rkhunter warning [SOLVED]

turtlebay
Level 5, Posts: 630, Joined: Mon Apr 01, 2013 12:33 pm

rkhunter warning [SOLVED]

Post by turtlebay »

I have just run a scan on my Mint 18 Mate with rkhunter and got a couple of warnings. What should I do now and are these warnings something I need to worry about?

/usr/bin/lwp-request [ Warning ]
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

Code:

 pete@pete-LM-1545 ~ $ sudo apt install rkhunter
[sudo] password for pete: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libqjson0 quvi
Use 'sudo apt autoremove' to remove them.
Recommended packages:
  bsd-mailx | mailutils | heirloom-mailx | mailx default-mta
  | mail-transport-agent unhide unhide.rb
The following NEW packages will be installed
  rkhunter
0 to upgrade, 1 to newly install, 0 to remove and 38 not to upgrade.
Need to get 198 kB of archives.
After this operation, 1,008 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe i386 rkhunter all 1.4.2-5 [198 kB]
Fetched 198 kB in 0s (559 kB/s)
Preconfiguring packages ...
Selecting previously unselected package rkhunter.
(Reading database ... 274158 files and directories currently installed.)
Preparing to unpack .../rkhunter_1.4.2-5_all.deb ...
Unpacking rkhunter (1.4.2-5) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up rkhunter (1.4.2-5) ...

Creating config file /etc/default/rkhunter with new version
[ Rootkit Hunter version 1.4.2 ]
File created: searched for 177 files, found 143
pete@pete-LM-1545 ~ $ sudo rkhunter --update
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
pete@pete-LM-1545 ~ $ sudo rkhunter -c
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dpkg                                            [ OK ]
    /usr/bin/dpkg-query                                      [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/GET                                             [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/locate                                          [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mlocate                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/ssh                                             [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strace                                          [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/telnet                                          [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                               [ OK ]
    /usr/bin/watch                                           [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/lwp-request                                     [ Warning ]
    /usr/bin/i686-linux-gnu-size                             [ OK ]
    /usr/bin/i686-linux-gnu-strings                          [ OK ]
    /usr/bin/telnet.netkit                                   [ OK ]
    /usr/bin/w.procps                                        [ OK ]
    /sbin/depmod                                             [ OK ]
    /sbin/fsck                                               [ OK ]
    /sbin/ifconfig                                           [ OK ]
    /sbin/ifdown                                             [ OK ]
    /sbin/ifup                                               [ OK ]
    /sbin/init                                               [ OK ]
    /sbin/insmod                                             [ OK ]
    /sbin/ip                                                 [ OK ]
    /sbin/lsmod                                              [ OK ]
    /sbin/modinfo                                            [ OK ]
    /sbin/modprobe                                           [ OK ]
    /sbin/rmmod                                              [ OK ]
    /sbin/route                                              [ OK ]
    /sbin/runlevel                                           [ OK ]
    /sbin/sulogin                                            [ OK ]
    /sbin/sysctl                                             [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                 [ OK ]
    /bin/chmod                                               [ OK ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                               [ OK ]
    /bin/echo                                                [ OK ]
    /bin/ed                                                  [ OK ]
    /bin/egrep                                               [ OK ]
    /bin/fgrep                                               [ OK ]
    /bin/fuser                                               [ OK ]
    /bin/grep                                                [ OK ]
    /bin/ip                                                  [ OK ]
    /bin/kill                                                [ OK ]
    /bin/less                                                [ OK ]
    /bin/login                                               [ OK ]
    /bin/ls                                                  [ OK ]
    /bin/lsmod                                               [ OK ]
    /bin/mktemp                                              [ OK ]
    /bin/more                                                [ OK ]
    /bin/mount                                               [ OK ]
    /bin/mv                                                  [ OK ]
    /bin/netstat                                             [ OK ]
    /bin/ping                                                [ OK ]
    /bin/ps                                                  [ OK ]
    /bin/pwd                                                 [ OK ]
    /bin/readlink                                            [ OK ]
    /bin/sed                                                 [ OK ]
    /bin/sh                                                  [ OK ]
    /bin/su                                                  [ OK ]
    /bin/touch                                               [ OK ]
    /bin/uname                                               [ OK ]
    /bin/which                                               [ OK ]
    /bin/kmod                                                [ OK ]
    /bin/systemd                                             [ OK ]
    /bin/systemctl                                           [ OK ]
    /bin/dash                                                [ OK ]
    /lib/systemd/systemd                                     [ OK ]

[Press <ENTER> to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Not found ]
    Devil RootKit                                            [ Not found ]
    Dica-Kit Rootkit                                         [ Not found ]
    Dreams Rootkit                                           [ Not found ]
    Duarawkz Rootkit                                         [ Not found ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    Fu Rootkit                                               [ Not found ]
    rainbows`it Rootkit                                          [ Not found ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Not found ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Jynx Rootkit                                             [ Not found ]
    KBeast Rootkit                                           [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Not found ]
    Lockit / LJK2 Rootkit                                    [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Not found ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Not found ]
    R3dstorm Toolkit                                         [ Not found ]
    RH-Sharpe's Rootkit                                      [ Not found ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Not found ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Not found ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Not found ]
    Suckit Rootkit                                           [ Not found ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Not found ]
    T0rn Rootkit                                             [ Not found ]
    trNkit Rootkit                                           [ Not found ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]

[Press <ENTER> to continue]


  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]
    Suspicious Shared Memory segments                        [ None found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

[Press <ENTER> to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    Checking for hidden ports                                [ Skipped ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ None found ]
    Checking for group file changes                          [ None found ]
    Checking root account shell history files                [ None found ]

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Not found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
    Files checked: 143
    Suspect files: 1

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 2 minutes and 4 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

pete@pete-LM-1545 ~ $ 
Pjotr
Level 22, Posts: 16161, Joined: Mon Mar 07, 2011 10:18 am, Location: The Netherlands (Holland)

Re: rkhunter warning

Post by Pjotr »

turtlebay wrote:
> I have just run a scan on my Mint 18 Mate with rkhunter and got a couple of warnings. What should I do now
Uninstall rkhunter.
> and are these warnings something I need to worry about?
No.

Recommended reading:
https://sites.google.com/site/easylinux ... t/security

All this assuming that you're not running a server, in which case I suspect that you would already have read the log that rkhunter asks you to read. :wink:
turtlebay
Level 5, Posts: 630, Joined: Mon Apr 01, 2013 12:33 pm

Re: rkhunter warning

Post by turtlebay »

OK thank you, especially for the tip about Mono which I have removed.

The only reason I ran rkhunter is that recently a member of my household used my system to watch some p*rn and my Linux slowed down and started doing some strange things - mouse going erratic at times and new web pages opening really slowly as if they were possibly being viewed or scanned by an outside agency.

I have also installed the latest kernel today and it seems better now (was using 4.04.0-45, now using 4.4.0-59).
turtlebay
Level 5, Posts: 630, Joined: Mon Apr 01, 2013 12:33 pm

Re: rkhunter warning

Post by turtlebay »

The rkhunter log found these:

Code:

Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

 Checking /dev for suspicious file types         [ Warning ]
[10:03:44] Warning: Suspicious file types found in /dev:
[10:03:44]          /dev/shm/pulse-shm-961302576: data
[10:03:44]          /dev/shm/pulse-shm-3661534109: data
[10:03:44]          /dev/shm/pulse-shm-80446364: data
[10:03:44]          /dev/shm/pulse-shm-709735179: data
[10:03:44]   Checking for hidden files and directories       [ Warning ]
[10:03:45] Warning: Hidden directory found: /etc/.java 
karlchen
Level 21, Posts: 13829, Joined: Sat Dec 31, 2011 7:21 am, Location: Germany

Re: rkhunter warning

Post by karlchen »

Hi, turtlebay.

About lwp-request:

It is a warning only. The warning tells you that lwp-request is not an executable but a script (scripts can be manipulated more easily, this is why). On Ubuntu / Linux Mint lwp-request will be a script.
On my system rkhunter tells this about lwp-request in the logfile /var/log/rkhunter.log:

Code:

[14:19:44]   /usr/bin/lwp-request                            [ OK ]
[14:19:44] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check
The reason is that the lwp-request script has been marked as OK in the rkhunter configuration file /etc/rkhunter.conf.

Code:

#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
#SCRIPTWHITELIST=/usr/bin/unhide.rb

About suspicious files in /dev and suspicious hidden files and directories:

Again from my system:

Code:

$ ls -lL /dev/shm
insgesamt 88
-rwx------ 1 karl karl 67108904 Jan 22 10:13 pulse-shm-1375389624
-rwx------ 1 karl karl 67108904 Jan 22 13:16 pulse-shm-1982065199
-rwx------ 1 karl karl 67108904 Jan 22 11:32 pulse-shm-2020830285
-rwx------ 1 karl karl 67108904 Jan 22 10:13 pulse-shm-2355695496
-rwx------ 1 karl karl 67108904 Jan 22 10:13 pulse-shm-264640909
-rwx------ 1 karl karl 67108904 Jan 22 10:13 pulse-shm-3114031445
Normally a side effect of using PulseAudio. So no cause for alarm.

Specifically about the hidden directory /etc/.java:
Again you might consider whitelisting it in the rkhunter configuration file /etc/rkhunter.conf:

Code:

#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/etc/.etckeeper"
It all depends on what the clean state is on a given Linux distribution. So it will be safe to allow the hidden directory /etc/.java, but I would not recommend simply allowing all not-yet-allowed hidden directories.

HTH,
Karl
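As an added example (not karlchen's or the rkhunter project's code), a small Python triage script that parses the kinds of warning lines shown above from /var/log/rkhunter.log, separates the three known-benign cases discussed in this thread from anything else, and prints the rkhunter.conf lines that would whitelist the benign ones; the sample log lines, and the /dev/shm/unknown-blob and /tmp/.x entries in them, are constructed. It assumes the whitelist sets below describe a clean Ubuntu/Mint install; confirm that a flagged file is the one the package shipped (for example with dpkg -V) before adding its line.

```python
import re

# Constructed sample of /var/log/rkhunter.log warning lines, modelled on the
# ones quoted in this thread (the first one without a timestamp, as posted),
# plus two made-up entries that must NOT be whitelisted: an ELF binary in
# /dev/shm and a hidden directory under /tmp.
SAMPLE_LOG = """\
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[10:03:44] Warning: Suspicious file types found in /dev:
[10:03:44]          /dev/shm/pulse-shm-961302576: data
[10:03:44]          /dev/shm/pulse-shm-3661534109: data
[10:03:44]          /dev/shm/unknown-blob: ELF 64-bit LSB executable
[10:03:45] Warning: Hidden directory found: /etc/.java
[10:03:45] Warning: Hidden directory found: /tmp/.x
"""

# Commands that Ubuntu/Mint ship as scripts (the SCRIPTWHITELIST entries quoted above).
KNOWN_SCRIPTS = {
    "/bin/egrep", "/bin/fgrep", "/bin/which", "/usr/bin/groups", "/usr/bin/ldd",
    "/usr/bin/lwp-request", "/usr/sbin/adduser", "/usr/sbin/prelink",
}
# Hidden directories a clean install may carry (the examples in the rkhunter.conf comments).
KNOWN_HIDDEN_DIRS = {"/etc/.java", "/etc/.etckeeper", "/dev/.static", "/dev/.SRC-unix"}
# PulseAudio shared-memory segments: plain "data" files named pulse-shm-<number>.
PULSE_SHM = re.compile(r"^/dev/shm/pulse-shm-\d+$")

STAMP = r"^(?:\[\d\d:\d\d:\d\d\])?\s*"  # optional "[HH:MM:SS]" prefix of log lines
RE_SCRIPT = re.compile(STAMP + r"Warning: The command '([^']+)' has been replaced by a script: [^:]+: (.+)$")
RE_DEV_HEAD = re.compile(STAMP + r"Warning: Suspicious file types found in /dev:$")
RE_DEV_ITEM = re.compile(STAMP + r"(/dev/\S+): (.+)$")
RE_HIDDEN = re.compile(STAMP + r"Warning: Hidden (file|directory) found: (.+)$")


def parse_warnings(log_text):
    """Turn rkhunter.log warning lines into {kind, path, detail} records."""
    warnings, in_dev = [], False
    for line in log_text.splitlines():
        m = RE_SCRIPT.match(line)
        if m:
            in_dev = False
            warnings.append({"kind": "script", "path": m.group(1), "detail": m.group(2)})
            continue
        if RE_DEV_HEAD.match(line):
            in_dev = True  # the paths follow on indented continuation lines
            continue
        m = RE_HIDDEN.match(line)
        if m:
            in_dev = False
            kind, rest = m.group(1), m.group(2)
            # hidden files carry a ": <file type>" suffix, hidden directories do not
            path, _, ftype = rest.partition(": ") if kind == "file" else (rest, "", "")
            warnings.append({"kind": "hidden-" + kind, "path": path, "detail": ftype or "hidden " + kind})
            continue
        m = RE_DEV_ITEM.match(line) if in_dev else None
        if m:
            warnings.append({"kind": "devfile", "path": m.group(1), "detail": m.group(2)})
        else:
            in_dev = False
    return warnings


def classify(w):
    """Return the rkhunter.conf line that silences a known-benign warning, or None if it needs a human."""
    kind, path, detail = w["kind"], w["path"], w["detail"]
    if kind == "script" and path in KNOWN_SCRIPTS:
        return "SCRIPTWHITELIST=" + path
    if kind == "devfile" and detail == "data" and PULSE_SHM.match(path):
        return 'ALLOWDEVFILE="/dev/shm/pulse-shm-*"'  # ALLOWDEVFILE accepts wildcards
    if kind == "hidden-directory" and path in KNOWN_HIDDEN_DIRS:
        return 'ALLOWHIDDENDIR="%s"' % path
    return None  # anything else (e.g. an ELF in /dev/shm) is not whitelisted blindly


def triage(log_text):
    """Split the warnings into config lines for the benign ones and a review list for the rest."""
    allow, review = set(), []
    for w in parse_warnings(log_text):
        line = classify(w)
        if line:
            allow.add(line)
        else:
            review.append("%s (%s)" % (w["path"], w["detail"]))
    return sorted(allow), review


if __name__ == "__main__":
    allow, review = triage(SAMPLE_LOG)
    print("# candidate /etc/rkhunter.conf lines (verify the files first, e.g. dpkg -V):")
    print("\n".join(allow))
    print("# still needs a human look:")
    print("\n".join(review))
```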
Habitual
Level 13, Posts: 4861, Joined: Sun Nov 21, 2010 8:31 pm, Location: 0.0.0.0

Re: rkhunter warning

Post by Habitual »

karlchen
Level 21, Posts: 13829, Joined: Sat Dec 31, 2011 7:21 am, Location: Germany

Re: rkhunter warning

Post by karlchen »

You might have bothered to tell us that the linked thread covers the reported case right at the beginning, Habitual, so as to make us really follow the link and read the thread. :wink:
Habitual
Level 13, Posts: 4861, Joined: Sun Nov 21, 2010 8:31 pm, Location: 0.0.0.0

Re: rkhunter warning [SOLVED]

Post by Habitual »

Corten+
Level 1, Posts: 1, Joined: Tue Mar 21, 2017 4:03 am

Re: rkhunter warning [SOLVED]

Post by Corten+ »

Hi, I am new. And I have this error on my rkhunter:

/usr/bin/lwp-request [ Warning ]

What's the solution?

Thank you in advance :D
karlchen
Level 21, Posts: 13829, Joined: Sat Dec 31, 2011 7:21 am, Location: Germany

Re: rkhunter warning [SOLVED]

Post by karlchen »

Hi, Corten+.

You are free to really read the posts in this thread before appending your question to it. :wink:
The answer to your question had been given at the beginning of this post here already.
So you may safely ignore this warning. A warning is not an error.

Cheers,
Karl
sammiev
Level 4, Posts: 369, Joined: Sat May 19, 2012 12:16 pm

Re: rkhunter warning [SOLVED]

Post by sammiev »

Corten+ wrote:
> Hi, I am new. And I have this error on my rkhunter:
>
> /usr/bin/lwp-request [ Warning ]
>
> What's the solution?
>
> Thank you in advance :D
Read post #2.