /usr/bin/fuser                                  [ OK ]
[23:00:53]   /usr/bin/GET                                    [ OK ]
[23:00:53]   /usr/bin/grep                                   [ OK ]
[23:00:54]   /usr/bin/groups                                 [ OK ]
[23:00:54]   /usr/bin/head                                   [ OK ]
[23:00:54]   /usr/bin/id                                     [ OK ]
[23:00:54]   /usr/bin/ip                                     [ OK ]
[23:00:54]   /usr/bin/ipcs                                   [ OK ]
[23:00:54]   /usr/bin/kill                                   [ OK ]
[23:00:54]   /usr/bin/killall                                [ OK ]
[23:00:54]   /usr/bin/last                                   [ OK ]
[23:00:54]   /usr/bin/lastlog                                [ OK ]
[23:00:54]   /usr/bin/ldd                                    [ OK ]
[23:00:54] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[23:00:54]   /usr/bin/less                                   [ OK ]
[23:00:54]   /usr/bin/locate                                 [ OK ]
[23:00:54]   /usr/bin/logger                                 [ OK ]
[23:00:54]   /usr/bin/login                                  [ OK ]
[23:00:54]   /usr/bin/ls                                     [ OK ]
[23:00:54]   /usr/bin/lsattr                                 [ OK ]
[23:00:54]   /usr/bin/lsmod                                  [ OK ]
[23:00:54]   /usr/bin/lsof                                   [ OK ]
[23:00:55]   /usr/bin/mail                                   [ OK ]
[23:00:55]   /usr/bin/md5sum                                 [ OK ]
[23:00:55]   /usr/bin/mktemp                                 [ OK ]
[23:00:55]   /usr/bin/more                                   [ OK ]
[23:00:55]   /usr/bin/mount                                  [ OK ]
[23:00:55]   /usr/bin/mv                                     [ OK ]
[23:00:55]   /usr/bin/netstat                                [ OK ]
[23:00:55]   /usr/bin/newgrp                                 [ OK ]
[23:00:55]   /usr/bin/passwd                                 [ OK ]
[23:00:55]   /usr/bin/perl                                   [ OK ]
[23:00:55]   /usr/bin/pgrep                                  [ OK ]
[23:00:55]   /usr/bin/ping                                   [ OK ]
[23:00:55]   /usr/bin/pkill                                  [ OK ]
[23:00:55]   /usr/bin/ps                                     [ OK ]
[23:00:55]   /usr/bin/pstree                                 [ OK ]
[23:00:55]   /usr/bin/pwd                                    [ OK ]
[23:00:55]   /usr/bin/readlink                               [ OK ]
[23:00:55]   /usr/bin/rkhunter                               [ OK ]
[23:00:56]   /usr/bin/runcon                                 [ OK ]
[23:00:56]   /usr/bin/sed                                    [ OK ]
[23:00:56]   /usr/bin/sh                                     [ OK ]
[23:00:56]   /usr/bin/sha1sum                                [ OK ]
[23:00:56]   /usr/bin/sha224sum                              [ OK ]
[23:00:56]   /usr/bin/sha256sum                              [ OK ]
[23:00:56]   /usr/bin/sha384sum                              [ OK ]
[23:00:56]   /usr/bin/sha512sum                              [ OK ]
[23:00:56]   /usr/bin/size                                   [ Warning ]
[23:00:56] Warning: The file properties have changed:
[23:00:56]          File: /usr/bin/size
[23:00:56]          Current hash: 7a894308c8bc2acd7233beffb1367af0bacd23ab77fbf17b8e7384948a8182fe
[23:00:56]          Stored hash : afaf68954e54f1822eb9cf48b9419eef7b6427cbeda9de5c4f9c3a6ba5d4bbe9
[23:00:56]          Current inode: 25955186    Stored inode: 25958539
[23:00:56]          Current file modification time: 1684739913 (22-May-2023 03:18:33)
[23:00:56]          Stored file modification time : 1667397531 (02-Nov-2022 09:58:51)
[23:00:56]   /usr/bin/sort                                   [ OK ]
[23:00:56]   /usr/bin/ssh                                    [ OK ]
[23:00:56]   /usr/bin/stat                                   [ OK ]
[23:00:56]   /usr/bin/strace                                 [ OK ]
[23:00:56]   /usr/bin/strings                                [ Warning ]
[23:00:56] Warning: The file properties have changed:
[23:00:56]          File: /usr/bin/strings
[23:00:56]          Current hash: 260035cf5919efd9852ef283c0f338137fff7c9be0dfec299dd079bf65bfbfa9
[23:00:56]          Stored hash : f8981a4809881a54f12f176dc2e2e2d25a36b467f2d1dce5b19403470358b1f9
[23:00:56]          Current inode: 25955188    Stored inode: 25958541
[23:00:56]          Current file modification time: 1684739913 (22-May-2023 03:18:33)
[23:00:56]          Stored file modification time : 1667397531 (02-Nov-2022 09:58:51)
[23:00:56]   /usr/bin/su                                     [ OK ]
[23:00:57]   /usr/bin/sudo                                   [ Warning ]
[23:00:57] Warning: The file properties have changed:
[23:00:57]          File: /usr/bin/sudo
[23:00:57]          Current hash: 7d3c2983ad2f278d9e799b5792f13f57bf890bd3b03d10b36e53bf0b6677895e
[23:00:57]          Stored hash : 49278c0ebbc089cc04cfa6136a8011519fbaca9d99106443212e43c2141a7ff9
[23:00:57]          Current inode: 25957682    Stored inode: 25953068
[23:00:57]          Current file modification time: 1680544844 (03-Apr-2023 14:00:44)
[23:00:57]          Stored file modification time : 1677679177 (01-Mar-2023 08:59:37)
[23:00:57]   /usr/bin/tail                                   [ OK ]
[23:00:57]   /usr/bin/telnet                                 [ OK ]
[23:00:57]   /usr/bin/test                                   [ OK ]
[23:00:57]   /usr/bin/top                                    [ OK ]
[23:00:57]   /usr/bin/touch                                  [ OK ]
[23:00:57]   /usr/bin/tr                                     [ OK ]
[23:00:57]   /usr/bin/uname                                  [ OK ]
[23:00:57]   /usr/bin/uniq                                   [ OK ]
[23:00:57]   /usr/bin/users                                  [ OK ]
[23:00:57]   /usr/bin/vmstat                                 [ OK ]
[23:00:57]   /usr/bin/w                                      [ OK ]
[23:00:57]   /usr/bin/watch                                  [ OK ]
[23:00:57]   /usr/bin/wc                                     [ OK ]
[23:00:57]   /usr/bin/wget                                   [ OK ]
[23:00:57]   /usr/bin/whatis                                 [ OK ]
[23:00:57]   /usr/bin/whereis                                [ OK ]
[23:00:57]   /usr/bin/which                                  [ OK ]
[23:00:58] Info: Found file '/usr/bin/which': it is whitelisted for the 'script replacement' check.
[23:00:58]   /usr/bin/who                                    [ OK ]
[23:00:58]   /usr/bin/whoami                                 [ OK ]
[23:00:58]   /usr/bin/numfmt                                 [ OK ]
[23:00:58]   /usr/bin/kmod                                   [ OK ]
[23:00:58]   /usr/bin/systemd                                [ Warning ]
[23:00:58] Warning: The file properties have changed:
[23:00:58]          File: /usr/bin/systemd
[23:00:58]          Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:00:58]          Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:00:58]          Current inode: 25957781    Stored inode: 25956458
[23:00:58]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:00:58]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:00:58]   /usr/bin/systemctl                              [ Warning ]
[23:00:58] Warning: The file properties have changed:
[23:00:58]          File: /usr/bin/systemctl
[23:00:58]          Current hash: f48396b4d8fbf906a0a12ec5f9581a119fe266b0d61919c251e8320bd099327a
[23:00:58]          Stored hash : a9c198f924de92ab40633d345c55b6e84986e6e58f5569220871af3edeaca069
[23:00:58]          Current inode: 25953751    Stored inode: 25954081
[23:00:58]          Current size: 1119856    Stored size: 1115760
[23:00:58]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:00:58]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:00:58]   /usr/bin/gawk                                   [ OK ]
[23:00:58]   /usr/bin/lwp-request                            [ Warning ]
[23:00:58] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[23:00:58]   /usr/bin/plocate                                [ OK ]
[23:00:58]   /usr/bin/bsd-mailx                              [ OK ]
[23:00:58]   /usr/bin/dash                                   [ OK ]
[23:00:58]   /usr/bin/x86_64-linux-gnu-size                  [ Warning ]
[23:00:58] Warning: The file properties have changed:
[23:00:58]          File: /usr/bin/x86_64-linux-gnu-size
[23:00:58]          Current hash: 7a894308c8bc2acd7233beffb1367af0bacd23ab77fbf17b8e7384948a8182fe
[23:00:58]          Stored hash : afaf68954e54f1822eb9cf48b9419eef7b6427cbeda9de5c4f9c3a6ba5d4bbe9
[23:00:58]          Current inode: 25955158    Stored inode: 25958519
[23:00:58]          Current file modification time: 1684739913 (22-May-2023 03:18:33)
[23:00:58]          Stored file modification time : 1667397531 (02-Nov-2022 09:58:51)
[23:00:58]   /usr/bin/x86_64-linux-gnu-strings               [ Warning ]
[23:00:58] Warning: The file properties have changed:
[23:00:58]          File: /usr/bin/x86_64-linux-gnu-strings
[23:00:58]          Current hash: 260035cf5919efd9852ef283c0f338137fff7c9be0dfec299dd079bf65bfbfa9
[23:00:58]          Stored hash : f8981a4809881a54f12f176dc2e2e2d25a36b467f2d1dce5b19403470358b1f9
[23:00:58]          Current inode: 25955159    Stored inode: 25958520
[23:00:58]          Current file modification time: 1684739913 (22-May-2023 03:18:33)
[23:00:58]          Stored file modification time : 1667397531 (02-Nov-2022 09:58:51)
[23:00:58]   /usr/bin/telnet.netkit                          [ OK ]
[23:00:59]   /usr/bin/which.debianutils                      [ OK ]
[23:00:59] Info: Found file '/usr/bin/which.debianutils': it is whitelisted for the 'script replacement' check.
[23:01:00]   /usr/lib/systemd/systemd                        [ Warning ]
[23:01:00] Warning: The file properties have changed:
[23:01:00]          File: /usr/lib/systemd/systemd
[23:01:00]          Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:01:01]          Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:01:01]          Current inode: 25954768    Stored inode: 25956371
[23:01:01]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:01:01]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:01:03]
I only posted warnings since I can't post more than 6000 characters.
Last edited by LockBot on Thu Nov 30, 2023 11:00 pm, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
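Added example, not rkhunter's own code and not from any post in this thread: a Python triage script that parses the "file properties have changed" and "replaced by a script" warnings from the log above, separates the package-upgrade pattern (new hash, newer modification time) from a changed hash whose modification time did not move forward, and groups paths that report the same hash (init, systemd and /usr/lib/systemd/systemd above are one binary). Note that the egrep, fgrep and ldd md5sums in the first post are not warnings at all; the log marks those files as whitelisted for the script-replacement check. The /usr/bin/example-tool block in the sample is constructed.

```python
"""Triage rkhunter 'file properties' warnings from its log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Excerpt of the rkhunter.log posted above (init, lwp-request, systemd),
# followed by one CONSTRUCTED block whose modification time went backwards,
# the shape a replaced binary with a faked timestamp would take.
SAMPLE_LOG = """\
[23:00:50] Warning: The file properties have changed:
[23:00:50]          File: /usr/sbin/init
[23:00:50]          Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:00:50]          Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:00:50]          Current inode: 25953647    Stored inode: 25953749
[23:00:50]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:00:50]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:00:50]   /usr/sbin/insmod                                [ OK ]
[23:00:58] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[23:01:00] Warning: The file properties have changed:
[23:01:00]          File: /usr/lib/systemd/systemd
[23:01:00]          Current hash: 477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd
[23:01:01]          Stored hash : c76a78e1572f62e0b28e0e5c459bd475917eb92177bdbeedf965d22c261b0f82
[23:01:01]          Current file modification time: 1679322728 (20-Mar-2023 10:32:08)
[23:01:01]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
[23:01:02] Warning: The file properties have changed:
[23:01:02]          File: /usr/bin/example-tool
[23:01:02]          Current hash: 1111111111111111111111111111111111111111111111111111111111111111
[23:01:02]          Stored hash : 2222222222222222222222222222222222222222222222222222222222222222
[23:01:02]          Current file modification time: 1600000000 (13-Sep-2020 12:26:40)
[23:01:02]          Stored file modification time : 1677761882 (02-Mar-2023 07:58:02)
"""


@dataclass
class RkWarning:
    path: str = ""
    kind: str = "properties"      # or "script_replacement"
    current_hash: str = ""
    stored_hash: str = ""
    current_mtime: int = 0
    stored_mtime: int = 0


# Indented detail lines of a block, keyed by the text before the first colon.
FIELDS = {"File": "path", "Current hash": "current_hash", "Stored hash": "stored_hash",
          "Current file modification time": "current_mtime",
          "Stored file modification time": "stored_mtime"}
TS_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*(.*)$")


def parse_rkhunter_log(text):
    """Return one RkWarning per warning block in rkhunter's log output."""
    found, block = [], None
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        body = m.group(1)
        if body.startswith("Warning: The command '"):
            found.append(RkWarning(path=body.split("'")[1], kind="script_replacement"))
            block = None
        elif body.startswith("Warning: The file properties have changed"):
            block = RkWarning()
            found.append(block)
        elif block is not None:
            key, _, value = body.partition(":")
            attr = FIELDS.get(key.strip())
            if attr:
                first = value.split()[0]         # drop the '(date)' suffix
                setattr(block, attr, int(first) if attr.endswith("mtime") else first)
            elif not body.startswith(("Current ", "Stored ")):
                block = None                     # any other line ends the block
    return found


def classify(w):
    """'updated' is the pattern a package upgrade leaves (new hash, newer mtime);
    'suspicious' is a changed hash whose mtime did not move forward."""
    if w.kind == "script_replacement":
        return "script_replacement"
    if w.current_hash == w.stored_hash:
        return "metadata_only"        # e.g. inode only; still confirm with dpkg -V
    if w.current_mtime > w.stored_mtime:
        return "updated"
    return "suspicious"


def same_binary_groups(warnings):
    """Paths that report the same current hash are one file under several names
    (hard links or symlink targets), so they need only one verification."""
    groups = defaultdict(list)
    for w in warnings:
        if w.current_hash:
            groups[w.current_hash].append(w.path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def triage(text):
    """(path, label) for every warning block in the given log text."""
    return [(w.path, classify(w)) for w in parse_rkhunter_log(text)]
```

For anything labelled updated, `dpkg -S <path>` names the owning package and `dpkg -V <package>` (or `debsums -c`) compares the file with the package manifest; only after that should `rkhunter --propupd` refresh the stored properties. lwp-request is shipped as a Perl script, which the SCRIPTWHITELIST setting in rkhunter.conf exists to cover.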
Midnight True
Level 7
Posts: 1504
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Rkhunter several results for a script replacement

Post by Midnight True »

Jimmy7782 wrote: Mon May 29, 2023 11:26 pm
Please note that rkhunter is this old:
Rootkit Hunter release 1.4.6 (February 20th 2018)
I believe this causes a lot of false positives due to its outdated database.
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

Thanks for the fast reply, but I checked and posted the md5sums; you can see I posted 3
or 4 current md5sum checks, and I looked on Google for a current md5 for those warnings
and they don't match. Any advice on making sure these md5s are correct? Can I replace
the things with the warnings? I have had a rootkit in the past recently and did a reinstall.
It's a hassle because I have lots of work on this setup.
Midnight True
Level 7
Level 7
Posts: 1504
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Rkhunter several results for a script replacement

Post by Midnight True »

Jimmy7782 wrote: Mon May 29, 2023 11:52 pm
Awww, that is unfortunate. I checked on my system and I found the following:

Code: Select all

milla@DiggieIsBack:~$  md5sum /bin/egrep
ef55d1537377114cc24cdc398fbdd930  /bin/egrep
milla@DiggieIsBack:~$ md5sum /bin/fgrep
3885488b9d1d10902c6b9c18e20bf952  /bin/fgrep
milla@DiggieIsBack:~$ md5sum /usr/bin/ldd
391741afba08eb43ea7425000d18eaa0  /usr/bin/ldd
Looks the same as yours. The reason I can think of is that LM 21.1 is a stable/fixed-release distro that is based on the kernel 5.15.x series (to check, please try in the terminal):

Code: Select all

 uname -r
Because of that, the repositories (i.e. sources of applications) are frozen, and thus the latest versions of the frozen apps (the exception being security updates) will only be used on the LM 22 series. I believe the md5sums you see are for the latest versions of the apps, which are currently enjoyed by rolling release distros such as Arch, Gentoo, etc.

You might also try to check

Code: Select all

dig
to know which DNS your system is using

Code: Select all

cat /etc/resolv.conf
and

Code: Select all

cat /etc/systemd/resolved.conf
to see if the DNS shown by the dig command is similar to what you have in the files above; otherwise the rootkit has modified the above and is thus redirecting your web traffic to another DNS or proxy server.

Also, you need to check your router's settings for DNS or port forwarding manipulation.

You can also try this terminal command to check if there are suspicious applications running on your system:

Code: Select all

cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s/@//1 |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
To check which applications are connecting to the internet:

Code: Select all

sudo ss -tunlp
For more security tips, please check this out:
https://easylinuxtipsproject.blogspot.c ... urity.html

Edit note: added code tags
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

Thanks a lot for letting me know you have the same hash number. I appreciate this answer.
My DNS in the file shows

Code: Select all

dig
 <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26937
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			59870	IN	NS	a.root-servers.net.
.			59870	IN	NS	b.root-servers.net.
.			59870	IN	NS	c.root-servers.net.
.			59870	IN	NS	d.root-servers.net.
.			59870	IN	NS	e.root-servers.net.
.			59870	IN	NS	f.root-servers.net.
.			59870	IN	NS	g.root-servers.net.
.			59870	IN	NS	h.root-servers.net.
.			59870	IN	NS	i.root-servers.net.
.			59870	IN	NS	j.root-servers.net.
.			59870	IN	NS	k.root-servers.net.
.			59870	IN	NS	l.root-servers.net.
.			59870	IN	NS	m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.	3446739	IN	A	198.41.0.4
b.root-servers.net.	3446739	IN	A	199.9.14.201
c.root-servers.net.	3227904	IN	A	192.33.4.12
d.root-servers.net.	3227874	IN	A	199.7.91.13
e.root-servers.net.	3228192	IN	A	192.203.230.10
f.root-servers.net.	3227961	IN	A	192.5.5.241
g.root-servers.net.	3228661	IN	A	192.112.36.4
h.root-servers.net.	3358612	IN	A	198.97.190.53
i.root-servers.net.	3358612	IN	A	192.36.148.17
j.root-servers.net.	3358612	IN	A	192.58.128.30
k.root-servers.net.	3358612	IN	A	193.0.14.129
l.root-servers.net.	3227873	IN	A	199.7.83.42
m.root-servers.net.	3227875	IN	A	202.12.27.33
a.root-servers.net.	3228038	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	3228021	IN	AAAA	2001:500:200::b

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 30 01:00:35 EDT 2023
;; MSG SIZE  rcvd: 503


dig command
 nameserver 127.0.0.53
options edns0 trust-ad
Here is the output of the very long command. I'm learning some things in Kali like Python, more commands, some pentesting, but I'm still a noob in many ways.

Code: Select all

cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s/@//1 |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
ls: cannot access '/proc/795965/exe': No such file or directory
ls: cannot access '/proc/795966/exe': No such file or directory
/usr/lib/systemd/systemd
/usr/bin/bash
/usr/bin/dash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/grep
/usr/bin/readlink
/usr/bin/readlink
I hope this looks ok to you. I have other things like iftop, atop, snort (has lots of port 1900 reports), watch netstat and others. I do also
check my router's admin settings and it all looks normal; the logs rarely show something odd.
Last edited by karlchen on Tue May 30, 2023 3:29 am, edited 2 times in total.
Reason: added [code] [/code] tags
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

My latest check shows some bin/dash thing here.

Code: Select all

cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s/@//1 |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
ls: cannot access '/proc/795965/exe': No such file or directory
ls: cannot access '/proc/795966/exe': No such file or directory
/usr/lib/systemd/systemd
/usr/bin/bash
/usr/bin/dash here
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/bash
/usr/bin/grep
/usr/bin/readlink
/usr/bin/readlink
Last edited by karlchen on Tue May 30, 2023 3:28 am, edited 1 time in total.
Reason: added [code] [/code] tags
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

I just edited the long response; I misplaced the dig command.

Code: Select all

  dig

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52247
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			6045	IN	NS	b.root-servers.net.
.			6045	IN	NS	f.root-servers.net.
.			6045	IN	NS	h.root-servers.net.
.			6045	IN	NS	d.root-servers.net.
.			6045	IN	NS	c.root-servers.net.
.			6045	IN	NS	g.root-servers.net.
.			6045	IN	NS	l.root-servers.net.
.			6045	IN	NS	j.root-servers.net.
.			6045	IN	NS	a.root-servers.net.
.			6045	IN	NS	k.root-servers.net.
.			6045	IN	NS	i.root-servers.net.
.			6045	IN	NS	e.root-servers.net.
.			6045	IN	NS	m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.	6045	IN	AAAA	2001:503:ba3e::2:30
a.root-servers.net.	6045	IN	A	198.41.0.4
b.root-servers.net.	6045	IN	A	199.9.14.201
g.root-servers.net.	6045	IN	A	192.112.36.4
h.root-servers.net.	6045	IN	A	198.97.190.53
d.root-servers.net.	6045	IN	A	199.7.91.13
f.root-servers.net.	6045	IN	A	192.5.5.241
l.root-servers.net.	6045	IN	A	199.7.83.42
j.root-servers.net.	6045	IN	A	192.58.128.30
b.root-servers.net.	6045	IN	AAAA	2001:500:200::b
i.root-servers.net.	6045	IN	A	192.36.148.17
k.root-servers.net.	6045	IN	A	193.0.14.129
c.root-servers.net.	6045	IN	A	192.33.4.12
e.root-servers.net.	6045	IN	A	192.203.230.10
m.root-servers.net.	6045	IN	A	202.12.27.33

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 30 01:19:49 EDT 2023
;; MSG SIZE  rcvd: 503

Code: Select all

 cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .
Last edited by karlchen on Tue May 30, 2023 3:29 am, edited 1 time in total.
Reason: added [code] [/code] tags
Midnight True
Level 7
Level 7
Posts: 1504
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Rkhunter several results for a script replacement

Post by Midnight True »

Jimmy7782 wrote: Tue May 30, 2023 1:08 am

Code: Select all

dig
 <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26937
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			59870	IN	NS	a.root-servers.net.
.			59870	IN	NS	b.root-servers.net.
.			59870	IN	NS	c.root-servers.net.
.			59870	IN	NS	d.root-servers.net.
.			59870	IN	NS	e.root-servers.net.
.			59870	IN	NS	f.root-servers.net.
.			59870	IN	NS	g.root-servers.net.
.			59870	IN	NS	h.root-servers.net.
.			59870	IN	NS	i.root-servers.net.
.			59870	IN	NS	j.root-servers.net.
.			59870	IN	NS	k.root-servers.net.
.			59870	IN	NS	l.root-servers.net.
.			59870	IN	NS	m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.	3446739	IN	A	198.41.0.4
b.root-servers.net.	3446739	IN	A	199.9.14.201
c.root-servers.net.	3227904	IN	A	192.33.4.12
d.root-servers.net.	3227874	IN	A	199.7.91.13
e.root-servers.net.	3228192	IN	A	192.203.230.10
f.root-servers.net.	3227961	IN	A	192.5.5.241
g.root-servers.net.	3228661	IN	A	192.112.36.4
h.root-servers.net.	3358612	IN	A	198.97.190.53
i.root-servers.net.	3358612	IN	A	192.36.148.17
j.root-servers.net.	3358612	IN	A	192.58.128.30
k.root-servers.net.	3358612	IN	A	193.0.14.129
l.root-servers.net.	3227873	IN	A	199.7.83.42
m.root-servers.net.	3227875	IN	A	202.12.27.33
a.root-servers.net.	3228038	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	3228021	IN	AAAA	2001:500:200::b

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 30 01:00:35 EDT 2023
;; MSG SIZE  rcvd: 503
I am not really sure why you have a lot of "Additional Section" entries, but to my knowledge 127.0.0.53 is the default. For more info please check this out: https://unix.stackexchange.com/question ... 127-0-0-53

Here's mine for reference:

Code: Select all

milla@DiggieIsBack:~$ dig

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62509
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			81571	IN	NS	d.root-servers.net.
.			81571	IN	NS	j.root-servers.net.
.			81571	IN	NS	l.root-servers.net.
.			81571	IN	NS	e.root-servers.net.
.			81571	IN	NS	g.root-servers.net.
.			81571	IN	NS	c.root-servers.net.
.			81571	IN	NS	h.root-servers.net.
.			81571	IN	NS	f.root-servers.net.
.			81571	IN	NS	m.root-servers.net.
.			81571	IN	NS	k.root-servers.net.
.			81571	IN	NS	b.root-servers.net.
.			81571	IN	NS	a.root-servers.net.
.			81571	IN	NS	i.root-servers.net.

;; Query time: 124 msec
;; SERVER: 76.76.2.2#53(76.76.2.2) (UDP)
;; WHEN: Tue May 30 14:05:44 PST 2023
;; MSG SIZE  rcvd: 239

Jimmy7782 wrote: Tue May 30, 2023 1:08 am

Code: Select all

ls: cannot access '/proc/795965/exe': No such file or directory
ls: cannot access '/proc/795966/exe': No such file or directory
/usr/bin/dash
I am not sure why you have the ls error. Unfortunately I have no experience using dash.

Here's mine for reference:

Code: Select all

milla@DiggieIsBack:~$ cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s/@//1 |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
/usr/lib/systemd/systemd
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/usr/bin/bash
/usr/bin/bash
/app/lib/firefox/firefox-bin
/app/lib/firefox/firefox-bin
/usr/bin/bash
/usr/bin/grep
/usr/bin/readlink
/usr/bin/readlink
Jimmy7782 wrote: Tue May 30, 2023 1:08 am I do also
check my router's admin settings and it all looks normal; the logs rarely show something odd.
That is good to hear. Lastly, I recommend enabling your firewall; by default it is set to deny all incoming but allow all outgoing:

Code: Select all

sudo ufw enable
Tips on using the forum: there is a </> button; please select that and put all the code inside the tag so that it is a lot easier for other members of the forum to read your posts/replies.
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

Yes I have the firewall on. I do see a lot of additional. Could that just be because I'm
using programs like snort, iftop, atop and other network tools? I'm gonna look up the
IP addresses.

I checked these IP addresses and they are flagged for hacking and other web abuses.
What can I do to get rid of them? Is this some zero day rootkit, do I have to reinstall?
Can you explain to me how or what these servers are doing on my machine? For
the most part the computer works fine, but I understand these new rootkits can hide
from almost any check like who, netstat, id, finger and the many programs that check
for weird connections. I have my firewall on both routers on; Nmap shows ports 53 and 80
open on them for the most part in this scan. I really do need help from someone like you
who knows more on this topic; I'm still trying to educate myself more on pentesting. I have
been hacked before, which is why I have many monitor tools. Is there a way to remove these
IP addresses?

I do all kinds of checks including checking the shadow file, passwd, group files. This stuff hides
incredibly well. Do I gotta reinstall things? I appreciate this info and new commands you gave me.
So I understand these are the DNS servers my network is connecting through? What can
I do, and is this a glitch with my modem or router? My fresh Mint laptop has the same result.
Last edited by Jimmy7782 on Tue May 30, 2023 12:44 pm, edited 2 times in total.
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

Here is my latest scan; it shows fewer IP addresses and more of the AAAA ones.

Code: Select all

 dig

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25076
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			6732	IN	NS	a.root-servers.net.
.			6732	IN	NS	e.root-servers.net.
.			6732	IN	NS	l.root-servers.net.
.			6732	IN	NS	b.root-servers.net.
.			6732	IN	NS	i.root-servers.net.
.			6732	IN	NS	j.root-servers.net.
.			6732	IN	NS	c.root-servers.net.
.			6732	IN	NS	k.root-servers.net.
.			6732	IN	NS	m.root-servers.net.
.			6732	IN	NS	d.root-servers.net.
.			6732	IN	NS	g.root-servers.net.
.			6732	IN	NS	h.root-servers.net.
.			6732	IN	NS	f.root-servers.net.

;; ADDITIONAL SECTION:
c.root-servers.net.	6732	IN	AAAA	2001:500:2::c
f.root-servers.net.	6732	IN	A	192.5.5.241
a.root-servers.net.	6732	IN	A	198.41.0.4
b.root-servers.net.	6732	IN	A	199.9.14.201
d.root-servers.net.	6732	IN	A	199.7.91.13
e.root-servers.net.	6732	IN	A	192.203.230.10
e.root-servers.net.	6732	IN	AAAA	2001:500:a8::e
a.root-servers.net.	6732	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	6732	IN	AAAA	2001:500:200::b
c.root-servers.net.	6732	IN	A	192.33.4.12
g.root-servers.net.	6732	IN	A	192.112.36.4
f.root-servers.net.	6732	IN	AAAA	2001:500:2f::f
d.root-servers.net.	6732	IN	AAAA	2001:500:2d::d

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 30 11:59:19 EDT 2023
;; MSG SIZE  rcvd: 519
I also did this scan on a laptop with a fresh Linux Mint install and I am getting the same dig output.
Is this an issue with a modem, router or what else? Can someone explain what this is? These IP
addresses are flagged for web abuses. Ran the scan on a Tails USB OS and it shows nothing in
dig. It's only on Linux Mint, even fresh installs.
Just checked a Kali Linux install that I don't use much; it has 27 additional, but the same pattern of IP
addresses, only more. My big concern is that these IP addresses are flagged.

A user here has almost the same scan output. I am just concerned about the computer being infected, but
I just need answers.
https://stackoverflow.com/questions/218 ... ervers-net
Last edited by karlchen on Tue May 30, 2023 3:51 pm, edited 1 time in total.
Reason: added [code] [/code] tags
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Rkhunter several results for a script replacement

Post by karlchen »

Hello, Jimmy7782.

Your thread has been titled "Rkhunter several results for a script replacement".
Your rkhunter output holds a small number of corresponding lines.
But nowhere in this thread is any question asked about these "script replacements", and no answer is given on "script replacements" anywhere.

So, please, permit me to explain the found whitelisted script replacements:

Code: Select all

[23:00:49] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[23:00:53] Info: Found file '/usr/bin/egrep': it is whitelisted for the 'script replacement' check.
[23:00:53] Info: Found file '/usr/bin/fgrep': it is whitelisted for the 'script replacement' check.
[23:00:54] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[23:00:58] Info: Found file '/usr/bin/which': it is whitelisted for the 'script replacement' check.
[23:00:59] Info: Found file '/usr/bin/which.debianutils': it is whitelisted for the 'script replacement' check.
The idea behind checking whether executable ELF64 binaries have been replaced by scripts is as follows:
Malware might replace genuine executable ELF64 binaries by shell scripts having the same name as the binary file.
The scripts might even launch the genuine ELF64 binaries, but they would also initiate some malicious activities in addition.
Replacing the binaries in their original location by scripts would be a pretty primitive way of camouflaging the malware.

So far for the theory.

In real life, legitimate distributions like e.g. Debian, Ubuntu, Linux Mint and many more use such script replacements, but not to camouflage anything.
Example:
egrep and fgrep are scripts which invoke the ELF64 binary grep in different ways.
which is a shell script that does not even invoke any ELF64 binary; it makes use of bash internal commands only.

This is why such known "script replacements" are whitelisted by rkhunter and not reported as potentially malicious.

Hope this answers the question implicitly asked by the thread title, in case the answer has been of any interest at all at any time.

Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
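The check karlchen describes, as an added example that is neither his code nor rkhunter's own implementation: a file is classified by its magic bytes (ELF versus `#!`), and a script sitting at a whitelisted path is reported as whitelisted, the way the Info lines in the log above are. The whitelist, the sample files and the function names are constructed for this example.

```shell
# Added example (not karlchen's code and not rkhunter's implementation):
# a minimal "script replacement" check. A file is classified by its first
# bytes: ELF executables start with 0x7f 'E' 'L' 'F', scripts start with '#!'.
# Paths in SCRIPT_WHITELIST are reported as whitelisted, mirroring the Info
# lines for egrep, fgrep, ldd, which and adduser in the thread's log.

# Constructed whitelist; the paths mirror the Info lines in the thread's log.
SCRIPT_WHITELIST="/usr/sbin/adduser /usr/bin/egrep /usr/bin/fgrep /usr/bin/ldd /usr/bin/which /usr/bin/which.debianutils"

# classify_file FILE: print ELF, SCRIPT or OTHER based on the first 4 bytes.
classify_file() {
    elf_magic=$(printf '\177ELF')
    magic=$(head -c 4 "$1" 2>/dev/null)     # empty for a missing file -> OTHER
    case $magic in
        "$elf_magic") echo ELF ;;
        '#!'*)        echo SCRIPT ;;
        *)            echo OTHER ;;
    esac
}

# check_script_replacement PATH [FILE]: report PATH in rkhunter's log style.
# FILE lets a test supply a constructed file standing in for PATH.
# Returns 1 only for a script that is not on the whitelist.
check_script_replacement() {
    path=$1
    file=${2:-$1}
    kind=$(classify_file "$file")
    if [ "$kind" != SCRIPT ]; then
        echo "  $path [ OK ]"
        return 0
    fi
    for w in $SCRIPT_WHITELIST; do
        if [ "$w" = "$path" ]; then
            echo "Info: Found file '$path': it is whitelisted for the 'script replacement' check."
            return 0
        fi
    done
    # Wording modelled on rkhunter's warning, not copied from it.
    echo "Warning: The command '$path' has been replaced by a script: $(head -n 1 "$file")"
    return 1
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo_script_replacement() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/grep"                 # fake ELF header only
    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$d/egrep"     # legitimate wrapper
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$d/ls"        # script where a binary is expected
    check_script_replacement /usr/bin/grep  "$d/grep"
    check_script_replacement /usr/bin/egrep "$d/egrep"
    check_script_replacement /usr/bin/ls    "$d/ls" || echo "-> not a known script replacement; compare with the dpkg copy before trusting it"
    rm -rf "$d"
}
demo_script_replacement
```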
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Rkhunter several results for a script replacement

Post by karlchen »

Hello, Jimmy7782.
Jimmy7782 wrote: Mon May 29, 2023 11:26 pm These are some of the md5sum numbers for a few suspect warnings

Code: Select all

slash@slash:~$ md5sum /bin/egrep
ef55d1537377114cc24cdc398fbdd930  /bin/egrep
slash@slash:~$ md5sum /bin/fgrep
3885488b9d1d10902c6b9c18e20bf952  /bin/fgrep
slash@slash:~$ md5sum /usr/bin/ldd
391741afba08eb43ea7425000d18eaa0  /usr/bin/ldd
md5sum checksums of executables, which rkhunter reports because their checksums have changed between the previous rkhunter run and now, are meaningless.
The checksums in the rkhunter logfiles are sha256 checksums.
The md5sum checksum of a file will of course never match its sha256 checksum.

Regards,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Rkhunter several results for a script replacement

Post by karlchen »

Midnight True wrote: Mon May 29, 2023 11:38 pm Please note that rkhunter is this old
Rootkit Hunter release 1.4.6 (February 20th 2018)
Correct. rkhunter is not the best maintained piece of software.
And its approach to malware (rootkit) detection is pretty ancient and error prone.
It only compares a previous system state to the current state and displays the differences.
Finding out whether any of the listed differences can be accounted for by software updates, or whether they have been caused by malicious manipulation, is an interpretation left to the user who runs rkhunter.
Midnight True wrote: Mon May 29, 2023 11:38 pm i believe this causes a lot of false positives due to its outdated database
Rkhunter does not come with a database holding the names and sha256 checksums of genuine ELF64 binary executables.
Such a database is only created (or updated) when the user executes the command line sudo rkhunter --propupd.
rkhunter creates the file /var/lib/rkhunter/db/rkhunter.dat.
Next time the user executes the command line sudo rkhunter --check --sk, the executable files which rkhunter checks are compared against this file /var/lib/rkhunter/db/rkhunter.dat and the differences are reported (old sha256 checksum and new sha256 checksum).
So it all depends on the very first run of sudo rkhunter --propupd, because rkhunter considers this the clean starting state.
It is the user, however, who has to make sure that the system is clean at this point in time.

What rkhunter can diagnose is pretty limited.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
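The propupd/check cycle karlchen describes in this post, and the sha256-versus-md5 point from his previous one, as an added example that is neither his code nor rkhunter's own implementation: a toy properties database records sha256, inode and mtime as a baseline, and a later check prints differences in the style of the log lines quoted in this thread. The database path, the function names and the sample files are constructed; it assumes GNU coreutils (sha256sum, stat -c).

```shell
# Added example, not karlchen's code and not rkhunter's implementation: a toy
# version of the file-properties database rkhunter keeps in rkhunter.dat.
# prop_update records sha256, inode and mtime (the clean baseline, like
# "rkhunter --propupd"); prop_check recomputes them and prints differences in
# the style of the log lines quoted in this thread (like "rkhunter --check").
# The stored hash is sha256, which is why an md5sum of the same file (32 hex
# digits) can never equal the 64-hex-digit "Stored hash" in the log.
# Assumes GNU coreutils (sha256sum, stat -c); paths must not contain spaces.

DB=${DB:-./rkhunter.dat.example}   # constructed path, not /var/lib/rkhunter/db/rkhunter.dat

# file_props FILE: print "path sha256 inode mtime" on one line.
file_props() {
    f=$1
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    set -- $(stat -c '%i %Y' "$f")     # inode number, mtime in epoch seconds
    echo "$f $sum $1 $2"
}

# prop_update FILE...: (re)create the baseline database from the given files.
prop_update() {
    : > "$DB"
    for f in "$@"; do
        file_props "$f" >> "$DB"
    done
}

# prop_check: compare every recorded file with its baseline entry.
# A changed hash or inode is reported as rkhunter does; returns 1 if any differ.
# Whether a difference is a package update or tampering is still the user's call.
prop_check() {
    rc=0
    while read -r path shash sinode smtime; do
        if [ ! -e "$path" ]; then
            echo "  $path [ Warning ]"
            echo "Warning: The file '$path' no longer exists"
            rc=1
            continue
        fi
        set -- $(file_props "$path")
        if [ "$2" = "$shash" ] && [ "$3" = "$sinode" ]; then
            echo "  $path [ OK ]"
        else
            rc=1
            echo "  $path [ Warning ]"
            echo "Warning: The file properties have changed:"
            echo "         File: $path"
            echo "         Current hash: $2"
            echo "         Stored hash : $shash"
            echo "         Current inode: $3    Stored inode: $sinode"
            echo "         Current file modification time: $4"
            echo "         Stored file modification time : $smtime"
        fi
    done < "$DB"
    return $rc
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo_props() {
    d=$(mktemp -d)
    DB="$d/rkhunter.dat.example"
    printf 'pretend ELF binary v1\n' > "$d/strings"
    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$d/egrep"
    prop_update "$d/strings" "$d/egrep"
    echo "== first check, nothing changed =="
    prop_check
    echo "== after a package upgrade replaced strings =="
    printf 'pretend ELF binary v2\n' > "$d/strings.new"
    mv "$d/strings.new" "$d/strings"       # new inode and new hash, as a package upgrade produces
    prop_check || echo "-> differences found: verify them against the package history, then rerun prop_update"
    rm -rf "$d"
}
demo_props
```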
Jimmy7782
Level 1
Level 1
Posts: 15
Joined: Wed Dec 07, 2022 8:22 pm

Re: Rkhunter several results for a script replacement

Post by Jimmy7782 »

Thank you all for your replies. I understand rkhunter does report many false positives. I used the
propupd because a lot of these warnings are confirmed updates I checked myself, and another
poster reported the same md5 as what I posted, so I just ignored these results. I am a bit concerned
with my dig command results, but it could also be a false positive. I just hope the user who mentioned
the dig command has an answer. Rkhunter needs a better replacement for finding newer malware.
Midnight True
Level 7
Level 7
Posts: 1504
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Rkhunter several results for a script replacement

Post by Midnight True »

Jimmy7782 wrote: Tue May 30, 2023 11:45 am I checked these IP addresses and they are flagged for hacking and other web abuses.
What can I do to get rid of them ? Is this some zero day rootkit, do I have to reinstall ?
Please run this command in the terminal:

Code: Select all

sudo ss -tunlp
so that we will have an idea which applications are connecting to the internet. To my understanding you have just reinstalled, right? By the way, had you verified your LM ISO?
Jimmy7782 wrote: Tue May 30, 2023 11:45 am Can you explain to me how or what these servers are doing on my machine ? For
the most part the computer works fine but I understand these new rootkits can hide
from almost any check like Who, netstat, id, finger and the many programs that check
for weird connections. I have my firewall on both routers on, Nmap shows port 53, 80
open on them for the most part in this scan. Is there a way to remove these
IP addresses ?
To my knowledge, by default there are several IP addresses on your device to provide basic internet needs, for example ntpd for time synchronization, avahi-daemon for color/graphic display and systemd-resolve, which does a lot, but the most important is to sync with the repositories to fetch updates and applications for the software manager. Some ports are open because your system needs them, for example port 53. For more info about this, please check this out: https://askubuntu.com/questions/710621/ ... on-port-53
However, some ports are known defaults for remote access, in particular port 22 for SSH. If you don't use SSH you can block access to it by:

Code: Select all

sudo ufw deny 22
Jimmy7782 wrote: Tue May 30, 2023 11:45 am So I understand these are the DNS servers my network is connecting through ? What can
I do and is this a glitch with my modem or router. My fresh mint laptop has a same result.
To my knowledge, the DNS is kind of the post office of the internet; it facilitates finding websites on various servers from your system. By default the DNS servers used are those provided by your ISP or VPN provider, which are sometimes slow or have privacy implications. You can use other DNS servers if you like, to either speed up your internet or have more privacy. Here are some options regarding DNS: https://avoidthehack.com/best-dns-privacy
To change DNS, please check this out: https://www.linuxfordevices.com/tutoria ... s-on-linux
I personally use Control D 76.76.2.2 and Cloudflare 1.1.1.1 as fallback.
Midnight True
Level 7
Level 7
Posts: 1504
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Rkhunter several results for a script replacement

Post by Midnight True »

Jimmy7782 wrote: Tue May 30, 2023 12:02 pm

Code: Select all

 dig

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25076
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			6732	IN	NS	a.root-servers.net.
.			6732	IN	NS	e.root-servers.net.
.			6732	IN	NS	l.root-servers.net.
.			6732	IN	NS	b.root-servers.net.
.			6732	IN	NS	i.root-servers.net.
.			6732	IN	NS	j.root-servers.net.
.			6732	IN	NS	c.root-servers.net.
.			6732	IN	NS	k.root-servers.net.
.			6732	IN	NS	m.root-servers.net.
.			6732	IN	NS	d.root-servers.net.
.			6732	IN	NS	g.root-servers.net.
.			6732	IN	NS	h.root-servers.net.
.			6732	IN	NS	f.root-servers.net.

;; ADDITIONAL SECTION:
c.root-servers.net.	6732	IN	AAAA	2001:500:2::c
f.root-servers.net.	6732	IN	A	192.5.5.241
a.root-servers.net.	6732	IN	A	198.41.0.4
b.root-servers.net.	6732	IN	A	199.9.14.201
d.root-servers.net.	6732	IN	A	199.7.91.13
e.root-servers.net.	6732	IN	A	192.203.230.10
e.root-servers.net.	6732	IN	AAAA	2001:500:a8::e
a.root-servers.net.	6732	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	6732	IN	AAAA	2001:500:200::b
c.root-servers.net.	6732	IN	A	192.33.4.12
g.root-servers.net.	6732	IN	A	192.112.36.4
f.root-servers.net.	6732	IN	AAAA	2001:500:2f::f
d.root-servers.net.	6732	IN	AAAA	2001:500:2d::d

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 30 11:59:19 EDT 2023
;; MSG SIZE  rcvd: 519
I did some research and found this: https://linuxize.com/post/how-to-use-di ... -in-linux/
The “ADDITIONAL” section gives us information about the IP addresses of the authoritative DNS servers shown in the authority section.
But your result does not show any "Authority section"???
Sorry, but this is beyond my current knowledge, but I am willing to help you out to learn more about this.
t42
Level 11
Level 11
Posts: 3709
Joined: Mon Jan 20, 2014 6:48 pm

Re: Rkhunter several results for a script replacement

Post by t42 »

Jimmy7782 wrote: Tue May 30, 2023 7:46 pm concerned with my dig command results
You are running dig without arguments. Here you have an output of the nameservers that host the root zone. No issue here. You should get the same result with

Code: Select all

dig . NS
Mind the dot.
-=t42=-